Saturday, April 16, 2011

Makes me wonder if politicians notice the breach or notice that other politicians noticed the breach...

http://www.pogowasright.org/?p=22429

Pryor Urges FTC to Investigate Data Breach that Exposes Millions of Consumers

April 15, 2011 by Dissent

U.S. Senator Mark Pryor has sent a letter to the Federal Trade Commission urging the Chairman to investigate the recent data breach of Epsilon, an online marketing firm that handles email lists for companies such as Target, Best Buy, Walgreens, and Citi Group.

Pryor said the information that was stolen is likely limited to e-mail addresses and possibly names. However, he is concerned this information alone will lead to a surge of phishing attacks – emails disguised to be from a legitimate business but are intended to steal more personal information, including account numbers, usernames, passwords or Social Security numbers.

Pryor’s letter to FTC Chairman Jon Leibowitz can be found here.

Source: Senator Mark Pryor



Okay, perhaps not everything is bigger in Texas. Many breached companies now provide two years of credit monitoring...

http://www.databreaches.net/?p=17794

Comptroller offers discount on credit monitoring after data breach

April 15, 2011 by admin

I read the following news story by Dan Wallach and thought, “Are you kidding me?!”

The Texas Comptroller’s office has arranged for individuals affected by an inadvertent exposure of personal data to receive a 70 percent discount on one year of credit monitoring to alert them if their information is misused.

On Monday, the comptroller’s office revealed that as many as 3.5 million Texans – state employees and unemployment insurance applicants from 2007 through 2009 – could have had their private information posted on a publicly accessible server for more than a year.

Read more on Beaumont Enterprise.

The state should foot the bill totally, not the victims. This is just wrong. Doesn’t the state carry insurance that it can use to fund the services?



Is this a response to the theft of information reported earlier or is this new? I doubt they would be too clear, either way.

http://www.bespacific.com/mt/archives/027015.html

April 14, 2011

OnGuardOnline.gov Urges Taxpayers to Contact the IRS If They Suspect Tax-Related Identity Theft

News release: "OnGuardOnline.gov, a partnership of fourteen federal agencies managed by the Federal Trade Commission (FTC), is informing consumers that an unexpected message from the Internal Revenue Service (IRS) could be a warning sign that their Social Security number is being misused by an identity thief. OnGuardOnline.gov suggests that people contact the IRS if they receive a notice that: more than one tax return was filed in the consumer’s name, or IRS records show the consumer was paid by an employer that he or she does not know. People who think they have tax issues related to identity theft should let the IRS know as soon as possible, even if the taxpayer doesn’t have any evidence that the identity theft affected a tax return. Specialists in the IRS Identity Protection Specialized Unit will help identity theft victims file their tax returns, get any refund they are due, and protect their IRS accounts from identity thieves in the future. The IRS website has more information here, or consumers can call 1-800-908-4490. The unit’s hours are 8:00 am to 8:00 pm (local time)."



Now this is interesting.

http://yro.slashdot.org/story/11/04/15/1956243/DOJ-Seizes-Online-Poker-Site-Domains?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

DOJ Seizes Online Poker Site Domains

"Federal authorities have seized Internet domain names used by three major poker companies. The indictment charges eleven defendants (PDF), including the founders of PokerStars, Full Tilt Poker and Absolute Poker, with bank fraud, money laundering and illegal gambling offenses, according to Federal authorities in New York. The United States also filed a civil money laundering and in rem forfeiture complaint against the poker companies, their assets, and the assets of several payment processors for the poker companies."



TSA has the right! We “second class” citizens don't.

http://tech.slashdot.org/story/11/04/15/2051220/TSA-Investigates-People-Who-Complain-About-TSA?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

TSA Investigates... People Who Complain About TSA

"CNN has obtained a list of roughly 70 'behavioral indicators' that TSA behavior detection officers use to identify potentially 'high risk' passengers at the nation's airports, and report that arrogant complaining about airport security is one indicator TSA officers consider when looking for possible criminals and terrorists. When combined with other behavioral indicators, it could result in a traveler facing additional scrutiny. 'Expressing your contempt about airport procedures — that's a First Amendment-protected right,' says Michael German, a former FBI agent who now works as legal counsel for the American Civil Liberties Union. 'It's circular reasoning where, you know, I'm going to ask someone to surrender their rights; if they refuse, that's evidence that I need to take their rights away from them. And it's simply inappropriate.' Interestingly enough, some experts say terrorists are much more likely to avoid confrontations with authorities, saying an al-Qaeda training manual instructs members to blend in."



Words, just words. But it looks like a plan for an electronic National ID. “e-Papers, Citizen.”

http://www.pogowasright.org/?p=22418

White House Releases Trusted Internet ID Plan

April 15, 2011 by Dissent

Grant Gross reports:

The U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama’s administration.

The National Institute of Standards and Technology (NIST) will work with private companies to drive development and adoption of trusted ID technologies, White House officials said. The National Strategy for Trusted Identities in Cyberspace (NSTIC), released by the Department of Commerce on Friday, aims to protect the privacy and security of Internet users by encouraging a broad online authentication market in the U.S.

Read more on PCWorld.

[From the PCWorld article:

"The fact is that the old password and username combination we often use to verify people is no longer good enough," Commerce Secretary Gary Locke said at an NSTIC release event hosted by the U.S. Chamber of Commerce. "It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft."

… The trusted ID technologies described in NSTIC would allow online users to dump passwords in favor of credentials that can be used on multiple websites. The Obama administration hopes that multiple trusted ID technologies will emerge, officials said.



Interesting summary of Web 2.0

http://www.bespacific.com/mt/archives/027018.html

April 15, 2011

Presentation: Web 2.0, New Media Ecology, Mobile Information 2.0 and Beyond: Where are we, where are we going?

Information 2.0 and Beyond: Where are we, where are we going? by Kristen Purcell, Mar 29, 2011 at APLIC's 44th Annual Conference in Washington, DC



Now here's an interesting idea. If you run across a pothole in the road, fill it in! Might be amusing to see how they would reimburse the talent – which I am sure they would do.

http://news.slashdot.org/story/11/04/15/2118220/Why-Google-Should-Buy-the-Music-Industry?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Why Google Should Buy the Music Industry

"According to one story about Google's attempts to launch its own music service, 'the search giant is "disgusted" with the labels, so much so that they are seriously considering following Amazon's lead and launching their music cloud service without label licenses.' So here's a simple solution: Google should just buy the major record labels — all of them. It could afford them — people tend to forget that the music industry is actually relatively small in economic terms, but wields a disproportionate influence with policy makers. Buying them would solve that problem too." [Fire the management, keep the lobbyists. Bob]



Another pet peeve. Google is demonstrating a 1 gigabit network and everyone else is trying to squeeze the last possible nickel out of their crummy service. “You can have really fast service, but only for a short time each month?”

http://tech.slashdot.org/story/11/04/16/0142205/Comcasts-105MBit-Service-Comes-With-Data-Cap?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Comcast's 105MBit Service Comes With Data Cap

"Comcast just announced the ultrafast, ultra-broadband "Extreme 105" 105 Mbit/sec Internet service for an introductory price of $105, when bundled with other services. That's the good news. The bad news: Comcast 'put a data cap on the service of 250 Gbit per month — about five hours worth of full-bandwidth use,' writes blogger Kevin Fogarty."



For my students who must do research, i.e. ALL of them. Try this as an RSS reader.

http://www.makeuseof.com/dir/webreader-desktop-client-for-google-reader/

Webreader: Wonderful AIR-based desktop client for Google Reader

You can easily add your RSS feeds to Google Reader and stay updated with your favorite websites. But for many people, the interface of Google Reader is too basic. For them, a better alternative to Google Reader’s native web interface would be the visually appealing desktop Reader client, WebReader.

www.getwebreader.com



Friday, April 15, 2011

Another “typical” breach. Note that the bank is unlikely to reimburse the dealership, since the dealership's security was breached, not the bank's.

http://www.msnbc.msn.com/id/41743727/ns/technology_and_science-security/from/toolbar

Cybercrooks Drive Away With $63,000 from Car Dealership

On Nov. 1, 2010, the controller for Abilene, Kan.-based Green Ford Sales, Inc. submitted $51,970 in payroll checks to First Bank Kansas through the bank’s online banking website, according to the blog Krebs on Security.

The bank’s authentication program sent the company's controller an e-mail to confirm and approve the transaction details, which he did. Unbeknownst to the controller, however, cybercriminals had infected his Windows PC with the infamous Zeus Trojan, a piece of malware engineered to aid criminals in hijacking online banking information.

With total access to the company’s online finances, the crooks were able to siphon $63,000, and even intercept the bank’s confirmation e-mail so the controller had no idea any illicit transaction took place.

Green Ford recovered $41,000, and although the company has since changed its security procedures, Krebs said that as long as PC viruses exist, online banking sessions will continue to be high-priced targets for cybercriminals.

“If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking Trojans,” Krebs wrote.
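An added example (mine, not code from Krebs, the bank or the dealership) of what that quote means in practice: a man-in-the-browser Trojan and two confirmation schemes, simulated offline with a constructed payroll transfer and a constructed shared secret. In scheme A the bank e-mails the received details back to the same PC and the Trojan answers for the user; in scheme B a separate, clean device computes an HMAC over the details the customer intended, the bank recomputes it over what it actually received, and a swapped destination fails the comparison. The Trojan behaviour, the field layout and the secret are assumptions for the demo.

```python
"""Added example (not from the Krebs / MSNBC story): why an approval that
flows back through the same infected PC proves nothing, and how an
out-of-band code bound to the transaction details changes that."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee: str
    account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order so both sides MAC exactly the same bytes.
        return f"{self.payee}|{self.account}|{self.amount_cents}".encode()


# Hypothetical secret shared between the bank and the customer's separate
# device (phone app or hardware token); constructed for this demo only.
TOKEN_SECRET = b"constructed-demo-secret-not-real"


def confirmation_code(t: Transfer) -> str:
    """Code the customer's separate device computes over the details it displays."""
    return hmac.new(TOKEN_SECRET, t.canonical(), hashlib.sha256).hexdigest()[:8]


def man_in_the_browser(t: Transfer) -> Transfer:
    """Hypothetical banking-Trojan behaviour: the screen keeps showing `t`,
    but the bank receives a transfer to a mule account instead."""
    return Transfer(t.payee, "MULE-0000", t.amount_cents)


def email_scheme(intended: Transfer, submitted: Transfer, pc_infected: bool) -> bool:
    """Scheme A (as in the story): the bank e-mails the received details to the
    controller's mailbox on the same PC and waits for an 'approve' reply."""
    message = f"Approve {submitted.amount_cents} cents to {submitted.account}?"
    if pc_infected:
        # The Trojan reads the mail first and answers for the user; no human
        # ever sees the details, so nothing is compared.
        reply = "approve"
    else:
        reply = "approve" if message.endswith(f"to {intended.account}?") else "reject"
    return reply == "approve"


def oob_scheme(intended: Transfer, submitted: Transfer) -> bool:
    """Scheme B: the clean second device computes a code over what the customer
    intended; the bank recomputes it over what it received and compares."""
    code_from_customer = confirmation_code(intended)
    expected = confirmation_code(submitted)
    return hmac.compare_digest(expected, code_from_customer)


def simulate(intended: Transfer, pc_infected: bool) -> dict:
    """Run one transfer through both schemes and report what the bank does."""
    submitted = man_in_the_browser(intended) if pc_infected else intended
    return {
        "bank_received_account": submitted.account,
        "email_scheme_accepts": email_scheme(intended, submitted, pc_infected),
        "oob_scheme_accepts": oob_scheme(intended, submitted),
    }


PAYROLL = Transfer("Payroll batch", "ACCT-5197", 5_197_000)  # constructed sample

if __name__ == "__main__":
    for infected in (False, True):
        print("infected PC" if infected else "clean PC", simulate(PAYROLL, infected))
```

The check only holds if the second device itself shows the payee and amount it is signing; if the user reads the details off the infected screen and the Trojan has already altered what is displayed, or talks the user into "verifying" a transfer the attacker made up, the code covers the attacker's details and the bank will accept them.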



For my Computer Security students. Not everyone fixes problems immediately – even some who should know better...

http://www.databreaches.net/?p=17772

Hundreds of College and Government websites still redirecting to fake stores

April 14, 2011 by admin

In January, I talked about high-profile websites, which had been hacked to redirect users to fake online stores. One unique aspect of the hack was the fact that the attackers had set up additional web servers on non-standard ports. Most of the domains I listed in the post were cleaned up pretty quickly.

Three months later, there are still a number of hijacked sites redirecting to the same fake stores. One day recently, I found 68 hijacked domains, mostly college and government sites, including:

Berkeley: cshe.berkeley.edu
Harvard: research4.dfci.harvard.edu
Purdue University: web.ics.purdue.edu
Oklahoma State University: osu.okstate.edu
Australian Government: brokenhill.ses.nsw.gov.au

Read more on The Security Blog.
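An added example (not code from The Security Blog or databreaches.net) of how one might triage fetched pages for the hijack pattern described above: it parses a response for Location headers, meta refresh tags and JavaScript location assignments, resolves each target against the page's URL, and flags anything that leaves the site's registrable domain or lands on a non-standard port, which is what "additional web servers on non-standard ports" would look like from the outside. The sample responses use reserved example hostnames and are constructed; the registrable-domain heuristic is an assumption standing in for a real Public Suffix List lookup.

```python
"""Added example (not from the Security Blog post): triage an HTTP response
for the redirect-to-fake-store hijack described above."""
import re
from urllib.parse import urljoin, urlsplit

STANDARD_PORTS = {"http": 80, "https": 443}

# Redirect vectors a 200 OK page can carry without any 3xx status.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION = re.compile(r'\blocation(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Heuristic stand-in for the Public Suffix List (assumption): keep two
    labels, or three when a generic second-level label sits under a two-letter
    ccTLD, so brokenhill.ses.nsw.gov.au -> nsw.gov.au, cshe.berkeley.edu -> berkeley.edu."""
    labels = host.lower().rstrip(".").split(".")
    generic = {"gov", "edu", "ac", "co", "com", "net", "org"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in generic:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_redirects(status: int, headers: dict, body: str) -> list:
    """Return (vector, raw_target) pairs found in one response."""
    found = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        found.append(("location-header", hdrs["location"]))
    for m in META_REFRESH.finditer(body):
        found.append(("meta-refresh", m.group(1)))
    for m in JS_LOCATION.finditer(body):
        found.append(("javascript", m.group(1)))
    return found


def triage(origin_url: str, status: int, headers: dict, body: str) -> list:
    """Flag redirects that leave the site or land on a non-standard port."""
    origin = urlsplit(origin_url)
    findings = []
    for vector, raw in extract_redirects(status, headers, body):
        target = urlsplit(urljoin(origin_url, raw))  # resolves relative targets
        port = target.port or STANDARD_PORTS.get(target.scheme)
        offsite = registrable_domain(target.hostname) != registrable_domain(origin.hostname)
        odd_port = port not in STANDARD_PORTS.values()
        findings.append({
            "vector": vector,
            "target": target.geturl(),
            "offsite": offsite,
            "nonstandard_port": odd_port,
            "suspicious": offsite or odd_port,
        })
    return findings


# Constructed responses (origin URL, status, headers, body); not real captures.
SAMPLES = [
    ("http://www.example.edu/research/", 200, {"Content-Type": "text/html"},
     '<html><head><meta http-equiv="refresh" content="0; url=http://www.example.edu:8080/store/"></head></html>'),
    ("http://www.example.edu/", 302, {"Location": "http://cheap-watches.example.net/"}, ""),
    ("http://www.example.edu/old/", 301, {"Location": "/new/"}, ""),
    ("http://www.example.edu/news/", 200, {"Content-Type": "text/html"},
     '<script>window.location="http://deals.example.org:8443/shop";</script>'),
]


def run_samples() -> list:
    return [triage(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        for finding in result:
            print(finding)
```

Run it against a crawl of your own hosts with a browser-like User-Agent and a fetch from a search-engine-like one as well: the January variant of this hijack served the redirect selectively, so a single fetch can miss it.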



Add to your “If I ever become a Stalker” folder

http://www.makeuseof.com/tag/creepy-shows-geolocation-data-broadcast-online/

Creepy Shows Just How Much Geolocation Data You Broadcast Online

Enter someone’s Twitter or Flickr usernames and see everywhere they’ve been and when. If this sounds creepy then it is.

Ever wonder how much information geolocation leaves behind? As it turns out, quite a lot. The Creepy geolocation tool is a program for Ubuntu and Windows made primarily to demonstrate just how much information that is, and how easily it could be used for nefarious purposes.



The pendulum swings back...

http://www.pogowasright.org/?p=22401

FL Sup. Ct: Dog sniff of home violates Fourth Amendment

April 14, 2011 by Dissent

So no sooner than I post a link to an article of how courts have expanded dog sniffs (drugs) to the home, than John Wesley Hall of FourthAmendment.com points me to a decision overturning some previous rulings:

The Florida Supreme Court held today that a dog sniff in the home violates the Fourth Amendment. The court discusses all cases decided to this point from all jurisdictions. Jardines v. State, SC08-2101 (April 14, 2011)

Read the excerpt on FourthAmendment.com



Perhaps not the best way to deflect the question. Likely to stir up a “Streisand effect.”

http://yro.slashdot.org/story/11/04/14/2323203/RIM-Co-CEO-Cries-No-Fair-On-Security-Question?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

RIM Co-CEO Cries 'No Fair' On Security Question

"When asked about letting governments in Asia and the Middle East into the 'secure' message service used by their BlackBerry devices, Mike Lazaridis, the co-chief executive of RIM, walked out of the interview and said, 'We've dealt with this, the question is no fair.' By 'dealt with,' we can only assume he meant: 'been paid handsomely to let governments read what they wish.'"



...and they knew they would be tested!

http://www.thetechherald.com/article.php/201115/7066/Trusteer-User-education-can-t-protect-against-social-engineering

Trusteer: User education can’t protect against social engineering

An experiment by security firm Trusteer has shown that even the most educated user can be fooled by a Phishing attack. By using 100 well-informed participants on social/business portal LinkedIn, Trusteer sent out messages similar to the ones site users would see on a regular basis. Interestingly, almost 70 percent of the test group fell for the con.

… Within the first 24 hours, 41 participants had fallen for the scam. Within seven days, 68 people had clicked the button. If this had been a real attack, those numbers would have marked a high return on a criminal’s investment. In all, Trusteer spent about 17 hours on the study.

As for the other 32 people, Boodaei explained that, when approached: “Sixteen said they haven't seen this email (it probably went into their spam folder). Seven said they usually don't read LinkedIn updates. Nine said that the update was not interesting enough for them to click the link.”


(Related) Don't use your real email address unless and until you trust the site on the receiving end.

http://www.smashingapps.com/2011/04/14/ten-great-tools-to-help-you-secure-from-spam-emails.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SmashingApps+%28Smashing+Apps%29

Ten Great Tools To Help You Secure From Spam Emails



Well, well, well. Look who is calling the kettle black. Interior has a history of making poor IT decisions.

http://yro.slashdot.org/story/11/04/14/2129252/Groklaw-Microsoft-Cloud-Services-Arent-FISMA-Certified?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Groklaw: Microsoft Cloud Services Aren't FISMA Certified

"If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in [actuality] its offering actually is. It calls Microsoft's FUD 'irresponsible.'"



Something for my Computer Security students to play with... Not free, but there is a free trial for up to 2,000 emails.

http://www.killerstartups.com/Web-App-Tools/spockly-com-analyze-who-emails-you?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Spockly.com - Analyze Who Emails You

Spockly gives sending and receiving emails a whole new layer - a social one. Spockly can take your existing inbox and turn it into a whole different entity, as you will become enabled to know more about any person who sends you an email.

That data is pulled from public sources. In no event does Spockly resort to cookies, and the kind of data people might mistakenly have made public is also obviated when figuring out who is who.

A service like Spockly is great for running targeted campaigns. The service has a dashboard that will let you look at different attributes such as the occupation of your contacts and their age to the influence they exert on the Internet, and then segment everything accordingly.

http://spockly.com/

[From the website:

And to those of you concerned about privacy, we only collect data that is publicly available on the web and we go further by anonymizing any personally identifiable information gleaned from social media.

This way, our customers get the maximum of marketing data with none of the privacy-related headaches.



For my Ethical Hackers.

http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-idUSTRE73D24220110414

Special report: In cyberspy vs. cyberspy, China has the edge

As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.

And at the moment, many experts believe China may have gained the upper hand.

Though it is difficult to ascertain the true extent of America's own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.

According to U.S. investigators, China has stolen terabytes of sensitive data -- from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. "The attacks coming out of China are not only continuing, they are accelerating," says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.


(Ditto)

http://www.bespacific.com/mt/archives/027011.html

April 13, 2011

Leaping Over the Firewall: A Review of Censorship Circumvention Tools

"A new Freedom House report found that while the majority of circumvention tools used to evade government censorship online perform similarly well, the country in which they are used and the nature of the censorship dictate their effectiveness. No one tool provides a silver bullet for security as governments become more sophisticated in filtering content and monitoring user activity. Freedom House recently released the findings of the report, which were based on user surveys..."



For my Graphic Design students: Blender is a free, open source 3D graphics application that can be used for modeling, texturing, skinning, animating, rendering, and creating interactive 3D applications, including video games, animated film, or visual effects.

http://news.slashdot.org/story/11/04/14/233225/Blender-257-Released-mdash-and-Its-Easy-To-Use?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Blender 2.57 Released — and It's Easy To Use!

"Past Blender releases, as capable as they were, had learning curves somewhere between straight up and down and 90 degrees. The release of Blender 2.57 changes all that. No longer are simple features 'non discoverable.' It has more or less a completely redesigned user interface that is clean, sensible and newbie friendly (hey, I'm using it!). It has a handy tab interface for Actions/Properties such as Render, Scene, World and Object etc. Plus, it's fast and CPU friendly. I'm running the official Blender standalone binary on Fedora 14, with 2GB RAM, Radeon X1300 (free drivers) and a cheap CPU, Intel dual e2200. No more slow GUI, no more 100% unexplained CPU, just great stuff. Kudos to all who made this possible."



For my Website students

http://developers.slashdot.org/story/11/04/15/016225/Maqetta-Open-Source-HTML5-Editor-From-IBM?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Maqetta: Open Source HTML5 Editor From IBM

"IBM has released an online HTML5 editing tool called Maqetta, hosted by the Dojo Foundation. eWeek calls it an open source answer to Flash and Silverlight. That remains to be seen, but it does look interesting."


Thursday, April 14, 2011

This is a biggie, but still too early to know what the hacker got.

http://it.slashdot.org/story/11/04/13/1925244/WordPress-Hacked-Attackers-Get-Root-Access?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

WordPress Hacked, Attackers Get Root Access

"A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"


(Related)

http://thefastertimes.com/tech/2011/04/13/cyber-attack-compromises-18-million-wordpress-blogs/

Cyber Attack Compromises 18 Million WordPress Blogs


(Related)

http://cybersecurityreport.nextgov.com/2011/04/wordpress_insecurity_compromised_blog_puts_government_and_commercial_clients_at_risk.php?oref=latest_posts

WordPress Hack Puts Government and Commercial Clients at Risk



Smaller, but a typical breach announcement for my Computer Security students.

http://www.databreaches.net/?p=17736

PA: Theft Of College Computers May Result In Breach Of Personal Data

April 13, 2011 by admin

WFMZ-TV alerts us to a breach at Albright College in Reading, PA. Although there does not appear to be any easy-to-find notice on the college’s web site at the time of this publication, WFMZ reports:

Albright College in Reading is putting its current, prospective, and former students on alert about a possible breach of their confidential information following a theft of several computers.

According to a letter distributed by Albright on Wednesday, the computers were stolen from the school’s financial aid office in February.

College officials said they held off in publicizing the thefts because they first had to hire a risk management firm to sift through the data that was on the computers. [Translation: We don't know what is on those computers... Bob]

“The information on the stolen computers includes name, address, date of birth, and Social Security number, may include data supplied by students or parents, and may affect not only the supplying parties but also spouses or joint account holders, among others,” Gregory E. Eichhorn, vice president for enrollment management and dean of admission at Albright, said in the letter.

Albright said as many as 10,000 people could be affected by the thefts, including current and prospective students, graduates, college faculty, and staff.

Read more on WFMZ-TV.

Great thanks to Bart Porter of Redemtech for alerting me to this breach.



Another “all too typical” breach

http://www.cbc.ca/news/canada/edmonton/story/2011/04/13/edmonton-school-board-employee-privacy-breach.html

School board loses memory stick with employee data

In a massive privacy breach, a USB memory stick containing information, including resumes and employment records of about 7,000 employees, was lost on March 22.

The stick was used by a school board computer technician working in human resources to download the data, but then he lost it. [Computer Techies do not need data. The only reason to do this is to backup the data – required only when the network backups have failed. Bob]

… Provincial privacy commissioner Frank Work said the school board violated its own policies.

"First of all, according to school board policy, you're not supposed to use an unencrypted stick," said Work. "They did."

"Second of all … they're supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long."

… But he said there is no point in penalizing the board financially because it has already spent thousands of taxpayer dollars to sort out the mess.



Computer crime, a growth industry …

http://www.databreaches.net/?p=17755

Aussie data breaches doubled in 2011

April 13, 2011 by admin

Darren Pauli reports:

The number of Australian data breaches reported to forensic investigators has already doubled those experienced in 2010, even though it’s only April.

Some of the worst breaches have cost businesses many hundreds of thousands of dollars, and involved significant loss of credit card information and customer information.

Yet it seems that none of the breaches handled by forensic investigators Verizon and Klein&Co have been reported by the media.

“The old adage that all press is good press has been thoroughly dispelled,” Verizon investigative response director Mark Goudie said. “None of the cases have been reported by media to my knowledge.”

Most of the breaches, which this year were twice as numerous as those reported over same time in 2010, succeeded through basic information security bungles such as the use of lax passwords and default user access rights, Goudie said.

Klein&Co has already handled more than a third of the number of severe credit card breaches this year than it handled in 2010.

“This year we’ve handled between ten to 15 [credit card] breaches. We handled 33 during the whole of 2010,” director Nick Klein said.

He said the major banks and card issuers have reported similar increases.

Read more on ZDNet (AU). It sounds like Australians should be protesting loudly that they need legislation requiring mandatory data breach notification.



This should make all “electronic filers” a bit nervous... (or was it a Third Party breach?)

http://blogs.forbes.com/williampbarrett/2011/04/13/massive-identity-theft-with-help-from-the-irs/

Massive Identity Theft With Help From The IRS

Someone has hijacked the tax identity of more than 2,300 tiny or defunct nonprofits, apparently taking advantage of a hole in a new electronic Internal Revenue Service filing system to list the same person as a charitable official at the same mail box drop in Las Vegas.

… Yet a would-be charitable donor consulting one of the official IRS databases would find all listed as valid and most with the ability to offer tax deductibility for contributions. It doesn’t take a lot of thought to imagine the mischief or even fraud that could be caused by use of this official agency imprimatur in what looks like a massive case of identity theft.

… News of this problem breaks at a bad time for the agency. The deadline for personal tax returns is Monday and IRS officials are encouraging taxpayers to file electronically, which saves the feds huge amounts of money.

… The agency outsources the electronic annual reporting requirement of small nonprofits–generally, those with less than $25,000 in revenue–to the Urban Institute, a well-known Washington nonprofit and think tank that was an early advocate of charitable transparency. Thomas Pollak, an Urban Institute official who oversees the system, said he was unaware of the problem until Forbes called. He confirmed that a random check of nonprofits with the word “ministries” in their name and the Las Vegas zip code of the N. Rainbow Blvd address–89107–showed William Alexander listed as the responsible charitable official.

A search on Melissa Data of nonprofits in that zip code produced 2,370 listings.



Big Brother cometh?

http://www.gsnmagazine.com/node/22997?c=access_control_identification

Privacy groups decry San Francisco ID scan proposal

A plan by the City of San Francisco’s Entertainment Commission that would require nightclub and concert goers to have their personal identification scanned at events in the city, then stored for 15 days on the city’s databases, drew protests from privacy rights groups on April 12.

The information would be available to law enforcement without a warrant, subpoena or court order, said the groups.

A rash of shootings in and around nightclubs in the city in 2010 prompted Mayor Gavin Newsom to look for ways to stem the violence. In September, Newsom’s office proposed scanning nightclub patrons' IDs, along with installing metal detectors, security cameras, increased outside lighting and an added police presence at the clubs.



Law Enforcement in Cyberspace... A whole new approach to crime on the Internet?

http://www.databreaches.net/?p=17750

DOJ takes steps to take down Coreflood botnet that infected 2.3 million computers

April 13, 2011 by admin

Today the Department of Justice and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.

The U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

The Coreflood malware on a victim’s computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced using the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim’s computer, collecting personal and financial information. The TRO authorizes the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. By limiting the defendants’ ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.

While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely.

The law enforcement actions announced today are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service. Additional assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners. The matter is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, led by Assistant U.S. Attorney Edward Chang, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division.



“Hey, we just write the laws, we don't understand them!”

http://www.pogowasright.org/?p=22388

Sens. Franken, Blumenthal Ask Justice Department to Clarify, Enforce Data Privacy Law

April 13, 2011 by Dissent

Yesterday, U.S. Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) asked the U.S. Department of Justice (DOJ) to clarify its interpretation of a critical federal law that protects the private and personal data of Americans. Recently, servers owned by Epsilon Data Management were hacked, exposing the names and e-mail addresses of millions of American consumers. Separately, public securities filings disclosed a broad investigation by the U.S. Attorney’s Office of New Jersey into alleged privacy breaches by several popular applications or “apps” for smartphones.

These incidents are likely to be investigated under the Computer Fraud and Abuse Act (CFAA). Sens. Franken and Blumenthal, both members of the Senate Judiciary Committee, have asked the DOJ to clarify its interpretation of the CFAA so that consumers know their privacy rights and law enforcement officials know how to best enforce the law. They also asked the DOJ to update its manuals to reflect that smartphones and other personal devices are recognized as “computers” under the CFAA. Finally, they asked the DOJ to provide insight into how the Senate can strengthen existing privacy protections.

“We write to the Department to clarify how it determines the scope of authorization under the CFAA in the absence of a written policy or agreement addressing the issue,” the senators wrote in their letter. “We further ask that the Department communicate this interpretation to consumers, prosecutors, and industry stakeholders. We believe that a clear statement on the application of the CFAA in these circumstances will help consumers know their rights, help industry develop new products and services, and help law enforcement take action against bad actors.”

Earlier this year, Sen. Franken was named chairman of the Senate Subcommittee on Privacy, Technology, and the Law. Last year, he pressed U.S. Attorney General Eric Holder to incorporate an analysis of geotags into an updated stalking victimization study connected to the National Crime Victimization Survey. Last month, Sen. Franken led several of his Senate colleagues in urging Facebook to reverse proposed plans that would allow the disclosure of users’ home addresses and phone numbers to third parties.

The full text of Sens. Franken and Blumenthal’s letter can be read here.

Source: Senator Richard Blumenthal



The downside of Copyright protection. Your limited license just got a bit more limited...

http://games.slashdot.org/story/11/04/14/0418222/DRM-Broke-emDragon-Age-Originsem-For-Days?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

DRM Broke Dragon Age: Origins For Days

"Ars Technica reports that a server problem with the DRM authentication servers has caused Dragon Age: Origins players to be locked out of any saved games that include downloadable content. Quoting: 'Thanks to a combination of DRM idiocy and technical and communications failures on the part of EA and Bioware, I (along with thousands of fellow EA/Bioware customers) spent my free time this past weekend needlessly trapped in troubleshooting hell, in a vain attempt to get my single-player game to load. The problem, it turns out, was the Bioware's DRM authorization servers.'"

An update to the article indicates the problems have finally been resolved.



For my Computer Security students. This sounds too easy. But before you think it will solve the unencrypted laptop problem, remember that free software that does the same thing has been available for years...

http://www.computerworld.com/s/article/9215787/Toshiba_releases_self_erasing_drives

Toshiba releases self-erasing drives

Toshiba Wednesday unveiled its first family of self-encrypting hard disk drives (HDDs) that can also erase data when connected to an unknown host.



For my Ethical Hackers (who carry their toolkit everywhere...)

http://www.makeuseof.com/tag/codysafe-application-launcher-powerful-companion-portable-apps-windows/

CodySafe: An Application Launcher & Powerful Companion For Your Portable Apps [Windows]



Build your own Cloud...

http://news.slashdot.org/story/11/04/13/2110255/VMware-Releases-Open-Source-Cloud-Foundry?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

VMware Releases Open Source Cloud Foundry

"VMware shook the cloud world with an announcement that it was releasing an open source platform-as-a-service called Cloud Foundry. Not surprisingly, the new cloud platform takes direct aim at Microsoft's Azure and Google's Google Apps platforms. Cloud Foundry is made up of several technologies and products that VMware has acquired over the recent past and is released under an Apache 2 license. While VMware isn't the first-and-only player to launch an open source cloud initiative (Red Hat has DeltaCloud, Rackspace and Dell have OpenStack), some believe that with VMware now in the open source cloud business, pressure could be mounting for Microsoft and Google to release versions of their cloud that could be hosted somewhere other than their own data centers."



How different things would have been...

http://www.makeuseof.com/tech-fun/moses-internet/

If Moses Had The Internet


Wednesday, April 13, 2011

Again, a small breach but illustrative for my Introduction to Computer Security students. There is no mention of encryption (which would mean there was no possibility of a breach) so it is safe to assume they didn't bother...

http://www.databreaches.net/?p=17725

OK State Dept. of Health: Stolen laptop contained personal and medical information on 133,000

April 12, 2011 by admin

A press release from the Oklahoma State Department of Health, issued today:

The Oklahoma State Department of Health (OSDH) is notifying nearly 133,000 individuals that their names and some personal information may have been contained on an agency laptop computer that was stolen from an OSDH employee’s car last week.

A database related to the Oklahoma Birth Defects Registry was on the computer. The Oklahoma Birth Defects Registry provides statewide surveillance of birth defects to reduce the prevalence of birth defects through prevention education, monitoring trends and analyzing data. The laptop was used to record data from hospital medical records. An additional 50 paper files containing abstracted medical information were also taken in the theft.

“We are mindful that Oklahoma’s citizens trust the OSDH to do all it can to protect the personal data [except take common actions like encrypting data? Bob] we acquire as part of our disease prevention services,” said State Health Commissioner Dr. Terry Cline. “We offer our apologies to those who may be affected.”

The OSDH sent letters to affected persons and posted information on the OSDH website about the theft and potential data loss. The OSDH is cautioning those whose data might be compromised to contact credit reporting agencies and take other steps to protect their personal information. The OSDH will also make available identity protection services.

“We are reviewing our administrative policies to strengthen safeguards to better protect the confidentiality of the data we collect. [“Now that we've screwed up, maybe we should look at some of those Computer Security fundamentals.” Bob] We recognize our obligation to make any changes that will ensure a similar incident cannot happen again,” Cline said.

A copy of the notification letter and an FAQ on the breach were posted to the state’s web site as well. The notification letter informs people that the laptop was stolen in Yukon on April 6. The letter also notes:

Information may include names for you and your child, any previous full name for your child, birthdates, mailing address, Social Security numbers, medical record information, laboratory and/or test results, or Tribal membership for your child.

Great thanks to Bart Porter of Redemtech for alerting me to this incident.

[From the FAQ:

The laptop was used to record data from hospital medical records. [Another case of bad reporting? Why wouldn't the state require the hospitals to record the data and transfer it to a secure state server? More likely, the laptop had a copy of the data from the server. Bob]

[From the Notification Letter:

OSDH took immediate steps to further protect any personal information by filing a police report, launching an internal investigation and working with the police investigation. [Note that none of these actions actually protect data. Perhaps they don't know how to protect data? Bob]



This is sure to stir debate. Government is exempt (We don't need no stinking rules!), corporations are granted permission and citizens aren't protected. Other than that, no problem...

http://www.pogowasright.org/?p=22348

Senators Kerry, McCain introduce ‘‘Commercial Privacy Bill of Rights Act of 2011’’

April 12, 2011 by Dissent

A bill that’s generated a lot of buzz has been introduced today by Senators Kerry and McCain.

The text is online on Senator Kerry’s web site.

A summary of the bill is also available on his web site.

I haven’t had a chance to read either yet, but hope to do so tonight after work. Expect to see a lot of news articles and commentaries on this one.


(Related)

http://www.pogowasright.org/?p=22360

Nice try, but no cigar yet? Reactions to ‘‘Commercial Privacy Bill of Rights Act of 2011’’

April 12, 2011 by Dissent

Preliminary responses to the Kerry-McCain commercial privacy bill are in, and as I expected, most privacy groups are not endorsing it as proposed.

I still haven’t had a chance to actually read it yet, but Jacqui Cheng of Ars Technica reports:

Not everyone is cheering, though. A coalition of consumer groups—including Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse, and Privacy Times—said that while they welcome the effort, they cannot yet get behind it. The groups reiterate the need for “Do Not Track” legislation and enforcement, saying the bill relies too much on the “notice and choice” model that already exists at most companies. They also criticize the bill for giving “special interest treatment to Facebook and other social media marketers” by allowing them to continue gathering data without real safeguards, and they especially don’t like that the Department of Commerce—meant to promote the interests of companies, not individuals—has some say in developing the privacy policies.

“Title VII of the act, which appears to usurp the FTC’s traditional lead role in protecting privacy and turn much of its responsibility over to the Commerce Department, is troubling. It is important to note that the Commerce Department—as it should—primarily seeks to promote the interests of business. It is not, nor should it be expected to be, the primary protector of consumers’ interests. Commerce, therefore, must not have the lead role in online privacy. That is a role best left to a new independent Privacy Protection Office and the Federal Trade Commission,” the groups wrote in a letter to the two senators.

“Protecting consumers’ privacy rights should transcend politics and we thank you for exercising leadership and seeking to deal with this challenge in a bipartisan way. But we must also express our concern that your Commercial Privacy Bill of Rights Act needs to be significantly strengthened if it is to effectively protect consumer privacy rights in today’s digital marketplace.”

Not surprisingly to me, the Center for Democracy & Technology is not among the listed organizations who have not gotten behind the bill. In a series of tweets last month, I disagreed with CDT over any “baseline” bill which they tried to argue was really “comprehensive.” Some of this is tactical, no doubt. But I do not feel disposed to settle for a weak or even bad bill just because maybe it’s all we can get at this time.

So I will go through the bill when time permits and offer my own comments. I realize that I am somewhat of an extremist compared to most folks. That’s fine. I can live with that. What I can’t live with is everyone pretending bad bills are good bills or that they’re serious about putting individuals’ privacy rights over corporate profits and greed. I do not think that we need to continue to kowtow to corporations making billions of dollars in profits each year – including health insurers. That’s bullshit. It’s time to REALLY take back our privacy.


(Related) Just keeping the status quo? See the next article...

http://www.pogowasright.org/?p=22372

Privacy ‘bill of rights’ exempts government agencies

April 13, 2011 by Dissent

Declan McCullagh reports:

Two U.S. senators introduced sweeping privacy legislation today that they promise will “establish a framework to protect the personal information of all Americans.”

There is, however, one feature of the bill sponsored by senators John Kerry (D-Mass.) and John McCain (R-Ariz.) that has gone relatively unnoticed: it doesn’t apply to data mining, surveillance, or any other forms of activities that governments use to collect and collate Americans’ personal information.

At a press conference in Washington, D.C., McCain said the privacy bill of rights will protect the “fundamental right of American citizens, that is the right to privacy.” And the first sentence of the legislation proclaims that “personal privacy is worthy of protection through appropriate legislation.”

But the measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.

Read more on cnet.

Good for Declan for headlining this exemption! How can anyone consider this a “comprehensive” privacy bill when it exempts government?


(Related)

http://www.techworld.com.au/article/382991/us_police_increasingly_peeping_e-mail_instant_messages/

US police increasingly peeping at e-mail, instant messages

Police and other agencies have "enthusiastically embraced" asking for e-mail, instant messages and mobile-phone location data, but there's no U.S. federal law that requires the reporting of requests for stored communications data, wrote Christopher Soghoian, a doctoral candidate at the School of Informatics and Computing at Indiana University, in a newly published paper.

… "As such, this surveillance largely occurs off the books, with no way for Congress or the general public to know the true scale of such activities."

… In 2009, Facebook told the news magazine Newsweek that it received 10 to 20 requests from police per day. Sprint received so many requests from law enforcement for mobile-phone location information that it overwhelmed its 110-person electronic surveillance team. It then set up a Web interface to give police direct access to users' location data, which was used more than 8 million times in one year, Soghoian wrote, citing a U.S. Court of Appeals judge.



This is interesting in a “it's not what you say, it's what you do” kind of way... If your Privacy Policy (what you say) says you protect user data, but your software (what you do) is designed to share that data with others, which would prevail in a lawsuit?

http://www.pogowasright.org/?p=22383

Website Design as Contract

April 13, 2011 by Dissent

Woodrow Hartzog writes:

Few website users actually read or rely upon terms of use or privacy policies. Yet users regularly take advantage of and rely upon website design features like privacy settings. Could these designs be part of the contract between websites and users? A draft of my new article argues just that by developing a theory of website design as contract. This article is coming out in Volume 60 of the American University Law Review later this year. In sum, I argue that in an age where website interactivity is the hallmark for many sites, courts must re-think what constitutes an online agreement. This is particularly true with respect to user privacy.

Read more on CIS.



Does this mean the government isn't covered by the Fourth Amendment either?

http://www.pogowasright.org/?p=22374

Court denies preliminary injunction against new TSA screening procedures

April 13, 2011 by Dissent

Via FourthAmendment.com, word that the Southern District of Florida has denied a preliminary injunction against the new TSA screening procedures. The court found that the plaintiff was unlikely to succeed on the merits of his Fourth Amendment claim. The case is Corbett v. United States, 2011 U.S. Dist. LEXIS 38531 (S.D. Fla. March 1, 2011).

See FourthAmendment.com for an excerpt from the decision.



...so there isn't a regulation that covers the TSA when they put on the rubber gloves and ask you to bend over?

http://www.pogowasright.org/?p=22362

Article: Disentangling Administrative Searches

April 12, 2011 by Dissent

Columbia Law Review (2011, vol. 111; 254-312) Disentangling Administrative Searches Eve Brensike Primus

Abstract:

Everyone who has been screened at an international border, scanned by an airport metal detector, or drug tested for public employment has been subjected to an administrative search. Since September 11th, the government has increasingly invoked the administrative search exception to justify more checkpoints, unprecedented subway searches, and extensive wiretaps. As science and technology advance, the frequency and scope of administrative searches will only expand. Formulating the boundaries and requirements of administrative search doctrine is therefore a matter of great importance. Yet the rules governing administrative searches are notoriously unclear. This Article seeks to refocus attention on administrative searches and contends that much of the current mischief in administrative search law can be traced to the Supreme Court’s conflation of two distinct types of searches within one doctrinal exception—namely “dragnet searches” of every person, place, or thing in a given area or involved in a particular activity and “special subpopulation searches” of individuals deemed to have reduced expectations of privacy. Dragnets came first, and special subpopulation searches came later. As the category of administrative searches tried to accommodate both kinds of searches, it gradually lost the ability to impose meaningful limitations on either one. To bring clarity and sense to this area of the law, this Article proposes that we disentangle these two kinds of administrative searches.

Full article on Columbia Review site (pdf).



Just because a Cloud service says your data is secure doesn't mean you should believe them. Your data isn't protected by “encryption” when the service provider holds the keys...

http://www.pogowasright.org/?p=22352

Researcher uncovers serious privacy and security concerns with Dropbox

April 12, 2011 by Dissent

Last week, I read some commentary about Dropbox by Derek Newton that left me thinking that what he was raising as a security issue was not necessarily a huge deal. So today, when I saw more references to Dropbox, I thought it was just continued discussion of his commentary. Thankfully, Chris Soghoian tweeted, “How Dropbox sacrifices user privacy for cost savings. New privacy flaw, not related to Kevin Newton’s recent disclosure. ”

I just read Chris’s commentary, and for now, all I can say is, if you’re using Dropbox, do yourself a favor and read his analysis immediately.

[From the article:

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.
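As an added example (not code from the original post, Soghoian's article, or Dropbox), the sketch below shows why the hash matching described above works whenever the provider can hash what it stores, whether that is plaintext or deterministically (convergently) encrypted data, and why it stops working only with a per-user key the provider never holds. The toy cipher, the function names and the sample document are constructed for illustration.

```python
"""Added example, not code from the original post or from Dropbox: shows how a
provider that can hash what it stores can tell whether an upload matches a
known file, and that only a key the provider never sees prevents this."""
import hashlib
import hmac
import secrets


def fingerprint(blob: bytes) -> str:
    """Content hash the provider keeps per stored blob (what dedup relies on)."""
    return hashlib.sha256(blob).hexdigest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256. Illustration only; a real
    client would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the data with the keystream (symmetric: the same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def convergent_key(data: bytes) -> bytes:
    """Convergent encryption: the key is derived from the content itself, so
    every user holding the same file produces the same blob (dedup still works)."""
    return hashlib.sha256(b"convergent-key:" + data).digest()


def provider_can_identify(stored_blob: bytes, watchlist: set) -> bool:
    """The only question the provider needs answered: is the hash of the blob
    it stores present in a watchlist of precomputed hashes?"""
    return fingerprint(stored_blob) in watchlist


def run_scenarios() -> dict:
    """Upload one 'known' document under three client policies and report
    whether the provider can match it and whether two users dedup to one blob."""
    # Constructed sample content standing in for any file on a watchlist.
    known_doc = b"constructed sample: a document the provider already has a hash for"
    results = {}

    # 1. Plaintext upload: the watchlist is simply hashes of known plaintexts.
    watchlist = {fingerprint(known_doc)}
    results["plaintext"] = {
        "identified": provider_can_identify(known_doc, watchlist),
        "dedups": fingerprint(known_doc) == fingerprint(known_doc),
    }

    # 2. Convergent encryption: the blob is deterministic, so anyone holding the
    #    known plaintext can precompute its blob hash. Matching still works.
    blob_a = encrypt(known_doc, convergent_key(known_doc))  # user A's upload
    blob_b = encrypt(known_doc, convergent_key(known_doc))  # user B's upload
    watchlist = {fingerprint(encrypt(known_doc, convergent_key(known_doc)))}
    results["convergent"] = {
        "identified": provider_can_identify(blob_a, watchlist),
        "dedups": fingerprint(blob_a) == fingerprint(blob_b),
    }

    # 3. Per-user random key the provider never sees: blobs differ per user,
    #    nothing can be precomputed, so no matching and no cross-user dedup.
    blob_a = encrypt(known_doc, secrets.token_bytes(32))
    blob_b = encrypt(known_doc, secrets.token_bytes(32))
    watchlist = {fingerprint(known_doc),
                 fingerprint(encrypt(known_doc, convergent_key(known_doc)))}
    results["per_user_key"] = {
        "identified": provider_can_identify(blob_a, watchlist),
        "dedups": fingerprint(blob_a) == fingerprint(blob_b),
    }
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(f"{policy:13s} identified={outcome['identified']} dedups={outcome['dedups']}")
```

The middle case is the cost-saving trade-off: deterministic ciphertext keeps deduplication working, but it also keeps hash matching working.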


(Related) Does anyone get it right?

http://www.digitaltrends.com/computing/the-5-best-cloud-storage-services-compared/

The 5 best cloud storage services compared



Now here's a scary idea... Not sure I can tell exactly how this will happen from the article.

http://www.techworld.com.au/article/383125/facebook_biggest_bank_by_2015/?fp=2&fpid=1

Facebook to be 'biggest bank' by 2015

The explosion of social networking commerce will lead to the unlikely candidate of Facebook becoming the world’s biggest bank by the middle of the decade, according to a technology observer and entrepreneur.

People who don’t have a Facebook account should get one or risk having a financial profile created for them says founder and president of Metal International, Ken Rutkowski.

… “Facebook has 680 million users and that’s massive,” he said. “Who doesn’t have a Facebook profile? Let me tell you why it’s important why you do.”

“Facebook will be the largest bank by 2015. I hear you say ‘how can they be a bank’ what’s going on?”

According to Rutkowski, Facebook credits allow people to play games and Facebook is already doing deals with the banks for credit profiles.

“If you play games on Facebook, which, by the way 40 to 50 per cent of the time spent on Facebook is playing games, and those games – like Farmville and Mafia Wars – are paid for and you have to buy credits for that and they are called Facebook Credits.”

Rutkowski cited the company Zynga that created Farmville as being worth almost $12 billion now and it “didn’t even exist 18 months ago”.



This suggests a much smaller impact than I was expecting. Could Rupert Murdoch be right?

http://www.thetechherald.com/article.php/201115/7055/The-NYTimes-com-paywall-causes-traffic-to-drop

The NYTimes.com paywall causes traffic to drop

Hitwise, an online intelligence and marketing firm, looked at traffic to NYTimes.com 12 days before the paywall went live, and compared its collated figures to the traffic flow 12 days after.

“For the majority of the days, there was a decrease in the overall visits between 5% and 15%. The one exception was Saturday, April 9th, 2011 where there was a 7% increase, likely due to visitors seeking news around the potential government shutdown and ongoing budget discussions,” explained Heather Dougherty, director of research at Hitwise.

“The effect of the pay wall has been somewhat stronger upon the total page views for the NYTimes.com,” she added. “For all 12 days, there was a decline in total page views which ranged between 11% and 30%.”

… Some visitors were given a free subscription to the paywall, courtesy of a promotion from Lincoln, but that doesn’t seem to have helped. Moreover, the paywall is more like a low fence; considering it can be dodged easily enough after the visitor's 20 free views have been used. [Could it be that NYT readers are smart enough to bypass the paywall when they want the news? Bob]



For the Software Tool folder...

http://www.makeuseof.com/tag/free-cad-drawing-linux-windows-mac-librecad/

Free CAD Drawing For Linux, Windows & Mac Using LibreCAD

LibreCAD can be used for any 2D architectural drafting, engineering designs, mechanical parts drawing, construction, simulation, interior design, creative design work or other diagrams.

Files are saved as DXF format or can be exported to a number of picture formats, such as JPG or PNG.

http://www.librecad.org/




May have some value in the classroom...

http://www.makeuseof.com/dir/freedocumentarytv-free-full-length-documentary-films/

FreeDocumentaryTV: Watch free full-length documentary films

[For example:

The Secret History Of Hacking

Can You Hack It? – Hackers Wanted

www.freedocumentary.tv


Tuesday, April 12, 2011

Smaller than Epsilon, but still clear that things are bigger in Texas!

http://www.databreaches.net/?p=17709

Texas comptroller’s office data breach exposes 3.5 million teachers’ and employees’ Social Security numbers and other personal information

April 11, 2011 by admin

Kelley Shannon reports:

Texas Comptroller Susan Combs revealed Monday that the personal information of 3.5 million people has been inadvertently disclosed by her agency, making Social Security numbers, dates of birth and other data accessible to the public.

The information was available on a publicly accessible computer server and included data transferred by the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.

Combs said that on Wednesday her office will begin sending letters to notify those affected by the data breach, which is thought to be the largest in Texas history.

Read more on Dallas News.

The Comptroller’s Office has issued a press release today:

The Texas Comptroller’s office is sending letters beginning Wednesday, April 13, to notify a large number of Texans whose personal information was inadvertently disclosed on an agency server that was accessible to the public. The records of about three and a half million people were erroneously placed on the server with personally identifying information.

There is no indication the personal information was misused. [A common, if meaningless statement in Breach Notices. Bob]

“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Texas Comptroller Susan Combs said. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously and this type of exposure will not happen again.”

The records contained the names and mailing addresses of individuals. The records also included Social Security numbers, and to varying degrees also contained other information such as dates of birth or driver’s license numbers – all the numbers were embedded in a chain of numbers and not in separate fields. [In other words, a typical computer record. Bob]

The information was in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).

The TRS data transferred in January 2010 had records of 1.2 million education employees and retirees. The TWC data transferred in April 2010 had records of about 2 million individuals in their system. And the ERS data transferred in May 2010 had records of approximately 281,000 state employees and retirees.

The data files transferred by those agencies were not encrypted as required by Texas administrative rules established for agencies. In addition to that, personnel in the Comptroller’s office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures. The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files. The agency has also contacted the Attorney General’s office to conduct an investigation on the data exposure and is working with them.

The information was required to be transferred per statute by these agencies and used internally at the Comptroller’s office as part of the unclaimed property verification system.

The Comptroller views the protection of personal information as a serious issue. She will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state.

The agency has set up an informational website for individuals at www.TXsafeguard.org to provide additional details and recommended steps and resources for protecting identity information.



Could Spammers connect an email address to a phone number? Sure. Why would they leave “noise” rather than a sales pitch for Viagra?

http://www.databreaches.net/?p=17670

Readers question whether Epsilon breach was really names and email addresses only (updated to include response from Epsilon)

April 11, 2011 by admin

From comments under another blog entry, it seems clear that a lot of people are not believing Epsilon’s assurance that the breach involved names and email addresses only.

I received the following email, which I am reproducing except for redacting the name of the sender and the name of the Epsilon employee and their phone number, although that information was provided to me and to CERT:

I saw that you posted an article about the Epsilon breach and I am trying to make consumers aware of more information. Phone numbers were taken along with the email addresses. I am getting over 100 phone calls per day and nothing is being done about it. When contacting the phone company, they give me no other choice but to change my phone number. But I need my phone number for work and it would be very difficult to change it. I am sure there are hundreds of other people dealing with the same issue. At the least, people need to know that it was not just email addresses taken, phone numbers were taken and who knows what else. Epsilon lied to us.

———- Forwarded message ———-
From: [redacted]
Date: Sun, Apr 10, 2011 at 7:23 PM
Subject: Epsilon breach included phone numbers
To: phishing-report@us-cert.gov

Ever since I was notified that my information was compromised during the Epsilon breach, I have been getting phone calls every 4 minutes constantly for over a week. The calls will come from random computer-generated 11 digit numbers, blocked numbers, and unknown numbers. Even though the numbers are different, they always leave the same 29 second voicemail that sounds like frequencies when adjusting an old TV antenna. I called Epsilon and spoke to [redacted employee name] at [redacted phone number], and she confirmed that other customers were getting the same types of calls and it was widespread. However, they only reported that email addresses were taken and denied anything else. Clearly other information was taken and is still being abused.

I am blocking all calls that are not in my contact list. Here is a brief history of the calls that were blocked for 3 days.

Is anyone doing anything about this???

*********************************************
* Received and Blocked Calls
*********************************************

[A very very long list of timestamps and blocked calls was included in the email to CERT but is deleted here to save space]

In subsequent correspondence, the writer indicated that the phone calls started on March 31 around 2:00 pm ET and have been non-stop ever since. Note that the phone calls reportedly started after the breach occurred but the day before Epsilon issued its press release on the breach.

I asked which notifications s/he had received following the announcement of the breach, and s/he indicated New York & Company, Hilton Honors, and Capital One. The correspondent indicated some surprise that more notifications hadn’t been received because s/he has accounts with some of the other entities who were reportedly affected.

Epsilon did not respond to an email inquiry sent by DataBreaches.net by the time of this publication, but if I receive a response, I will update this post.

Update: An Epsilon spokesperson responds:

As stated in our releases, the ONLY information that was compromised was email address and/or customer name.

At this point, all I’m able to share are the statements on our website as we conduct an ongoing investigation.



No indication of numbers, yet. Data includes “sales leads” so apparently you don't need to be associated with the company to be a victim.

http://www.databreaches.net/?p=17713

Hacker breaks into Barracuda Networks database

April 12, 2011 by admin

Robert McMillan reports:

A hacker has broken into a Barracuda Networks database and obtained names and e-mail addresses of some of the security company’s employees, channel partners and sales leads.

The hacker, who called himself Fdf, posted proof of his attack to the Web on Monday, showing e-mail addresses of company employees and names, e-mail addresses, company affiliations and phone numbers of sales leads registered by the company’s channel partners.

Read more on Computerworld. Additional coverage on The Register. Barracuda’s response here.

[From the Register article:

Screenshots showed what was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the UK's Hartlepool College of Further Education.

… It was unclear if the hashed passwords were salted to prevent them from being cracked using various free tools available on the internet.

… SQL injection attacks exploit poorly written web applications that fail to scrutinize user-supplied data entered into search boxes and other fields included on the targeted website. By passing database commands to the site's backend server, attackers can harness the vulnerabilities to view and even modify the confidential contents.

In all, 22 databases with names including new_barracuda, information_schema and Marketing were exposed, according to the post, which was published on Tuesday.

[From barracuda:

The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.

After approximately two hours of nonstop attempts, [Which no one noticed because they had turned off the firewall? Bob] the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.

… We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
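To make the Register's description and Barracuda's own account concrete, here is an added illustration (not Barracuda's script, and not code from either article) of the flaw class: a PHP page that selects customer case studies by vertical market, first with the query built by string concatenation and then with a bound parameter, an allow-list and a read-only database account. The table and column names, the list of verticals and the account name are all assumed.

```php
<?php
// Added illustration, not Barracuda's script. Assumed schema: a table
// case_studies(id, title, vertical) reached through PDO over MySQL.

// BEFORE: the ?vertical= value from the request is spliced into the SQL
// text, so the query itself becomes user-controlled. This is the
// "fails to scrutinize user-supplied data" pattern the article describes.
function caseStudiesVulnerable(PDO $db, string $vertical): array {
    $sql = "SELECT id, title FROM case_studies WHERE vertical = '" . $vertical . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the SQL text is constant and the value travels as a bound
// parameter, so the database never parses it as part of the statement.
function caseStudiesSafe(PDO $db, string $vertical): array {
    // Defence in depth: verticals are a small known set (assumed list),
    // so anything outside it is rejected before touching the database.
    $allowed = ['education', 'healthcare', 'finance', 'government'];
    if (!in_array($vertical, $allowed, true)) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM case_studies WHERE vertical = :vertical');
    $stmt->execute([':vertical' => $vertical]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Native (non-emulated) prepares let MySQL bind the parameter itself, and
// exceptions keep raw database errors out of the HTTP response. The
// connection uses an assumed read-only account scoped to one database: a
// script that only needs SELECT on one table should not be able to reach
// information_schema or a marketing database even if it is compromised.
$db = new PDO('mysql:host=localhost;dbname=www', 'www_ro', getenv('DB_PASS'), [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$vertical = $_GET['vertical'] ?? '';
header('Content-Type: application/json');
echo json_encode(caseStudiesSafe($db, $vertical));
```

The scope limit on the account is the part that maps directly onto the incident: the post lists 22 databases reached through one script, which a single-database, SELECT-only credential would not have exposed.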



Building a Hacker Target... Your data is secure, except that “almost everyone at the university?” will have access.

http://www.pogowasright.org/?p=22330

UK: Student database raises privacy concerns

April 11, 2011 by Dissent

Alice Kinder reports:

Oxford University’s decision to add students to the University’s Development and Alumni Relations System database has provoked mixed reactions.

An email was sent out to students on Thursday stating that the University will be adding information on all students to the new database “in order to facilitate better communication and engagement for the entire Oxford community.”

However, students wishing to opt out of having their information migrated are given the opportunity to do so before the 4th May.

This data includes name, contact details, date of birth, gender, marital status, nationality, supervisor, college advisor, programme of study and educational history. Academic results will not be transferred.

Read more on Cherwell.

I imagine hackers are licking their lips already over this one. I thought Oxford was supposed to have some smart people, but look at this self-contradictory explanation:

It is said that details in DARS are held securely, and the data can then be used for networking purposes so that those who have left university can “connect with other, like-minded alumni”.

The email sent to students also states that the data may be used by colleges, faculties, departments, administrative units, international offices, recognised alumni societies, and sports and other entities associated with the University.

Hopefully, the students at Oxford are smarter or more savvy than the folks who came up with this plan and they will opt out immediately.



Now those Privacy Policies no one reads are even more important. Absent a Policy, you have no Privacy?

http://www.pogowasright.org/?p=22339

Judge rules emails in Hamilton’s case admissible

April 12, 2011 by Dissent

Frank Green reports:

A federal judge in Richmond has ruled that the government may use emails between former Del. Phillip A. Hamilton and his wife in his upcoming bribery and extortion trial.

[...]

Hamilton’s lawyers said the emails are not admissible because of his Fourth Amendment right to privacy and the privilege of protecting confidential marital communications.

But, wrote U.S. District Judge Henry E. Hudson in an eight-page ruling Monday, “Neither affords him the protection he seeks.”

The emails were stored on Hamilton’s work computer with the Newport News school system. At the time they were written, the school system had no policy on privacy expectations.

Read more in the Richmond Times-Dispatch. Related coverage from Associated Press can be found on PilotOnline.com



Should be amusing to watch...

http://www.pogowasright.org/?p=22343

Draft PRC Guidelines on Personal Data Protection

April 12, 2011 by Dissent

Gabriela Kennedy writes:

While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People’s Republic of China (“PRC”) has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology — Guide of Personal Information Protection (the “Guidelines”, issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.

Read more of their description of the draft guidelines on Hogan Lovells Chronicle of Data Protection.



E-Discovery: Changing technology, large data volumes, and the Joy of Computer Forensics...

http://www.bespacific.com/mt/archives/026978.html

April 11, 2011

Sedona Conference® Database Principles - Addressing the Preservation & Production of Databases & Database Information in Civil Litigation

The Sedona Conference® Database Principles - Addressing the Preservation & Production of Databases & Database Information in Civil Litigation. A Project of The Sedona Conference® Working Group on Electronic Document Retention & Production (WG1), March 2011 Public Comment Version, by The Sedona Conference®. Editor-in-Chief: Conrad J. Jacoby

  • "Disputes over the discovery of information stored in databases are increasingly common in civil litigation. Part of the reason is that more and more enterprise-level information is being stored in searchable data repositories, rather than in discrete electronic files. Another factor is that the diverse and complicated ways in which database information can be stored has made it difficult to develop universal “best-practice” approaches to requesting and producing information stored in databases. The procedures that work well for simple systems may not make sense when applied to larger server-based systems. Similarly, retention guidelines that make sense for archival databases—that is, databases that add new information without deleting past records—rapidly break down when applied to transactional databases where much of the system’s data may be retained for only thirty days—or even thirty seconds."


(Related) Not everyone tries to hide evidence, but here's what happens when you get caught.

http://e-discoveryteam.com/2011/04/10/judge-refers-defendant%E2%80%99s-e-discovery-abuse-to-u-s-attorney-for-criminal-prosecution-of-the-company-and-four-of-its-top-officers/

Judge Refers Defendant’s e-Discovery Abuse to U.S. Attorney for Criminal Prosecution of the Company and Four of Its Top Officers



Not the typical knee-jerk reaction...

http://games.slashdot.org/story/11/04/11/2353248/DRM-Drives-Gamers-To-Piracy-Says-Good-Old-Games?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

DRM Drives Gamers To Piracy, Says Good Old Games

"Independent retro games retailer Good Old Games has spoken out about digital rights management, saying that it can actually drive gamers to piracy, rather than acting as a deterrent. In an interview, a spokesperson for Good Old Games said that the effectiveness of DRM as a piracy-deterrent was 'None, or close to none.' 'What I will say isn't popular in the gaming industry,' says Kukawski, 'but in my opinion DRM drives people to pirate games rather than prevent them from doing that. Would you rather spend $50 on a game that requires installing malware on your system, or to stay online all the time and crashes every time the connection goes down, or would you rather download a cracked version without all that hassle?'"



Interesting idea for an application. First, find a big market (dieters) then sell them something they can use... (Now we'll have people texting and snapping photos at the table next to us when we want a quiet dinner.)

http://news.yahoo.com/s/nm/us_technology_app_meals;_ylt=A0LEapEVAqNNt.QAmxis0NUE;_ylu=X3oDMTNzc2Fha3RmBGFzc2V0A25tLzIwMTEwNDExL3VzX3RlY2hub2xvZ3lfYXBwX21lYWxzBGNjb2RlA21vc3Rwb3B1bGFyBGNwb3MDMTAEcG9zAzcEcHQDaG9tZV9jb2tlBHNlYwN5bl9oZWFkbGluZV9saXN0BHNsawNuZXdhcHBjYWxjdWw-

New app calculates calories through photos of food

Worried about how many calories you are going to consume in that slice of pizza, chocolate cake or bag of fries? A new iPhone application may help.

After taking a picture of the meal with the phone, the app gives a calorie read-out almost instantly.

The app, called MealSnap, was developed by DailyBurn, a fitness social network that has created several other fitness and diet-related iPhone applications.

Within minutes of taking a picture of a meal and matching it to a database of some 500,000 food items, the app sends users an alert with a range of calories for the meal that was photographed.



Might be interesting to add to your business cards as a pointer to an “always up-to-date” resume... Or the current price list... Or your Blog... Or ??? ...

http://www.makeuseof.com/dir/uqr-share-websites-qr-codes/

Uqr: Share Websites & Other Various Things Through QR Codes

uQR is a simple and free to use web service that lets you share anything on the web using QR codes. Basically the website gives you a public profile that has two parts: a URL and a QR code pointing to this URL. When people scan the code, they are taken to your uQR sharing page where you can share almost anything: specially formatted text, your vCard, a YouTube video, or any other URL of your choosing. Things you share on the profile can be changed anytime.

You can print out the QR code and paste it anywhere in public. This way you will be sharing material with everybody who has the ability to scan the code and reach your uQR profile, an interesting idea indeed.

www.uqr.me

Similar tools: QRVCards, QRcore and LocationBookmark.



For my fellow Sci-Fi fans. I always wanted to build one in my garage...

http://www.wired.com/wiredscience/2011/04/shuttle-manual-excerpt/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Book Excerpt: Space Shuttle Owners’ Workshop Manual