Tuesday, May 12, 2009

Notification done right?

http://www.databreaches.net/?p=3911

Breach handling done right: Johns Hopkins Hospital

May 11, 2009 by admin Filed under: Breach Reports

In 2007, when Johns Hopkins learned that backup tapes had been lost in transit, I complimented them for their handling of the incident. They’ve managed to impress me yet again — which is no small feat — by their handling of a recent incident….

In February, this site posted a story about a breach that may have involved an employee at Johns Hopkins Hospital in Baltimore and a fraudulent driver’s license ring operating in Virginia. In its notification (pdf) to the Maryland Attorney General’s Office of April 3, the hospital provides more information on what happened and their response [SEE CORRECTION BELOW: these incidents may be unrelated].



Are breaches too common (too small) to be news? Or is there a disclosure process designed to keep them quiet?

http://www.databreaches.net/?p=3873

A few more breaches that didn’t make the news

May 11, 2009 by admin Filed under: Breach Reports

Thanks to those states who post notifications online….

  • TravelCLICK, Inc. reported (pdf) that customers who used their web site to book hotel reservations may have had their data accessed by unauthorized others during the period February to March of this year. Reservation data included names, full credit card numbers, expiration date, but no CVV or CID, and in some cases, telephone numbers and email addresses. No details were provided other than their statement that the data were “inadvertently accessible.” They did not offer affected customers any free services.

  • Starwood Hotels & Resorts Worldwide reported (pdf) that the Westin Grand Hotel in Washington D.C. inadvertently attached information on some customers, including their credit card numbers, in an email sent to other guests who had made reservations. They, too, did not offer those affected any free services.

  • Experian reported (pdf) that a client, Newburyport Capital, had accessed consumer information without authorization. Experian was notifying those affected and had suspended Newburyport Capital’s access. Why Experian advised those affected to notify all three credit reporting agencies instead of offering to just take care of the Experian notification themselves is a bit of a puzzle to me.

  • Liberty Mortgage, a subsidiary of BB&T Financial, reported (pdf) that it accidentally mailed credit reports to the wrong customers. The company offered those affected two years of free credit monitoring. While their letter is somewhat forthright about their error, it suggests that there was only one client affected, whereas the notification to the state suggests that there were a number of misdirected credit reports.



Guidance for your security policy. (list of cases omitted)

http://www.databreaches.net/?p=3897

FTC enforcement of data protection

May 11, 2009 by admin Filed under: Breach Reports

Since 2001, the FTC has filed charges against 25 businesses for failure to protect consumers’ information. The cases were cited in their May 5th testimony and comments (pdf) in Congress about two bills being considered: H.R. 2221, the Data Accountability and Protection Act, and H.R. 1319, the Informed P2P User Act.

The cases fall into five major types:

  1. Businesses that allegedly misrepresented their own security procedures by claiming that they had strong security protection when they failed to employ even basic security protections: Microsoft, Petco, Tower Records, Life is good, and Premier Capital Lending.

  2. Businesses that failed to protect consumer data from simple and well-known types of attacks such as SQL injection (Genica Corp., Guidance Software) or businesses that failed to implement simple technologies to counteract basic security threats (TJX, Reed Elsevier and Seisint).

  3. Businesses that failed to use reasonable procedures to verify the legitimacy of their customers or those accessing consumer data: Choicepoint.

  4. Businesses that retained sensitive consumer information that they no longer needed: BJ’s Warehouse, DSW Shoe Warehouse, and CardSystems Solutions.

  5. Businesses that did not dispose of sensitive consumer information properly: CVS Caremark.

The 25 cases were:



http://yro.slashdot.org/article.pl?sid=09/05/12/0012255&from=rss

The Electronic Police State

Posted by kdawson on Monday May 11, @11:54PM from the watching-you dept.

gerddie writes

"Cryptohippie has published what may be called a first attempt to describe the 'electronic police state' (PDF). Based on information available from different organizations such as Electronic Privacy Information Center, Reporters Without Borders, and Freedom House, countries were rated on 17 criteria with regard to how close they are already to an electronic police state. The rankings are for 2008. Not too surprisingly, one finds China, North Korea, Belarus, and Russia at the top of the list. But the next slots are occupied by the UK (England and Wales), the US, Singapore, Israel, France, and Germany."

This is a good start, but it would be good to see details of their methodology. They do provide the raw data (in XLS format), but no indication of the weightings they apply to the elements of "electronic police state" behavior they are scoring.


Related: We'll just pass a little radiation through your brain...

http://it.slashdot.org/article.pl?sid=09/05/12/1234222&from=rss

Brain Scanning May Be Used In EU Security Checks

Posted by timothy on Tuesday May 12, @08:59AM from the who-do-you-think-you-are? dept.

An anonymous reader writes with this excerpt from the Guardian:

"Distinctive brain patterns could become the latest subject of biometric scanning after EU researchers successfully tested technology to verify identities for security checks. The experiments, which also examined the potential of heart rhythms to authenticate individuals, were conducted under an EU-funded inquiry into biometric systems that could be deployed at airports, borders and in sensitive locations to screen out terrorist suspects."

The same article says that "The Home Office, meanwhile, has confirmed rapid expansion plans of automated facial recognition gates: 10 will be operating at major UK airports by August." I wonder what Bruce Schneier would have to say about such elaborate measures.


Related: Anti-social-networking? Perhaps we could add videos from the cell phone?

http://www.killerstartups.com/Web20/zapatag-com-report-bad-drivers-track-their-licenses

Zapatag.com - Report Bad Drivers & Track Their Licenses

http://www.zapatag.com/

They say it is a jungle out there, and any person who spends just one hour in the streets and roads of any American city can tell you he sometimes feels like committing a crime. If you ever feel like that, calm down for a minute and do the right thing – report the bad driver and let others know about the wrongdoer. This website is there to let us all “bring accountability to our streets the Web 2.0 way” by not simply reporting bad drivers but also tracking license plates and zapping tags.

The main page will let you pick the City and State in question, furnish a plate and add the pertinent details and comments for all to see. As is the case with sites such as this one, a Google Map is featured in order to put everything into context.

All in all, this site will let you get even online and (hopefully) enhance road security at the very same time. Check it out at the provided address and see how it works in person.



Of course, all my access is under an assumed name...

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=337791

What Google knows about you

Google may know more about you than your mother does. Got a problem with that?

By Robert L. Mitchell

… If you use Google's search engine, Google knows what you searched for as well as your activity on partner Web sites that use its ad services.

If you use the Chrome browser, it may know every Web site you've typed into the address bar, or "Omnibox."

It may have all of your e-mail (Gmail), your appointments (Google Calendar) and even your last known location (Google Latitude).

It may know what you're watching (YouTube) and whom you are calling. It may have transcripts of your telephone messages (Google Voice).

It may hold your photos in Picasa Web Albums, which includes face-recognition technology that can automatically identify you and your friends in new photos.

And through Google Books, it may know what books you've read, what you annotated and how long you spent reading.


Related: Now Google connects the e-dots for you... Is research now too easy? (Not based on what my students turn in...)

http://www.bespacific.com/mt/archives/021340.html

May 11, 2009

Google News Search Results Now Providing More Content Options

Google News Blog: "Last Thursday we launched a new format for story pages on Google News. These are the pages you see when you click the "all [#] news articles" link of each cluster of articles which cover the same news event--or "story," as we say on the Google News team. The story page includes timely and relevant information from different sources indexed in Google News. Depending on the most recent coverage and materials available for a given story, the page features top articles, quotes from the people in the story, and posts from news blogs. You'll also find image thumbnails, videos, articles from sources based near the story, and a timeline of articles to trace media coverage of the story."



Interesting study in reducing bureaucracy?

http://www.pogowasright.org/article.php?story=20090512044030362

UK: Making European data protection law fit for the 21st century

Tuesday, May 12 2009 @ 04:40 AM EDT Contributed by: PrivacyNews

The Information Commissioner’s Office (ICO) is today publishing the review of the strengths and weaknesses of the EU Data Protection Directive which it commissioned from RAND Europe. The RAND study concludes that, in an increasingly global, networked environment, the Directive will not suffice in the long term.

Source - Information Commissioner's Office press release (pdf)

RAND report: Review of the European Data Protection Directive (pdf)



Statistics to quote?

http://www.pogowasright.org/article.php?story=20090512044657218

Kiwi disclosure law could boost security, says Symantec

Tuesday, May 12 2009 @ 04:46 AM EDT Contributed by: PrivacyNews

A new survey of small and medium sized businesses shows 58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance.

The survey, by security company Symantec, found 69% of these organisations reported losses due to systems breakdown or hardware failure, 49% through onsite and natural disasters, 47% through human error, 45% through a lost or stolen laptop or other portable device and 39% through deliberate sabotage by an employee.

Source - Computerworld

[From the article:

The ANZ loss rate is well above the global average of 41% and even further away from the US rate of 29% and Canada's loss rate of 27%.]


Related: How to lose the geek vote?

http://www.pogowasright.org/article.php?story=20090511111133565

NZ: Massive holes in Brash security

Monday, May 11 2009 @ 11:11 AM EDT Contributed by: PrivacyNews

Police have concluded there were so many holes in security surrounding National Party offices in opposition that it would be impossible to establish how former leader Don Brash's private emails were made public.

Source - Stuff



Should we expect to see the nose camera videos on Youtube?

http://www.wired.com/dangerroom/2009/05/cia-our-drones-are-killing-terrorists-promise/

CIA: Our Drones are Killing Terrorists. Promise.

By Noah Shachtman May 11, 2009 12:08 pm

Al Qaeda is so spooked by CIA drone attacks that Osama’s crew is staging spectacular bombings in Pakistan, in an attempt to get America to call off its unmanned attack fleet, former U.S. officials and counterterror advisers say. And the CIA is apparently so spooked about the possibility of a withdrawal that they’re spilling details about their supposedly-secret drone strikes to the New York Times.



It used to be difficult for a mere employee to commit the company to anything. How could this have been avoided?

http://www.pogowasright.org/article.php?story=20090511142426409

"For a good time, call..." Is Yahoo liable for sex graffiti?

Monday, May 11 2009 @ 03:16 PM EDT Contributed by: PrivacyNews

When someone posts fake Yahoo profiles of his ex-girlfriend and passes them out in chat rooms so that anonymous men will harass her for sex, does the company have any duty to take them down in a timely manner? A federal court says no... except for the fact that a Yahoo employee verbally promised to do so.

Source - Ars Technica Related - Barnes v. Yahoo (pdf), Opinion



Do I want a separate app for each newspaper/magazine/blog/website I read?

http://www.wired.com/epicenter/2009/05/nytimes-reader-shows-graceful-future-of-online-news/

NYTimes Reader Shows Graceful Future of Online News

By Ryan Singel May 11, 2009 3:39 pm

I read the news today in a whole new way. And I’m betting you will too, soon.

Journalism’s grey lady, the New York Times just threw down her cane and sprinted to the forefront of online newspapers with the release of version two of the Times Reader — a downloadable application built on Adobe’s AIR framework.



For the Swiss Army folder?

http://www.oldversion.com/

OldVersion.com



Also for the Swiss Army folder. How my students will be notified that their pages have been updated...

http://www.killerstartups.com/User-Gen-Content/wikialarm-com-monitor-your-wiki-pages

WikiAlarm.com - Monitor Your Wiki Pages

http://www.wikialarm.com/

I must admit that more often than not I have considered making a contribution of my own to Wikipedia, yet something has always stopped me: the fact that the addition I could make could be so easily modified by others. Of course, I am missing the boat altogether – the idea of a wiki is exactly that. You make a contribution, and then others are inspired by it and add their own input. Your original data is bound to be modified, yet I think you get what my concern is – are you going to labor hard over something only to have it modified by someone who might not have done his homework? That is where a tool like the one under review right now comes in handy.

Generally speaking, WikiAlarm will notify you whenever any of your pages on Wikipedia is modified. It lets you track as many pages as you wish, and these are monitored every hour of the day during the whole week. The e-mails themselves come complete with full visibility on the changes that have been made, too, so that you don’t have to start opening windows manually like crazy in order to keep everything in sight.

When all is said and done, this is useful both for individual users and for enterprises that wish to have a better online reputation management tool. After all, Wikipedia is the port of call for the vast majority of internauts looking for information, and if something therein is wrong it should be rectified as soon as possible.



Amusing. USB drives as advertising toys?

http://www.pcmag.com/slideshow/0,1206,l%253D240154%2526a%253D240155,00.asp

10 Wacky USB Flash Drives



An inspiration for my Computer Security class final exam?

http://it.slashdot.org/article.pl?sid=09/05/11/1951204&from=rss

NSA Wages Cyberwar Against US Armed Forces Teams

Posted by ScuttleMonkey on Monday May 11, @05:18PM from the next-time-take-the-gloves-off dept.

Hugh Pickens writes

"A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."



How can I resist?

http://geekadvancement.com/

THE SOCIETY FOR GEEK ADVANCEMENT

… was founded upon the principles that we should all embrace our inner and outer geek and have fun while doing it. As individuals who love learning, innovating and believe in possibility as well as change, the second step of responsibility is to “be the geek that keeps on giving”. As a member of SGA, we work together as a global community to provide the tools and help others realize their true potential too!
