Mrs. Mecomber’s Scrapbook

I blogged about the grocery store, Hannaford’s, problem with security a few weeks ago. Hannaford’s is a huge grocery store chain here in the Northeast. I was affected by the data breach (as were most Northeasterners) and had to get new credit and bank cards. I am closely monitoring my statements, still.

To be more accurate, Hannaford’s security wasn’t the real issue; the finger of blame goes (once again) toward credit card companies. You can read more about it here.

But Hannaford’s is to be commended for their speedy response to this problem.

The supermarket chain Hannaford Bros. Co. has spent millions of dollars on additional security measures since last month’s revelation that hackers may have accessed up to 4.2 million credit and debit card numbers, it said yesterday.

The grocer, based in Scarborough, Maine, has stores in Massachusetts and several other states. It has started encrypting card numbers from the moment they are swiped at checkout counters. And it has tapped IBM to monitor security for its computer network around the clock.

But Hannaford’s top security executive said some other retailers are probably still vulnerable to similar attacks. “The latest threat wasn’t anticipated,” said chief information officer Bill Homa. “The bad guys are one step ahead.”

Hannaford told Massachusetts authorities it found unauthorized computer programs, called malware, on servers in more than 270 stores. When customers swiped their credit cards, the malware intercepted the data as it was transmitted from cash register to credit card processors.

The malware stored the data - card numbers and expiration dates - on store computers and later sent the information to offshore computers, where it could presumably be picked up by the thieves.

I am appalled– APPALLED– at the complete disregard bankers and companies, and the government, for that matter, have toward us and our data. It has gone too far and we really need to pressure these people to halt their data mining!

I have discovered that the President and CEO of Bluehost, my new and favorite web hosting company, has a blog! It’s Matt Heaton.com. I love it when CEOs have blogs. Blogs are extremely personal and allow you to interact with the higher folks up the food chain. He has some great insights to offer about his business. This recent post about identity theft is very good.

There is no incentive to fix security problems. In fact, there is TONS of money being made by these companies on all that fraud that is happening out there. Chargeback fees to companies doing the billing are getting higher and higher. As the fraud increases Visa and others simply increase the discount rate that merchants like us pay to interchange for processing to compensate. No problem right? Wrong, guess who pays? The consumer always pays in the higher prices that merchants are forced to pass on in ever increasing credit card fees.

I’m no high-falutin’ businesswoman, but I do have some interest in how businesses run. And some of his posts are extremely enlightening to consumers like me. Give it a read, you’ll find it very interesting and readable.

Plus, it’s very interesting to know that he was a missionary in Taiwan and now has five children! Cool!

I discovered another free program for kids. It’s a paint program called Tux Paint. It’s adorable. My 11-year old is probably too old for it now; I’d say kids ages 3 to 8 would really like it. It’s bright and it’s got big buttons. Very easy to use. And, it’s free! It’s a great way to introduce the world of graphic design to the little tot. It’s really an adorable little program. But don’t blame me of your little ones suddenly all want their own laptop computers!

As with “rap music” and “government intelligence,” I’ve discovered another oxymoron for ya: ATM security. Not! Watch this ‘expose’ and fasten your seatbelts. I never use ATMs anymore, and watch cashiers like a hawk when they take my card. And I always cover the numberpad when I punch in my PIN.

Watch this video. It’s a little lengthy, but a good one.

Beware of those ATMs, folks! Remember the good old days when theives were only interested in your designer jewelry? Now they want everything.

Hat tip Daily Tech Impressions.

This company just never ceases to amaze me. Next thing you know, they’ll have an online blood bank! I should be quite and not give them any ideas. But there is NO WAY I’d ever stick my finger in a drive to give blood to Google!

Anyway, this is the news that floored me: Google to Store Patients’ Health Records.

Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that’s likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader.

The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.

Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.

Google views its expansion into health records management as a logical extension because its search engine already processes millions of requests from people trying to find about more information about an injury, illness or recommended treatment.

This is really weird. I’m not the only one who thinks so, either.

What about you? Would you like Google to store your health records? Do you think they should first secure their AdSense coding so hackers can no longer hack into that? The whole thing about online health records is ridiculous. I love online and I love the convenience. But it is not a stable medium, especially for the storage and security of personal records. The Internet is not capable of doing it.

I noticed that YouTube was not online Sunday. Anyone else notice? I, for one, was shocked. Since YouTube is so enormous and probably the most website on the Net, I thought it must have been something really big to disrupt service. I read this morning that it was caused by Pakistan’s attempt to censor YouTube.

Most of the world’s Internet users lost access to YouTube for several hours Sunday after an attempt by Pakistan’s government to block access domestically affected other countries.

The outage highlighted yet another of the Internet’s vulnerabilities, coming less than a month after broken fiber-optic cables in the Mediterranean took Egypt off line and caused communications problems from the Middle East to India.

… An Internet expert likened the cause of the outage to ‘identity theft’ by a Pakistani telecommunications company, which accidentally started advertising itself as the fastest route to YouTube. But instead of serving up videos of skateboarding dogs, it sent the traffic into oblivion.

On Friday, the Pakistan Telecommunication Authority ordered 70 Internet service providers to block access to YouTube.com, because of anti-Islamic movies on the video-sharing site, which is owned by Google Inc.

The authority did not specify what the offensive material was, but a PTA official said the ban concerned a trailer for an upcoming film by Dutch lawmaker Geert Wilders, who has said he plans to release a movie portraying Islam as fascist and prone to inciting violence against women and homosexuals.

The block was intended to cover only Pakistan, but extended to about two-thirds of the global Internet population, starting at 1:47 p.m. EST Sunday, according to Renesys Corp., a Manchester, N.H., firm that keeps track of the pathways of the Internet for telecommunications companies and other clients.

… John Palfrey, executive director for the Berkman Center for Internet & Society at Harvard Law School, said that while all the facts in the case are not yet known, it appeared that the repercussions were due to Pakistan taking a relatively heavy-handed approach in trying to censor YouTube.

‘It points in many respects to the difficulty, if not the folly, in Internet filtering at the state level,’ he said.

Misrouting occurs every year or so among the world’s Internet carriers, usually as a result of typos or other errors, Underwood said. In a more severe example, a Turkish telecom provider in 2004 started advertising that it was the best route to all of the Internet, causing widespread outages for many Web sites over several hours.

‘Nobody ran any viruses or worms or malicious code. This is just the way the Internet works. And it’s not very secure or reliable,’ Underwood said, adding that there is no real solution to the problem on the table.

You can read more of the story here. This is a good example of how insecure the Internet really is.

This news story made me laugh.

STOCKHOLM, Sweden (AP) — Criminals were seconds away from robbing a bank by remote control when an alert employee literally pulled the plug on their brazen scam, Swedish investigators said Wednesday.

The would-be robbers had placed “advanced technical equipment” under the employee’s desk that allowed them to take control of his computer remotely, prosecutor Thomas Balter Nordenman said in a statement.

The employee discovered the device shortly after he realized his computer had started an operation to transfer “millions” from the bank into another account, Nordenman said.

“By pulling out the cable to the device, the employee managed to stop the intended transfer at the last second,” he said.

Talk about a low-tech way of foiling crooks! Hurray for this quick-thinking Swede! The bank is eerily quiet on how the “advanced technical equipment” was installed under the desk, or what kind of equipment it was. Hmm

Wanna know what really irks me? The latest public radio ads I keep hearing on TV. They are set to corny country music, trying to be humorous about something that is not humorous at all. In the ad, a guy sings a song, telling why he is now working at a cheap diner trying to scrape by– because he didn’t protect his identity and it was stolen… and he was robbed out of his skin. So, he works three lousy jobs trying to build his life back again.

Hardy har har! So funny! The ad ends with the government telling you how you really should protect your identity more.

Then I read stories like this one:

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can’t be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp.

Jones said there was “no indication of theft or anything of that sort,” and no evidence of fraudulent activity on the accounts involved.

Iron Mountain spokesman Dan O’Neill said it would take specialized skills for someone to glean the personal data from the tape. He said the company regretted losing the tape, “but because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes.”

Uhhh.. occasionally? When else have we been notified of these occasional mistakes? They are popping up left and right!

It irks me to no end to be hounded over “protecting” my “identity” when God-knows-who else has it and “loses” it; and without penalty, too. These companies should be driven out of business. Funny thing is, the companies’ names are one of the best kept secrets in the country!

Well, I’m ignoring my own technical problems with my stupid printer to let you know about some important developments in the computer world. One has to do with an important security breach on home routers. It’s important because more and more people are using routers to connect to the Internet via broadband or cable.

In this particular attack, an email is infected with malware. if you open the email, malicious code takes over.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router’s settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

If you have changed the default administration name and password (most routers use “admin”), you should be OK. But a lot of people never bother to change these things. Secure your network and Internet connection, people! Even in my small town, my wireless laptop has picked up multiple neighbors with no security. I could connect to their networks without a hitch! If the users had no firewall, I could even view their computer’s files or change them. This is awful! If you don’t know how to change your router’s settings, look in your manual, or do a search for your manufacturer online. Or find a geeky teen-aged relative to help you. Always secure your connection!

I flipped out when I read the latest in security news:

New mass hack strikes sites, confounds researchers; May be linked to November 2007 break-in at U.K. hosting firm

A massive hack of legitimate Web sites has been spreading malware to visitors’ PCs, using a new tactic that has made detection “extraordinarily difficult,” security experts said today.

According to the researcher who broke the news, the hack, which involves several hundred sites, may be related to a November 2007 break-in at Fasthosts Internet Ltd., a U.K.-based hosting service that in early December acknowledged that some clients’ log-in credentials had been pinched.

…Visitors to the compromised domains have been assaulted with multiple exploits, notably one for a vulnerability in Apple Inc.’s QuickTime media player that was patched only last month. Another exploit being served, said Landesman, is the “tried and true” attack against Windows 18-month-old MDAC flaw.

If successful, the client-side attack infects the PC with a variation of the Rbot Trojan, a backdoor also known as Zotob that has been active since the middle of 2005. There, too, however, users are at special risk. “Just three out of 33 antivirus vendors detected that [variation],” Landesman claimed.

This is insane. For one, companies have GOT to get control of their data. Two, why are the crooks always a step ahead of these “security” wizards?!

The story offers no help, no suggestions, no detection help, nothing.

I was aghast to discover a few months ago the policies of search engine companies. The SEOs hold on to your searches information for inordinate periods of time. I’d read recently about a new policy by Ask.com. They are hoping their new policy will give them the edge over the giants (and you know who they are).

Jumping on the privacy bandwagon, Ask is offering users the chance to take charge of what happens with their search history.

An AskEraser link will feature prominently on the Ask.com homepage and, when enabled by the user, will delete all future search queries and associated cookie information from its servers.

The information it destroys includes IP address, user ID and session ID along with the complete text of a query.

I could wish all SEOs did such. MSN and Yahoo save the information for 18+ months, although policies bounce up and down more than stock market numbers. And when the Bush Administration demands the numbers from AOL, MSN, and Yahoo, they obediently hand it over. AOL might even broadcast that information– oopsie!

Google holds on to the info forever. Well, they say they’ve changed that to be 18 months, but who believes them?

Here’s a great comparison chart by CNet, showing the policies of the SEOs.

Moral of the story: your searches are monitored, and may be used against you. Be clean with your searches and use a variety of search engines frequently.

Eventually all the information will be condensed anyway, but at least we’re stemming the tide.

The title is from an old Frank Zappa song, “I’m the Slime.”

You will obey me while I lead you
And eat the garbage that I feed you
Until the day that we don’t need you
Don’t go for help…no one will heed you
Your mind is totally controlled
It has been stuffed into my mold
And you will do as you are told
Until the rights to you are sold

There’s a newsstory at the Washington Post today. This is just over the top: FBI Prepares Vast Database of BioMetrics.

Digital images of faces, fingerprints and palm patterns are already flowing into FBI systems in a climate-controlled, secure basement here. Next month, the FBI intends to award a 10-year contract that would significantly expand the amount and kinds of biometric information it receives. And in the coming years, law enforcement authorities around the world will be able to rely on iris patterns, face-shape data, scars and perhaps even the unique ways people walk and talk, to solve crimes and identify criminals and terrorists. The FBI will also retain, upon request by employers, the fingerprints of employees who have undergone criminal background checks so the employers can be notified if employees have brushes with the law.

“It’s going to be an essential component of tracking,” said Barry Steinhardt, director of the Technology and Liberty Project of the American Civil Liberties Union. “It’s enabling the Always On Surveillance Society.”

If successful, the system planned by the FBI, called Next Generation Identification, will collect a wide variety of biometric information in one place for identification and forensic purposes.

What on earth ever happened to the Fourth Amendment in this country– the right to be secure in our persons and possessions?!

It’s a big blow to Hewlett-Packard/Compaq: A hacker named “porkythepig” published an online report of a bug and consequent hacks that can affect nearly every HP/Compaq laptop.

According to porkythepig’s post, the Software Update bugs let an attacker corrupt Windows’ kernel files, making the laptop unbootable, or with a little more effort, allow hacks that would result in a PC hijack or malware infection. In either case, a drive-by attack could be conducted by feeding users an e-mail message with a link to a malicious Web site.

“Every HP notebook machine containing the HP Software Updates application is vulnerable,” claimed porkythepig. “It is possible that the vulnerable machine model list disclosed by the vendor as a confirmation to the previous issue concerning HP laptops, [the] HP Info Center case, will be similar in this case.”

Here’s the painful part:

The researcher said he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a risk to any user with either Internet Explorer 6 (IE6) or IE7 on the PC. Nor will HP be able to use the down-and-dirty fix it deployed last week, said porkythepig. After he revealed several bugs in HP’s Info Center a week ago, HP issued an update that simply disabled the vulnerable software.

“Simple disabling of the vulnerable control by the vendor’s patch, like in the other HP software vulnerability case, HP Info, [could still] result in the machine['s] software update system [being] compromised, and would leave the user vulnerable to future security issues,” porkythepig said in the milw0rm.com write-up.

HP did not reply to e-mailed requests for confirmation and comment.

I keyed in on that it’s Internet Explorer that is the hub of the risk. Yeah, that Internet Explorer crapware– the browser that protects the right to show ads!

The worst thing HP can do is say nothing. Say something, even if it’s an “oops” or “we’ll look into this right away.”

I’ve always said to check for coupons and promo codes before you buy anything online. But always be wary of anything that comes in your email inbox. Apparently, criminals are at it again, this time with fake coupons. If you click the coupon, you are redirected to a phishing site. Your money, account information, or your identity can be stolen from you.

IBM is urging online shoppers not to click on links within e-mails that appear to come from an online retailer. Instead, open a new Web browser, go to the retailer’s site, navigate to special coupons or promotions and see if it’s there.

That’s excellent advice. Please take care of what you click on.