http://www.databreaches.net/?p=686
ACLU questions massive ID theft case in Greeley
Posted January 15th, 2009 by admin
Howard Pankratz reports:
A probe of one of the biggest identity theft cases in Colorado history will be undertaken by two grand juries although the ACLU of Colorado says it is “highly likely” it will challenge the legality of the investigation.
The grand jury probe stems from the seizure last October of 4,900 tax files from Amalia’s Translation and Tax Service in Greeley by the Weld County Sheriff’s Office.
After a search warrant was approved by Weld County District Court Judge Marcelo Kopcow, the tax service was raided on Oct. 17.
[...]
In a letter to Klein, [Colorado ACLU legal director Mark] Silverstein said it is “highly likely” that the ACLU will file a civil lawsuit on behalf of Cerrillo seeking the return or destruction of copies of the materials seized from her business.
“We are concerned about what appears to be an illegal search and seizure and an illegal invasion of the constitutional rights not only of Amalia but also her 5,000 clients and customers,” said Silverstein.
“I’m referring to the search and seizure of the 49 boxes of files and all of her computers, all of the hard drives, all of the CDs and all of the floppy discs,” Silverstein added.
Read more in The Denver Post
[From the article:
Authorities traced approximately $2.6 million in payments to illegal immigrants using phony Social Security numbers who used the tax service, said Weld County District Attorney Ken Buck.
Perhaps they should assess hacking skills?
http://www.databreaches.net/?p=661
PA: Police: School data hacked, grades altered
Posted January 15th, 2009 by admin
Pottsville police anticipate filing charges against one or more computer hackers who unlawfully made changes to an online grading system used by Pottsville Area School District.
“You had some people who hacked into a school-functioned, online site and found ways to change data that was put in there,” Pottsville police Capt. Ronald J. Moser said Wednesday
“In this case, someone figured out a teacher’s login and password. It is still a federal offense,” said Monica Langenberg, Shawnee, Okla., director of business development for Classroll.com.
Classroll.com is an online classroom assessment and instructional management system the school district pays to use, according to Langenberg and Pottsville Area Superintendent James T. Gallagher.
Read more on TMC.net
[From the article:
"We have a way to track the IP address so we can fully help the school figure out and find out where it's occurring. [Probably the school library. Then what? Bob] Our CEO has also been working with the Pottsville school district," Langenberg said.
Guers said the incidents were isolated. [They also said: "Apparently in this case it went on for a while.” Bob]
I (being paranoid) suspect she purchased them from retail ID dealers who got them from wholesalers, who smuggled them in from the Ukraine where they had been gathered from hackers around the globe, randomly mixed (to avoid quick identification of the source) and perhaps even tested for validity.
http://www.databreaches.net/?p=697
The missing “how” in media reports
Posted January 16th, 2009 by admin
The Associated Press reports that Tasheika Brown pleaded guilty in New Orleans to conspiracy to use stolen credit card numbers to buy cellular telephone equipment and airtime.
The story does not indicate how she got the stolen credit card numbers.
Unfortunately, we seem to be seeing an increasing number of media reports that refer to use of stolen PII without any indication of how the thief obtained the PII. That would seem somewhat important for us to know, especially since most notifications of breaches suggest that data have not been misused. Are these from unreported breaches or breaches we knew about?
Maybe if we waterboard the defendants, they’ll tell us where/how they got the PII.
Oh wait… that’s the administration that’s on its way out.
Nevermind.
But it would help if U.S. attorneys or prosecutors who issue press releases addressed the issue of how criminals obtained the PII.
Why did he have access to these machines? He was a help desk geek. They should never have access to servers. Even if he did, that access should have been terminated when he was.
http://www.databreaches.net/?p=693
Blaine Man Pleads Guilty to Sabotaging Former Employer’s Computer System
Posted January 16th, 2009 by admin
Slightly off-topic because no PII seems to have been involved, but suppose he had decided to capture transactions instead of just crashing the system?
A 21-year-old Blaine man pleaded guilty yesterday in federal court in connection with sabotaging his former employer’s computer system after being terminated.
David Ernest Everett Jr. pleaded guilty to one count of intentional damage to a protected computer. Everett, who was charged on Dec. 1, 2008, entered his plea Jan. 12 in Minneapolis before United States District Court Judge Joan Ericksen.
According to Everett’s plea agreement, he was employed from July 2007 through March 18, 2008, by the Wand Corp. as a help-desk employee. Wand Corp. provides Point of Sale servers for a number of retail companies, including several fast-food restaurants. The servers are used to conduct cash register transactions, and are located within the restaurants. However, each server can be remotely administered by Wand using an Internet-based program.
Everett’s employment with Wand was terminated on March 18 and he was upset by the termination. On April 9, Everett admitted that he launched a malicious software attack on Wand client servers located in approximately 3,000 restaurants. Everett also admitted that he created three malicious files to perform the attack, which was designed to crash the client servers.
Everett launched the attack from his home computer, and was able to install the files on approximately 1,000 client servers.
In the early morning hours of April 10, the servers housed at Wand client facilities throughout the U.S. began to crash immediately after being turned on, and the systems stopped performing expected functions and stopped responding to commands. The server and its systems were completely non-operational.
Wand began an investigation, located the malicious files and was able to restore service to the client servers. The cost to Wand to investigate and rectify the damage caused by the installation of the malicious files was $48,770.
Source - U.S. DOJ
Kinda screams: “We don't need no stinking Fifth Amendment!” Perhaps next they will fine/arrest/execute people who refuse to give a DNA sample?
http://www.pogowasright.org/article.php?story=20090115193415125
IA: Bill would allow fines for minors who refuse breath tests
Thursday, January 15 2009 @ 07:34 PM EST Contributed by: PrivacyNews
Law enforcement officials could issue fines to minors suspected of possessing alcohol for refusing to take breath tests under a proposed bill in the Iowa Senate.
The bill’s main sponsor in the Senate said the measure would help law enforcement crack down on underage drinking, but a Drake University law professor said issuing fines for refusing to take the breath tests raises concerns that the bill may be unconstitutional.
Source - Globe Gazette
Pay attention, Colorado!
http://news.slashdot.org/article.pl?sid=09%2F01%2F15%2F195242&from=rss
Breathalyzer Source Code Ruling Upheld
Posted by timothy on Thursday January 15, @02:22PM from the show-your-work-please dept. The Courts Software United States
dfn_deux writes
"In a follow up to a 2005 story where Florida judge Doug Henderson ruled that breathalyzer evidence in more than 100 drunk driving cases would be inadmissible as evidence at trial, the Second District Court of Appeal and Circuit Court has ruled on Tuesday to uphold the 2005 ruling requiring the manufacturer of the Intoxilyzer 5000, Kentucky-based CMI Inc, to release source code for their breathalyzer equipment to be examined by witnesses for the defense of those standing trial with breathalyzer test result being used as evidence against them. '"The defendant's right to a fair trial outweighed the manufacturer's claim of a trade secret," Henderson said Tuesday. In response to the ruling defense attorney, Mark Lipinski, who represents seven defendants challenging the source codes, said the state likely will be forced to reduce charges — or drop the cases entirely.' ... What this really means is that outside corporations cannot sell equipment to the state of Florida and expect to hide the workings of their machine by saying they are trade secret. It means the state has to give full disclosure concerning important and critical aspects of the case."
Rules to live by? It doesn't pay to be a second class citizen.
http://www.pogowasright.org/article.php?story=20090115201655851
Florida settles lawsuit; drivers get $1 each
Thursday, January 15 2009 @ 08:16 PM EST Contributed by: PrivacyNews
Facing a $3.5-billion deficit next year, Florida desperately needs all the money it can get. But millions more will disappear because the state has settled a lawsuit that affects millions of motorists.
The Legislature will spend $10.4-million to settle a class action lawsuit over allegations that the state illegally sold drivers' personal information to marketing firms over a four-year period in violation of a federal law barring the practice. The state made $27-million each year on the deal, according to the lawsuit. [Let's see: $27 million times four is $108 million. Subtract the $10.4 million settlement and the state gets to keep $97.6 million. Crime does pay! Bob]
[...]
The preliminary settlement requires the state motor vehicle agency to post on its Web site a system to obtain names of the mass marketers that bought the personal information, as well as a reference on license and registration forms on state and federal disclosure laws.
Source - TampaBay.com
Comment: according to the story, each driver will get $1.00. Yes, a single dollar. The four drivers who started the class action suit will get $3,000 each, and five law firms will divide $2.85-million in legal fees. [It's good to be a Class Action lawyer! Bob] So even after paying the settlement, the state still made about $100 million by breaking the law, and presumably the marketing firms that bought the personal information turned a profit. So what's the message the state learns by this settlement? That if you make enough of a profit, it still pays to break the law? When a state violates its citizens' privacy, it should compensate them properly and not be allowed to profit from its illegal behavior. -- Dissent
“There is no bill that we can't screw with...”
http://news.cnet.com/8301-13578_3-10144035-38.html?part=rss&subj=news&tag=2547-1_3-0-5
Democrats sneak Net neutrality rules into 'stimulus' bill
Posted by Declan McCullagh January 15, 2009 4:46 PM PST
The House Democrats' $825 billion legislation released on Thursday was supposedly intended to "stimulate" the economy. Backers claimed that speedy approval was vital because the nation is in "a crisis not seen since the Great Depression" and "the economy is shutting down."
That's the rhetoric. But in reality, Democrats are using the 258-page legislation to sneak Net neutrality rules in through the back door.
… The catch is that the federal largesse comes with Net neutrality strings attached. The Commerce Department must ensure that the recipients "adhere to" the Federal Communications Commission's 2005 broadband policy statement (PDF)--which the FCC said at the time was advisory and "not enforceable," and has become the subject of a lawsuit before a federal appeals court in Washington, D.C.
New technique. Clever Now you can get phished at a site you know is safe!
http://it.slashdot.org/article.pl?sid=09%2F01%2F16%2F014243&from=rss
Phishing For Bank Info Without Any Pesky Malware
Posted by timothy on Friday January 16, @12:06AM from the but-the-convenience-is-incredible dept. Security IT
Emb3rz writes
"DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."
[From the article:
Grossman, who, along with Robert "RSnake" Hansen, had previously researched detecting users online, says the fact that there is no malware infecting the machine itself makes the in-session phishing attack especially dangerous. It would be difficult for antimalware tools to detect, he notes.
Commenters wonder if this has any relation to the UK Navy's switch to Windows?
http://tech.slashdot.org/article.pl?sid=09%2F01%2F16%2F0135232&from=rss
Virus Infection Hits UK's Ministry of Defense, Including Warships
Posted by timothy on Friday January 16, @03:10AM from the but-not-windows-for-warships-per-se dept. The Military Communications Security
Retrovirus writes with a link to a Register story which says that the UK's
"Ministry of Defence confirmed today that it has suffered virus infections which have shut down 'a small number' of MoD systems, most notably including admin networks aboard Royal Navy warships."
No comments:
Post a Comment