http://www.databreaches.net/?p=5900
Heartland Breach Affects OPFCU
July 1, 2009 by admin Filed under Financial Sector, Hack, ID Theft, Malware, U.S.
And the impact of the Heartland Payment Systems breach continues:
Having police officers around didn’t prevent this credit union from having to deal with a data breach.
The Omaha Police Federal Credit Union is replacing 1,167 of its customers’ debit cards after being notified that the card numbers were among those involved in the data breach at Heartland Payment Systems of Princeton, N.J.
Mary Johnson, credit union president, said her staff members have been monitoring card activity while the new cards are being issued and have found no instances of fraud or loss. Credit union members are receiving the new cards before the old ones are deactivated, she said.
Read more in The Omaha World-Herald.
Once again, though, a news report doesn’t tell us when the credit union was first made aware that those card numbers were involved in the breach. Were they notified in February and are first taking action now or were they just recently notified?
What level of cooperation is proper?
http://www.pogowasright.org/?p=1086
Warrantless searches: MySpace, Yahoo and ATT
July 1, 2009 by Dissent Filed under Govt, Internet, Surveillance
An email purporting to be from Mike Duffey, Special Agent, Florida Department of Law Enforcement Computer Crime Center, to the ICAC Task Force mailing list was posted on Wikileaks.org. The email is reportedly from June 2009. The full header is not provided:
From: Duffey, Mike
Sent: None
To: ICAC.Task.Force
Subject: RE: Att refuses legal process in exigent situation- UPDATE!! and concerns
Thank you to everyone who responded. Below is an update with some concerns that based on the responses we received some of you have had.
First let me layout the scenario: Wed night- June 24th we received information that an individual using a yahoo screen name had discussed in detail recently molesting his six year old daughter in an incest forum then chatting on yahoo instant messenger. We began attempting to identify this individual. We discovered a MySpace page associated with the email address. Also on the Myspace, which was public was a name and photos of a girl with the same name as the one who was being molested. Also on the Myspace page was the photo of an adult female who had been tagged, which linked us to her public MySpace page, and had a caption under the photo saying “girlfriend”. Also at this time we were able to discover who we believed the potential targets were but based on info we were receiving we were not able to determine where the suspect was living due to multiple addresses. Later we discovered that our suspect had moved two weeks ago to where we ultimately found him.
We contacted MySpace claiming “exigent circumstances” for subscriber info and log in information for both MySpace using the users at they both had photos of the child victim on there pages with references to her being their child. MySpace responded to our request within 20 minutes and 45 minutes later we had the IP log-in info. Which came back with at least 15 different IP’s over the last 30 days, all belonging to ATT.
Problem Number 1. –Yahoo
In the mean time we were still waiting on Yahoo to respond to our initial request. Approximately three hours later yahoo responded by denying our exigent request. We then called Yahoo back and explained the situation to yahoo who understood the request but claimed they would not be able to obtain the IP log-in info until 48 hours after the log-in occurred. In this case we had info the abuse had recently occurred and need that IP log in within that 48 hour window. When we couldn’t get that we were forced to push back for IP info after the 48 hour window. After 7-hours they gave us the IP’s that were over 48 hours old. These IP’s also were assigned to ATT.
My Comment here is that I find it very hard to believe Yahoo, which collects your IP at the time of log in can’t provide LEO’s with IP log-in information until 48 hours later. In today security conscious environment its not weather they can its that they don’t want to and im sure they will site costs. I say they are actually helping facilitate criminal activity and hindering LEO’s ability to conduct a real time investigation.
Problem Number-2- ATT
We then contacted ATT around 9:00 am. We talked with [employee's name redacted] at ATT and explained to her the situation at hand. [employee] told us “it did not meet there requirement” and we need a subpoena to get that information. We again attempted to explain the situation and were told “ due to ECPA and their interpretation ATT was not allowed to release this information as to where the user of the IP was physically located at. We than began the legal process of getting a subpoena issued as we here in FL don’t have Admin subpoena powers and the process could take anywhere from 4-5 hours or longer. Upon posting on the listserve we received many, many contact names for ATT other than [employee] who basically of no help and didn’t really seem to care. We then contacted [employee 2] with ATT who also toed the company line and refused to provided the information without a subpoena. [employee 2] explained that if it was an exigent situation we would not be giving him IP addresses that were over 48 hours old, hence where is the exigency? We then explained that the IP had to be like that because Yahoo couldn’t provide us with current IP’s. It was at this point that we went to the only current IP we had which were from the MySpace info which was connected to the yahoo email address. We were still forced to get a subpoena after which ATT confirmed the address and subscriber name at 4pm.
My comment is on ATT interpretation of ECPA and that they sighted a prior issue where they provided subscriber info to an LEO. The case went to trial and at the trial ATT had to explain why they provided customer info to LEO’s in a non-exigent situation, thus the defense claimed. ATT said the info they provided was throw out and caused a bad case. ATT explained that is one example as to why they don’t just give out customer on old IP’s, which I explained the fact of why this was occurring and that a child we believed was being sexually abused. In the end they didn’t offer much help either as we had already developed enough intelligence to connect the suspect with a residence.
At 6pm we hit the residence. In the interview with the suspect he admitted to sexually molesting the child over the last two day and while doing so streamed it on webcam to other users. The child was interviewed and divulged the occurrence. Actually the suspect was to arrive home about ten minutes after we arrived. We can only imagine what would have occurred that evening. Why would it have been different than any other night.
To those who assisted thank you !!
I can only hope that one day ATT realizes that there interpretation of ECPA potentially could have hindered us to a point that the abuse could have occurred again. They are not by themselves there Yahoo in their inability to provide LEO with real time IP is equally to blame. Especially when they both could have been of more help!! I realize that they receive a lot of requests but they also make a lot of money from the people who use their systems.
Mike Duffey
Special Agent
Florida Department of Law Enforcement
Computer Crime Center
Perhaps we shouldn't give powerful tools like computers to people with no clue how to use them? By now you would think politicians would understand that emails are sensitive – and calling the police makes more sense than calling the IT department.
http://www.databreaches.net/?p=5933
PA Legislator’s Laptop Stolen from Car
July 1, 2009 by admin Filed under Breach Incidents, Government Sector, Theft, U.S.
A Pennsylvania state representative had his state-issued laptop stolen from his car over the past weekend. But State Rep. Frank Dermody may not be particularly concerned because, according to the Pittsburgh Tribune-Review, the legislator said no sensitive state data were on it.
Nothing “sensitive,” but an “undetermined number of e-mails from constituents” were on the stolen laptop? I wonder how his constituents feel about his lack of concern over their emails and any personal details they might have contained.
Dermody said that after the theft, he immediately contacted the legislature’s I.T. department, “which erased his password.” Horses and barn doors, anyone?
Better than a “National ID” program? “Papers, Citizen! We can't allow you to travel/enter a federal building/drive a car until we know you are healthy.”
http://www.pogowasright.org/?p=1096
Class Action Suit: Stimulus Act and health privacy
July 1, 2009 by Dissent Filed under Court, Legislation, U.S.
The Stimulus Act signed into law by President Obama jeopardizes the privacy rights of the 65 percent of Americans who aren’t on Medicaid or Medicare by requiring health-care providers to create an electronic health record of every person in the United States, a class action claims in Federal Court.
Because Title XIII of the Stimulus Act aims to have everyone’s medical histories in the system by 2014, their personal health information would be a “mouse click away from being accessible to an intruder,” according to lead plaintiff Beatrice M. Heghmann, a health-care professional who has never been covered by Medicare and Medicaid.
Heghmann sued Secretary of Health and Human Services Kathleen Sebelius, White House Office of Health Reform Director Nancy-Ann Deparle and Administrator of the Centers for Medicare and Medicaid Services Charlene Frizzera.
Read more in Courthouse News.
[From the article:
It also allows government officials to link a person's medical information with other forms of personal identification, such as a driver's license number or Social Security number, Heghmann says.
… She says the $22 billion earmarked for the electronic registry exists solely to obtain confidential health-care information.
(Related) Now that we know who you are, we need to know where you go... And we want you to pay us for tracking you!
GPS-Based System For Driving Tax Being Field Tested
Posted by Soulskill on Wednesday July 01, @11:37AM from the you-can-trust-us dept. transportation privacy
An anonymous reader writes
"Apparently, since gas consumption is going down and fuel efficient cars are becoming more popular, the government is looking into a new form of taxation to create revenue for transportation projects. This new system is a 'by-the-mile tax,' requiring GPS in cars so it can track the mileage. Once a month, the data gets uploaded to a billing center and you are conveniently charged for how much you drove. 'A federal commission, after a two-year study, concluded earlier this year that the road tax was the "best path forward" to keep revenues flowing to highway and transportation projects, and could be an important new tool to help manage traffic and relieve congestion. ... The commission pegged 2020 as the year for the federal fuel tax, currently 18.5 cents a gallon, to be phased out and replaced by a road tax. One estimate of a road tax that would cover the current federal and state fuel taxes is 1 to 2 cents per mile for cars and light trucks.'"
Move the workers someplace else, I need a bigger office. Actually a good move if you need to draw employees from an educated population or a population that speaks foreign languages (and English)
http://it.slashdot.org/story/09/07/02/0333202/NSA-To-Build-20-Acre-Data-Center-In-Utah?from=rss
NSA To Build 20 Acre Data Center In Utah
Posted by samzenpus on Thursday July 02, @07:57AM from the data-on-the-horizon dept. security database usa
Hugh Pickens writes
"The Salt Lake City Tribune reports that the National Security Agency will be building a one million square foot data center at Utah's Camp Williams. The NSA's heavily automated computerized operations have for years been based at Fort Meade, Maryland, but the agency began looking to decentralize its efforts following the terrorist attacks of Sept. 11, 2001 and accelerated their search after the Baltimore Sun reported that the NSA — Baltimore Gas & Electric's biggest customer — had maxed out the local grid and could not bring online several supercomputers it needed to expand its operations. The agency got a taste of the potential for trouble January 24, 2000, when an information overload, rather than a power shortage, caused the NSA's first-ever network crash taking the agency 3 1/2 days to resume operations. The new data center in Utah will require at least 65 megawatts of power — about the same amount used by every home in Salt Lake City so a separate power substation will have to be built at Camp Williams to sustain that demand. "They were looking at secure sites, where there could be a natural nexus between organizations and where space was available," says Col. Scott Olson, the Utah National Guard's legislative liaison. NSA officials, who have a long-standing relationship with Utah based on the state Guard's unique linguist units, approached state officials about finding land in the state on which to build an additional data center. "The stars just kind of came into alignment. We could provide them everything they need.""
This is rather depressing – the type of search I'd expect from devoted followers of supermarket tabloids...
http://www.killerstartups.com/Web-App-Tools/chromomulator-com-find-out-what-is-hot-on-the-www
Chromomulator.com - Find Out What Is Hot On The WWW
There is so much happening on the Internet that it is a bit hard to stay on top of the hottest stories and media doing the rounds. That is where services such as Chromomulator step right in. They let you have access to only the crème of the crème as regards the stories and items featured on the Web. In the specific case of Chromomulator, it takes the top 100 Google searches at any given time by glancing at the Google Trends page, and complements it with information retrieved from Digg and Technorati. Using this information it produces a list of the hottest and most noteworthy online content around.
For my Computer Security class. Have fun with your neighbors!
http://lifehacker.com/5305094/how-to-crack-a-wi+fi-networks-wep-password-with-backtrack
How to Crack a Wi-Fi Network's WEP Password with BackTrack
By Gina Trapani, 9:30 AM on Wed Jul 1 2009
… Today we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on.
… Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously—Google it. This ain't what you'd call "news." But what is surprising is that someone like me, with minimal networking experience, can get this done with free software and a cheap Wi-Fi adapter.
I'm looking for a co-author (to do all the work)
http://gawker.com/5305024/exploiting-the-blog%2Bto%2Bbook-bubble-a-guide
Exploiting the Blog-to-Book Bubble: A Guide
By Alexia Tsotsis, 6:49 PM on Tue Jun 30 2009
Two blogs, [...] scored contracts at Penguin's Gotham Books imprint in the past week, the latest in an endless series of such deals. Shouldn't you get a piece of the action?
It's not like there's any shame in aiming for a book deal right when you start your blog. As the New York Observer puts it:
These days it seems more and more like people start goofy Web sites practically counting on seeing their stuff between two covers.
No comments:
Post a Comment