Showing posts with label Crime.

Monday, May 17, 2010

Google accidentally spies on open WiFi

Ben Rooney of cnnmoney.com reports that Google has admitted that its Street View cars have been collecting data from open WiFi hotspots. Google first admitted, on April 27th, to collecting the publicly broadcast information of open hotspots, things like network names and router numbers. But after being asked for more information, Google says it discovered that more data was being collected: private data in the packets being transmitted across the network. Supposedly the code that gathered data packets was accidentally included in the software used to gather public information on WiFi.

The software changes channels five times a second, so only bits and pieces of data would be gathered. Encrypted data, like the communications between you and your bank, cannot be read, so it won't have been compromised by Google's illicit scans.

Google is, of course, saying that it was an accident. In response they have stopped all scanning of open WiFi by their Street View cars until they can repair and replace the faulty software. They have arranged for a third party to review the software and the data collected from public WiFi networks.

This is a major blunder by Google. Whether it was a case of pushing the envelope to see what the reaction would be or an honest mistake, it's going to hurt Google's reputation. This one I tend to believe was an accident. In many nations it is illegal to tamper with electronic communications. Google may want to gather and use information, but breaking the law to do it isn't good business.

Monday, May 10, 2010

More Homeland (in)Security

In a report on Yahoo News, Eileen Sullivan and Matt Apuzzo of the Associated Press tell us why Faisal Shahzad was almost able to leave the country by plane after his alleged failed bombing attempt. It's a sad statement that just four months after dumb luck kept the crotchbomber from blowing himself and his fellow passengers out of the sky in a plane he shouldn't have been able to board, dumb luck again prevents a terrorist wannabe from igniting his bomb, and in this instance from escaping by boarding a plane he should never have been able to board.

This sad statement on U.S. security reminded me of an almost four-year-old blog post by Bruce Schneier on the arrests in July 2006 of terrorists reportedly hoping to set off a so-called "binary explosive", something apparently extremely difficult to do. Regardless of the likelihood of that scenario, Mr. Schneier makes some very good points:

"None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot."

Last Christmas's intelligence fiasco points out the same thing. In 2001 we had a massive intelligence failure: all the pieces were there, but inter-agency, even intra-agency, rivalry prevented all the pieces from being gathered and put together. In December 2009 all the pieces were there, but were ignored, or not communicated in a timely manner. In the two incidents of the last 6 months the terrorist boarded an international flight despite being on the no-fly list. All of this shows that we don't need more ways for the government to monitor and spy on us. Adding new ways to gather information so it can be misused, or not used at all, is not an answer. We need to make proper use of the methods we already have in place. Then we can know what is working and what needs changing.

Tuesday, May 4, 2010

Alcohol + camera + Facebook = no play

Greg Cergol from nbcnewyork.com reports that several lacrosse players at Ward Melville High School in New York were suspended when school officials saw pictures of them drinking on Facebook.

Fifteen lacrosse players were suspended because of the pictures - six of them indefinitely. This kind of occurrence isn't anything new, although this may be the largest group of high school students to hose themselves on Facebook to date. If I had any illusions about high school students thinking about how private Facebook really is, my favorite quote from the article would have disabused me:
"Maybe it's not the smartest move to have put the photos up," said senior Teddy Ouwerkerk. "I guess Facebook isn't the most private after all."

Monday, May 3, 2010

Facebook users risk blackmail

Everyone who follows this blog knows that I do not like the way Facebook pretends to protect our privacy. But my statements pale in comparison to what Jennifer Stoddart, Canada's Privacy Czar, has to say. In a story in the Globe and Mail she says:
“I’m very concerned about these changes. More than half a million developers will have access to this data. The information will be stored indefinitely and it opens the possibility that a lot of people can be blackmailed from all corners of the world.”

That's a pretty strong assertion. I'm not sure how real a danger that is, but I understand her concern. It's embodied in another quote regarding how well Facebook is living up to the promise it made to the Canadian government to better protect members' privacy. After the privacy changes announced last week she said, “They certainly seem to be moving in the opposite direction."

It's true that the constant privacy policy rewrites by Facebook would be better called 'personal publicity facilitators'. And with the odd, bewildering, and downright idiotic things that people post on Facebook, blackmailable data will probably be posted by more than a few people. But once it's been posted to Facebook, how much of a lever can it be for blackmail?

Friday, April 30, 2010

Choosing to host malware

ZDNet's Dancho Danchev reports on a disturbing development in activism: the opt-in botnet.

In case you don't know what a botnet is, it is a group of computers that have been taken over by malware that allows someone besides the computer's owner to take control and/or use the computer to attack other computers, servers, and even other botnets. Usually the people hosting the computers in the botnet don't know they've been infected. In the case of an opt-in botnet, though, they do. Not only do they know, they've intentionally infected their computers so a coordinated attack can be launched against an entity their activist group doesn't like. This is similar to activists chaining themselves to trees, vandalizing government (or other) buildings, or bombing whatever they don't like.

This kind of activity is illegal, but most people who become part of opt-in botnets either don't know this, don't care, or think that, as part of a large group, they are less likely to be singled out. They may or may not be right about that last one.

One of the things that makes opt-in botnets feasible is the rise of social networking sites such as Facebook and Twitter. But while they make such things easier, they don't guarantee success. The article examines some successful and not so successful opt-in botnets. It's interesting reading. If you find such things interesting, check it out.

Wednesday, April 28, 2010

Tori Pennington could have lived

Last Saturday Tori Pennington's body was found by her 12-year-old son. In Tuesday's Avalanche-Journal Robin Pyle reported that she was allegedly killed by a man she met through an online dating service. At the time I'm writing this not a whole lot is known, other than she had been talking with Dustin Kendrick online and over the phone for an undisclosed amount of time. It is presumed that this was their first face-to-face meeting. This isn't the first online relationship in Lubbock to end in murder. In 2004 Joanna Rogers disappeared and was later found dead in the Lubbock landfill. Her killer was initially connected to her by chat records and emails on his computer. We can only guess at the number of people in Lubbock who have been beaten by people they met online but never reported it.

Sometimes bad things happen. But often they can be avoided, and meeting online doesn't have to be any more dangerous than any other way to meet people. So here I am going to suggest a few steps to take when meeting people online. They won't guarantee your safety, but they will at least reduce the risk. They aren't in order of importance because they are all important.

  • If you're looking for dates online, go to a large, reputable site that does at least a little checking on its members. The final call is still up to you, but every extra bit of screening helps.

  • Spend plenty of time getting to know them online before meeting in person. The longer you interact and the more you see of their actions, the more likely you're seeing "the real them."

  • Don't give them your address or home phone. Give a cell phone number - in most cases you can't get an address by looking up a cell phone number on the internet. With land lines you can.

  • I don't care how nice he (or she) is, the first few times you meet in person, don't meet at home, a hotel, or any place you will be alone. That includes going there after the dinner, movie, whatever. Meet in public places, preferably with friends. They will probably see things you don't, good and bad. You will have to judge at what point you feel 'safe' being alone, but the first date definitely isn't it.

  • Alcohol impairs judgment. Drink little or none the first few dates.

  • When you do decide it's OK to meet in more private places, make sure someone knows where you're going. Having a friend call to check up on you isn't a bad idea, and it can give you an out if you're getting uncomfortable.

To find more ideas for safely dating people you meet online, google "online dating guide" or "safe online dating."

My prayers go out to Tori Pennington's family, especially her children.

Tuesday, April 27, 2010

Who owns your Facebook?

ZDNet's Ryan Naraine and Dancho Danchev reported on a black market sale of 1.5 million Facebook accounts. The accounts vary from active accounts with loads of friends to semi-autogenerated accounts that don't have any friends yet. The price depends on how many friends the account has.

The article is a FAQ on a report by Verisign's iDefense team, and covers a lot of ground, far more than I can cover here. But one of the things I find very intriguing is the section on "Cybercrime as a Service" (CAAS), something that I'd never thought about, but that is a logical progression when you think about the development of legal business on the web.

Of course, the real question that's probably on your mind right now is either "How concerned about this should I be," or "What can they do with my Facebook account?" Those might be closely followed by, "Why would anyone, especially a criminal, want my Facebook account?"

To answer the last question first, an established Facebook account is instant trust, allowing a criminal to get things from people with far less risk and effort than sending spam or actually burglarizing a house or robbing a bank. It just makes sense that if you can approach a person as someone they know and trust, they're more likely to agree to risky behaviors you might suggest. They also are more likely to open malware you send them and open links, making Facebook accounts perfect mules for infecting their friends.

So how worried should you be about this? Well, you're probably not one of the 1.5 million accounts being sold, but I'd change my password anyway, from a computer that is known to be free of malware, just because you can't be sure. There are reported to be more than 400,000,000 users on Facebook. That means that this list of accounts for sale has less than 1/2 of 1% of all Facebook users on it. I've seen people say they are leaving Facebook because of this breach, but I wouldn't leave Facebook because of this problem alone. Of course, there are plenty of other problems that make Facebook a risky proposition.

Monday, April 26, 2010

Wylie's Angel identified

It's a sad tale reported by Valerie Wigglesworth and Tanya Eiserer of The Dallas Morning News. No one knows how Gerren Isgrigg's body wound up next to a parking lot by Lake Lavon, northwest of Dallas, but his maternal grandmother is in jail for murder after an anonymous tip helped police identify the child.

Apparently the father was making child support payments, but they were going to the mother, not to her parents. She lived in Oklahoma while Gerren lived in Texas with his grandparents.

It's very easy to pass judgment from a distance, even when you know very little of the circumstances in a situation. So I won't. From here I could point fingers at everyone involved, but the truth is that I know nothing about what went on. So all I'm going to do is pray for the parents and grandparents to be honest with themselves about everything and become better people because of what's happened. I suppose that is passing judgment as well, but we all could become better people, and that's the best I can do.

Friday, April 16, 2010

Biometric National ID - The big lie

In an article on fiercegovernmentit.com David Perera tells us more of the claims and controversy surrounding the proposed biometric national ID cards. The proposed cards would have some type of biometric data to make them tamperproof (there's no such thing) and are supposed to help stop illegal immigration. If you read this blog regularly you've probably already seen my opinion on that.

He links to an opinion piece by Senators Charles E. Schumer (D-N.Y.) and Lindsey O. Graham (R-S.C.), the authors of the bill. This piece shows either the duplicity of the two legislators, or their unforgivable ignorance of just what it is they are proposing. Just a few sentences from one paragraph of their article raise all kinds of alarms with me:
Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information. The cards would not contain any private information, medical information or tracking devices. The card would be a high-tech version of the Social Security card that citizens already have.

Let's look at the two claims individually:

First, if the biometric data is only on the card, there is nothing to check it against. Without a database to check the data on the card against, it will be difficult if not impossible to create a card that's really difficult to forge, let alone one that's anywhere near tamperproof. Once someone figures out how to move the biometric data from one card to another, a single lost ID can be turned into as many different IDs as they want. The card is only checked against itself, so it will always report that it's legit. In other words, a national database loaded with U.S. citizens' personal data is more than a requirement for an even remotely effective national ID; it's an absolute necessity.

Second, it's not supposed to contain any private information. Excuse me, but biometric data is extremely private. Social Security numbers are supposed to be private. By its nature, an ID card has to have some type of personal data or it can't prove your identity. And don't believe there won't be medical data on it. It won't be there at first, but unless the health care reform bill is repealed, the most logical place for portable health info to go is a chip on an ID card. And don't trust the promises that none of this will happen. "It will not be used as an ID number" was one of the promises used to pass Social Security.

The ACLU and about 45 other organizations sent a letter to President Obama outlining their concerns over a national ID. Along with the concerns I've already noted, they included concerns over cost and enforceability, among others. Regarding cost, they point out that providing biometric ID cards for 1 million transportation workers is expected to cost the Department of Homeland Security 1.9 billion dollars. In other words, it will cost almost $300,000,000,000 to ID the entire U.S. work force. Perhaps more important, they don't believe the plan has a snowball's chance of working:
"Adding insult to injury, this unaffordable scheme will probably never work. Even ignoring the enormous difficulties of creating a system to fingerprint everyone and distributing readers to employers across the country, the truth is that some employers prefer the ambiguity of the current process. Unless significantly greater resources are dedicated to enforcing the law, employers will continue to have a strong incentive to circumvent a broken system. Such enforcement could be accomplished just as easily without a National ID."

If greater resources were dedicated to enforcing the law, there would be less perceived need for a national ID. In other words, this national ID thing is smoke and mirrors to gain more control over law-abiding citizens while having minimal impact on the criminals.

Wednesday, April 14, 2010

$1000, Free on Facebook!

There are some legitimate "free" offers on the web, although by the time you jump through the hoops to qualify for them it would be cheaper to just buy the "prize" they offer.

Robert McMillan of IDG News reports on PCWorld that there's a free offer appearing on Facebook that's a lot easier, but the prize goes to the con men, not to you. All you have to do is become a fan and get a free gift card. The scam has covered the gamut, from Ikea furniture to iTunes, and has offered as much as $1000 gift cards. One fan page gathered 70,000 fans before being taken down.

In another article by McMillan, Facebook Spokesman Simon Axten says that right now these pages are leading to marketing websites that generate money through advertising. But traditionally this kind of scam is associated with identity theft, and it is probably only a matter of time before the information gathering gets more personal and identity theft becomes the goal.

Remember, anybody can put up a page on Facebook and claim to be anyone else. And always remember that old adage, "If it looks too good to be true, it probably is."

Monday, April 12, 2010

Surveillance law needs updating

Scott M. Fulton, III, managing editor of betanews.com, wrote an in-depth article on technewsworld.com about the need to update the Electronic Communications Privacy Act (ECPA), an ancient (in technology terms) law that sought to update the code covering telephone communications so that it also covered computer communications. But it was written in 1986, almost a quarter of a century ago. Computer communications now are radically different than they were then. In 1986 most computer communications were between universities, government agencies and government contractors. Today the communication between those three segments is a fraction of the communications between private companies and citizens.

The Digital Due Process (DDP) group, led by the Center for Democracy and Technology, has defined some principles for Congress to take into consideration when they look at updating the ECPA. The goal is to get internet communications the same protection given to wiretapped telecommunications. This isn't the first time that the DDP has tried to influence policy, but this time they've enlisted two of the more visible companies in recent privacy discussions, Microsoft and Google. Their involvement should put some weight behind the DDP's suggested principles.

Internet communications are in dire need of legislative protection. Despite recent court rulings, just how protected online communications such as email are is uncertain. And with more of individuals' critical data being stored online or in third party cloud services, the current laws and precedents make the Fourth Amendment moot. By use of the Third Party Doctrine, law enforcement can deny Fourth Amendment protections to anything you store online. That includes email, financial data (if you access your bank account online...) and even your Dropbox account.

Check out Mr. Fulton's article to learn a lot more about this issue. I've only touched the surface of what he covers. Before I finish, I want to include one quote to emphasize how important it is that current laws be updated, and the standard of how much privacy protection is afforded online data be updated:
"The Supreme Court has said that you can issue a subpoena -- not because you believe the law is being violated, but merely to assure yourself that the law is not being violated." Jim Dempsey, CDT Vice President for Public Policy

I don't know about you, but to me that sounds a lot like assuming guilt without evidence. Kind of flies in the face of "innocent until proven guilty" doesn't it?

Thursday, April 8, 2010

Court says "NO" to "potential damage" from data breach

When I first saw alerts on this story I thought it was another case of a bad court decision in favor of a corporation. Then I read Mark McCreary's blog post, Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action. I also read the amended decision by Judge Legrome D. Davis, and after all that reading, I can see two things:

1. Had this lottery ticket paid off, it would have paid off big.
2. Even so, no lawyer should have been willing to plead this case.

Aetna had a security breach on their employment website. The email addresses of over 400,000 applicants and 65,000 employees were stolen. Other information may have been stolen, but no one knows for sure (except the thief). Aetna sent notification of the breach to everyone who might have been affected by the breach. Some of those people received a bogus email claiming to be from Aetna asking for more information. One of the people who received the notice from Aetna, but not the phishing email, decided to sue Aetna for potential damages from potential identity theft.

Yes, that's right. Cornelius Allison sued Aetna for damages because he might, someday, have his identity stolen. Since he did not receive the phishing email, he didn't even know if his email address or any other data had been part of the breach.

He was suing for money the maybe perps would possibly take if they ever stole his identity. I wonder if either he or his lawyer was really surprised when the case was thrown out?

Friday, April 2, 2010

Facebook puts new spin on old crimes

KTLA.com in LA reports a new spin on a not so new pastime. For that matter the spin's probably not all that new. There's not really anything new about groups of teenagers or early twenty-somethings finding an unoccupied house, breaking in, and trashing it. It's also not new that the partiers don't really care if the house is empty because it's abandoned or because the occupants are away. Actually, they probably prefer the occupants be away, that way there's probably food and maybe alcohol already there.

What Facebook and other social media have made possible is a much shorter amount of time needed to set up the "party". Twenty years ago it took time to find a suitable house, let people know where the party was being held, and get everybody there. Today, thanks to Facebook, Twitter, Foursquare, and others, a careful online search can find empty houses in minutes. A Facebook update or a tweet can potentially allow thousands of people to find out about the party simultaneously, and in no time you have hundreds of people trashing your home.

As I said, this isn't exactly new. What is new is that many people are now transmitting to anyone who cares to look that they are leaving for an extended period. So along with having your mail held, your newspaper subscription suspended, and your lights set to go on and off while you're gone, make sure no one in your family reports to the world at large that you are going to be gone.

Remember, sites like Facebook are tools. It's up to us how we use them.

Thursday, April 1, 2010

Suing downloaders new "revenue stream"

First it was Warner Brothers seeking an anti-piracy intern in the U.K. Now it's the US Copyright Group taking a swing at stopping movie piracy. They are not doing it at the request of the MPAA; they are doing it in a straightforward attempt to find new and interesting ways to make money.

According to an article in The Hollywood Reporter, they are using a new proprietary technology that allows real-time inspection of torrent downloads. Supposedly it's been very successful in Germany. US Copyright Group has filed tens of thousands of lawsuits, with a handful being settled already, and there could be another 30,000 filed in coming months.

This tactic didn't work for the RIAA, and hopefully it won't work here despite the new technology. Litigating shouldn't be an option to avoid having to adapt to changing market conditions.

Wednesday, March 24, 2010

Hotels highly hackable

The ID Security Solutions blog reports that Data Breaches are Heaviest at Hotels. According to the post, both Trustwave's SpiderLabs and Verizon Business found that in 2009 hotels had more data breaches than any other industry. That's not very encouraging when you realize that there's not a lot we can do as consumers to protect our data once we've turned it over to the hotel.

To make it worse, the weakest link appears to be the point of sale software. The software is often administered by third parties who log in to systems remotely. If they don't change default passwords, use weak passwords, or leave passwords blank, then it's easy pickings for data thieves. But I'm not sure I believe that most of the breaches are caused by poor password practices. The Heartland breach that occurred from late 2008 to early 2009 took place after they had passed security audits. Whether the audits were for Sarbanes-Oxley or PCI-DSS compliance, having blank or default passwords would not have passed.

As we move to a more and more plastic-based economy, our financial data becomes more dependent on the security of the businesses we deal with. That is something we have little control over. I'm not sure what the best answer is, but we need to find one.

Wednesday, March 17, 2010

PlainsCapital vs Hillary: Symptom of a larger problem

Tom Field of the Field Report blog wrote an entry titled, "Trust on Trial" after returning from the RSA security conference. According to him there were three words on everyone's mind: cloud, computing, and trust.

Trust was the surprise word. It seems a lot of business people are questioning the safety of using a bank at all, let alone banking online. Two cases are specifically mentioned in his post:

Experi-Metal, Inc. vs Comerica Bank and PlainsCapital vs Hillary Machinery.

These two aren't picked because of their unusual nature (although PlainsCapital vs Hillary is unusual), but because they are the latest in an ongoing trend: a business customer's account is pilfered, and the bank claims no responsibility. Normally the customer sues the bank, but in the case of PlainsCapital, the bank preemptively sued the customer, asking a court to declare its security practices "reasonable".

What is reasonable security for a bank? Nobody really knows, since no clear-cut definition has ever been coined. That doesn't mean there aren't standards and minimum requirements, it just means that there isn't an official definition of "reasonable."

If you think about it, there is actually a very good reason why that particular term isn't defined. And many security experts fervently hope it remains that way. Internet security changes quickly. What is reasonable today may be totally hopeless tomorrow. Defining reasonable security will give banks a hard-coded standard to comply with, a standard that will quickly become unreasonable. What needs to be done is not to define "reasonable security," but to require financial institutions to keep abreast of the latest security risks and adapt their protections accordingly. Hopefully the judge in PlainsCapital vs Hillary will recognize the danger of giving banks a definition to hide behind and will refuse to define exactly what reasonable means when it comes to banking security.

So outside of lawsuits, what can be done to solve this problem of banks being robbed and refusing to accept any culpability? First of all, business accounts should be given the same protections that personal accounts enjoy. Second, the regional and smaller banks that seem to be the main offenders in the lack of adequate security category should honestly examine their security measures in light of what is currently out there in the way of bad guys and take steps to protect against them. Banks that are involved in lawsuits need to review their security and see if they should just settle to save time.

The business customers aren't totally innocent either, although the cases I've seen appear to implicate the banks more. If a customer who does 1 or 2 electronic transfers a month suddenly has 10 a day it should ring alarm bells and stop the transfers. This failure to stop unusual transfers is a common complaint by business customers who have had money stolen by electronic transfers. The business may have to accept some blame, however. Are their virus definitions up to date? Has someone been going to questionable websites? Are their security policies clear and well thought out?
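The "1 or 2 transfers a month, then 10 a day" alarm described above, written out as a velocity check. This is an added example, not code from the post or from any bank; the log format, thresholds and account names are assumptions, and the sample log is constructed so that the two-a-month customer trips the check while a customer who always does five a day does not.

```python
"""
Velocity check for outbound electronic transfers.

Added example: flags an account whose transfer count in a 24-hour window
jumps far above the daily rate learned from that account's own history.
Thresholds, the log format and the account names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 90                 # history used to learn the normal daily rate
MIN_HISTORY = timedelta(days=30)   # do not judge accounts with less history
WINDOW = timedelta(days=1)         # burst window
MIN_BURST = 3                      # never flag fewer than this many per window
FACTOR = 5.0                       # burst if count >= FACTOR x learned daily rate


def parse_log(lines):
    """Parse constructed 'account,ISO-timestamp,amount' lines, sorted by time."""
    rows = []
    for line in lines:
        account, stamp, amount = line.strip().split(",")
        rows.append({"account": account,
                     "time": datetime.fromisoformat(stamp),
                     "amount": float(amount)})
    rows.sort(key=lambda r: r["time"])
    return rows


def daily_rate(history, now):
    """Transfers per day over the BASELINE_DAYS before `now`, excluding the last WINDOW."""
    end = now - WINDOW
    start = max(now - timedelta(days=BASELINE_DAYS), history[0]["time"])
    days = max(1, (end - start).days)
    count = sum(1 for h in history if start <= h["time"] < end)
    return count / days


def find_bursts(transfers):
    """Return (account, time, count_in_window, baseline_rate) for transfers to hold.

    Each transfer is judged against its own account's history, so a customer
    who always does five a day is not flagged while a two-a-month customer
    suddenly doing ten is.  Accounts younger than MIN_HISTORY are skipped
    rather than flagged on a cold start.
    """
    history = defaultdict(list)
    flagged = []
    for t in transfers:
        hist = history[t["account"]]
        hist.append(t)
        if t["time"] - hist[0]["time"] < MIN_HISTORY:
            continue                      # too new to have a baseline
        recent = sum(1 for h in hist if h["time"] > t["time"] - WINDOW)
        rate = daily_rate(hist, t["time"])
        if recent >= max(MIN_BURST, FACTOR * rate):
            flagged.append((t["account"], t["time"], recent, rate))
    return flagged


def constructed_log():
    """Constructed sample: ACME does two a month then ten in one day; HIGHVOL does five daily."""
    lines = []
    for month in (1, 2, 3):
        for day in (1, 15):
            lines.append(f"ACME,2010-{month:02d}-{day:02d}T10:00:00,1200.00")
    for i in range(10):
        lines.append(f"ACME,2010-04-01T{9 + i:02d}:30:00,9800.00")
    day = datetime(2010, 1, 1)
    while day <= datetime(2010, 4, 1):
        for i in range(5):
            lines.append(f"HIGHVOL,{day.date()}T{9 + i:02d}:00:00,300.00")
        day += timedelta(days=1)
    return lines


if __name__ == "__main__":
    for account, when, count, rate in find_bursts(parse_log(constructed_log())):
        print(f"HOLD {account} at {when}: {count} transfers in 24h, baseline {rate:.2f}/day")
```

On the constructed log only ACME is held, starting with its third transfer on April 1; HIGHVOL's steady five a day never crosses its own learned threshold.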

If things keep going the way they are now, before long no business will trust their banks. That will make for some serious headaches, since it's almost impossible to do business without a bank account these days.

Tuesday, March 9, 2010

Maryland students teach teachers

The Washington Post reports that a group of students at Potomac High School stole teachers' passwords and were changing their grades for several months before they were caught.

They used keylogging software to capture the passwords, then logged on to the teachers' computers and changed grades. Because of the computer system and the way it was accessed there is no way to discover who changed the grades. Instead of punishing all the students whose grades were changed (some may have been red herrings), the school is just changing them back to the original grades.

The tools the students used to log passwords are easily and cheaply available online. To prevent this kind of problem, students need to be locked out of adding software and of mounting or running .exe files from USB drives; in fact, flash drives, or any USB drive, shouldn't mount from teacher or student accounts. If schools don't take these kinds of steps we eventually won't be able to trust our schools to truly teach our kids the things they need to grow up, or to trust anything they tell us about how well the students are learning.

Thursday, March 4, 2010

TMI - some info shouldn't be realtime

February 2009 - "Just landed in Baghdad" tweeted Peter Hoekstra while on a 'secret' trip to Iraq. The media was aware of the trip, but agreed to embargo the information until after they arrived back in the U.S. for the safety of the congressmen. Since the congressman started tweeting before they left, the newspapers needn't have bothered.

March 3, 2010 - "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home," the soldier wrote on his Facebook page, referring to a West Bank village near Ramallah. That's from a story on Haaretz.com regarding a Facebook security breach. The mission the young man (he may not be a soldier, now) mentioned has been scrapped. According to Robert Mackey on The Lede, such details as the unit's name and the time of the raid were also revealed.

In the first case, Senator Hoekstra was former head, and senior member, of the House intelligence committee. You would think a man with that kind of background would have more sense than to tweet details of his Baghdad itinerary. In the second, you would think a young soldier would be aware that posting details of an upcoming mission on Facebook would be a severe security breach, and could even be considered treason. But I wonder. How many of us actually realize how available the things we put on Facebook and Twitter really are? Do we really understand that what we put on Twitter and Facebook can be seen by just about anyone? With all the foolish things being put up on Facebook and Twitter, the real surprise isn't that two people posted national security breaking info on social networking sites, it's that we don't see a lot more of this happening.

I'm sure that most of my readers aren't in a position to spill national secrets, but spilling your own secrets can be bad enough. Think before you post on any site, and avoid the embarrassment of foot-in-mouth.

Tuesday, March 2, 2010

High school predator stalks Facebook

In Wisconsin a darker side of Facebook was revealed last December when Anthony Stancl pleaded no contest to two felonies. It must have been a plea bargain, because the 19-year-old had blackmailed at least seven of his fellow students for sex. Between 2007 and 2008 he had a Facebook page that he used to trick male classmates into sending him nude pictures of themselves. He pretended to be a girl, and after classmates exchanged pictures with him (it's not hard to find nude pictures of girls on the internet), he threatened to post the boys' pictures online unless they had sex with him.

Stancl might still be blackmailing teens for sex if he hadn't been greedy. One of his victims had been unwilling to speak up to protect himself, but when Stancl wanted pictures of the young man's brother, that was too much. The victim went to his parents, and the police were called.

Last week Stancl was sentenced to 15 years in prison. According to his lawyer, that is a fair sentence, and will give him time to rebuild his life after he gets out. That's really great, but I wonder who is making sure the youngsters who were victimized by Stancl get their lives rebuilt?

It's important that we make sure our children know they cannot assume they know someone online - and that we remember it ourselves. Otherwise we make it too easy for predators to prey on us.

Friday, February 26, 2010

FTC: Beware P2P Breach

The Federal Trade Commission is warning 100 companies and organizations that their data has been compromised by P2P software. According to the FTC press release, data on both employees and customers is involved.

The release also indicates that the breach is not because of any new exploit, but because of poorly configured P2P clients. Some P2P clients, like LimeWire, set a specific share folder and by default only make files in that folder available to the network. Others share the entire hard drive by default. If you are using a client that shares the entire drive by default and don't set it to share only one specific folder, anything on your HD can be seen and downloaded by anyone else on the network.

This is nothing new, but it is obviously something that is still relevant. FTC Chairman Jon Leibowitz said,

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers - the kind of information that could lead to identity theft.”

I remember being amazed at what I could find with gnutella way back when. Sadly, it's not surprising that, more than a decade after I first noticed really neat stuff that obviously shouldn't be on a P2P network, the neat stuff that shouldn't be there still is. P2P is really neat, and really useful (not just for sharing music). But if you are a business and you use P2P, or one of your employees decides he needs to use P2P on his work computer and it shares the wrong folder or the whole drive, you could find yourself in violation of laws such as the Gramm-Leach-Bliley Act or HIPAA. As an individual, you know that Quicken or Microsoft Money file that has all of your banking info and can connect to your bank account? Your neighbor's 14-year-old now has access to all your money. And all he wanted was music.

The FTC isn't just talking about the users of P2P software. They say it's just as important that companies who "distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing." The easy way to do that is to have the P2P software's default setting be "share this folder" - one dedicated folder, not the whole drive. And that's what you need to do if you are developing P2P software.
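The misconfiguration described in the two paragraphs above (a share path that is the whole drive or a parent of files like a Quicken data file) is easy to check for mechanically. This is an added example, not code from the FTC release or any P2P client; the configuration dictionaries, folder names and file names are constructed for illustration, and paths are assumed to be POSIX-style.

```python
from pathlib import PurePosixPath

# Constructed example configs. Each mimics a P2P client's "shared folders" setting.
WEAK_CONFIG = {"shared_paths": ["/"]}                        # shares the entire drive
HOME_CONFIG = {"shared_paths": ["/home/alice"]}              # not the root, but still too wide
SAFE_CONFIG = {"shared_paths": ["/home/alice/P2P-Shared"]}   # one dedicated share folder

# Constructed sample of files that must never be reachable from the P2P network.
SENSITIVE_FILES = [
    "/home/alice/Documents/finances.qdf",   # personal finance data file (hypothetical name)
    "/home/alice/.ssh/id_rsa",
]


def _is_under(path, root):
    """True if `path` equals `root` or lies anywhere beneath it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit_share_config(config, sensitive_files):
    """Check a share configuration the way the FTC release suggests:
    the client should expose exactly one dedicated folder and nothing sensitive.

    Returns a dict with:
      shares_drive_root - True if any shared path is the filesystem root
      exposed           - sensitive files reachable through the shared paths
      ok                - True only when a single folder is shared, it is not
                          the root, and no sensitive file is exposed
    """
    roots = config["shared_paths"]
    shares_drive_root = any(PurePosixPath(r) == PurePosixPath("/") for r in roots)
    exposed = [f for f in sensitive_files if any(_is_under(f, r) for r in roots)]
    single_folder = len(roots) == 1
    return {
        "shares_drive_root": shares_drive_root,
        "exposed": exposed,
        "ok": single_folder and not shares_drive_root and not exposed,
    }


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("home", HOME_CONFIG), ("safe", SAFE_CONFIG)]:
        print(name, audit_share_config(cfg, SENSITIVE_FILES))
```

The "home" case is the one users most often get wrong: it is not the drive root, so a naive "is it /" check passes it, yet every sensitive file is still exposed.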