Papworth Hospital NHS Foundation Trust Document Breach

A reminder: data security involves more than people stealing stuff from your computers and hard disks.  Paper–that noble tree-based parchment–can be a source of information security weaknesses as well.  Problem is there can be only so many ways of securing such information:

• Lock it up
• Shred it to bits (and I mean to bits.  Bits so tiny they’re really powder-like)

Short of these two, there is no way to secure the information printed on paper.  Computers, for example, have a third option, besides locking it up and destroying it: encryption products like TrueCrypt.

Granted, encryption works on written records as well.  However, encrypting it and decrypting it would take significantly longer time.

Why do I mention such an obvious thing?  Papworth NHS had a breach of the most unusual kind.  A gift it was not.

Windows Patch Results In BLACK Screen of Death (Updated)

Well, if the original blue screen of death (BSOD) was not enough to strive fear into Windows machine users everywhere, now there is a black screen of death going around.  Call it “new BSOD” and “BSOD Classic.”

Microsoft has not confirmed it yet, but reports arose last week that the latest round of patches has resulted in the blacking out of computer screens in some computers (mine hasn’t, so I’m lucky.  I feel special).

Since I haven’t seen in first hand, I can’t comment on it much.  A description has been helpfully included in the ArsTechnica article:

After starting your Windows 7, Vista, XP, NT, W2K, W2K3 or W2K8 PC or server the system appears normal. However, after logging on there is no desktop, taskbar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window. Even this window might be minimized making it hard to see. [my emphasis]

Updated (01 DEC 2009): Apparently, the BSOD is not caused by the latest round of patches.  From Microsoft:

“Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers,” a Microsoft spokesperson told Ars. “The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports.”

Also, Prevx, the company that had pointed out that the patches were affecting the computers:

“Having narrowed down a specific trigger for this condition we’ve done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.”

“We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and taskbar.”

UK Pub Fined 13K For Shred Wi-Fi

A UK pub owner has been fined £8,000 (US$13,000) because copyrighted material was downloaded (illegally) through its open Wi-Fi.  Supposedly this is a grey area in UK law, so expect to hear more about this issue.

Incidentally, it reminds me of a post by security guru Bruce Schneier:

Whenever I talk or write about my own security setup, the one thing that surprises people — and attracts the most criticism — is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

I wonder if now he’ll see a need to secure his Wi-Fi connection.

Manchester NH Mayor’s E-mail Hacked

The mayor of Manchester (New Hampshire) had lots to be thankful for this Thanksgiving, I’m sure.  Not one of those things?  Getting his work  e-mail account taken over by spammy cyberhackers.  Mayor Frank Guinta was alerted to the hack by the city’s IT Director yesterday.  Approximately 650,000 people received the spam message. The data security implications are tremendous in this particular case.

1. It’s not a spoofed address; it’s the real deal (a *.gov e-mail address)
2. It’s the real deal and from “an important person” (what are the chances you won’t click on the e-mail?)

If the hackers had included a link to a legitimate-sounding site (say, NewHampshireTaxRefunds.org, letters capitalized for better recognition) controlled by the hackers, and they had some kind of malware waiting to be installed on a visitor’s computer…

Hm…upon further reading of the article, it looks like not everyone is assuming this to be a hack:

Let me guess, those 650,000 messages sent from the Mayor’s city email were soliciting contributions to his run for the House of Representatives. Then somebody realized that would be illegal so all of a sudden a “hacker” did it. I’ll bet that hacker is also good at tying up Democratic party phone lines…
- LJC, Manchester [my emphasis]

I guess that’s one way of interpreting “spam” (a cynical, and most probably wrong, way).

Tiger Wood’s Accident Being Used For Spreading Malware

Tiger Woods crashed his car this morning (very, very early in the morning).  There is some confusion/gossip/rumor over his condition at the time of the crash (insinuations that he was drunk and whatnot…something that the police investigating the situation have expressly denied).

However, what’s for certain is that a) there is a lot of interest in the story and b) hackers haven’t wasted any time of using it to their advantage.

What have hackers done?  Basically, they claim that they have videos of the crash…and require you to install a “video player” to see it.  Except that the video player is a trojan that will install all sorts of malware on your computer.

This is the same tactic used for other stuff, like offers of free porn or clips for the new Twilight: New Moon movie.  Don’t fall for it.  God knows there are plenty of videos going around; just go to youtube or something….

UK Officers Who Passed Sensitive Info Are Fingered

Due to the way certain laws are written, and the fact that it’s part of their job to look up information during an investigation, your friendly neighborhood cop has access to a lot of info….on you, your neighbors, etc.

Sometimes, they abuse this power.  Earlier this year, a UK policeman passed some old guy’s home address to a buddy of his.  This buddy put a brick through house window of the old guy.  Old guy died from fright.  There were other such cases where the police database was used (many will say abused) improperly.

Now, some of these people have been named in a government report.  Their names haven’t been made available to the general public, though.  Isn’t that ironic?  Those who are willing to abuse data privacy laws are being protected by the same.  I’d be they’d raise a ruckus if there were efforts to make said names public in the literal sense.

iPhone Worm Author Gets Job Offer

The Ozzie hacker who created the world’s first iPhone worm just scored a job.  I agree with what that Graham Cluley chap said.

You know what would be funny?  If a bunch of copy cats ended doing the same (for glory and a job offer), the Australian government decides it’s had more than enough of these shenanigans, and starts going after them, including the original guy.  Anyone know what the statute of limitations happens to be in the land down under?

BlueCross BlueShield Tennessee Starts Mailing Breach Letters

BlueCross BlueShield of Tennessee will be mailing notification letters to affected.  They lost something like 60 hard drives, which contained SSNs and other information.  Everything is on the up and up with this one, except for this:

“If you don’t get a letter, you are safe. No news is good news,” [BCBST spokeswoman Mary] Thompson says.

I would like to disagree.  What if a breach notification letter doesn’t reach the intended party?  I can understand BCBS’s situation though: what are they supposed to do, send a letter to notify someone that they are not affected by a data breach?  I mean, it would nice, but it would be costly.  That’s like my bank alerting me that my account hasn’t been hacked–like I wouldn’t know that after taking a look at the money remaining….

New Zealand Carpark Gets ATM Scam

You know, New Zealand is not a country that I tend to associated with high tech scams.  I generally tend to think of pristine wildlife and Hobbits.  However, there was nothing pristine-like of a garage (or car park, if you prefer) that fell victim to a scam.

Members of crime groups came to New Zealand to attach skimming devices to ATM machines and send credit card details back to their bosses overseas.

Now, when I read this, I thought, “who the heck pays for 2 hours of parking service via a credit card?”  In my neck of the woods, we still use cash.  Of course, it wasn’t the car park that was scammed.  It was the ATM machines in the garage that were the source of the credit card information breach.

Currently, it’s believed that the criminals come from Eastern Europe:

“I would guess they would come from the Eastern European countries, that’s where they all come from,” [Police National Electronic Crime Laboratory manager Maarten Kleintjes] said.

Hm…so there’s been no investigation whatsoever?  It’s just a guess?  What a guess, especially after finding that the cards were used “to buy goods at a Walmart chain store in the American city of Phoenix, Arizona.”  Not that I doubt that there aren’t any eastern europeans living in that area…but c’mon! Anyone can be card thief.

Spanish Credit Card Hack Affecting Czechs

It looks like the data leak from Spain is leaving even more countries in the lurch.  Czech banks are also cancelling ATM cards.   This follows actions by Germany, Finland, Austria, and Sweden.

Approximately 100,000 accounts in the Czech Republic are being blocked.

The breach in Spain is attributed to hackers getting into a credit card processor’s infrastructure, and essentially affects any non-Spain residents who visited the Mediterranean country during this past summer (apparently, there’s some kind of separate processor for foreign credit cards; foreign to Spain, that is).