barbara haven: Security

Fri, 23 Jan 2009 04:37:22 GMT

Separating the real and fake Twitter peeps

Twitter says purported White House account was a fake. An @TheWhiteHouse page on Twitter that gained thousands of new followers after President Barack Obama's inauguration turns out to not be affiliated with the White House. More at Computerworld patrick_thibodeau@computerworld.com. [Latest from Computerworld]
No big deal. Does Twitter have lists anywhere of the "fake" accounts?

Mon, 13 Oct 2008 02:17:00 GMT

Sharepoint Concept OK, But Every Implementation Hard and Miserable

Why some security pros hate SharePoint. Some SharePoint customers are finding that it's difficult to automate user administration, among other woes. [Latest from Computerworld]

User administration becomes more important in a large and changing workforce.

Sun, 28 Sep 2008 04:47:55 GMT

Browser Bugs 2008

Security researchers warn of new 'clickjacking' browser bugs. Security researchers today warned that a new class of vulnerabilities dubbed "clickjacking" puts users of every major browser at risk from attack.
[Latest from Computerworld]

Mon, 25 Aug 2008 04:39:15 GMT

British Memory Stick Loss had Inmate Data

British Inmates[base '] Private Data Is Lost in Latest Government Security Breach. A private consulting company working for Britain[base ']s Home Office has lost a memory stick containing personal details on all of the 84,000 prisoners serving time in England and Wales.[NYT > Technology] In the continuing saga of government data being hard to keep secret and inside government, I wonder how many cases involve contractors such as this one probably did. I recall reading that in a later update.

Sun, 03 Aug 2008 22:28:59 GMT

US Lawmakers Inquire about Online Tracking by 30+ Internet Companies

Lawmakers Demand Information on Web Tracking Practices. A Congressional committee sent letters to more than 30 Internet companies demanding to know whether they track where their users go online and use that information to deliver personalized advertising. [NYT > Technology] They are only asking. I wouldn't be surprised if 28+ out of 30 Internet companies track where users go. Have they looked at the evidence of tracking? In the past when I did research for another person, I would be amused how much my online ad displays would radically change.

Fri, 02 May 2008 04:04:40 GMT

California Court Publishes Personal Identifiable Information

California court posting SSNs and other personal data, privacy advocates charge. A court in California's Riverside County is openly posting sensitive personal data on its Web site, according to privacy watchdogs. But the court's IT director compared searching for that information to "finding a needle in a haystack."[Latest from Computerworld]

Sun, 27 Apr 2008 23:07:24 GMT

Recent Web Site Attacks

Microsoft: Massive site attacks not our fault. Microsoft late Friday responded to news reports that hackers have leveraged weaknesses in the company's Web and SQL software to attack hundreds of thousands of Web pages. [Latest from Computerworld] Bill Sisk, Communication Manager at Microsoft Security Response Center, said the post was in response to reports that over half a million pages, including some belonging to the United Nations, have been compromised by SQL injection attacks. Once hacked, those sites were modified to download malware to visitors' PCs. Is it my reading, or has security become worse recently--Not much place to be secure any more.

Fri, 11 Apr 2008 04:56:47 GMT

Gladwell at RSA 2008

Malcolm Gladwell tells security folks: Don't think too much. Author of Blink: The Power of Thinking Without Thinking, warns security professionals at RSA 2008 not to let too much data cloud their judgment. [CNET News.com]
Al Gore is speaking on Friday.

Tue, 12 Feb 2008 19:23:19 GMT

Canadian Privacy Blog

The Privacy Commissioner of Canada has a blog. This is an "official" blog covering issues of privacy issues and legislation in Canada. Their welcome note includes:

...With this tool, we hope to make the activities of the Office of the Privacy Commissioner more accessible to Canadians and to increase contact between the Office and Canadians interested about privacy issues and legislation.

As an Officer of Parliament, the Privacy Commissioner has a mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.

Interestingly, any complaints tp the Privacy Commissioner need to made in writing and send by mail, not via email.

Sun, 09 Dec 2007 05:45:09 GMT

Social Security Numbers Part of Minnesota Laptop Theft

Stolen laptop had IDs on 268,000 Minnesota blood donors. Following a laptop theft, Memorial Blood Centers in Minnesota is notifying 268,000 blood donors that their Social Security numbers may have been stolen. [Computerworld Breaking News] Not the government's loss but a similar large-scale notification required.

Have people consider not using social security numbers in so many different ways? Recently I bought a used book that contained someone else's insurance paper with a social security number on it. I shredded it earlier today, but this paper has been handled by at least a used book dealer before me. Maybe several other people had it before that. A social security number should not have been on it.

Mon, 03 Dec 2007 00:59:47 GMT

State of Massachusetts has a Senior's Rx Plan Data Breach

Data theft touches 150,000 Massachusetts seniors. Senior citizens who participate in a Massachusetts insurance program have received word that their personal information may have fallen into the hands of an identity thief. The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief. [Computerworld Breaking News] They provide few details of this breach's nature or exactly whose information "might have been" involved and how.

Sat, 17 Nov 2007 03:44:10 GMT

Laptop Losses again at VA

Deja vu all over again at Veterans Administration. The U.S. Department of Veterans Affairs is once again attempting to explain a data breach. This time, two desktops and a laptop containing data on as many as 12,000 service members have gone AWOL. On Veterans' Day, no less. [Computerworld Breaking News]

I am late posting this but laptop loss provides a continuing stream of government security incidents. Let this be a reminder to you to secure your laptop.

Mon, 22 Oct 2007 18:34:20 GMT

Old and New Short Links from CNET

Make your plans for the Vintage Computer Festival 10.0 -- If you're interested in the history of the computer industry, you won't want to miss the tenth annual Vintage Computer Festival, to be held November 3-4, 2007 at the Computer History Museum in Mountain View, Calif. (JPGs later, More this evening)

DOJ merchant of death roundup for 2007 -- Department of Justice releases list of major US tech and weapons export violations for 2007. [CNET News.com]

Mon, 22 Oct 2007 18:25:31 GMT

California Position for Consumer Data Security Breach Responsibility

Schwarzenegger Says 'Hasta la Vista' to State Bill on Data Breach Costs. California Gov. Arnold Schwarzenegger vetoed a bill that would have made merchants in his state liable for the costs incurred by banks and credit unions because of retail data breaches. [Computerworld Breaking News]

Fri, 24 Aug 2007 04:47:00 GMT

CalPERS and then New York State Pensions Let Out Retirees' Information

First California, now New York lets pensioner personal information slip out. A laptop thought to contain Social Security numbers and other personal data on 280,000 New York pensioners is missing. [Computerworld Breaking News]

Last week CalPERS, the California Public Employees' Retirement System, inadvertently printed social security numbers on brochures about an upcoming election that were mailed to about 445,000 state retirees.

The privacy breach happened after an employee sent a disk containing the numbers to the printer responsible for the brochures. The disk was only supposed to contain the mailing list's names and addresses.

According to Computerworld, that error prompted several changes at the CalPERS, including new security awareness training for employees and a new process that involves sign-offs from three individuals before personal information can be released.

On a related subject, that of posting personally identifiable information such as social security numbers on websites, in the past, Google could search for numbers within a range on a particular domain, but that search to check for possible social security numbers posted on state websites now seems to return an error.

Sun, 29 Jul 2007 23:38:53 GMT

Security: Black-Hat Preview Podcast

Security Bites Podcast: Black Hat preview. On this week's show, Robert Vamosi talks with Fortify's Brian Chess and Jacob West about their planned "Iron Chef Black Hat" presentation. [CNET News.com] Mark this "to listen."

Sun, 08 Jul 2007 23:00:51 GMT

What's a Bug Worth?

Online auction for security bugs. Security researchers can now get cash rewards for the loopholes they discover in popular programs. [BBC News | Technology | UK Edition]
From Mozilla Foundation, finding a significant Firefox vulnerability can get you $500. and a t-shirt.

Sun, 17 Jun 2007 00:26:58 GMT

Security Certification for Red Hat Linux

Red Hat Linux awarded top government security rating. Red Hat Linux's latest security certification, EAL4 Augmented with ALC_FLR.3, puts its security on par with that of Trusted Solaris and potentially gives the OS entree to those government agencies requiring extreme multilevel security. [Computerworld Breaking News]

Thu, 24 May 2007 03:33:46 GMT

Private medical records of Colorado residents exposed on Internet

Yesterday over at Future Tense radio:

As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records.

They found--or were tipped off to--an unsecured ftp server, and possible HIPAA violation. The story is available in several formats including mp3 and iTunes, so this show might make some interesting commuting listening.

Today this story has appeared on Boing Boing one of the most-read blogs. People care about stories like this.

Wed, 23 May 2007 04:44:37 GMT

Antispyware Bill passes House of Representatives

House passes more tech-friendly antispyware bill. In win for tech industry, bill that would not regulate the software industry clears the House of Representatives. [CNET News.com]

Also in Computerworld: Spyware bill passes House of Representatives. On Tuesday the House of Representatives passed an antispyware bill that would make it illegal to access a computer without authorization. The bill now proceeds to the Senate.

Wed, 23 May 2007 04:42:46 GMT

New Entry in Security Blog Space

Google enters the security (blog) space. Blog: With the launch of an online security blog, Google fuels speculation it might begin offering online security services. [CNET News.com]

My must-read security blog remains Schneier on Security from Bruce Schneier whose Cryptogram newsletter also provides a good read.

Wed, 23 May 2007 04:38:45 GMT

Public Records Go Too Far

Web Sites Listing Informants Concern Justice Dept.. The Justice Department is urging federal courts to make fundamental changes in access to electronic court files. By ADAM LIPTAK. [NYT > Technology] This includes:

[base "]We are getting a pretty significant push from the Justice Department to take plea agreements off the electronic file entirely,[per thou] Judge Tunheim said. [base "]But it is important to have our files accessible. I really do not want to see a situation in which plea agreements are routinely sealed or kept out of the electronic record.[per thou]

The significant balance is between public access to public records and public safety from revealing personal details. I don't feel comfortable linking to the site that reveals informants.

Fri, 04 May 2007 04:07:34 GMT

Getting ready for Second Tuesday

Microsoft pencils in seven bug fixes for next week. Microsoft plans to release seven bug fixes next Tuesday, with expectations centered around a security update for a DNS server zero-day flaw found in all editions of the company's server line. [Computerworld Breaking News]

Sat, 31 Mar 2007 05:06:45 GMT

Balancing Privacy and Public Access to "Public" Documents

Privacy advocate prompts Colorado to end web access to some public documents. Yesterday the Colorado Secretary of State's office moved quickly to shut down online access to documents with Social Security numbers after a privacy advocate notified them about the potential breach of sensitive information.[Computerworld Breaking News]

Earlier California Secretary of State Debra Bowen also removed these documents. She said her office was also freezing bulk electronic sales of its Uniform Commercial Code (UCC) database until all but the last four digits of Social Security numbers were removed from documents. The California Secretary of State has approximately 2 million UCC filings on record, of which about a third contain Social Security numbers.

How do I know if mine was among those?

Sat, 31 Mar 2007 04:56:35 GMT

An Unexpected Vulnerability

Users warned on Windows cursors. Microsoft is warning users about a flaw in Windows animated cursors that could leave PCs open to attack. [BBC News | Technology | UK Edition]

Have we reached the point where every feature of Windows has some possibility of attack? I think fonts fonts have been free from flaws so far, but correct me if I missed those.