http://www.databreaches.net/?p=2721
NZ: Massey University Experiences Serious Breach Of Security
March 31, 2009 by admin Filed under: Education Sector, Exposure, Non-U.S.
The Massey University intranet system utilised by students from all across New Zealand, MyMassey, is under scrutiny after a severe breach of security left thousands of students able to access other people’s highly sensitive information.
Rawa Karetai, President of the Albany Students’ Association, was one of the first students to notice this critical error: “I was first made aware that the website www.mymassey.com started giving out personal information about other students at about 10.40pm. I immediately went and found a computer that was free and started to check to see if I was experiencing the same issues.”
Karetai, like many other students, now had access to a variety of highly sensitive personal information that was not his own. Information at his disposal included, but was not limited to, the following: Massey ID numbers; Full names; Date of Birth; IRD Number; Academic transcripts as well as contact addresses and phone numbers. Students who had discovered this fault were also able sign the person whose information they could now access up for new papers or amend any of their contact details.
Read more on voxy.co.nz
[From the article:
In a written statement released earlier today, Chief Information Officer Gerrit Bahlman attributed the incident to "an operating system patch release". [Patches rarely turn off the security. Bob]
If someone is shifting the responsibility (risk) to you, shouldn't you ensure that you have addresses it?
http://www.pogowasright.org/article.php?story=20090331215927983
Retailers: Credit card data inadequately protected
Tuesday, March 31 2009 @ 09:59 PM EDT Contributed by: PrivacyNews
The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of conveniencing the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.
In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.
Source - Cnet Related - Forbes: Visa, MasterCard In Security Hot Seat
[From the Cnet article:
Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.
"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."
Michael Jones, the CIO for Michaels Stores, backed up Hogan's comments with the fact that the credit card companies' financial institutions do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.
Transferring this data unencrypted can lead to breaches like the Heartland breach, or the 2007 TJX breach that compromised 45.7 million customer accounts, Jones said. Michaels has been asking for the past three years for the ability to encrypt transaction information, he said.
[From the Forbes article:
Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies.
"I don't believe that PCI standards are worthless," said Rep. Yvette Clark, D-N.Y., who led the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."
Related If these laws are wrong, what is right?
http://www.pogowasright.org/article.php?story=20090331083554833
Mass., Nev. data protection laws wrong, ineffective (opinion)
Tuesday, March 31 2009 @ 08:35 AM EDT Contributed by: PrivacyNews
Massachusetts and Nevada have joined the list of states with bills legislating steps businesses must take to protect personal information such as Social Security numbers and financial account numbers. These state regulations represent exactly the wrong kind of laws to be passing, but legislators compelled to take on identity theft seem intent on establishing legal requirements for technical solutions.
Source - Eric Ogren, SearchSecurity.com
[From the article:
While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17.00 Standards for The Protection of Personal Information of Residents of the Commonwealth is even more encompassing. When MA 201 CMR 17.00 goes into effect in January of 2010, all non-government entities that handle personal information must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.
… Merchant Warehouse Inc. and ProPay Inc. are two leading vendors that offer secure credit card handling services for merchants. These two organizations present examples of the types of alternatives that become more attractive as the liabilities of handling personal information increase. Both vendors illustrate end-to-end, swipe-through payment systems:
Encrypt credit card data at the swipe. The merchant is never in possession of clear text credit card information as it is encrypted before even entering the point-of-sale (POS) system.
Securely pass transactions onto card processors. The business transaction remains secure from the POS application all the way through delivery to the credit card processing companies. While the merchant has transaction receipts, they are not in possession of personal information that must be secured.
Provide automated credit card on file services. Merchants with subscription services, such as newspapers that bill monthly, can have the service handle the transaction and provide the merchant with business intelligence reports. Expensive investments in security products and audits are shared among all service members.
Report all transaction information to merchants. Merchants need the intelligence of customer lists and profiles to run a competitive business.
Guidelines! Or at least they are taking a stab at guidelines.
http://www.pogowasright.org/article.php?story=20090331111241604
AU: Surveillance questions in Victoria raise issues for us all.
Tuesday, March 31 2009 @ 11:12 AM EDT Contributed by:PrivacyNews
The Victorian Law Reform Commission has released a Discussion Paper on Surveillance in Public Places. Chairperson of the commission, Neil Rees, said “surveillance affects all Victorians whether we are shopping, catching public transport, driving on major roads, or attending a sporting event”.
Source - Open and Shut
[The paper: Surveillance in Public Places: Consultation Paper (PDF 4.7MB)
Related Valid use of surveillance? Sounds like this one will spread quickly!
http://blog.wired.com/defense/2009/03/fbi-catches-rob.html
FBI Nabs Robbers With Google Map, Spycam Mashup
By Noah Shachtman March 31, 2009 2:36:00 PM
… FBI agents in Arkansas are enlisting the online public's help in catching the thieves. And it appears to be working. Four bank robberies have been solved in the past six months, thanks in part to tips collected from BanditTrackerArkansas.com, Little Rock special agent Steven Burroughs tells the Arkansas Democrat-Gazette. In all, 10 suspected robbers featured on the site are now behind bars.
… Law enforcement agencies have longed relied on the press and the public to help catch crooks, of course. And some departments, like the NYPD, upload their "wanted" posters. But BanditTrackerArkansas.com — and its sister site for Texas, BanditTracker.com — are a little different and a little more sophisticated. Descriptions of the suspect and the crime are paired with pictures from the bank's surveillance cameras, both indoor and out. The whole thing is then plotted on a Google Map.
Security at home. Security Managers might want to pass this to all employees.
http://download.cnet.com/8301-2007_4-10208734-12.html?part=rss&subj=news&tag=2547-1_3-0-5
Rid your computer of the Conficker virus
by Seth Rosenblatt March 31, 2009 5:53 PM PDT
… First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.
… Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool.
You can't keep a good (defined as: makes money) idea down.
http://it.slashdot.org/article.pl?sid=09/03/31/2012228&from=rss
Spam Back Up To 94% of All Email
Posted by kdawson on Tuesday March 31, @05:19PM from the rust-never-sleeps dept. Spam
Thelasko writes
"A NYTimes blog reports that the volume of spam has returned to its previous levels, as seen before the McColo was shut down. Here is the report on Google's enterprise blog. Adam Swidler, of Postini Services, says: 'It's unlikely we are going to see another event like McColo where taking out an ISP has that kind of dramatic impact on global spam volumes,' because the spammers' control systems are evolving. [True throughout the criminal industry. Spam increases, cattle rustling decreases. Bob] This is sad news for us all."
Sign of the economic times or another example of techno-greed?
http://mobile.slashdot.org/article.pl?sid=09/03/31/2149253&from=rss
Cellular Repo Man
Posted by kdawson on Tuesday March 31, @06:57PM from the new-low-for-crippleware dept
LateNiteTV sends in news of a "kill pill" from LM Ericsson AB that a wireless carrier could use to remotely disable a subsidized netbook if the customer doesn't pay the monthly bill or cancels their credit card.
"...the Swedish company that makes many of the modems that go into laptops announced Tuesday that its new modem will deal with [the nonpayment] issue by including a feature that's virtually a wireless repo man. If the carrier has the stomach to do so, it can send a signal that completely disables the computer, making it impossible to turn on. ... Laptop makers that use Ericsson modules include LG Electronics Inc., Dell Inc., Toshiba Corp., and Lenovo."
The feature could also be used to lock thieves out of the data on a stolen laptop.
Another update for Cindy's “Sex and Power” class.
http://www.pogowasright.org/article.php?story=20090331111123950
Federal judge blocks teen "sexting" charges
Tuesday, March 31 2009 @ 11:11 AM EDT Contributed by: PrivacyNews
A federal judge has issued a temporary restraining order that prevents an overzealous prosecutor from charging three teens as child pornographers. The girls were found scantily-clad in photos circulated by "sexting" students.
Source - Ars Technica
[From the article:
Monday, a federal judge issued a temporary restraining order, finding that the girls (and their mothers) were likely to prevail in a civil rights lawsuit against Wyoming County District Attorney George Skumanick, and enjoining Skumanick from making good on his threat to file felony charges against the girls unless they agreed to participate in a five-week "educational" program.
… First, because the photos so obviously did not qualify as child porn under state law—and because it would be perverse in any event to consider the girls culpable for photographs circulated by others without their consent—Skumanick's threat amounted to retaliation for engaging in speech protected by the First Amendment. Second, the use of that frivolous threat to attempt to bully the teens into an education program—a threat that was effective in compelling the participation of the other boys and girls Skumanick targeted—encroached upon the constitutionally protected rights of parents to direct their children's upbringing. Finally, the requirement within that program that the girls write an essay explaining “what you did” and “why it was wrong" amounted to compelled speech, again a First Amendment violation.
… Skumanick himself has voluntarily agreed to provide the photographs at issue in the case to the teens' lawyers. He had previously refused to hand them over on the grounds that he would himself be guilty of distributing child porn if he did so.
There's lots of money in politics...
http://www.killerstartups.com/Web20/electobot-com-barackobama-com-for-local-candidates
Electobot.com - BarackObama.com For Local Candidates
If you intend to become an elected representative, it goes without saying that you must be fully abreast of the latest developments in the technological world, and apply them to your knowledge. This could hardly have been vetoed a few years back. Today, after Obama’s phenomenal campaign on the WWW and the results it yielded, this is more evident than it ever was.
As such, having a good political campaign website is the first thing that has to be dealt with if you intend on traversing that pathway.
… All you have to do is submit some information as regards your principles [There's a major stumbling block... Bob] and proposals through a content management system, and include a photograph. The company then takes care of the rest.
The finished site also includes a wealth of interactive features. For instance, contributions can be taken via PayPal, whereas mailings can be handled through the site. Visitor statistics are also very easy to access, as it is only fit.
Somehow I don't think my Blog subscribers are into Twitter, but I could be wrong.
http://www.killerstartups.com/Web-App-Tools/tweetmyfeed-net-publish-rss-feeds-on-twitter-accounts
TweetMyFeed.net - Publish RSS Feeds On Twitter Accounts
If you want to keep your Twitter following as posted as you can, you might as well give this site a try. You see, TweetMyFeed will empower you to take your existing RSS feed and publish it on a Twitter account. This way, those who follow you on Twitter will be able to learn all about any new content that you are adding to your website.
Using this service is as simple as it gets – there is no need to download or install anything, all that has to be done is to fill in a short form and then you are ready to start tweeting your site or blog away. In addition to furnishing your Twitter username you are requested to provide your password, and that might be a problem for some people who are understandably reticent to give such information away. Other fields that have to be filled out include the name of the website and one that reads “Define what your site is about”.
[From the web site:
Most people don't subscribe to your RSS feeds anymore so this helps get your blog posts to the wider, more active twitter audience.
No comments:
Post a Comment