Wednesday, March 03, 2010

Today's theme seems to be: Updating old stories.



Unfortunately, the most common “learning method” seems to be the lawsuit.

http://www.databreaches.net/?p=10356

Lawsuit filed against Elgin clinic over P2P breach

March 3, 2010 by admin

Steven Ross Johnson reports on a lawsuit involving P2P filesharing and patient data:

Officials from a local medical clinic remained silent Monday about claims they allowed sensitive information on AIDS patients to be leaked.

Calls to the Open Door Clinic of Greater Elgin, 164 Division St., were not returned Monday. The allegations, made in a lawsuit filed last week in 16th Judicial Circuit Court in Geneva by five AIDS patients, claimed the clinic failed to secure personal information, including their HIV/AIDS status, that was made available to the public.

[...]

According to the complaint, a staff computer with a client list of more than 200 patients was accessed and became public domain because the computer had a file-sharing, peer-to-peer program installed — the same type used for popular music downloading sites such as Napster.

Once the information was made public, it was “…searched, accessed, downloaded and re-shared by various P2P file sharing users throughout the world from May 26, 2008, through the present,” according to the complaint.

In at least two cases, information later was stolen and used to commit identity fraud, the complaint says.

One of those who allegedly downloaded the list, according to the complaint, was a known identity thief from Apache Junction, Ariz., who continued to re-share the information on other file-sharing networks.

Read more in The Courier-News: http://www.suburbanchicagonews.com/couriernews/news/2078046,3_1_EL02_05AIDS_S1-100302.articlel



Update: Dare we hope that some useful guidelines will be developed?

http://www.databreaches.net/?p=10338

TD Ameritrade data theft settlement talks resume

March 2, 2010 by admin

A lawsuit over the theft of contact information for more than 6 million TD Ameritrade customers has been ordered into mediation, so the search for a satisfactory settlement will continue.

Last fall, U.S. District Judge Vaughn Walker in San Francisco rejected a proposed settlement that offered anti-spam software and a promise of tighter security at TD Ameritrade. Walker ruled that deal offered little significant benefit to the Ameritrade customers affected.

Walker recently ordered more settlement talks under the supervision of a magistrate judge.

Read more on BusinessWeek.



Another way to reduce Health Care costs? Might be an interesting problem for my Data Analysis class.

http://www.databreaches.net/?p=10346

Medical identity theft strikes 5.8% of American adults

March 3, 2010 by admin

Ellen Messmer reports:

Identity thieves are not only interested in tapping financial resources, but are also after your medical identification data and services.

Medical identity theft typically involves stolen insurance card information, or costs related to medical care and equipment given to others using the victim’s name. Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160.

[...]

According to the survey, 29% of victims of medical ID theft discovered the problem a year after the incident, and 21% said it took two or more years to learn about it.

Read more on IDG News.


(Related) Let us demonstrate how to steal your medical information right off your home computer! I will have my Computer Security class duplicate this one!

http://www.phiprivacy.net/?p=2131

File-Sharing Software Potential Threat to Health Privacy

By Dissent, March 3, 2010 9:45 am

The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing software, according to a research study published online in the Journal of the American Medical Informatics Association.

[...]

El Emam’s CHEO team used popular file sharing software to gain access to documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States. The research for the study was approved by the CHEO ethics board.

[...]

A sample of the private health information the CHEO team was able to find by entering simple search terms in file-sharing software:

  • an authorization for medical care document that listed an individual’s Ontario Health Insurance card number, birth date, phone number and details of other insurance plans;

  • a teenage girl’s medical authorization that included family name, phone numbers, date of birth, social security number and medical history, including current medications;

  • several documents created by individuals listing all their bank details, including account and PIN numbers, passwords and credit card numbers.

Read more on Science Daily.

The research article is: Khaled El Emam, Emilio Neri, Elizabeth Jonker, Marina Sokolova, Liam Peyton, Angelica Neisa, Teresa Scassa. The inadvertent disclosure of personal health information through peer-to-peer file sharing programs. Journal of the American Medical Informatics Association, 2010; 17: 148-158.

The full article is available online.
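One way to check a folder before a P2P client shares it, as an added example that is not the CHEO team's tooling and not part of the original post: it walks a directory tree, flags SSN-shaped numbers, Luhn-valid card numbers and PHI-style keywords of the kind the study found, and builds its own constructed sample files so it runs offline. The regular expressions, keyword list and file contents are assumptions for illustration; a real audit would take the share list from the client's own configuration rather than a fixed directory.

```python
"""Audit a folder before a P2P client shares it: report files whose text
looks like PHI/PII.  Added example with constructed patterns and sample
files; it is not the CHEO team's tooling."""
import os
import re
import tempfile

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Words that, next to numbers, usually mean a document should never be shared
KEYWORD_RE = re.compile(
    r"\b(PIN|password|passwd|account\s+number|diagnos\w*|medications?)\b", re.I
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so random 16-digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs found in one document's text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", digits))
    findings += [("keyword", m.group().lower()) for m in KEYWORD_RE.finditer(text)]
    return findings


def scan_share(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a share root; map relative path -> findings for files that have any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_sensitive(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_share() -> str:
    """Create a throwaway folder of constructed files that mimic what the study found."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    samples = {
        "medical_authorization.txt": (
            "Patient: Jane Doe   DOB 1994-05-17\n"
            "SSN 123-45-6789\n"
            "Diagnosis: asthma\nCurrent medications: salbutamol\n"
        ),
        "bank_details.txt": (
            "Chequing account number 0012345678, PIN 4321, password hunter2\n"
            "Visa 4111 1111 1111 1111 exp 03/12\n"
            "Loyalty card 4111111111111112 (fails Luhn, so it is not reported)\n"
        ),
        "recipe.txt": "Bake at 180 C for 45 minutes.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_share(build_sample_share()).items():
        print(path, hits)
```

The Luhn check is what keeps a scan like this usable: without it, every phone number with an extension and every long reference number is a "credit card", and the report gets ignored. Point it at whatever directory the P2P client actually exports and treat any hit as a reason to remove the file from the share before it is indexed.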



Update: Remember the “overprotective” system administrator in San Francisco? What do I advise my Network Security students to do?

http://yro.slashdot.org/story/10/03/02/2238231/Terry-Childss-Slow-Road-To-Justice?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Terry Childs's Slow Road To Justice

Posted by kdawson on Tuesday March 02, @11:21PM

snydeq writes

"Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
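What Venezia's "access lists that blocked attempted logins from non-specified IP addresses or subnets" looks like in practice, as an added example that is not from the article or the trial record: a small Python model of a Cisco-style standard ACL applied as a VTY access-class, with first-match evaluation and the implicit deny at the end, followed by a login routine that checks the source address before it ever looks at the password. The ACL lines and addresses are constructed for the example, and the login function is a model of the ordering, not IOS.

```python
"""Model of a Cisco-style standard ACL used as a VTY access-class: a login
attempt is dropped on source address before the password is ever checked.
Added example with constructed addresses; not IOS and not the trial record."""
import hmac
import ipaddress

# Constructed management ACL in IOS syntax (assumed for the example)
MGMT_ACL_CONFIG = """
! only the NOC subnet and one jump host may reach the VTY lines
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 permit host 10.20.5.7
access-list 10 deny any
""".strip().splitlines()


class StandardAcl:
    """First-match list of (action, network, wildcard); implicit deny at the end."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, int, int]] = []

    def add(self, action: str, address: str, wildcard: str = "0.0.0.0") -> None:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        net = int(ipaddress.IPv4Address(address))
        wc = int(ipaddress.IPv4Address(wildcard))
        # wildcard bits set to 1 are "don't care"; keep only the fixed bits
        self.entries.append((action, net & ~wc & 0xFFFFFFFF, wc))

    def permits(self, source: str) -> bool:
        src = int(ipaddress.IPv4Address(source))
        for action, net, wc in self.entries:
            if (src & ~wc & 0xFFFFFFFF) == net:
                return action == "permit"
        return False  # nothing matched: implicit deny


def parse_acl(lines: list[str]) -> StandardAcl:
    """Read 'access-list N permit|deny <addr> [wildcard] | host <addr> | any' lines."""
    acl = StandardAcl()
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # comment, blank line or unrelated config
        action, target = parts[2], parts[3]
        if target == "any":
            acl.add(action, "0.0.0.0", "255.255.255.255")
        elif target == "host":
            acl.add(action, parts[4])
        else:
            acl.add(action, target, parts[4] if len(parts) > 4 else "0.0.0.0")
    return acl


def vty_login(acl: StandardAcl, source: str, password: str, expected: str) -> str:
    """Order matters: the access-class is evaluated before any credential."""
    if not acl.permits(source):
        return "refused: source not permitted by access-class"
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return "refused: bad password"
    return "ok"


if __name__ == "__main__":
    acl = parse_acl(MGMT_ACL_CONFIG)
    for src in ("10.10.0.77", "10.20.5.7", "192.0.2.10"):
        print(src, vty_login(acl, src, "right-password", "right-password"))
```

With this in place a correct password typed from the wrong subnet is refused exactly as a wrong one would be, which is the ordinary behaviour Venezia describes; the practical lesson for a handover is that the document listing the credentials has to list the permitted source networks and the ACL numbers too.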



I'm always learning new ways to hide evidence... (Very punny headline)

http://news.cnet.com/8301-17852_3-10462687-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Man swallows flash drive, charged with obstruction



Is this really a story about misunderstanding technology?

http://www.pogowasright.org/?p=8087

Faculty on Facebook: Privacy concerns raised by suspension

March 2, 2010 by Dissent

Jack Stripling reports:

Whether it’s avoiding bars frequented by students or politely declining the occasional social invitation, professors often make an extra effort to establish boundaries with their students. But social networking sites, which are often more public than they may appear, are lifting the veil on the private lives of professors in ways they may not have expected.

Gloria Gadsden said she thought she was talking only to close friends and family as she vented on Facebook about her students, but the East Stroudsburg University sociology professor has since learned the hard way that her frustrated musings were viewable by some of the very students she had consciously declined to “friend” in the past. A small change to the settings for Gadsden’s online profile allowed the “friends” of Gadsden’s own “friends” to read her updates, and in so doing created a controversy that the professor now feels could damage her career and her chances at tenure.

Gadsden was placed on administrative leave last week after a student reported two Facebook postings that some have interpreted as threats. On Jan. 21, Gadsden wrote “Does anyone know where to find a very discreet hitman? Yes, it’s been that kind of day …” Another post in the same vein came a month later, as Gadsden opined: “had a good day today, DIDN’T want to kill even one student :-) . Now Friday was a different story.”

Read more on USA Today.



Hey! This is not a bad idea! However, I think a Law School might make a better guide, since so much depends on a bazillion different laws... At least this will be shared and discussed in my Risk Management class.

http://www.databreaches.net/?p=10335

Verizon releases framework for reporting security incidents

March 2, 2010 by admin

William Jackson reports:

Verizon Business on Monday released for public use a framework for collecting and reporting information about security incidents in the hope of creating a standardized way for government and industry to share information about breaches.

“If we don’t have a common language to collect and communicate data, we are going to be handicapped,” said Wade Baker, director of risk intelligence for Verizon.

The company announced the availability of the Verizon Information-Sharing framework at the RSA Security Conference. The site also contains a forum for VerIS users. Baker said the framework is expected to evolve with input from the security community.

Read more on GCN.



(Related) ...at least as far as the need for legal review is concerned.

http://www.wired.com/threatlevel/2010/03/us-declassifies-part-of-secret-cybersecurity-plan/

U.S. Declassifies Part of Secret Cybersecurity Plan

By Kim Zetter March 2, 2010 4:19 pm

… The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.

… The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.



I guess I hadn't really thought about this before. Automating a takedown suggests you are able to make the legal distinctions...

http://yro.slashdot.org/story/10/03/02/2056201/A-Second-Lessig-Fair-Use-Video-Is-Suppressed-By-WMG?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

A Second Lessig Fair-Use Video Is Suppressed By WMG

Posted by kdawson on Tuesday March 02, @05:48PM

Bios_Hakr points out an ironic use of the DMCA: for the second time, a video tutorial on fair use that Larry Lessig uploaded to YouTube has been muzzled. This time the sound has been pulled from the video; last time the video was taken off of YouTube. (Video and sound for the new "webside chat" can be experienced together on BlipTV.) Both times, Warner Music Group was the party holding copyright on a song that Lessig used in an unarguably fair-use manner. TechDirt is careful not to assume that an actual DMCA takedown notice was issued, on the likelihood that Google's automatic copyright-violation detectors did the deed.

"The unintended consequences of asking tool providers [e.g., Google] to judge what is and what is not copyright infringement lead to tremendous problems with companies shooting first and asking questions later. They are silencing speech, on the threat that it might infringe on copyright. This is backwards. We live in a country that is supposed to cherish free speech, not stifle it in case it harms the business model of a company. We live in a country that is supposed to encourage the free expression of ideas — not lock it up and take it down because one company doesn't know how to adapt its business model. We should never be silencing videos because they might infringe on copyright."



Is this another Copyright Consortium initiative? Sure looks that way.

http://news.slashdot.org/story/10/03/03/1026238/BBC-To-Make-Deep-Cuts-In-Internet-Services?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

BBC To Make Deep Cuts In Internet Services

Posted by kdawson on Wednesday March 03, @06:31AM

Hugh Pickens writes

"The NY Times reports that the BBC has yielded to critics of its aggressive expansion, and is planning to make sweeping cuts in spending on its Web site and other digital operations. Members of the Conservative Party, which is expected to make electoral gains at the expense of the governing Labor Party, have called for the BBC to be reined in and last year James Murdoch criticized the BBC for providing 'free news' on the internet, making it 'incredibly hard for private news organizations to ask people to pay for their news.' [Screw the taxpayer! Prop up the newspapers! Bob] Mark Thompson, director-general of the BBC, said 'After years of expansion of our services in the UK, we are proposing some reductions.' The BBC is proposing a 25 percent reduction in its spending on the Web, as well as the closure of several digital radio stations and a reduction in outlays on US television shows. The Broadcasting Entertainment Cinematograph and Theatre Union, which represents thousands of workers at the BBC, says that instead of appeasing critics, the proposed cuts could backfire. 'The BBC will not secure the politicians' favor with these proposals and nor will the corporation appease the commercial sector, which will see what the BBC is prepared to sacrifice and will pile on the pressure for more cuts,' says Gerry Morrissey, general secretary of the union."



Pass this to your IT staff. Remind them they can be easily replaced with people who take security seriously.

http://tech.slashdot.org/story/10/03/02/199205/New-Spear-Phishing-Attacks-Target-IT-Admins?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

New "Spear Phishing" Attacks Target IT Admins

Posted by kdawson on Tuesday March 02, @04:18PM

snydeq writes

"A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"


(Related) Another warning that needs to be communicated.

http://tech.slashdot.org/story/10/03/02/1924237/Microsoft-Says-Dont-Press-the-F1-Key-In-XP?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Microsoft Says, Don't Press the F1 Key In XP

Posted by kdawson on Tuesday March 02, @07:22PM

Ian Lamont writes

"Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."



Perhaps we have moved beyond “commodity” to “strategic national resource?” More likely, this would be seen as a new way to tax – now how should we spend this windfall... Oh yeah, we should consider setting up a committee to think about developing a plan to study how we can address whatever we said this tax would address.

http://yro.slashdot.org/story/10/03/02/2025237/Microsoft-VP-Suggests-Net-Tax-To-Clean-Computers?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Microsoft VP Suggests 'Net Tax To Clean Computers

Posted by kdawson on Tuesday March 02, @05:05PM

Ian Lamont writes

"Microsoft's Vice President for Trustworthy Computing, Scott Charney, speaking at the RSA conference in San Francisco, has floated an interesting proposal to deal with infected computers: Approach the problem of dealing with malware infections like the healthcare industry, [Let's pick the most screwed up model we can... Bob] and consider using 'general taxation' to pay for inspection and quarantine. Using taxes to deal with online criminal activity is not a new idea, as demonstrated by last year's Louisiana House vote to levy a monthly surcharge on Internet access to deal with online baddies."


(Related) Unfortunately, the tools needed to clean your computer are most likely to be found on the Internet. Perhaps Microsoft thinks we'll just buy a new computer?

http://news.cnet.com/8301-27080_3-10462649-245.html?part=rss&subj=news&tag=2547-1_3-0-20

Microsoft exec: Infected PCs should be quarantined (Q&A)

by Elinor Mills March 2, 2010 3:42 PM PST

SAN FRANCISCO--In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.



One of the oldest old stories. Maybe you can't kill this zombie...

http://linux.slashdot.org/story/10/03/02/1819211/SCO-Zombie-McBrides-New-Plan-For-World-Litigation?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

SCO Zombie McBride's New Plan For World Litigation

Posted by kdawson on Tuesday March 02, @03:32PM

eldavojohn writes

"Years after you thought it was all over, Groklaw is reporting that Darl McBride (ex-CEO of SCO) has formed a new company that is buying SCO's mobile business for peanuts — but he's also going to get 'certain Intellectual Property' with the deal. You may recall that McBride was the brains behind the Linux lawsuits that SCO launched and it appears he may be orchestrating an exit route where he escapes with some IP intact, in order to wreak havoc once again. Hopefully this is the part at the end of the movie where the zombie comes back to life one last time only to have the hero deliver the final final blow. When this news broke upon the investment world, SCO's stock skyrocketed a blistering 11%, bringing it up seven cents to a full seventy cents — a level which it has not achieved since 2007."



I wonder if Toyota would give us a few cars to hack test?

http://news.slashdot.org/story/10/03/02/233246/1M-Prize-For-Finding-Cause-of-Unintended-Acceleration?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

$1M Prize For Finding Cause of Unintended Acceleration

Posted by kdawson on Wednesday March 03, @02:22AM

phantomfive writes

"Edmunds Auto has announced that it will be offering a $1 million prize to anyone who can find the cause of unintended acceleration. As Wikipedia notes, this is a problem that has plagued not only Toyota, but also Audi and other manufacturers. Consumer Reports has some suggestions all automakers can implement to solve this problem, including requiring brakes to be strong enough to stop the car even when the accelerator is floored."



Because you shouldn't be reading while you drive...

http://www.makeuseof.com/dir/booksshouldbefree-free-downloadable-audio-books

Booksshouldbefree: Get free downloadable audio books in mp3 & iTunes format

www.booksshouldbefree.com

Similar sites: AudioOwl, ThoughtAudio, NewFiction, WellToldTales, PodioBooks and LibriVox.



Might be useful when I create teaching videos.

http://www.makeuseof.com/dir/easyprompter-free-teleprompter-software

EasyPrompter: Web Based & Free Teleprompter Software

www.easyprompter.com

Similar tool: CuePrompter.
