http://www.databreaches.net/?p=10875
Student loan company: Data on 3.3M people stolen
March 27, 2010 by admin
From the Associated Press:
A company that guarantees federal student loans said Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota.
Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information.
The data was on “portable media” that was stolen sometime last weekend, ECMC said in a statement.
Read more on Updated News.
ECMC’s statement is prominently linked from ECMC’s home page at the time of this posting.
Kevin Diaz of the Star Tribune adds that “Congressional sources said the data were stored on discs contained in a safe.”
[From the Star Tribune article:
U.S. Department of Education officials said it is believed to be one of the biggest cases of student identity theft in the nation, affecting 5 percent of all students with federal loans in the United States.
I'd like to meet whoever negotiated this plea. I'd like to know what would have come out in court.
Hacker Sentenced to 20 Years for Breach of Credit Card Processor
By Kim Zetter March 26, 2010 3:11 pm
BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.
The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.
(Related) I don't remember getting a letter from JCPenney...
http://www.databreaches.net/?p=10878
JC Penney, Wet Seal: Gonzalez Mystery Merchants
March 27, 2010 by admin
While major news sources rushed to report yesterday that Albert Gonzalez was sentenced yesterday to 20 years plus one day for the Heartland Payment Systems breach, a term to run concurrently with his other sentence, Brooklynne Kelly Peters and Evan Schuman of StorefrontBacktalk led with providing the answer to a question many of us had: who were the two unidentified retailers who were also hit by the hacking ring?
JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JCPenney chain was one of Gonzalez’s victims, even though JCPenney’s media representatives were denying it.
Good for Judge Woodlock! [Agree! Bob] The blog reports that despite the retailers’ efforts to prevent disclosure of their identities, the judge ruled in favor of disclosure:
“I’m not convinced,” Woodlock said, adding that he believed that both retailers should have announced their involvement from the start, that consumers had the right to know. He said he would not provide the companies “insulation from transparency.”
The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.” Back in November, an attorney for J.C. Penney asked the judge to protect its “dignity,” phrasing that might have set his Honor off.
Read more on StorefrontBacktalk.
[From Storefront:
Michael Ricciuti, in Boston federal court Friday, argued to the judge that no consumers were impacted by the breach as the data grabbed from JCPenney was not sufficient to create bogus cards. Ricciuti added that there was therefore no need for consumers to know the company’s vulnerabilities.
(Related) Perhaps we should forward this to JCPenney and Wet Seal?]
http://www.databreaches.net/?p=10882
Federal Information Security and Data Breach Notification Laws
March 27, 2010 by admin
From Congressional Research Service:
Federal Information Security and Data Breach Notification Laws
Gina Stevens
Legislative Attorney
January 28, 2010
The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Also included in this report is a brief summary of the Payment Card Industry Data Security Standard (PCI DSS), an industry regulation developed by VISA, MasterCard, and other bank card distributors.
Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to such information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification.
Expectations of many are that efforts to enact data security legislation will continue in 2010. In the first session of the 111th Congress the House passed H.R. 2221 (Rush and Stearns), the Data Accountability and Trust Act, which would apply only to businesses engaged in interstate commerce, and require data security programs and notification of breaches to affected consumers. The Senate Judiciary Committee approved S. 139 (Feinstein), the Data Breach Notification Act, which would apply to any agency, or business engaged in interstate commerce; and S. 1490 (Leahy), the Personal Data Privacy and Security Act of 2009, which would apply to business entities engaged in interstate commerce and require data security programs and notification to individuals affected by a security breach. S. 1490 also includes data accuracy requirements for data brokers, and requirements concerning government access to and use of commercial data.
For related reports, see the Current Legislative Issues Web page for “Privacy and Data Security” available at http://www.crs.gov/Pages/subissue.aspx?cliid=2105&parentid=14. This report will be updated.
Full Report (pdf) via Docuticker.
Predicting the joy of Electronic Health Records.
http://www.phiprivacy.net/?p=2307
EMR Data Theft Booming
By Dissent, March 26, 2010 12:48 pm
Nicole Lewis reports:
Acceleration in the use of electronic medical records may lead to an increase in personal health information theft, according to a new study that shows there were more than 275,000 cases of medical information theft in the U.S. last year. Unlike stealing a driver’s license or a credit card, data gleaned from personal health records provides a wealth of information that helps criminals commit multiple crimes, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm.
Information such as social security numbers, addresses, medical insurance numbers, past illnesses, and sometimes credit card numbers, can help criminals commit several types of fraud. These may include: making payments from stolen credit card numbers and ordering and reselling medical equipment by using stolen medical insurance numbers.
A key finding from the report is that fraud resulting from exposure of health data has risen from 3% in 2008 to 7% in 2009, a 112% increase.
Read more on InformationWeek.
[From the article:
Van Dyke's prediction is that as medical providers increase their use of electronic medical records, the incidents of fraud will increase. [That prediction falls into the “Well, Duh!” category. Bob]
"We think medical providers aren't up to the task. They won't have security best practices in place to match the incidents of fraud, and we think theft of personal health information is going to get worse," Van Dyke said.
… The study also found that there's a big difference between the misuse of data obtained through medical records, compared to other types of identity theft. For example, on average, criminals use information from medical records to commit fraud for 320 days as opposed to 81 days of misuse of information from other types of identity theft.
Additionally, it takes more than twice the time to detect medical information fraud and the average cost is $12,100, more than twice the cost for other types of identity theft.
Another site that aggregates information easily available on the Internet. Lots of bad information, but lots of accurate information too. Type your name and see for yourself. To “Opt out” you just give them more information...
http://www.pogowasright.org/?p=8589
Your personal information posted online
March 27, 2010 by Dissent
Jeremy Wolf reports:
It can list your address, a picture of your home, how much it cost, how long you have lived there, your approximate age and income, your relationship status and more. And it is online for anyone to see.
Spokeo.com takes information from social networking sites like Facebook and Twitter, and from phone books, marketing surveys and real estate listings to create a profile on you without asking.
“Some of the info that’s here on Spokeo is essentially public info and there’s no getting around it. Real estate sales for example,” Steave Beaty, a computer science professor at Metro State College, said.
[..]
In the lower right corner of the page there is a link labeled “Privacy.” Click on “Privacy” and paste the URL in the URL field. Then you need to enter your valid e-mail address and the code listed. Then click “Remove Listing.”
You should then get an e-mail and when you get the e-mail confirmation, you should follow the instructions to complete the removal of your name from the site.
Read more on 9News.
Government as usual. I can't believe Soprano & Soprano would miss an opportunity like this (or half the politicians in NY either).
NYC Drops $722M On CityTime Attendance System
Posted by Soulskill on Saturday March 27, @10:20AM
theodp writes
"New York City is reportedly paying 230 consultants an average annual salary of $400K for a computer project that is seven years behind schedule and vastly over budget. The payments continue despite Mayor Bloomberg's admission that the computerized timekeeping and payroll system — dubbed CityTime — is 'a disaster.' Eleven CityTime consultants rake in more than $600K annually, with three of them making as much as $676,000. The 40 highest-paid people on the project bill taxpayers at least $500K a year. Some of the consultants have been working at these rates for as long as a decade."
...and there is no off switch!
New RFID Tag Could Mean the End of Bar Codes
Researchers from Sunchon National University in Suncheon, South Korea, and Rice University in Houston have built a radio frequency identification tag that can be printed directly onto cereal boxes and potato chip bags. The tag uses ink laced with carbon nanotubes to print electronics on paper or plastic that could instantly transmit information about a cart full of groceries.
“You could run your cart by a detector and it tells you instantly what’s in the cart,” says James M. Tour of Rice University, whose research group invented the ink. “No more lines, you just walk out with your stuff.”
It is far easier to 'ban' anything we don't understand, rather than learn how to deal with it.
Fixing Internet Censorship In Schools
Posted by Soulskill on Friday March 26, @03:58PM
jcatcw writes
"Schools and libraries are hurting students by setting up heavy-handed Web filtering. The problem goes back for years. A filter blocked the Web site of former House Majority Leader Richard Armey because it detected the word 'dick,' according to a 2001 study from the Brennan Center of Justice. The purpose of schools should be to teach students to live in a democratic society, and that means teaching critical thinking and showing students controversial Web sites, says Craig Cunningham, a professor at National-Louis University. He quoted from a National Research Council study: 'Swimming pools can be dangerous for children. To protect them, one can install locks ... [or] teach them to swim.' Web filtering also leads to inequities in education based on household income. Students from more affluent areas have access to the Internet at home and, often, more enlightened parents who can let them access information blocked in schools and libraries. Poorer students without home access don't have those opportunities."
Keep a sharp eye on those rascally employees.
http://www.bespacific.com/mt/archives/023847.html
March 26, 2010
New Application Can Monitor Employee Use of Social Networks
News release: "Social Sentry provides corporations the ability to monitor the social networking communications of their employees. Delivered as an easy to deploy SaaS offering, Social Sentry enables businesses to monitor employee activity on all major social networks such as Facebook and Twitter. It provides granular and real-time tracking to eliminate significant corporate risks related to: Compliance issues; Leakage of sensitive information; HR issues; Legal exposure; Brand damage; Financial impact."
For your Security Manager. Another example of what can go wrong with “automatic updates”
New Malware Overwrites Software Updaters
Posted by Soulskill on Friday March 26, @02:31PM
itwbennett writes
"Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."
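A check a Windows administrator can run against this kind of trojanized updater, as an added example that is not part of the article or BKIS's research: it verifies that each updater binary still carries a valid Authenticode signature from the expected publisher and records its SHA-256 hash for later comparison. The file paths and publisher names in the list are assumptions (placeholders); substitute the ones present in your environment.

```powershell
# Added example (not from the original post or BKIS): verify that software
# updaters are still the vendor's signed binaries rather than an overwritten copy.
# The paths and publishers below are assumed placeholders; adjust them locally.
$updaters = @(
    @{ Path = 'C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.exe'; Publisher = 'Adobe' },
    @{ Path = 'C:\Path\To\Java\Updater.exe';                                       Publisher = 'Oracle' }
)

function Test-UpdaterSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    # A missing updater is itself worth flagging: malware may have replaced or removed it.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'MISSING'; Signer = $null; Sha256 = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # 'Valid' means the signature chains to a trusted root and the file has not been modified
    # since signing; an overwritten AdobeUpdater.exe fails this test or shows a different signer.
    $result = if ($sig.Status -ne 'Valid')                      { 'BAD_SIGNATURE' }
              elseif ($signer -notlike "*$ExpectedPublisher*")   { 'WRONG_PUBLISHER' }
              else                                                { 'OK' }
    [pscustomobject]@{ Path = $Path; Result = $result; Signer = $signer; Sha256 = $hash }
}

$report = foreach ($u in $updaters) { Test-UpdaterSignature -Path $u.Path -ExpectedPublisher $u.Publisher }
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Result -ne 'OK' }) {
    Write-Warning 'One or more updaters failed verification; investigate before they run again.'
}
```

Keep the reported hashes from a known-good machine and diff them on each run; a hash change without a matching vendor release is the signal to pull the binary for analysis.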
The latest version of “Maybe we can make money this way...” If I had to bet, my money would be on “Not a chance.”
The Times Erects a Paywall, Plays Double Or Quits
Posted by timothy on Saturday March 27, @05:42AM
DCFC writes
"News International, owners of The Times and The Sunday Times announced today that from June readers will be required to pay £1 per day or £2 per week to access content. Rupert Murdoch is delivering on his threat to make readers pay, and is trying out this experiment with the most important titles in his portfolio. No one knows if this will work — there is no consensus on whether it is a good or bad thing for the industry, but be very clear that if it succeeds every one of his competitors will follow. Murdoch has the luxury of a deep and wide business, so he can push this harder than any company that has to rely upon one or two titles for revenue."
Record labels have never treated their artists as “Clients” – to be protected and nurtured. Why would this be any different?
http://www.motherboard.tv/2010/3/26/beyonce-s-record-company-puts-a-ring-on-her-youtube-channel--2
Of Course, Beyonce's Record Company Puts a Ring On Her YouTube Channel
Posted by Will_Han on Friday, Mar 26, 2010
It’s not really surprising at all: today Beyonce’s official YouTube channel is blocked in the US due to a copyright infringement issue with her own record label, Sony. Below a banner that reads “Congratulations for winning six Grammy Awards” – presumably from Sony, the video for “Single Ladies (Put a Ring On It)” has been replaced by this notice: “This video contains content from Sony Music Entertainment, who has blocked it in your country on copyright grounds.”
I would never say that Microsoft “owns the legislature in Washington” but I can say that they bend over backward to devise Microsoft-friendly laws.
10% Tax On Custom Software, $100M Tax Cut For Microsoft
Posted by Soulskill on Friday March 26, @03:14PM
reifman writes
"Last week, the Washington State House of Representatives passed a bill which would impose a 10% tax on custom software while all but eliminating a $100 million yearly tax obligation that some say Microsoft is wrongfully avoiding by routing large chunks of business through an office in Nevada. 'I believe we've got an issue of justice and fairness here,' said Rep. Maralyn Chase. 'Most of the custom software purveyors are small businesses. It's a question for me of how we fairly distribute the tax burden.' 'It means that a 5 person team of entrepreneurs building a cool custom software suite, or a group of system integrators, would face a 10% tax on their services while keeping the exact same project in-house would not be taxed,' wrote Rep. Reuven Carlyle. 'It would be a massive blow to the entrepreneurial community in our state.' The bill won't become law until the House and Senate work out how best to raise another $300 million in taxes. A sales tax increase on consumers is also being considered."
For my Computer Security students.
http://news.cnet.com/8301-1023_3-20001250-93.html?part=rss&subj=news&tag=2547-1_3-0-20
Survey: 63% don't change passwords very often
Security firm Symantec on Friday released results of a survey on password management that showed 63 percent of respondents don't change their passwords very often, 45 percent use a few passwords that they alternate for all accounts, and some 10 percent don't change their passwords at all.
These are startling numbers as, according to the survey, 44 percent of respondents said they have more than 20 accounts that require a password.
For my website students. A “multiple choice” hyperlink.
http://www.killerstartups.com/Web-App-Tools/butns-com-more-intelligent-hyperlinks
Butns.com - More Intelligent Hyperlinks
Butns is a new technology that will empower you to display hyperlinks that are more intelligent, or richer at the very least. You see, using this site you can come up with hyperlinks that could direct your visitors to several destinations. When they place the pointer over the word in question, a window will pop up displaying the possible destinations that you (as the webmaster) have preconfigured. It is all a mere matter of choosing one and they will be taken straight to it.
Think of this as the Internet equivalent of those ransom notes with letters cut from magazines...
http://www.makeuseof.com/dir/picurious-spell-words-with-flickr
PiCurious: Spell Words With Flickr Images
PiCurious is a dead simple and fun tool that lets you spell words with Flickr. Just enter any word and PiCurious will fetch Flickr photos displaying each letter of the word. If you don’t like a particular letter, just click on it and PiCurious will display a new one.
Similar tool: Spell With Flickr
Wow! I can grab some background beats for my security-rap lectures!
They call you a Nerd
'least, that's what I've heard
so, make 'em change their password
Word! Word! Word!
Friday, March 26, 2010
Free Royalty Free Music for Education
When creating an audio podcast or a video that uses music tracks, the sure way to avoid any worries about copyright infringement is to use music you created. Unfortunately, often that is not a feasible option for a lot of folks. The next best thing to using music you created is to use Creative Commons licensed music or royalty free music. Royalty Free Music hosts music tracks that can be reused in numerous ways. Royalty Free Music charges the general public for their downloads, but students and teachers can download quite a bit of the music for free. To access the free music tracks students and teachers should visit the education page on Royalty Free Music.
… Here are some related items that may be of interest to you:
Sound Bible - Free Sound Clips