Friday, February 26, 2010

How big is this problem? If hundreds of companies are breached, do we have a problem hundreds of times larger than Heartland or TJX? Another big question: Will any of these companies be able to fully comply? (I doubt it.)

http://www.databreaches.net/?p=10171

FTC seeks extensive information from firms being investigated for P2P breaches

This entry was posted Friday, 26 February, 2010 at 9:42 am

Jaikumar Vijayan of Computerworld was able to see a redacted copy of a letter (Civil Investigative Demand) sent by the FTC to some of the organizations who were found to be leaking information via P2P networks:

It showed the agency is seeking information, dating back to mid-2007, on a wide range of technology and process-related topics.

For instance, the FTC is asking for detailed information on the types of personal information being collected by the company, the purpose for which it is being used, and how the data is collected, shared and stored.

The letter seeks “detailed descriptions” on how the company compiles, maintains and stores personal information, as well as “high-level diagrams setting out the flow paths” of personal information from source to the point of use.

The company is also required to identify by name, location and operating system every computer that is used to collect and store personal information. In addition, it is required to provide a “narrative” or a blueprint that describes network components in minute detail, down to individual firewalls and routers, and even database tables and field names containing personal data.

The FTC is also requiring any information the company has about its knowledge of the data leaks. The details sought include who knew about the breaches, when, what attempts the company made to inform affected individuals, and why P2P software was allowed to be installed on a company system.

Read more on Computerworld.

Since these are “non-public” investigations, I’m not sure how much we’ll eventually find out, but these investigations and any actions may become a ‘cautionary tale’ for entities that still allow P2P on their networks or allow employees to transfer data to be taken home and used on computers that may have P2P software on them.



Banks have no duty to protect small business customers, right? This will make it harder to convince them their money is safe when they use online banking...

http://www.databreaches.net/?p=10181

Recommended: The Curious Case of EMI v. Comerica

February 26, 2010 by admin

David Navetta writes:

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.

Read his commentary and legal analysis on InformationLawGroup.



Coming soon to a legislature near you! How to guarantee strong Computer Laws (part II) “This is serious! Not like those leaks that only impact second-class citizens!”

http://www.databreaches.net/?p=10175

Data on hundreds of politicians leaked

This entry was posted Friday, 26 February, 2010 at 9:47 am

Karin Spaink provides an English summary of a recent breach reported in Dutch media:

The addresses, telephone numbers, mobile phone numbers, home e-mail addresses and work e-mail addresses of hundreds of politicians (all members of the PvdA, the Dutch social democrats) and a number of their sponsors are out in the open. Although the list focuses on party members in the Amsterdam area, it also contains the data of the chair of the Dutch Parliament and several members of the European Parliament. Google has indexed the file. A few hours after the news was published and the owners of the website were contacted, they managed to close the open directory.

Translated and summarized from Webwereld, Feb. 25, 2010



Understand the Cloud, because it is coming at you...

http://www.redbooks.ibm.com/abstracts/redp4614.html

Cloud Security Guidance: IBM Recommendations for the Implementation of Cloud Security

An IBM Redpaper publication


(Related)

ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/diw03004usen/DIW03004USEN.PDF

The Benefits of Cloud Computing


(Related) Maybe not every use of Cloud Computing will be beneficial... Watch the short video and decide for yourself. (I've grabbed a copy for my students.)

http://www.phiprivacy.net/?p=2060

GE healthymagination.com ad depicts discomfort with loss of privacy

By Dissent, February 25, 2010 3:31 pm

Aha! I’ve been waiting to find this on the Internet and thanks to MesoRx, I’ve found it:

[Get your own copy... Bob]

I agree with Millard Baker completely. Every time I see that ad run on TV I wonder if GE realizes that its ad backfires somewhat. Yes, it demonstrates the virtue of having one’s medical records available quickly, but it also depicts a very awkward-feeling patient who wants to protect his privacy from so many others’ eyes.

Is that how you see the ad, too?


(Related) Isn't this the same thing that's done for “physical” ailments? What's the big deal? If you're innocent, you have nothing to worry about. If you're not paranoid, you have nothing to worry about.

http://www.phiprivacy.net/?p=2065

NJ Psych Association sues State Health Benefits Commission, Horizon Healthcare Services and Magellan Health Services over patient confidentiality

By Dissent, February 25, 2010 3:47 pm

Susan K. Livio reports:

A psychologists group is suing two insurance companies and an administrative agency that serve 800,000 state employees, saying they are routinely demanding therapists hand over confidential patient information as a condition of getting paid.

The New Jersey Psychological Association accuses the state Health Benefits Commission, along with Horizon Blue Cross Blue Shield of New Jersey and Magellan Health Services, of telling therapists to turn over “treatment notes revealing patient thoughts and feelings revealed during therapy, and the treating psychologist’s specific guidance and counseling,’’ according to the lawsuit filed in Superior Court in Mercer County.

Read more on NJ.com.



How to commit computer crime. Oops, too late – you've already been victimized.

http://developers.slashdot.org/story/10/02/26/0542206/Anatomy-of-a-SQL-Injection-Attack?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Anatomy of a SQL Injection Attack

Posted by timothy on Friday February 26, @05:03AM

Trailrunner7 writes

"SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors."

Los's original blog post has more and better illustrations, too.
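For readers who want to see the mechanics behind the headline, here is an added example (mine, not code from Rafal Los's post or from Slashdot) of the classic login-form injection beside its parameterized fix. It uses an in-memory SQLite table with constructed sample rows, stores plaintext passwords only to keep the demo short (real systems hash them), and the function and user names are illustrative assumptions.

```python
import sqlite3

# Constructed sample data; not taken from any site in the article.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """In-memory SQLite database with a toy users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text, so a quote in the input
    closes the string literal and the rest of the input becomes SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """The fix: placeholders. The driver passes the values separately from the
    statement text, so they are compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def run_demo():
    """Returns {name: (vulnerable_result, safe_result)} for two classic payloads
    and one honest login."""
    conn = make_db()
    payloads = {
        # Tautology: AND binds tighter than OR, so the WHERE clause is true for
        # every row and fetchone() hands back the first one, the admin account.
        "tautology": ("alice", "' OR '1'='1"),
        # Comment: '--' starts a line comment in SQLite (and PostgreSQL; MySQL
        # wants a space after the dashes), so the password check is cut off.
        "comment": ("alice'--", "wrong"),
        # Honest credentials work through both code paths.
        "legit": ("bob", "hunter2"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
        for name, (u, p) in payloads.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:10s} vulnerable={vuln} safe={safe}")
```

The point the executives in the article were skeptical about is visible in the output: both malicious payloads log in as the admin through the string-built query and are simply rejected by the parameterized one, with no input filtering involved. Parameterization fixes the structural problem; blocklisting quotes and dashes does not.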



Computer law for Computer Cops, Computer Psychologists, etc.

http://games.slashdot.org/article.pl?sid=10/02/26/0641244

Examining Virtual Crimes

Posted by Soulskill on Friday February 26, @01:41AM

GamePolitics has an article about a research paper issued by the AU government's Institute of Criminology titled "Crime Risks of Three-Dimensional Virtual Environments." The paper discusses the legal questions raised by game worlds and avatars, ranging from regulation of in-game currency to a report of virtual rape.

"A person controlling an avatar that is unexpectedly raped or assaulted might experience the physical reaction of 'freezing,' or the associated shock, distrust and loss of confidence in using [3D virtual environments]. While civil redress for psychological harm is conceivable, the 'disembodied' character of such an incident would invariably bar liability for any crime against the person. However, Australian federal criminal law imposes a maximum penalty of three years imprisonment for using an internet carriage service to 'menace, harass or cause offence' to another user. Further, US and Australian laws ban simulated or actual depictions of child abuse and pornography. Therefore, any representations of child avatars involved in virtual sexual activity, torture or physical abuse are prohibited, regardless of whether the real-world user is an adult or child."



We don't discuss the things we don't discuss. (Otherwise our citizens would want to discuss the things we don't discuss, and that would be disgusting!)

http://yro.slashdot.org/story/10/02/26/0128226/Aussie-Internet-Censorship-Minister-Censors-Self?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Aussie Internet Censorship Minister Censors Self

Posted by timothy on Thursday February 25, @10:50PM

An anonymous reader writes

"Communications Minister Stephen Conroy, the minister attempting to ram the great firewall of Oz down everyone's throat has been removing all traces of the unpopular legislation from his main website with a JavaScript filter. From the article: 'It was revealed today a script within the minister's homepage deliberately removes references to internet filtering from the list. In the function that creates the list, or "tag cloud," there is a condition that if the words "ISP filtering" appear they should be skipped and not displayed.' Bear in mind, this is the same minister that tried to get the ISP of tech forum Whirlpool to pull the site after users there posted a response email from the ACMA (Australian Communications and Media Authority)."



There should be a few interesting ones. Finding them is always a problem. Note: This is a great way to use PowerPoint!

http://news.slashdot.org/story/10/02/25/2341229/Next-Week-500-Geek-Talks-Around-the-World?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Next Week, 500+ Geek Talks Around the World

Posted by timothy on Thursday February 25, @07:42PM

Brady Forrest writes

"Next week, from March 1-5 there will be ~65 Ignite events happening around the world. Ignite is an opportunity for geeks to share their passions and ideas with local peers. Each speaker gets 20 slides that each auto-advance after 15 seconds for a total of just 5 minutes. The result is bite-size chunks of information that inform the crowd on new topics. Most of the Ignites will be streamed on the new Ignite video site."

Ignite Denver 6 Tuesday, March 2, 2010 - 18:00 · The Rackhouse Pub www.rackhousepub.com 208 South Kalamath Street

Ignite Fort Collins 4 Friday, March 5, 2010 - 01:00 · 802 West Drake Road, Suite 101, Fort Collins, Colorado



I love lists. I love free stuff. How could I pass on a list of free stuff?

http://www.smashapps.org/2010/02/free-open-source-software-for-windows.html

Free Open-Source Software For Windows



A list of applications, some that I might even use!

http://www.maclife.com/article/feature/15_great_services_you_had_no_idea_google_offered?page=0%2C0

15 Awesome Google Services You Never Knew Existed

Posted 02/25/2010 at 4:04:31pm | by Florence Ion



Tools & Techniques for Hackers

http://www.makeuseof.com/tag/hirens-boot-cd-allinone-boot-cd/

Hiren’s Boot CD – The All-In-One Boot CD For Every Need
