Saturday, December 04, 2010

Local (and typical) failure to manage security.

http://www.databreaches.net/?p=15644

CO: Informants outed in accidental Grand Junction data release

December 3, 2010 by admin

The Associated Press reports:

The names of confidential drug informants, home addresses of sheriff’s deputies and troves of other sensitive data were made public for months because of a mistake by an employee of Mesa County’s technology department, officials said.

Thousands of the internal records were accessible on the Internet starting in April until the mistake was discovered last month.

The (Grand Junction) Daily Sentinel reported that the leak was blamed on a former employee [because no manager was responsible? Bob] with the Mesa County Information Technology Department. That employee wasn’t named and is no longer with the department, though it’s unclear whether the employee was terminated because of the leak.

Read more in the Daily News.

[From the article:

Hilkey said the FBI has been called to help find computer users who may have accessed the information that was supposed to be kept private.

… The leak was discovered Nov. 24 by an individual who ran across his or her name mentioned in the files while searching the Internet and notified authorities.

Mesa County Administrator Stefani Conley said that the leak was unintentional. The employee who posted the information mistakenly believed the site was secure, she told the newspaper.

“This employee thought this was a password-protected, encrypted site,” Conley said. [How do you distinguish a secure site from a public site? Big, flashing “Not Secure” signs might be useful... Bob]

… “We're re-evaluating our IT protocols and will take the necessary steps to make sure something like this can never happen again,” Conley said. [Looks like they didn't bother “evaluating” or “taking steps” before this happened. Bob]



For my Ethical Hackers looking for employment. Is information now available in the public domain still “classified?” I agree that adding your own interpretation (based on other classified knowledge) could “enhance” the value of the leaked data, but should you pretend the leak never happened?

http://yro.slashdot.org/story/10/12/03/2326207/Graduate-Students-Being-Warned-Away-From-Leaked-Cables?from=rss

Graduate Students Being Warned Away From Leaked Cables

"The US State Department has started to warn potential recruits from universities not to read leaked cables, lest it jeopardize their chances of getting a job. They're also showing warnings to troops who access news websites and the Library of Congress and Department of Education have blocked WikiLeaks on their own networks. Quite what happens when these employees go home is an open question."



What happens on the Internet ( or any place else), stays on the Internet... Forever!

http://www.pogowasright.org/?p=17954

Tel-Aviv District Court Finds No “Right to Forget”

December 3, 2010 by Dissent

Boris Segalis writes:

As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first of its kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.

Read more about the case on InformationLawGroup.



For my Ethical Hackers

http://yro.slashdot.org/story/10/12/03/1419200/History-Sniffing-In-the-Wild?from=rss

History Sniffing In the Wild

"Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

[From the comments:

In Firefox, even older versions (and perhaps some of the other browsers out there), you can change your "visited links" color (via Edit, Preferences, Appearance, Colors) to something other than purple. Then this script won't work. More, if you also change the "unvisited links" color, then even a modified script designed to tell the difference won't know which color is your "visited" color and which is your "unvisited" color.



“because our megabytes are better than their megabytes...”

http://mobile.slashdot.org/story/10/12/03/2059238/The-Odd-Variations-On-3G-Per-Megabyte-Pricing?from=rss

The Odd Variations On 3G Per-Megabyte Pricing

"Carriers are increasingly charging for 3G mobile access by the megabyte, to prevent 'unfair' subsidies of heavy users by everyone else. So why does the price of a 3G megabyte vary based on the device used to send or receive it? Why is an iPad megabyte cheaper than a MiFi one? After all, a megabyte is a megabyte as far as the network is concerned. InfoWorld has a comparison of 3G pricing for the four major US carriers for their various supported devices, so you can see whose 3G pricing is out of whack for which devices."



...or at least, what we want Copyright to be.

http://www.wired.com/threatlevel/2010/12/viacom-copyright-youtube/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Viacom Says YouTube Ruling Will ‘Completely Destroy’ Copyright

The media concern told the New York-based 2nd U.S. Circuit Court of Appeals on Friday that, if the lower decision stands, “it would radically transform the functioning of the copyright system and severely impair, if not completely destroy, (.pdf) the value of many copyrighted creations.”

The June 23 decision at issue by U.S. District Judge Louis L. Stanton of New York said internet companies, even if they know they are hosting infringing material, are immune from copyright liability if they promptly remove works at a rights holder’s request — under what is known as a takedown notice.

… Stanton ruled that YouTube’s “mere knowledge” of infringing activity “is not enough.”

… Stanton ruled that YouTube, which Google purchased in 2006 for $1.8 billion, had no way of knowing whether a video was licensed by the owner, was a “fair use” of the material “or even whether its copyright owner or licensee objects to its posting.”



For my Swiss Army Folder

http://www.makeuseof.com/dir/docsinoffice-access-google-docs-from-desktop/

DocsInOffice: Access Google Docs From Desktop Via Any MS Office Software

… DocsInOffice, a nifty app that lets you access google docs from desktop and work on them using your MS Office apps.

Once you have signed up, you only need to grant access to your Google Docs account. Then enter http://DocsInOffice.com/gdocs in the File Name field of your FileOpen dialog in your MS Office. Your office app will then connect to the Google Docs server where you can find and open your file from the cloud and edit on the spot.

Likewise, you can save your work by going to the address and saving the file there. All this is done without any plugin or toolbar installed. The seamless execution makes this tool very easy to work with.

www.docsinoffice.com

Similar Tools: Insync, and DocSyncer.


Friday, December 03, 2010

For my Computer Security students. Long suspected, this is the first true cost measurement.

http://www.databreaches.net/?p=15637

Lost Laptops Cost Billions

December 2, 2010 by admin

Thomas Claburn reports:

Businesses are losing billions of dollars annually as a result of lost and stolen laptop computers, a new study shows.

Representatives from Intel, which sponsored “The Billion Dollar Laptop Study,” and the Ponemon Institute, which conducted the study, announced their findings at a media event in San Francisco on Thursday.

The 329 organizations surveyed lost more than 86,000 laptops over the course of a year, the study found.

Read more on InformationWeek.

[From the Study:

It is important to point out that the smallest cost component is the replacement cost of the laptop. There are seven cost components used to arrive at the average value. These are: replacement costs, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.

2.3 percent of all laptops assigned to employees, temporary employees or contractors become missing each year. The average loss ratio over the laptop’s useful life is 7.12 percent. Hence, more than seven percent of all assigned laptops in benchmarked companies will be lost or stolen sometime during their useful life.



As we've seen repeatedly, the 'record count' tends to grow as victim organizations look more carefully at the breach.

http://www.databreaches.net/?p=15625

(Update) ALDI breach affected 17,000 New York residents

December 2, 2010 by admin

Back in October, I noted that the ALDI breach had affected 8,000 Maryland residents. New York State’s breach logs for October, posted online, indicates that ALDI had reported on October 1 that 17,000 NYS residents were affected.

Given that the breach affected customers in 11 states and there are 25,000 affected in just two of those states, it seems that the total number affected for this breach may be much higher than what ALDI’s statement of October 1 suggested (emphasis added by me):

ALDI Inc. recently learned that, from approximately June 1, 2010 to August 31, 2010, tampered payment card terminals were illegally placed in some ALDI stores, enabling unauthorized individuals to fraudulently obtain payment card information from a limited number of our customers.

What do they consider a “limited number of customers?”

ALDI’s notice on their web site has not been updated since the last update on October 1.



Backup, backup, backup! And then make certain that the backups are not accessible via the Internet!

http://it.slashdot.org/story/10/12/03/038255/Ransomware-Making-a-Comeback?from=rss

Ransomware Making a Comeback

"Ransomware is back. After a hiatus of more than two years, a variant of the GpCode program has again been released, kidnapping victims' data and demanding $120 for its return, InfoWorld reports. 'Like the ransomware programs before it, GpCode encrypts a victim's files and then demands payment for the decryption key. The new version of GpCode — labeled GpCode.AX by security firm Kaspersky — comes with a bit more nastiness than previous attempts. The program overwrites files with the encrypted data, causing total loss of the original data, and uses stronger crypto algorithms — RSA-1024 and AES-256 — to scramble the information.'"



Avast! Will this doom “Speak like a Pirate Day?” What else will it suppress? I think the lawyers will start finding this interesting.

http://search.slashdot.org/story/10/12/02/2058247/Google-To-Block-Piracy-Related-Terms-From-Autocomplete?from=rss

Google To Block Piracy-Related Terms From Autocomplete

"Google is making changes in the way it presents web search results to try to exclude links that may be tied to pirated content. In a move enthusiastically praised by the RIAA, Google says it will not include terms closely associated with piracy from appearing via autocomplete. The company acknowledged that it can be hard to know what terms are being used to find infringing content, but 'we'll do our best to prevent Autocomplete from displaying the terms most frequently used for that purpose.'" [How would you do this? If “pirated copy” is banned, would “not a pirated copy” survive? Bob]


(Related)

http://tech.slashdot.org/story/10/12/02/1755214/Google-Algorithm-Discriminates-Against-Bad-Reviews?from=rss

Google Algorithm Discriminates Against Bad Reviews

"According to the official Google blog, Google has altered their PageRank algorithm to not give back linking points to bad reviews of websites belonging to online retailers, following the publication of a recent article in the New York Times describing one woman's experiences in being harassed by an online retailer she found via Google. The specific changes to the algorithm are of course a guarded secret. So considering that these changes are already live, how do we know how the algorithm determines a bad review from a good one, and whether or not innocent online retailers will be wrongly punished by having their rankings downgraded?"

[From the Google Blog:

But if we demoted web pages that have negative comments against them, you might not be able to find information about many elected officials, not to mention a lot of important but controversial concepts. So far we have not found an effective way to significantly improve search using sentiment analysis.

… Instead, in the last few days we developed an algorithmic solution which detects the merchant from the Times article along with hundreds of other merchants that, in our opinion, provide an extremely poor user experience.



A guide for law enforcement. How to identify card types by account number and how to find the issuing bank.

http://www.pogowasright.org/?p=17893

DOJ’s “hotwatch” real-time surveillance of credit card transactions

December 2, 2010 by Dissent

Chris Soghoian writes:

A 10 page Powerpoint presentation (pdf) that I recently obtained through a Freedom of Information Act Request to the Department of Justice, reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transaction. The government’s guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections.

[...]

While Congress has required that the courts compile and publish detailed statistical reports on the degree to which law enforcement agencies engage in wiretapping, we currently have no idea how often law enforcement agencies engage in real-time surveillance of financial transactions.

Read more on slight paranoia.

Maybe DOJ shouldn’t spend as much time worrying about Julian Assange and should spend more time worrying about Chris Soghoian, who does an outstanding job of exposing some of what our government would clearly prefer we not know.



The US will need to do some similar thinking.

http://www.phiprivacy.net/?p=5148

Ie: Protecting People’s Private Health Information: HIQA Guidelines Published

By Dissent, December 2, 2010

This press release from Ireland’s Health Information and Quality Authority is of note:

A new guide on how to protect people’s privacy within healthcare services has been published by the Health Information and Quality Authority.

Professor Jane Grimson, Director of Health Information at HIQA said: “With so much information being collected, used and shared in the provision of health and social care, it is important that appropriate steps are taken to protect the privacy of each person to ensure that personal information is handled legally, securely and efficiently.”

… It has been estimated internationally that up to 30% of a country’s total health budget is spent on health information – collecting, storing, managing and searching for it. It is therefore essential that it is managed as efficiently and effectively as possible in order to ensure value for money.

… “The public has the right to expect that their private information will be safeguarded and protected when it is given to those who deliver health services,” Professor Grimson said.

… “We have developed the Guidance on Privacy Impact Assessment in Health and Social Care as a resource to show service providers how to ensure that they protect the privacy rights of the people using their services and to assist them in strengthening their own governance arrangements around health information,” said Professor Grimson.

Hat-tip, Irish Medical Times



This has implications for Cloud Computing too. Where is your data? Will Oklahoma be able to enforce its laws in India or China or Russia?

http://tech.slashdot.org/story/10/12/02/1834248/Social-Media-Accounts-Part-of-Deceased-Oklahomans-Estates?from=rss

Social Media Accounts Part of Deceased Oklahomans' Estates

"Estate executors or administrators in Oklahoma have the power to access, administer or terminate the online social media accounts of the deceased, according to a new state law. '"The number of people who use Facebook today is almost equal to the population of the United States. When a person dies, someone needs to have legal access to their accounts to wrap up any unfinished business, close out the account if necessary or carry out specific instructions the deceased left in their will," Kiesel said.'"

[From the article:

The bill, which became a state law on Nov. 1, assumes a Facebook page or other social network account is the property of the person who creates and uses it. However, most websites claim the information as their own in service agreements when users sign up.



You could see this coming... But was this a case of “we forgot to tell the Defense” or was it “we need to make up some evidence?” Sounds like the latter...

http://games.slashdot.org/story/10/12/03/050237/Xbox-Modding-Trial-Dismissed?from=rss

Xbox Modding Trial Dismissed

It seems the harsh words from District Court Judge Philip Gutierrez on Wednesday had their intended effect; prosecutors in Matthew Crippen's Xbox modding case have now dismissed the indictment. Quoting Wired:

"Witness No. 1, Tony Rosario, was an undercover agent with the Entertainment Software Association. He told jurors Wednesday that he paid Crippen $60 in 2008 to modify an Xbox, and secretly videotaped the operation. Rosario had responded to Crippen’s advertisement on the internet and met Crippen at his Anaheim house. All of that had been laid out in pretrial motions. But during his testimony, Rosario also said Crippen inserted a pirated video game into the console to verify that the hack worked. That was a new detail that helped the government meet an obligation imposed by the judge that very morning, when Gutierrez ruled that the government had to prove Crippen knew he was breaking the law by modding Xboxes. But nowhere in Rosario’s reports or sworn declarations was it mentioned that Crippen put a pirated game into the console. ... [Prosecutor Allen Chiu] conceded he never forwarded that information to the defense."



Both Google and Microsoft (the other bidder) promised that GSA's data would be hosted in the USA only.

http://www.bespacific.com/mt/archives/025891.html

December 02, 2010

GSA First Fed to Choose Google Hosted E-Mail Service

Follow up to Google Files Bid Protest Against Dept. of Interior Over Hosted Email and Collaboration Services news that "the U.S. General Services Administration will become the first federal agency to use a hosted e-mail service, choosing Google, Unisys and others to offer the service."

[From the GSA Press Release:

GSA announced today an award for cloud-based email and collaboration tools that will reduce inefficiencies and lower costs by 50 percent over the next five years.



Think of it as pre-packaged PowerPoint slides...

http://www.bespacific.com/mt/archives/025893.html

December 02, 2010

Federal Reserve announces new interactive graphics feature of Data Download Program

"The Federal Reserve Board on Thursday announced a new feature of its Data Download Program that allows users to create custom charts. Users will now be able to create and view interactive graphics of data packages from the program before downloading the underlying data and charts. The charting feature allows users to view multiple data series on a single chart as well as to display individual data points. The charts can be saved as PDFs or in a standard image file format (PNG) for publication and redistribution. The Data Download Program allows users to create customized data sets or download preformatted packages in multiple formats, including XML. Additional information about how to use the program is available at: http://www.federalreserve.gov/datadownload/help/default.htm."



For my Ethical Hackers: This is actually a bit scary. I was looking for something to confirm that my students were actually reading my emails and this allows me to do much more.

http://www.killerstartups.com/Web-App-Tools/pointofmail-com-track-who-reads-your-emails?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

PointOfMail.com - Track Who Reads Your Emails

Point Of Mail is a new online application that you can use in order to know exactly who is reading the emails you are sending out. Using this browser-based tool you will be able to track not only who has opened any email that you have sent, but also what has happened to the attachments that were sent along with the message.

Moreover, Point Of Mail will let you modify emails after they have been sent. That is a great option and no mistaking. If you have to send a report to your boss and you realize you have forgotten to attach it the minute you send the email out, then there is no need to panic. This application will let you undo the wrong, and avoid looking completely unprofessional.

Point Of Mail works with all email addresses, and it also supports virtually any email client that you could think of. And while you are not required to download anything in order to begin using it, a set of optional add-ins is featured. Again - all the main email clients and browsers on the market today are fully supported.

http://www.pointofmail.com/

[From the website:

  • Trace Email Reading Chain - Full History of Email Reads and Forwards

  • Detailed Information About Recipient

  • Totally Invisible To Recipient, Unless You Decide Otherwise

  • Change Email's Content

  • Add or Remove Attachments

  • Add or Remove Links

  • Recall or Erase Sent Email

  • Real-Time Self-Destructing Email

  • Disallow Email Forwarding

  • Disable Print or Save of Your Email



A handy USB backup tool (Also a great way to steal data?)

http://www.makeuseof.com/dir/usbflashcopy-copy-a-flash-drive/

USBFlashCopy: Automatically Copy A Flash Drive To Your Hard Drive

Many flash drive owners take their flash drives to work and save data on it. They then bring it back home, plug it into their computer, and copy all the contents to their computer’s hard drive. To copy, they have to go through a few steps after plugging in the drive. But USB Flash Copy ensures that the contents get automatically copied once you plug in the flash drive.

www.usbflashcopy.com



Something every computer user should know

http://www.smashingapps.com/2010/12/02/how-much-is-a-petabyte-graphic.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SmashingApps+%28Smashing+Apps%29

How Much Is A Petabyte? [Graphic]


Thursday, December 02, 2010

Now this is interesting... No indication if they were able to do this remotely or if they visited each ATM. Either way, this is ambitious.

http://www.databreaches.net/?p=15605

Russian gang used customized virus bought from hacker forum on ATMs

December 2, 2010 by admin

Members of an organized criminal group responsible for infecting ATMs with a computer virus have been arrested in Yakutsk, capital of the far eastern Russian Republic of Sakha (Yakutia) according to the Ministry of the Interior.

The leader of the gang sought the services of a hacker through an international Internet forum. Once recruited the hacker then customized a computer program specifically for the group, so they could use it to target bank accounts through ATMs. The virus cost the gang 100,000 rubles ($3200).

[..]

The criminals managed to infect and gain control of all the ATMs in the city of Yakutsk. However, officers from Department ‘K’ of the Ministry of the Interior in the Republic of Yakutia apprehended the members of the gang before the plan could be put into full operation.

Read more on Host Exploits.



Gary Alexander tipped me off to this. It is now mandatory reading for my Computer Security students.

http://www.networkworld.com/community/blog/verizon-2010-data-breach-report-eye-opening?source=NWWNLE_nlt_daily_am_2010-12-01

Verizon 2010 Data Breach Report Is Eye Opening

The 2010 Verizon and U.S. Secret Service breach report is chock full of enlightening facts, figures and statistics. I highly recommend you read it cover to cover. It breaks down the breaches by demographic, threat agents, threat actions, attack difficulty and targeting, vertical, and time span. It also compares how PCI compliance affected the number and severity of breaches.

You can grab it here www.verizonbusiness.com/go/2010databreachreport/



For my Ethical Hackers: Another way to “confirm” a user's ID. Also a Business Opportunity: Develop a “fingerprint eradicator”

http://www.pogowasright.org/?p=17854

Race Is On to ‘Fingerprint’ Phones, PCs

December 1, 2010 by Dissent

Julia Angwin and Jennifer Valentino-Devries report:

David Norris wants to collect the digital equivalent of fingerprints from every computer, cellphone and TV set-top box in the world.

Companies are developing digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. WSJ’s Simon Constable talks to Senior Technology Editor Julia Angwin about the next generation of tracking tools.

He’s off to a good start. So far, Mr. Norris’s start-up company, BlueCava Inc., has identified 200 million devices. By the end of next year, BlueCava says it expects to have cataloged one billion of the world’s estimated 10 billion devices.

Read more in the Wall Street Journal.

[From the article:

… Advertisers no longer want to just buy ads. They want to buy access to specific people. So, Mr. Norris is building a "credit bureau for devices" in which every computer or cellphone will have a "reputation" based on its user's online behavior, shopping habits and demographics.

Tracking companies are now embracing fingerprinting partly because it is much tougher to block than other common tools used to monitor people online, such as browser "cookies," tiny text files on a computer that can be deleted.

There's not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent.

Ori Eisen, founder of 41st Parameter, says using fingerprinting to track devices is "fair game" because websites automatically get the data anyway.



“I don't know what they will do, but I hate it?”

http://politics.slashdot.org/story/10/12/01/1512220/FCC-To-Vote-On-Net-Neutrality-On-December-21?from=rss

FCC To Vote On Net Neutrality On December 21

"The FCC just released its tentative agenda for the December 21st open meeting, where the Commission will vote on whether to adopt rules to preserve net neutrality. According to the agenda the FCC will consider "adopting basic rules of the road to preserve the open Internet as a platform for innovation, investment, competition, and free expression." House Republicans have already promised to oppose any solution [When did this become a “Liberal” issue? Bob] put forth by FCC chairman Julius Genachowski."



How the government sees Privacy?

http://www.bespacific.com/mt/archives/025889.html

December 01, 2010

FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers

News release: "The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.... The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses."

[From the report:

Some consumers are troubled by the collection and sharing of their information. Others have no idea that any of this information collection and sharing is taking place. Still others may be aware of this collection and use of their personal information but view it as a worthwhile trade-off for innovative products and services, convenience, and personalization. And some consumers – some teens for example – may be aware of the sharing that takes place, but may not appreciate the risks it poses.

[Four simple categories? Bob]



If this is Okay for Google, why isn't it Okay for YouPorn?

http://www.pogowasright.org/?p=17846

History Sniffing: How YouPorn Checks What Other Porn Sites You’ve Visited and Ad Networks Test The Quality of Their Data

December 1, 2010 by Dissent

OK, so you don’t go to any porn sites and may think this technology doesn’t affect you. Guess again and read on.

Kashmir Hill writes:

YouPorn is one of the most popular sites on the Web, with an Alexa ranking of 61. Those who visit the homemade-porn featuring site — essentially, a YouTube for porn enthusiasts — are subject to scrutiny, though, of the Web tracking variety. When a visitor surfs into the YouPorn homepage, a script running on the website checks to see what other porn sites that person has been to.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak [Actually, the intent was to show the users links that had already been visited, to avoid wasting time revisiting sites. Bob] to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

Read more on Forbes.
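The two history-sniffing items above (the Slashdot summary with its Firefox color-change comment, and the Forbes piece explaining the purple-link check) describe the same mechanism. The following is an added example, not code from Forbes, UCSD or any site named here: a static triage heuristic that flags pages carrying the hallmarks of the technique, namely many hidden links to third-party hosts plus script that reads a computed link colour. The sample pages, the .example/.test hosts and the threshold of five hosts are constructed for the demo.

```javascript
// Added example, not code from the Forbes article or the UCSD paper: a static
// triage heuristic for pages that show the hallmarks of CSS :visited history
// sniffing. It looks for (1) many hidden links to third-party hosts and
// (2) script that reads a computed link colour. Regexes stand in for a real
// HTML parser, so class-based hiding and nested containers are missed.

const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px/i;
// getComputedStyle()/currentStyle followed closely by a colour read.
const COLOR_PROBE = /(?:getComputedStyle|currentStyle)[\s\S]{0,200}?\bcolor\b/i;
const MIN_PROBE_HOSTS = 5; // threshold chosen for this demo, not taken from the paper

function hostOf(href) {
  try { return new URL(href).hostname.toLowerCase(); } catch (e) { return null; }
}

function styleOf(attrs) {
  const m = /style\s*=\s*["']([^"']*)["']/i.exec(attrs);
  return m ? m[1] : '';
}

// Character ranges of the content of hidden, non-nested container elements.
function hiddenRegions(html) {
  const regions = [];
  const re = /<(div|span|ul|p)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!HIDDEN_STYLE.test(styleOf(m[2]))) continue;
    // inner content starts right after the opening tag
    const innerStart = m.index + m[0].length - m[3].length - (m[1].length + 3);
    regions.push([innerStart, innerStart + m[3].length]);
  }
  return regions;
}

// Returns [{href, hidden}] for every <a href> in the document.
function extractAnchors(html) {
  const regions = hiddenRegions(html);
  const anchors = [];
  const re = /<a\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = /href\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    if (!href) continue;
    const at = m.index;
    const inHidden = regions.some(([s, e]) => at >= s && at < e);
    anchors.push({ href: href[1], hidden: inHidden || HIDDEN_STYLE.test(styleOf(m[1])) });
  }
  return anchors;
}

function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// pageHost is the first-party host; its own hidden links are not counted.
function analyzeHistorySniffing(html, pageHost) {
  const hosts = new Set();
  for (const a of extractAnchors(html)) {
    const h = hostOf(a.href);
    if (h && a.hidden && h !== pageHost && !h.endsWith('.' + pageHost)) hosts.add(h);
  }
  const probesColor = extractScripts(html).some((s) => COLOR_PROBE.test(s));
  let verdict = 'clean';
  if (probesColor && hosts.size >= MIN_PROBE_HOSTS) verdict = 'likely history sniffing';
  else if (probesColor || hosts.size >= MIN_PROBE_HOSTS) verdict = 'suspicious';
  return { hiddenThirdPartyHosts: [...hosts].sort(), probesColor, verdict };
}

// Constructed sample pages (hosts under the reserved .example/.test TLDs).
const SAMPLE_SNIFFER = `<html><body>
<a href="https://example.test/about">About us</a>
<div id="probe" style="position:absolute; left:-9999px">
  <a href="https://one.example/">1</a> <a href="https://two.example/">2</a>
  <a href="https://three.example/">3</a> <a href="https://four.example/">4</a>
  <a href="https://five.example/">5</a> <a href="https://six.example/">6</a>
</div>
<script>
  var hits = [], links = document.querySelectorAll('#probe a');
  for (var i = 0; i < links.length; i++) {
    if (window.getComputedStyle(links[i], null).color === 'rgb(128, 0, 128)') hits.push(links[i].href);
  }
</script>
</body></html>`;

const SAMPLE_BENIGN = `<html><body>
<ul><li><a href="https://example.test/news">News</a></li>
    <li><a href="https://partner.example/">Partner</a></li></ul>
<script>document.title = 'Welcome';</script>
</body></html>`;

console.log(analyzeHistorySniffing(SAMPLE_SNIFFER, 'example.test').verdict); // likely history sniffing
console.log(analyzeHistorySniffing(SAMPLE_BENIGN, 'example.test').verdict);  // clean
```

Current browsers restrict what getComputedStyle reports for :visited links, so the embedded sample script would leak nothing today; the heuristic is for triage of legacy or archived pages.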



http://www.databreaches.net/?p=15608

Recommended: Evaluating Data Breach Disclosure Laws

December 2, 2010 by admin

Sasha Romanosky writes:

I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history?; close a financial account?; something else?; or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something that I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft data collected from the FTC from 2002-2006. Using just these data, we found a negative but not statistically significant result. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true, we didn’t.

However, we have since augmented that work to include data up to 2009, which allowed us to include more observations, allowed the law to exist for longer, and allowed companies to adapt to them, and perhaps empowered more consumers to take action. We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we can say that we have a fair amount of confidence in this estimate because the results hold up to many kinds of permutations and transformations — which is very nice to see.

Read more on Concurring Opinions.



Legal extortion? Which Law School course teaches them how to do this?

http://www.techspot.com/news/41341-torrent-users-sue-us-copyright-group-for-fraud-and-extortion.html

Torrent users sue US Copyright Group for fraud and extortion

Dmitriy Shirokov is suing a Washington law firm that sent threatening letters to thousands of alleged movie downloaders, accusing the firm of fraud and extortion. He filed the 96-page lawsuit, which argues that lawyers at Dunlap, Grubb & Weaver made a business of threatening people with expensive litigation and fines unless they pay "settlement offers" of $1,500 to $2,500, in the US District Court of Massachusetts.

The firm was apparently never interested in actually litigating these claims. Although the legal firm threatened victims with expensive court action if they didn't cough up the cash, it neither had the resources nor the inclination to do so, meaning the letters in question were simply intended to frighten and get cash out of P2P users.

Shirokov wants to make the case a class action that represents him and 4,576 other people who received threatening letters for having allegedly downloaded copies of Far Cry. Although the film was released in the summer of 2007 (Canada) and in December 2008 (US), the lawsuit says attorney Thomas Dunlap obtained a US copyright on the work by falsely asserting a date of "first publication" of November 24, 2009, allowing the law firm to claim that downloaders would be liable for statutory damages of up to $150,000 per download. Actual damages under the limited protection for works shown long before the copyright date would be a fraction of the retail DVD price of $27.

In short, Shirokov's lawsuit is accusing Dunlap, Grubb & Weaver of knowingly breaching copyright law to make money. The big picture is that it's alleging that the US Copyright Group is guilty of extortion, fraudulent omissions, mail fraud, wire fraud, computer fraud and abuse, racketeering, fraud upon the court, abuse of process, fraud on the Copyright Office, copyright misuse, unjust enrichment, and consumer protection violations.



It's not good to have a Judge tell you you made a mistake – a half-hour dressing down has got to really make you sweat. (But it is amusing to us non-lawyers)

http://games.slashdot.org/story/10/12/02/0528205/Judge-Berates-Prosecutors-In-Xbox-Modding-Trial?from=rss

Judge Berates Prosecutors In Xbox Modding Trial

"Opening statements in the first-of-its-kind Xbox 360 criminal hacking trial were delayed here Wednesday after a federal judge unleashed a 30-minute tirade at prosecutors in open court, saying he had 'serious concerns about the government's case.' ... Gutierrez slammed the prosecution over everything from alleged unlawful behavior by government witnesses, to proposed jury instructions harmful to the defense. When the verbal assault finally subsided, federal prosecutors asked for a recess to determine whether they would offer the defendant a deal, dismiss or move forward with the case that was slated to become the first jury trial of its type. A jury was seated Tuesday."



For my Ethical Hacker toolkit

http://www.killerstartups.com/Web-App-Tools/traceemail-com-for-the-tracking-of-email-senders?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

TraceEmail.com - For The Tracking Of Email Senders

As its name implies, Trace Email offers a suite of tools for the tracking of email senders. These include a reverse email address lookup tool, a tracer of email headers, a tracer of email IPs and an email finder by name. The four of them can be used at no cost, and without needing to sign up or anything like that.

None of these four tools is difficult to use. You seldom have to do more than cut and paste the relevant information such as the email header or the IP address to be tracked.

When it comes to the email finder by name, now, you must specify the State the person resides in for the search to be carried out. And if you are missing that information, you can simply do a countrywide search and see if your luck is in.

Ultimately, Trace Email is a great set of tools. It can lend itself both to personal and professional uses, and it brings a lot of transparency to something as pivotal as computerized communications.

http://www.traceemail.com/


Wednesday, December 01, 2010

For my Ethical Hackers. The market for stolen data is growing and becoming quasi-legitimate. I also see this as authorization to “create” data that includes “evidence” implicating my “enemies” and then claim it can be used because it was stolen. How would you disprove that?

http://www.databreaches.net/?p=15564

Liechtenstein Bank Data May Be Used in Probe, German Court Says

November 30, 2010 by admin

Karin Matussek reports:

Stolen Liechtenstein bank account data may be used by prosecutors to justify a search warrant in a criminal probe, Germany’s top constitutional court ruled.

Data which may have been stolen from a Liechtenstein bank and later sold to German authorities can be used by a judge when authorizing prosecutors to raid homes as part of a probe into tax evasion, the Karlsruhe-based court said in an e-mailed statement today.

Read more on Bloomberg Businessweek



Wait... Isn't the guy in the White House a Harvard law Alum? Is this the Academic equivalent of “un-friending” the president?

http://www.pogowasright.org/?p=17837

Harvard Law Students Sue TSA

December 1, 2010 by Dissent

Jenny Paul and Joey Seiler report:

Two Harvard Law students have filed a federal lawsuit against the Transportation Security Administration that claims the use of “nude body scanners” and new enhanced pat-down techniques at airport security checkpoints are unconstitutional.

Jeffrey Redfern ’12 and Anant Pradhan ’12 filed the lawsuit Monday in the District Court of Massachusetts. The complaint names Secretary of Homeland Security Janet Napolitano and TSA Administrator John Pistole as defendants. Beginning in March 2010, the TSA deployed 450 full-body scanners in airports throughout the country. Boston’s Logan International Airport has 17 of the full-body scanners at issue in the lawsuit, according to the TSA’s website.

The lawsuit claims the mandatory screening techniques violate the students’ Fourth Amendment right against unreasonable search and seizure. The suit seeks a permanent injunction against the use of either screening method without reasonable suspicion or probable cause and a declaratory judgment stating that mandatory screening using these techniques is unconstitutional where probable cause or reasonable suspicion do not exist.

Read more on Harvard Law Record.



Worth reading at the DataBreaches site.

http://www.databreaches.net/?p=15579

Data Breach Investigation | Due Process of Law

November 30, 2010 by admin

The following is cross-posted from PHIprivacy.net:

In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part:

The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.

At the time, I had a number of questions about his analysis and commentary, and I’m delighted to say that Ben recently got in touch with me and offered to expand on his previous article. The following, then, is a guest article and commentary by Benjamin Wright:



Would the list of “Do Not Track” opt-outers be available to anyone other than the Behavioral Advertising trackers? Like Homeland Security (they must be terrorists) or my Insurance company (He's got something to hide)

http://www.pogowasright.org/?p=17821

FTC to discuss Privacy report and “Do Not Track”

December 1, 2010 by Dissent

FTC Bureau of Consumer Protection Director David Vladeck will discuss a soon-to-be-released FTC report on online privacy and establishing an online “Do Not Track Me” list at a conference convened by Consumer Watchdog Wednesday at the National Press Club.

Vladeck will offer an 8:45 a.m. keynote speech about the FTC’s much anticipated report, which is expected to be released in advance of Thursday hearing on “Do Not Track Me” legislation in the House of Representatives. You can view the event online on Consumer Watchdog’s site.


(Related) “If rape is inevitable, one should relax and enjoy it” Raul Manglapus Oh, really?

http://www.phiprivacy.net/?p=5120

Will any loss of privacy from digitizing health care be more than compensated for by the welfare gains from increased efficiency?

By Dissent, November 30, 2010

Over on The Economist, you can read a point/counterpoint between Peter Neupert and Dr. Deborah Peel on:

This house believes that any loss of privacy from digitising health care will be more than compensated for by the welfare gains from increased efficiency.

Cast your vote and/or join the debate there!


(Related) I'll keep an eye peeled for this one.

http://www.pogowasright.org/?p=17828

Privacy victory as Firefox plots system to stop firms tracking what you look at online

December 1, 2010 by Dissent

Daniel Bates reports:

The makers of the web-browser Firefox are working on a system which will allow Internet users to stop themselves from being tracked on-line.

Mozilla wants to build a mechanism which will allow people to opt out of companies secretly monitoring which websites they visit, currently a common practice.

Internet giants like Google and Facebook use such information to sell targeted adverts and make money without ever asking the consent of the user.

Read more in the Daily Mail



No choice, no opt-out – no problem?

http://games.slashdot.org/story/10/12/01/067248/Apples-Game-Center-Shares-Your-Real-Name?from=rss

Apple's Game Center Shares Your Real Name

"Apple's Game Center has just made itself a few enemies through a simple change to their Terms of Service. Now, whenever you send a friend invitation, your real name will be attached as well as your Apple ID."

Apparently they didn't learn from the poor reaction to Blizzard's similar idea.



Why wait for a relationship when you can gather data without it?

http://yro.slashdot.org/story/10/11/30/1734249/Facebooks-Like-This-Button-Is-Tracking-You?from=rss

Facebook's 'Like This' Button Is Tracking You

Stoobalou submitted a story about some of the most obvious research I've seen in a while ...

"A researcher from a Dutch university is warning that Facebook's 'Like This' button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook's tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the 'Like This' button and Facebook Connect."

[From the article:

But data about the user is sent to Facebook regardless of whether the Like button is actually activated.

What becomes really scary is realising how Facebook can track your movements even if you haven't signed up to its fake-friend collection service for lonely teens and sad divorcees.

"When a user does not have a Facebook account, there is no cookie and no user ID available. In this case, an HTTP GET request for the 'Like' button doesn't issue a cookie.

"However, when a site is visited which includes Facebook Connect, this application issues a cookie. From that moment on, visits to other websites which display the 'Like' button result in a request for the Like button from the Facebook server including the cookie."

Which means Facebook has swiped another batch of valuable data without asking for permission.

"Every site that includes some kind of Facebook content will initiate an interaction with the Facebook servers, disclosing information about the visited web site together with the cookie."

[The paper: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1717563
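The cookie flow Roosendaal describes (no identifier until a Connect-enabled site sets one, then every later Like button request carries it) can be modelled in a few lines. This is an added illustration, not code from the article or from Facebook; the domain names, the cookie value and the browsing sequence are constructed, and the `block_third_party_cookies` flag stands in for the browser setting that blocks cookies for embedded third-party resources.

```python
"""Model of cross-site tracking via an embedded third-party widget.

Added illustration (not the article's or Facebook's code). Domains,
cookie names and the page sequence below are constructed examples.
"""
from dataclasses import dataclass, field

TRACKER = "tracker.example"  # constructed stand-in for the social network's domain


@dataclass
class Browser:
    block_third_party_cookies: bool = False
    # cookie jar keyed by the host that set the cookie
    jar: dict = field(default_factory=dict)
    # what the tracker's server sees: (cookie or None, page that embedded it)
    tracker_log: list = field(default_factory=list)

    def fetch(self, page_host, resource_host, set_cookie=None):
        """Request resource_host while viewing a page on page_host.

        The page host is disclosed to the resource host (Referer header);
        a stored cookie for resource_host is attached unless it is a
        third-party request and third-party cookies are blocked.
        """
        third_party = page_host != resource_host
        blocked = third_party and self.block_third_party_cookies
        cookie = None if blocked else self.jar.get(resource_host)
        if resource_host == TRACKER:
            self.tracker_log.append((cookie, page_host))
        # the response may set a cookie (e.g. the Connect widget's script)
        if set_cookie is not None and not blocked:
            self.jar[resource_host] = set_cookie


def browse(block_third_party):
    """Replay the article's scenario for a visitor with no tracker account."""
    b = Browser(block_third_party_cookies=block_third_party)
    b.fetch("news.example", TRACKER)                      # Like button only: no cookie yet
    b.fetch("shop.example", TRACKER, set_cookie="id=abc123")  # Connect widget sets one
    b.fetch("blog.example", TRACKER)                      # later Like buttons carry it
    b.fetch("forum.example", TRACKER)
    return b


def sites_linked_to_cookie(browser):
    """Pages the tracker can tie together under one identifier."""
    linked = {}
    for cookie, page in browser.tracker_log:
        if cookie:
            linked.setdefault(cookie, []).append(page)
    return linked
```

With the default setting the tracker links `blog.example` and `forum.example` to the same identifier; with third-party cookies blocked it still receives the page names (the widget is fetched either way) but cannot link them.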



Perhaps NOW you want to drop Facebook?

http://www.makeuseof.com/tag/properly-close-facebook-account/

How To Properly Close Your Facebook Account



The best approach or at least a better approach?

http://www.pogowasright.org/?p=17819

Article: Fourth Amendment Pragmatism

December 1, 2010 by Dissent

Daniel Solove writes that he has uploaded the final published version of his article, Fourth Amendment Pragmatism, 51 B.C. L. Rev. 1511 (2010) to SSRN. Here’s the abstract:

In this essay, Professor Solove argues that the Fourth Amendment reasonable expectation of privacy test should be abandoned. Instead of engaging in a fruitless game of determining whether privacy is invaded, the United States Supreme Court should adopt a more pragmatic approach to the Fourth Amendment and directly face the issue of how to regulate government information gathering. There are two central questions in Fourth Amendment analysis: (1) The Coverage Question – Does the Fourth Amendment provide protection against a particular form of government information gathering? and (2) The Procedure Question – How should the Fourth Amendment regulate this form of government information gathering? The Coverage Question should be easy to answer: The Fourth Amendment should regulate whenever government information gathering creates problems of reasonable significance. Such a scope of coverage would be broad, and the attention wasted on the Coverage Question would be shifted to the Procedure Question. This pragmatic approach to the Fourth Amendment is consistent with its text and will make Fourth Amendment law coherent and comprehensive.

The earlier version of Dan’s essay had generated a lot of discussion and response several months ago, and I look forward to reading the final version.


Tuesday, November 30, 2010

For my Computer Security students: Assume all servers in China are military. What would their responses be if China felt threatened? (Or simply wanted to rattle their sabers?)

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders?from=rss

Chinese DNS Tampering a Real Threat To Outsiders

"China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS rootserver at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."



Some guidance for victims... And where do we draw the line?

http://www.pogowasright.org/?p=17748

Free Speech, Privacy & Cyberstalkers – Help For Those With Personal Cyberstalking Terrorists

November 29, 2010 by Dissent

Ms. Smith writes:

In the United States, we highly value free speech. It is a wonderful right, but there are truly twisted people who hide behind freedom of speech and the right to privacy by being anonymous online. Just because we can say most anything anonymously, doesn’t mean we should. People joke online about cyberstalking others, but the reality is that the U.S. Department of Justice estimates that there may be hundreds of thousands of cyberstalking victims in the U.S. Many times, the stalker is an ex-significant other (boyfriend, girlfriend, husband, wife). A cyberstalker could just as easily be out to destroy the victim’s reputation. Other cyberstalkers are trolls, looking for their comments to rile up other people, but then it escalates to obsession with someone. Cyberstalking is a crime and it’s on the rise.

Read more on Privacy and Security Fanatic (Network World).



For my Computer Security (Risk Management) students: What is an “appropriate” response? How do you convince Managers (Politicians) not to over-react?

http://news.slashdot.org/story/10/11/29/1821242/Causing-Terror-On-the-Cheap?from=rss

Causing Terror On the Cheap

"Bruce Schneier posts on his blog today about the value of terror with respect to cost-benefit for the terrorists. If you look at terror attacks in terms of what they cost the terrorists to implement, compared with what they cost the economy of the nation that was hit, the reward for terrorists is astronomical. Add in the insane costs of the security measures implemented afterward, particularly in America, and it's easy to see why the terrorists do what they do. Even when they're unsuccessful, they cost us billions in security countermeasures." [Billions to prevent attacks that failed the first time and will never be attempted again. Bob]



Occasionally rational thought breaks out!

http://yro.slashdot.org/story/10/11/30/0218217/Aussie-Govt-Decides-ISPs-Arent-Responsible-For-Infected-Computers?from=rss

Aussie Gov't Decides ISPs Aren't Responsible For Infected Computers

"In a sudden outburst of common sense, the Australian senate decided that it is not the government's responsibility to force ISPs to disconnect infected computers from the Internet. Peter Coroneos, chief of the Internet Industry Association, used a car analogy that actually makes sense: 'It would be like forcing car manufacturers to take responsibility for bad drivers.'"



...and there is no easy alternative. You can't examine an update and decide you don't want it installed on your computer. (Would auto manufacturers be allowed to install 4-barrel carbs at your next tune up without your permission?) Also, what differentiates this from systems “in the Cloud” that are not under a user's control?

http://apple.slashdot.org/story/10/11/29/1539257/Apple-Microsoft-Google-Attacked-For-Evil-Plugins?from=rss

Apple, Microsoft, Google Attacked For Evil Plugins

"A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"



I suspect there's money to be made, and Comcast wants to be the one to make it.

http://yro.slashdot.org/story/10/11/30/0246235/Level-3-Shaken-Down-By-Comcast-Over-Video-Streaming?from=rss

Level 3 Shaken Down By Comcast Over Video Streaming

"It looks like the gloves are really coming off; Level 3 Communications had to pony up an undisclosed amount of cash to keep Netflix streaming to Comcast customers. Perhaps now the FCC might actually do something to ensure that the internet remains open. Level 3's Chief Legal Officer, Thomas Stortz, said: 'Level 3 believes Comcast's current position violates the spirit and letter of the FCC's proposed Internet Policy principles and other regulations and statutes, as well as Comcast's previous public statements about favoring an open Internet. While the network neutrality debate in Washington has focused on what actions a broadband access provider might take to filter, prioritize or manage content requested by its subscribers, Comcast's decision goes well beyond this. With this action, Comcast is preventing competing content from ever being delivered to Comcast's subscribers at all, unless Comcast's unilaterally-determined toll is paid — even though Comcast's subscribers requested the content. With this action, Comcast demonstrates the risk of a 'closed' Internet, where a retail broadband Internet access provider decides whether and how their subscribers interact with content.'"



Digital signatures ensure that your document was not altered.

http://www.makeuseof.com/dir/digisigner-digitally-sign-pdf-documents/

Digisigner: Digitally Sign Your PDF Documents

Digital signatures on PDF documents are highly useful. To digitally sign a PDF document you need a PDF modification application that usually comes with a price tag. But thanks to DigiSigner you can now easily digitally sign PDF documents for free.

www.digisigner.com

Also read related article: Electronically Sign Your PDF Documents For Free Using Adobe Signatures