Monday, April 18, 2011

There is a significant difference between being a customer of a company and being a target of their marketing department.

http://www.phiprivacy.net/?p=6485

GSK involved in Epsilon breach; context raises concerns

By Dissent, April 17, 2011

The Epsilon breach, covered extensively on DataBreaches.net, just got worse.

Yesterday, 12 days after they were notified of the breach by Epsilon, GlaxoSmithKline sent out notifications. Emphasis added by me, below:

From: “gskconsumerhealthcare@e.gsk-answers.com” <gskconsumerhealthcare@e.gsk-answers.com>
Date: April 16, 2011 1:30:36 PM EDT
To: [redacted]
Subject: An Important Message from GSK Consumer Healthcare
Reply-To: “gskconsumerhealthcare@e.gsk-answers.com”

Dear GlaxoSmithKline Consumer Healthcare Customer:

On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/.

The information accessed included email addresses and first and last names. The file from which your name and email address were accessed may have identified the product website on which you registered. We take your privacy seriously and want you to be aware of this situation so that you can remain alert to any unusual or suspicious emails.

One of the primary concerns arising from a breach of this nature is that your information may be used to generate fraudulent email messages that may appear legitimate but are intended to gather confidential information that you would not otherwise reveal.

GlaxoSmithKline Consumer Healthcare will never ask you to provide or confirm any personal information in emails. Do not respond in any way to emails that appear to be coming from GlaxoSmithKline Consumer Healthcare that ask for personal information. If you receive an email requesting this information, you should delete it even if it appears to be legitimate. Any unusual or suspicious emails should be deleted without opening.

We also encourage you to take this opportunity to strengthen your passwords on any of your online accounts, particularly those that use the email address impacted by this breach as an account ID, to ensure your ongoing security. Additional information about protecting your personal information online is available at the Federal Trade Commission’s OnGuard Online website.

GlaxoSmithKline Consumer Healthcare values your privacy and will continue to work to ensure it is protected. We apologize if you receive more than one copy of this message as we are working diligently to ensure you are aware of this situation. If you have unsubscribed from our emails in the past, there is no need to unsubscribe again. Your preferences will remain in place.

If you have any questions about this communication, please feel free to contact one of our knowledgeable consumer relations representatives at 1-800-245-1040.

Regards,

GlaxoSmithKline Consumer Healthcare

This email was sent to you by GlaxoSmithKline based on a past or present relationship with us or one of our brands. You may receive consumer notifications even if you have unsubscribed from our product promotional email.

A list of their pharmaceutical products can be found on this page of their web site.

According to the recipient who sent it to my blog, she has never signed up with them for anything, has no idea why they have her email address, and does not and has never used any of the listed products. She will be contacting them to ask how and when they obtained her email address, but this now adds another piece of information that can be used by spear-phishers, who now have names, email addresses, and the name of a medication that may have been taken.

This is not good. Not good at all.

Update: According to a commenter on Brian Krebs’s blog:

I rec’d an identical email to Mr. Mann’s above. I contacted Glaxo and they confirmed the email was from them and was associated with the Epsilon breach. They also said the most likely way they had a person’s email was thru prescription orders but could also be thru registering for coupons and other products.

So inclusion on the list does not mean that the name is definitely associated with a prescription medication, but if the entry does indicate the product name, then there is a greater risk of a privacy violation or targeted phishing.



If true, think of turning off ANY source of power during peak usage periods (air conditioning season in Florida?) and the potential to cascade outages as the grid struggles to replace the loss.

http://it.slashdot.org/story/11/04/18/0338216/Hacker-Claims-He-Broke-Into-Wind-Turbine-Systems?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Hacker Claims He Broke Into Wind Turbine Systems

"Claiming revenge for an 'illegitimate firing,' someone has posted screenshots and other data, apparently showing that he was able to break into a 200 megawatt wind turbine system owned by NextEra Energy Resources, a subsidiary of Florida Power & Light. In an e-mail interview, Bgr R said he's a former employee who discovered a vulnerability in the company's Cisco security management software that he then used to hack into the SCADA systems used to control the turbines. His motive was to embarrass the company, he said."



Interesting technique. (and it only took them 5 years?)

http://www.thetechherald.com/article.php/201116/7073/Coreflood-Botnet-takedown-introduces-a-potentially-risky-precedent

Coreflood: Botnet takedown introduces a potentially risky precedent

The Department of Justice has killed the Coreflood botnet. Using the courts, they replaced the command center of the botnet itself, and told the drones to halt operations. They did this, with nothing more than a Temporary Restraining Order (TRO), some research skill, and a single command. So what does this mean for the typical citizen and cyber investigations? Did the FBI go too far?

… The FBI asked the court to compel the domain registrars to modify DNS, so that instead of communicating with the criminal’s domain, the infected computer would be talking to a system set up by the federal agency itself. When the infected system started talking to the FBI’s server, a type of non-critical kill command was returned. In short, new C&C servers told the infected system’s Coreflood program to take a nap and stop running. Neither the FBI, nor ISC, removed the Coreflood malware from the infected systems.

… “This action was benign and itself is not controversial. What is controversial is how jurisdiction rules apply to systems that are connected to an FBI operated Command and Control server. The infected systems included computers owned by US citizens who had no knowledge of the operation, in addition to systems outside the United States.”



Hear, hear! (The problem with receiving thousands of subpoenas each year is that you become desensitized...)

http://www.pogowasright.org/?p=22438

Texas supreme court says identities of anonymous bloggers should not be disclosed

April 17, 2011 by Dissent

Evan Brown writes:

The supreme court of Texas has issued an opinion that protects the anonymity of a couple of bloggers who were accused of defamation, copyright infringement and invasion of privacy by another blogger. The court ordered that a subpoena served on Google (who hosted the Blogger accounts in question) be quashed.

The case is In re Does, — S.W.3d —, 2011 WL 1447544 (Texas, April 15, 2011).

Read more on Internet Cases.

Reading Evan’s post and the court’s opinion, it seems that the plaintiffs and Google had agreed to turn over the requested information in response to a subpoena duces tecum and Google (merely?) gave the bloggers notice that it had received it. The bloggers challenged the subpoena on grounds that the plaintiffs had not made the necessary showings in court to justify the issuance of the subpoena.

Those who hope that Google might actually defend the anonymous speech of bloggers will be disappointed to read that Google did no such thing. It did notify the bloggers so that they’d have a chance to move to quash the subpoena, but that’s it. Ultimately, the bloggers prevailed on the subpoena issue, but the case was not argued on First Amendment grounds. It’s a good result in terms of pushing back against too-ready issuances of subpoenas, but it reminds me of what some big guns like Google may not do to protect speech rights.

I don’t realistically expect Google to spend a lot of corporate money defending speech rights of bloggers or users, but is this what they’ve come down to – a “just cover our a$$ and we’ll notify the defendants” approach?

I hope not.

If Google would like to explain under what conditions it might actually more actively defend or raise First Amendment right to anonymous speech in this country’s courts, I’d love to hear it.
