Saturday, May 01, 2010

Lots of Data Breach articles today. Because it's the end of the month?



The kid was doomed. This wasn't some 'second class' citizen, this was a politician!

http://www.pogowasright.org/?p=9624

Hacker of Sarah Palin’s e-mail found guilty

April 30, 2010 by Dissent

A college student who hacked into former Republican vice presidential candidate Sarah Palin’s e-mail account and posted some of its contents on the Internet was found guilty Friday.

After four days of deliberations, a federal jury found David Kernell, the 22-year-old son of a Democratic Tennessee state legislator, guilty of obstruction of justice, a felony, and unauthorized access of a computer, a misdemeanor.

Kernell was cleared of a wire fraud charge, and the jury could not agree on a verdict on a charge of identity theft.

Read more on Reuters.



The increasing cost of Identity Theft

http://www.databreaches.net/?p=11505

Insurer rejects claims related to stolen U. medical records

May 1, 2010 by admin

Brian Maffly reports:

A Colorado insurance company contends it is not obligated to cover astronomical costs incurred by the University of Utah in 2008 after car burglars stole medical billing records filled with sensitive personal information on 1.7 million patients.

U. officials want Perpetual Storage to reimburse the university more than $3.3 million. That’s how much the school spent notifying patients of the theft and providing credit monitoring to any who asked, according to a suit filed by the firm’s insurer, Colorado Casualty Insurance Co., in U.S. District Court.

The insurer insists the claim is not covered by Perpetual’s policy and is seeking a judicial ruling to support its position.

Read more in the Salt Lake Tribune.

[From the article:

The money was pulled from clinical revenues over two fiscal years, and the loss did not affect taxpayers and the university's academic mission. [Oh, really? Bob]

… According to the insurer's suit, the U. claims it generated 6,232 in personnel hours responding to "the Incident" and spent $646,149 on printing and mailing costs and another $81,389 on a phone bank to field more than 11,000 calls over two weeks. But the big hit was nearly $2.5 million for credit-monitoring services for those whose Social Security numbers could have been poached.



Would you believe their Health Records are better secured than their financial systems? Would you believe the online bills contained no information that could be used to determine what treatment, by what doctor was being billed?

http://www.phiprivacy.net/?p=2599

MN: Bemidji med center’s online bill-pay service apparently hacked

By Dissent, April 30, 2010 5:27 pm

Bethany Wesley reports:

North Country Health Services’ online bill-paying function was apparently hacked into on April 18, compromising the security of 349 customers’ credit card and debit card accounts.

NCHS is sending letters to all those who could be affected by the breach, said Joy Johnson, NCHS vice president for marketing and business development.

The incident is only related to the health system’s online bill pay, she noted. Those who paid by credit card in person or use an ATM at the hospital are not affected.

Read more in the Grand Forks Herald.

At the time of this posting, there is no notice on NCHS’s web site, and the online payment page says that the page is down for maintenance.



This is the site where you can tell everyone how you spend your money... It also appears that they have no professional PR help. Their statements are naive at best.

http://www.databreaches.net/?p=11472

Announce A Data Breach And Say It’s No Big Deal?

April 30, 2010 by admin

Evan Schuman comments on the recent Blippy breach and lessons that should be learned:

Data Breach Etiquette Rule #8: The moment you announce you screwed up and exposed customers’ payment data to cyberthieves is a really bad time to lecture customers that “it’s a lot less bad than it looks” and that “it’s important to remember you’re never responsible if someone uses your credit card without your permission.” That rule is especially valid, as in the tale we’re about to tell, when both of those sentences are quite likely wrong.

[...]

We couldn’t put it any better than did Patricio Robles at EConsultancy: “Most cardholder agreements protect the cardholder against unauthorized charges provided that the cardholder has taken reasonable measures to protect his or her card against loss or theft. Can individuals willingly sharing purchasing information with a service like Blippy really claim to be exercising reasonable care to safeguard their credit card details?”

Read more on CBS.

[From the article:

On Friday (April 23), Kaplan announced on the company’s blog that four customers had their credit card numbers exposed on the site because Google cached some of its early testing. For some reason, Blippy publicly tested with live payment card numbers. [Very poor technique (even if you can secure it) because live data likely contains no errors, so you can't test the error handling routines. Bob]
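
Bob's point about live data is easy to show in code. The block below is an added example, not code from Blippy or the article: it generates structurally valid but fictitious card numbers by computing the Luhn check digit, builds a small corpus of malformed inputs, and shows that only the constructed bad inputs ever reach the validator's error branches. The prefix "4", the 13-19 digit length bounds and the reason codes are assumptions for illustration; a real test suite would use the acquirer's designated test numbers rather than random ones.

```python
"""Synthetic payment-card test data: an added example, not code from Blippy
or the article. Live transaction data is all well-formed, so a validator's
error branches never run against it; constructed data covers every branch
with numbers that belong to no real cardholder."""
import random


def luhn_valid(number: str) -> bool:
    """Standard Luhn check over a digit string (rightmost digit is the check digit)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # shifted by one because the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


class CardError(ValueError):
    """Raised with a short reason code naming the branch that rejected the input."""


def validate_card(number: str) -> str:
    """Normalise and validate; the 13-19 digit length bounds are an assumption."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits:
        raise CardError("empty")
    if not digits.isdigit():
        raise CardError("non-digit")
    if not 13 <= len(digits) <= 19:
        raise CardError("length")
    if not luhn_valid(digits):
        raise CardError("checksum")
    return digits


def synthetic_card_number(rng: random.Random, prefix: str = "4", length: int = 16) -> str:
    """Luhn-valid number under an assumed prefix; the body is random, so it is
    fictitious rather than copied from any live record."""
    body = "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    partial = prefix + body
    return partial + luhn_check_digit(partial)


def build_test_corpus(seed: int = 1) -> dict:
    """A few valid numbers plus one input per error branch (all constructed)."""
    rng = random.Random(seed)
    good = [synthetic_card_number(rng) for _ in range(3)]
    flipped = good[0][:-1] + str((int(good[0][-1]) + 1) % 10)  # break the check digit
    bad = {"empty": "", "non-digit": "4111 1111 1111 111X", "length": "4111", "checksum": flipped}
    return {"good": good, "bad": bad}


def coverage_report(corpus: dict) -> dict:
    """Map each input to the outcome it produced: 'ok' or the CardError reason."""
    hit = {}
    for number in corpus["good"] + list(corpus["bad"].values()):
        try:
            validate_card(number)
            hit[number] = "ok"
        except CardError as err:
            hit[number] = str(err)
    return hit


if __name__ == "__main__":
    for number, outcome in coverage_report(build_test_corpus()).items():
        print(f"{number!r:>24} -> {outcome}")
```

Run as a script it prints one line per input: the three synthetic numbers all come back "ok", and each constructed bad input lands on a different reason code. That second half is exactly the coverage a corpus of real, well-formed numbers can never provide, which is Bob's objection to testing with live data even before the exposure risk is considered.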



First time I've seen mention of a contract to protect Privacy. I wonder if we will see more details? Note also that including “firstname.lastname.” as part of the URL is not the most sophisticated of security measures.

http://www.databreaches.net/?p=11481

The College of New Jersey outreach campaign leaks alumni info

April 30, 2010 by admin

When Bari Dzomba, an alumnus of The College of New Jersey (TCNJ), received a postcard this week about a new outreach campaign to alumni, she went and checked out the new site. To her dismay, she discovered that the new site was leaking alumni personal information. She contacted the college, but when, after two days, the site was still not adequately secured, Dzomba, a Senior IT Project Consultant, contacted DataBreaches.net.

Exploration of the site, which went ‘live’ a few days ago, confirmed Dzomba’s concerns. By entering an alumnus’ name in the url http://firstname.lastname.connect2tcnj.com/connect2tcnj.com, anyone could see the personal information of those who had responded to the campaign. A Google search for TCNJ alumni revealed lists of names, some of which this site tested. In some cases, I could see the individual’s name, address, telephone number, zip code, date of birth, marital status, maiden name, name of spouse, name of employer, job title, work e-mail address, and business telephone, if they had entered it. No login or password was required. The configuration also allowed anyone who accessed an alumnus’ page to edit or alter the information, with no password required. No Social Security numbers or financial information was included in the form.

DataBreaches.net made several calls and left several messages for TCNJ personnel concerning the leak, and delayed publishing this until the site was secured. By late this afternoon, the url was no longer working and attempts to connect to the outreach campaign site led only to a subscription form for a mail list.

According to Matthew Golden, Executive Director of Public Relations & Communications, the college had contractual language with the vendor, Pursuant, about ensuring the privacy and security of the data, and they had called the vendor after getting the report of the leak from their alumnus. In a statement to DataBreaches.net, Golden said, “We absolutely take the security of our alumni very seriously. As soon as we learned about the problem, we acted as quickly as possible to rectify the situation.”
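
The flaw described above is a predictable identifier (the alumnus' name in the hostname) standing in for authentication, with the same page accepting edits. The following is an added example, not TCNJ's or the vendor's code, that models that design in a few lines beside a hardened form: access by a per-recipient unguessable token whose hash is the only thing stored, and writes limited to an explicit allow-list of fields. The record store, the hostname, the token length and the field names are all constructed for illustration.

```python
"""Predictable-identifier, no-credential record access beside a hardened form.
Added example, not TCNJ's or the vendor's code; the record store, hostnames
and field names are constructed for illustration."""
import hashlib
import secrets
from typing import Optional

# Constructed sample data standing in for the alumni responses.
RECORDS = {
    "pat.doe": {"name": "Pat Doe", "phone": "555-0100", "employer": "Example Corp"},
}


def vulnerable_handler(host: str, method: str, form: Optional[dict] = None):
    """Mirrors the reported design: the identifier is the person's name in the
    hostname, no login is required, and a form post edits the record in place."""
    key = ".".join(host.lower().split(".")[:2])      # firstname.lastname
    record = RECORDS.get(key)
    if record is None:
        return 404, None
    if method == "POST" and form:
        record.update(form)                           # any field, by anyone
    return 200, dict(record)


# --- hardened variant -------------------------------------------------------
EDITABLE = {"phone", "employer"}                      # explicit allow-list for writes
_TOKEN_INDEX = {}                                     # sha256(token) -> record key


def issue_access_token(key: str) -> str:
    """Per-recipient unguessable token (the kind you would print on the postcard).
    Only its hash is stored, so a leaked table does not yield usable links."""
    if key not in RECORDS:
        raise KeyError(key)
    token = secrets.token_urlsafe(32)                 # 256 bits of randomness
    _TOKEN_INDEX[hashlib.sha256(token.encode()).hexdigest()] = key
    return token


def hardened_handler(token: str, method: str, form: Optional[dict] = None):
    """Access is by capability token only: no name in the URL to enumerate, no
    read or write without the token, and writes limited to allow-listed fields."""
    key = _TOKEN_INDEX.get(hashlib.sha256(token.encode()).hexdigest())
    if key is None:
        return 403, None                              # same answer for unknown and missing
    record = RECORDS[key]
    if method == "POST" and form:
        rejected = set(form) - EDITABLE
        if rejected:
            return 400, {"rejected_fields": sorted(rejected)}
        record.update({k: v for k, v in form.items() if k in EDITABLE})
    return 200, dict(record)


if __name__ == "__main__":
    print(vulnerable_handler("pat.doe.campaign.invalid", "GET"))
    token = issue_access_token("pat.doe")
    print(hardened_handler("guess", "GET"))
    print(hardened_handler(token, "POST", {"name": "someone else"}))
```

The token replaces the name as the only way to reach a record, which is what removes the Google-search-plus-URL path the article describes; hashing it server-side and rejecting unlisted fields on write close the two remaining gaps (a copied database and mass assignment). Expiring tokens after the campaign would be the natural next step and is left out here.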



“Hey, we just noticed that we've been running a school for Identity Thieves.”

http://www.databreaches.net/?p=11489

(Follow-up) Governor denounces security flaw

April 30, 2010 by admin

Tim Carpenter reports:

Gov. Mark Parkinson said Friday several state agencies were complying with an edict to reform a program that for decades allowed inmates in the custody of the Kansas Department of Corrections to access personal information of citizens.

He said new safeguards were being put in place at the Kansas Highway Patrol, Kansas Department of Transportation and the state corrections department to address security failures in a program that has been in place for 25 years. The program allows inmates to perform data entry for the state, cities, counties and nonprofits.

Read more in the Topeka Capital-Journal.



Another state with a website listing data breaches. I was curious as to where this list was, so I tried to get to the NY Attorney General's website, but they were down – I wonder if they were hacked or are merely saving money?

http://www.phiprivacy.net/?p=2589

Breaches recently reported to NYS

By Dissent, April 30, 2010 11:28 am

Last year, New York State began posting logs of breach reports they receive. Entities experiencing a breach are required to inform the state how many NYS residents were involved, but are not required to indicate the total number of individuals affected.

Unfortunately, their logs do not indicate precisely whether the NYS residents affected are employees, clients, or patients of the breached entity, and do not indicate what kinds of personal information were involved — SSN, financial, medical, etc. With that frustration in mind, here are some of the breaches that have showed up in the logs for April. An asterisk means that the breach has not been reported in the mainstream media, to date. In asterisked cases, I did try to search for a notification on the entity’s web site, if they have one:

[The report can be found here: http://www.consumer.state.ny.us/



Here's a bad use of a good service. (In fact, I mention it for my website students, below)

http://techcrunch.com/2010/04/30/posterous-starts-automatically-inserting-affiliate-links-into-sites-forgets-to-tell-users/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Posterous Starts Automatically Inserting Affiliate Links Into Sites, Forgets To Tell Users

by Jason Kincaid on Apr 30, 2010

We’ve been tracking super-simple publishing service Posterous for quite a while now, and for the most part they’ve turned us into big fans. Unfortunately, they’ve just committed a fairly serious blunder. In a post earlier today, one Posterous user stumbled across the fact that his site was automatically converting all of his links to affiliate links using VigLink. There isn’t anything sinister about VigLink — the service helps publishers generate revenue without having to manually insert affiliate links themselves, and has received funding from Google Ventures, First Round Capital, and some prominent angel investors. But Posterous neglected to inform its users that it was starting to monetize all of their links, which is a breach of user trust.
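
A publisher can catch this kind of silent rewriting without waiting for a blog post. The block below is an added example, not Posterous's or VigLink's code: it parses the HTML the author wrote and the HTML the host actually serves, pairs the links in document order, and flags any href that now points at a different host or carries the original URL inside a query parameter. The sample page and the affiliate-style redirect URL are constructed for illustration and are not VigLink's real format.

```python
"""Audit for silently rewritten outbound links: an added example, not
Posterous's or VigLink's code. The rewritten URL format below is constructed
for illustration, not VigLink's real format."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def audit_links(authored_html: str, served_html: str) -> list:
    """Compare what the author wrote with what the platform serves, link by link.
    Reports each href that changed, whether it now points at a different host,
    and whether the original URL survives as a query parameter of the new one."""
    authored = extract_links(authored_html)
    served = extract_links(served_html)
    findings = []
    for index, (a, s) in enumerate(zip(authored, served)):
        if a == s:
            continue
        params = parse_qs(urlsplit(s).query)          # values come back percent-decoded
        findings.append({
            "index": index,
            "authored": a,
            "served": s,
            "third_party_host": host_of(s) != host_of(a),
            "wraps_original": any(a in vals for vals in params.values()),
        })
    if len(authored) != len(served):
        findings.append({"index": None, "note": f"link count changed: {len(authored)} -> {len(served)}"})
    return findings


# Constructed sample: the author's HTML and the same page as served by the host.
AUTHORED = ('<p>Try <a href="https://shop.example/widget">this widget</a> '
            'or read <a href="/about">about us</a>.</p>')
SERVED = ('<p>Try <a href="https://go.affiliate-network.invalid/click?'
          'u=https%3A%2F%2Fshop.example%2Fwidget&amp;pub=42">this widget</a> '
          'or read <a href="/about">about us</a>.</p>')

if __name__ == "__main__":
    for finding in audit_links(AUTHORED, SERVED):
        print(finding)
```

Fetching the served page with a plain HTTP client and feeding it in alongside the source you keep in version control is enough to run this on a schedule; the "wraps_original" flag is the tell-tale of a redirect-through-a-tracker rewrite, while a changed host with no wrapped original is worth a closer look as an outright substitution.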



The annual Wiretap Report.

http://www.pogowasright.org/?p=9643

Police Wiretapping Jumps 26 Percent

May 1, 2010 by Dissent

Ryan Singel writes:

The number of wiretaps authorized by state and federal judges in criminal investigations jumped 26 percent from 2008 to 2009, according to a report released Friday by the Administrative Office of the U.S. Courts.

Courts authorized 2,376 criminal wiretap orders in 2009, with 96 percent targeting mobile phones in drug cases, according to the report. Federal officials requested 663 of the wiretaps, while 24 states accounted for 1,713 orders.

Not one request for a wiretap was turned down.

Read more on Threat Level.

[From the article – another recurring theme:

Law enforcement officials have long warned that encryption technology allows criminals to hide their activities, but investigators encountered encrypted communications only one time during 2009’s wiretaps. The state investigators told the court that the encryption did not prevent them from getting the plain text of the messages.

… The tally does not include subpoenas or warrants issued for e-mails or documents stored in the cloud using Gmail, Hotmail or ISP’s internet services, nor does it include search warrants issued to seize e-mails stored on a target’s home computer.



Quotable quotes? Would that users gave two minutes of thought to these issues before they plunged in...

http://www.pogowasright.org/?p=9641

The Right to Privacy is Not a Right to Facebook

May 1, 2010 by Dissent

Daniel Castro comments:

… Yet even if you accept the premise that consumers had an expectation of privacy, the last few years of debate over online privacy should make it clear to even the most casual user that this is no longer true. Many Internet companies clearly intend to continue to find innovative ways to use personal data to deliver products and services to their customers. While Facebook CEO Mark Zuckerberg may or may not “believe in privacy”, it is clear that Facebook thinks that companies should respond to changing social norms on privacy and that the overall trend is towards more sharing and openness of personal data. So going forward, no Facebook user (or privacy fundamentalist) can continue to use the service without admitting that the benefits of using the website outweigh any reservation the user has about sharing his or her personal data. As the saying goes, “Fool me once, shame on you. Fool me twice, shame on me.”

Certainly some users may still object to this tradeoff. But if you don’t like it, don’t use it.

Read his entire commentary on Information Policy.


(Related) An age limit for social networking?

http://news.cnet.com/8301-17852_3-20003912-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Get your kids off Facebook, principal tells parents



Another version of Privacy Law...

http://www.pogowasright.org/?p=9620

Guernsey: Data protection law amended to include prison time

April 30, 2010 by Dissent

Michael Adkins of Collas Day summarizes amendments to the Data Protection (Bailiwick of Guernsey) Law. According to Wikipedia, Guernsey is a possession of the UK and not part of the UK nor part of the EU. Of particular interest to me in their amendments:

Section 55(2) has been amended to offer further exemptions to people who obtain, disclose or procure the disclosure of personal data without the consent of a data controller. A new paragraph has been introduced to exempt anyone who is in breach of these provisions if the breach was committed for a ’special purpose’ (defined as journalism, art or literary purposes) or in the reasonable belief that it was in the public interest to do so. However, more severe repercussions have been established for those found to be in contravention of law.

and:

Persons found guilty under Section 55 of the law of unlawfully obtaining (or disclosing) personal data without the consent of the data controller may now face a prison sentence. Previously, the most severe penalty available was a fine not exceeding Level 5 on the uniform scale (ie, £10,000). Under the amended provisions, the courts have the alternative sentencing options of 12 months’ imprisonment on summary conviction and two years on indictment.

Prison? This may be one of the toughest laws yet, if they actually enforce it.

To read the full article, subscription is required.



Is Microsoft concerned with Privacy or remaining regulation-free?

http://www.pogowasright.org/?p=9622

Researcher: Social networks shouldn’t reuse private info

April 30, 2010 by Dissent

Joab Jackson reports:

While social networking services may legally own customer-generated data generated on their sites, they still should not reuse that material outside the context in which it was created, contended a Microsoft researcher who studies social networks.

Willfully failing to respect the context of how that data was created may only lead to increased regulatory oversight in the future, warned Danah Boyd, in a series of talks given at the WWW 2010 conference, being held this week in Raleigh, North Carolina, as well as in a follow-up interview with IDG News Service.

“When the law comes down, it is usually not pretty,” she said.

Read more on Computerworld.



They should get this information – on a case-by-case basis and after presenting reasonable evidence to support their request.

http://www.pogowasright.org/?p=9627

Record Labels Can Seek Download Info From ISPs

April 30, 2010 by Dissent

Anne Youderian reports:

Major record labels have the right to know who’s illegally downloading their music, the 2nd Circuit ruled Thursday. The court said a computer user’s right to remain anonymous does not trump the labels’ right to enforce their copyrights.

The alleged infringer, identified only as “Doe 3,” asked a federal magistrate judge to quash a subpoena served on his Internet service provider, the State University of New York at Albany. The record labels wanted to learn the names of 16 people who allegedly downloaded or distributed [Big difference. Shouldn't they specify which in order to get the subpoena? Bob] copyrighted songs through an online file-sharing network.

Doe 3 objected to having his identity revealed, claiming he has a First Amendment right to remain anonymous.

The magistrate judge refused to quash the subpoena, and U.S. District Judge Glenn Suddaby rejected Doe 3’s claims on appeal.

Read more on Courthouse News.

In the decision, the court rejected all of the defendant’s arguments, holding that

to the extent that anonymity is used to mask copyright infringement or to facilitate such infringement by other parties, it is unprotected by the First Amendment.

The case is Arista v. Doe 3.


(Related) Not all Internet users are as easy to identify as the casual downloader. Perhaps there is a market for “How to remain anonymous on the Internet”?

http://www.databreaches.net/?p=11487

(update) Hacker remains at large year after cyberattack on Va. data

April 30, 2010 by admin

A year after a computer hacker breached Virginia’s statewide prescription drug database, investigators still don’t know who did it.

Computer functions at the state Department of Health Professions, which runs the program, were disabled for weeks as a result of the April 30, 2009, cyberattack. The hacker claimed to have stolen more than 35 million prescription records and demanded a $10 million ransom.

A criminal investigation by the FBI and State Police remains open, but the perpetrator has not been identified, Diane Powers, a department spokeswoman, said Thursday. There is no evidence of identity theft or other misuse of patient records, she added.

Read more in the Virginian-Pilot.



For my Ethical Hacking class. You have to secure the results of your hacks.

http://www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html

US Air Force phishing test transforms into a problem

Rumors that "Transformers 3" will be filmed in Guam start after a phishing exercise goes viral

By Robert McMillan, IDG News Service April 29, 2010 08:41 PM ET

… This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.

"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.

… This isn't the first time that some type of unforeseen consequence has come of a security training exercise. In August, a test of a bank's computer systems prompted the federal agency chartered with overseeing the nation's credit unions to issue a fraud alert. The "fraud" was actually a sanctioned penetration testing exercise conducted by security firm MicroSolved.



For my website students.

http://www.viglink.com/

VigLink

The easiest way to monetize links on your site.

How It Works

If one of your users clicks through to a product or service and buys something you automatically earn a commission. In return for the service we typically take 25% of those commissions. There is no risk, you only pay us a share of what you earn. Often you earn more with VigLink due to collective bargaining on commission rates, even after our 25% cut.

[Watch the video: http://www.youtube.com/watch?v=SIYBfHUY6cg



When you need to demonstrate how simple explaining complex science can be...

http://www.youtube.com/watch?v=rLDgQg6bq7o&feature=player_embedded
