Stolen tape also contained taxpayer data
July 8, 2007
Source: Australian IT
A MISSING computer backup tape containing personal information on Ohio state employees also held the names and Social Security numbers of 225,000 taxpayers. The tape, stolen last week from a state intern’s car, was previously revealed to hold the names and Social Security numbers of all 64,000 state employees, as well as personal data for tens of thousands of others, including Ohio’s 84,000 welfare recipients.
The taxpayers’ information was on the backup tape because they hadn’t cashed state income tax refund checks. Ohio Governor Ted Strickland said an expert’s review could reveal the tape contained more sensitive data. The administration has maintained it does not believe the information had been accessed because it would require specific hardware, software and expertise. But data security experts said the unencrypted tape, described by police as roughly 10cm square and 2.5cm thick, could be breached by someone with computer expertise, time and money.
Mr Strickland said 20,000 state employees had signed up for identity-theft protection as of Tuesday night, and there had been no indications that someone had attempted to use their personal information. The state is paying more than $US700,000 to provide all state employees with identity-theft protection services and to hire an independent computer expert to review what data the tape contained. Officials said they would extend identity-theft protection services to the people in the categories announced on Wednesday.
The tape was stolen June 10 out of the unlocked car of a 22-year-old intern who had been designated to take the backup device home as part of a standard security procedure. The governor has since issued an executive order ending the practice of employees taking backup devices home for safekeeping. He also mandated a review of how state data is handled.
Is the Zone Alarm firewall spying on you?
June 12, 2007
Source: Inquirer
IT’S OBVIOUS, REALLY, that the best way of penetrating users’ PCs to see what they get up to online would be to become a Firewall maker. Like, when I wanted a Firewall and was too tight to pay for one, I turned to Checkpoint’s little freebie Zone Alarm. It sits there between you and the Internet and lets you know when someone’s trying to sneak in through your backdoor or when a program you’re running tries to connect to the Web for no apparent reason. When you’re as techie as me – not very – you just have to trust it.
Of course, Checkpoint’s an Israeli company and as a foreign journalist working in Israel you know the hyperactive security services here would like to keep tabs on you. And you know that they do. It has been confirmed to me by a security sources here that mobile phone conversations I have had have been listened to – and in circumstances which I won’t reveal, the contents of a call I have been involved in have actually been relayed back to me. It’s part of the game – like the airport interrogation, or the surreptitious copying of your notepad while you’re off having a body search. You know what goes on but you have a job to do and just get on with it – hoping that what you get up to in the legitimate pursuit of your business won’t upset anyone to the extent that they’ll come break your door down and cart you off somewhere.
Now, the handsomely-named Mr Cringely has revealed that a colleague of his at Infoworld noticed that Zone Alarm 6.0 was sneakily sending off data to four different servers. Cringely says that Zone Labs (acquired by Checkpoint in March of 2004) at first denied the activity for a couple of months before deciding the software had a “bug” even though, as he points out, “the instructions to contact the servers were set out in the program’s XML code.”
The company says it will fix the “bug” soon. In the meantime you can work around it by adding:
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
to your Windows host file.
The “bug” seems to be present in the retail version of Zone Alarm, so there’s no telling what the freebie gets up to. We called Checkpoint here in Israel to find out, but were referred to a US spokeszoner. Trouble is they’ll all be in bed there on this sunny Sunday morning.
MasterCard Security Breach : Funds Vanish!
May 23, 2007
Source: WTHR
Indianapolis - MasterCard is warning its member banks about a rash of thefts from the bank accounts of card holders, some here in Central Indiana. Kristin is good about checking her checking account. “I check the account online every day.” And good thing. When she logged on Tuesday she found it had insufficient funds.
“I was like, what’s going on?” Kristin said. Kristin has a MasterCard debit card and her bank, Sky Bank, blames a security breach. “We were notified very late last week that a member merchant of Master Card had a data breach and account numbers were compromised,” said Mike Newbold, Regional President of Sky Bank Indianapolis. If it sounds familiar it’s because it’s a little like the case last year when a hacker got into customer financial records at TJ Maxx and its affiliated stores. The crooks quickly bought merchandise and gift cards from major national retailers like Wal-Mart. This breach may not be as big as that one but look where someone was spending Kristin’s money with her stolen debit card data.
Kristin shows us her online bank statement. “Well they were Wal-Marts.” In two days, $2,000 in charges were rung up in California Wal-Marts. “Only the last charge was declined,” Kristin said, “and that was today for $700.” And that’s because the crooks had pretty much emptied out her account. “It really makes you realize how vulnerable you are,” Kristin said. She wishes her bank warned her Master Card accounts were targeted. The bank says it just learned of the group of cards that could be vulnerable in the last 24 hours. It urges we all be vigilant. If you have online access Mike Newbold with SkyBank recommends “log in periodically and look at your account activity and see if anything looks suspicious.” The bank says it will work to restore customers balances.
IPS student data exposed
May 18, 2007
Source: Indy Star
In what appears to be one of the broadest online school security failures ever in the U.S., thousands of confidential Indianapolis Public Schools student records were available to the public through Google searches. An Indianapolis Star reporter using Google found information on at least 7,500 students and some staff members, including phone numbers, birth dates, medical information and Social Security numbers. Such student information is required to be kept private under federal law. Internet security experts said the inadvertent release of information resulted from a network setup that was sloppy. It appears that teachers and students unwittingly posted the files to the Web when they tried to save their work on the system.
Amsterdam Airport Schiphol Starts Full-Body Scans
May 17, 2007
Source: Daily Tech
Amsterdam’s Schiphol airport has become the first in the world to deploy a new “see-through” security system that allows screeners to view the shape of the traveler’s body beneath their clothes. The system is designed to detect weapons and explosives hidden under clothing. Numerous airports have tested the system, but this is the first permanent installation of the security devices. Schiphol officials are making the body scanners optional, allowing passengers to submit to the 3-second scans in lieu of waiting in long security lines or being frisked by security personnel.
The “security scan” system uses a short blast of ultrahigh frequency radio waves to reveal the contours of the traveler. According to the airport officials, the person steps into the phone booth-like device and assumes what is known as the “ballerina position,” with both arms up in the air. While many consider the machines to be a safety improvement over X-ray scanners, and a better alternative to conventional strip searches, others feel the head-to-toe scans are an invasion of privacy. According to Reuters, Schiphol’s screeners will view the images in a room off-limits to other passengers, and the images will be destroyed after each passenger is screened.
Even the TSA can’t keep track of employee data disks
May 6, 2007
The agency in charge of airport security, the Transportation Security Administration, has lost a hard drive containing detailed sensitive information on current and past employees, according to news stories including TSA Hard Drive With Employee Data Is Reported Stolen by Spencer S. Hsu in the Washington Post.
The FBI and the Secret Service have opened a criminal investigation into the apparent theft of a computer hard drive containing the personal, payroll and bank information of 100,000 current and former workers of the Transportation Security Administration, including airport security officers and federal air marshals, the TSA said yesterday.
What this and other stories and even the TSA news release don’t say is whether the employee data were encrypted or not. Be nice to know whether the agency in charge of airport security protocols is following best-practice data security protocols. While these data were reported to be “archived,” that does not mean encrypted. And, according to the TSA release, the treasure trove is richer than usual. It includes “name, social security number, date of birth, payroll information, bank account and routing information.” While even identity thieves still in short pants can take advantage of SSNs to create new identities, identity thieves still in diapers will be drooling over the bank account data.
Cybercrime: will evolve to use other technologies
April 26, 2007
Source: ITP
Cybercrime is on the rise, and what’s more the criminals are fast moving to non-PC devices and unsecured parts of the network. In the second issue of the Global Threat Report, McAfee researchers state that while the crimes themselves are not likely to change much, the mechanisms used to carry out such attacks will evolve to use other technologies.
“The security research being done today uncovers clues to the types of attacks that are likely to become commonplace tomorrow. And today’s infrequent attacks can easily turn into tomorrow’s epidemic,” states the report. The statement continues that some of the major threats coming our way, as digital offenders look beyond the PC, include mobile spam, spoofed VoIP phishing and the infiltration of RFID technology.
McAfee predicts that the growing smartphone market – which is expected to exceed US$250 billion by 2011 – is too lucrative for cyber thieves to ignore. Greater adoption of these devices, coupled with more users accessing personal and financial data on the phones, will lead to increased phishing attacks, spyware and identity theft. Mobile spam also has the potential to explode as spam and Trojan authors develop mobile malware. The report maintains that mobile network operators must adopt risk management measures to stay on top of these developments—not only to prevent costly disruptions but also to enable their environments for new, more secure services.
VoIP – the revenues of which will touch US$20 billion in 2009 according to Infonetics Research – is another ripe messaging medium for spam. Spam over Internet Telephony (SPIT) is predicted to increase as VoIP allows spammers not only to place large volumes of calls, virtually for free, but also to forge them. Spoofed VoIP phishing attacks will likely be more successful than their e-mail counterparts, because anti-SPIT technology is far behind that of antispam. In addition to these social engineering attacks, the VoIP technology itself is vulnerable to eavesdropping, recording, and hijacking, which means that attackers can capture confidential information, such as account and PIN numbers as well as personal conversations.
Another emerging technology that poses a significant risk to privacy, as per McAfee’s research, is radio frequency identification (RFID). Current RFID technology is vulnerable to eavesdropping, recording, cloning, and forgery. RFID readers could contain vulnerabilities that would allow RFID chips to contain exploits to steal information from backend databases. As RFID becomes more widely adopted by corporations and countries for tracking and identifying people and assets, these elements could become prime ground for new-age intruders, adds McAfee’s report.
ID Scanners at Bars Raise Privacy Questions
April 9, 2007
Source: WREX TV
We’re used to giving personal information about ourselves when there’s a security issue, maybe using a credit card in a store or getting on an airplane. But new technology tracks us in places we may not even know about.
You can now put “going to a bar” on the list. Now when some places check your ID, they’ve got a permanent record of your information. The next time you request a table or order a round, the bartender might know your age, height, and eye color before you even make eye contact. That’s thanks to new scanning equipment that’s becoming mainstream. Rockford’s Silver Lounge uses scanners to uncover the underage. General Manager Addison Jun says, “It’s just pretty much this little scanner that’s meant to scan drivers licenses, business cards and it just kind of helps keep track of everybody.”
Bar-goers have mixed feelings about being cyber-carded and having their personal information saved in a database. One told 13 News, “It makes me pretty uncomfortable. You don’t know who’s working behind the door.” Billy Cook from Roscoe says, “I feel like it’s an invasion of privacy if they find out where you live. You never know where that info is going to go.”
But Jun says they do it for a good reason. “If it’s a fake, it lets us know that it’s not a valid ID. Security is a huge, huge issue in the nightlife business.”
But local security experts say don’t underestimate the old-fashioned role of the bouncer. Merchants Police Director Larry Hodges says, “It says here she’s 5′11″. The girl that produced the ID was only 5′5″. It says she’s 160 pounds, the girl that produced the ID was 125. So the machine doesn’t catch that. But the person does.” Cook says, “The established places that have good security will hopefully use it in the right manner and not abuse it.”
But bar owners also use it as a marketing tool. Because the scanner saves your address, they can then send out information about special events or upcoming promotions. They can only see and save what’s on the front of your license, including your address and picture. But they do not have access to a person’s criminal record, health information or credit background.
Largest ever credit-card number theft at US retailer
March 29, 2007
Source: Raw Story
At least 45.7 million customer credit and debit card numbers have been stolen from major US retailer TJX after the company’s computer system was hacked, the company said Thursday. The numbers were published in TJX’s annual report to the US Securities and Exchange Commission (SEC).
It was “the biggest breach of personal data ever reported,” The Boston Globe said in its online edition Thursday. According to TJX, the theft of personal data happened over an 18-month period. The company on Thursday gave the first concrete figures relating to the computer system break-in which had already been made public in January. Data from its computer system in Britain was also stolen, the retail giant said. The stolen information related to transactions dating back to December 2002.
TJX owns a number of department-store and retail chains in the US, including T J Maxx, Marshall’s and A J Wright, as well as Winners in Canada and T K Maxx in Britain and Ireland. The company’s profit in the last financial year was 776.8 million dollars on turnover of 17.4 billion dollars. Altogether, TJX owns some 2,466 shops.
How to surf anonymously without a trace
March 14, 2007
Source: Computerworld
The punchline to an old cartoon is “On the Internet, nobody knows you’re a dog,” but these days, that’s no longer true.
It’s easier than ever for the government, Web sites and private businesses to track exactly what you do online, know where you’ve visited, and build up comprehensive profiles about your likes, dislikes and private habits. And with the federal government increasingly demanding online records from sites such as Google and others, your online privacy is even more endangered. But you don’t need to be a victim. There are things you can do to keep your surfing habits anonymous and protect your online privacy. So read on to find out how to keep your privacy to yourself when you use the Internet, without spending a penny.
Storm Worm for Blogs
March 3, 2007
Source: ZDNet
A variant of the Trojan horse attacks known as Storm Worm emerged Monday, targeting people who post blogs and notices to bulletin boards. Storm Worm emerged in January and raged across the globe in the form of emails with attachments that, when opened, loaded malicious software onto victims’ PCs, commandeering the machines so they could be used for further attacks. The new Storm Worm variant attacks the machines of unsuspecting users when they open an email attachment, click on a malicious email link or visit a malicious site, said Dmitri Alperovitch, principal research scientist at Secure Computing. But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious website, said Alperovitch, who rates the threat as “high”.
“We haven’t seen the web channel used before,” he said. “In the past, we’ve seen malicious links distributed to people in a user’s address book and made to look like it’s an instant message coming from them.” The danger in this most recent case, he added, is that the user is posting a legitimate blog or bulletin board notice, unaware that a malicious link has been slipped into the text of the posting.
When computer security fails: you may go to jail
February 27, 2007
Everyone will have heard about Julie Amero, the small-town substitute teacher who was convicted in court for exposing seventh-grade students to pornographic material on her classroom computer. Computer expert W. Herbert Horner testified for the defense that the images were the result of incessant pop-up ads served by spyware on the classroom computer. According to published reports, the license on Web-filtering software at her school had lapsed. As a result, pop-ups that appeared on the classroom PC also included pornographic images.
So, evidently, if this happens to you because the school has been neglecting their updates then you can get convicted and face 40 years in jail, just like Julie Amero. We are keeping track of this story and its details.
Surveillance cameras’ latest job: interpret the threats they see
February 26, 2007
Source: Associated Press
The next time you walk by a shop window, glance at your reflection. How much do you swing your arms? Is the weight of your bag causing you to hunch over? Do you still have a bit of that 1970s disco strut? Look around — you might not be the only one watching. Never-blinking surveillance cameras, rapidly becoming a part of daily life in public and even private places, may be sizing you up, as well. And they may soon get a lot smarter.
Researchers and security companies are developing cameras that not only watch, but interpret what they see. Soon, some cameras may be able to find unattended bags at airports, guess your height, or analyze the way you walk to see if you are hiding something.
Most of the cameras used today are used to identify crooks after-the-fact. (Think grainy video on local TV news of convenience store robberies gone wrong.) But so-called intelligent video could transform cameras from passive observers to eyes with brains, able to detect suspicious behavior and potentially prevent crime. The innovations could mean fewer people would be needed to watch what cameras record, and make it easier to install more in public places and private homes.
“Law enforcement people in this country are realizing they can use video surveillance to be in a lot of places at one time,” said Roy Bordes, who runs an Orlando, Fla., security consulting company. Some advancements have already been put to work. Baltimore, for instance, installed cameras that can play a recorded message and snap pictures of graffiti sprayers or illegal dumpers. The gaming industry uses systems that can detect facial features, Bordes said. Casinos use their vast banks of security cameras to hunt cheating gamblers who have been flagged before. In London, one of the largest users of surveillance, cameras provided key photos of the men who bombed the underground system in July 2005 and four more who failed in a second attempt just days later. But the cameras were only able to help with the investigation, not prevent the attacks.
Companies that make the latest cameras say the systems, if used broadly, could make video surveillance much more powerful. Cameras could monitor airports and ports, help secure homes, and watch over vast borders. Intelligent surveillance uses computer algorithms to interpret what a camera records. The system can be programmed to look for particular things. “If you think of the camera as your eye, we are using computer programs as your brain,” said Patty Gillespie, branch chief for image processing at the Army Research Laboratory in Adelphi, Md. At the University of Maryland, engineering professor Rama Chellappa and graduate students have worked on systems that can analyze the way someone walks to determine if he is a threat.
With two cameras and a laptop computer, Chellappa recently demonstrated how intelligent surveillance works. A student walked into the room, dropped a laptop case, then walked away. On the laptop screen, a green box popped up around him as he moved into view, then a second focused on the case when it was dropped. After a few seconds, the box around the case went red, signaling an alert. In another video, a car pulled into a parking lot and the driver got out, a box springing up around him. It moved with the driver as he went from car to car, looking in the windows instead of heading into the building. In both cases, the camera knew what was normal: the layout of the room, and the location of the office door and parking spots in the parking lot. Alerts were triggered when the unknown bag was added and when the driver didn’t go directly into the building.
Still, industry officials say the technology needs to improve before it can be widely used. There are liability issues, such as if someone is wrongly tagged as a threat. And the cameras only see so much. They can’t see what you are wearing under your jacket — yet.
The IRS has lost 490 laptops, many with unencrypted data
June 2, 2007
From Ars Technica: Every large organization loses laptops, but when those laptops contain the personal tax information of millions of Americans, it’s a big deal. Big enough that the Treasury Department’s Inspector General for Tax Administration looked into the problem, and released a report on the Internal Revenue Service’s penchant for losing machines filled with unencrypted tax data. “As a result,” writes the report’s author, Michael Phillips, “it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes.” How bad is the situation? When inspectors looked into the matter, they found that 490 laptops had been reported stolen between January 2, 2003 and June 13, 2006. Unfortunately, because reporting procedures for stolen laptops were often not followed, there isn’t a real way to know whether this number is accurate.
Phisher trolling
May 10, 2007
Source: News with Views
When cybercrime started to become a pandemic problem, the victims were generally stupid people who willingly shared personal information about themselves with phishers by signing online petitions, or by making online purchases through unsecured websites where their credit card and checking account data was easily stolen; or who believed emails received by them that suggested their bank accounts, PayPal accounts, eBay accounts or credit cards had been compromised and, rather than get on a telephone and call that service provider to verify the information, they gave the phishers the confidential data needed for the cyberthief to steal their money.
But the worst cyberidiots are those who believe they just won a lottery they never entered, or they just inherited a fortune from someone they don’t know, or that Ali Babba just got deposed in Magic Carpetland and, rather than let the incoming regime seize his assets, chose you out of 100 million other cyberidiots to share his fortune with. (Generally, the only people who fall for the lottery scheme are welfare recipients who are so accustomed to getting something for nothing that they actually think that actually happens in the real world where real people invest real sweat equity to get a real paycheck.)
UPMC patients’ personal data left on Web
April 13, 2007
Source: Post-Gazette
Names, Social Security numbers and other personal information for nearly 80 UPMC Health System patients were posted on the medical center’s radiology department Web site possibly for as long as two years, apparently without the patients’ permission.
“It looks like they made a training video and instead of blanking out the information, they left it in there for some stupid reason,” said Robert Ewiak, 38, of Erie, after seeing his name and Social Security number on the Web site. “I didn’t agree to let them put my personal information on the Internet, that’s for sure.” One slide has an image of a scan taken of retired Fox Chapel attorney Albert Hilton, and lists his Social Security number, insurance information and medications, as well as noting his previous medical screenings and procedures. “Clearly, I think it’s an invasion of privacy,” said Mr. Hilton, adding that “I certainly haven’t” given the hospital permission to use the information. The majority of entries are dated Sept. 11, 2002, and list just the patients’ names next to their medical record numbers, which match their Social Security numbers.
“I’m really shocked to see my name and Social Security number. At the very least, they should have had this in a password-protected site,” said Lisa Rossi of Squirrel Hill, a former UPMC News Bureau staff member. “With the Internet, who knows who’s found this?” UPMC officials quickly disabled the site Tuesday afternoon after the Pittsburgh Post-Gazette inquired about it, and they acknowledged yesterday that the posting was a mistake. “I take this very seriously. I sure as heck don’t want my co-workers looking at my data either,” said John P. Houston, UPMC vice president for information security and privacy. Mr. Houston said they knew the presentation had existed — in fact, they had found and flagged the site two years ago. “I was the person who said, ‘This has to come down,’” he said. But shortly afterward, the department replaced its server and he suspects the site inadvertently got restored without anyone noticing. The medical center will be sending letters this week to all the patients affected, “to tell them what steps to take to make sure they are not victims of identity theft,” said Richard Kidwell, director of risk management for UPMC. Mr. Houston also said UPMC will pay the cost of monitoring the patients’ credit records for a year if the patients want that service.
The confidential information was part of a PowerPoint presentation on integrating multimedia electronic medical records by Dr. Paul J. Chang, a former UPMC radiologist. One slide, ironically, listed “security” as one of the challenges. Dr. Chang used the presentation for a workshop at a meeting of the Radiological Society of North America in December 2002, but said he had personally blocked out identifying information beforehand. “That was not supposed to be on the UPMC Web site,” said Dr. Chang, who left UPMC in June and is now on staff with the University of Chicago. In a phone interview Tuesday, he speculated that someone must have found a copy of his presentation containing raw data, then posted it without realizing what was there. “I don’t know why it was available,” he said. “They should have stripped that stuff out years ago.” Dr. Chang, a widely-recognized expert in radiology informatics, said he took precautions to erase his data from his hard drive at UPMC before he left. But, looking back, he realizes he did not do the same for the department Web site. “I confess that it never, ever entered my mind” to check, he said. “Who would even think, ‘Is there any of my stuff on the Web?’ It’s something we don’t think about, but I sure will now.”
One patient, Emma Cameron, 60, of Wilkinsburg, initially said “I really don’t care” when told her name and Social Security number were on the Web site. But she added, “I wouldn’t be very happy if someone stole my identity.” Less than two hours later, Mrs. Cameron’s daughter, Deanna North of Farmington Hills, Mich., called the Post-Gazette, worried about her mother’s information being posted on the Internet. “She doesn’t know what the implications are,” said Mrs. North. “It’s a shame. I don’t think a lot of these people understand what the implications are, because they’re sick and they’re elderly.”
Symantec Reports Rise in Data Theft
March 20, 2007
Source: HULIQ
New Internet Security Threat Activity Research Reveals a Shift towards Collaborative, Global Online Communities Operated by Cyber Criminals
The latest Internet Security Threat Report released today by Symantec Corp. (Nasdaq: SYMC) reveals that the current Internet threat environment is characterized by an increase in data theft, data leakage, and the creation of targeted, malicious code for the purpose of stealing confidential information that can be used for financial gain. Cyber criminals continue to refine their attack methods in an attempt to remain undetected and to create global, cooperative networks to support the ongoing growth of criminal activity.
“Symantec’s Internet Security Threat Report gives our organization a detailed analysis of worldwide Internet threats, helping us monitor security risks and adjust our technology and protection processes accordingly,” said Dan Lohrmann, chief information security officer for the state of Michigan. “Safeguarding sensitive information and the public’s trust is essential for our support of Michigan agencies providing law enforcement, health care, and citizen service. The report’s comprehensive data on the global threat landscape complements our department’s security operations.”
Email Security Solution - Everyone’s Reading You
March 20, 2007
Source: Everybody Go To
In the past couple of years we have heard over and over again how a leaked email got out and into the open concerning some internal information of a company that eventually led to its downfall. Even the blogosphere sometimes relies on leaked emails to verify rumors of new products, unannounced acquisitions and the like.
Three Indicted for Alleged Online Brokerage Scam
March 14, 2007
Source: PC World
A federal grand jury indicted three people on charges of conspiracy, fraud, and aggravated identity theft related to a “high-tech” scheme to hijack online brokerage accounts.
The 23-count indictment, returned in January and unsealed Monday, charges Jaisankar Marimuthu, 32, and Chockalingam Ramanathan, 33, both of Chennai, India, each with one count of conspiracy, eight counts of computer fraud, six counts of wire fraud, two counts of securities fraud, and six counts of aggravated identity theft as part of this “hack, pump and dump” scheme.
The indictment also charges Thirugnanam Ramanathan, 34, a native of India and resident of Malaysia, with one count of conspiracy, two counts of computer fraud and two counts of aggravated identity theft, the DOJ said. Marimuthu and Thirugnanam Ramanathan have been arrested in Hong Kong. The DOJ has identified more than 60 customers and nine brokerage firms in the U.S. and elsewhere as victims, with one of the brokerage firms reporting more than US $2 million in losses. This case is the first time that individuals have been arrested overseas in connection with an online brokerage intrusion scheme perpetrated in the U.S., the DOJ said.
Security Fails When Banks Try To Resemble Scammers
March 30, 2006
Source: Techdirt
We’ve discussed the threat to ATM security whereby a false front is attached to the machine, allowing attackers to scan a customer’s card when they try to make a transaction. One solution is to warn customers about suspicious attachments to the machines, so that they’ll know not to swipe their card when they see one.
However, any effort to warn customers is undermined when banks attach their own devices to the machine that look just like illicit scanners. One security expert recently came upon an ATM in the UK that had an anti-scanning device attached to the slot so sloppily soldered on that he went to a different machine. This is similar to another mistake that banks make, sending out emails that look exactly like phishing scams. The goal of many scams is to trick people into giving away information to what appears to be a trusted party. But when institutions’ tactics so closely mimic the scammers, consumers don’t know who to trust.