<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: discs]]></title>
    <link>http://securityratty.com/tag/discs</link>
    <description></description>
    <pubDate>Tue, 04 Dec 2007 10:55:55 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Chinese pirates crack Blu-ray DRM, sell pirated HD discs]]></title>
      <link>http://securityratty.com/article/8528f4f8dea5555e92596e5c96e9e190</link>
      <guid>http://securityratty.com/article/8528f4f8dea5555e92596e5c96e9e190</guid>
      <description><![CDATA[A recent bust in China netted several hundred pirated HD discs ripped from Blu-ray masters. The discs were only 720p, not 1080p, but their mere existence shows that Blu-ray's amped-up DRM schemes,...]]></description>
      <content:encoded><![CDATA[A recent bust in China netted several hundred pirated HD discs ripped from Blu-ray masters. The discs were only 720p, not 1080p, but their mere existence shows that Blu-ray's amped-up DRM schemes, AACS and BD+, won't be enough to stop pirates.]]></content:encoded>
      <pubDate>Tue, 18 Nov 2008 10:50:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/blu-ray">blu-ray</category>
      <category domain="http://securityratty.com/tag/discs">discs</category>
      <category domain="http://securityratty.com/tag/amped-up drm schemes">amped-up drm schemes</category>
      <category domain="http://securityratty.com/tag/blu-ray masters">blu-ray masters</category>
      <category domain="http://securityratty.com/tag/recent bust">recent bust</category>
      <category domain="http://securityratty.com/tag/mere existence">mere existence</category>
      <category domain="http://securityratty.com/tag/stop">stop</category>
      <category domain="http://securityratty.com/tag/720p">720p</category>
      <category domain="http://securityratty.com/tag/1080p">1080p</category>
      <source url="http://feeds.digg.com/~r/digg/topic/security/popular/~3/2HyPEbQC928/Chinese_pirates_crack_Blu_ray_DRM_sell_pirated_HD_discs">Chinese pirates crack Blu-ray DRM, sell pirated HD discs</source>
    </item>
    <item>
      <title><![CDATA[Can The Gov Be Trusted With Your Personal Data?]]></title>
      <link>http://securityratty.com/article/f09583068525ca2d56abe689ff8ea4e0</link>
      <guid>http://securityratty.com/article/f09583068525ca2d56abe689ff8ea4e0</guid>
      <description><![CDATA[Survey says… (insert buzzer noise)
Faith in the (UK) gov's ability to securely manage personal data is out the window.
From Reuters:
The inquiries followed Britain's biggest data loss scandal, when two discs...]]></description>
      <content:encoded><![CDATA[<p>Survey says&#8230;(insert buzzer noise)</p>
<p>Faith in the (UK) gov&#8217;s ability to securely manage personal data is out the window. </p>
<p>From Reuters:</p>
<blockquote><p>The inquiries followed Britain’s biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.</p>
<p>The reports concluded that it wasn’t individuals who were to blame - some 30 officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain’s tax authority.</p>
<p>But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.</p></blockquote>
<p>Well, where do you stand? Do you trust your respective government not to punt on data security? </p>
<p>Read on.</p>
<p><a href="http://blogs.reuters.com/uknews/2008/06/25/can-the-government-be-trusted-with-your-personal-data/">Article Link</a></p>

]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 08:44:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/loss">loss</category>
      <category domain="http://securityratty.com/tag/data loss scandal">data loss scandal</category>
      <category domain="http://securityratty.com/tag/britains">britains</category>
      <category domain="http://securityratty.com/tag/britains tax authority">britains tax authority</category>
      <category domain="http://securityratty.com/tag/data protection act">data protection act</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <category domain="http://securityratty.com/tag/child benefit records">child benefit records</category>
      <category domain="http://securityratty.com/tag/mod computers">mod computers</category>
      <category domain="http://securityratty.com/tag/bank details">bank details</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/320499028/">Can The Gov Be Trusted With Your Personal Data?</source>
    </item>
    <item>
      <title><![CDATA[Cloud computing - I want my cake and eat it too]]></title>
      <link>http://securityratty.com/article/08cf5b6a5664248521e1cb7dde8a58c7</link>
      <guid>http://securityratty.com/article/08cf5b6a5664248521e1cb7dde8a58c7</guid>
      <description><![CDATA[It's easy to dismiss Don Dodge's asking &quot; Do you really want your data in the cloud &quot; as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and...]]></description>
      <content:encoded><![CDATA[<p>It's easy to dismiss Don Dodge's asking "<a href="http://dondodge.typepad.com/the_next_big_thing/2008/06/amazon-twitter-disqus-down-do-you-really-want-your-data-in-the-cloud.html">Do you really want your data in the cloud</a>" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability. <br><br>Don has a point, even though net access and SaaS services are much more mature than they were in the past, there are always times when it does not work. For that matter, cell phones, blackberries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even then, problems accessing data on a disk or an application not behaving or security problems could render you just as frustrated on your non-networked device as an Amazon or Twitter being down does now.<br><br>Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to recognize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and off line on my computer, then sync up later. Ultimately when it comes to cloud versus local computing, I want my cake and eat it too.</p>
]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 18:20:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cloud">cloud</category>
      <category domain="http://securityratty.com/tag/net">net</category>
      <category domain="http://securityratty.com/tag/net terminals">net terminals</category>
      <category domain="http://securityratty.com/tag/net access">net access</category>
      <category domain="http://securityratty.com/tag/cloud versus local">cloud versus local</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/model">model</category>
      <category domain="http://securityratty.com/tag/personal computer">personal computer</category>
      <category domain="http://securityratty.com/tag/applications">applications</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/307722334/cloud-computing.html">Cloud computing - I want my cake and eat it too</source>
    </item>
    <item>
      <title><![CDATA[Drama surrounds People's United Bank breach]]></title>
      <link>http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d</link>
      <guid>http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/6/08

Organization
People's United Bank

Contractor/Consultant/Branch
Various branches

Victims
Customers

Number Affected
hundreds

Types of Data...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/peoples.jpg" align="right" height="83" width="204"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="https://www.peoples.com/index/0,6830,,00.html">People's United Bank</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Various branches<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"hundreds"<br><br><span style="font-weight: bold;">Types of Data:</span><br>"confidential financial data" and "private information, including customers' Social Security numbers and account information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.connpost.com/ci_8826142?source=most_viewed">The Connecticut Post</a> <br><a href="http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--banksecurity0406apr06,0,4452038.story">Newsday/Associated Press</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Connecticut post<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information.<br><br>Bank employees didn't know what Hastings was doing until the Fairfield resident told them and delivered a video depicting him digging through the Dumpsters and 
sitting in front of a wall in his home he had papered with the documents.<br><span style="font-style: italic;">[Evan] People's Bank would have had no idea that confidential documents were taken from dumpsters had Mr. Hastings not approached them.&nbsp; How long could the practice of discarding confidential information in the garbage have gone on before someone else noticed?&nbsp; How long has this practice been accepted, and is it still occurring?</span><br><br>The bank got a restraining order against Hastings on March 20, and detectives from the State Police, on a search-and-seizure warrant, raided his home. He is scheduled to appear in Bridgeport Superior Court Monday and he said he could face prison for violating the order the bank secured from the court to stop Hastings from discussing or distributing any of the material.<br><span style="font-style: italic;">[Evan] Judging from what I read, Mr. Hastings is appearing in court to face charges of violating the restraining order, not for taking the documents from the dumpster.&nbsp; I don't think it's against the law to rummage through dumpsters.&nbsp; If it were, how could you enforce it well?</span><br><br>The restraining order also came into play Wednesday when Hastings tried to turn over the remaining boxes of documents to Attorney General Richard Blumenthal.<br><br>The AG's office late Wednesday refused to talk to him until lawyers there investigated the restraining order. It had not made a determination on how it can proceed.<br><span style="font-style: italic;">[Evan] This is sad.&nbsp; I think it is in the public's and the victims' best interests to have the Attorney General investigate fully.</span><br><br>In a series of interviews, Hastings says he's not an identity thief. He says he wants the bank to react to what he calls a serious lapse in security. <br><span style="font-style: italic;">[Evan] The bank has reacted, but obviously not in the way Mr. 
Hastings had preferred.</span><br><br>On Tuesday, he displayed two boxes filled with documents he says he culled from bags of garbage People's United Bank threw away.<br><br>People's, however, doesn't see it that way, and said Hastings is attempting to extort money from the bank. It is also demanding the information be turned over to the bank.<br><br>Brent DiGiorgio, a People's spokesman, says the bank's primary concern is protecting the customers' information that Hastings has taken.<br><span style="font-style: italic;">[Evan] If "protecting customers' information" were the bank's primary concern, then should they have done more to disallow these documents to be thrown in the garbage?&nbsp; Should they address the root issue more aggressively?&nbsp; The information that Mr. Hastings found does not belong to the bank, the information belongs to the victims.</span><br><br>"We're going to provide one year of free credit monitoring for customers whose information was taken when this gentleman rummaged through our trash," DiGiorgio said. <br><span style="font-style: italic;">[Evan] Big deal.&nbsp; Broken record...&nbsp; Credit monitoring helps to alert a person only after they have become an identity theft victim.&nbsp; A one year time frame is insufficient for information that has a life span which far exceeds this limit.</span><br><br>He said the bank notified police immediately when it found out what Hastings had. That notification resulted in a search of Hastings home and the seizure of documents.<br><br>Letters are being mailed out to affected customers, DiGiorgio said.<br><br>About four months ago, Hastings says he was driving out of a People's branch parking lot in Fairfield when he saw a Dumpster brimming with garbage bags. 
When he looked more closely, he saw the clear garbage bags were stuffed with financial documents.<br><span style="font-style: italic;">[Evan] An opportunist.</span><br><br>Hastings says he wanted to try to determine the extent of the problem, so he says he worked nights and weekends digging into Dumpsters at People's and other financial institutions.<br><br>"I'm disgusted by what I've pulled out of those bags," Hastings says, adding that the paperwork contains information on how much money individuals have in their accounts and where they live. He's got Social Security numbers and more on customers.<br><br>"I've got a guy in here that's got $8 million in gold," Hastings says.<br><br>He turned over a lot of those documents to police during the raid, but retained some in boxes, he says, that he hoped Blumenthal's office would accept.<br><br>During trips to People's branches from Stratford to Stamford, he made a video to, he claims, to protect himself from the charge of extortion. "It needs editing," he said, before turning one of the many discs over to the Connecticut Post.<br><br>There are applications for credit cards, reports on bank deposit and account information.<br><br>Hastings says after several months he contacted People's and the bank set up a meeting with him. On March 19, he met with People's Director of Corporate Security William A Gniazdowski.<br><br>Gniazdowski's affidavit of the meeting is on file with the court.<br><br>In it, he says Hastings went to the bank's headquarters at Main Street in Bridgeport, met with executives and dropped off DVDs and toy handcuffs. In the video the bank saw, and Hastings confirms, he wears an orange jumpsuit to indicate People's employees should face criminal charges if any of this private information is made public.<br><span style="font-style: italic;">[Evan] I can think of a more tactful way for Mr. 
Hastings to present the information.</span><br><br>Gniazdowski says Hastings asked People's to hire him as a "fraud consultant." When Gniazdowski asked what would happen if the bank didn't comply, Hastings allegedly said he'd take "great pleasure shoving it up their nose."<br><span style="font-style: italic;">[Evan] Thus the charge of extortion.</span><br><br>Hastings said the bank's security chief trapped him in the room and wouldn't let him leave, so Hastings got mad and told the security officer to take the DVDs and shove them up his nose.<br><span style="font-style: italic;">[Evan] Thus the defense.</span><br><br>As for the charge of extortion, Hastings says, that's the bank trying to protect its reputation.<br><br>The fact that the police didn't arrest him when they searched his house shows that it's clear he wasn't trying to extort anything, he says. He adds that if he were a criminal he would have never gone to the bank because he could be living off the information he found. He noted the bank didn't know he was out there until he came to People's.<br><span style="font-style: italic;">[Evan] More defense.</span><br><br>Hastings, who admits he's concerned about his freedom and reputation, says he wishes he'd never started this, but now that he has he's not going to just roll over.<br><br>He volunteered that he has a record. He was arrested and served a two-year probation for trying to secure drugs from a pharmacy by impersonating a doctor, but that was for a painkiller he needed, and he was convicted of drunken driving. The Post confirmed he has a small criminal record.<br><br>As for what he offered the bank, Hastings says, "What I said is you need a consultant. 
You don't need to hire me."<br><br>The bank disagrees, and a law professor says he would tend to side with the bank.<br><span style="font-style: italic;">[Evan] Interesting choice of words.&nbsp; I assume that the professor is basing his assumptions on past experiences and not necessarily on the detailed facts of this case.</span><br><br>Jeffrey Meyer, a Quinnipiac University Law School associate professor and former assistant U.S. attorney, says he's heard of situations like this, but they usually involve computer hackers.<br><br>In those scenarios, a hacker finds a weakness in a corporation's Web site, exploits it and sabotages the site. The hacker will do it several times, Meyer says, before contacting the company to suggest it hire him or her as a consultant.<br><br>This has resulted in prosecution for extortion, Meyer says.<br><br>"It's the quid pro quo," Meyer said, which makes it a problem.<br><br>If the person demands payment not to damage the company, "it certainly crosses the legal line," he said.<br><br>This is not the first time Hastings says he's investigated a company's procedures and asked to be hired as a consultant. He says he found a problem with a cell phone company and it paid him $10,000 as a consultant in the late 1990s.<br><br>Hastings said the bank's Dumpsters aren't properly secured and it isn't shredding documents, he says.<br><span style="font-style: italic;">[Evan] Yes, the ROOT of the problem.&nbsp; We shouldn't lose sight of the fact that the bank did not adequately secure the personal information of some of its customers.&nbsp; If the documents had been destroyed appropriately, we would have no story, no search warrant, no restraining order, no court case, no victims, etc., etc.&nbsp; This is all a waste of valuable resources due to poor security (business) practices.</span><br><br>"We believe this is an isolated incident to the greater Bridgeport and greater Stamford," DiGiorgio said. 
"It's unfortunate."<br><span style="font-style: italic;">[Evan] It is more than "unfortunate"!</span><br><br>DiGiorgio says the bank has training on how to safeguard customer information and takes that obligation very seriously. It is reviewing its policies, he said when asked if People's will still throw documents into Dumpsters.<br><br>"We do have a policy of how to dispose of customer information," DiGiorgio says, but security reasons prevented him from revealing what those policies are.<br><span style="font-style: italic;">[Evan] Why do people state that they cannot disclose a security policy for "security reasons"?&nbsp; There is no "confidential" information in any one of the security policies I write for companies.&nbsp; Maybe "internal" information on occasion.&nbsp; Sometimes there is "confidential" information and processes in procedures, but never in policies.&nbsp; I share my information security policies openly with colleagues and partners. </span><br><br>DiGiorgio says that since Hastings went to the bank it has posted "no trespassing" signs and has installed locks on the Dumpsters it controls. 
But some of those receptacles, the bank shares with other companies and therefore cannot lock<br><span style="font-style: italic;">[Evan] No trespassing signs and locks are a deterrent to the casual opportunist, but do not stop criminals.&nbsp; I'm not saying it is or is not a good practice (I don't have enough detail), but proper shredding is optimal.</span><br><br>While the bank is reviewing its procedures, DiGiorgio said it does not believe that Hastings has a right to take the documents to "extort money from the bank."<br><span style="font-style: italic;">[Evan] The question is his motive I suppose.&nbsp; I don't think he broke the law by taking the documents out of the garbage, but the legal questions surround what he intended to do with the information.</span><br><br>Blumenthal said Thursday his office is still investigating the matter and attempting to verify Hastings' story.<br><br>But he said in an earlier interview banks have a legal responsibility to secure customers' financial information.<br><span style="font-style: italic;">[Evan] Amen.</span><br><br>Blumenthal questioned how People's could be securing customers' information by throwing it away unshredded or even shredded in a state that could be pieced together.<br><span style="font-style: italic;">[Evan] Wait.&nbsp; Now, Amen.</span><br><br>The bank "might have an explanation," Blumenthal says. "But then again it might want to change its current practices or buy a new shredder."<br><br><span style="font-weight: bold;">Commentary:</span><br>Another interesting story.&nbsp; The circumstances and drama that surround this breach should not take away from the original cause.&nbsp; It seems as though the bank broke the law by not adequately securing customer information and Mr. Hastings may or may not have broken the law in the way he handled the disclosure.&nbsp; I guess the lawyers will have to haggle and the court will ultimately have to decide. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 08 Apr 2008 08:47:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/financial information">financial information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/bank deposit">bank deposit</category>
      <category domain="http://securityratty.com/tag/hastings">hastings</category>
      <category domain="http://securityratty.com/tag/james hastings dove">james hastings dove</category>
      <category domain="http://securityratty.com/tag/bank set">bank set</category>
      <source url="http://breachblog.com/2008/04/08/peoples.aspx">Drama surrounds People's United Bank breach</source>
    </item>
    <item>
      <title><![CDATA[Slysoft AnyDVD (HD) 6.4.0.0 cracks BD+ for real]]></title>
      <link>http://securityratty.com/article/938ffb004d34ec8073a198d066ef4ff1</link>
      <guid>http://securityratty.com/article/938ffb004d34ec8073a198d066ef4ff1</guid>
      <description><![CDATA[They finally did it, discs are fully playable after ripping! Down with...]]></description>
      <content:encoded><![CDATA[They finally did it, discs are fully playable after ripping! Down with DRM!]]></content:encoded>
      <pubDate>Thu, 20 Mar 2008 13:00:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/playable">playable</category>
      <category domain="http://securityratty.com/tag/discs">discs</category>
      <category domain="http://securityratty.com/tag/drm">drm</category>
      <source url="http://digg.com/security/Slysoft_AnyDVD_HD_6_4_0_0_cracks_BD_for_real">Slysoft AnyDVD (HD) 6.4.0.0 cracks BD+ for real</source>
    </item>
    <item>
      <title><![CDATA[Highlighting the importance of data privacy... one person at a time ]]></title>
      <link>http://securityratty.com/article/9f18f7a2f81da77c2b0fbf71b0ba8f8c</link>
      <guid>http://securityratty.com/article/9f18f7a2f81da77c2b0fbf71b0ba8f8c</guid>
      <description><![CDATA[I've seen an increasingly common trend for vendors or others to post sensitive personal information in public places, to prove that no harm will come, or that their solution will protect against any...]]></description>
      <content:encoded><![CDATA[<p>I've seen an increasingly common trend for vendors or others to post sensitive personal information in public places, to prove that no harm will come, or that their solution will protect against any possible misuse. One person to do this recently, in response to the <a href="http://www.itweek.co.uk/2203916">data loss by HM Revenue and Customs</a> is <a href="http://www.jeremyclarkson.co.uk/">Jeremy Clarkson</a>, a TV broadcaster specializing in cars. Despite having no background in finance and fraud, he published his personal information in a newspaper column trying to diminish the idea that harm could come from the data breach. And that has come back to haunt him, as <a href="http://www.itweek.co.uk/vnunet/news/2206703/clarkson-eats-words-lost">someone set up an automatic debit</a> from his account of 500 GBP a month to be given to charity. My favorite part of the story is his new attitude: </p><blockquote dir="ltr"><p>&quot;We must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.&quot;</p></blockquote><p dir="ltr">Beyond a good laugh, what can we get from this story? </p>

<ol dir="ltr"><li><div>Review your bank accounts online regularly whenever possible. He did not check his account until the end of the month statement came and lost valuable time to oppose the debits. </div></li>

<li><div>Don't make yourself an easy target. He obviously called attention to himself as a TV personality that most regular people wouldn't be able to do (publish their bank account in a newspaper), but you should still remove the low-hanging fruit (easy data to steal). For instance, shredding sensitive information and only sharing it when mandatory. </div></li>

<li><div>As more people are harmed by misuse of their data, the outcry for better protection will grow stronger. This will filter up to the ears of our legislatures who will strengthen data protection laws to assist identity theft victims. Especially once it strikes their parent, sibling, or children. </div></li></ol>]]></content:encoded>
      <pubDate>Fri, 11 Jan 2008 06:29:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data protection laws">data protection laws</category>
      <category domain="http://securityratty.com/tag/data breach">data breach</category>
      <category domain="http://securityratty.com/tag/easy data">easy data</category>
      <category domain="http://securityratty.com/tag/lost">lost</category>
      <category domain="http://securityratty.com/tag/protection">protection</category>
      <category domain="http://securityratty.com/tag/account">account</category>
      <category domain="http://securityratty.com/tag/lost valuable time">lost valuable time</category>
      <category domain="http://securityratty.com/tag/bank account">bank account</category>
      <source url="http://blogs.forrester.com/srm/2008/01/highlighting-th.html">Highlighting the importance of data privacy... one person at a time </source>
    </item>
    <item>
      <title><![CDATA[The Breach Blog November Review]]></title>
      <link>http://securityratty.com/article/169d7dc73c87fc66ce6a133887ee3254</link>
      <guid>http://securityratty.com/article/169d7dc73c87fc66ce6a133887ee3254</guid>
      <description><![CDATA[Technorati Tag: Security Breach

The Breach Blog Month in Review November, 2007

Thirty-nine (39) breaches were reported on The Breach Blog during the month of November, 2007 compared with...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tbblogo.jpg" align="right" height="60" width="120"><font size="2"><font size="3"><span style="font-weight: bold;">The Breach Blog Month in Review November, 2007<br><br></span></font><span style="font-style: italic;">Thirty-nine (39) breaches were reported on <a href="http://breachblog.com" target="_blank">The Breach Blog</a> during the month of November, 2007 compared with thirty-five (35) during the month of October.&nbsp; November ranks second to September (44) in the number of breaches reported in a month, since The Breach Blog began compiling reports in August.</span><br><br>The month started out like most of the others, with our first breach report coming on the first day of the month.&nbsp; On October 27th, Art.com, Inc. issued a statement to customers alerting them to the fact that a criminal Internet "hacker" illegally accessed a system or systems containing names and encrypted credit card information.&nbsp; We <a href="http://breachblog.com/2007/11/01/art.aspx" target="_blank">reported</a> it on November 1st.&nbsp; Art.com should be complimented on their decision to encrypt sensitive data.<br><br>The most read breach of the month concerned a stolen laptop belonging to the United States Postal Service in Oahu, Hawaii that affected 3,000 postal workers.&nbsp; This breach was <a href="http://breachblog.com/2007/11/02/usps.aspx" target="_blank">reported</a> on The Breach Blog on November 2nd, so this may contribute to its link popularity for the month.<br><br>There were multiple organizations that reported their 2nd (or 3rd or 4th) breach since we started keeping track, and there were two organizations that reported more than one breach in November alone!&nbsp; Organizations that have reported breaches before, in addition to one or more in November, include <a href="http://breachblog.com/categories/HM%20customs%20and%20revenue.aspx" target="_blank">Her Majesty’s Revenue and Customs</a> (3 total), <a href="http://breachblog.com/categories/Montana%20state%20university.aspx" target="_blank">Montana State University</a> (4), <a href="http://breachblog.com/categories/Capital%20health.aspx" target="_blank">Capital Health</a> (2), <a href="http://breachblog.com/categories/VA%20medical%20center.aspx" target="_blank">United States Department of Veterans Affairs</a> (2), and the <a href="http://breachblog.com/categories/State%20of%20massachusetts.aspx" target="_blank">State of Massachusetts</a> (2).&nbsp; Montana State University reported three breaches and Her Majesty’s Revenue and Customs (HMRC) reported two in November alone!<br><br>The breach reported by Her Majesty’s Revenue and Customs (HMRC) was by far the single largest breach offender in terms of the number of affected individuals.&nbsp; HMRC reported lost “discs” containing sensitive information belonging to Standard Life pensioners on November 2nd, then followed up with lost “discs” containing <a href="http://breachblog.com/2007/11/20/hmrc2.aspx" target="_blank">sensitive information about 25,000,000 individuals AND 7,250,000 families</a>.&nbsp; This single breach alone reportedly affects ½ of the British population!&nbsp; The head of HMRC resigned, and victims are left wondering.&nbsp; This breach occurred not only because of poor security but also because of a lack of common sense.<br><br>It was an interesting month to say the least.<br><br><font size="3"><span style="font-weight: bold;">Summary</span></font><br>Anytime there is even one breach to report it means that someone’s life has been impacted by a failure of information security.&nbsp; It wasn’t the worst of months, but it certainly wasn’t the best either.&nbsp; November closed out with an estimated five billion dollar price tag with HMRC contributing 96+%.<br><br><span style="font-weight: bold;">Stats for November:</span><br>Number of breaches: 39<br>Number of victims: 25,944,451 (seven breaches unknown, 944,451 without HMRC)<br>Average number of victims/breach: 665,242 (24,854 without HMRC)<br>Average cost/breach: $131,052,674 ($4,896,238 without HMRC)*<br>Total Cost: $5,111,056,847 ($186,056,847 without HMRC)*<br>Most popular breach type:&nbsp; Stolen unencrypted laptop or device (9), Employee mistake (9)<br><br><br><span style="font-weight: bold;">Stats for October:</span><br>Number of breaches: 35<br>Number of victims: 943,419 (eight breaches unknown)<br>Average number of victims/breach: 26,954<br>Average cost/breach: $5,309,938*<br>Total Cost: $185,853,543*<br>Most popular breach type: Stolen unencrypted laptop (11)<br><br><font size="1">*based on the number of victims multiplied by the average cost of $197 per lost/stolen record "investigating the breach, notifying customers, restoring security infrastructures and recovering lost business." (source Ponemon Institute's 2007 Cost of Data Breach Study)</font></font><br>
]]></content:encoded>
      <pubDate>Tue, 04 Dec 2007 10:55:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/breach report">breach report</category>
      <category domain="http://securityratty.com/tag/popular breach type">popular breach type</category>
      <category domain="http://securityratty.com/tag/breach blog month">breach blog month</category>
      <category domain="http://securityratty.com/tag/breach blog">breach blog</category>
      <category domain="http://securityratty.com/tag/november">november</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/single breach">single breach</category>
      <category domain="http://securityratty.com/tag/breach offender">breach offender</category>
      <source url="http://breachblog.com/2007/12/04/november.aspx">The Breach Blog November Review</source>
    </item>
  </channel>
</rss>
