Archive for February, 2010

Ark. National Guard Still Doesn’t Know Where Missing Drive Is

February 26, 2010

In the shortest data breach news I’ve read to date, the Arkansas National Guard has no idea where a missing hard drive is.

The external drive was used as a backup source, and contains personal data from the First Battalion 153rd Infantry Regiment of the 39th Infantry Brigade, based out of Malvern.

Man…with declarations as such, one wonders whether encryption software was used.

Google Employees Lose In Italian Court

February 24, 2010

Three Google executives—arrested during a layover at an airport, if I remember right—have been convicted for a YouTube video that showed the bullying of an autistic child.  A fourth was acquitted of charges.

Supposedly, showing such a video is illegal in Italy.  The judge in the case “absolved the three of defamation but convicted them of privacy violations.”

The case has been described as ridiculous, and with good reason.  According to the experts quoted at the BBC, it would mean that every single thing uploaded into YouTube would have to be vetted before shown.  A consultant in the case has noted that “it is like prosecuting the post office for hate mail that is sent in the post.”

With the difference, I should note, that the post office is not in the business of letting anyone other than the recipient see the contents of the mail…so that’s not quite an appropriate comparison.  I understand what he means by it, though: Google just stores the stuff, and is not responsible for what gets uploaded.

On the other hand, the Italian court seems to be saying, “well, you should be if you’re going to allow the world to see it.”  The post office doesn’t have that problem because, again, they’re in the business of delivering–be it hate mail or otherwise–to the correct person, as opposed to ensuring the contents of that letter is shared with the world.

Australian Newspaper “Hacks” Government Site, Minister Gets Pwned

February 23, 2010

If the following story shows us anything, it is that you shouldn’t mess with geezers that need help filling in their fountain pens.

NSW Government has accused a couple of reporters from the Sydney Morning Herald of hacking into a government website.  Turns out that the only “hacking” involved was typing a URL into the address bar of one’s browser.  (Security by obscurity…if this worked, squirrels would be our security czars.)  Passwords were not even present to deny access.

Furthermore,

The IT help section at Fairfax will tell you that their staff run a mile whenever I [reporter Matthew Moore] call. I am squarely in the “learning disability” group.

And [Andrew] West’s disdain for technology is as well known as his fondness for fountain pens, for which he generally requires assistance to refill.

How can you tell these guys are old-fashioned, besides the fountain pen?  They supposedly printed page after page of information, before the information disappeared.

They printed stuff.  I mean, if I was in a hurry to get as much info as possible, I don’t know….I would have saved entire html pages onto my computer.  You know, because it’s faster.  I mean, the page is already there in front of you if you’re going to print it….

Pffffbbbbt.  Hackers indeed…

Potential Serious Allegations On High School Spying?

February 22, 2010

Hm…some very serious allegations have surfaced in the case regarding the PA high school that was spying on its students via school-issued laptops.

According to this particular post, which goes really in depth,

In a strange twist, the makers of LANRev have come out with a statement saying that school network techs should never have used their software to engage in theft recovery:

“We discourage any customer from taking theft recovery into their own hands,” said Stephen Midgley, the company’s head of marketing, in an interview Monday. “That’s best left in the hands of professionals.”

I’ve watched the 50 minute screencast repeatedly, where Perbix describes his use of this feature outside of school grounds repeatedly during a conversation with Absolute Software employees. They were enthusiastic… now they’re throwing LMSD under the bus? I believe this can best be described as intense PR spin. It also completely confirms what I’ve asserted here, that LANRev was the implant of choice for this school. [my emphasis]

Perbix is supposedly one of the school’s IT admins.  What the blogger is referring to in regard to the PR spin is this interview with computerworld.com, where

Absolute’s Midgley declined to speculate about whether his company might be liable to legal action for LANRev’s part in the alleged spying on students, but put the responsibility solely on the school district.

“The customer acted on their own to do what they did,” he said.

Midgley is the head of marketing at Absolute, according to the computerworld.com article, so what else would one expect other than PR?  On the other hand, this could very well be a case of the guys at the top, at their respective company and school, not knowing what their underlings are doing…in fact, that’s the argument I would make in defending myself.

BTW, I don’t share the above blogger’s notion of LMSD “being thrown under the bus.”  Just like the manufacturer of a knife can’t be responsible for some guy stabbing another guy, Absolute can’t be held responsible for stupidity by a particular school because they happened to use Absolute’s software (actually, part of the portfolio of an acquisition).  As for “enthusiastic employees”…well, I’m not crazy about them being enthusiastic about breaches of privacy; maybe they didn’t know, or maybe they thought all the issues were squared away.  Or maybe they thought the guy wouldn’t really implement what he was describing and showing off.  Or maybe they’re idiots that will get fired; who knows?

The point is, I’m not going to blame the software company for a situation that was created by imbeciles.

Twitter Phishing Attack

February 22, 2010

A phishing attack on Twitter has gone viral and people should be on the lookout.  It attempts to gain Twitter logins via Direct Messages.

If you receive a message reading “lol, is this you”, and linking to a site called “bzpharma”, do not click the link.

Users who do click that link and enter their details are inadvertently letting spammers take over their accounts, which are then used to spam the same Direct Message to all their friends.

How to tell you’ve been hit?  If you find that “you’re” sending these messages, you’ve been taken.  If you’re only receiving them, well…you’re fine, but someone who’s your friend on Twitter isn’t.

PleaseRobMe Concerns Not New, News

February 22, 2010

waxy.org has a post on how pleaserobme.com is not as interesting as it should be.

The problem of burglars breaking in after finding out that people aren’t home has existed for decades, and can be traced back to at least the 1970s, when people visiting funeral parlors were burglarized.

On the other hand, it was never automated.  I mean, if I were a burglar, I could just write up some code (OK, maybe not; but let’s suppose) that would let me know which places are empty as I’m driving around a particular neighborhood.

Louisiana Man Gets 309 Years For ID Theft

February 21, 2010

An ID theft ringleader has received a 309-year prison sentence for his involvement.  His scheme involved dozens of victims.

According to the prosecutor, this is “the longest prison sentence for any white-collar crime in the history of his Baton Rouge-based office’s jurisdiction.”

That’s kind of depressing.  I’m sure there have been in the past a number of financial shenanigans going on in Louisiana (not sure where their jurisdiction ends).  You’re telling me that fraud involving just dozens of victims is the longest sentence for any white-collar crime?

I mean, just over the border there’s Mississippi, and they had the WorldCom fiasco that involved hundreds of thousands of people.

On the other hand, La. is to be congratulated for pursuing their white-collar criminals.

[wxvt]

100,000 Helsinki Payment Cards Compromised

February 21, 2010

A data breach at an unnamed Helsinki business has led to illegal access to over 100,000 payment card numbers, of which 10,000 were credit cards.

The chief enabler of the breach was that the system was “old.”  The breaches occurred numerous times in January.

“Card information covering several years was stored on a server. The security breach, which originated abroad, targeted this server and they were able to download large amounts of data,” says Inspector Jukkapekka Risu (with the Helsinki police, no doubt).

This appears to be the worst data breach of its kind in Finland.  According to the article, “the case under investigation is the most extensive of its kind ever in Finland. Up to now similar cases have involved no more than a few hundred cards.”

An old system—which in the digital realm usually tends to mean, security-wise, unreliable; after all, the emphasis on application security is arguably a recent one—combined with data that goes back several years?  Always a terrible combination.

[yle]

Bluetooth-Based Card Readers Used To Hack Credit Card Numbers

February 19, 2010

Canadians in and around Windsor, Ontario were affected by a “massive debit card fraud scheme” over the past weekend.  Authorities have identified where the cards were compromised.

The interesting part is that the criminals switched debit card reading machines with their own.  These machines had Bluetooth, allowing the thieves to gather PINs and card numbers wirelessly.

(A Bluetooth machine can transmit data to almost 100 m / 330 ft if it has the right amount of power.)

More and more illegal acquisitions of desirable information will come from such hacks as more and more companies turn to PCI compliance and other data security methods like data encryption to protect sensitive information.

For example, when a computer is protected with PGP encryption, some people will install keystroke loggers to gain direct access to the passwords.

Valdosta State University Has Data Breach

February 19, 2010

Valdosta State University is investigating a data breach that was discovered on December 11, 2009.  The incident could affect up to 170,000 students and faculty.  The breach began on November 11 of the same year.

According to quoted VSU officials, a breached server contained grades and social security numbers (faculty get grades?!)

What I especially like is the fact that VSU has set up a site for checking whether a person was involved in the breach or not.  (And, it looks like they may have done a pretty good job of ensuring that random attempts don’t lead to unwanted revelations, causing a further breach.)

[VSU site]
