Friday, January 02, 2009

Important for those of us who follow breaches.

http://www.pogowasright.org/article.php?story=20090101074119872

ANNOUNCE: Breach news moving to DataBreaches.net

Thursday, January 01 2009 @ 07:41 AM EST Contributed by: PrivacyNews

Effective today, reports and news stories on specific breach incidents will no longer be posted to PogoWasRight.org, but will have their own web site at DataBreaches.net, the Office of Inadequate Security. The OIS news feed will now appear on PogoWasRight.org's homepage for those who prefer to continue visiting this site while finding out the latest headlines from OIS and PHIprivacy.net.

The change will enable site visitors to comment on breaches and to help researchers more quickly locate specific types of breaches.

Some breach-related news will continue to be posted to PogoWasRight.org, but the bulk of breach news will be on the new site. The change also enables PogoWasRight.org to continue to provide global coverage of privacy issues without important news stories being lost amid the increasing number of breach stories. PHIprivacy.net will continue to cover healthcare-related privacy issues, but healthcare-related breaches are also moving to DataBreaches.net.

Hope to see you over there, and Happy New Year!


Related

http://www.databreaches.net/?p=27

Happy New Year and Welcome!

January 1st, 2009 by admin

Whether you’ve migrated over from PogoWasRight.org, PHIprivacy.net, or just stumbled across this site, welcome and Happy New Year!

This site is devoted to reported breaches involving PII or PHI. PogoWasRight.org and PHIprivacy.net will continue to cover discussions of privacy breaches as well as other aspects of privacy news, but if you are looking for reports on breach incidents, you will now find them on this site.

In addition to news coverage, you will also find information on legislation related to breaches as it is proposed in the 111th Congress.

This site permits comments on news stories and items. Simply register and log in to post your comments. No longer do you need to just mutter to yourself as you read a news story — now you can mutter out loud. [So that's what I've been doing! Bob]



Individuals are not the only potential targets in a BIG data breach.

http://www.databreaches.net/?p=120

Express Scripts extortionist sends Toyota data on 188 employees

January 1st, 2009 by admin

On November 11, Express Scripts announced that some of its clients had received extortion attempts, presumably from the same person or persons who had contacted them with the threat to expose personal information if Express Scripts did not meet their demands.

On November 21, Toyota Motor Sales notified the New Hampshire Attorney General that:

[...]

Early the following week, Toyota received a similar threat directly, apparently from the same extortionist. The extortionists identified 188 current and former Toyota associates’ names, social security numbers and dates of birth held by Express Scripts. Additionally, they suggested that they possessed similar information for “most” other current and former Toyota associates and their covered dependents. The FBI is investigating the incident.

In its letter to affected associates and their dependents, Toyota described the communication they received, and added (boldface in original):

[...]

We believe that there is some risk, based on the threat contained in the extortionists’ letter, that your or your dependents’ personal information could be misused. Therefore, we believe you should consider taking action to protect your identity even though, at this time, we have received no evidence that there has been any attempt to misuse your personal information or that of your covered dependents.

Express Scripts, through its vendor Kroll, Inc., is offering fraud prevention assistance in connection with this incident (please see enclosed information). The Fraud Prevention Steps You Can Take enclosed with this letter will also be available on ToyotaVision at http://tv/toyotavision/. You may also obtain information through the Express Scripts website at www.esisupports.com. We recommend that you take action promptly.


Related

Everyone is impacted by Identity Theft. Expect this to devolve to any “unusual” charge.

http://www.pogowasright.org/article.php?story=20090102065507903

UK: Tell us your holiday plans, banks insist

Friday, January 02 2009 @ 06:55 AM EST Contributed by: PrivacyNews

Credit and debit cardholders are being told by banks to notify them of their holiday destinations and foreign travel plans or face having their accounts frozen in moves to combat fraud.

Customers increasingly find that trying to make a transaction abroad triggers a shutdown of their account as card companies seek to curb the use of information stolen from British cards.

Source - Times Online



How to abuse your customers...

http://www.pogowasright.org/article.php?story=20090102060252289

Twply takes a spam-and-grab approach to violating your privacy

Friday, January 02 2009 @ 06:02 AM EST Contributed by: PrivacyNews

When's the last time you gave out your username and password for something crucial to a random web service? That's what a lot of people have been doing with Twply.com. The site asks you for your username and password, and then promises to send any @replies that you get on Twitter to your email account.

However, it'll also spam its own URL across your Twitter account - "Just started using http://twply.com/ to get my @replies via email. Neat stuff!". That means they've got a big database of Twitter usernames and passwords, ripe for spamming. I wonder what could happen if they got bought by someone without a conscience... Oh, wait.

Source - TechDigest



They win contracts based on their expertise?

http://www.databreaches.net/?p=113

Malware blamed in latest SAIC breach

January 1st, 2009 by admin

Science Applications International Corporation (“SAIC”), recipient of a number of large government contracts, notified the New Hampshire Attorney General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide backdoor access.”

The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote:

This letter is to notify you of a potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-85P or SF-86). We collected this information from you to provide it to the U.S. Government either to enable you to visit a government facility or to assist you in obtaining or updating your government clearance.

Our Security personnel routinely receive information regarding malicious software from industry partners. This process led to the recent discovery on October 28, 2008 of malicious software designed to provide backdoor access on a computer used to process your security clearance or visit request. [Why is anything online beyond a unique identifier and an approved or denied flag? Bob] Unfortunately, due to the nature of this malicious software, it avoided our standard cyber security precautions which include using industry-leading software for virus and spyware detection, intrusion detection systems, and firewalls. To help detect and prevent similar attacks, we keep pace with industry best practices and software, we continue to work with our industry partners and we are implementing Trusted Desktop, which removes elevated privileges from users. [Let's hope they don't mean this version of Trusted Desktop: http://downloads.zdnet.com/abstract.aspx?docid=720717 Bob]

We have communicated with Defense Security Information Exchange and the Federal Bureau of Investigation regarding this malicious software, and we have sought evidence regarding whether the malicious software was used to access your personal information. To date there is no indication that any of your personal data was accessed. As there is a potential that it could have been accessed, we recommend that you take precautionary measures, including the actions further detailed in Exhibit A attached to this letter,

If their description and explanation sound familiar, it may be because SAIC had another breach almost a year ago where malware (a keylogger) also evaded their detection system. In that breach, it was mostly corporate account data at risk. The nature of the data in this most recent incident is of more concern due to its security implications.

As in the previous incident, SAIC did not offer those affected by the recent breach any free services for credit monitoring or repair.


Related

In case you thought I was kidding about the contracts...

http://news.cnet.com/8301-1009_3-10130225-83.html?part=rss&subj=news&tag=2547-1_3-0-5

Defense contractors eye cybersecurity bonanza

Posted by Jonathan Skillings January 1, 2009 6:46 PM PST

... Bloomberg has a year-end rundown on the efforts of the big defense contractors to tap into a market that could swell to $11 billion by 2013.


Related?

http://yro.slashdot.org/article.pl?sid=09%2F01%2F02%2F0052201&from=rss

UK Government To Outsource Data Snooping and Storage

Posted by timothy on Friday January 02, @06:40AM from the avoid-conflict-of-interest dept. Privacy

bone_idol writes

"The Guardian is reporting that the private sector will be asked to manage and run a communications database that will keep track of everyone's calls, emails, texts and internet use under a key option contained in a consultation paper to be published next month by Jacqui Smith, the home secretary. Also covered on the BBC."



Oh gloom and doom!

http://www.pogowasright.org/article.php?story=20090102062518126

Data losses set to soar, predicts KPMG

Friday, January 02 2009 @ 06:25 AM EST Contributed by: PrivacyNews

KPMG’s Data Loss Barometer predicts that the number of people affected by data loss around the world could soar to 190 million in 2009, compared to 92 million in the previous year, as the credit crunch deepens.

In the three months to November 2008 the number of people affected by data loss incidents (47.8 million) was more than for the first eight months of the year combined – and 38 per cent higher than the same period in 2007 (34.5 million).

The Data Loss Barometer research concludes that the total number of reported incidents for 2008 will be 427, compared to 2007 (412) – the highest annual figure recorded by KPMG since the firm began collecting the data in 2005.

Source - SC Magazine

[From the article:

A few simple questions such as ‘Do you know where your data comes from?’, ‘Where it is stored and how it is used?’ and ‘Do you have a clear plan of what to do should you lose your data?’ are good starting points for all businesses – large and small.



Attention Homeland Security! Isn't this the system you want to install?

http://www.pogowasright.org/article.php?story=2009010113151646

S. Korean woman 'tricked' airport fingerprint scan

Thursday, January 01 2009 @ 01:15 PM EST Contributed by: PrivacyNews

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday.

Source - Daily Yomiuri

[From the article:

The sources said the fact that the woman was so easily able to beat the sophisticated computer system will force the government into a drastic review of its counterterrorist measures and the current screening immigration system.

The immigration bureau reported to the Justice Ministry that a considerable number of South Koreans might have entered Japan illegally using the same technique, as a South Korean broker is believed to have helped the woman enter Japan.



Wouldn't it be nice to connect a number of people, each interested in a narrow area of law, and produce high-level overviews like this one every week?

http://www.pogowasright.org/article.php?story=20090102062125484

Log retention initiatives

Friday, January 02 2009 @ 06:21 AM EST Contributed by: PrivacyNews

David Fraser of Canadian Privacy Law Blog presents a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries.

Source - Slaw



Illustrating once again that there are many ways to skin a cat. But, is the DA just creating a larger petard?

http://www.pogowasright.org/article.php?story=20090101072011731

ID cases may go to grand jury

Thursday, January 01 2009 @ 07:20 AM EST Contributed by: PrivacyNews

Weld District Attorney Ken Buck has requested a grand jury be assembled to decide whether there’s enough evidence to arrest more than 1,000 people suspected of identity theft.

Buck asked for the jury Tuesday after he and Weld District Court Judge James Hartmann continued to disagree on whether the tax records of defendants in the identity theft sting Operation Number Games were confidential.

Source - Greeley Tribune

[From the article:

The Weld County Sheriff’s and District Attorney’s offices began the effort in November to apprehend 1,300 people suspected of identity theft or criminal impersonation in northern Colorado by seizing their federal income tax records from Amalia’s Tax Service in Greeley. The tax records were used as evidence of them using false or stolen Social Security numbers. [So you can see why he doesn't want them tossed out. Bob]

... Buck has said he consulted with the Internal Revenue Service before filing the cases and firmly believes the information is not considered confidential. [Amplify! Are my records confidential? If not, why not? Bob]

... Convening a grand jury also would eliminate the need for preliminary hearings, which are held to determine if there’s enough evidence to take the matters to trial.

In a preliminary hearing Monday, Hartmann dismissed two criminal impersonation cases against one defendant involved in Operation Number Games because of a lack of evidence.



For my security classes and your security manager

http://www.bespacific.com/mt/archives/020211.html

January 01, 2009

Google Releases Browser Security Handbook

SecurityFocus: "Google posted...a handbook for Web developers that highlights the key security features and quirks of major Web browsers. The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses."



Documenting the decline and fall of the Microsoft Empire

http://tech.slashdot.org/article.pl?sid=09%2F01%2F01%2F2322235&from=rss

IE Market Share Drops Below 70%

Posted by timothy on Thursday January 01, @07:06PM from the probably-too-late-to-open-source-ie dept. Internet Explorer Microsoft Software

Mike writes

"Microsoft's market share in the browser dropped below 70% for the first time in eight years, while Mozilla broke the 20% barrier for the first time in its history. It's too early to tell for sure, but if Net Applications' numbers are correct, then Microsoft's Internet Explorer will end 2008 with a historic market share loss in a software segment Microsoft believes is key to its business."



In contrast to the Microsoft article above... (Is this so different from a “feature want list?”)

http://tech.slashdot.org/article.pl?sid=09%2F01%2F02%2F0037254&from=rss

Google Wants You To Be Its Unpaid Muse

Posted by timothy on Friday January 02, @08:10AM from the voluntary-grindstone-for-nose-skinning dept. Google Businesses

theodp writes

"So where do you turn to for great ideas when tough times force you to abort your engineers' brainchildren? If you're Google, reports Nicholas Carlson, you simply outsource brainstorming to your users. Google's launched a new Google Product Ideas blog as well as a Product Ideas for Google Mobile site where users can submit feature and product ideas and vote on others. So what's in it for you if you come up with Google's next billion-dollar-idea? 'If you post an idea or suggestion and we put it into action, we may give you a shout out on our Product Ideas blog,' explains Google, 'but we won't be compensating users for their ideas.' Lucky thing don't-be-evil Googlers don't have to live up to the IEEE Code of Ethics, or they might have to credit properly the contributions of others."

So what's wrong with a shout out among consenting adults?
