Wednesday, May 18, 2011

How big? They don’t know?

http://www.databreaches.net/?p=18305

Massachusetts Executive Office of Labor and Workforce Development Reports a Virus Infiltrated the Computer Systems of Agencies tied to Employers, Unemployed Claimants and Career Center Customers

May 17, 2011 by admin

The Executive Office of Labor and Workforce Development (EOLWD) today reported that the Departments of Unemployment Assistance (DUA) and Career Services (DCS) network, individual computer terminals as well as individual computers at the One Stop Career Centers were infected with the W32.QAKBOT virus, a new strain of a computer virus, beginning on April 20, 2011. Steps were taken immediately with the assistance of EOLWD’s security provider Symantec to eliminate the virus.

EOLWD learned yesterday that the computer virus (W32.QAKBOT) was not remediated as originally believed and that the persistence of the virus resulted in a data breach. Once it was discovered, the system was shut down and the breach is no longer active. W32.QAKBOT may have impacted as many as 1500 computers housed in DUA and DCS including the computers at the One-Stop Career Centers.

There is a possibility that as a result of the infection, the virus collected confidential claimant or employer information. This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses. It is possible that bank information of employers was also transmitted through the virus. Only the 1200 employers that manually file could be impacted by the possible data breach.

“I apologize to our customers and recognize that this is an unwanted problem. [Interesting phrase… Bob] We are hopeful that the actual impact on residents and businesses is minimal. The breach is no longer active. We are in the process of individually notifying all residents whom we think could be impacted and have advised all relevant and necessary state and federal agencies of the situation.

We are coordinating with the Attorney General to identify the perpetrators of this crime and to take the next steps to address their actions.

There is no mechanism available to EOLWD to assess the actual number of individuals affected [‘cause we don’t keep no logs? Bob] but any claimant who had their UI file manually accessed by could be affected. Additionally, businesses that file their quarterly statements manually (about 1,200 of 180,000) may have had identifying information transmitted through the virus. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station.

Source: mass.gov

Probably nothing, but it needs following…

http://www.databreaches.net/?p=18308

France’s official P2P monitoring firm hacked

May 17, 2011 by admin

Dan Goodin reports:

The French government has temporarily suspended its reliance on the company designated to monitor file-sharing networks for copyright scofflaws following reports that a hack on its servers may have leaked sensitive information.

Eric Walter, France’s secretary general of internet piracy, made the announcement over Twitter on Tuesday, saying that Hadopi, short for the High Authority for the dissemination of works and the protection of rights, was taking control of Trident Media Guard “following the leak of IP addresses.”

Read more in The Register.

[From the article:

It remains unclear just how serious the leak from TMG was. As a government-sanctioned collector of IP addresses trading music, pictures and other media over file-sharing networks, it could possess a wealth of sensitive information about French citizens. But according to news reports published on Tuesday (Google translation here) TMG has said “no personal data was disclosed” and that the hacked machine was a test server.]

Sony updates… Maybe it was the DoD?

http://news.cnet.com/8301-27080_3-20063789-245.html

Expert: Sony attack may have been multipronged

When it comes to the attack on Sony's PlayStation Network, the only thing we're sure of is what we don't know: how it was done and who did it.

In the past four weeks since Sony shut down the gaming network, security researchers have been cobbling together theories of how someone broke into the PlayStation Network (PSN) and Sony Online Entertainment site, exposing personal data from more than 100 million accounts.

Security experts believe whoever was responsible exploited one or more security holes--but how they were exploited and who did it remains a bit of a mystery, despite a disputed link to the loosely knitted hacking organization Anonymous.

Sony has said only that between April 17 and 19 an unauthorized person gained access to Sony's PSN servers in San Diego by hacking into an application server behind a Web server and two firewalls. The attack was disguised as a purchase, so it did not immediately raise any red flags, and the vulnerability exploited was known, according to Sony. A week and a half later, the company said that during its investigation into the PSN breach, it discovered that attackers may have also obtained data from the Sony Online Entertainment system. The network and online site were restored last weekend.

Chris Lytle, security researcher at Veracode, said he thinks there were actually multiple concurrent breaches, not necessarily by the same person or group. "Sony just happened to be a low-hanging fruit because of what was publicly known at the time, and they got attacked from every direction at once," he said in an interview this week.

Lytle discusses several theories in a recent blog post and notes that information from Sony would indicate that a SQL injection was used to exploit a hole in the database layer of an application or that the database server was publicly accessible and exploitable.

"According to web logs that Sony had been leaking for months prior to the attack someone from a US Department of Defense IP from the 214.0.0.0/8 netblock had probed Sony's systems for two weeks prior to the intruders gaining access," he writes. A program called Whisker, which only checks for known vulnerabilities, apparently was used to perform the scans, he added.

Depending on what actions Sony took or didn't take to secure its systems and how old any potential vulnerabilities were, the question of negligence could be raised, said Eugene Spafford, a computer science professor at Purdue and executive director of CERIAS (Center for Education and Research in Information Assurance and Security) at the university.

"It would seem, from what we've heard, that it is possible they didn't exercise due care," he said in an interview with CNET. "If you park your car in a high-crime area and leave the doors unlocked and the keys in the ignition, you are being careless when you should know better. That makes you somewhat culpable for the losses."

(Related)

http://news.cnet.com/8301-31021_3-20063764-260.html

Sony: PSN back, but no system is 100 percent secure

After switching PlayStation Network back on this past weekend, Sony executives are now speaking out about the security breach and its aftermath.

Several media outlets participated in a call with Chairman and CEO Howard Stringer and Executive Deputy President Kazuo Hirai today in which the execs admitted Sony still does not know who accessed the personal records of more than 100 million of its customers last month.

Putting the event in context, Stringer said that any company's security system is vulnerable. "Nobody's system is 100 percent secure," Stringer said, according to Bloomberg. "This is a hiccup in the road to a network future." [A little more empathy would be appreciated. Bob]

He also lamented how hard it is for everyone who does business online to keep ahead of hackers. According to the Huffington Post, Stringer called it "a kind of escalating competition between good and bad." [“Damn it, every penny we spend on Security comes out of my Bonus!” Bob]

(Related) I’ll ask my PS3-using students if this is sufficient.

http://www.wired.com/gamelife/2011/05/psn-hack-welcome-back/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Sony Details Free PS3, PSP Games in ‘Welcome Back’ Package

“He was a really big irritant.”

http://yro.slashdot.org/story/11/05/18/049232/Judge-Orders-Former-San-Francisco-Admin-Terry-Childs-To-Pay-15M?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M

"'A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"

Not enough swing in the legislative pendulum

http://www.databreaches.net/?p=18293

Breach Notification Proposal Lacks Teeth

May 17, 2011 by admin

Clearly I’m not the only one who was unimpressed with the Obama administration’s plan for a federal data breach notification law. Tracy Kitten reports:

The Obama administration’s plan for a federal data breach notification policy is too vague to be effective, and it lacks teeth to penalize violators, critics say.

Read more on BankInfoSecurity.com.

(Related)

http://www.phiprivacy.net/?p=6671

Final PHI Protection Rule Won’t Mandate Encryption

By Dissent, May 17, 2011

The omnibus federal final rule that will cover changes to the HIPAA privacy, security, breach notification and enforcement rules will not include a mandate for encryption of protected health information, confirms Susan McAndrew, deputy director for health information privacy in the Department of Health and Human Services’ Office for Civil Rights.

[...]

McAndrew wasn’t as clear when asked if the breach notification “harm threshold,” which enables an organization to not provide notification of a breach if it determines no consequential harm has or will result, will be eliminated in the final rule.

Read more on Health Data Management.

(Related)

http://www.pogowasright.org/?p=22924

EFF Applauds New Electronic Privacy Bill That Tells the Government: Come Back With a Warrant!

May 18, 2011 by Dissent

Kevin Bankston writes:

Today, Senator Patrick Leahy introduced much-needed legislation to update the Electronic Communication Privacy Act of 1986, a critically important but woefully outdated federal privacy law in desperate need of a 21st century upgrade. This ECPA Amendments Act of 2011 (S. 1011) would implement several of the reform principles advocated by EFF as part of the Digital Due Process (DDP) coalition, and is a welcome first step in the process of providing stronger and clearer privacy protections for our Internet communications and location data. Here is the bill text, along with a summary of the bill.

The upshot? If the government wants to track your cell phone or seize your email or read your private IMs or social network messages, the bill would require that it first go to court and get a search warrant based on probable cause. This is consistent with DDP’s principles, builds on EFF’s hard-won court victories on how the Fourth Amendment applies to your email and your cell phone location data, and would represent a great step forward for online and mobile privacy protections.

The bill isn’t absolutely free of problems: although it clearly would require a warrant for ongoing tracking of your cell phone, it would also and unfortunately preserve the current statutory rule allowing the government to get historical records of your location without probable cause. It also expands the government’s authority to use National Security Letters to obtain rich transactional data about who you communicate with online and when, without probable cause or court oversight. You can count on EFF to press for these problems to be fixed, and for all of the DDP principles to be addressed, as the bill proceeds through Congress.

Read more on EFF.

“Reveal your source!” Should be a lot more fun when everything is in the Cloud.

http://www.pogowasright.org/?p=22926

Grubb’s story: privacy, news and the strong arm of the law

May 18, 2011 by Dissent

Yesterday I saw some conflicting news reports as to what happened to Australian reporter Ben Grubb after he covered a hacking story at a security conference. In time, the story got clarified, and here’s his report:

We’ve all seen it happen on TV a zillion times. But when a police officer recited to me those well-rehearsed words – ‘you have the right to remain silent …’ – I felt sick in the stomach.

The conversation with the two officers had started off in a friendly enough manner. I was in a session at the AusCERT security conference on the Gold Coast when I received a call from Detective Superintendent Errol Coultis.

I thought he was from the Queensland Police media unit to begin with, but it soon became clear he was an officer who wanted to question me over a story I had written regarding a security expert’s demonstration of vulnerabilities on social media sites such as Facebook.

Read more in The Age.

Taking a reporter’s iPad because it contained evidence of what might be a crime? Accusing a reporter of receiving illegally obtained information? Is this a mini-WikiLeaks? What Ben Grubb did is what journalists and bloggers do every day – we receive information and sometimes that information may not have been obtained by the party who provides it to us in totally legal ways. If what Ben Grubb did was wrong – and I don’t think it was – then the New York Times and every other mainstream news organization is at risk of having their reporters covering Australian news arrested and their computers seized.

This was just so wrong.

I look forward to seeing the report also.

http://www.pogowasright.org/?p=22931

Report: Limit Searches of Electronic Devices – and Jacob Appelbaum!

May 18, 2011 by Dissent

Okay, yes, I added Jacob Appelbaum’s name to the headline. It seemed appropriate.

The Associated Press reports:

Travelers carry so much personal information on laptops, computer disks and smartphones that routine searches of electronic devices at the nation’s borders are too intrusive now, in the view of a bipartisan panel that includes a Republican conservative who once headed border security.

A report released Wednesday by The Constitution Project, a bipartisan legal think tank, recommended that the Homeland Security Department discontinue its policy of searching electronic devices without a reasonable suspicion of wrongdoing.

From Oct. 1, 2008, to June 2, 2010, over 6,500 people — almost half of them U.S. citizens — had electronic devices searched at the border, the report found.

Read more on Fox News.

I do not see the report up on the organization’s web site as of the time of this posting, but look forward to reading it. Certainly anyone who has followed the tweets of Jacob Appelbaum (@ioerror) will be well aware that CBP routinely detains him and their actions seem more like downright harassment than anything else, since they no longer engage in even the pretext of searching for anything that would actually pose any risk to national security or be evidence of any criminal activity.

Harassment – even if conducted politely – is still harassment. I defy the DHS to provide any justification for their treatment of this American citizen. They are either being petty and malicious or they must think Appelbaum is so stupid that after having been detained so many times, he would still travel with anything that might be of remote use to the government.

For my Computer Security students. It’s a “feature” not a “problem,” right?

http://tech.slashdot.org/story/11/05/17/2355256/How-Windows-7-Knows-About-Your-Internet-Connection?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

How Windows 7 Knows About Your Internet Connection

"In Windows 7, any time you connect to a network, Windows tells you if you have full internet access or just a local network connection. It also knows if a WiFi access point requires in-browser authentication. How? It turns out, a service automatically requests a file from a Microsoft website every time you connect to any network, and the result of this attempt tells it whether the connection is successful. This feature is useful, but some may have privacy concerns with sending their IP address to Microsoft (which the site logs, according to documentation) every single time they connect to the internet. As it turns out, not only can you disable the service, you can even tell it to check your own server instead."
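For the students: the probe the Slashdot post describes is Windows' Network Connectivity Status Indicator (NCSI), and its settings live in the registry. The script below is an added example, not from the Slashdot post or from Microsoft; the registry path and value names are Microsoft's documented NCSI settings, while the hosts and address in the repoint function are placeholders you would replace with a server you run yourself. It shows the current configuration, reproduces the probe so you can see exactly what leaves the machine, and then either repoints it or turns it off (changing values needs an elevated prompt).

```powershell
# Added example (not from the original post). Value names under this key are
# Microsoft's documented NCSI settings; defaults are noted in the comments.
$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiConfig {
    # Read the active-probe settings NCSI consults after every network change.
    $p = Get-ItemProperty -Path $NcsiKey
    New-Object PSObject -Property @{
        EnableActiveProbing = $p.EnableActiveProbing    # 1 = probe on, 0 = off
        WebProbeHost        = $p.ActiveWebProbeHost     # default: www.msftncsi.com
        WebProbePath        = $p.ActiveWebProbePath     # default: ncsi.txt
        WebProbeContent     = $p.ActiveWebProbeContent  # default: "Microsoft NCSI"
        DnsProbeHost        = $p.ActiveDnsProbeHost     # default: dns.msftncsi.com
        DnsProbeContent     = $p.ActiveDnsProbeContent  # default: 131.107.255.255
    }
}

function Test-NcsiProbe {
    # Reproduce what NCSI does: one DNS lookup and one plain-HTTP GET to the
    # configured host. This is the traffic (and your IP) the remote side sees.
    param([Parameter(Mandatory=$true)]$Config)
    $dnsOk = $false
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Config.DnsProbeHost) |
                 ForEach-Object { $_.IPAddressToString }
        $dnsOk = $addrs -contains $Config.DnsProbeContent
    } catch { }
    $webOk = $false
    try {
        $url  = "http://$($Config.WebProbeHost)/$($Config.WebProbePath)"
        $body = (New-Object System.Net.WebClient).DownloadString($url)
        $webOk = ($body -eq $Config.WebProbeContent)
    } catch { }
    New-Object PSObject -Property @{ DnsProbe = $dnsOk; WebProbe = $webOk }
}

function Set-NcsiProbeServer {
    # Point the probe at a server you control. That server must answer
    # GET /<Path> with exactly <Content> over plain HTTP, and <DnsHost> must
    # resolve to <DnsAnswer>, or Windows will report "No Internet access".
    param(
        [string]$WebHost   = 'ncsi.internal.example',  # placeholder host
        [string]$Path      = 'ncsi.txt',
        [string]$Content   = 'Microsoft NCSI',
        [string]$DnsHost   = 'dns.internal.example',   # placeholder host
        [string]$DnsAnswer = '10.0.0.53'               # placeholder address
    )
    New-ItemProperty -Path $NcsiKey -Name ActiveWebProbeHost    -Value $WebHost   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $NcsiKey -Name ActiveWebProbePath    -Value $Path      -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $NcsiKey -Name ActiveWebProbeContent -Value $Content   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeHost    -Value $DnsHost   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeContent -Value $DnsAnswer -PropertyType String -Force | Out-Null
}

function Disable-NcsiActiveProbing {
    # Stop the probe entirely. NCSI can then no longer confirm Internet access,
    # so the tray icon may show limited connectivity even when the link is fine.
    New-ItemProperty -Path $NcsiKey -Name EnableActiveProbing -Value 0 -PropertyType DWord -Force | Out-Null
}

# Inspect first; change only after you have a probe server of your own.
$cfg = Get-NcsiConfig
$cfg | Format-List
Test-NcsiProbe -Config $cfg | Format-List
```

The same switch-off is available through Group Policy as "Turn off Windows Network Connectivity Status Indicator active tests" under Internet Communication settings, which is the cleaner choice on a managed domain.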

http://tech.slashdot.org/story/11/05/17/2111233/Righthaven-Hit-With-Class-Action-Counterclaim?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Righthaven Hit With Class Action Counterclaim

"Steve Green reports that one of the website operators accused of copyright infringement by Righthaven has retaliated, hitting the Las Vegas company with a class-action counterclaim, charging that defendants in all 57 Righthaven cases in Colorado 'are victims of extortion litigation by Righthaven, which has made such extortion litigation a part of its, if not its entire, business model.' The counterclaim says Righthaven has victimized defendants by failing to send takedown notices prior to suing, by threatening to take their website domain names when that's not provided for under the federal Copyright Act, by falsely claiming it owns the copyrights at issue and by failing to investigate jurisdictional and fair use issues before suing, among other things. The claim seeks an adjudication that Righthaven's copyright infringement lawsuits amount to unfair and deceptive trade practices under Colorado law, an injunction permanently enjoining Righthaven from continuing the alleged unfair and deceptive trade practices, an unspecified financial award to the class-action plaintiffs for damages as well as their costs and attorney's fees."

Will we agree? Somehow I doubt it.

http://www.pogowasright.org/?p=22915

Location data is personal and private confirms EU watchdog

May 17, 2011 by Dissent

Jennifer Baker reports:

The European Union data protection watchdog says that geo-location constitutes private data.

The opinion, which was approved by the Article 29 Working Party on Monday, looked at developments in mobile technology and the current legal framework around them and makes recommendations.

“Location data is certainly, in many instances, private data, and there then follows the obligations to inform users, and the opportunity to opt in or opt out,” Peter Hustinx, Europe’s Data Protection Supervisor (EDPS) and member of the working group, told IDG News Service.

Private or personal data receives a much higher level of protection under the E.U.’s Data Protection Directive than anonymous data.

Read more on IDG.no

Ah Jeff, I think it unwise to tell Congress, “Nah nah na nah nah!”

http://yro.slashdot.org/story/11/05/17/2242203/Jeff-Bezos-Calls-Sales-Tax-Requirements-On-Amazon-Unconstitutional?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Jeff Bezos Calls Sales Tax Requirements On Amazon Unconstitutional

"Amazon.com chief Jeff Bezos says the online retailer won't collect tax from most of its 90 million customers until Congress clearly mandates it. Although a growing number of states are demanding that Amazon collect and remit tax on sales within their borders, such demands are 'interference in interstate commerce' and prohibited by the Constitution, Bezos said."

Are game ‘terms of service’ like shrink-wrap licenses?

http://games.slashdot.org/story/11/05/18/0624256/The-FSFs-Campaign-Against-the-Nintendo-3DS?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The FSF's Campaign Against the Nintendo 3DS

"The Nintendo 3DS's terms of so-called service, and the even more grotesquely-misnamed privacy policy, make it clear that you are in the service of Nintendo. Specifically, anything you do, write, photograph, or otherwise generate with the 3DS is Nintendo's possession, for them to use however, whenever, and for as long as they want. On the other hand, if you do something they don't like, they're prepared to turn your device into a doorstop — and you gave them permission when you started using it. And if you have a child's best interests at heart, don't give it to anyone too young to know to never use her real name, type in an address or phone number, or take any personally-identifiable photos. They might, at best, end up in a Nintendo ad."

A nation of movie watchers

http://tech.slashdot.org/story/11/05/17/190233/Netflix-Dominates-North-American-Internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Netflix Dominates North American Internet

"Accounting for 29.7% of all information downloaded during peak usage hours by North American broadband-connected households in March, Netflix Inc. received the title in the latest Global Internet Phenomena Report released by Sandvine Corp. on Tuesday. In its ninth such report, Waterloo, Ont.-based Sandvine found the amount of data consumed by users streaming television shows and movies from Netflix's online service exceeded even that of peer-to-peer (P2P) file sharing technology BitTorrent."

Tossing gasoline on the “off shoring” debate. Although this might be a useful service when writing a dissertation.

http://www.good.is/post/outsourcing-education-does-it-matter-if-someone-in-india-corrected-your-college-paper/

Outsourcing Education: Does It Matter If Someone in India Corrected Your College Paper?

Plenty of American businesses have outsourced jobs across the globe, and now colleges are jumping on the bandwagon. Colleges are hiring online "tutors" to check student work for grammar and other English mistakes and provide the kind of feedback students used to get from professors or teaching assistants before budget cuts resulted in staff layoffs and unmanageably large class sizes.

Here's how it works: Schools like West Hills Community College in central California hire services like Virginia-based RichFeedback. When a student turns in a paper, the professor sends it to RichFeedback, which then passes it along to its own tutors, mostly based in India. According to the Fresno Bee, the tutors return the papers "covered with color-coded corrections, suggestions for improvements and references to class text examples." Then professors only have to spend time evaluating a paper's subject-matter content.
