Local: Interesting that someone gets it right! But then, Interior has been answering very pointed security questions from the DC Court since the Bush I Administration, over royalty payments to native Americans,
http://www.databreaches.net/?p=12181
Interior loses CD with personal data for 7,500 federal employees
June 16, 2010 by admin
Alice Lipowicz reports:
A compact disc that contains personally identifiable information for about 7,500 federal employees has been reported lost by the Interior Department’s shared services center.
The incident occurred on or about May 26, when a procurement specialist at Interior’s National Business Center in Denver reported that the CD could not be located. The disc was sent to the business center by a third-party service provider, according to a June 10 news release.
The CD has not been found, Terri Raines, a spokeswoman for the National Business Center, said today.
The data on the CD was encrypted and password-protected, and was used to support billings from the vendor, Raines said. The disc was presumed to be lost in the center’s secured, restricted-access area, she added.
Read more on FCW. It seems that even though the data were encrypted, they are notifying individuals.
Gee, some of these sites may have security problems. Who knew!
http://www.databreaches.net/?p=12177
Massive keylogger cache posted to Pastebin.com
June 16, 2010 by admin
Steve Ragan reports:
Details for thousands of accounts, from Facebook to PayPal, have surfaced over the weekend on Pastebin.com. The details, which come from keylogging software, appear to have been dumped automatically to the site based on observations from BitDefender, who tipped The Tech Herald off to their existence on Friday.
Along with usernames and passwords, which are expected, the user’s browser details, computer name, and IP address are included with several reports.
Read more on Tech Herald. Also see the post on MalwareCity.
For my Ethical Hacking class. How can you tell which applications are growing (and at what rate) or which fail frequently unless you record the activity?
http://www.pogowasright.org/?p=11271
Employee monitoring: When IT is asked to spy
Tam Harbert reports:
Michael Workman, an associate professor at the Florida Institute of Technology’s Nathan M. Bisk College of Business who studies IT security and behavior at corporations, estimates that monitoring responsibilities take up at least 20% of the average IT manager’s time. [Very unlikely, unless they are reviewing logs manually. Bob]
Yet most IT professionals never expected they’d be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility?
Workman says he sees a split among tech workers. Those who specialize in security issues feel that it’s a valid part of IT’s job. [Just like quality insprctions in manufacturing. Bob] But those who have more of a generalist’s role, such as network administrators, often don’t like it. [Fire them! Bob]
Computerworld went looking for IT managers who would share their experiences and attitudes, and found a wide variety of viewpoints, ranging from discomfort at having to “babysit” employees to righteous beliefs about “protecting the integrity of the system.” Read on for their stories.
Read more on Computerworld.
(Related)
http://news.slashdot.org/story/10/06/17/1243249/DePaul-University-To-Offer-Degree-In-Predictive-Analysis?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
DePaul University To Offer Degree In Predictive Analysis
Posted by samzenpus on Thursday June 17, @09:22AM
"The Chicago-based DePaul University will offer what it says is the nation's first master's degree in predictive analysis, the school announced on Wednesday in conjunction with IBM, which will provide resources for the program. 'We realized there was a need to create a program that prepared students in careers in data analytics and business intelligence,' said Raffaella Settimi, an associate professor at DePaul's College of Computing and Digital Media, who helped craft the program. 'A lot of the professionals who work in these fields have a variety of backgrounds, but there really isn't a program dedicated to data analytics,' Settimi said."
We call this the “Please sue me!” strategy.
http://yro.slashdot.org/story/10/06/16/2257223/HP-and-Yahoo-To-Spam-Your-Printer?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
HP and Yahoo To Spam Your Printer
Posted by samzenpus on Wednesday June 16, @10:35PM
"As many suspected when HP announced its web-connected printer, it didn't take long for the company to announce it will send 'targeted' advertisements to your new printer. So you'll get spammed, and you'll pay for the ink to print it. On the bright side, the FCC forbids unsolicited fax ads, so this will probably get HP on a collision course with the Feds."
I told you this would keep growing...
http://www.pogowasright.org/?p=11338
Google Wi-Fi Data Collection Discussed by 30 Attorneys General
Karen Freifeld and Joel Rosenblatt report:
Google Inc.’s collection of data via Wi-Fi networks was the subject of a conference call among law enforcement officials from 30 U.S. states, according to Connecticut Attorney General Richard Blumenthal.
“We’re looking to establish where, when, why, for how long and for what purpose there was this collection of information on wireless networks,” Blumenthal said yesterday in an interview. The call included representatives of the states’ attorneys general.
[...]
The U.S. Federal Trade Commission said last month that it is reviewing Google’s data gathering. An Oregon judge has ordered the company turn over similar data collected in that state, including any e-mails, files or digital phone records, according to court documents.
Also this month, Google said it was turning over to regulators in Germany, France and Spain data it mistakenly collected from unsecured Wi-Fi networks.
Read more on Bloomberg.
(Related) Interesting idea. Might be fun to see what the courts have recognized as true (admissible) for each technology.
http://www.bespacific.com/mt/archives/024506.html
June 16, 2010
Privacy International Launches System to Shed Light on Controversial Technologies
EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."
Is this where we are heading? Won't the Lower Merion School District be happy! “Winston, You were supposed to read “1984,” but we watched you read the Cliff Notes.”
http://www.pogowasright.org/?p=11304
OR Supreme Court ok’s policy to ease searches of students
Rachel Cheeseman reports:
The Oregon State Supreme Court ruled that warrantless searches of students in public schools by officials need only “reasonable suspicion” rather than “probable cause,” making it easier for school officials to search property of students.
The opinion of the Court, released June 10, stated that the Article I Section 9 rights of the Rex Putnam High School student had not been violated when David Pogel, a teacher at Rex Putnam, reached into the student’s pocket and removed the contraband inside.
Read more on Oregon Politico.
Comment: This is really a terrible decision in terms of basically giving students less privacy protection and schools more authority to conduct warrantless searches. It also opens the door to many more such searches and expansion of schools’ ability to search students for violations of school rules that have nothing to do with imminent danger or safety issues.
Maybe when they teach the Constitution in Oregon, they could save valuable time and just skip the Fourth Amendment because the students don’t get its protection?
The made the change because it would be easier to remember – and never considered rethinking their security. Typical!
http://www.databreaches.net/?p=12171
OH: Treasurer’s site exposes taxpayers’ information to hackers
June 16, 2010 by admin
Barbara Carmen reports:
Franklin County property owners paying taxes online before Monday’s deadline might have innocently allowed thieves trolling cyberspace to snag checking-account or credit-card numbers.
Computer experts installed safeguards in 2001 when the county adopted a second Web address, one thought to be more memorable. But many people were familiar with the old address, which still pops up among the top choices on Yahoo and Google searches. So the county kept that one live, too.
Residents who use the newer address, www.franklincountyohio.gov/treasurer, to pay 2009 property taxes will see the same Web pages as those using the original URL, www.co.franklin.oh.us.
Only the newer one, however, has a secure connection for paying bills. The county saved money by buying a single, umbrella certification for the newer address.
Read more in the Columbus Dispatch.
Makes me ask how thorough their security testing is...
http://www.databreaches.net/?p=12166
AT&T hit by another data breach
June 16, 2010 by admin
AT&T customers logging into their accounts to pre-order the Apple iPhone 4 reported that they were given access to the account information of other customers.
Despite entering their own usernames and passwords, the AT&T system would take them to another user’s account, according to gadget blog Gizmodo, which broke the news.
Some users said when they refreshed the web page, the site returned the correct account information.
AT&T said told Gizmodo that it could not replicate the problem but noted that reports of the problem indicated some data, such as social security numbers and credit card numbers, was not disclosed.
Read more on InfoSecurity Magazine.
Gizmodo is all over this one, with a possible explanation offered by an unnamed AT&T insider about a weekend update that may be the source of the problem.
For my Statistics class. There are no reliable statistics – deal with it! (The annual wiretap report was one of my surveillance touchstones.)
http://www.pogowasright.org/?p=11354
DOJ’s surveillance reporting failure
Chris Soghoian writes:
In both 2004, and 2009, the US Department of Justice provided Congress with a “document dump”, covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.
[...]
Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.
Read more on Slight Paranoia, where Chris includes some surveillance statistics, drawn from an upcoming law review article.
One wonders why Congress continues to permit the Department of Justice to ignore its obligation [because they didn't really care? Bob] to provide annual reports on time. Chris suggests assigning responsibility to another agency, but in the alternative, if Congress were firmer that DOJ would not get some of its funding until it turned in its required paperwork on this, perhaps the DOJ would manage to do what it is supposed to do.
Then too, if we actually had a Privacy and Civil Liberties Oversight Board that had anyone on it….. but the Board continues to remain empty under Obama’s administration.
(Related) Another flaw in the statistics.
http://www.databreaches.net/?p=12164
The Tie Between ID Theft & Illegal Immigration
June 16, 2010 by admin
Sarah Buduson reports on the relationship between ID theft and illegal immigration. What I particularly like about this piece is comments from Mark Pribish pointing out that although such cases are counted as ID theft, they’re not really ID theft and are (just) employment fraud. Of course, even employment fraud as opposed to cases where identity info is stolen and misused can have a serious impact on the person who’s SSN has been fraudulently used for employment, but I’m glad to see the distinction being made.
Valley identity theft expert said there’s a strong correlation between high rates of ID theft and the numbers of illegal immigrants in a state.
The states with the highest rates of identity theft complaints are also states with “illegal immigration issues,” according to Mark Pribish, an identity theft expert who works for Merchants Information Solutions.
“In those states,” said Pribish, “You have a lot of illegal immigrants filling out employment numbers with nine random numbers of where a Social Security number is supposed to be.”
“The Federal Trade Commission counts it as an identity theft event, so even though an actual ID theft event did not take place,” he said. “In reality, it’s an employment fraud event. You have misrepresentation on an employee application.”
In 2009, the states with the highest rates of identity theft complaints were Florida, Arizona, Texas, California and Nevada, according to the Federal Trade Commission’s website.
“It does skew the statistic on how many ID thefts are taking place,” said Pribish.
Read more on KPHO.
Our negotiators are better?
http://www.pogowasright.org/?p=11350
EU plan to share bank data with US is ‘wholly unbalanced’, says expert
The European Commission has agreed with the US the terms on which it will allow that country’s authorities access to the banking details of EU citizens. The agreement must be approved by the European Parliament and Council before coming into force.
[...]
Chris Pounder, director of Amberhawk Training and formerly of Pinsent Masons, the law firm behind OUT-LAW.COM, disagreed. In a blog post, he said that that requirement is no barrier to excessive information transfer. “The Draft Agreement appears to be wholly unbalanced,” he said.
“Article 4 allows the US Treasury to obtain ‘Data’ on request,” he said. “All the Treasury need do is specify the categories of data it wants as being necessary in connection with terrorism, get the formal approval of fellow security officers in Europol, and then the personal data can be transferred. Note there is no judicial warrant needed in relation to requests which could involve considerable amounts of personal data.”
“However, when the EU want data from the USA, Article 10 requires them to identify ‘a person or entity that there is reason to believe has a nexus to terrorism or its financing’. The difference between the two approaches is profound,” said Pounder.
Read more on Out-Law.com
A report worth reading?
http://www.bespacific.com/mt/archives/024505.html
June 16, 2010
Rand - Security at what cost? Quantifying trade-offs across liberty, privacy and security
Rand - Security at what cost? Quantifying trade-offs across liberty, privacy and security, by Neil Robinson, Dimitris Potoglou, Chong Woo Kim, Peter Burge, Richard Warnes
"The balance between liberty, privacy and security is often polarised around concerns for civil liberties and public safety. To balance these concerns, policymakers need to consider the economic and social consequences of different security options as well as their effectiveness. In particular, they need to know whether individuals are willing to surrender some liberty or privacy in return for security benefits. Research in this domain has been mainly qualitative and as such, simple polling techniques that are likely to lead to unrealistic and unquantifiable responses are not usable for economic analysis. RAND Europe undertook a self-funded initiative to try to understand and quantify the trade-offs that people might make when confronted with real-life choices about privacy, liberty and security. The study used stated preference discrete choice experiments to present respondents with alternative options, each with advantages and disadvantages that they must explicitly trade-off when selecting between options. Respondents could also state where they would prefer the status quo. We examined three scenarios where trade-offs might arise: applying for a passport; traveling on the national rail network; and attending a major public event. Our approach showed that is possible to obtain and quantify the views and preferences of citizens as users of security infrastructure. In particular, stated choice discrete choice experiments provided a refined understanding of the importance people place on a number of factors describing each scenario such as the degree of comfort in providing personal data to obtain a passport or when passing through different types of security checks."
One of those “Well, DUH!!” reports
http://www.bespacific.com/mt/archives/024502.html
June 16, 2010
New GAO Reports: Credit and Debit Cards, Cybersecurity, Federal Energy Management, Cost of Major Oil Spills
Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats, GAO-10-834T, June 16, 2010
“We will definitely (make it look like we can) protect our infrastructure!” Congress
http://www.wired.com/dangerroom/2010/06/dhs-geek-squad-understaffed-with-no-juice-and-no-plan/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
DHS Geek Squad: No Power, No Plan, Lots of Vacancies
The federal government still sucks at protecting its networks. One big reason why: The agency that’s supposed to tighten up Washington’s information security has neither the authority nor the manpower to respond effectively to the threat of electronic attacks.
Back in 2003, the Department of Homeland Security set up with U.S. Computer Emergency Readiness Team (US-CERT) to spot vulnerabilities in the government’s networks, and coordinate responses when those flaws are exploited. But seven years later, US-CERT is still “without a strategic plan,” DHS Inspector General Richard Skinner tells the House Homeland Security Committee.
Legal stuff, NOT a guide to hacking the iPhone.
http://www.wired.com/threatlevel/2010/06/iphone-jailbreak-prime/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
iPhone Jailbreak Videos: A Legal Primer and a How-To
Do we have a “Right to Privacy” or a “Right to Balance Privacy against Safeguards?”
http://www.pogowasright.org/?p=11267
E.U. Tries to Balance Terror War and Privacy
James Kanter reports:
The European Commission proposed ways Tuesday to safeguard information used by the authorities to track the finances of terrorism suspects and to ensure that body scanners at European airports do not jeopardize the health or privacy of passengers.
The commission, the European Union’s executive, made the proposals in Strasbourg against a background of mounting concerns in the Union on how to balance protecting privacy with combating terrorism.
Read more in the New York Times.
(Related) If you can't use Behavioral Advertising, go back to the old model.
http://www.pogowasright.org/?p=11273
Website owners lobby against bill
Kim Hart reports:
Dozens of small online publishers descended on Capitol Hill Tuesday to make an appeal to lawmakers, saying proposed privacy regulations could put them out of business.
Owners of websites such as IKEAFANS.com and JoyOfBaking.com make their living by selling ads on their sites. They fear advertising revenue will evaporate under regulations proposed by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.), chairman and ranking member of the House Subcommittee on Communications, Technology and the Internet.
Read more on Politico.
Tanya Forsheit also continues her report on reactions to the proposed legislation on InformationLawGroup.
[From the Politico article:
In a draft version of the bill, Boucher and Stearns want Internet users to give explicit consent before websites can share their personal data with third-party advertisers. Small websites that rely on third-party advertising networks for nearly all of their ads say securing consent from every visitor before showing an ad would be difficult.
The rise of the Internet of Things...
http://www.foxnews.com/scitech/2010/06/11/everyday-items-hackers-targeting-right/
10 Everyday Items Hackers Are Targeting Right Now
(Related) Just wait...
http://tech.slashdot.org/story/10/06/17/138210/Why-Intel-Wants-To-Network-Your-Clothes-Dryer?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Why Intel Wants To Network Your Clothes Dryer
Posted by Soulskill on Thursday June 17, @10:04AM
"Intel has shown off a working prototype of a small box that, among other things, can monitor your clothes dryer to see how much it's contributing to your power bill. The Intelligent Home Energy Management proof-of-concept device is a small box with an 11.56" OLED touchscreen that is designed to act as an electronic dashboard for monitoring energy use in the home. By equipping devices like home entertainment systems and clothes dryers with wireless networked power adapters, the system can actually report back the power draw for a particular power point. Leave the house, and it can make sure power draining devices like that plasma TV are turned off. It is unlikely the device will enter production (there are apparently only four in existence), however this story about the box shows something we can expect to see in the home of tomorrow. Ultimately, it's not only about saving money, but also reducing load on the electricity grid by removing needless power use."
Another attempt to make Open Source comprehensible...
http://www.bespacific.com/mt/archives/024504.html
June 16, 2010
New on LLRX.com: What is Open Source?
What is Open Source? - In the past few years, the term open source has been bandied about not just in library-land, but in every industry. When a term is talked about this much, some would say to the point of overuse, people start to think it's a fad. In this and upcoming articles, Nicole C. Engard is here on LLRX to tell you that open source is no fad, and why.
...and sometimes Statistics are just impossible to believe. Especially since Optinet is in the “child protection” business.
http://idle.slashdot.org/story/10/06/16/1722258/Over-a-Third-of-the-Internet-Is-Pornographic?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Over a Third of the Internet Is Pornographic
Posted by samzenpus on Wednesday June 16, @04:20PM
"Pornography makes up 37% of the total number of web pages online, according to a new study published by Optenet, a SaaS provider. According to the report, which looked at a representative sample of around four million extracted URLs, adult content on the Internet increased by 17% in the first quarter of 2010, as compared to the same period in 2009."