Group items tagged

A defunct payment gateway has exposed as many as 19,000 credit card numbers, including up to 60 Australian numbers. The discovery by a local IT industry worker was made by mistake and appears to be caused by a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone. The cached data, viewed by iTnews, includes 22,000 credit card numbers, including CVVs, expiry dates, names and addresses. Up to 19,000 of these numbers could be active. Most are customers in the US and Britain although some are Australian. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of companies, including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing.

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks which he says could have been construed as criminal, he says. Working within the University of Washington Network, Dittrich says he "copied files from one host in Canada that was caching malicious software and logs of compromised hosts," allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.

Maintaining privacy is on many people's minds these days, but sometimes that's the last thing they do. Allegations last week that two British tabloids, The Sun and The News of the World, had employed high-technology snoops to listen in on the mobile phone messages of public figures highlighted fears of what can happen when digital data fall into dubious hands. The reports came only days after another privacy debacle, this one self-inflicted. Photos and family information about Sir John Sawers, soon to be Britain's chief spy, appeared in another newspaper, The Mail on Sunday, after his wife posted them on Facebook. While attitudes toward privacy can appear paradoxical, the seeming contradiction is really about something else: control. When people bare their bodies on Facebook or their souls in the digital confessional of Google's search engine, they feel as if they are in charge. Not so, when the private embarrassments come to light unexpectedly.

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee