“Hello. We're an academic institution, so we have a checklist of things you are not supposed to do when handling Personally Identifiable Information. Watch, as we violate every rule!”
http://www.databreaches.net/?p=8926
Hacker hits NC community college system
December 17, 2009 by admin Filed under Breach Incidents, Education Sector, Hack, Of Note, U.S.
Kristin Collins reports:
Patrons of the state’s community colleges may have had their drivers license and Social Security numbers stolen by a hacker.
College officials announced late today that 51,000 library users at 25 campuses, including Wake Tech and Johnston County, were the victims of a security breach in August.
They said the libraries collect drivers license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. [AKA: “Hacker target.” Why is this information still online? Bob]
The colleges are in the process of notifying all users whose numbers were on the server when it was accessed by a hacker earlier this year.
However, they said their investigation suggests that the hacker did not access the information.
Read more on News&Observer.
The North Carolina Community Colleges System web site has a notification of the breach (pdf), but only if you click on the news link from the home page. Somehow, with all the good news that they managed to post to the home page, they did not post the security breach as news where people might see and find it right away. The notice says, in part:
On Sunday, August 23, 2009, a computer hacker accessed the library patron information on the computer server, housed in the community college System Office in Raleigh, via the Internet by decoding a user password. [AKA: “Guessing” Bob] The breach was discovered [Good for them! Bob] on Monday, August 24 during a routine security review and was reported to the state’s Information Technology Service (ITS). The System Office’s Information Services division immediately began an investigation to trace the activity of the attacker and the extent of the breach.
Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium (CCLINC) maintain information on more than 270,000 library users on this server. The investigation revealed that 12,400 driver’s license numbers, originally collected by 18 colleges to help identify library users, were stored on the server.
[...]
The ongoing review revealed on October 19, 2009, that Social Security numbers of 38,500 library patrons were also stored on the breached server.
[...]
“Finding the Social Security numbers added another layer onto an already complex investigation,” said Dr. Saundra Williams, Senior Vice President of Technology and Workforce Development in the System Office. “We went from 12,400 library users to nearly 51,000 so the scope of our review was greatly increased. We felt it was necessary to be extremely cautious each step of the way to prevent future breaches and to ensure that the information was dealt with appropriately.”
For all their explanation, it still took them over two months to realize that they had SSN on a breached server. In my opinion, that’s not satisfactory. Nor, by today’s standards, is it good to take four months to reveal a breach. I hope that they’re right and that the data weren’t accessed, but if the data had been accessed, the delays experienced in notifying people could make a difference.
Elsewhere, Jon Ostendorff reports that an internal memo obtained by the Citizen-Times said, in part:
“At this time, it appears that the compromise was limited to the operating system and the installation of ‘chat’ software,” according to the memo from system Senior Vice President Saundra Williams. “There is no evidence that any data was accessed. The data is stored in an obscure database [I know of no technical basis for such a statement. Bob] which the unauthorized user would have to know the structure of the database [or spend several minutes looking at it. Bob] to piece the information together to match the person’s name with other personally identifiable information.”
Casual control of laptops is my guess. “Need training? Just grab a laptop – no need to consider what might be on it.” (Or why this information would be on a laptop in the first place!)
http://www.databreaches.net/?p=8916
VA: Laptop containing personal information about MWR customers stolen (update 1)
December 17, 2009 by admin Filed under Breach Incidents, Government Sector, Of Note, Theft, U.S.
FMWRC Public Affairs posted the following on www.army.mil:
A laptop computer containing names and personally identifiable information for slightly more than 42,000 Fort Belvoir Morale, Welfare and Recreation patrons was stolen from a Family and Morale, Welfare and Recreation Command employee Nov. 28.
The Family and MWR Command was made aware of the theft Dec. 1, and began assessing the extent of the security breach and preparing to notify affected customers. Letters were sent this week to all affected patrons explaining the nature of the breach.
[...]
Anyone attempting access to the data on the computer would have to bypass three layers of security access and encryption passwords.
[...]
The Family and MWR Command operates numerous facilities on Fort Belvoir, including childcare centers, bowling centers, restaurants, outdoor recreation facilities, and golf courses. Soldiers, family members, Department of Defense employees and other authorized MWR patrons who used an MWR facility on Fort Belvoir since 2005 may be included in the data on the laptop.
Update: CNN’s Samantha Hayes provides some additional details:
The security breach happened when the rental apartment of an employee with the Morale, Welfare, and Recreation Academy was burglarized in Clermont, Florida, officials said. The theft was reported to local police November 28, but the military was not notified until the employee returned to work three days later. [The employee may not have known what was on the laptop Bob]
Military officials say the employee was using the laptop for remote training courses, and it has not been determined whether any protocol was breached.
[...]
CNN obtained the notification letter sent, almost two weeks later, to those affected. It says, in part, that the alleged compromised information “includes your name, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone numbers, and family member information.”
Thanks to the good folks over at ITRC for alerting me to the CNN coverage.
Bigger than I thought...
http://www.databreaches.net/?p=8938
(update) RockYou admits security snafu exposed email login details
December 18, 2009 by admin Filed under Business Sector, Hack
John Leyden reports:
Social media application developer RockYou has vowed to improve its security and apply encryption following a breach that exposed 32 million user login credentials to hackers.
Sensitive login credentials – stored in plain text – were left open to attack as a result of an SQL injection vulnerability in RockYou’s website. In a statement, RockYou said the exposed password credentials applied to widgets it develops and potentially exposed user password and email addresses. The developer said user credentials about RockYou applications on partner sites – including Facebook, MySpace, and Orkut – was not exposed by the admitted breach.
Read more on The Register.
There goes 10% of my bonus!
http://www.databreaches.net/?p=8932
Heartland pays Amex $3.6M over 2008 data breach
December 18, 2009 by admin Filed under Financial Sector, Hack
Robert McMillan reports:
Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network.
This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.
[...]
This settlement resolves “all intrusion-related issues between the two parties,” Heartland said in a statement Thursday. However, the company’s disputes with other brands such as Visa and MasterCard apparently remain unresolved. A company spokeswoman declined to comment further on the matter for this story.
Read more on Computerworld.
[From the article:
… Heartland was one of several companies that the hackers managed to break into using SQL injection attacks. [Have we seen “SQL injection” before? Bob]
In May, Heartland CEO Bob Carr said that his company had set aside $12.6 million to handle charges related to the hack. More than half of that money was to handle fines levied by MasterCard, he said.
The Privacy Policy is connected to the Terms of Use
The Terms of Use are changed at the Providers Whim
The Providers Whim results in Angry Customers
Now shake dem skeleton bones!
Eventually, these companies are going to notice that changing their customer Privacy or Security settings without notice is a bad thing. Eventually...
http://www.pogowasright.org/?p=6387
Privacy Groups Bring Facebook Complaints to FTC
December 17, 2009 by Dissent Filed under Featured Headlines, Internet
Robert McMillan reports:
Ten privacy and consumer groups, including the Electronic Privacy Information Center (EPIC), filed a complaint Thursday with the U.S.Federal Trade Commission, saying that Facebook’s newly revamped privacy settings are deceptive and unfair.
Facebook unveiled the new privacy settings last week, saying that they were giving users more granular control over their settings, but critics immediately jumped on the fact that Facebook’s new default settings push information that may previously have been semi-private onto the Internet and they now give users no way to block their friends’ Facebook applications from accessing personal data.
“Facebook is engaging in unfair and deceptive acts and practices,” that are “likely to cause substantial injury to consumers,” says the complaint, which was posted to EPIC’s Web site Thursday.
Read more on CIO.
Legislation initiated by the “We gotta do something” crowd (AKA: Knee-jerk legislation) rarely gets it right. Thank god for angry citizens!
http://yro.slashdot.org/story/09/12/18/040235/After-Berlusconi-Attack-Italy-Considers-Web-Censorship?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
After Berlusconi Attack, Italy Considers Web Censorship
Posted by timothy on Friday December 18, @06:27AM from the streisand-should-charge-a-consulting-fee dept.
An anonymous reader writes
"The Italian government has proposed introducing new restrictions on the Internet after a Facebook fan page for the man who allegedly attacked Prime Minister Silvio Berlusconi on Sunday drew almost 100,000 users in under 48 hours. However, the planned clampdown on Internet hate speech sparked a heated debate over censorship and freedom of expression, leading Interior Minister Roberto Maroni to execute a partial U-turn."
Probably not an example of true, government sponsored cyber war tactics, but something to consider. If Twitter can be a source of information, it can also be a source of dis-information.
http://news.cnet.com/8301-1023_3-10418140-93.html?part=rss&subj=news&tag=2547-1_3-0-20
Twitter hijacked by 'Iranian Cyber Army'
by Steven Musil December 17, 2009 10:40 PM PST
… Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez's feed and proclaimed the journalist was "high on crack." Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation's presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
Hoist on their own petard.
http://entertainment.slashdot.org/story/09/12/17/1916241/DRM-Flub-Prevented-3D-Showings-of-emAvatarem-In-Germany?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
DRM Flub Prevented 3D Showings of Avatar In Germany
Posted by timothy on Thursday December 17, @02:31PM from the token-of-our-appreciation dept.
Fraggy_the_undead writes
"According to German IT news site heise.de, yesterday several 3D showings of Avatar couldn't take place (German; Google translation to English), because the movies were DRM protected such that there had to be a key per copy of the film, per film projector, and per movie server in the theater. The key supplier, by the name Deluxe, was apparently unable to provide a sufficient number of valid keys in time. Moviegoers were offered to get a refund or view an analogue 2D showing instead."
Diversity is as diversity does. F. Gump For my statistics students.
http://www.bespacific.com/mt/archives/023042.html
December 17, 2009
Media Mention: Social Networking, Race and Ethnicity Facebook releases first-ever demographic look at users
Mercurynews.com: "Illustrating the growing diversity of online users as the Internet matures, a study by Facebook researchers found that about 11 percent of the social network's approximately 100 million U.S. members were African-American, about 9 percent were Latino and 6 percent were Asian, according to a post on Facebook's blog Wednesday evening — a much higher share for blacks and Latinos than four years ago."
[From the article:
Facebook does not ask its more than 350 million worldwide members to disclose their race. But researchers at the Palo Alto-based social network used a Census Bureau database of the demographic characteristics of 150,000 American surnames to track the rapidly changing racial makeup of its U.S. members over the past four years. [In other words, this is a SWAG (Scientific Wild-Ass Guess) Bob]
Interesting. I wonder if Google thinks it necessary to create cheaper hardware to get more people using their search engine (and seeing more ads)?
http://www.appleinsider.com/articles/09/12/17/beyond_nexus_one_google_rumored_to_create_netbook_hardware.html
Beyond 'Nexus One,' Google rumored to create netbook hardware
By Katie Marsal Published: 11:05 AM EST Thursday, December 17, 2009
As reports continue to state Google will sell a custom built phone very soon, a new rumor suggests the search company will also release its own branded netbook PC when Chrome OS debuts in late 2010.
If true, it would mean that Google and Apple are set to compete yet again, this time in the hardware and software PC business. The latest rumor is just more evidence of why Google CEO Eric Schmidt was forced to resign from the Apple Board of Directors in August, as the two companies face off with competing browsers, phones and, in the future, operating systems.
Finding start-ups (and other stuff)
http://trends.techcrunch.com/2009/12/17/onewire-jagtag-simplegeo-millenial-funding/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
CrunchBase Funding Digest: JAGTAG, OneWire, SimpleGeo, Millennial Media
by Daniel Levine on December 17, 2009
Everyday I troll SEC Form D Filings to discover new startups, fundings and investments. I put everything I find into CrunchBase.
(Related) What if McDonald's sold wine?
http://www.techcrunch.com/2009/12/17/trefis-stock-charts/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Trefis Widgetizes Its Customizable Stock Price Charts
by Jason Kincaid on December 17, 2009
Last month we wrote about Trefis
, a new financial site that lets you tweak your stock predictions by adjusting variables in a company’s business model, depending on how you think different segments of the company will perform. These predictions are plotted out on attractive interactive charts, but until now those charts were all housed on the site’s homepage. Today, Trefis is launching support for widgets, giving bloggers and financial experts the chance to share their adjusted stock predictions with the world.
Free is good.
http://www.killerstartups.com/Search/inkmesh-com-looking-up-both-free-paid-ebooks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29
Inkmesh.com - Looking Up Both Free & Paid eBooks
http://www.inkmesh.com/
Research tool Because different search algorithms yield different results.
http://www.makeuseof.com/dir/searchzooka-advanced-search/
Searchzooka: Conduct Advanced Search On Multiple Search Engines
By Karl Gechlik on Dec. 12th, 2009
… makes it easy to do the same advanced search on multiple search engines (Google, Yahoo, Bing, Ask, Digg, Delicious and Technorati.).
www.searchzooka.com
What can you do with 26 gigapixels? Click on some of the images below the picture and wait a few seconds after the zoom for a clean-up of the image, then zoom again.. Now think UAV or satellite.
http://www.dresden-26-gigapixels.com/dresden26GP
