Saturday, May 24, 2008

Once again in the news. Once again setting new standards for bad security management.

http://www.pogowasright.org/article.php?story=20080523191815198

TJX employee fired for exposing shoddy security practices

Friday, May 23 2008 @ 07:18 PM EDT Contributed by: PrivacyNews News Section: Breaches

TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, [“Our employees are too dumb to remember a password...” Bob] the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Source - The Register

[From the article:

So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum.

... The account has us wondering if other TJX employees have tales similar to Benson's. If so, please contact your reporter using this link. (Anonymity assured.) [Perhaps we need a national “rat out your employer” web site? Bob]


Related

http://www.pogowasright.org/article.php?story=2008052406175281

Most Retailer Breaches Are Not Disclosed, Gartner Says

Saturday, May 24 2008 @ 06:17 AM EDT Contributed by: PrivacyNews News Section: Breaches

While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.

In a new study based on interviews with 50 U.S. retailers, Gartner found that 21 of them were certain they had had a data breach. However, just three of the retailers had disclosed the incident to the public.

The small number of retailers in the survey make it impossible to draw any firm conclusions from the data, but it does underscore a noteworthy trend, said Gartner analyst Avivah Litan. "Sensitive data is being stolen and most of the time it's not being disclosed," she said. "There are a lot more breaches than we hear about."

Source - PC World

[From the article:

Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.

And this type of crime is not going away. Credit card companies predict that payment card fraud rates will double over the next two years, the research company said.


Also related. I wonder if their “forensic expert” offered to assume some liability if they are wrong?

http://www.pogowasright.org/article.php?story=20080521070651112

Saks: laptops recovered, so no need to notify customers

Friday, May 23 2008 @ 10:00 AM EDT Contributed by: PrivacyNews News Section: Breaches

Back in mid-April of this year, retailer Saks Fifth Avenue (SFA) discovered that four laptops had been stolen. Two of the stolen laptops contained names, addresses, and credit card information on some of their customers. On April 30, Saks notified the New Hampshire and Maryland attorneys general of the incident and their intent to notify customers of the loss.

But according to an updated notification [pdf] from SFA dated May 16, two of the four laptops were reportedly recovered by police within 24 hours of SFA's letter to the states' attorneys general, and the remaining two laptops were recovered "shortly thereafter." SFA says that they then retained an "independent, certified forensics company that analyzed the recovered laptops and was able to confirm that none of the personal data on any of the laptops was accessed or compromised in any way." [I need to do more research. As far as I know, it is impossible to make this claim with certainty. Bob]

Relying on the forensics report, SFA concluded that there is "no risk of identity theft or fraud to the individuals whose information was on those laptops," and cancelled their plan to send out notifications to customers.

Perhaps SFA does not realize that the breach report was posted on the internet where their customers might find out about it. Or perhaps SFA thinks that their customers will agree with them that there was no need to notify them in light of the forensics report. But at least one customer who was interviewed about the situation felt otherwise. "I would want to know everything," said Frances, a long-time SFA customer who prefers to be identified by only her first name. "Even if they think there is no risk, I would want to be told, just in case."

Calls to SFA for a statement were not answered by the time of publication.



Of course you only want to steal the best identities...

http://www.phiprivacy.net/?p=427

May-24-2008

HOSP ID-THEFT DUO NAILED

Erika Martinez reports in the NY Post:

Two information specialists at a Brooklyn hospital stand accused of swiping patient information to open bogus credit-card accounts and shop online while working.

Jessica Paul, 23, and Jessica Darden, 20, of Maimonides Medical Center in Borough Park, accessed patient files and ran the names through a credit-check Web site, seeking people with high credit ratings, authorities said.

Paul is accused of stealing the identities of four people from March 1 to May 7 and of using a doctor’s computer to set up Neiman Marcus and PayPal accounts.

Full story - NY Post



Cute. If you copy the slides, remember to keep checking for new and bigger breaches...

http://www.networkworld.com/slideshows/2008/052208-laptop-losers.html?ts

Laptop Losers Hall of Shame

By Carolyn Duffy Marsan, Network World, 05/22/08

Here's a list [Slides, actually. Bob] of the 10 biggest (known) security breaches from lost or stolen laptops, where government agencies, corporations and colleges failed to safeguard the names, Social Security numbers and other personal info of their customers. Encryption software - which costs as little as $10 per laptop - could have prevented most of these incidents.



Another HP-style witch hunt?

http://www.pogowasright.org/article.php?story=20080524063449729

Deutsche Telekom Suspected of Privacy Breaches

Saturday, May 24 2008 @ 06:34 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Security staff at telecoms giant Deutsche Telekom are suspected of breaching German data privacy laws during a secret attempt to identify the sources of high-level leaks to the media, the company said Saturday, May 24.

Using the company's own records of millions of numbers dialed, the dates and the durations, the internal-security unit had hunted for possible matches between news reporters and Telekom directors.

Source - dw-world.de



Almost there... Does the right to confront your accuser trump the 'privacy card?'

http://www.kjct8.com/Global/story.asp?S=8373982

Greeley schools agree to let parents see school bus video

Associated Press - May 23, 2008 8:24 PM ET

GREELEY, Colo. (AP) - Greeley school officials have agreed to let parents of students disciplined for bad behavior on school buses to view security video of what happened.

... School officials said Friday they think they can respect students' privacy while allowing parents to view video in disciplinary cases. The district is still determining specific procedures for viewings.



A tool for the nervous browser? Far from foolproof, but far better than nothing.

http://searchengineland.com/080523-075927.php

May. 23, 2008 at 7:59am Eastern by Barry Schwartz

Google's Safe Browsing Diagnostic Tool

A week ago Google announced the release of a safe browsing diagnostic tool. To use the tool, just append a URL to the end of http://www.google.com/safebrowsing/diagnostic?site=.

For example, to test this site, you would enter http://www.google.com/safebrowsing/diagnostic?site=http://searchengineland.com/. Google will then return four sets of security information about that page.

... The Zero Day blog has some additional information on this Google security release.



This could be useful, even if it is written in Canadian...

http://www.pogowasright.org/article.php?story=20080524062322326

Ca: New book launched to help businesses comply with privacy law

Saturday, May 24 2008 @ 06:23 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The Office of the Privacy Commissioner of Canada (OPC) today launched a new book to help businesses comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy law. Leading by Example: Key Developments in the First Seven Years of PIPEDA was unveiled at a three-day summit organized by the International Association of Privacy Professionals.

Source - CNW Group

Related - Leading by Example: Key Developments in the First Seven Years of the Personal Information Protection and Electronic Documents Act (PIPEDA) (69 pages, pdf)
Related - html formatted book



A whole new field of employment for my hacking students?

http://arstechnica.com/news.ars/post/20080522-the-future-of-political-dirty-tricks-and-deception-online.html

The future of political dirty tricks and deception online

By Julian Sanchez | Published: May 22, 2008 - 07:30PM CT

Make sure your driving record is clear, citizen. See that you've paid off your parking tickets and paid up your child support, and remembered to bring two forms of ID before showing up to the polls on Thursday. That's the preposterous, predictable refrain of the voter "information" flyers and robocalls that crop up like clockwork—usually in minority neighborhoods—during election season, touting ersatz endorsements, fictitious voting requirements, and precisely-wrong times, dates, and places at which to make your voice heard in the democratic process. With old-fashioned smear campaigns already proving disturbingly effective in digital form, civil rights activists worry that it's only a matter of time before voter suppression tactics make the leap to the Internet. Earlier this week, at the annual Computers, Freedom and Privacy conference, they braced for the inevitable.


Related? I think so. “If we don't have the ability to hang the occasional chad, anyone could be President!”

http://news.cnet.com/8301-10784_3-9951458-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Senators: No need for paper e-voting trails, 'electronic' ones are OK

Posted by Anne Broache May 23, 2008 12:20 PM PDT


Computer scientists have pressed for e-voting paper trails for years, in peer reports and in testimony on Capitol Hill. Now it looks like Congress is poised to ignore this idea: forthcoming legislation will say that a backup "electronic" record is OK too.



The law seems to “suggest” that electric suppliers might want to comply, but they can “accept the risk” instead and they don't need to buy new equipment. Sounds like they wrote the law... “You want a warm fuzzy feeling? Microwave your cat.”

http://www.bespacific.com/mt/archives/018420.html

May 23, 2008

FERC Chairman Testifies on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid Event

Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid

  • "The Congress made FERC responsible for overseeing the reliability of the bulk power system, but it provided specific restrictions on the procedures to be used to develop and put into effect mandatory reliability standards. [Section 215 of the Federal Power Act] is an adequate basis to protect the bulk power system against most reliability threats, and for that reason I do not believe there is a need to amend section 215. However, I believe a different statutory mechanism is needed to protect the grid against cyber security threats, given the nature of these threats."

Friday, May 23, 2008

If nothing else, the inability to determine exactly what is on your tapes (or laptops) keeps your name in the news as each new “discovery” makes headlines.

http://www.pogowasright.org/article.php?story=20080523081108864

Customer Info From More Banks May Be On Lost Tape (BNY update)

Friday, May 23 2008 @ 08:11 AM EDT Contributed by: PrivacyNews News Section: Breaches

Personal and financial information for customers of Wachovia Bank, Webster Bank and other Connecticut banks may also have been contained on a computer tape that has been missing since late February, Attorney General Richard Blumenthal said Thursday.

The information could compromise personal data for many more Connecticut depositors, well beyond the 556,000 customers of People's United Bank whose information has been confirmed to be on the missing tape, Blumenthal said.

Source - Courant.com



Spreading sand on the slippery slope?

http://blog.wired.com/27bstroke6/2008/05/isp-content-f-1.html

Former Prosecutor: ISP Content Filtering Might be a 'Five Year Felony'

By Ryan Singel May 22, 2008 | 3:23:35 PM

NEW HAVEN, Connecticut -- Internet service providers that monitor their networks for copyright infringement or bandwidth hogs may be committing felonies by breaking federal wiretapping laws, a panel said Thursday.

University of Colorado law professor Paul Ohm, a former federal computer crimes prosecutor, argues that ISPs such as Comcast, AT&T and Charter Communications that are or are contemplating ways to throttle bandwidth, police for copyright violations and serve targeted ads by examining their customers' internet packets are putting themselves in criminal and civil jeopardy.

"These ISPs are getting close to the line of illegality and may be violating the law," Ohm told conference goers at the Computers, Freedom and Privacy conference Thursday.

Charter's proposed test of a system that eavesdrops on the URLs its customers visit, in order to serve them targeted ads, has already spurred a powerful Congressman to question whether the scheme would violate the Cable Act. For its part, Comcast's heavy-handed throttling of peer-to-peer sharing by sending fake stop messages to its customers has the Federal Communications Commission holding hand-wringing public hearings over whether it should ban the practice as being inconsistent with its open network principles.

But Ohm thinks the legal quandary is simpler. These schemes all seem to violate the Wiretap Act, a federal statute banning eavesdropping that comes with criminal and civil penalties. That law has some exceptions for service providers to monitor content, but only when necessary to deliver service, or to protect the company's "rights and property."

In fact, Ohm thinks network system administrators could themselves be in legal trouble, just for following orders from their bosses to install monitoring devices.

"Not only is this a five-year felony, it also has individual accountability," Ohm said. "The sys admin could be sued individually and prosecuted individually. If you are asked by your manager to go and do this kind of monitoring, you yourself may be legally exposed."

Fellow panelist Michael McKeehan, a director of Internet and Technology Policy for Verizon, said his company shares the same legal concerns, which is why it has explicitly said it has no plans to build filters to look for copyright infringers, as AT&T has said it is interested in doing.

"As far as copyright filtering at the net level goes, Verizon is not doing it," McKeehan said. "We see significant legal and policy issues that need study."

He cited privacy issues with monitoring customers, increased liability if the filtering solution misses something and the possibility of falsely identifying a legitimate file transfer as an illicit one, and the possibility that filters will lead to an encryption war with file sharing software, which is already turning to crypto to hide p2p packets from Comcast's filters.

"Do we want to deputize the middle man in this process?" McKeehan asked, sceptically.

Not surprisingly, the panel did not include anyone from an ISP that is filtering or talking about filtering packets. Those ISPs skipped even an FCC hearing in Stanford last month.

But surprisingly, the head lawyer for Intel's System Technology Lab, Brad Biddle did show up, registering Intel's disapproval of network filters -- especially mandated ones -- on the grounds they could slow innovation and even eventually trickle down to hardware makers.

"If you filter for copyright content at the network level, why not filter at the device level?" Biddle asked. "The next step is to have devices screen for watermarks."

Devices and services like the SlingBox, which lets people view their cable television connection using remote devices, could easily be collateral damage of network copyright filters.

"If they aren't going to be allowed to evolve, we all lose," Biddle said.

The movie and music industry is pushing hard to have states and federal government require filters on university networks, and successfully got Tennessee to pass a law earlier this month that would require schools to beef up content filtering any year that a school got more than 50 copyright infringement notices, according to panelist Steven Worona of EDUCAUSE, which represents university IT departments.

"The RIAA would love to have filter mandates -- state or federal," Worona said, calling universities easy, but wrong targets.

"We are the only ISPs that are trying to inform clients or customers that what they are trying to do is illegal," Worona said.

When asked whether Verizon tried to numerically identify known child pornography images, McKeehan said it had given up on a trial of software to check email attachments, in part because the technology can be defeated by changing a single pixel in the image or slightly resizing it.

"They may be perverts but they are not stupid," McKeehan said.

But Ohm isn't convinced that lawmakers will see it that way, and foresees a bill requiring filtering for child pornography -- an issue sometimes called the skeleton key to the Constitution.

"Once you have a mandate built into the law and you give an order that they build in the surveillance architecture, then it is a shorter walk to get Congress to extend that mandate," Ohm said.



“We're protecting you!” (Bad planning. Setting a limit on gallons rather than dollars would have made more sense, but then that information isn't sent to the card processors...)

http://www.greenbaypressgazette.com/apps/pbcs.dll/article?AID=/20080523/GPG0101/805230619/1978/GPGbusiness

More customers cut off at pump

Some credit card companies put limits on pay-at-the-pump transactions

By Maureen Wallenfang Gannett Wisconsin Media May 23, 2008

As gasoline prices rise, more customers are finding pumps shutting off before their gas tanks are full.

Convenience stores and gas stations say they aren't to blame. It's the credit card companies.

It happens when a customer uses a credit card to pay at the pump.

"It's fraud liability, and meant to protect against identity theft," said Shellee Cosgrove, general manager of Walnut One Stop, 515 W. Walnut St., Green Bay, and Walnut Wine & Liquor.

The credit-card limit isn't new, but many customers never noticed it before because they never pumped that much money into a single tank. But with gas prices on the brink of $4 a gallon, it's happening more often now.

Some credit cards limit pay-at-the-pump transactions to $60 or $80. Some gas cards have preset $100 and $125 limits.



My Security students find this a difficult topic to get their heads around.

http://news.cnet.com/8301-13860_3-9950662-56.html?part=rss&subj=news&tag=2547-1_3-0-5

Microsoft embraces 'Bring Your Own Laptop' model

Posted by Ina Fried May 22, 2008 3:50 PM PDT

REDMOND, Wash.--You've heard of BYOB, now get ready for Bring Your Own Laptop.

There's a small but growing trend in which companies are choosing to give employees money toward their personal laptop, rather than providing a company-issued portable. British Petroleum is among the companies that are trying the approach.

One of the technologies that is making that possible is desktop virtualization, which allows companies to put their software or even an entire corporate image onto the device without having to worry about the fact that it doesn't control the entire laptop.

... For the company, such personally owned laptops can save on support costs and serve as a retention tool for Generation Y-ers, said Lee Nicholls, global solutions director for IT consultant Getronics.



There are a couple of articles like this today. Enough to cause a change?

http://www.jacksonville.com/tu-online/stories/052308/met_281977289.shtml

Privacy laws let suspect go free

By MARCIA LANE, St. Augustine Record May 23, 2008

ST. AUGUSTINE - St. Johns County and state law enforcement officials say they were trying to protect county taxpayers' wallets when they decided not to arrest a drug suspect sent to Shands Jacksonville hospital with a self-inflicted head wound.

They didn't plan on Lawrence Jeffrey Sacks walking out of Shands on Sunday and disappearing four weeks after he was taken to the hospital after an April 30 raid on a trailer that housed a marijuana grow house in St. Johns County.

Officials say the hospital was to notify them when Sacks was ready to leave. [Did they ask, or was this just wishful thinking? Bob]

That didn't happen because Sacks was never arrested and, hence, was protected under federal privacy laws. The hospital couldn't release information on him, not even to law enforcement, according to a hospital spokeswoman.

Sacks had a bullet wound to the head when he was taken to the hospital, and St. Johns officials saw no reason to arrest him because they - and St. Johns County taxpayers - would have had to foot the bill, Sheriff's Office spokesman Chuck Mulligan said Thursday.

... Shands, though, is supported by taxpayers, getting funds from both the state and Jacksonville for indigent care.


Interesting that the salvage yard hadn't already salvaged the gasoline...

http://www.wisinfo.com/apps/pbcs.dll/article?AID=2008805230455

Privacy laws are thwarting theft case

The Reporter Staff Posted May 23, 2008; 4:00 AM

JUNEAU — Hospital confidentiality laws appear to be hampering the Dodge County Sheriff Department's search for suspects who may have been injured while attempting to siphon gasoline [When stealing gas at night, don't strike a match? Bob] from equipment at a town of Beaver Dam salvage yard on May 18.

Due to evidence left at the scene, authorities believe the attempt to tap gasoline from equipment parked at Wally's Auto Salvage was thwarted when one of the vehicles burst into flames.



...kinda thought so...

http://news.slashdot.org/article.pl?sid=08/05/22/195233&from=rss

Federal Court Says First-Sale Doctrine Covers Software, Too

Posted by timothy on Thursday May 22, @03:19PM from the it-better dept. The Courts Software

New10k writes

"The US District Court in Seattle has rejected Autodesk's myriad arguments regarding its software licenses and found in favor of eBay seller Timothy S. Vernor. The ruling started by ruling that Vernor was within his rights to resell copies of AutoCAD Release 14 he got in an auction. Once the court settled the legitimacy of reselling, it used that ruling as a lens to dismiss all of Autodesk's various claims. More than once the court described Autodesk's arguments as 'specious' and 'conflicted.'"

Autodesk managed to have Vernor's eBay account pulled, after he listed for sale copies of AutoCad 14. He sued Autodesk in response.



Governments love monitoring their citizens...

http://www.engadget.com/2008/05/22/rim-allows-indian-government-to-monitor-blackberry-network/

RIM allows Indian government to monitor Blackberry network

by Nilay Patel, posted May 22nd 2008 at 2:28PM

Well, it took longer than 15 days to reach a resolution, but apparently RIM is going to back down and allow the Indian government to monitor the Blackberry network in that country. What's worse, it appears that RIM was more interested in covering its own ass than protecting user data during the negotiations: the only concession the company received from the Indian government was a promise that it won't be held liable if there's a leak of users' personal information. [Is that enough to tip the scales in the US? Bob] Yeah, that ought to provide a sparkling incentive to keep things safe. There's no word on when monitoring might begin, but we've got a feeling privacy-loving Indians might suddenly be in the market for a new smartphone.


...but sometimes it gets to be too much. I'll never understand bureaucratic thought (or is that an oxymoron?)

http://techdirt.com/articles/20080521/1350411194.shtml

City Council Tells 'Dumbest Criminal' To Stop Posting So Much Evidence To YouTube

from the give-the-cops-a-challenge,-man dept

We've been mocking various attempts to get laws passed that would make it illegal for criminals to post evidence of their crimes on YouTube. This makes absolutely no sense -- as you're basically telling criminals "stop giving us the evidence we need to convict you." If the criminals are so dumb as to hand over such evidence, shouldn't the police and gov't officials be happy about it? Now, in a rather extreme example of this, the city council for Leeds, in the UK, has banned a man they refer to as one of the city's "dumbest criminals" from posting any more evidence to YouTube. In fact, the City Council even seems to recognize how helpful the guy has been: "He has handed us the evidence against him on a plate. In the last three years, we have seen a 32 per cent reduction in crime in Leeds. If more criminals were as obliging, the city would be even safer." So why would you ban him from uploading such evidence?



Business Model: What level of population density is required to make this work?

http://www.webware.com/8301-1_109-9944477-2.html

Wakozi lets lazy New Yorkers get munchies and booze delivered

By Josh Lowensohn – May 14, 2008, 2:42 PM PDT

... Unlike online grocery stores of yore, Wakozi's not doing any of the stocking or infrastructure necessary to get products out on its own; instead it's just acting as the middle man to get hungry people (or those in need of the spare roll of toilet paper at the most inopportune times) the means to get items delivered fast, and with just a few clicks.

The system works by matching you up with businesses that deliver within a certain geographical threshold. After plugging in your address, you can view an entire listing of these businesses, as well as their menus, delivery charges, hours of business, and estimated time of food arrival. Many promise delivery within half an hour, although others simply list the nebulous "ASAP."

Since launching less than two months ago, creator Robert Rizzo says the site's user base has increased weekly by more than 100 percent. He also says that one of the things that makes his system so potentially powerful is that it tracks what items are selling for each retailer, so they can stock up on items that are popular with the home delivery crowd.

Also worth noting is that the company hasn't spent a dime on advertising, and doesn't plan to until it raises its first round of funding. In the meantime, it's expanding into other areas of New York, including Brooklyn and Queens, before launching in two more major cities later this year.



Business Model: Perhaps starting as a summer job for the kids?

http://www.chicagotribune.com/features/lifestyle/green/chi-thu-grease-fuel-may22,0,2418331.story

Grease sizzles as fuel source

Restaurants provide new takeout as rising energy prices send the demand for biodiesel soaring

By Mike Hughlett and Rick Popely Tribune reporters 12:27 PM CDT, May 22, 2008

In the era of alternative fuels, grease is turning into a pretty slick investment.

Restaurants increasingly are being paid for their used cooking oil, icky stuff that historically they've had to pay to have hauled away. And sales of kits that allow diesel-powered cars to run on used cooking oil are soaring.

With all the attention, rendering firms are reporting a surge in grease thefts.

... The grease market is competitive, with relatively low barriers; after all, it can be just a matter of sucking out gunk from a tank into a truck.

Thursday, May 22, 2008

Another ratio question. Does Tennessee represent only 1/200ths of their business?

http://www.phiprivacy.net/?p=418

HealthSpring says laptop with personal data stolen

Wendy Lee reports: May-22-2008

Nashville-based managed care company HealthSpring Inc. said Wednesday a laptop computer containing personal information of about 450 state residents was stolen in March.

The laptop, believed to contain names, dates of birth and social security numbers of about 9,000 individuals, was stolen from a HealthSpring employee’s locked car on March 30 in Houston, the company said.

[...] The stolen laptop was password protected but not encrypted....

Full story - The Tennessean



Interesting only for the Colorado connection

http://www.pogowasright.org/article.php?story=20080522054254263

NJ: ID thieves hit Elmer auto dealer employees

Thursday, May 22 2008 @ 05:42 AM EDT Contributed by: PrivacyNews News Section: Breaches

Several employees at Country Ford in Elmer, including owner Brent Lilliston, were apparently victims of identity thieves, the auto dealer said Wednesday.

As many as 11 service technicians were affected by an information breach that stretches back at least six months, one of the victims said.

Service technician Colt Gibson, 24, of Crest Avenue in Millville, reported the incident to police Tuesday. He indicated it occurred several months ago and this week he was notified that someone used his name to apply for a Kohl's credit card but was turned down because Gibson had put a lock on his credit report.

In a telephone interview Wednesday afternoon, Gibson said names, addresses, Social Security numbers and home phone numbers of the 11 technicians "somehow ended up in Colorado."

Source - The Daily Journal

[From the article:

"We have no idea how it happened," Gibson said.

... "It looks like the information was taken from years ago and in the last six months things started to pop," Nelson said.

... When he filed the police report, Gibson told investigators the dealership assured its employees the security breach had been eliminated. [Even though “we have no idea how it happened?” Bob]



Why would this device be more secure than any other?

http://www.pogowasright.org/article.php?story=20080521070204808

iPhone forensics toolkit raises questions about privacy

Wednesday, May 21 2008 @ 07:02 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

You may have reason to worry about your personal data resurfacing if you've returned an iPhone back to the Apple Store or sold it on eBay. It appears one developer discovered a serious privacy issue with refurbished iPhones after creating a forensics toolkit that allowed him to recover deleted email, contact information, and other personal data previously stored on his iPhone.

On his website, Jonathan Zdziarski describes how this is possible.

Source - Yahoo! Tech

[From the article:

This means that while the average Joe may not have the know-how to recover deleted files yet, someone who does can easily have access to any data you've ever stored on the phone.


Now this is NOT new, so what's their excuse? (and wouldn't they still need to disclose the “breach?”)

http://www.pogowasright.org/article.php?story=20080521083712396

OKC buyer finds sensitive information on server

Wednesday, May 21 2008 @ 08:37 AM EDT Contributed by: PrivacyNews News Section: Breaches

The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction recently.

Oklahoma City resident Joe Sills discovered more than 5,000 Social Security numbers after purchasing the server and other surplus state computer equipment at an auction last month.

Source - Tulsa World
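Two of the items above, the refurbished iPhones and the auctioned state server, come down to the same mechanism: deleting a file (or "wiping" a device by deleting everything) removes the index entry, not the bytes, which stay on the medium until something overwrites them. What follows is an added illustration of my own, not Zdziarski's toolkit and not anything from the Oklahoma story. It models a file system as a directory plus a flat data area, fills it with constructed sample records (no real data), carves the "deleted" records back out by content signature the way a forensic tool would, and then shows that overwriting the unallocated space is what actually makes them unrecoverable.

```python
"""Why 'deleted' data survives a resale or a surplus auction (added example).

Toy model of a file system: a directory (name -> (offset, length)) plus a
flat data area. Deleting a file only drops its directory entry; the bytes
stay put until something overwrites them. A carver that ignores the
directory and scans for content signatures still finds them.
"""
import re

# Constructed sample records (not real people, not real numbers).
VCARD = b"BEGIN:VCARD\nFN:Jane Example\nTEL:555-0100\nEND:VCARD\n"
HR_ROW = b"RECORD|Jane Example|SSN=000-00-0000|\n"


class ToyDisk:
    def __init__(self, size=4096):
        self.data = bytearray(size)
        self.directory = {}   # name -> (offset, length)
        self._next = 0

    def write(self, name, payload):
        off = self._next
        self.data[off:off + len(payload)] = payload
        self.directory[name] = (off, len(payload))
        self._next += len(payload)
        return off

    def delete(self, name):
        # Ordinary delete: drop the index entry, leave the bytes in place.
        del self.directory[name]

    def read(self, name):
        off, ln = self.directory[name]
        return bytes(self.data[off:off + ln])

    def unallocated_ranges(self):
        # Every byte range the directory no longer references (merged, sorted).
        used = sorted(self.directory.values())
        ranges, cur = [], 0
        for off, ln in used:
            if off > cur:
                ranges.append((cur, off))
            cur = max(cur, off + ln)
        if cur < len(self.data):
            ranges.append((cur, len(self.data)))
        return ranges

    def wipe_free_space(self, fill=b"\x00"):
        # What should happen before hardware leaves your control:
        # overwrite everything the directory does not reference.
        for start, end in self.unallocated_ranges():
            self.data[start:end] = fill * (end - start)


# Signature-based carving: no directory needed, just known content markers.
CARVERS = {
    "vcard": re.compile(rb"BEGIN:VCARD.*?END:VCARD\n", re.S),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


def carve(disk):
    """Scan the raw image, ignoring the directory, and return what each carver finds."""
    raw = bytes(disk.data)
    return {kind: [m.group(0) for m in pat.finditer(raw)] for kind, pat in CARVERS.items()}


def demo():
    """Write two records, delete both, carve; wipe free space, carve again."""
    d = ToyDisk()
    d.write("contacts.vcf", VCARD)
    d.write("hr.csv", HR_ROW)
    d.delete("contacts.vcf")
    d.delete("hr.csv")
    after_delete = carve(d)      # both records still recoverable
    d.wipe_free_space()
    after_wipe = carve(d)        # nothing left to carve
    return after_delete, after_wipe


if __name__ == "__main__":
    deleted, wiped = demo()
    print("after delete:", deleted)
    print("after wipe:  ", wiped)
```

The carver here only knows two signatures; real tools carry hundreds (SQLite pages, JPEG headers, mailbox formats), which is why "I deleted it before I sold it" is not a defensible position. The fix is the same on a phone, a laptop or a surplus server: overwrite (or cryptographically erase by destroying the key of an encrypted volume) before the hardware leaves your control, and pull the drives if you cannot.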



When AG's start making noises like this, it could mean 1) they are running for re-election, 2) they want to make a “name” as 'tough on corporations' in preparation for a run for Governor or 3) their name was on that tape.

http://www.pogowasright.org/article.php?story=20080521142150916

People's customers' data lost (update1)

Wednesday, May 21 2008 @ 02:21 PM EDT Contributed by: PrivacyNews News Section: Breaches

Connecticut Attorney General Richard Blumenthal warned today that thousands of state residents' Social Security numbers and bank account information may have been lost when unencrypted computer back-up tapes disappeared in February.

According to Blumenthal, account holders and share owners of People's United Bank are among the 4.5 million consumers whose personal data was on the tapes.

Blumenthal demanded more information about the incident in a letter to Steven Dalmatch, general counsel of The Bank of New York Mellon Shareowner Services. A spokesman for People's United could not be immediately reached for comment.

Source - Connecticut Post

Related - Statement of Connecticut Attorney General: Data breach at New York bank possibly affecting hundreds of thousands of CT consumers
Related - AP: Bank of N.Y. works with attorney general on security breach
Related - The Day: Bank data breach exposes information on 4.5 million accounts
Related - WTNH: Security breach exposes Social Security, bank account numbers
Previous coverage on PogoWasRight.org: here and here



So where do I go for a refund? A case of “undue reliance?” How do you differentiate between stupidity and criminal intent? (The comments are very interesting...)

http://it.slashdot.org/article.pl?sid=08/05/21/2045247&from=rss

Coding Flaws Caused Moody's Debt Rating Errors

Posted by timothy on Wednesday May 21, @05:31PM from the uh-oh-spaghettios dept. Bug Programming The Almighty Buck News

An anonymous reader writes

"The Financial Times has the story that billions in incorrect AAA ratings given out by Moody's were the result of a coding error in its computer models. 'Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower.'"



Google's spin on the issue...

http://googlepublicpolicy.blogspot.com/2008/05/google-health-privacy-and-hipaa.html

Google Health, privacy, and HIPAA

Monday, May 19, 2008 at 6:32 PM Posted by Mike Yang, Senior Product Counsel

... Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.



Interesting. By the same logic, would you go to jail if I claimed YOU had child porn? (Is one free speech and the other crying “Fire” in a crowded theater?)

http://techdirt.com/articles/20080520/1749381182.shtml

Supreme Court Says Telling People You Have Child Porn Is Illegal... Even If You Don't Have It

from the something-doesn't-seem-right-there dept

I certainly have absolutely no problem with the government going after folks involved in child pornography. [Amen! Bob] However, they shouldn't stretch the laws so far as to make it ridiculous. Unfortunately, however, it looks like the Supreme Court is allowing them to do so. In a recent decision, the Supreme Court okayed a law that makes it illegal to simply try to convince someone else that child pornography is available -- even if it is not. That is, merely telling someone that there is child pornography at a certain link could be considered illegal. Two justices dissented, but seven said the law was fine. The lower court seemed to have it right, noting how problematic it was that this law would apply to "any promoter -- be they a braggart, exaggerator, or outright liar -- who claims to have illegal pornography." However, the justices, led by Justice Scalia, seem to say that the law would only be used in cases where it made sense. Of course, given how often we see laws twisted beyond their original purpose, this seems difficult to believe.



Better than nothing. I wonder how they prioritize?

http://www.pogowasright.org/article.php?story=20080522060742733

Feds encrypt 800,000 laptops; 1.2 million to go

Thursday, May 22 2008 @ 06:07 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

In the last year, agencies have purchased 800,000 licenses for encryption software through the federal Data at Rest (DAR) Encryption program, which is run jointly by the General Services Administration and the U.S. Department of Defense.

... While sales on the DAR Encryption program are stronger than anticipated, federal officials admit they haven’t secured all of their laptops, handhelds and removable drives yet.

``It was originally thought that there would be about 1 million laptops in DoD and one million in civilian agencies. We roughly came up with the number of 2 million laptops. However that number is informal. It’s constantly being expanded and contracted,’’ says David Hollis, program manager for the Defense Department’s Data at Rest Tiger Team.

Source - NetworkWorld


If the UK's National Health Service alone has 700,000 devices, is the US Government-wide estimate of 2,000,000 suspect?

http://www.pogowasright.org/article.php?story=2008052206123147

UK: NHS to encrypt 700,000 devices

Thursday, May 22 2008 @ 06:12 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Connecting for Health, the NHS agency behind the troubled National Programme for IT, is to purchase 700,000 encryption licences for its desktop PCs, laptops and smartphones.

The encryption software, which will be provided by McAfee, should help limit the impact of any further data loss.

Source - SC Magazine Thanks to Brian Honan for this link.



The saga continues...

http://tech.slashdot.org/article.pl?sid=08/05/21/2211201&from=rss

Feds Now Allowed to Use Internet

Posted by samzenpus on Wednesday May 21, @07:35PM from the welcome-to-the-web dept. The Internet It's funny. Laugh. Security

fast66 writes

"Nextgov reports that a new court order allows the Department of the Interior to connect to the Internet, six years after the federal agency was ordered to disconnect. District Judge James Robertson said, "I find that the consent order is of no further use and must be vacated," Robertson wrote in his ruling. "The . . . disconnected offices and bureaus may be connected." He added that his ruling was based not on evidence but "on a legal conclusion that it is not my role to weigh IT security risks."

[Robertson's ruling:

http://www.usdoj.gov/civil/cases/cobell/docs/pdf/05142008_order.pdf



It isn't always wise to be on the cutting (bleeding?) edge.

http://www.law.wisc.edu/blogs/wisblawg/2008/05/twitter_and_the_legal_professi.html

Twitter and the Legal Profession

There has been a lot of discussion lately about Twitter and its applications for the legal profession. Twitter is a free micro-blog service in which people answer the question "What are you doing?" in 140 characters or less.

Although many have questioned whether such a tool could have any practical application at all, for better or worse, some enterprising individuals have indeed applied it in legal settings. Here's a sample of some of the ways in which Twitter is being used:

  • Live Coverage from the Courtroom - From journalists:
    From the ABA Journal:



Way to go, Judge! (No one else is teaching cell phone etiquette ...)

http://www.news.com.au/story/0,23599,23735155-421,00.html

Teenage boy jailed for taking call in court

By Phoebe Stewart May 21, 2008 02:53pm

A MAGISTRATE has jailed a teen for answering his mobile phone in court.



How I grade my students.

http://www.phdcomics.com/comics/archive/phd051608s.gif

Wednesday, May 21, 2008

I think this is a new low... They not only lost the disc, but it was their ONLY COPY?

http://www.phiprivacy.net/?p=412

May-20-2008

NHS disc containing sensitive data lost

Caroline Gammell reports in the Telegraph:

A computer disc containing the medical records of more than 38,000 NHS patients went missing when it was sent to a software company to be backed up - in case the records got lost.

The information, which dates back 10 years, was mislaid somewhere between London and Sandown Health Centre on the Isle of Wight.

It was given to courier company City Link in March, but the health centre only spotted it was missing in May.

Full story - Telegraph Related - The Press Association



Increasingly common?

http://www.pogowasright.org/article.php?story=20080520184358499

LendingTree LLC Sued Over Customer Information Data Breach

Tuesday, May 20 2008 @ 06:43 PM EDT Contributed by: PrivacyNews News Section: Breaches

LendingTree LLC, the online mortgage unit of IAC/ InteractiveCorp. (IACI), has been sued over a security breach in which some employees allegedly allowed mortgage lenders to gain access to confidential customer information.

The lawsuit, filed in U.S. District Court in Manhattan on Friday, alleges that the Charlotte mortgage referral company failed to adequately safeguard confidential customer information contained in its customer loan request forms and that data was accessed and stolen by several LendingTree employees.

"As a result of defendant's actions, millions of its customers have had their personal confidential information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and have otherwise suffered damages," the lawsuit said.

Source - CNN Money



How bad was it? Would it scale up to have a similar impact on the US?

http://news.cnet.com/8301-10789_3-9948720-57.html?part=rss&subj=news&tag=2547-1_3-0-5

The Estonia cyberwar: One year later

Posted by Robert Vamosi May 20, 2008 2:34 PM PDT

One year ago, the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis, a move that may have triggered what some believe is the first instance of a sustained, international cyberwar.

Now, Gadi Evron, a security evangelist for Beyond Security who was in Estonia at the time of the attacks, has revisited the events with an article in the Georgetown Journal of International Affairs and reprinted here online (PDF).



Tools & Techniques. It takes some thought to figure this stuff out...

http://www.f-secure.com/weblog/archives/00001440.html

Phishing Piers on Legitimate Sites

Posted by Sean @ 10:52 GMT Wednesday, May 21, 2008

... However, even obscure URLs can be taken offline quickly as they have no legitimate functions. Sending a message to the host providers with a request that the entire bogus site be taken offline does the trick.

So what next?

Instead of setting up their own sites, we're seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing. And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the website's administrator must be contacted to repair the damage.

Sites such as bbcsales.com, a 15 year old business with a long-standing Web presence.



Tools & Techniques These “how to” videos are useful...

http://digg.com/gadgets/How_To_Eavesdrop_on_Bluetooth_Conversations

How To Eavesdrop on Bluetooth Conversations watch!

5min.com — A demo on how to attack and capture audio on a Bluetooth headset using a handheld Nokia.

http://www.5min.com/Video/How-To-Eavesdrop-on-Bluetooth-Conversations-925061



Coming soon to a server near you?

http://hardware.slashdot.org/article.pl?sid=08/05/20/1248231&from=rss

New 'Phlashing' Attack Sabotages Hardware

Posted by timothy on Tuesday May 20, @09:29AM from the not-so-nice dept. Security Hardware IT

yahoi writes

"A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."



The data is there, why not use it? Information overload?

http://www.cnet.com/8301-13880_1-9949185-68.html?part=rss&tag=feed&subj=Workers'Edge

Get the low-down on the sites you visit with CallingID

Posted by Dennis O'Reilly May 21, 2008 12:01 AM PDT

I used to think the last thing I needed was another browser toolbar. But now I gladly sacrifice a little screen real estate to find out who owns the sites I visit, where they're located, and whether they pass muster with the security checkers.

That's what you get with CallingID, an add-on for Internet Explorer and Firefox that adds a multi-hued toolbar to the browsers. Along with use of green, yellow, and red to signify the site's safety, the toolbar shows the owner and location of the site.



We love our customers... When Microsoft pushes (forces) the update to SP3, your browser will die?

http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207801330

Windows XP SP3 Chokes On ISP Versions Of Internet Explorer 7

Specifically, XP SP3 runs a version of an essential dynamic-link library file called XMLLite.dll that's not compatible with versions of IE7 released prior to October.

By Paul McDougall InformationWeek May 20, 2008 02:09 PM

Private label versions of Microsoft's Internet Explorer 7 browser, including those provided to customers by Internet Service Providers Comcast and Qwest, are prone to crash during installation on computers running Windows XP SP3 because they tend to be outdated, Microsoft is warning.



We love our customers... “We are actually blocking the only indication that you are being monitored, but we'll keep selling your information to our advertisers and charging them as if you were still looking at the ads!”

http://www.pogowasright.org/article.php?story=2008052018482763

UPDATE: Charter Will Track Your Internet Activity Regardless Of Whether You Opt Out

Tuesday, May 20 2008 @ 06:48 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Last week, we wrote about Charter's decision to begin tracking its users' internet activity and inserting targeted ads. One of our readers wrote in to let us know he discovered that Charter's insecure opt-out solution—downloading a cookie that must be downloaded for each user and browser, and downloading it again whenever the cache is cleared—only blocks the ads from showing up; it doesn't block Charter from monitoring users' searches and web activity.

Source - The Consumerist


Related. Maybe we can get versions for any company that tracks us on the Internet... (No doubt this will escalate into an all out arms race...)

http://www.pogowasright.org/article.php?story=20080520070402684

Privacy group launches Phorm spoiler

Tuesday, May 20 2008 @ 10:04 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

A privacy group has launched a new piece of software that it claims will make the data collected by the Phorm advertising service "absolutely worthless".

The AntiPhorm group - which describes itself as "a loose conglomeration of concerned individuals comprised of artists, programmers and designers" - says it wants to prevent ISPs from profiting from their customers' personal surfing habits.

Source - PC Pro



A simple way to show off the new puppy?

http://www.killerstartups.com/Comm/Ekkotv---Flash-Based-Video-Chat/

Ekko.tv - Flash Based Video Chat

ekkoTV is a new Flash-based video chat service. It pulls your contacts from AIM, Yahoo, Google, and/or MSN to create buddy lists. Clicking on the name of your friend will send out an invite; once they’ve received the invitation, a webpage for your chat is opened. Users can chat with up to two other people. The platform can be embedded on blogs and personal websites to create interesting dialogues. Users will of course need a webcam and a decent internet connection to take advantage of ekkoTV. Using the video chat app is absolutely free. Sign up is required.

http://www.ekko.tv/



Could be useful...

http://www.killerstartups.com/Web20/Vocabulixcom----Learn-Spanish-and-German-the-Easy-Way/

Vocabulix.com - Learn Spanish and German the Easy Way

To avoid mistakes like the infamous Kennedy flub, “Ich bin ein Berliner” (roughly, ‘I’m a jelly donut’), you may want to brush up on those language skills. And why not try something free, something web-based, and something multilingual like Vocabulix. Granted, Vocabulix focuses on a trio of languages—English, Spanish, and German—but the spread is comprehensive. You can build vocabulary with a series of customizable (level, topic, type) practices. Or, you can focus on your verb skills with Vocabulix’s verb drills. Even those tricky conjugations are available for practice. Of course, there’s the requisite networking touch as well. You can find and connect with language buddies for extra practice, or create group lessons. You can find language schools, buy CDs and books and post questions if you need extra help. And you don’t even have to leave your house.

http://www.vocabulix.com/

Tuesday, May 20, 2008

Today does not look like a good day for the new Privacy Officer.

http://www.pogowasright.org/article.php?story=20080519123314347

LPL Financial hacked in 2007 for "pump and dump" stock scheme; over 10,000 customer accounts exposed

Monday, May 19 2008 @ 01:12 PM EDT Contributed by: PrivacyNews News Section: Breaches

Almost a year after becoming aware that hackers had compromised the login passwords of 14 financial advisors and four financial assistants in 9 states over the course of several months, LPL Financial has notified [pdf] the Maryland Attorney General's office of the incident.

In a detailed notification letter dated May 6th from Keith H. Fine, Senior Vice-President and Associate Counsel, the company described how after they first became aware of the hack on July 16, 2007, they notified law enforcement, FINRA, and affected individuals. The company estimates that personal information on 10,219 customers was exposed, including the unencrypted names, addresses, phone numbers, dates of birth, account numbers, and Social Security numbers of customers and non-customer beneficiaries.

Investigation of the incident determined that access to customer accounts was used to engage in a "pump and dump" scheme involving penny stocks, but all attempted transactions were reportedly either intercepted or reversed. No customer suffered any financial loss from the attempted transactions, and the company reports that there is no indication that customer information was used for any other purpose.

In August 2007, LPL retained Kroll Inc. to provide various services, including notification of affected individuals and free credit monitoring services for individuals. A series of communications was sent to affected individuals commencing on September 21, 2007, and most recently in May 2008.

Following this incident, LPL Financial reportedly initiated steps to improve its security on its advisor facing trading and operations systems. As part of enhancing security, they created a new position of Chief Security/Privacy Officer in March 2008, and other new security policies have been implemented this month. The company anticipates that their other security improvements will be completed in December 2008.


...and then after that one...

http://www.pogowasright.org/article.php?story=20080519131659904

Burglary of LPL Financial employee's home affects 1,397 employees

Monday, May 19 2008 @ 01:16 PM EDT Contributed by: PrivacyNews News Section: Breaches

While still dealing with the hacking incident that affected over 10,000 customer accounts, LPL Financial learned on September 12, 2007 that a laptop containing employee data had been stolen from an employee's home in San Diego.

The password-protected computer contained unencrypted names, addresses, fingerprints, and Social Security numbers of registered representatives and office employees, most of whom were from Massachusetts.

Affected individuals were first notified on November 30, 2007 and were offered free credit monitoring and identity restoration services from Kroll, Inc.

And once again, the notification to individuals did not say that there was a theft, but talked about the incident as "unauthorized person(s) obtained access to the system...."


...and after that...

http://www.pogowasright.org/article.php?story=20080519130551172

Five computers stolen from LPL Financial office in December contained customer data

Monday, May 19 2008 @ 01:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial has notified [pdf] the Maryland Attorney General's Office that on December 11, 2007, a burglary at one of their offices in Diamond Bar, California, resulted in the theft of 5 computers that contained personal information on 444 customers.

The stolen computers were password-protected, but contained unencrypted personal information: names, addresses, dates of birth, Social Security numbers, and account numbers. Affected individuals were first notified on February 11, 2008 and were offered free credit monitoring through Kroll.

Somewhat curiously, perhaps, although LPL reports this as a burglary, all of their appended notifications to individuals say "unauthorized person(s) obtained access to the system...." which sounds more like a hack than a burglary.


...and let's not forget this one...

http://www.pogowasright.org/article.php?story=20080519125724971

LPL Financial laptop stolen from employee's car had data on 2800 employees

Monday, May 19 2008 @ 01:14 PM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial has notified the Maryland Attorney General's office that on April 10, 2008, a laptop containing data on 2800 employees of LPL or its affiliated companies was stolen from an employee's car in North Carolina.

The personal information on the laptop contained names, Social Security numbers, employee ID numbers, and other employee financial compensation information.

In describing its plans to improve data security and steps it had already taken, the company indicated that it "had begun" a project to encrypt data on laptops [Translation: Nothing has actually been encrypted yet... Bob] used by employees and representatives.

Once again, the company used Kroll to provide services to affected individuals, including free credit monitoring.



Questions: 1) Is it reasonable to extrapolate the total number of compromised customers by taking the ratio of Maryland's population to the total US population? 2) Why do so many employees have social security numbers on their laptops?

http://www.pogowasright.org/article.php?story=20080519121639862

Stolen laptop contained employee data from Bearing Point Management & Technology Consultants

Monday, May 19 2008 @ 01:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

Bearing Point Management & Technology Consultants reports that a laptop stolen from an employee's vehicle on April 11 contained personal information on some of its employees, 26 of whom are Maryland residents.

Personal information on the laptop included first and last names and Social Security numbers.

According to the letter sent to employees by Joseph T. Van Thuyne, HR Director, Administration, Policies and Systems, the laptop required two passwords and two forms of authentication and at the time of the theft, was inside a case in the trunk of the employee's vehicle. [Translation: No encryption Bob]

The company has offered those affected 12 months of free credit monitoring.



So who (if anyone) would assert they are in control of (you know, actually managing) the users with the laptops? Another reason to encrypt EVERYTHING on EVERY laptop.

http://www.pogowasright.org/article.php?story=20080519122543129

Sodexo laptop stolen but company not sure whether employee data was on it or not

Monday, May 19 2008 @ 01:10 PM EDT Contributed by: PrivacyNews News Section: Breaches

Sodexo, Inc., a provider of integrated food and facilities management services, reports that a laptop stolen from an employee's vehicle in Montgomery County may have contained names and Social Security numbers on 919 residents of Maryland employed by the company.

In a letter [pdf] to the Maryland Attorney General's office dated May 9, Robert A. Stern, Senior Vice-President and General Counsel for Sodexo, writes that the company "has not been able to confirm definitively that the file was on the laptop."

The company set up a hot line for employees to call, but did not offer free credit monitoring.



The damage from the Hannaford breach continues...

http://www.pogowasright.org/article.php?story=20080520063131461

Bank: Breach affected accounts

Tuesday, May 20 2008 @ 06:31 AM EDT Contributed by: PrivacyNews News Section: Breaches

TD Banknorth said yesterday a group of New Hampshire customers was notified last week that their Visa debit or credit cards have been compromised, most likely because of the Hannaford Brothers Supermarkets security breach.

"We do closely monitor those cards for suspicious activity, and it was because of our fraud-detection activity that we noticed the cases of fraud," bank spokeswoman Jennifer Carlson said yesterday.

Carlson declined to release the specific number of customers affected or their location, citing privacy policy.

Source - Union Leader



Looks like the Phishers missed one. Or did they?

http://it.slashdot.org/article.pl?sid=08/05/19/1325214&from=rss

Identity Theft Hits the Root Name Servers

Posted by CmdrTaco on Monday May 19, @10:00AM from the i-don't-think-i-am-who-you-think-i-am dept. Security The Internet IT

aos101 writes

"The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"
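The practical question for anyone running a resolver is simple: are your root hints still pointing at L's old address? A resolver that never refreshed its hints after the November 2007 change keeps sending queries to the old address, and whoever announces that address space gets to answer them. The check below is an added example of mine, not Renesys's or ICANN's code. The two L-root addresses are what I recall for that change and are labelled as such in the code; confirm them against the current root hints file from IANA before acting on the output. The sample hints fragment is constructed to contain a stale entry.

```python
"""Flag a stale L-root address in a BIND-style root hints file (added example).

Resolvers carry a local copy of the root server addresses ("root hints").
If that copy still lists L's pre-November-2007 address, every priming
query goes to whoever is announcing that prefix today.
"""
import ipaddress

# Recalled addresses for the L.ROOT-SERVERS.NET change; verify against IANA.
OLD_L = "198.32.64.12"   # L's address before the change (recalled, not from the page)
NEW_L = "199.7.83.42"    # L's address after the change (recalled, not from the page)

# Names whose current address we assert. Extend from the official hints file.
EXPECTED = {
    "L.ROOT-SERVERS.NET.": NEW_L,
}

# Constructed hints fragment in named.root format, with a stale L entry.
SAMPLE_HINTS = """\
;       This file holds the information on root name servers (constructed sample)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""


def parse_hints(text):
    """Return {owner name: IPv4 address} for every A record in a hints file."""
    entries = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop comments
        fields = line.split()
        if len(fields) == 4 and fields[2].upper() == "A":
            name, addr = fields[0].upper(), fields[3]
            ipaddress.IPv4Address(addr)           # raises on garbage
            entries[name] = addr
    return entries


def stale_entries(entries):
    """List (name, found, expected) for every name that differs from EXPECTED."""
    return [(name, entries[name], want)
            for name, want in EXPECTED.items()
            if name in entries and entries[name] != want]


def fix_hints(text):
    """Rewrite stale A records in place, leaving every other line untouched."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2].upper() == "A":
            want = EXPECTED.get(fields[0].upper())
            if want and fields[3] != want:
                line = line.replace(fields[3], want)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_hints(SAMPLE_HINTS)
    for name, got, want in stale_entries(found):
        print(f"STALE: {name} is {got}, should be {want}")
    print(fix_hints(SAMPLE_HINTS))
```

Run it against `/etc/named.root`, `db.root` or whatever your resolver primes from; a hit means your resolver has been asking a stranger for the root zone since last November. Renesys's point stands even if the answers looked correct: correct answers are exactly what you would serve if you wanted nobody to notice.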



One to watch? At least until I find out how they can substitute their machine for the ATM card reader without anyone noticing!

http://www.pogowasright.org/article.php?story=20080519163803504

Secret Service joins Lunardi's ATM theft case; 234 victims now identified

Monday, May 19 2008 @ 04:38 PM EDT Contributed by: PrivacyNews News Section: Breaches

The Secret Service has joined the investigation into the Los Gatos Lunardi's Supermarket ATM identity theft case as the number of victims continues to climb.

Most recent figures show that 234 Lunardi's shoppers reported they are victims of the scam. Approximately $251,000 has been stolen since police discovered an ATM machine at the store had been tampered with to obtain customers' account information.

Source - Mercury News



Perhaps we'll get a better look at how these Phishing crimes work too?

http://www.pogowasright.org/article.php?story=20080519162213833

5 People Arrested in Connection with International Online Phishing Scheme (update 1)

Monday, May 19 2008 @ 04:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

Five people were arrested Monday in Los Angeles and others were being sought in connection with an international online "phishing" scheme that defrauded thousands of victims and hundreds of financial institutions, federal authorities said.

A total of 33 people, U.S. citizens and foreign nationals alike, were named in a 65-count indictment charging them with participating in the Internet-based fraud, prosecutors said. The indictment, unsealed today, was returned by a federal grand jury in Los Angeles.

Source - Fox6News

Related - DOJ Press Release

Related - an article in InformationWeek lists affected institutions as:

Allegheny Federal Credit Union, American National Bank of Texas, Arizona Federal Credit Union, Banker's Bank & Trust, Bank of the West, Boeing Employees' Credit Union, Bowdoinham Federal Credit Union, Capital One Bank, Citibank, Downey Savings & Loan, Credit Union One, E-Trade, Desert Schools Federal Credit Union, Flagstar Bank, First Merit Bank, Iowa League Corporate Central Credit Union, Jeffco Schools Credit Union, Langley Federal Credit Union, Mountain America Credit Union, Orange County Teacher's Credit Union, Pointbank, NASA Federal Credit Union, North Island Credit Union, Premier Credit Union, PSCU Financial Services, Regions Bank, School Financial Credit Union, Southwest Corporate Federal Credit Union, Teacher's Credit Union, Telco Credit Union & Affiliates, Valley National Bank, VISA, Washington State Employees Credit Union, and Waterbury Teachers' Federal Credit Union.

Update 1: The Hartford Courant indicates that Bridgeport-based People's Bank, Brattleboro Savings and Loan Association in Vermont, Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal were also targeted.



An ethical Catch-22. In theory, lawyers aren't supposed to look at this information. In theory, lawyers aren't supposed to claim the data is classified when it is not. So do you sanction both sides?

http://blog.wired.com/27bstroke6/2008/05/secret-data-in.html

Secret Data in FBI Wiretapping Audit Revealed With Ctrl+C

By Ryan Singel May 16, 2008 | 7:51:59 PM

Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys -- and that information turns out to be not very sensitive after all.

This time around, University of Pennsylvania professor Matt Blaze discovered that the Justice Department's Inspector General's office had failed to adequately obfuscate data in a March report (.pdf) about FBI payments to telecoms to make their legacy phone switches comply with 1995 wiretapping rules. That report detailed how the FBI had finished spending its allotted $500 million to help telephone companies retrofit their old switches to make them compliant with the Communications Assistance to Law Enforcement Act or Calea-- even as federal wiretaps target cellphones more than 90 percent of the time.

This isn't the first time the Justice Department has made such an error.
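The failure here is mechanical, not clever: a black rectangle was drawn over the text, but the text operators underneath were left in the file, so select-all and copy returns them. The following is an added example of my own, not Blaze's method and not anything from the Inspector General's report. It hand-builds a tiny uncompressed PDF whose content stream draws a sentence and then fills a black box over the sensitive part, extracts the string operands the way a copy-paste would, and then shows what real redaction looks like: the text object is removed before the file is published. The "sensitive" string and the helper names are constructed for the demonstration.

```python
"""Why a black box over text in a PDF is not redaction (added example).

Builds a minimal one-page PDF by hand: the content stream draws a line of
text, then fills a black rectangle over the part that should be hidden. A
viewer shows a black bar; the text operators underneath are still there, so
any extractor (or Ctrl+A, Ctrl+C) returns them. Real reports usually carry
FlateDecode-compressed streams; the extractor inflates those too.
"""
import re
import zlib

# Constructed content-stream fragments. "0 g" = black fill, "re f" = fill rect.
PUBLIC = b"BT /F1 12 Tf 72 700 Td (Payment to carrier: ) Tj ET\n"
HIDDEN = b"BT /F1 12 Tf 200 700 Td (AMOUNT-PAID-12345) Tj ET\n"
BLACK_BOX = b"0 g 195 695 150 16 re f\n"


def build_pdf(content):
    """Wrap a raw content stream in a valid one-page PDF (hypothetical helper)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def content_streams(pdf):
    """Yield every stream body, inflating FlateDecode streams (flat dicts only)."""
    for m in re.finditer(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = m.group(2)
        if b"/FlateDecode" in m.group(1):
            data = zlib.decompress(data)
        yield data


def extract_strings(pdf):
    """Every literal operand of Tj, i.e. what select-all copies.
    (Ignores TJ arrays, hex strings and escaped parentheses; enough for the demo.)"""
    out = []
    for stream in content_streams(pdf):
        out += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", stream)]
    return out


def remove_text_objects(stream, pattern):
    """Real redaction of a content stream: drop each BT..ET block whose
    operands match `pattern`. Do this, then draw the box if you want one."""
    def keep(m):
        return b"" if re.search(pattern, m.group(0)) else m.group(0)
    return re.sub(rb"\bBT\b.*?\bET\b\n?", keep, stream, flags=re.S)


def demo():
    """Return (strings in the box-only 'redaction', strings after real redaction)."""
    painted_over = build_pdf(PUBLIC + HIDDEN + BLACK_BOX)
    really_redacted = build_pdf(
        remove_text_objects(PUBLIC + HIDDEN, rb"AMOUNT-PAID") + BLACK_BOX)
    return extract_strings(painted_over), extract_strings(really_redacted)


if __name__ == "__main__":
    bad, good = demo()
    print("box drawn over text :", bad)
    print("text object removed :", good)
```

The same test works on any PDF you are about to publish: run the extractor over the file and grep for the thing you think you hid. If it comes back, the box is decoration. Image-only pages (rasterize, then redact the image) sidestep the problem at the cost of searchability; removing the text objects, as above, keeps the rest of the page usable.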



“Screwing our customers, one sale at a time.” Hard to blame this one on an untrained new employee...

http://www.news.com/8301-10784_3-9947410-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Best Buy challenges FCC over analog TV sales penalty

Posted by Erica Ogg May 19, 2008 3:43 PM PDT

The Federal Communications Commission says Best Buy and other retailers must pay more than $3 million in fines for selling analog TVs without labels that explain the sets won't work after the digital TV switchover next February.

In a 41-page legal document filed last week (and dug up by Ars Technica), Best Buy essentially says, "Oh yeah? Make us."



Won't the RIAA have fits over this service?

http://www.killerstartups.com/Web20/iRadeocom---Stream-Your-Music/

iRadeo.com - Stream Your Music

Want to share your music with others? iRadeo is a free streaming radio platform. Installing iRadeo on your website is easy. First download and unzip the iRadeo package. Open the file and update your settings and preferences. Upload the files and folders to your server, place the given code wherever you please on your website, and you are done. You can start uploading your MP3/WAV files to your folder and iRadeo will stream them.

... Other listeners can easily embed your player on their sites by copying and pasting code. Sharing music with others couldn't be easier than at iRadeo.com.

http://www.iradeo.com/



Interesting resource...

http://www.bespacific.com/mt/archives/018382.html

May 19, 2008

Online Tool Provides Victims' Rights Law Information

"VictimLaw has been designed as a comprehensive, user-friendly online database of victims’ rights statutes, tribal laws, constitutional amendments, court rules, administrative code provisions, and case summaries of related court decisions that meets the needs of a wide variety of users with different levels of substantive and technological expertise. VictimLaw also offers brief victims' rights and justice system overviews. Such ready access to information can advance the cause of crime victims’ rights by facilitating the exercise, implementation, and enforcement of those rights. This resource was developed by the National Center for Victims of Crime with funding from the Office for Victims of Crime (OVC), the Office of Justice Programs (OJP), and the U.S. Department of Justice (DOJ)."



More disciplines should do this. Who knows what is being lost...

http://www.bespacific.com/mt/archives/018392.html

May 19, 2008

Preserving Legal Information: The Chesapeake Project's First-Year Evaluation

"The Chesapeake Project began as a two-year (2007-2008) pilot digital preservation program established to preserve and ensure permanent access to vital legal information currently available in digital formats on the World Wide Web. The purpose of The Chesapeake Project is to successfully develop and implement a program to stabilize, preserve, and ensure permanent access to critical born-digital legal materials. The goal is to establish the beginnings of a strong regional digital archive collection of U.S. legal materials as well as a sound set of standards, policies, and best practices that have the potential to serve as a model for the future realization of a nationwide digital preservation program. See Legal Information Archive: The Chesapeake Project, First Year Evaluation." [via Sarah J. Rhodes]



And since we're discussing legal resources, I'll toss this one in too.

http://www.bespacific.com/mt/archives/018383.html

May 19, 2008

New on LLRX.com

Keeping Up with Class Actions: Reports, Legal Sites and Blogs of Note - "Staying current on the latest cases and news in the area of class actions can be challenging, but Russell Scott's guide to reliable subscription based publications, free legal sites and blogs that offer timely news, analysis and selected copies of court filings, is a valuable resource. — Published May 19, 2008"



Another example of tools to make the transition from Windows to Linux easier. Start training your employees now, the death of Windows is inevitable!

http://tech.slashdot.org/article.pl?sid=08/05/19/2223258&from=rss

A Virtualized Linux System For Windows

Posted by kdawson on Monday May 19, @07:01PM from the bill-in-the-middle dept.

getupstandup1 writes

"Ulteo today unveiled their Virtual Desktop (screenshots, download) which is a free, full Linux desktop that runs seamlessly on Windows. It's interesting because it's not running under Xen or VMware, but instead uses the coLinux patch, which they claim allows the system to achieve 'great performance, close to a native installation on the PC.' No need to reboot the system anymore to switch from Windows to Linux."

We discussed Ulteo when the Ubuntu-derived distro was announced a year back.