Archive for December, 2009

Eastern Washington University Computer Breach: 130,000 Affected

December 31, 2009

130,000 students, current and former, at Eastern Washington University will be notified about a potential data breach involving their names, dates of birth, and Social Security numbers.

According to seattlepi.com, it’s unknown whether any actual harm stems from the breach, although the potential is there (hence the breach notification letters).

The breach was discovered in December in an unsecured system with a database that went as far back as 1987.

It appears that hackers were storing video on the system (for distribution?  I guess kind of like a P2P node?).

Urine Samples Stolen

December 30, 2009

In some of the most disgusting news reported yet this holiday season, it has been announced that urine samples were stolen from the Logan office of the Bear River Health Department in Utah.

Why am I covering this story?  What does piss have to do with data security?  Maybe it’s just me, but it seems to me that this is something of an information security problem, because you could take those samples and contaminate a crime scene.

In other words, it could be used to frame someone.  Or, it could be sold to someone who needs a clean urine sample (assuming these were clean ones, that is).

And it’s not just a case of swiping something, à la pie cooling on the window ledge.  No, siree…someone,

…broke the lock on a storage room and made off with all 17 of the 4-ounce, lidded cups containing the refrigerated samples used for corporate as well as court-ordered drug tests.

The thief or thieves seemed obsessed with the urine cache, ignoring expensive computer equipment and office supplies in the same room.

Man, this is going to piss someone off….

Adobe Top Target Next Year (2010)

December 29, 2009

Flash and Reader products from Adobe will become the preferred hacker targets in 2010.  Networkworld.com notes that they’ll be preferred even over MS’s Office suite applications. (Wha-!?)

That’s like crazy talk.  I didn’t think I’d see the day….  The thing is, I didn’t think I’d see the day because I found it hard to believe that anything would realistically supplant MS Office.  And it turns out that it’s true.  The reason MS is giving up this dubious honor is that “[t]he software giant has tightened security in its recent OS releases, leading hackers to look for additional targets.”

In other words, there’s nothing (ahem) wrong with MS…it’s, in a sense, Adobe’s fault (yeah, yeah….they’re the victims here, I know).

Baby Blood Data Breaches?

December 28, 2009

Things certainly have become much more interesting over the weekend.  A number of countries have suddenly realized that there is something of a data privacy issue when it comes to heel prick tests of babies.

Take the instance of Ireland.  According to the timesonlink.co.uk, a Dublin hospital has created a DNA database of babies born in the country that goes as far back as 1984.  (Ooooh…Orwellian!)

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

Now, there are objections to the above controversy, such as the claim that this isn’t really a database.  Someone made this comment:

Mark Sugrue wrote:

In what sense is this a DNA database? No computer system exists – this is blood samples on paper in a room. No database exists.

This is a non story.

A non-story? Perhaps his Pollyanna-ish outlook on life keeps him from seeing the obvious.  Well, that, and his failure to read the article to the end:

The retention of newborn screening cards has caused controversy in Australia and New Zealand where the DNA has been used by police to help to solve crimes. A sample in New Zealand was used to identify the father of a dead child against the wishes of the mother.

Let’s make it clear: in the above cases, too, the blood was on cards. Do Kiwis and Aussies possess special magic that allows them to turn blood on cards into usable information?

Yes.  These magicians are officially called lab technicians.  Sheesh, some people.  A database is not called a database because it exists on a computer.  It’s called a database because it contains data.  Blood = data.  Especially ever since the human genome was fully mapped.

Two Arrested For Australian Fraud Involving McD’s: $4 Million

December 24, 2009

A Briton and a Canadian were arrested for the audacious swindling of four million Aussie dollars.  The two are believed to have illicitly gained the credit card information by rigging up hand-held POS devices at McDonald’s stores in Western Australia.  The tampering allowed them to capture credit card numbers and their PINs.  But it wasn’t a solo job (or even a “duo” job):

Police will allege the men formed part of a well organized international crime syndicate responsible for the skimming crimes and theft of significant sums of money from the credit card and bank accounts of West Australians, at automatic teller machines in NSW, Victoria, Canada, Great Britain, USA, India and Malaysia.

Both men are being extradited to Western Australia to face charges.

Amazon, Walmart, Expedia Knocked Offline

December 24, 2009

E-commerce companies such as Amazon, Wal-Mart, and Expedia were unavailable Wednesday evening in some parts of the US.  This was due to an attack on these companies’ DNS provider, Neustar (better known by its brand name, UltraDNS).

…the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed “a mitigation response” within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.

What is DNS?

Web sites need DNS providers to translate the character-based URLs that people can remember to the IP addresses that Web sites actually use to list themselves on the Internet. When a DNS provider is overwhelmed with malicious requests for IP addresses, the system can overload and prevent legitimate users from reaching their destinations.

In other words, the language of the internet is based on IP addresses: 192.12.122.1 and similar addresses.  Remembering such numbers is not as easy as remembering “google.com.”  DNS does the translation between google.com and the IP address. (Hint: if you were to type the actual IP address into the URL bar of your web browser, you’d still be directed to the correct site!)
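The attack described above was noticed as a “disproportionately high number of queries.”  As an added example (not Neustar’s code, and not based on any real log format), here is the simplest form of that detection: bucket a resolver’s query log by second and flag any second whose volume is far above the median; the log lines are constructed for illustration.

```python
"""Spot the 'disproportionately high number of queries' pattern in a
resolver query log. Added example, not Neustar's code; the log format
and every line in it are constructed for illustration."""
from collections import Counter
from statistics import median

# Constructed lines: "<timestamp to the second> <client ip> <qname> <qtype>"
BASELINE = """\
2009-12-23T18:00:00 203.0.113.5 www.amazon.com A
2009-12-23T18:00:00 198.51.100.7 www.walmart.com A
2009-12-23T18:00:01 203.0.113.9 www.expedia.com A
2009-12-23T18:00:02 198.51.100.7 www.amazon.com A
2009-12-23T18:00:03 203.0.113.5 www.walmart.com A
"""
# A constructed burst: ten distinct sources hitting one name in one second.
BURST = "\n".join(f"2009-12-23T18:00:04 192.0.2.{i} www.amazon.com A"
                  for i in range(40, 50))
SAMPLE_LOG = BASELINE + BURST + "\n"


def parse_log(text):
    """Return (second, client, qname) tuples; skip blank or short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def queries_per_second(records):
    """Count queries in each one-second bucket."""
    return Counter(second for second, _, _ in records)


def find_bursts(counts, factor=5, floor=5):
    """Flag seconds whose volume exceeds 'factor' times the median second
    and an absolute floor (so a quiet resolver is not flagged on noise)."""
    baseline = median(counts.values()) if counts else 0
    threshold = max(floor, factor * baseline)
    return sorted((sec, n) for sec, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for sec, n in find_bursts(queries_per_second(parse_log(SAMPLE_LOG))):
        print(f"burst at {sec}: {n} queries")  # → burst at 2009-12-23T18:00:04: 10 queries
```

A real resolver would also key the counts by source and by queried name, since a flood from one client or against one zone is a different mitigation case than a general overload.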

Conde Nast Files Suit Against Hackers

December 23, 2009

A lawsuit was filed by Condé Nast against the people behind FashionZag, a blog hosted on Google’s Blogger service.  They supposedly “hacked into the company’s computer system, downloaded unpublished photos and articles, and then published them online.”

You know what’s really weird?  Condé Nast knows of the issue, but hasn’t done anything about blocking these hackers:

“…lawsuit alleges that the intruder obtained the login details from a third party and downloaded 1100 files from the company in September, and — as of the date the lawsuit was filed in December — the company hasn’t stopped the leak!?”

US Drone Encryption Proposal

December 23, 2009

The news last week, reported by the WSJ, that Predator drones were “vulnerable” because of a lack of encryption in their transmissions has prompted several people to weigh in (I had a short entry here).

Wired interviews Rex Buddenberg from the Naval Postgraduate School, who notes that “the military’s data security problem is bigger — and much more difficult to fix — than the original reporting lets on.”

According to Buddenberg, the solutions offered in the wake of last week’s Predator video feed problem only scratch the surface.  Those solutions deal with protecting the wireless video feed.

However, the bigger problem is that information can be siphoned off at any point along the path from the Predators (in Iraq) to Nevada, where the machines are controlled from. (How do the feeds reach Nevada?  Internet, anyone?)

So, the real fix needs to be some kind of end-to-end encryption solution.

BlackBerry + Verizon = Bing?

December 22, 2009

The Register has a story on how Verizon unilaterally decided to snuff out all search engines with the exception of Bing as the default one.

Verizon has unilaterally updated user Storm 2 BlackBerries and other smartphones so that their browser search boxes can only be used with Microsoft Bing.

The move is part of the five-year search and advertising deal Verizon signed with Microsoft in January for a rumored $500m.

Wow.  I guess Microsoft really doesn’t want to give up on its search engine wars.

Verizon says that they’re a “proud supporter” of the Bing search engine.  I’m sure they are: with $500 million in my pocket, I’d be, too.  This doesn’t mean other search engines, like Google, are not available.  It means they can’t be made the default one, though.

(Actually, there are reports that some users can’t access any other search engines…but it could just be people who just don’t know how to use some other search engine…you know what I mean?)

Doh! Guy Gets Arrested For Medical Breach After Spying On Woman

December 21, 2009

A man in northeast Ohio is going to prison because he inadvertently got involved in a medical data breach.

He had sent a woman spyware as an e-mail attachment (jealous ex-boyfriend?).  The woman, however, opened the file at work–at Akron Children’s Hospital:

“…the spyware picked up confidential information about medical procedures and patients — as well as financial records for four employees — over the course of about three weeks.

The spyware slowed the computer network system down, leading to its discovery by hospital officials. The FBI was called in.”

Doh, anyone?
