Nothing gets your attention like someone messing with your paycheck...
http://www.databreaches.net/?p=17811
MA: Computer access breach exposed UMass Memorial pay stub data
April 18, 2011 by admin
Lee Hammel reports:
Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months.
The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.
The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization’s HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.
The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.
Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct, 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.
Read more in the Telegram.
So what happened in October? Was there an upgrade that was problematic, or were the kiosks first introduced in October, or…?
(Related)
http://www.databreaches.net/?p=17819
Ca: Software glitch kills electronic stubs for federal workers’ paycheques
April 18, 2011 by admin
Dean Beebe reports:
A mysterious security breach has shut down the federal government’s online pay system, affecting some 320,000 public servants.
The system was pulled offline for “urgent” repairs on April 4 after officials discovered the privacy of eight account-holders had been breached.
Pay is still being deposited as scheduled in employees’ bank accounts.
But electronic paystubs with information about basic salary, overtime, bonuses, reimbursement of travel expenses and other key data has been unavailable for more than two weeks.
The glitch affects virtually every federal department, from Health Canada to Public Works itself, which operates the self-serve online system for all government employees.
Read more on News1130
[From the article:
Bois was not immediately able to describe how the problem occurred or what personal information may have been put at risk, but suggested the software and systems were not primarily at fault.
"The errors were not due to the CWA itself, but rather due to the manual processes involved," [I don't see where a “manual process” would be required in an automated system... Bob] he said Monday
We got through an entire year without a major (reported) security breach!
http://news.cnet.com/8301-27080_3-20055116-245.html
Verizon: More breaches but less data lost. Huh?!
While there were 760 data breaches recorded by Verizon and the U.S. Secret Service in 2010 (up from about 140 in 2009), there were only 4 million compromised records involved (way down from 144 million in 2009), according to the Verizon 2011 Data Breach Investigations Report scheduled to be released on Tuesday. The figures represent both a record high number of incidents and a record low records lost amount for any of the seven years Verizon has been keeping track.
[The report:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
(Related)
http://news.cnet.com/8301-27080_3-20055091-245.html?tag=topTechContentWrap;editorPicks
Cyber attacks rise at critical infrastructure firms
About 70 percent of the survey respondents said they frequently found malware designed to sabotage their systems during 2010, and nearly half of those in the electric industry said they found Stuxnet on their systems.
… The threat from sabotage includes electrical smart grids, which are being quickly adopted without adequate security measures in place, according to the U.S. Government Accountability Office and independent security experts. Fifty-six percent of the respondents whose companies are planning new smart grid systems also plan to connect to the consumer over the Internet. But only two-thirds have adopted special security measures for the smart grid controls, the report said.
[The report:
http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
(Related) Speaking of attacks on infrastructure... Note: “Everyone is conspiring against us” – pretty much the definition of paranoia. (Of course, paranoids have enemies too)
Iran Says Siemens Helped US, Israel Build Stuxnet
"Iran's Brigadier General, Gholam Reza Jalali, accused Siemens on Saturday with helping US and Israeli teams craft the Stuxnet worm that attacked his country's nuclear facilities. 'Siemens should explain why and how it provided the enemies with the information about the codes of the SCADA software and prepared the ground for a cyber attack against us,' Jalali told the Islamic Republic News Service. Siemens did not reply to a request for comment on Jalali's accusations. Stuxnet, which first came to light in June 2010 but hit Iranian targets in several waves starting the year before, has been extensively analyzed by security researchers. Symantec and Langner Communications say Stuxnet was designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its plants, then force gas centrifuge motors to spin at unsafe speeds. Jalali suggested that Iranian officials would pursue Siemens in the courts, and claimed that Iranian researchers traced the attack to Israel and the US. He said information from infected systems was sent to computers in Texas."
Should be an interesting argument...
Judge: was WiFi packet sniffing by Google Street View spying?
The question of whether Google is liable for damages for secretly intercepting data on open WiFi routers across the United States is boiling down to the definition of a “radio communication.”
… At the center of the legal flap is whether Google breached the Wiretap Act. The answer is important not only to Google, but to the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business trying to cull customers.
Google said it is not illegal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Plaintiffs’ lawyers representing millions of Americans whose internet traffic was sniffed by Google think otherwise, and are seeking unspecified damages.
Judge Ware, however, suggested the answer to the far-reaching privacy dilemma lies in an unanswered question. He has asked each side to define “radio communication” (PDF) as it applies to the Wiretap Act, and wants to know whether home W-Fi networks are “radio communications” under the Wiretap Act.
In response, Google wrote last week that open WiFi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands — and are “readily accessible” to the general public. Indeed, packet-sniffing software, such as Wireshark and Firebug, is easily available online.
Hence, because unencrypted WiFi signals travel over the radio spectrum, they are not covered by the Wiretap Act, (PDF) Google responded.
“There can be no doubt that the transfer of any sign, signal, writing, images, sound, data, or intelligence of any nature transmitted over the radio spectrum constitutes a ‘radio communication.’ Indeed, there is nothing in the text or legislative history of the Wiretap Act that would exclude any transmission sent over the radio spectrum from the definition of ‘radio communication,’” Google wrote.
The plaintiffs’ lawyers countered that the communications in question started on a computer and only briefly were relayed on radio waves “across the living room from the recipient’s router to her laptop.”
“The fact that either the first or final few feet of the electronic communication may have gone via wireless transmission ['Wi-Fi'] does not transform the communication into a ‘radio communication’ broadcast similar to an AM/FM radio or a CB.,” (PDF) plaintiffs’ lawyer Elizabeth Cabraser wrote. “Nor is there anything in the statute to define ‘radio communications’ as synonymous with anything sent on a radio wave, however briefly and without regard to the entirety of the communication system at use.”
Both sides agree, however, that it’s illegal to listen in on cordless phones.
According to the Wiretap Act, it’s not considered felony wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured to that such electronic communication is readily accessible to the general public,” according to the text of the federal wiretapping statute.
The Federal Trade Commission closed its investigation into the brouhaha in October, without imposing any sanctions on the Mountain View, California internet giant. The Federal Communications Commission commenced a probe in November, but has not announced a conclusion.
… Google said it didn’t realize it was sniffing packets of data on unsecured WiFi networks in about a dozen countries over a three-year period until German privacy authorities began questioning what data Google’s Street View cars were collecting.
Personal Information has value? Who knew?
http://www.pogowasright.org/?p=22466
Lawsuit targeting RockYou data breach gets green light
April 18, 2011 by Dissent
Dan Goodin reports:
A federal judge has declined to dismiss a lawsuit filed against social-media application developer RockYou for exposing the personally identifiable information of 32 million of its users, which the site stored unencrypted when it suffered a major security breach 16 months ago.
Judge Phyllis Hamilton of the US District Court in the Northern District of California dismissed five causes of action brought by user Alan Claridge, but allowed four others to survive. RockYou argued that the suit should be thrown out in its entirety because Claridge didn’t suffer any injuries as a result of the data loss, which exposed the email address and password he supplied when establishing an account with the apps maker.
Read more in The Register.
[From the article:
"The court concludes that at the present pleading state, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his [personally Identifiable Information] has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII," Hamilton wrote.
… The finding that the loss of PII is sufficient grounds for a lawsuit is in stark contrast to rulings in other cases that have held that the exposure of social security numbers and other sensitive data gives rise to valid legal claims only when it results in actual damage to its owner, such as identity theft.
The 16-page ruling is available here.
Why indeed? (Profit?)
Sophos Slams Facebook Security In Open Letter
"Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"
For some (many?) of my Intro to Computer Security students, this is the first time they have thought about Security. Discussing article like this one may keep them thinking.
http://www.bespacific.com/mt/archives/027039.html
April 18, 2011
Digital Agenda: children using social networks at a younger age; many unaware of basic privacy risks, says survey
EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under 18s users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."
Ethics and Technology – or – The ethics of technology? – or – technically, we have no ethics?
Pirate Bay becomes "Research Bay" to aid P2P researchers
The Cybernorms group at Sweden's Lund University has partnered with The Pirate Bay to "help researchers to better understand habits and norms within the file-sharing community"—and the site has temporarily rechristened itself "The Research Bay" in response.
… A 2009 paper (PDF) based on initial Cybernorms research concluded first of all that there are "no social norms that hinder illegal file sharing. The surrounding imposes no moral or normative obstruction for the respondents file sharing of copyrighted content."
For my Computer Security students: Know your enemy!
http://www.makeuseof.com/dir/lavasoft-rogue-gallery-rogue-antimalware-software/
Lavasoft Rogue Gallery: Directory of rogue antimalware software
While browsing the Internet, you might have seen a banner or popup that asks you to install a new antivirus program to rid you of computer infections. Mostly these intruding banners and pop-ups advertise rogue anti-malware software that would have adverse effects if installed onto your computer. A list of this malware can be found at Lavasoft Rogue Gallery.
www.lavasoft.com/mylavasoft/rogues/latest
No comments:
Post a Comment