Today's theme seems to be the protection of large, sensitive database information and the creation of a couple of new (to me) legal concepts...
Think of this as a database for potential employees. Fortunately, this would never happen in the US, our security is foolproof!
http://www.databreaches.net/?p=6541
‘Secret’ Swedish police data sold by criminals
August 4, 2009 by admin Filed under Breach Incidents, Breach Types, Financial Sector, Government Sector, Non-U.S., Of Note
Supposedly secret police lists containing details about Sweden’s most dangerous criminals are up for sale across the country among members of the Swedish underworld. The documents have apparently been leaked from the Stockholm police’s Criminal Investigation Department.
The lists, known as the Alcatraz List and Nova List, contain a wide-range of information about Sweden’s toughest criminals, there associations to one another, as well a details about their relationships with family members, acquaintances, and girlfriends.
[...]
Linderoth confirmed that information from the lists is being sold to criminal across the country. She said that the lists came out as a result of criminal activity and that no police officers are suspected of being invovled. [If true, it must be a master hacker! Bob]
Nor does she believe the disclosure has damaged the police’s work. [Oh? Bob]
“It’s not good, but it’s a living document and now that we know about it can we restructure things,” she told DN.
Read more on The Local (Sweden).
(Related) Of course, there is always a bigger fool...
http://www.databreaches.net/?p=6533
Police files found in dumpster
August 3, 2009 by admin Filed under Breach Incidents, Breach Types, Exposure, Government Sector, Paper
Hundreds, perhaps thousands of personal files from the Scranton Police Department were found unshredded in a dumpster, according to a news story on WNEP.
“One or more files that should have been shred were thrown into the dumpster,” said Scranton Director of Public Safety Ray Hayes. He admitted that a mistake was made.
Newswatch 16 found names, addresses, social security numbers, even what appeared to be an old evidence bag of marijuana; all things that could potentially end up in the wrong hands.
[...]
Director Hayes added that not all of the files in the dumpster were confidential. He said many of those files are already a matter of public record.
(Related) At least one state used inmates to enter personnel data into a computer system.
http://www.databreaches.net/?p=6557
NH inmate had corrections officers’ data
August 4, 2009 by admin Filed under Exposure, Government Sector, Non-U.S., Paper
The Associated Press reports that a New Hampshire State Prison inmate was found in possession of a list containing details — including social security numbers — of Corrections Department workers. Officials believe that the inmate might have obtained the list when he worked at a warehouse, where a copy of the list was waiting to be shredded. [I read this as another case of using inmate labor in highly sensitive areas without adequate supervision. Bob]
(Related) Of course, some states make sensitive data available for sale..
http://www.pogowasright.org/?p=2532
Sale of DMV Data Could Bankrupt Missouri
August 4, 2009 by Dissent Filed under Breaches, Businesses, Court, Featured Headlines, Govt, U.S.
Two related federal class actions have the potential to bankrupt the state. The plaintiffs claim that the Source for Public Data and Chexsystems Collection Agency illegally obtained a database from the Missouri Department of Motor Vehicles, with confidential information about Missouri drivers….. The classes claim the companies violated the Federal Driver’s Privacy Protection Act by selling their personal information and making false representations to get it.
Read more on Courthouse News.
Related: Complaint against Chexsystems Collection Agency (pdf)
(Related) Gary Alexander sent me this one. I seem to remember a Supreme Court nominee's video rental records being examined by the press, perhaps that was enough to make Washington politicians take action?
http://www.networkworld.com/community/node/44055?source=NWWNLE_nlt_daily_am_2009-08-03
Video rental records are afforded more privacy protections than your online data.
Defcon 17 Security Conference By jheary on Sat, 08/01/09 - 1:49am.
Today at Defcon 17 I attended an interesting talk given by the Electronic Frontier Foundation (EFF) where they talked about some of the case law that is shaping our countries IT related laws. One of the interesting tidbits that I picked up was that current laws seem to protect your personal video rental and sales records (i.e. what you rented from the video store) from disclosure in a more effective way than your computer data residing online. I'm no lawyer, and this is not legal advice, but here are some of the details on the subject.
It is one thing to have a policy. Part of management's responsibility is to ensure that procedures are followed. Especially when an employee is terminated for cause.
http://www.databreaches.net/?p=6527
TNCC computer tech says access now cut off
August 3, 2009 by admin Filed under Breach Incidents, Education Sector, Unauthorized Access
It may be a sign of the times that even the risk of a data breach becomes newsworthy. [God, let's hope so! Bob]
Last week, the Daily Press reported that a former part-time computer help desk technician at Thomas Nelson Community College claimed that he had been laid off almost three weeks earlier, but that he still had computer access to the records and Social Security numbers of every student in the Virginia Community College System. The college denied that he had been “laid off,” and stated that school policy is to end access when an employee is terminated.
In a follow-up a few days later, the reported that as soon as they had published the first story, the former tech’s access was promptly terminated. This time, the college claimed that:
“However, we believe his assessment of his access was incorrect; it did not include access to Social Security numbers,” Hayden said. “Security of student and institutional records is a paramount concern for all of Virginia’s Community Colleges, including Thomas Nelson Community College.”
“I’m pretty positive,” Slater said Friday, when asked again if he was sure he had access to Social Security numbers.
I suspect this editorial (rant?) reflects the opinion of many security wonks.
http://www.wired.com/dangerroom/2009/08/white-house-cyber-czar-resigns-good-riddance/
White House ‘Cyber Czar’ Resigns; Let’s Not Replace Her.
By Michael Tanji Email Author August 3, 2009 4:16 pm
The White House’s acting “cyber czar” just resigned, with no permanent replacement in sight. Which is just fine. We can make more progress on the network security front without such a “czar.”
For starters, we’ve had reasonable facsimiles of cyber czars before — to little effect. The studies have been done, the list of tasks complete, yet we continue to fail year after year.
… Despite grandiose claims to the contrary, the government has very little direct impact on how safe national resources are online.
It figures that California requires outrageous behavior...
http://www.ktvu.com/news/20267691/detail.html
Workplace Surveillance Lawsuit Tossed By High Court
Posted: 1:43 pm PDT August 3, 2009
SAN FRANCISCO -- The California Supreme Court Monday rejected a lawsuit filed against a Southern California residential children's center by two clerical workers who learned there was a surveillance camera hidden in their office.
The camera and a related motion detector were set up by officials at the Hillsides Children's Center in Los Angeles County in 2002 in a bid to find out who was looking at pornography late at night on a computer in the office.
The center's director later said he didn't suspect either of the two workers who filed the lawsuit, but wanted to find out whether another center employee was entering their office at night to view pornography online.
Center management said that since the center served abused children, it would be harmful to have such an employee working there.
… The state high court, in a ruling issued in San Francisco, said the two workers had a reasonable expectation of privacy.
But the panel also unanimously said the privacy invasion didn't rise to the level of an "outrageous" action that would have allowed the lawsuit to proceed.
The panel said the action was justified by legitimate business concerns for the welfare of the children and about the center's possible legal liability. The court also said the intrusion was limited because the camera was activated only at night and only three times in a three-week period and the two workers were never caught on film.
Justice Marvin Baxter said in the ruling that misuse of office computers is an increasing problem for employers.
Another “We gotta do something” reaction to 9/11? Probably helps solve crime, but prevent terrorism? (Maybe “sharing” explains how all those police files wind up in the wrong hands?)
http://www.bespacific.com/mt/archives/021960.html
August 03, 2009
Police Chiefs: Intelligence Sharing Has Improved Since 9-11 But More Must Be Done
News release: "A report released today by the International Association of Chief of Police (IACP) finds that in the years since the September 11, 2001, state, local, and tribal law enforcement agencies have made great strides in their ability to share intelligence, which is a critical factor in our continuing effort to prevent terrorist attacks. [Am I missing something? Did any of these organizations have information that would have prevented the attacks? (The Feds had bits & pieces) Bob] However, the full benefits of intelligence sharing has not yet been realized because the process itself remains a mystery to many police officers, and some law enforcement executives consider their agencies too small or too remote to participate in criminal intelligence sharing. These obstacles to full participation could result in alarming gaps in the intelligence that guides our homeland security and crime fighting efforts. These findings, along with recommendations designed to assist law enforcement agencies in overcoming challenges, are contained in the IACP's report: National Summit on Intelligence: Gathering, Sharing, Analysis, and Use after 9-11."
(Related) How secure are those huge databases you ask?
http://www.databreaches.net/?p=6555
Employees sacked for ID card data breach
August 4, 2009 by admin Filed under Breach Incidents, Government Sector, Non-U.S., Unauthorized Access
The database in question holds data on 92 million people in the U.K. About 200,000 people have access to it. If they cannot adequately secure the database from misuse by employees, well…….
Nine local authority workers have been sacked after illegally accessing personal details of the public held on the government’s national identity database.
In total, 34 council workers were found to have illegally accessed the Customer Information System (CIS) database, part of a linked-up network of systems which constitute the government’s planned national identity database.
So how much is acceptable? Is evidence of 34 people misusing the database evidence that the system needs better security, or is it an acceptable level of risk? [Acceptable to whom? Bob]
A DWP spokesman told Computer Weekly: “The small number of incidents shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage [They do not manage. They merely report that an event has occurred. Bob] and report attempts at unauthorised or inappropriate access.”
Read more on politics.co.uk.
Isn't this the IP equivalent of a Quit Claim Deed? If so, can I sell the rights to AP stories the same way? (The AP was probably so amazed that someone actually wanted to pay them that they didn't bother checking who owned the quote.)
http://yro.slashdot.org/story/09/08/03/2125223/AP-Will-Sell-You-a-License-To-Words-It-Doesnt-Own?from=rss
AP Will Sell You a "License" To Words It Doesn't Own
Posted by kdawson on Monday August 03, @07:13PM from the almost-as-ironic-as-disappearing-1984 dept.
James Grimmelmann performed an experiment using the AP's form to request a license to use more than four consecutive words from one of their articles. Except that he didn't paste in words from the (randomly chosen) article, but instead used 26 words written by Thomas Jefferson 196 years ago:
If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea.
The AP cheerfully charged him $12 to use Jefferson's 26 words. Both Boing Boing and TechDirt have picked up the story so far. Grimmelmann adds an update to his blog: the AP has rescinded his license to Jefferson's words and issued a refund for his $12. They did not exhibit the grace to admit that their software is brain-dead.
Post Hoc contract modification? Perhaps it was in the shrink wrap... I did warn you that automated updates gave the manufacturers too much control.
http://games.slashdot.org/story/09/08/03/228225/Ads-Retroactively-Added-To-emWipeout-HDem-Soon-Others?from=rss
Ads Retroactively Added To Wipeout HD, Soon Others
Posted by Soulskill on Monday August 03, @10:04PM from the brought-to-you-by-frungy,-the-sport-of-kings dept. playstation games
An anonymous reader writes
"American users of Wipeout HD might have noticed that there's an advertisement showing up all of a sudden during loading, both during online and offline play. This, according to a poster on the well-known gaming forum NeoGAF, is being done covertly. The writer suspects that the display software was installed during update 2.01, and the ad-content is now being snuck in. Gamasutra has a story on the company responsible for the software to deliver these ads, Double Fusion, which said it plans to launch in-game advertising in 'another handful' of PS3 games by the end of the year. So, what's next? Can we look forward to fighting the Kool-Aid Man and zombified Mars bars in Uncharted, or is there anything that can be done to hinder companies from adding advertisements retroactively, without the customer's prior knowledge?"
Another legal milestone!
http://it.slashdot.org/story/09/08/03/1731226/First-Ever-Criminal-Arrest-For-Domain-Name-Theft?from=rss
First Ever Criminal Arrest For Domain Name Theft
Posted by ScuttleMonkey on Monday August 03, @03:11PM from the slowly-catching-up-with-the-times dept. security court internet
Domain Name News writes
"Until recently, there hasn't been a case of a domain theft where the thief was caught and arrested. However, on July 30th, Daniel Goncalves was arrested at his home in Union, New Jersey and charged in a landmark case, the first criminal arrest for domain name theft in the United States. [His mother is so proud! Bob] 'Cases of domain name theft have not typically involved a criminal prosecution because of the complexities, financial restraints and sheer time and energy involved. If a domain name is stolen, the victim of the crime in most cases would need experience with the technical and legal intricacies associated with the domain name system. To move the case forward, they would also need a law enforcement professional who understands the case or is willing to take the time to learn. For example, the Angels told us that in their case they called their local law enforcement in Florida who sent a uniformed officer in a squad car to their home. The first thing you can imagine the officer asked was, "What's a domain?"'"
Think of this as a weapon test/proof of concept. How would you like to control millions of computers at the start of a CyberWar?
http://it.slashdot.org/story/09/08/03/1510243/Has-Conficker-Been-Abandoned-By-Its-Authors?from=rss
Has Conficker Been Abandoned By Its Authors?
Posted by CmdrTaco on Monday August 03, @12:19PM from the don't-leave-me-daddy dept. security worms
darthcamaro writes
"Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"
This is important for determining if the rest of the world is as wacko as we are...
http://www.bespacific.com/mt/archives/021964.html
August 03, 2009
Google quadruples number of articles included in News Archive Search
Google News Blog: "We've recently updated our index, quadrupling the number of articles included in News Archive Search. We now include articles from several new publications, including the Halifax Gazette, Sydney Morning Herald, the Milwaukee Journal Sentinel, and the Village Voice. Working with our partners, we've also added new international publications such as the Manila Standard, The Nation from Thailand, and many others...You can explore this historical treasure trove by searching on News Archive Search or by using the timeline feature after searching on Google News."
'cause Apple makes gooder Apps than we does...
http://www.pcworld.com/businesscenter/article/169507/microsoft_details_how_to_port_iphone_apps_to_windows_mobile.html
Microsoft Details How to Port IPhone Apps to Windows Mobile