Friday, January 15, 2010

I'm noticing more and more articles reporting that regulatory agencies are (finally!) starting to get serious about enforcing basic (common sense) security practices.

http://www.phiprivacy.net/?p=1835

(follow-up) Ca: Durham told to encrypt health data on mobile devices

By Dissent, January 14, 2010 1:17 pm

Ontario’s privacy commissioner is ordering Durham Region’s health officer to ensure medical data is encrypted on portable devices.

The order follows an incident in December when the health data of more than 83,000 people who received H1N1 flu shots went missing.

A nurse was taking a USB key containing the records to her car in Whitby, Ont., to take it to a clinic site when the device was lost.

Commissioner Ann Cavoukian says she also expects all health data stored on mobile devices in Ontario to include strong encryption.

Read more from The Canadian Press.



Apparently, this is now “where the money is.”

http://www.phiprivacy.net/?p=1839

FEATURED: Medical Identity Theft Is Low-Tech, High-Risk and Rapidly Growing

By Dissent, January 14, 2010 3:44 pm

Reprinted from REPORT ON PATIENT PRIVACY, the industry’s most practical source of news on HIPAA patient privacy provisions.

By Liana Heitin, Editor

With many legislators, law enforcement officials, and privacy experts now calling it the fastest-growing type of crime, medical identity theft has emerged as a forefront issue for health care providers.

And while ID theft may conjure images of hackers overriding systems with sophisticated technology, the reality is that stealing health care information is generally a low-tech endeavor. Stepping into 2010, health care providers should be vigilant about the physical safekeeping of portable tech equipment and take a hard look at their employee hiring and training practices.

Read more on AIS Health.

[From the article:

There are four types of medical ID theft, Rhodes explains:

(1) One-off: An insured individual gives his or her insurance card to a relative, and the relative accesses medical services under that person’s name. Or an individual sells his or her insurance card on the street.

(2) Insider: An employee at a health care organization who has the ability to process bills files false claims. Often the employee sets up a bank account and has the payment sent directly there.

(3) Organized crime: Insiders steal and sell patient information, or pay off beneficiaries to give it to them. The organized crime unit sets up a sham medical business and files false claims.

(4) Drug seeking: People buy or steal others’ insurance information for the purpose of obtaining narcotics.


(Related) but opposite? Still, the judge based his decision on the existence of a real (reasonable?) security effort.

http://www.databreaches.net/?p=9447

(follow-up) Kr: Website not responsible for data theft

January 14, 2010 by admin Filed under Breach Incidents, Business Sector, Hack, Non-U.S., Of Note

This is one of the breaches in the top 10 list, where I had previously noted that some sources said 18 million were affected by the hack, while Auction claimed 10.8 million. Whatever the correct number, the online service was found not to be responsible for the breach.

Joong Ang Daily Reports:

A local court ruled against 146,000 users of online shopping mall Auction who filed a class-action suit asking for 150 billion won ($133 million) in compensation from the retailer for not preventing the leak of millions of users’ personal data by a 2008 hacker attack from China. Ending a legal dispute more than a year old, the Seoul Central District Court handed down its verdict in its first trial on the issue.

“There’s no evidence that the Auction was lenient about its security countermeasures against hacking,” said Lim Seong-guen, a judge who presided over the case. “It’s not legally mandatory for companies to set up firewalls for their Web sites and considering that there was low credibility over installing firewalls among businesses at that time, it’s hard to say Auction is liable for the breach.”

Though it’s regretful that the online retailer’s Web site was attacked by hackers that led to a leak of names, ID numbers, addresses and phone numbers, Lim said Auction was unable to prevent the attack because security technology at that time couldn’t block the hackers. [Now that's an interesting argument. Bob] “Though Auction does not bear legal responsibility, it would be desirable if the company takes ethical responsibility and takes appropriate measures for users,” Lim continued.

Read more on Joong Ang Daily.

The Korea Herald also provides coverage of the decision:

Auction, a major online open market, is not responsible for the theft of its customers’ personal information, the Seoul Central District Court ruled yesterday.

“Auction cannot be seen as having violated any duties as a Web service provider,” ruled the court.

The company also immediately reported the data breach to authorities and to its customers, and thus may be seen as having taken appropriate countermeasures, said the court.

Read more in The Korea Herald.


(Related) So, what's reasonable in the US? A Colorado lawyer has an opinion.

http://www.databreaches.net/?p=9454

Online Banking and “Reasonable Security” Under the Law: Breaking New Ground?

January 14, 2010 by admin Filed under Commentaries and Analyses, Of Note

David Navetta writes:

With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law. [Interesting topic for a law journal article. Does the law say anything about “reasonable security” now? (Think “T. J. Hooper?”) Bob] Ironically, this question may be answered by reference to a 20 year old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank (“PATCO”) and JM Test Systems, Inc. v. Capital One Bank (“JMT”)) and a court’s ruling on a motion for summary judgment in a similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the “damages” pleading phase, it (and possibly these other online breach suits) reveals how some courts view security “standards” and approach the question of whether a company has achieved “reasonable security.” I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.

Read more on InformationLawGroup.



This just keeps getting more interesting.

http://www.databreaches.net/?p=9469

Google Hack Attack Was Ultra Sophisticated, New Details Show

January 15, 2010 by admin Filed under Breach Incidents, Hack, Malware

Kim Zetter reports:

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by researchers at anti-virus firm McAfee.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.” [No, it's not. Bob]

In the wake of Threat Level’s story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft has published an advisory about the flaw that it already had in the works. McAfee has also added protection to its products to detect the malware that was used in the attacks and has now gone public with a number of new details about the hacks.

Read more on Threat Level.


(Related) Seems I've heard stories like this before.

http://blogs.laweekly.com/ladaily/city-news/law-firm-cyber-attack/

L.A. Law Firm Reports Cyber Attack From China

By Dennis Romero in City News, community, crime Thu., Jan. 14 2010 @ 6:00AM

A Los Angeles law firm representing a company suing China for allegedly stealing its software code announced its computers have come under a cyber-attack that originated in the Asian nation and that the FBI is investigating the attempted intrusion.

[See our original post about the lawsuit against China here].



If not Big Brother, at least “Getting Bigger” Brother. Of course, their job is: “overseeing policies relating to privacy,” so we have nothing to worry about. No Conspiracy Theories here! This is not the Blogger you want!

http://politics.slashdot.org/article.pl?sid=10/01/14/2226219

Obama Appointee Sunstein Favors Infiltrating Online Groups

Posted by timothy on Thursday January 14, @05:28PM from the freedom-of-somethingeruther dept.

megamerican writes

"President Barack Obama's appointee to head the Office of Information and Regulatory Affairs advocated in a recent paper the 'cognitive infiltration' of groups that advocate 'conspiracy theories' like the ones surrounding 9/11 via 'chat rooms, online social networks, or even real-space groups and attempt to undermine' those groups. Sunstein admits that 'some conspiracy theories, under our definition, have turned out to be true' [But that's okay, we can undermine them too. Bob] Sunstein has also recently advocated banning websites which post 'right-wing rumors' [Like: “Liberals are nuts?” Bob] and bringing back the Fairness Doctrine. You can find a PDF of his paper here. For decades (1956-1971), the FBI under COINTELPRO focused on disrupting, marginalizing and neutralizing political dissidents, most notably the Black Panthers. More recently CENTCOM announced it would be engaging bloggers 'who are posting inaccurate or untrue information, as well as bloggers who are posting incomplete information.' In January 2009 the USAF released a flow-chart for 'counter-bloggers' to 'counter the people out there in the blogosphere who have negative opinions about the US government and the Air Force.'" [Yeah, but that's fighting lies with truth. This advocates fighting opinion (granted, often mis-informed) with lies. Boo! Bob]

[From the paper:

(1) Government might ban conspiracy theorizing.

(2) Government might impose some kind of tax, financial or otherwise, on those who disseminate such theories.

(3) Government might itself engage in counterspeech, marshaling arguments to discredit conspiracy theories.

(4) Government might formally hire credible private parties to engage in counterspeech.

(5) Government might engage in informal communication with such parties, encouraging them to help.

[How about: Government might ignore anyone who thinks Osama bin Laden is the Tooth Fairy? Bob]



Food for thought?

http://www.wired.com/thisdayintech/2010/01/0115martin-luther-king-warns?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Jan. 15, 1929: Birth of a Moral Compass, Even for Science

By Tony Long January 14, 2010 8:00 pm

… King delivered a lecture at the University of Oslo, Norway, on Dec. 11, 1964, the day after receiving the Nobel Peace Prize. He argued that progress in science and technology has not been equaled by “moral progress” — instead, humanity is suffering from a “moral and spiritual lag.”



How could they not be considered a trust? I don't understand all the arguments though.

http://yro.slashdot.org/story/10/01/15/1329200/Antitrust-Case-Against-RIAA-Reinstated?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Antitrust Case Against RIAA Reinstated

Posted by kdawson on Friday January 15, @08:45AM from the collusion-and-restraint dept.

NewYorkCountryLawyer writes

"After Starr v. SONY BMG Music Entertainment was dismissed at the District Court level, the antitrust class action against the RIAA has been reinstated by the US Court of Appeals for the Second Circuit. In its 25-page opinion (PDF), the Appeals court held the following allegations sufficiently allege antitrust violations: 'First, defendants agreed to launch MusicNet and pressplay, both of which charged unreasonably high prices and contained similar DRMs. Second, none of the defendants dramatically reduced their prices for Internet Music (as compared to CDs), despite the fact that all defendants experienced dramatic cost reductions in producing Internet Music. Third, when defendants began to sell Internet Music through entities they did not own or control, they maintained the same unreasonably high prices and DRMs as MusicNet itself. Fourth, defendants used MFNs [most favored nation clauses] in their licenses that had the effect of guaranteeing that the licensor who signed the MFN received terms no less favorable than terms offered to other licensors. For example, both EMI and UMG used MFN clauses in their licensing agreements with MusicNet. Fifth, defendants used the MFNs to enforce a wholesale price floor of about 70 cents per song. Sixth, all defendants refuse to do business with eMusic, the #2 Internet Music retailer. Seventh, in or about May 2005, all defendants raised wholesale prices from about $0.65 per song to $0.70 per song. This price increase was enforced by MFNs.'"



Strange to me. Are they admitting they were treating everyone like pirates and now they'll take your word you aren't a pirate?

http://torrentfreak.com/comcasts-bittorrent-settlement-excludes-pirates-100114/

Comcast’s BitTorrent Settlement Excludes Pirates

Written by Ernesto on January 14, 2010

A few weeks ago Comcast decided to settle one of the class action lawsuits brought against the ISP in response to its BitTorrent throttling actions. Affected users can now claim their part of the $16 million fund [$16 each. Bob] that was set up, but only if they state under penalty of perjury that BitTorrent was never used to download copyrighted content.

… Whatever the motivation to include this option, it is completely irrelevant to the case itself. Comcast has never used copyright infringement as a justification for stopping BitTorrent traffic, so the lawfulness of the traffic should not be an issue.



These cards allow employees to bypass all that pesky (and time consuming) security. Why don't we screen airport workers exactly the same way we screen passengers? Because they are the stage hands in our little “security theater.” (i.e. they know how the rabbit gets in the hat.)

http://it.slashdot.org/story/10/01/15/0744204/Airport-Access-IDs-Hacked-In-Germany?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Airport Access IDs Hacked In Germany

Posted by timothy on Friday January 15, @04:50AM from the wilkommen-sie-herr-aktentasche dept.


teqo writes

"Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."



Interesting that this is happening in English speaking countries. Is that why we haven't seen it here?

http://www.pogowasright.org/?p=6970

AU: ALRC renews data loss financial penalty call

January 14, 2010 by Dissent Filed under Breaches, Legislation, Non-U.S.

Christina Zhou reports:

The Australian Law Reform Commission (ALRC) has renewed its call for fines for failing to notify the privacy commissioner of data breaches after the UK introduced penalties of up to half a million pounds. [Way too low a cap, in my opinion. Bob]

The ALRC initially made the call in its report: For Your Information: Australian Privacy Law and Practice released in 2008.

Authorities in the UK recently amended the Data Protection Act to allow the Information Commissioner to issue fines for data breaches of up to £500,000.

Read more in Computerworld (AU)



These “studies” never satisfy me. I need to check their assumptions, because as near as I can tell, I've never spent $9,000 on commuting so even if public transportation was free I couldn't save that much.

http://www.bespacific.com/mt/archives/023260.html

January 14, 2010

Report: Riding Public Transit Saves Individuals $9,242 Annually

News release: "Individuals who ride public transportation can save on average $9,242 annually based on the January 11, 2010 national average gas price and the national unreserved monthly parking rate. Compared to last year at this time, the average cost per gallon of gas was $1.79 which is nearly $1 less than the current price of gas at $2.75 per gallon. This increase in cost equates to an additional $600 in savings per year for transit commuters as compared to last year’s savings amount at this same time. “The Transit Savings Report” released monthly by the American Public Transportation Association (APTA) calculates the average annual and monthly savings for public transit users. The report examines how an individual in a two-person household can save money by taking public transportation and living with one less car."



At first, I thought this would be an interesting add-on for my website students. But it might also catch some plagiarism (not my students of course) if the tag was a bit more subtle (say a character or two). Better block all those pesky JavaScript thingies...

http://yro.slashdot.org/story/10/01/14/1818222/Tynt-Insight-Is-Watching-You-Cut-and-Paste?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Tynt Insight Is Watching You Cut and Paste

Posted by timothy on Thursday January 14, @01:31PM from the peeking-at-your-poke dept.

jerryasher writes

"In recent weeks I've noticed that when I copy and paste text from Wired and other websites, the pasted text has had the URL of the original website appended to it. Cool, and utterly annoying, and how do I make that stop? Tynt Insight is a piece of Javascript that sends what you copy to Tynt's webservers and adds the backlinks. Tynt calls that a service for the site owner, many people call that a privacy invasion. Worse, there are some reports that it sends not just what you copy, but everything you select. And Tynt provides no opt outs. Not cookie-based, not IP-based, but stop-it-you-creeps-angry-phone-call-based. It ain't a pure useful service, and it ain't a pure privacy invasion. But I sure wish they'd go away or have had the decency never to start up in the first place. I block it on Firefox with Ghostery."
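The mechanism jerryasher describes, a page script that listens for the browser's copy event, rewrites the clipboard contents and reports what was copied, can be shown in a few lines, together with the kind of user-side guard (a capture-phase listener in a user script or extension) that neutralises it. The block below is an added example written for this post; it is not Tynt's code and nothing in it comes from the linked article. Because it runs under Node with no DOM, the copy event, its `selectedText` property, the `dispatchCopy` listener chain and the placeholder page URL are all constructed stand-ins for the browser's objects, and the "beacon" is an array rather than a network request.

```javascript
// Added example (not Tynt's code): simulates a copy-tracking listener that
// appends a backlink and phones home, beside a guard listener that keeps
// the clipboard content to the user's own selection. Node only; the event
// objects and dispatcher below stand in for the browser's copy event.

const PAGE_URL = "https://example.invalid/article"; // constructed placeholder

// Stand-in for the tracker's server: records what would have been sent.
const beacons = [];

// Tracking listener modelled on the behaviour described in the post: read the
// selection, put an augmented version on the clipboard, report the copy.
function trackingCopyListener(event) {
  const selection = event.selectedText; // a browser would use document.getSelection()
  event.clipboardData.setData("text/plain", `${selection}\n\nRead more: ${PAGE_URL}`);
  event.preventDefault(); // suppress the browser's default copy so the rewrite sticks
  beacons.push({ url: PAGE_URL, text: selection });
}

// Defensive listener a user script could register in the capture phase on
// document: write the raw selection and stop later listeners from running.
function clipboardGuard(event) {
  event.clipboardData.setData("text/plain", event.selectedText);
  event.preventDefault();
  event.stopImmediatePropagation();
}

// Constructed stand-in for a browser ClipboardEvent of type "copy".
function makeCopyEvent(selectedText) {
  const data = {};
  return {
    selectedText,
    clipboardData: {
      setData: (type, value) => { data[type] = value; },
      getData: (type) => data[type] || "",
    },
    defaultPrevented: false,
    propagationStopped: false,
    preventDefault() { this.defaultPrevented = true; },
    stopImmediatePropagation() { this.propagationStopped = true; },
  };
}

// Runs listeners in registration order, honouring stopImmediatePropagation,
// then applies the browser's default action (copy the selection verbatim)
// unless some listener called preventDefault. Returns the clipboard text.
function dispatchCopy(listeners, selectedText) {
  const event = makeCopyEvent(selectedText);
  for (const listener of listeners) {
    listener(event);
    if (event.propagationStopped) break;
  }
  if (!event.defaultPrevented) {
    event.clipboardData.setData("text/plain", selectedText);
  }
  return event.clipboardData.getData("text/plain");
}

// Scenario 1: only the page's tracker is present (what the post describes).
function copyWithTracker(selectedText) {
  beacons.length = 0;
  const clipboard = dispatchCopy([trackingCopyListener], selectedText);
  return { clipboard, beaconsSent: beacons.length };
}

// Scenario 2: the guard runs first (capture phase), so the tracker never sees the event.
function copyWithGuard(selectedText) {
  beacons.length = 0;
  const clipboard = dispatchCopy([clipboardGuard, trackingCopyListener], selectedText);
  return { clipboard, beaconsSent: beacons.length };
}

console.log(copyWithTracker("some quoted text"));
console.log(copyWithGuard("some quoted text"));
```

In a real page the guard would be installed with `document.addEventListener("copy", clipboardGuard, true)` so that it fires in the capture phase ahead of the page's own listeners, and the selection would come from `document.getSelection().toString()`; the order of the `listeners` array in `dispatchCopy` is what models that ordering here. Note the second half of the complaint in the post, that a tracker may report every selection rather than only copies, is a separate `selectionchange` listener and is not modelled by this block.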



Something for my Intro to Computer Security class. (The students love tricks like these.)

http://www.makeuseof.com/tag/four-funny-ways-to-prank-your-parents-with-the-family-computer/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Four Funny Ways To Prank Your Parents With The Family Computer

By Justin Pot on Jan. 14th, 2010


(Related)

http://www.img4me.com/

IMG4Me

IMG4Me is an online tool to protect your private information from being collected by crawlers by converting your text into an image.



Monetizing my lecture notes?

http://news.cnet.com/8301-1023_3-10435753-93.html?part=rss&subj=news&tag=2547-1_3-0-20

Amazon expands Kindle self-publishing worldwide

by Lance Whitney January 15, 2010 7:16 AM PST

Authors worldwide can now self-publish Kindle versions of their books, Amazon.com said Friday.

Amazon also said that its Digital Text Platform will now support books written in German and French.

The self-publishing platform, which allows writers to upload electronic versions of their books to Amazon's e-book reader store, was previously limited to English and to authors based in the United States.

In an effort to expand global readership, Amazon said support for additional languages is expected to come over the next few months.

The Digital Text Platform enables writers to publish without the middleman (i.e. a book publisher) by uploading PDF, text, Word, or HTML versions of their books. Authors can set their own prices and in return grab 35 percent of sales.
