Wednesday, August 30, 2006


News Item 7144 beSpacific: EPIC Reports $50M Class Action Verdict Against Bank for Privacy Violation

EPIC: "A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection Act, a 1993 law passed after it was shown that stalkers and other criminals had used motor vehicle records to locate their victims. EPIC filed a 'friend of the court' brief in favor of the plaintiffs before the Eleventh Circuit, arguing that the penalties provided by the law create a necessary incentive for both states and private entities to preserve the privacy of drivers' personal information."

9:57:38 AM

News Item 7143 On YouTube, Charges of Security Flaws

"What I am going to tell you is going to seem preposterous," De Kort solemnly tells viewers near the outset of the 10-minute clip. Posted three weeks ago, the video describes what De Kort says are blind spots in the ship's security cameras, equipment that malfunctions in cold weather and other problems. "It may be very hard for you to believe that our government and the largest defense contractor in the world [are] capable of such alarming incompetence and can make ethical compromises as glaring as what I am going to describe." In response to De Kort's charges, a Coast Guard spokeswoman said the service has "taken the appropriate level of action." A spokeswoman for the contractors said the allegations were without merit.

A Web site normally reserved for goofy home-movie outtakes and Paris Hilton parodies may seem an odd place to blow the whistle on potential national security lapses that require complex technical explanations. But receiving millions of hits a day and carrying the intimacy of video, YouTube.com and other sites have become an alluring venue for insiders like De Kort who want to go directly to the public when they think no one within the system is listening.

"This is an excellent example of the democratization of the media, where everyone has access to the printing press of the 21st century," said Dina Kaplan, co-founder of Blip.tv, a site that hosts grass-roots television programming.

9:47:11 AM

News Item 7142 YouTube Used for Whistleblowing.

fightmaster writes "A Lockheed Martin engineer with concerns about the safety and security flaws in a fleet of refurbished Coast Guard patrol boats turned to YouTube in order to publicize concerns he felt were being ignored by his employer and the government. From the article: 'The 41-year-old Lockheed Martin engineer had complained to his bosses. He had told his story to government investigators. He had called congressmen. But when no one seemed to be stepping up to correct what he saw as critical security flaws in a fleet of refurbished Coast Guard patrol boats, De Kort did just about the only thing left he could think of to get action: He made a video and posted it on YouTube.com.'" [Slashdot: Your Rights Online]
9:44:01 AM

News Item 7141 AT&T: Hackers Took Credit Card Info - New York Times

Hackers illegally accessed a computer system and stole credit card information and other personal data from thousands of customers who purchased DSL equipment from an AT&T online store, the company said Tuesday.

AT&T Inc. said the system was hacked into over the weekend. The data of "fewer than 19,000 customers" were affected, the company said.

AT&T said it shut down its online store selling the high-speed Internet access equipment and would pay for credit monitoring services for the people whose files were accessed. The San Antonio-based telephone company notified the major credit card companies whose customer accounts were affected.

It also sent notification to customers involved via e-mail, phone and letter.

9:36:31 AM

News Item 7140 Desktop Security Policy Enforcement - How to Secure Your Corporate Mobile Devices.

This paper, written by Jason Meyer, discusses the items that make up a secure desktop security policy and explores a few of the available vendor solutions that meet some or all of the basic requirements. By Jason Meyer. [Infosec Writers Latest Security Papers]
9:29:09 AM

News Item 7139 Anti-Virus Testing and Consumer Reports.

Consumer Reports recently came under heavy fire from some in the anti-virus industry for creating some 5,500 new virus variants to see how well a dozen leading products fared in detecting the new nasties. More than 100 security experts and executives from companies like Microsoft and HP as well as anti-virus vendors F-Secure, Kaspersky, McAfee, Sophos, Symantec and Trend Micro signed their names to a declaration denouncing Consumer Reports' methods, stating that it is "not necessary and ... not useful to write computer viruses to learn how to protect against them."

Some of the signatories noted -- via various media reports about the scandal -- that with so many viruses already in circulation today (estimates vary from 100,000 to 180,000) it was hardly necessary for Consumer Reports to gin up new ones that could, in theory, be leaked into the wild.

Today, however, I read a rather thoughtful article written by Juergen Schmidt, an editor with the German technology magazine Heise Security. Schmidt picks apart what he sees as the source of the industry's angst on this. He argues that testing anti-virus products against known viruses is a non-starter because the real battle against malicious worms and viruses these days is against previously unknown threats, of which he says about 250 emerge each day.

From the article: "The commandment 'Thou shalt not create new viruses' is a sensible self-imposed commitment by the manufacturers of anti-virus software, which prevents them from creating an atmosphere of threat to promote their products. In contrast, meaningful comparative testing of anti-virus software requires that testers work with self-generated virus variants. Anyone condemning such tests in general is certainly not doing so in the interests of the user."

Schmidt says that in light of the poor job most anti-virus programs do at spotting new threats (without the benefit of code snippets), it is clearly necessary to test anti-virus software using previously unseen malware.

"Known viruses no longer represent any great danger for users with anti-virus software -- pretty much every product will recognize them reliably. The real danger lies with the estimated 250 new malware programs that are released every day. And recognizing these as a threat is where many anti-virus products still fail miserably."

As I have noted here before, many malware authors are increasingly outpacing the security vendors by "automagically" updating the genetic makeup of their creations before anti-virus companies have time to ship updates. As a result, we have an industry whose business is predicated on 10 percent to 20 percent of its customers being successfully attacked before it can even begin to respond, according to some estimates.

[Security Fix]
9:26:59 AM

News Item 7138 Agencies Release FAQs For Internet Banking Authentication.

The bank regulatory agencies recently released a frequently asked questions ("FAQs") document to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005 (the "Interagency Guidance"). The Interagency Guidance addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions' Internet-based financial services. [Privacy and Security Law Blog]
9:23:20 AM

News Item 7137 Cable Modem Hacker Publishes a Tell-All.

The founder of a hardware-hacking group that helps scofflaw internet speed junkies "uncap" their cable modems has written a how-to book.

From the press release:

Written for people at all skill levels, Hacking the Cable Modem features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, and previously unreleased cable modem hacks.

Readers of "Hacking The Cable Modem" will learn:

- the history of cable modem hacking
- how a cable modem and DOCSIS work
- the importance of firmware (including ways to install new firmware)
- how to unblock network ports and unlock hidden features
- how to hack and modify a cable modem
- what uncapping is and how it makes cable modems upload and download faster

"I don't like black boxes; I like to know how things work. The goal of this book and my point in publishing it is to show the many cable modem users how that black box works, how to understand it, and how to control it," said Bill Pollock, founder of No Starch Press.

No Starch Press is the independent publisher that took in Andrew "bunnie" Huang's book Hacking the Xbox after Wiley -- in a shameful moment in publishing -- spiked it out of an abundance of respect for the DMCA.

This book could be as controversial. Like the Xbox, cable modems are meant to be tamper resistant -- to only run code that's been digitally signed by the cable provider, even if you own the modem. This is to prevent you from doing things like sniffing your neighbors' packets off the wires, getting service before you've activated it, or uncapping your modem to get extra bandwidth.

Author "DerEngel" and his gang, TCNiSO, have gotten around that several ways -- some of them very cool. They found a vestigial serial port on a modem's circuit board that, with a little soldering, lets you plug in a computer terminal and interact with a command prompt. Later they found a buffer overflow that allows you to soft-mod some modems without ever cracking the case.

They started off developing methods and software to allow amateurs to easily uncap their modems (tsk) and wound up writing a complete firmware replacement for the Motorola Surfboard 5100 cable modem.

I don't know how much of that is in the book, but the table of contents looks fun. There's also a sample chapter (.pdf) online.
[27B Stroke 6]
9:19:52 AM

News Item 7136 AT&T hack exposes 19,000 identities | CNET News.com

AT&T on Tuesday said hackers broke into one of its computer systems and accessed personal data on thousands of customers who used its online store. 

The information that was illegally accessed includes credit card numbers, AT&T said in a statement. The cyberattack affects about 19,000 customers who purchased equipment for high-speed DSL Internet connections through AT&T's Web site, the company said.

"We deeply regret this incident," Priscilla Hill-Ardoin, chief privacy officer for AT&T, said in the statement. "We will work closely with law enforcement to bring these data thieves to account."

The break-in occurred over the weekend and was discovered within hours, after which the online store was shut down, AT&T said. The telecommunications company quickly notified credit card companies and is in the process of contacting the affected customers via e-mail, phone and letter, it said.

The incident is the latest in a long string of data security breaches. Since early last year, more than 90 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

9:16:34 AM

News Item 7135 Slashdot | AT&T Breached, Exposes 19,000 Identities

mytrip writes to tell us News.com is reporting that a recent attack on AT&T's systems saw thousands of customers' personal data compromised. About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were affected. From the article: "AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information."
9:14:26 AM