[SecurityRatty] tag: trash

Anti-Terror Law Mission Creep in the U.K.

Fri, 07 Nov 2008 05:18:44 +0000

First terrorists, then trash cans:

More than half of town halls admit using anti-terror laws to spy on families suspected of putting their rubbish out on the wrong day.
Their tactics include putting secret cameras in tin cans, on lamp posts and even in the homes of 'friendly' residents.

The local authorities admitted that one of their main aims was to catch householders who put their bins out early.

Wells Fargo Opt Out 800 Number

Thu, 30 Oct 2008 15:04:26 +0000

I have been a happy customer of Wells Fargo for a couple of years now, but one thing has always bothered me: being solicited by loosely affiliated companies. Well, I finally found out how to fix this. I called 888.528.8460, which is their "privacy preference line". From there I was able to opt out of all solicitation for new services.

We'll see how well it works.

I'm not a crazy environmentalist, but waste makes me cringe. I make it a habit to contact companies that mail me catalogs that I don't read, telling them to take me off of their lists. I also do little things like bring a couple of bags to the grocery store every time I go in order to avoid generating more plastic waste.

The other day, I was buying my son a sweatshirt in T.J. Maxx, and the clerk popped it into a plastic bag. I said, "Thanks, but I really don't need that bag." He promptly balled it up and threw it in the trash. It makes me sad how so many people just don't get it. If everyone would just think a little bit about this in their daily lives, I think it'd make a big difference for the world we leave to our kids and grandkids.

Leave Your Webcam On 24/7? Might Want To Reconsider...

Mon, 01 Sep 2008 11:46:09 +0000

It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as they have a webcam switched on, of course). Similarly, hacking culture has always had a fascination for memes, incorporating them into part of the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC, ensuring the victim has a webcam switched on then opening up shock meme websites at the most inopportune moment, recording the moment of impact with the webcam feed. Or, as one guy put it:

If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:

Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victims credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...

U.S. Government Policy for Seizing Laptops at Borders

Fri, 01 Aug 2008 08:21:25 +0000

Amazing. The U.S. government has published its policy: they can take you laptop anywhere they want, for as long as they want, and share the information with anyone they want.

Here's the actual policy:

Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement... DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism... The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."

It's not the policy that's amazing; it's the fact that the government has actually made it public.

Slashdot thread. My previous essay on crossing borders with laptops, and how to protect yourself.

Although honestly, the best thing is probably to keep your encrypted archives on some network drive somewhere, and download what you need after you cross the border.

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

How personal information wound up at the side of the road is a mystery

Thu, 10 Jul 2008 06:50:31 +0000

Technorati Tag: Security Breach

Date Reported:
7/10/08

Organization:
Liberty Furniture*

*"a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County", Mississippi. According to the report, Liberty Furniture may have gone out of business more than 20 years ago.

Contractor/Consultant/Branch:
Unknown

Victims:
Former employees

Number Affected:
"hundreds, maybe even thousands of people"

Types of Data:
Personal information including W-2 forms and tax forms containing names, addresses, and Social Security numbers

Breach Description:
"Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road."

Reference URL:
Eyewitness News Everywhere

Report Credit:
Kevin Holmes, Eyewitness News Everywhere

Response:
From the online source cited above:

Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road.
[Evan] For those readers who may be unsure where this "Mid-South" is located, in this case it is Mississippi.

We even found W-2 forms, tax forms with people's names, addresses and social security numbers.

Investigators in Tate County are trying to figure out how the papers got there.

Larry Davis made the discovery.

He says he was driving into town when he came across thousands of forms.

"That's just uncalled for...you are entrusting these people with a lot of information that could ruin you very quickly, but yet they treat it like it's trash," said Davis.
[Evan] I think most people share Mr. Davis' feelings. It is puzzling. What was the person who dumped the information on the side of the road thinking, supposing the the person was thinking and supposing the information was dumped and not lost (i.e. fell off a truck).

Financial records, shipping order forms, and W-2's of former employees

"Stupidity on the person that threw it out on the road. The people who disposed of these, there should be some legal action against them, but to me that's mismanagement," said Davis.
[Evan] Again, I think many people share the same feelings as Mr. Davis.

Many of the records are from Liberty Furniture, a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County

"There all from North Carolina, how did they get here? This is Mississippi. We got some strong wind, but they ain't that strong," says Davis.

Even Cromcraft employees were shocked when we brought this to their attention.

Most of the W-2's are from the late 1970's and early 80's.
[Evan] Wow! These W-2's are 20-30+ years old?!

we're told Liberty Furniture went out of business more than twenty years ago.

Larry Davis' daughter Susan Herron said, "This could be someone's grandparents on fixed income, now their social security number is floating around somewhere and it's awful, people need to be more careful."

Eyewitness News Everywhere caught up with one of the former employees whose personal information was exposed.

"My initial feeling was a very sinking, horrified, scared, feeling....You feel vulnerable and hope your social security number hasn't fallen into the wrong hands. So I have to be diligent in checking my credit report," said the employee.
[Evan] It is interesting to read how a person feels when they learn that their personal information has been compromised. I feel bad for these people. This employee doesn't need to feel "horrified and scared", but he/she does nonetheless, and it's all due to negligence. This is just one reason why information security is so personal to me.

Other former Liberty Furniture employees tell Eyewitness News Everywhere they will be doing the same thing - checking their credit report.

Eyewitness News Everywhere will keep those forms in a secure place until we hand them over to the proper authorities.

Commentary:
There is a lot of mystery surrounding this breach. How did the information get there? Why was the information still kept? Who was in possession of the information before it was found on the side of the road? Why wasn't the information already destroyed if the company who was responsible for it is no longer in business?

Past Breaches:
Unknown

Petroleum Wholesale charged with exposing customers

Sun, 22 Jun 2008 17:58:23 +0000

Technorati Tag: Security Breach

Date Reported:
6/19/08

Organization:
Petroleum Wholesale, L. P.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information"

Breach Description:
”HOUSTON -- Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, was charged by the Texas Attorney General of improperly disposing of customer records"

Reference URL:
The Pasadena Citizen
KHOU-TV Channel 11 News
Convenience Store News

Report Credit:
The Pasadena Citizen

Response:
From the online sources cited above:

HOUSTON - Texas Attorney General Greg Abbott today charged Houston-based Petroleum Wholesale, L.P., which operates Sunmart Travel Centers & Convenience Stores in 10 states, for exposing its customers to identity theft.

According to the state's enforcement action, Petroleum Wholesale improperly discarded customer records containing sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information.

"This defendant is charged with failing to protect its customers' sensitive information," Attorney General Abbott said.

"With more than 20,000 Texas victims each year, identity theft remains one of the nation's fastest-growing crimes. The Office of the Attorney General will continue working to protect Texans from identity theft."

Investigators with the Office of the Attorney General (OAG) discovered that the company improperly discarded hundreds of customer records in a publicly-accessible trash container outside its former headquarters.
[Evan] According to information posted on the Petroleum Wholesale web site, "Petroleum Wholesale services more than 350 retail locations throughout ten states." This breach has the potential to affect many, many people.

According to investigators, the records included sales receipts with customers' names and full credit or debit card numbers with expiration dates.

The records also included returned checks, along with forms listing customers' names, banking routing numbers, driver's license and Social Security numbers.

The defendant is charged with violating the 2005 Identity Theft Enforcement and Protection Act, which requires the safeguarding and proper destruction of clients' sensitive personal information.

State law establishes penalties of up to $50,000 per violation of the Act.
[Evan] This could add up quick. What's a better business decision, a few hundred bucks for a cross-cut shredder and accompanying procedures, or fifty grand per incident? Although, I am not sure that a shredder and procedures are not all that is needed in Petroleum Wholesale's information security program (assuming one exists).

The OAG also charged the company with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information.

The law provides for civil penalties of up to $500 for each abandoned record.

For more information about preventing identity theft, contact the Office of the Attorney General at (800) 252-8011 or visit the agency's Web site at www.texasattorneygeneral.gov.

style="font-weight: bold;">Commentary:
One question that isn't clear from the news reports is whether or not this was a common practice at Petroleum Wholesale. Organizations should take heed of this case. I think actions taken by Mr. Abbott and other State Attorney Generals will only become more frequent.

I look forward to more information in the future about this case.

Past Breaches:
Unknown

Insurance claims and policy information in the dumpster

Wed, 18 Jun 2008 08:41:02 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
Texas Insurance Claims Services

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds of files"

Types of Data:
Insurance claims and policy paperwork including "names, social security numbers and policy numbers"

Breach Description:
Files containing sensitive confidential information were discovered in a dumpster in Richardson, Texas. The files are believed to have been thrown out by the owner of a company called Texas Insurance Claims Services.

Reference URL:
WFAA Channel 8 News

Report Credit:
Rebecca Lopez, WFAA-TV

Response:
From the online source cited above:

on Friday, hundreds of files with people's names, social security numbers and policy numbers were found in a Richardson dumpster

The files contain a lot of private information.

The people who filled out the forms probably never expected them to end up where anyone could simply walk away with them.
[Evan] There we go with expectations again. See my comments in the "Tucson area Domino's Pizza customer information exposed" breach.

You expect when you give your private information to an insurance company, it will stay that way.

Mike McCarty was driving by a dumpster near his work in Richardson. He saw a man taking pictures of trash inside, so he stopped.
[Evan] Taking pictures?

"[The man] said he was looking for empty boxes because he was going to move but he found a bunch of these files."
[Evan] But why was the man taking pictures? The story isn't clear on this point, so I wonder.

There were files with people's names, addresses, social security numbers and even pictures of their homes and cars.

The files were dumped here by a company called Texas Insurance Claims Services which processes people's claims.

We asked the owner why he threw them away. He wouldn't go on camera but said he was only required to keep the files five years and could then toss them.
[Evan] Oh, well then. Sounds like a good enough explanation to me... NOT! Where is the corporate and social responsibility?

The company says it sometimes uses commercial shredding services but decided not to do so this time.
[Evan] Let me see if I understand this correctly. The company obviously knows the importance of shredding confidential papers in general, otherwise they wouldn't "sometimes use commercial shredding services". What the @#$^ explains why the company chose not to use the shredding services in this instance?

Authorities say it's not unusual for criminals to dumpster dive to look for ways to get personnel information that they can use to illegally run up huge bills.
[Evan] This is very true. There are even people who organize and belong to dumpster diving clubs, not to imply that THESE people are "criminals", but only to point out that people DO dumpster dive.

The dumpster was full of files. Most of them were taken away by garbage collectors. We are shredding the few we took for our story.
[Evan] The files were taken away by garbage collectors? I wonder how much confidential information a person could find at the dump (landfill)?

Commentary:
It may just be the context of the owner's remarks, or it may just be me, but the owner seems to be oblivious to the risk of throwing confidential customer information out with the garbage.

Past Breaches:
Unknown

Employment records in a New Mexico dumpster

Thu, 05 Jun 2008 19:32:53 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
State of New Mexico

Contractor/Consultant/Branch:
Department of Workplace Solutions

Victims:
Employees and job applicants

Number Affected:
Unknown

Types of Data:
"employment records with names and Social Security numbers"

Breach Description:
"ROSWELL, N.M.—State documents with names and Social Security numbers were thrown into a trash bin behind the state Department of Workforce Solutions office in Roswell."

Reference URL:
The Associated Press via Las Cruces Sun-News
Roswell Daily Record
KRQE Channel 13 News

Report Credit:
Roswell Daily Record

Response:
From the online sources cited above:

Four boxes of manilla folders with documents containing names and social security numbers were mistakenly thrown into a trash bin Monday behind the New Mexico Department of Workforce Solutions office near Main and Bland streets.
[Evan] New Mexico does not currently have a data breach disclosure law on the books. The state is one of eleven that do not. The others are Alaska, South Dakota, Iowa, Missouri, Kentucky, West Virginia, Virginia, Mississippi, Alabama, and South Carolina.

Employees at Savedra's Tienda, a nearby business, contacted County Commissioner Dick Taylor and Magil Duran of the New Mexico Department of Workforce Solutions to help remove the documents from the bin.
[Evan] This is what a model citizen does. How many people are model citizens?

papers were flying out of the Dumpster they were inside.

Duran said the Roswell office of the Department of Workforce Solutions recently moved to a new location and a janitor inadvertently threw the documents in the bin on Monday.
[Evan] Not a good excuse.

"It was a misunderstanding," Duran said.

After arriving at the scene, Duran and Taylor sifted through the bins and retrieved the files.

Duran said he would shred the files immediately.
[Evan] The files should be inventoried and their destruction should be certified.

Taylor said the files looked like employment records with hours worked along with names and social security numbers printed on them.

"That's the bad thing," Taylor said. "They should have been shredded and not dumped in the trash. The state needs to be more careful with records like that."

"We do have a standard procedure," said Carrie Moritomo of the department. "We are currently reevaluating that and making sure all of our field staff offices are aware of what that policy is."
[Evan] A "standard procedure" ain't worth the paper it's written on if nobody knows about it or follows it.

Commentary:
I doubt that this is an isolated incident and I doubt that the agency has a sound information security strategy.

Past Breaches:
Unknown

Whats a Phlash?

Tue, 20 May 2008 15:49:00 +0000

So instead of taking over the computer, you just have it trash itself?
It would be messy for sure. No software to run.
Jeez.

clipped from www.darkreading.com

Permanent Denial-of-Service Attack Sabotages Hardware

Smith will demonstrate how network-enabled systems firmware is susceptible to a remote PDOS attack — which he calls “phlashing” — this week at the EUSecWest security conference in London. He’ll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.

The danger with embedded devices is that they are often forgotten. They don’t always get patched or audited, and they can contain application-level vulnerabilities, such as flaws in the remote management interface that leave the door open for an attacker, according to Smith. And remote firmware updates aren’t typically secured, but rather set up to occur by default.