Saturday, April 05, 2008

I think they would have preferred the traditional pen. NOTE: The electronic tax filing system has a major bug. If I can file one fraudulent return I can automate the process and file hundreds.

http://www.pogowasright.org/article.php?story=20080404173228638

CA: UCI students report their identities stolen

Friday, April 04 2008 @ 05:32 PM EDT Contributed by: PrivacyNews News Section: Breaches

At least 90 University of California, Irvine graduate students have reported to campus police that they were the victims of identity theft, by people who fraudulently filed tax returns using their names and social security numbers to collect refunds, campus officials confirmed today.

Most students discovered the thefts when they tried to file their tax returns electronically, and were informed by the IRS that their returns had already been filed, officials said. [Interesting that the IRS issues refunds before confirming that the recipient is real. Don't they have the ability to match income reported on a return with the employer's W2's? Bob]

Source - OCRegister

[From the article:

"UCI is trying to keep it out of the press because it looks horrible for them, but either (an employee) did this, or someone they contracted with did this and they don't want to create mass panic, but this is the kind of thing you should be panicked about."

... Casey said she was told that information was potentially breached on 4,500 graduate students and that the thieves may have set up a fake company to file phony tax returns.
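Bob's question above (why is a refund issued before the return is checked against employer-filed W-2s?) is easy to turn into a concrete control. The following is an added illustration, not code from the article or from the IRS: a hypothetical pre-refund check over constructed sample data (fake placeholder SSNs, made-up wage figures) that holds a return when the SSN has already been used to file, when no employer has reported wages for it, or when the claimed wages are far from what the employer filed. The tolerance, field names and data layout are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data for the example: employer-filed W-2 wage records and
# electronically filed returns. SSNs are fake placeholders, not real identifiers.
W2_RECORDS = [
    {"ssn": "000-00-0001", "employer": "UCI", "wages": 24000},
    {"ssn": "000-00-0002", "employer": "UCI", "wages": 26500},
    {"ssn": "000-00-0003", "employer": "UCI", "wages": 25000},
]

RETURNS = [
    # legitimate return, wages match the employer filing
    {"id": "R1", "ssn": "000-00-0001", "wages": 24000, "refund": 900},
    # fraudulent return filed first against a real SSN, with inflated wages
    {"id": "R2", "ssn": "000-00-0002", "wages": 61000, "refund": 7800},
    # the real taxpayer files later: a second return for the same SSN
    {"id": "R3", "ssn": "000-00-0002", "wages": 26500, "refund": 1100},
    # return for an SSN no employer has reported wages for
    {"id": "R4", "ssn": "000-00-0099", "wages": 40000, "refund": 5200},
]


def check_returns(w2_records, returns, tolerance=0.05):
    """Return {return_id: [reasons]} for returns that should be held, not paid.

    A return with no entry in the result passed every check. The 5% wage
    tolerance is an assumed value for the example.
    """
    wages_by_ssn = defaultdict(int)
    for rec in w2_records:
        wages_by_ssn[rec["ssn"]] += rec["wages"]

    first_filer = {}            # ssn -> id of the first return seen for it
    flags = defaultdict(list)
    for r in returns:
        ssn = r["ssn"]
        if ssn in first_filer:
            # Both returns are suspect: the first one may be the fraud.
            flags[r["id"]].append(
                f"duplicate filing for SSN already used by {first_filer[ssn]}")
            flags[first_filer[ssn]].append(f"SSN later claimed by {r['id']}")
        else:
            first_filer[ssn] = r["id"]

        if ssn not in wages_by_ssn:
            flags[r["id"]].append("no employer-reported wages for this SSN")
        else:
            reported = wages_by_ssn[ssn]
            if abs(r["wages"] - reported) > tolerance * reported:
                flags[r["id"]].append(
                    f"claimed wages {r['wages']} vs employer-reported {reported}")
    return dict(flags)


if __name__ == "__main__":
    for rid, reasons in check_returns(W2_RECORDS, RETURNS).items():
        print(rid, "HOLD:", "; ".join(reasons))
```

Run as written, only R1 is paid; R2 and R3 are held because the same SSN appears twice (and R2's wages do not match the employer filing), and R4 is held because nobody reported paying it anything. The point is that the check needs only data the tax authority already holds.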



“We have no control over our contractors?”

http://www.pogowasright.org/article.php?story=20080404194244975

Laptop stolen from Pfizer contractor puts employee data at risk

Friday, April 04 2008 @ 07:42 PM EDT Contributed by: PrivacyNews News Section: Breaches

Attorneys for Pfizer, Inc. have notified the NH DOJ [pdf] that on February 7, a laptop belonging to a contractor who assists with travel and meetings arrangements for Pfizer employees was stolen from the contractor's home during a burglary.

According to a letter from Bernard Nash of Dickstein Shapiro LLP, analysis of a backup drive [Cheaper than a continuous inventory of data locations? How old is the backup? Bob] indicated that the stolen laptop contained information about approximately 800 individuals, including approximately 3 residents of New Hampshire. A forensic review indicated that the information on the stolen laptop included "names and credit card numbers, as well as, in some instances, credit card expiration dates, home and/or business addresses, home and/or business and/or cell phone numbers, personal and/or business e-mail addresses, hotel loyalty program numbers and other travel and logistics information." Although the forensic review was not completed by the time of notification, [Obviously, this is a slower method. Bob] no SSNs appear to have been on the laptop, nor any PINs.

Nash's letter indicated that although Pfizer's incident did not appear to meet the notification trigger for New Hampshire, Pfizer had elected to notify individuals. They have also arranged for a two-year package of credit-protection services and identity theft insurance for affected individuals.
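The "continuous inventory" Bob asks about is largely a matter of knowing, before a laptop goes missing, which files hold card numbers. As an added example (not code from Pfizer, its contractor, or the article), here is the core of such an inventory scan: candidate digit runs are pulled from each file and kept only if they pass the Luhn mod-10 check that payment card numbers satisfy, which is what separates a card number from a phone number, a loyalty program number or an order reference. The sample files are constructed inline and use the well-known card test numbers (4111 1111 1111 1111 and friends), not real accounts.

```python
import re

# Constructed sample files for the example: travel-booking style text of the kind
# the letter describes (loyalty numbers, phone numbers, card numbers).
SAMPLE_FILES = {
    "travel/booking_2008-01.txt":
        "Hotel: Marriott loyalty 81234567 card 4111 1111 1111 1111 exp 03/09 phone 603-555-0100",
    "travel/expense.csv":
        "name,card\nJ. Doe,5500-0000-0000-0004\nA. Roe,378282246310005\n",
    "notes.txt":
        "Order ref 4111111111111112 is not a card number; meeting room 12.",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card-like numbers in text, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inventory(files):
    """files: {path: text}. Return {path: count} for files holding card numbers."""
    result = {}
    for path, text in files.items():
        n = len(find_card_numbers(text))
        if n:
            result[path] = n
    return result


if __name__ == "__main__":
    for path, n in inventory(SAMPLE_FILES).items():
        print(f"{path}: {n} card number(s)")
```

The 16-digit order reference in notes.txt fails the Luhn check and is ignored, while the loyalty and phone numbers are too short to be candidates at all. On a real fileshare or backup image this is the scan you run on a schedule, so the answer to "what was on it?" is already known when the laptop is reported stolen.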



It's not always contractors.

http://www.pogowasright.org/article.php?story=20080404195321776

Laptop stolen from employee's home held employee data for Griffin Electric

Friday, April 04 2008 @ 07:53 PM EDT Contributed by: PrivacyNews News Section: Breaches

Griffin Electric, Inc. has notified the NH DOJ [pdf] that a password-protected [Oxymoron Bob] company laptop computer and company health plan insurance invoices were stolen from an employee's home during the weekend of March 15. The breach affected an unspecified number of employees, including approximately 55 New Hampshire residents.

According to the notification letter to employees, the laptop contained the names of certain employees, their social security numbers, and dates of birth. The health insurance paper invoices listed employee names and social security numbers, although those security numbers were identified as "sub. numbers" and not "social security numbers." The invoices did not include any personal medical information, addresses or dates of birth.

Griffin Electric indicated that they planned to arrange for credit monitoring services, and had contacted the health insurance vendor to have them change the employee information printed on their invoices. [The invoices violated HIPAA? Bob]



How was this accidental?

http://www.pogowasright.org/article.php?story=20080404201005665

Oops - please give us back $985.44 and all of the employee data we sent you by mistake

Friday, April 04 2008 @ 08:10 PM EDT Contributed by: PrivacyNews News Section: Breaches

Eastern Sales and Marketing New England has notified the NH DOJ [pdf] that in corresponding with a former employee over monies they had paid her in error, they inadvertently disclosed the name, bank identification number and bank account number of 137 current and former employees.

According to John Buckley, Chairman of ESMNE, "The employee who received the inadvertent disclosure returned the documents to ESMNE and stated that she does not want any of the inadvertently disclosed information in her possession."

ESMNE notified all affected individuals, but did offer free credit monitoring.



It's not always data on a computer that gets lost, and the trash receptacle isn't always “secure storage.” (See next article)

http://www.pogowasright.org/article.php?story=20080404161356407

Gov't loses thousands of staff records (updated)

Friday, April 04 2008 @ 04:13 PM EDT Contributed by: PrivacyNews News Section: Breaches

A three-ring binder containing the personal records of nearly 3,000 former federal employees is missing. But the government says not to worry -- because it was probably accidentally thrown out with the trash.

The Federal Energy Regulatory Commission said on Friday that the binder, which first went missing last month, contained Social Security numbers of employees who left the agency between 1983 and 2007.

Source - Interactive Investor

PogoWasRight.org editorial comment: interesting that a UK site picked up the story that wasn't on any US site yet -- Dissent

Update: The FERC has a press release about the incident on their site.


How valuable is your trash?

http://www.pogowasright.org/article.php?story=20080405075944492

SC: Trash with personal information stolen

Saturday, April 05 2008 @ 07:59 AM EDT Contributed by: PrivacyNews News Section: Breaches

An employee of Spartanburg insurance company Seguros Internacionales reported bags of trash containing personal client information were stolen this week.

The employee, 21, said sometime between Wednesday evening and Thursday morning an unknown person or persons rummaged through bags of trash outside of the 7980 Asheville Highway store.

She said three trash bags containing finished tax returns, I-10 forms, insurance forms and check receipts were stolen. The paperwork included copies of driver's licenses, birth certificates and other personal information. None of the papers were shredded before they were thrown away.

Source - GoUpstate.com


Trash for hackers.

http://www.pogowasright.org/article.php?story=20080405075314614

AU: Royal Perth Hospital dump computers, patient details

Saturday, April 05 2008 @ 07:53 AM EDT Contributed by: PrivacyNews News Section: Breaches

CONFIDENTIAL patient details are being left on old computers dumped in an open skip bin in a busy laneway at Royal Perth Hospital.

Personal information, including patient names and addresses, dates of birth, medical conditions and patient numbers, was accessed with ease by The Sunday Times this week.

Sources say up to 500 computers have been dumped in the bin, pending collection, since November.

Source - Perth Now

[From the article:

Government sources tipped off The Sunday Times about the slack security because they were furious that patients' personal information was left out in the open.



Resource?

http://www.pogowasright.org/article.php?story=20080404164810956

RESOURCE: For businesses that have a breach

Friday, April 04 2008 @ 04:48 PM EDT Contributed by: PrivacyNews News Section: Breaches

It's becoming an almost hourly occurrence for me (Dissent, a/k/a the Caped Crusader for Privacy) to see press releases from commercial outfits that offer their services to businesses to help prevent or respond to breaches, or to comment on them.

One of the lesser known resources for dealing with breaches may be the Identity Theft Resource Center's "Breach Response Program," and I thought I'd mention them on this site because businesses may want to know about them.

The Identity Theft Resource Center, a nonprofit organization, has consistently held the view that both consumers and businesses are the dual victims of identity theft. As part of its outreach program to companies and governmental agencies, ITRC provides Breach Response Services including recommendations for notification letters, first responder call center training, website FAQs, and assistance in establishing clear communications by the breached entity.

Unlike many commercial services that will only help you if you buy their product or contract with them, ITRC does NOT require the purchase of consumer products as a pre-requisite for ITRC providing breach response services.

If you find your company in the unenviable position of having to deal with a breach, this nonprofit can be reached at itrc[at]idtheftcenter.org or 858-693-7935 x 101, or contact them through their web site at www.idtheftcenter.org, and do consider them when trying to determine where and how to get help.



Good to see this is working. Interesting that there were no reports of terrorists detected.

http://www.pogowasright.org/article.php?story=2008040414432095

TSA Deploys Airport Behavior Screeners

Friday, April 04 2008 @ 02:43 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

To the untrained eye, the man looked like any other traveler as he waited in line at Kennedy Airport. But something about the way he was acting caught the attention of two security screeners.

For 16 minutes, they questioned him, scanned every inch of his body twice with a metal-detecting wand and emptied his carry-on bag onto a table. Out came a car stereo with wires dangling from it.

... Of the more than 104,000 air travelers who were plucked out of security lines and subjected to a more intense level of screening because of something suspicious in their demeanor, fewer than 700 were ultimately arrested, officials said.

Many more -- about 9,300 -- revealed something during the screening process that caused the TSA to call in law enforcement for a more thorough investigation.

Source - Newsday http://www.newsday.com/news/nationworld/nation/wire/sns-ap-airports-behavior-agents,0,5978041.story



This is an interesting idea. I wonder how hard US companies would lobby to keep this from happening here? Also interesting to see who wouldn't comply and what excuse they offered.

http://www.pogowasright.org/article.php?story=20080404191023932

UK: The John Harris files

Friday, April 04 2008 @ 07:10 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

For the past couple of months, fragments of my past have been regularly dropping through the letterbox, contained in A4 envelopes.

I didn't remember buying the autobiography of the US basketball star Dennis Rodman from Amazon on February 19 2000, but according to the bumf they sent me - and, in actual fact, my bookshelves - that's what happened. When I opened a package from the Identity and Passport Service, I found a murky photocopy of a form I'd filled in 22 years ago. My old postcodes and telephone numbers regularly flashed in front of my eyes; thanks to the DVLA, I was reminded not only of all my past parking fines, but the fact that my secondhand Volkswagen Golf clocked up its first mileage in and around Basingstoke.

The AA, bless them, sent me the full transcript of a conversation I had in June 2007 with an operative called Julie (an illustrative excerpt: "We're at home and our car won't start. I assume it's the battery"; "Right, smashing. We'll get some help to you there.")

This is what happens when you make a list of the companies and organisations with whom you regularly deal and put in subject access requests - an opportunity afforded by the 1998 Data Protection Act (DPA), whereby anyone with access to paper and envelopes (and, more often than not, a £10 cheque) can write to an organisation's data protection officer, and demand to see the information held on them.

Source - Guardian



Gartner is well respected – if sometimes slow on the uptake.

http://news.zdnet.co.uk/software/0,1000000121,39379900,00.htm?r=1

Gartner: Open source will quietly take over

Peter Judge ZDNet.co.uk Published: 04 Apr 2008 14:53 BST

In a few years' time, almost all businesses will use open source, according to Gartner; even though IT managers may be unaware of it, and prefer to talk about fashions such as software as a service.

... Gartner misses the point that a free licence does more than cut the cost of ownership, said Taylor, pointing out that it provides other benefits. "Licensing is only a slice of the total cost, but historically, companies have only bought as many licences as they can afford. If you remove the licence cost, you may only remove three percent of the of total cost of the existing project, but you also remove the brakes — you massively expand the numbers that project can be rolled out to at no extra cost.

"Open source gives massive scalability at no transaction cost, for whatever you are doing," he said.



Aside from the fact that it is counter-productive, doesn't test for steroids, irritates the parents and the students, and fails to comply with the Supreme Court mandates, what's wrong with it?

http://www.pogowasright.org/article.php?story=2008040423501625

Drug testing opposition grows in Flower Mound

Friday, April 04 2008 @ 11:50 PM EDT Contributed by: PrivacyNews News Section: Minors & Students

Students at Flower Mound High School participating in any extracurricular activities (and any student with a parking permit) will be given "the privacy of a stall" to provide a urine sample, should they be selected for a random drug test as part of Lewisville ISD's new drug testing program.

In what may be one of the most far-reaching applications of random student drug testing since a divided United States Supreme Court upheld the practice in 2002, Lewisville ISD's new aggressive, $437,787 campaign to combat teen drug use is meant to deter and decrease use, along with providing counseling for students already using illegal drugs, according to the Lewisville ISD.

Source - Pegasus News



Some simple but interesting ideas.

http://www.darkreading.com/document.asp?doc_id=150276&WT.svl=column1_1

An Inconvenient Lack of Truth

We'll never be able to fix our security problems until we start truthfully sharing breach information

APRIL 4, 2008

... My research leads to some conclusions that may be unsurprising, but often ignored:

1. Blame the system, not the victims, for identity fraud.

2. Blame the credit card companies, not the retailers, for credit card fraud.

3. Consumers suffer from identity fraud, retailers from credit card fraud.

4. We need fraud disclosure, not breach disclosure.

5. We need public root cause analysis. [I would LOVE that. Probably ain't gonna happen though. Bob]

6. Breach disclosures teach us the wrong lessons.



Just consider it 'convergence.' Next: DRM on your apartment door! DRM on your pacemaker!

http://www.technewsworld.com/rsstory/62391.html?welcome=1207400561

DRM for Cars: No Pay, No Play

By Chris Woodyard USA Today 04/05/08 4:00 AM PT

When the light starts to flash, you had better have the cash.

That's the reality for millions of subprime borrowers whose used car purchase is contingent upon having an unusual option: a little box mounted underneath the dashboard that forces them to make their payments on time.

A light on the plastic box flashes when a payment is due. If the payment isn't made and the resulting code punched in to reset the box, the vehicle won't start. The next step is a visit from the repo man.



Tools & Techniques

http://www.killerstartups.com/Mobile/MobileTalkPacket8net---Affordable-International-Calls/

MobileTalk.Packet8.net - Affordable International Calls

International calls making a dent in your pocketbook? MobileTalk from Packet8 will get you cheaper rates without all the dressed up frills. The app works by looping your calls through VoIP, thereby cutting costs by 90%. It’s really too easy to use. Set up takes a few minutes, but from there, every thing else is a breeze. You download the app to your phone, and then proceed with your calls as you normally would. When you make an international call MobileTalk will immediately route the call through their network, getting you a local number, and making your calls really cheap.

http://mobiletalk.packet8.net/



For my students (I wonder if this could be extended to rare and antique books?)

http://www.killerstartups.com/eCommerce/Bluerectanglecom---Book-Reviews-and-Buybacks/

Bluerectangle.com - Book Reviews and Buybacks

BlueRectangle is an online bookstore that buys and sells books and also helps you to select your next purchase by providing you with video book reviews. Selling a book is simple, just enter the ISBN number of the books you’d like to sell and BlueRectangle will let you know whether they have a need for the book and how much they will pay you for it. Shipping is free, so you don’t have to worry about making any further calculations because the price you see is the price you get. Attention college students: BlueRectangle will also buy your used textbooks, which should allow you to save a bit of money for the more important things in life.

http://www.bluerectangle.com/



For my Small Business class This is one of many sites offering “instant storefronts”

http://www.killerstartups.com/eCommerce/Shopwindozcom---Online-Shops-for-Niche-Products/

Shopwindoz.com - Online Shops for Niche Products

ShopWindoz is a portal where designers of original products can create their own online shop without requiring any programming knowledge. Anyone with a suitable product can go to ShopWindoz, open a shop, and start selling their goods to the world. People interested in purchasing original micro-brand, independent products directly from the source can go to ShopWindoz, and search for either the product they desire or a particular shop. ShopWindoz offers secure SSL encrypted payment methods and a community rating system so that the best vendors will rise to the top over time. A quick glance at the current inventory shows that the site is heavily focused on unique clothing and fashion apparel, at least for the time being.

http://www.shopwindoz.com/en/home/public



I found this little gem recently...

http://www.fosstools.org/

fosswin

FOSSWIN is a collection of over 100 Free and Open Source Software packages for academic, government, and business organizations using the Windows 98SE/Me/2000/2003/XP operating systems. The software has been carefully assembled to provide free alternatives to expensive commercial suites such as MS Office, MS Outlook, Photoshop, Matlab, etc. The collection is available as an ISO image, a ZIP archive, or as a portable package. The portable version is self-contained - it can be extracted on a removable storage media such as a USB thumb drive and applications will run directly from it without installation. Simply extract the "fosswin_portable.zip" file on a 512MB USB stick and double-click on the file "PStart.exe". This will launch the applications menu and park it in the system tray of the computer. All three distributions contain this README file with a more detailed description of FOSSWIN and its usage.
FOSSWIN ISO
FOSSWIN ZIP
FOSSWIN Portable

Friday, April 04, 2008

Low quantity, high quality (i.e. It isn't just us second class citizens this time.)

http://www.msnbc.msn.com/id/23943781/

Privacy advocate's health data is stolen

Lawmaker's medical records nabbed along with government laptop

updated 4:12 p.m. MT, Thurs., April 3, 2008

WASHINGTON - If there's one person whose medical records you wouldn't want to lose track of, it's the co-chairman of the congressional caucus that focuses on protecting consumers' privacy.



For my hacking students. Consider this a warning – no matter how bad the security was (is?) at OU, you still can't do things like this...

http://www.pogowasright.org/article.php?story=20080403093814895

Student charged with hacking into OU accounts

Thursday, April 03 2008 @ 09:38 AM EDT Contributed by: PrivacyNews News Section: Breaches

A University of Oklahoma student has been charged with violation of the Oklahoma Computer Crimes Act for allegedly hacking into and causing havoc with other students’ computer accounts.

Jose Antonio Roman, 19, was charged Tuesday in Cleveland County District Court.

Roman is accused of using his laptop computer to scan the local OU subnet at Walker Tower from his dorm room. Roman allegedly used data acquired to obtain user names and passwords to other students’ OU e-mail and Facebook accounts. Investigators said he changed other students’ passwords, locking them out of their accounts. In one case, Roman allegedly replaced a woman’s photo with a graphic described as “the laughing man.”

Source - Norman Transcript
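The article says the accused scanned the dorm subnet from his own machine, which is the noisy part of the activity and the part a campus NOC can catch from connection logs alone. As an added example for the hacking students (not code from the article, the university, or the case), here is the detection side: a sliding-window count of distinct host:port targets per source address over constructed syslog-style connection records. The log format, the 60-second window and the threshold of five targets are assumptions for the example; real firewall or NetFlow exports need their own parser but the logic is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log lines for the example (not real OU data).
# One source sweeps port 22 across a subnet plus a few ports on one host;
# another source just browses normally.
LOG_LINES = """\
2008-03-30T22:14:01 conn src=10.20.5.17 dst=10.20.5.40 dport=22
2008-03-30T22:14:01 conn src=10.20.5.17 dst=10.20.5.40 dport=23
2008-03-30T22:14:02 conn src=10.20.5.17 dst=10.20.5.40 dport=80
2008-03-30T22:14:02 conn src=10.20.5.17 dst=10.20.5.41 dport=22
2008-03-30T22:14:03 conn src=10.20.5.17 dst=10.20.5.42 dport=22
2008-03-30T22:14:03 conn src=10.20.5.17 dst=10.20.5.43 dport=22
2008-03-30T22:14:04 conn src=10.20.5.17 dst=10.20.5.44 dport=22
2008-03-30T22:14:05 conn src=10.20.5.17 dst=10.20.5.45 dport=22
2008-03-30T22:14:09 conn src=10.20.5.88 dst=10.20.5.40 dport=80
2008-03-30T22:14:10 conn src=10.20.5.88 dst=10.20.5.40 dport=443
2008-03-30T22:20:00 conn src=10.20.5.17 dst=10.20.5.46 dport=22
""".splitlines()

LINE_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line):
    """Parse one assumed-format line into (timestamp, src, dst, dport), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Flag sources that touch >= threshold distinct (dst, port) pairs inside one window.

    Returns {src: (window_start_iso, max_distinct_targets)} for flagged sources.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, port = rec
            events[src].append((ts, dst, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best = None
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {(d, p) for _, d, p in evs[lo:hi + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > best[1]):
                best = (evs[lo][0].isoformat(), len(targets))
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (start, n) in detect_scanners(LOG_LINES).items():
        print(f"{src}: {n} distinct targets in one window starting {start}")
```

Only 10.20.5.17 trips the rule (eight distinct targets in a few seconds); the late single connection at 22:20 falls outside the window and does not pad the count, and the normal browsing from 10.20.5.88 never reaches the threshold. Tune the window and threshold against your own baseline before paging anyone on it.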



Interesting. May reflect reality, but not the ethical perspective I think must apply.

http://www.pogowasright.org/article.php?story=2008040317184527

Nissenbaum: “Privacy in Context”

Thursday, April 03 2008 @ 05:18 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

NYU’s Helen Nissenbaum gave a lecture entitled, “Privacy in Context” at the School of Information yesterday as the last Distinguished Lecture of the semester. You can find audio of her talk here and photos here.

Abstract: Contemporary practices of gathering, analyzing, and disseminating personal information have placed impossible demands on the concept of privacy. The weight of these demands, in turn, is reflected in norms, laws, policies, and technical requirements that frequently seem to miss the mark, failing to negotiate a reasonable course between unbridled opportunism, on the one hand, and suspicious intransigence, on the other. This talk will present key elements in the theory of contextual integrity, which builds upon structural aspects of social life to enrich our understanding of privacy and its importance as a moral and political value. Allowing context-relative social norms and context-based social values into the scope of analysis enables nuance and subtle discrimination, often missing in other dominant approaches, in modeling and theorizing privacy as well as adjudicating and justifying particular privacy claims.

Source - UC Berkeley School of Information



Statistics

http://www.bespacific.com/mt/archives/018015.html

April 03, 2008

FBI: Reported Dollar Loss from Internet Crime Reaches All-Time High

News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."



Perhaps you don't need sophisticated technical analysis to find crooks?

http://techdirt.com/articles/20080402/184456730.shtml

State Sues Unclaimed Money Site After Finding It Told Wile E. Coyote He Had Unclaimed Money

from the batman-too dept

Pennsylvania is suing a website that promised to help people get access to unclaimed money they were owed after investigators determined that the site was convincing people to pay $24.95 for a membership by telling them they had unclaimed money, no matter who they were. Investigators used the scientific method of testing whether Spiderman, Batman and Wile E. Coyote had unclaimed money. After discovering that all three were told they did (on a free search, details only available if you paid), they decided that the site was perhaps being less than honest with users.



Interesting problems with hints at some technical solutions

http://www.pogowasright.org/article.php?story=20080404063722800

Q&A: Chris Kelly, chief privacy officer of Facebook

Friday, April 04 2008 @ 06:37 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Facebook's man in charge of privacy talks about the challenges of China, identity theft and child protection

Source - Times Online hat-tip, FIRST.org



Interesting legal summary in the article...

http://www.pogowasright.org/article.php?story=20080404063127993

Ie: Filter or Else! Music Industry Sues Irish ISP (editorial)

Friday, April 04 2008 @ 06:31 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

EMI, Sony, Warner and Universal have brought an action in the High Court (Record Number 2008 1601P) seeking an injunction which would require Eircom to put in place a filtering system to block illegal peer-to-peer downloads. While there have previously been cases aimed at individuals who are uploading music, this is the first Irish action to target an ISP. This note briefly considers the background to, and possible implications of, this case.

Source - Society for Computers and Law



Interesting 'take' on censorship.

http://yro.slashdot.org/article.pl?sid=08/02/28/2117256&from=rss

EU Views Net Censorship As a "Trade Barrier"

Posted by kdawson on Thu Feb 28, 2008 06:25 PM from the do-as-i-say dept. Censorship

I Don't Believe in Imaginary Property writes

"The European Parliament just passed a proposal to treat internet censorship as a trade barrier, in particular the 'Great Firewall of China.' If passed by the European Council, the issue would be raised in trade negotiations and could lead to economic sanctions and trade restrictions for those countries unwilling to remove oppressive Net censorship."

We have discussed some of the ways in which the EU, and its member countries, engage in their own brand of censorship.



Gee willikers, a government computer system project that failed. How unusual.

http://hardware.slashdot.org/article.pl?sid=08/04/03/1612249&from=rss

Census Bureau To Scrap Handhelds — Cost $3 Billion

Posted by kdawson on Thursday April 03, @12:49PM from the one-two-three-many dept. Portables Government United States

GovTechGuy writes

"The Census Bureau will tell a House panel today that it will drop plans to use handheld computers to help count Americans for the 2010 census, increasing the cost for the decennial census by as much as $3 billion, according to testimony the Commerce Department secretary plans to give this afternoon."



Tools & Techniques. Not “can't,” rather “don't bother to...”

http://www.pogowasright.org/article.php?story=20080403094054463

Survey reveals inability to track and trace data access among UK retailers

Thursday, April 03 2008 @ 09:40 AM EDT Contributed by: PrivacyNews News Section: Breaches

Figures out today indicate that almost half (45 per cent) of medium to large retailers in the UK who handle credit card transactions are unable to track and trace who has been accessing data within the company network according to a survey carried out by research experts Vanson Bourne on behalf of LogLogic, the leader in log management integration.

Source - Press Release

[From the article:

Restrictions on budget (24 per cent), time (14 per cent) and other priorities (41 per cent) were cited as the reasons why concerned IT directors didn’t have systems in place to track and trace data access.



Tools & Techniques

http://www.pogowasright.org/article.php?story=20080403170151834

NFC Phones: Next Hacker Target

Thursday, April 03 2008 @ 05:01 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Small computerized devices that communicate wirelessly promise to make everyday life more comfortable and less technically challenging, but the technology might achieve just the opposite. Near field communication (NFC) in phones automatically exchanges data with other phones and objects in their vicinity. These phones are the latest example of a new technology developed with a strong focus on potential applications, but without sufficient thought to security and privacy concerns.

Source - EETimes

[From the article:

NFC merges mobile phones with radio frequency identification (RFID) tags and promises easy access to information. The technology enables phones to communicate with RFID labels attached to objects, as well as with other NFC phones over short ranges, centimeters. [A simple hack should convert these into the “Ronco Price-o-matic” (seen on Saturday Night Live) allowing you to set whatever price you think is fair... Bob]



For my hacking students (Someone needs to educate users)

http://www.bespacific.com/mt/archives/018012.html

April 03, 2008

New FTC Videos Help Consumers Spot Phishing Scams

News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."
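The "link to a copycat site" the FTC describes is usually detectable from the link itself, which is a better lesson for the hacking students than "be careful." As an added example (not code from the FTC or OnGuardOnline), here is a small checker that takes the text a user sees and the href it actually points to and reports the classic tells: a user@host prefix that hides the real host, a raw IP address, a punycode or non-ASCII hostname, the brand name buried inside a lookalike domain, and link text that names one site while the href goes to another. The brand and its legitimate domain (examplebank.com) are assumed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed for the example: brands we protect and their one legitimate registered domain.
LEGITIMATE_DOMAINS = {"examplebank": "examplebank.com"}

HOSTNAME_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def split_host(url):
    """Return (hostname, userinfo) for a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.username


def under_domain(host, domain):
    """True if host is the registered domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(display_text, href, brand="examplebank"):
    """Return a list of reasons the link looks like a phish; empty means no finding."""
    reasons = []
    legit = LEGITIMATE_DOMAINS[brand]
    host, user = split_host(href)

    if user is not None:
        reasons.append("userinfo before the host hides the real destination")
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised hostname (possible homoglyph)")
    if brand in host and not under_domain(host, legit):
        reasons.append(f"brand name inside lookalike host {host}")

    # If the visible text itself names a host, it must match where the link goes.
    m = HOSTNAME_RE.search(display_text.lower())
    shown = m.group(1) if m else ""
    if shown and shown != host:
        reasons.append(f"text shows {shown} but the link goes to {host}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links: one genuine, two in the style of phishing mail.
    samples = [
        ("https://online.examplebank.com/login", "https://online.examplebank.com/login"),
        ("https://online.examplebank.com/login",
         "http://examplebank.com.account-verify.example/login"),
        ("Click here to verify", "http://www.examplebank.com@203.0.113.7/"),
    ]
    for text, href in samples:
        print(href, "->", check_link(text, href) or "looks fine")
```

The genuine link produces no findings; the second trips both the lookalike-host rule (examplebank.com is a subdomain label, not the registered domain) and the text-versus-href mismatch; the third is the old user@host trick aimed at a bare IP. None of this needs the page to be fetched, which is exactly why a mail filter or a browser extension can do it before the user clicks.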

Thursday, April 03, 2008

Granted it's only a footnote, but what were these lawyers smoking at the time?

http://www.pogowasright.org/article.php?story=20080402184934948

Administration Asserts No Fourth Amendment for Domestic Military Operations

Wednesday, April 02 2008 @ 06:49 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

Today's Washington Post reports on a newly released memo, "Memorandum for William J. Haynes II, General Counsel of the Department of Defense Re: Military Interrogation of Alien Unlawful Combatants Held Outside the United States" (March 14, 2003), which was declassified and released publicly yesterday. Balkinization has commentary on the very troubling opinion.

While the newly released memo focuses on "asserting that federal laws prohibiting assault, maiming and other crimes did not apply to military interrogators," it contains a footnote referencing another Administration memo that caught our eye:

... our Office recently concluded that the Fourth Amendment had no application to domestic military operations. See Memorandum for Alberto R. Gonzales, Counsel to the President, and William J. Haynes, II, General Counsel, Department of Defense, from John C. Yoo, Deputy Assistant Attorney General and Robert J. Delahunty, Special Counsel, Re: Authority for Use of Military Force to Combat Terrorist Activities Within the United States at 25 (Oct 23, 2001). (emphasis added)

Source - EFF



I thought we were done with this. Have they waited until the end of the first quarter to close this deal? Sort of spreading the pain? I wonder what else is hanging. (Note: this does not help customers.)

http://www.pogowasright.org/article.php?story=20080402123614187

MasterCard Reaches Agreement with TJX to Provide Issuers Worldwide up to $24 million for Data Breach Claims

Wednesday, April 02 2008 @ 12:36 PM EDT Contributed by: PrivacyNews News Section: Breaches

MasterCard Worldwide today announced it has reached an agreement with The TJX Companies Inc. (TJX) to offer an Alternative Recovery Program to MasterCard issuers affected by the previously announced data breach of TJX.

The agreement calls for TJX to provide up to $24 million to support an Alternative Recovery Program to settle claims made by issuers to recover costs and losses they claimed to have incurred in connection with the breach. Issuers must have previously filed claims and agree to the Alternative Recovery Program's terms to be eligible for compensation funded by the agreement.

Source - PR Newswire

[From the article:

The agreement is contingent upon the acceptance of issuing financial institutions representing at least 90 percent of the claimed-on MasterCard accounts. [Think it will fly? Bob]



Not a big privacy breach, but these are the worker bees, so I expect them to have a bit more interest in privacy legislation in the future...

http://www.pogowasright.org/article.php?story=20080402194700996

Aides’ private info exposed

Wednesday, April 02 2008 @ 07:47 PM EDT Contributed by: PrivacyNews News Section: Breaches

PogoWasRight.org editor's note: not everyone might consider this a privacy breach, but I do, so I am including it under breaches. -- Dissent.

Furious senior House aides are demanding committee action against a website that has posted their bank account numbers, signatures, home addresses and children’s names that are included in financial disclosure documents.

Some are demanding legal action against the website LegiStorm, which since February has been posting congressional documents online as a way to increase transparency in government. Aides have brought their complaints to the House Administration Committee and the clerk of the House.

Staffers, however, are unsatisfied so far and say they may protest by refusing to turn in personal disclosure forms by the May 15 deadline. They worry the online information could lead to identity theft or their being targeted by criminals, and some are pleading for intervention from lawyers at the House General Counsel’s office.

Source - The Hill

[The web site: http://www.legistorm.com/

[From the article:

LegiStorm founder Jock Friedly has refused to remove the names of children, home addresses and staffers’ signatures. In defending his company, he said it is up to the House and Senate to remove information from the forms if it is sensitive.

“If they fell down on their jobs, it’s not our fault,” he said.



Tools & Techniques “What's in your backyard?”

http://www.news.com/8301-10784_3-9909638-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Homeland Security: We're ready to launch spy satellite office

Posted by Anne Broache April 2, 2008 9:00 PM PDT

WASHINGTON--A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.

During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office.

... As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, that will, among other things, monitor visits from Americans and foreigners [Isn't that pretty much everybody? Bob] visiting .gov Web sites. The set-up is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide.



Tools & Techniques Think of it as the convergence of wiretapping with anything electronic...

http://blog.wired.com/27bstroke6/2008/04/democratic-lawm.html

Democratic Lawmaker Vouches for Bush Administration's Secret Plan to End Cyber War

By Kevin Poulsen April 02, 2008 | 2:39:13 PM

You'd think by this point House Democrats would be a little leery when the Bush administration comes up with a new threat that it says can only be combated by a secret, warrantless NSA surveillance program requiring assistance from the private sector.

... The op-ed doesn't elaborate on what kind of secret cyber security programs they're hoping to keep out of the public view -- probably because, you know, they're secret.

But in a January New Yorker story -- the one where McConnell first made the comparison between September 11 and hack attacks -- we find these details.

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer, or web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"


Related?

http://news.zdnet.co.uk/security/0,1000000189,39378374,00.htm

US reveals plans to hit back at cyber threats

Tom Espiner ZDNet.co.uk Published: 02 Apr 2008 17:27 BST

The US Air Force Cyber Command is developing capabilities to inflict denial of service, confidential data loss, data manipulation, and system integrity loss on its adversaries, and to combine these with physical attacks, according to a senior US general.



This is called “A grasp of the obvious” (Depressing chart in the article states that only 9% of companies surveyed encrypted data to protect privacy...)

http://www.pogowasright.org/article.php?story=20080402124109250

Data Loss Problems Still Not A Priority At Most Companies

Wednesday, April 02 2008 @ 12:41 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

The tech industry's out to thwart data breaches at supermarkets, on social networks, in banks and schools, and across government and business, but it has a long way to go to get out the word about available products.

Identity theft remains a big issue, yet relatively few companies plan to use data loss prevention products on their computers. Makers of such products hope regulations will boost the market.

[...] Many data security purchases have been reactive, says RSA's Corn. But he sees three trends changing this. One is a rising interest in how to protect data on network endpoints such as PCs and laptops.

Another is that more firms, spurred in part by regulations that force companies to disclose data breaches, are trying to get a handle on the sensitive information they keep. A third driver is that firms are doing more to codify policies around data — determining where data should and shouldn't go.

Source - Investors.com


Related (This is what happens when security is not a priority?)

http://www.pogowasright.org/article.php?story=2008040219011435

The Identity Theft Resource Center Reports That Data Breaches More Than Doubled in 2008 First Quarter

Wednesday, April 02 2008 @ 07:01 PM EDT Contributed by: PrivacyNews News Section: Breaches

Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, according to the non-profit Identity Theft Resource Center (ITRC). This is more than double the first quarter in 2007 (76 breaches).

.... The 2008 ITRC Breach Report, as of 3/31/2008, reflects 167 reported breaches, more than 1/3 of the total number of breaches for calendar 2007. ITRC also categorizes these breaches into the following areas: Business (35.9%); Educational (25.2%); Government/Military (18%); Medical/Healthcare (13.8%); and Banking/Credit/Financial (7.2%). These 2008 Breach Reports are available on the ITRC website: www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml

Source - Yahoo!

[From the article:

These 2008 Breach Reports are available on the ITRC website: (www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml) ITRC will also provide comparison information from previous years.


Related Security Training can't hurt.

http://www.pogowasright.org/article.php?story=20080403062731656

Don't blame 'stupid users' for data breaches

Thursday, April 03 2008 @ 06:27 AM EDT Contributed by: PrivacyNews News Section: Breaches

Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.

Source - ZDNet



AKA “The Embarrassing Question Source Book” (Not that politicians can be embarrassed.)

http://www.bespacific.com/mt/archives/018005.html

April 02, 2008

Congressional Pig Book 2008: Annual Compilation of Pork-Barrel Projects in Federal Budget.

News release: "Citizens Against Government Waste (CAGW) today released the 2008 Congressional Pig Book, the latest installment in an 18-year exposé of pork-barrel spending...In fiscal year 2008, Congress stuffed 11,610 projects (the second highest total ever) worth $17.2 billion into the 12 appropriations bills. That is a 337 percent increase over the 2,658 projects in fiscal year 2007, and a 30 percent increase over the $13.2 billion total in fiscal year 2007. Alaska led the nation with $556 in pork per capita ($380 million total), followed by Hawaii with $221 ($283 million) and North Dakota with $208 ($133 million). CAGW has identified $271 billion in total pork since 1991."


Related Should Colorado's congressbeings do better?

http://www.cnn.com/2008/POLITICS/04/02/pork.spending/index.html?eref=rss_topstories

updated 5:12 p.m. EDT, Wed April 2, 2008

'Pig Book' names congressional porkers



Is this as logical as it seems to me?

http://www.pogowasright.org/article.php?story=20080403062943305

Making Available != Distribution, Says Court in London-Sire v. Doe

Thursday, April 03 2008 @ 06:29 AM EDT Contributed by: PrivacyNews News Section: In the Courts

As we mentioned yesterday, a New York court in Elektra v. Barker gave a boost to the recording industry by ruling that an offer to distribute a file on a P2P network can infringe the distribution right, even if no one ever actually downloaded it from you. Well, on the same day, a Massachusetts court in London-Sire v. Doe ruled just the opposite, holding that "merely exposing music files to the internet is not copyright infringement" (we just received the ruling today).

EFF filed an amicus brief in this case (formerly known as Atlantic v. Does 1-21), and our arguments appear to have found a more receptive audience in Boston than they did in New York City (the judge thanks us for our participation on page 11). The 52-page ruling is the most extensive analysis yet of the recording industry's "making available" argument, which claims that you infringe copyright merely by having a song in your shared folder, even if no one ever downloads it.

Source - EFF



A good bad example. How not to introduce biometric tools

http://www.pogowasright.org/article.php?story=20080402180827239

AU: Ku-ring-gai High students 'forced' to accept ID scans

Wednesday, April 02 2008 @ 06:08 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

A SYDNEY high school has been accused of intimidating students into having their fingerprints scanned for a new attendance monitoring system, and branding parents who object as "idiots".

Parents of students at Ku-ring-gai High School in Sydney's north say their children have been bullied into taking part in a trial of the scheme introduced this week.

Source - Herald Sun



Tools & Techniques Perhaps this will be integrated into your on-board GPS?

http://hosted.ap.org/dynamic/stories/T/TECHBIT_SPEED_TRAPS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

New Mobile Service Fights Speed Traps

By ANICK JESDANUN AP Internet Writer Apr 2, 4:39 PM EDT

NEW YORK (AP) -- In a modern equivalent of flashing your headlights to warn other motorists of police speed traps, you can now warn fellow drivers with a cell phone or personal digital assistant about speed traps, red-light cameras and other threats to ticket-free driving.

And as you approach a known threat, you'll get an audio alert on your mobile device.

The developer of Trapster, Pete Tenereillo, said the system, which requires punching in a few keys such as "pound-1" to submit information to Trapster's database, should comply with laws banning talking on cell phones.



Interesting?

http://www.techcrunch.com/2008/04/02/zillow-disrupts-lending-market-with-mortgage-marketplace/

Zillow Disrupts Lending Market With Mortgage Marketplace

Mark Hendrickson April 2 2008

Zillow, the site where you can find pricing estimates and other info about houses around the United States, aims to disrupt the online lending market with the launch of its Mortgage Marketplace.

Wednesday, April 02, 2008

A very non-TJX response.

http://www.pogowasright.org/article.php?story=20080402065521527

Hannaford issues apology to shoppers

Wednesday, April 02 2008 @ 06:55 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford supermarket shoppers are getting an apology in their shopping bags for a security breach that was announced two weeks ago.

CEO Ron Hodge sent a message to customers online and through leaflets left in grocery bags.

Source - sunjournal.com

[From the article:

He says the company is also considering, on a case-by-case basis, the out of pocket expenses placed on customers who had to cancel their cards.



A very TJX response. “We ain't saying, 'cause we don't gotta.”

http://www.pogowasright.org/article.php?story=20080401204600988

EXCLUSIVE: 250,000 insured by Union Security Insurance Company had personal info stolen

Wednesday, April 02 2008 @ 07:46 AM EDT Contributed by: PrivacyNews News Section: Breaches

When a desktop computer containing names, dates of birth, Social Security numbers and "other personal information" was stolen from Administrative Systems, Inc. in December, ASI's web site indicated that "several" of its clients had been affected. But as more information emerged, it appeared that it wasn't just "several" clients. ASI's notification letters and exhibits to two states attorney general indicated approximately 40 companies or insurance carriers as clients that were affected.

Now a spokesperson for one of those clients, Union Security Insurance Company, has informed PogoWasRight.org that 250,000 of their customers had data on the stolen desktop.

Is the ASI incident yet another big breach that has managed to fly under the media radar? It's impossible to say until we find out more, but for those who track and analyze data losses, the ASI breach may serve as yet another useful example of why we need fuller disclosure and reporting laws. Could the number of unencrypted SSN on the stolen desktop run into the millions? Who knows? Unless there's some requirement that ASI reveal those numbers or unless all of the affected clients reveal their numbers, we may never find out how many individuals had their data exposed in this breach, even though the numbers are already significant and are likely much larger.



“We don't need no stinking backups!” (Let's hope this is an April Fools joke.) Clearly a case of “Undue Reliance”

http://hosted.ap.org/dynamic/stories/G/GRADES_GONE?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Apr 1, 6:47 PM EDT

Computer Erases Ind. Students' Grades

EVANSVILLE, Ind. (AP) -- A computer malfunction wiped out a month's worth of grades at three high schools and one middle school, giving struggling students a second chance but dismaying others.

... Upcoming report cards at the four schools will not be issued as scheduled. Instead, the final two weeks of the current six-week period will be combined with the final six weeks of the year into an eight-week reporting period.

... The school district's announcement said IBM engineers determined the loss of data was caused by "an unfortunate and very rare combination of hardware problems and backup configuration settings."



Follow-up: Creating the (im)perfect e-alibi?

http://seattlepi.nwsource.com/local/357260_craigslistcrime02.html

Police: Couple covered up theft with Craigslist post

THE ASSOCIATED PRESS Last updated April 1, 2008 9:10 a.m. PT

MEDFORD, Ore. -- It wasn't a hoax or revenge that cost a Southern Oregon man many of his belongings when people responded to a Craigslist posting and nearly emptied his rural home, officers say: It was a pair of thieves covering their tracks.



See how the other half legislates...

http://www.bespacific.com/mt/archives/017994.html

April 01, 2008

Cybercrime Legislation: EU Country Profiles

Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."

  • Octopus Interface 2008 - Cooperation against Cybercrime,
    Tuesday 1 - Wednesday 2 April 2008, Council of Europe, Strasbourg, France. "The 2008 Conference will focus on the cooperation between service providers and law enforcement, the state of cybercrime legislation and the effectiveness of international cooperation. In the face of the increasing vulnerability of societies to the threat of cybercrime the Conference provides a platform for enhancing cooperation among key stakeholders from around the world."



Interesting. I wonder if this impacts Metadata?

http://it.slashdot.org/article.pl?sid=08/04/02/0133212&from=rss

Blocking Steganosonic Data In Phone Calls

Posted by kdawson on Wednesday April 02, @03:18AM from the could-you-repeat-that-please dept. Encryption Science

psyced writes

"Steganography is a technique to encode secret messages in the background noise of an audio recording or photograph. There have been attempts at steganalysis in the past, but scientists at FH St. Pölten are developing strategies to block out secret data in VoIP and even GSM phone calls by preemptively modifying background noise (link is to a Google translation of the German original) on a level that stays inaudible or invisible, yet destroys any message encoded within. I wonder if this method could be applied to hiding messages in executables, too."
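As an added example, not code from the Slashdot post, the FH St. Pölten researchers or this blog: the simplest form of audio steganography writes a message into the least-significant bits of 16-bit PCM samples, and the countermeasure the post describes amounts to dithering every sample by a step or two before the call is forwarded. The cover audio, the message and the dither amplitude below are all constructed for the demo; a real system would work on decoded VoIP or GSM frames. The point it shows is that if the hidden bits live in noise the carrier is free to change, the carrier can wipe them without audibly touching the signal.

```python
"""LSB audio steganography versus pre-emptive dithering.

Added example, not from the article or the FH St. Poelten work. The cover
signal is synthesised here (a 440 Hz tone plus a little noise), the message
and dither amplitude are chosen for the demo.
"""
import math
import random

SAMPLE_RATE = 8000  # Hz, assumed for the synthetic cover


def make_cover(n_samples, seed=1):
    """Constructed cover: a tone with a few LSBs of background noise, 16-bit range."""
    rng = random.Random(seed)
    cover = []
    for t in range(n_samples):
        tone = 8000 * math.sin(2 * math.pi * 440 * t / SAMPLE_RATE)
        cover.append(int(tone) + rng.randint(-50, 50))
    return cover


def embed_lsb(samples, message):
    """Write the message bits (MSB first) into the LSB of consecutive samples."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("cover too short for message")
    stego = list(samples)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & ~1) | bit  # changes each sample by at most 1
    return stego


def extract_lsb(samples, n_bytes):
    """Read n_bytes back out of the LSBs of the first 8*n_bytes samples."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def scrub(samples, amplitude=2, seed=7):
    """Countermeasure: add random dither of +/- amplitude quantisation steps
    to every sample. At 16-bit depth this is inaudible, but it re-randomises
    the LSB plane that carries the hidden payload."""
    rng = random.Random(seed)
    return [max(-32768, min(32767, s + rng.randint(-amplitude, amplitude)))
            for s in samples]


def max_abs_diff(a, b):
    """Largest per-sample change between two equal-length signals."""
    return max(abs(x - y) for x, y in zip(a, b))


def bit_errors(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo(message=b"meet at 0900"):
    """Embed, recover, scrub, and try to recover again."""
    cover = make_cover(4096)
    stego = embed_lsb(cover, message)
    recovered = extract_lsb(stego, len(message))
    scrubbed = scrub(stego)
    after_scrub = extract_lsb(scrubbed, len(message))
    return {
        "recovered": recovered,              # intact before scrubbing
        "after_scrub": after_scrub,          # garbage after scrubbing
        "embed_distortion": max_abs_diff(cover, stego),     # <= 1 step
        "scrub_distortion": max_abs_diff(stego, scrubbed),  # <= 2 steps
        "bit_errors": bit_errors(message, after_scrub),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want. The dither has to be freshly random per call (a fixed pattern could be subtracted out by the receiver), and this only defeats encoders that put the payload in the raw LSB plane; a payload spread across many samples with error correction can survive a couple of steps of noise, which is why real blocking work has to reason about the noise floor rather than just the low bits.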



Quantity has a quality of its own...

http://www.infoworld.com/article/08/04/01/Storage-revolution-shuffling-IT-jobs_1.html?source=rss&url=http://www.infoworld.com/article/08/04/01/Storage-revolution-shuffling-IT-jobs_1.html

Storage revolution shuffling IT jobs

Enterprises are creating data at an astounding rate, and the new technologies for dealing with that data are also creating new job types

By Stephen Lawson, IDG News Service April 01, 2008

... Demand for storage capacity has grown by 60 percent per year and shows no signs of slowing down, according to research company IDC. New disclosure laws, which require more data to be preserved and retrievable, also are making storage management a bigger job.



Total Information Awareness by any other name, smells... If access to Database X by State A is found to be “illegal, immoral, or fattening” they will humbly end that access – and State B will take over...

http://www.pogowasright.org/article.php?story=20080402062738429

Centers Tap Into Personal Databases

Wednesday, April 02 2008 @ 06:27 AM EDT Contributed by: PrivacyNews News Section: State/Local Govt.

Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver's license photographs and credit reports, according to a document obtained by The Washington Post.

One center also has access to top-secret data systems at the CIA, [It only takes one to “share” that data. Bob] the document shows, though it's not clear what information those systems contain.

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips [“I have evidence...” Joe McCarthy Bob] and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

Source - Washington Post

[From the article:

The list of information resources was part of a survey conducted last year, officials familiar with the effort said. It shows that, like most police agencies, the fusion centers have subscriptions to private information-broker services that keep records about Americans' locations, financial holdings, associates, relatives, firearms licenses and the like.



What happened to “Your data is safe with us?”

http://www.pogowasright.org/article.php?story=20080401130817175

UK national ID database tested with FBI criminal data

Tuesday, April 01 2008 @ 01:08 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

THE HOME OFFICE is testing its identity scheme database with criminal data supplied by the FBI, the INQUIRER has learned.

The Identity and Passport Service said in a written statement that the FBI had agreed to supply data from the Integrated Automated Fingerprint Identification System (IAFIS), its biometric criminal database.

"IPS has a Memorandum of Cooperation with the FBI which enables the FBI to provide IPS anonymised fingerprint data for the purposes of testing our biometric systems," said the statement.

The IPS did not say how many records or precisely what fields of the FBI database would be used to test the ID system. But it did say that the test data would be "available in the millions", and that it would include 10-print fingerprint records.

Source - The Inquirer

Comment: I kept looking to see if there was any reference to today's date or April's Fool, but it appears to be for real. -- Dissent



“Let us make your life better (and you easier to surveil)”

http://www.pogowasright.org/article.php?story=20080401180511476

Using Tire Pressure Sensors To Spy On Cars

Tuesday, April 01 2008 @ 06:05 PM EDT Contributed by: PrivacyNews News Section: Surveillance

Beginning last September, all vehicles sold in the US have been required to have Tire Pressure Monitoring System (TPMS) installed. An article up at HexView enumerates privacy issues introduced by TPMS, and some of them look pretty scary. Did you know that traffic sensors on highways can be adopted to read TPMS data and track individual vehicles?

Source - slashdot

[Original article: http://www.hexview.com/sdp/node/44 ]
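What makes TPMS a tracking token is that each sensor broadcasts a fixed unique ID in the clear, and a car carries four of them. As an added example, not from the HexView article or this blog, here is how a roadside reader network would turn those IDs into vehicle itineraries. The reader log is constructed, the reader names and sensor IDs are made up, and the frame decoding is assumed to have already happened; the logic is the interesting part: IDs heard within a few seconds of each other at one reader are one passing car, and a car is re-identified at the next reader if it shares most of its IDs, so a single swapped wheel does not break the track.

```python
"""Linking TPMS sensor IDs heard by roadside readers into vehicle tracks.

Added example, not from the HexView article. The log, reader names and
sensor IDs are constructed; a real reader would decode the RF frames and
hand over (reader, time, sensor_id) tuples like these.
"""
from collections import defaultdict

# Constructed reader log: (reader, time_s, sensor_id).
READER_LOG = [
    ("reader-A", 100, 0xA1B2C3D1), ("reader-A", 100, 0xA1B2C3D2),
    ("reader-A", 101, 0xA1B2C3D3), ("reader-A", 101, 0xA1B2C3D4),    # car 1
    ("reader-A", 140, 0x5555AAA1), ("reader-A", 141, 0x5555AAA2),
    ("reader-A", 141, 0x5555AAA3), ("reader-A", 142, 0x5555AAA4),    # car 2
    ("reader-B", 1300, 0xA1B2C3D2), ("reader-B", 1300, 0xA1B2C3D1),
    ("reader-B", 1301, 0xA1B2C3D4), ("reader-B", 1301, 0xA1B2C3D3),  # car 1 again
    ("reader-C", 2600, 0xA1B2C3D1), ("reader-C", 2600, 0xA1B2C3D2),
    ("reader-C", 2601, 0xA1B2C3D3), ("reader-C", 2601, 0x0BADF00D),  # car 1, one wheel replaced
    ("reader-C", 2700, 0x5555AAA1), ("reader-C", 2700, 0x5555AAA2),
    ("reader-C", 2701, 0x5555AAA3), ("reader-C", 2701, 0x5555AAA4),  # car 2
]


def group_passes(log, gap_s=3):
    """Split each reader's stream into bursts: IDs heard within gap_s seconds
    of each other are one passing vehicle. Returns a time-ordered list of
    (reader, first_seen, frozenset_of_ids)."""
    by_reader = defaultdict(list)
    for reader, t, sid in log:
        by_reader[reader].append((t, sid))
    passes = []
    for reader, events in by_reader.items():
        events.sort()
        burst, t_first, t_last = set(), None, None
        for t, sid in events:
            if t_first is not None and t - t_last > gap_s:
                passes.append((reader, t_first, frozenset(burst)))
                burst, t_first = set(), None
            if t_first is None:
                t_first = t
            burst.add(sid)
            t_last = t
        if burst:
            passes.append((reader, t_first, frozenset(burst)))
    passes.sort(key=lambda p: p[1])
    return passes


def link_vehicles(passes, min_shared=3):
    """Assign each pass to a vehicle: a pass joins an existing vehicle if it
    shares at least min_shared sensor IDs with it (so one swapped wheel does
    not break the track); otherwise it starts a new vehicle. Returns one
    [(reader, time), ...] itinerary per vehicle, in first-seen order."""
    vehicles = []  # list of (known_ids, itinerary)
    for reader, t, ids in passes:
        for known, route in vehicles:
            if len(known & ids) >= min_shared:
                known |= ids  # learn the replacement wheel's ID as well
                route.append((reader, t))
                break
        else:
            vehicles.append((set(ids), [(reader, t)]))
    return [route for _, route in vehicles]


def track(log=READER_LOG):
    """Full pipeline over a reader log."""
    return link_vehicles(group_passes(log))


if __name__ == "__main__":
    for n, route in enumerate(track()):
        print(f"vehicle {n}: {route}")
```

Nothing here needs a plate, a name or a warrant; it only needs readers in range and a database that retains the sightings, which is exactly the concern the article raises.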



Interesting but incomplete. I think this is inevitable as both employees and computers are viewed as commodities, but the issue is appropriate management and control – something most IT departments seem unable to accomplish.

http://www.infoworld.com/article/08/04/02/14FE-user-managed-pc_1.html?source=rss&url=http://www.infoworld.com/article/08/04/02/14FE-user-managed-pc_1.html

IT heresy revisited: Let users manage their own PCs

Large companies such as BP and Google are rethinking the idea of IT controlling users' computers and sharing their lessons from the frontlines

By Tom Sullivan April 02, 2008

Users should choose and manage their own PCs.



Everyone?

http://wendy.seltzer.org/blog/archives/2008/04/01/who-needs-more-computer-security-education.html#comments

April 1, 2008

Who needs more computer security education?

Filed under: Berkman, politics, code — wseltzer @ 5:34 pm

Berkman’s Stop Badware project just released a new study, in which they report the “paradox” that most users feel safe online, despite a rash of malefactors and potential mishaps:



A Zamzar competitor. (Another way to bypass YouTube filters?)

http://www.killerstartups.com/Video-Music-Photo/CatchVideonet---Download-Your-Fav-Youtube-Videos/

CatchVideo.net - Download Your Fav Youtube Videos

This site will convert your beloved YouTube video into any one of six formats (mpeg, mov, mp4, 3gp, mp3 or flv), so that you’ll be able to watch it whenever and wherever you want. That’s not all either. It’s also incredibly easy to use—a chimp could do it. Just enter the URL of the video you want, select your format and hit the ‘Convert and Download’ button. Listo. That’s it, your video’s ready to run.

http://catchvideo.net/



I'm a big Monty Python fan, so I find this website both informative and amusing. Why don't more organizations do this? Thanks to Ralph Losey (http://ralphlosey.wordpress.com/) for providing a bit of comic relief.

... If you are ready for a humorous interlude at this point, see the video below of John Cleese providing his in depth analysis of Rule 26 [e-Discovery Bob] (thanks to his sponsor, Iron Mountain, and their funny website: friendlyadvicemachine.com).

Tuesday, April 01, 2008

Today is April 1st. That means there are a number of April Fool stories on the sites I read. So I had to be extra careful in checking them out. OR I might have let one or two slip into this blog to see if you are paying attention. OR I did try to keep them out, but that last sentence was simply a way to cover my (quite extensive) butt. OR ALL of the articles today are bogus. (Cue the Twilight Zone theme: du du de du, du du de du)



Not much detail, but an actual apology on their website – not the TJX model...

http://www.pogowasright.org/article.php?story=20080331200333221

Advance Auto says data on 56,000 customers exposed

Monday, March 31 2008 @ 08:03 PM EDT Contributed by: PrivacyNews News Section: Breaches

Advance Auto Parts Inc said Monday a "network intrusion" had exposed credit card, debit card and checking account information for up to 56,000 customers and was the subject of a criminal investigation.

The auto parts retailer said 14 of its stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, had been affected.

Source - Forbes



Note that a good (read: highly paid) spin doctor can state the obvious (people may have used their cards more than once) in a way that makes it seem they have somehow mitigated this disaster. No indication if they were in PCI compliance or using encrypted communications.

http://www.pogowasright.org/article.php?story=20080331200455862

Credit cards at ski resort compromised

Monday, March 31 2008 @ 08:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

A Vermont ski resort has been the target of a security breach that may have compromised tens of thousands of credit cards.

Okemo Mountain Resort said Monday that hackers broke into its computer network and potentially gained access to credit card data from 28,168 transactions between Feb. 7 and Feb. 22 and 18,401 credit cards between January and March 2006.

The number of affected cardholders is unknown but Okemo said it expects it to be lower than the number of transactions.

Source - Forbes



Another “guide” resource.

http://www.phiprivacy.net/?p=180

Apr-1-2008

Genetic Privacy Page

The World Privacy Forum has published a new page on genetic privacy outlining basic policy issues and collecting World Privacy Forum work in the area. The page also links to key external research being done in privacy and genetics, and also links to key organizations doing work in this area in the U.S. and the U.K.

See their Genetics Privacy Page


...and another

http://www.pogowasright.org/article.php?story=20080401073248870

New Rules on School Privacy Law Proposed

Tuesday, April 01 2008 @ 07:32 AM EDT Contributed by: PrivacyNews News Section: Minors & Students

The Department of Education this week proposed the most comprehensive update of its regulations for the main federal school privacy law in two decades.

The more than 30 pages of proposed rules for the Family Educational Rights and Privacy Act, or FERPA, include protections for educators who seek to share information to protect a student’s health or safety, new guidelines for school districts on sharing student data with educational researchers, and a proposed requirement that schools safeguard electronic and other records, including from some school staff members.

Source - Education Week

Related - Federal Register, March 24



Pass this to your security geek (and perhaps your Legal Dept?) Might be the start of a “What's Possible” for e-discovery.

http://books.slashdot.org/article.pl?sid=08/03/31/143235&from=rss

Windows Forensic Analysis

Posted by samzenpus on Monday March 31, @02:07PM from the read-all-about-it dept.

Don Wolf writes

"Computer forensics is a rapidly growing discipline and an even faster growing business. Whether it's the natural progression of technological science pertaining to crime or perhaps the digression of a few elite information security professionals, computer forensics is ever so slowly gaining credibility in the otherwise PhD dominated field of criminal science. Computer evidence continues to be showcased in some of the most high-profile and controversial court cases in history, from the murder case of Laci Peterson to the multi-billion dollar Enron scandal. Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice."

Keep reading for the rest of Don's review.



Background for Security Planning?

http://www.technewsworld.com/rsstory/62066.html

Cyber-Thieves' New Target: Business Processes

By Jack M. Germain TechNewsWorld 04/01/08 4:00 AM PT

... "The two things that stand out the most in this new report are the dramatic increase in attacks against businesses and the casual response from company officials about protecting their e-mail," Benham told TechNewsWorld.

... Infections from viruses and spyware are the No. 1 e-mail security concern. These security worries are followed by data breaches and spam. More than half of the respondents experienced spyware and virus attacks in 2007. Over 40 percent dealt with a phishing attack.

Download the full report (3.4 MB) [Registration required Bob]



Is this an indication of some systemic weakness in Australia? Or...

http://www.pogowasright.org/article.php?story=20080331204430374

Aussies hit by ID theft

Monday, March 31 2008 @ 08:44 PM EDT Contributed by: PrivacyNews News Section: Breaches

ALMOST a quarter of the Australian population have been affected by identity theft, a new study has found.

The study by Veda Advantage research found 23 per cent had been affected and that, oddly, those in the most tech savvy age group 16-24 years of age were the least likely to have done something to prevent it.

As many as nine out of 10 people in that age bracket admitted they had taken no measure whatsoever to protect themselves.

Source - Courier Mail


...is it just easy to steal IDs everywhere?

http://www.pogowasright.org/article.php?story=20080331204319739

NZ: Teenager guilty of million-dollar hacking campaign

Monday, March 31 2008 @ 08:43 PM EDT Contributed by: PrivacyNews News Section: Breaches

A New Zealand teenager accused of leading an international ring of computer hackers which skimmed millions of dollars from bank accounts was today convicted of illegal computer hacking.

Owen Thor Walker, 18, pleaded guilty yesterday to six charges related to using computers for illegal purposes. Police allege that he led a group of hackers who took control of 1.3m computers around the world without their owners' knowledge.

Source - Guardian

[From the article:

Although several of the charges he was convicted of carry maximum terms of five years' imprisonment, Judge Arthur Tompkins said he was not considering prison. [Is it ethical for a judge to signal intent before the trial? Bob]



How exposed are you on the web?

http://www.pogowasright.org/article.php?story=20080331103700171

Identifight Tells You What Sites Your Email Address Is Publicly Linked To

Monday, March 31 2008 @ 10:37 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Matthew wrote in to complain about a new website called Spokeo, which sounds like a stalker's dream: it sucks up all the entries in your address book, then returns a Big Brothery smorgasbord of all the publicly accessible accounts and services linked to each email address, along with updates any time something happens. It might surprise you to see just how easy it is for someone to assemble a picture of your Internet footprint with only an email address.

Don't like the sound of that? Luckily for you, someone has already been inspired to follow Spokeo's model and create a tool—Identifight—that lets you track your own email address to see what shows up, so you can patch up privacy leaks.

Source - The Consumerist blog



This could be interesting – and expensive.

http://techdirt.com/articles/20080321/171235620.shtml

Is It Unconstitutional To Restrict Time On A Library Computer?

from the seems-a-bit-extreme dept

A woman in Florida is claiming that it's a violation of her First Amendment rights that a library is restricting the amount of time patrons can spend on a computer. She's also upset that they're asking for ID before you can log on. The library says they're doing this to keep the wait down for a computer, but the woman says it's to keep homeless people and other low-income people from using computers. It may be a difficult case to prove, as it hardly seems like the library is preventing people from using the computers altogether -- just limiting how long they can use them in a single sitting. Even then, the limit of two and a half hours does seem pretty long. The requirement for an ID might be an issue, if there are people with no IDs, but it's still difficult to see this as a First Amendment issue.



It is nice to see that, with all the pontificating back and forth, someone is actually checking the facts. Now if only Congress-beings could read...

http://www.pogowasright.org/article.php?story=20080331101731461

CRS: Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers

Monday, March 31 2008 @ 10:17 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

... This report discusses recent legislative and regulatory efforts to protect the privacy of customer telephone records and efforts to prevent the unauthorized use, disclosure, or sale of such records by data brokers. In addition, it provides a brief overview of the confidentiality protections for customer information established by the Communications Act of 1934. It does not discuss the legal framework for the disclosure by telephone companies of phone records to the government. For an overview of laws that address disclosure of telephone records to the government, see CRS Report RL33424, Government Access to Phone Calling Activity and Related Records, by Elizabeth B. Bazan, Gina Marie Stevens, and Brian Yeh. For an overview of federal law governing wiretapping and electronic eavesdropping, see CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Marie Stevens and Charles Doyle. This report will be updated when warranted.

Source - CRS: Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers [pdf], March 10, 2008



I bet Sony wishes this was a joke...

http://arstechnica.com/news.ars/post/20080331-sony-bmgs-hypocrisy-company-busted-for-using-warez.html

Sony BMG's hypocrisy: company busted for using warez

By David Chartier | Published: March 31, 2008 - 02:12PM CT

Sony BMG is no stranger to piracy. As one of the most vocal supporters of the RIAA and IFPI antipiracy efforts, the company has some experience hunting down and punishing consumers who don't pay for its products. The company is getting some experience on the other side of the table, however, now that it's being sued for software piracy.

PointDev, a French software company that makes Windows administration tools, received a call from a Sony BMG IT employee for support. [Bob's 49th rule: Don't steal what you don't understand. Bob] After Sony BMG supplied a pirated license code for Ideal Migration, one of PointDev's products, the software maker was able to mandate a seizure of Sony BMG's assets. The subsequent raid revealed that software was illegally installed on four of Sony BMG's servers. The Business Software Alliance, however, believes that up to 47 percent of the software installed on Sony BMG's computers could be pirated. [Not a totally unbiased source Bob]

These are some pretty serious—not to mention ironic—allegations against a company that's gone so far as to install malware on consumers' computers in the name of preventing piracy.

While PointDev is claiming €300,000 (over $475,000) in damages in its suit against Sony BMG, Agustoni Paul-Henry, PointDev's CEO, says (from a Google translation of a French report) that this is more about principle than money: "We are forced to watch every week if key software pirates are not [sic] on the Internet. We are a small company of six employees. Instead of trying to protect us, we could spend this time to develop ourselves."

Paul-Henry thinks Sony BMG's piracy of PointDev's products is the fault of more than just a single employee (again, translated): "I think piracy is linked to the policy of a company. If the employee has the necessary funding to buy the software he needs, he will. If this is not the case, he will find alternative ways, as the work must be done in one way or another."



R this the right wae to teach kids to read?

http://www.killerstartups.com/eCommerce/AudibleKidscom---Reading-Is-Easy-If-Youre-Listening/

AudibleKids.com - Reading Is Easy (If You're Listening)

Remember Reading Rainbow? It was great, educational, and all sorts of book-loving goodness. We all loved that guy from Star Trek letting us in on books like Amelia Bedelia and Where The Wild Things Are. Even the old school graphics and jingle were so catchy and cool, you’d have to stop yourself from singing it in the bath. Nowadays, it seems like reading went the way of the dinosaurs. Dead. Gone. Rare at best. Luckily, there’s AudibleKids. If you’re familiar with Audible, the site that provides audio book pleasure for users everywhere, then you’ll get the idea of AudibleKids. It’s the kid-sized version of Audible. It’s the Reading Rainbow for the 2000s. Parents can create profiles for their kids and set content controls. Profiles show what you’ve downloaded and act as a way to network and get to know other audiophiles. Audio books are searchable by age group, keyword, award winners, etc. Once you’ve downloaded the software, you can listen to the audiobooks on your device of choice. To whet your child’s reading appetite, there’s a nice selection of free books to download.

http://audiblekids.com/



This looks like fun.

http://www.killerstartups.com/Blogging-Widgets/Innertoobcom---The-Next-Level-of-Podcasting/

Innertoob.com - The Next Level of Podcasting

If you are a podcaster or blogger looking for a way to make your podcasting completely interactive and user friendly, then Innertoob is the service for you. Innertoob allows you to upload any mp3 or flash link and then create the most dynamic podcast possible. Make real-time comments directly on the screen and create easy-to-click time posts, allowing people to jump to the parts of the recording that you have commented on. People can respond to these comments in real time, so your file becomes a constantly changing resource where people can discuss things as they listen. Users can also easily change the screen size, and clicking from one time post to the next is simple. So if you are looking for a way to have a real-time discussion on your podcast, then look no further.

http://www.innertoob.com/