This past year has been a renaissance of sorts for search engine companies, with investors renewing their interest in the search industry and Google Inc., Yahoo Inc. and Microsoft Corp. leading the pack in a fast-paced race to win customers with souped-up search services. But there's a dark side to search sites, which can also give savvy Internet searchers and hackers an entree to mine sensitive data from documents stored on the Web.
Hacking into Google and other search engines isn't anything new, but recent data breaches and identity theft cases have highlighted the ease with which some thieves are able to get their hands on Social Security numbers and other sensitive information.
"All manner of personal data are left exposed in nooks and crannies of the Web by individuals, companies and government agencies. Would-be identity thieves can find such information using the search engines of Google Inc., Yahoo Inc. and other companies in a technique known as 'Google hacking,'" The Wall Street Journal reported in an article yesterday. "Security experts held a contest this month to show just how quick and effective Google hacking can be. During a technology security-industry meeting in Seattle, contestants using only Google for less than an hour turned up sensitive information -- potentially useful for financial fraud -- on about 25 million people. They dug up various combinations of people's names, dates of birth, Social Security numbers, and credit-card information, including some card numbers apparently left exposed by the U.S. Department of Justice."
More from the article: "Google hacking isn't new: Web sites and books are devoted to the method, which involves submitting targeted search queries with special commands to elicit sensitive information. But the technique's effectiveness provides an alarming illustration of how sloppy Web sites still are, a decade into the Web age and despite numerous warnings that companies and government agencies are leaving valuable information exposed," the article said.
So how easy is it to find Social Security numbers and other financial details on the Web? "It doesn't take computer scientists, or Ph.D.s or anything," Joshua Pennell, chief executive of Seattle-based technology security firm IOActive Inc., told the paper. "It would probably take somebody 30 to 40 minutes with a book on Google hacking to figure it out -- tops."
School House Hacking
While search engines are often used as tools to tap into data, another popular target for some hackers these days is centralized databases (the Atlanta-area ChoicePoint breach is a major example of this). Other popular targets include government databases and university records. UC Berkeley is the latest school to reveal hackers may have been able to get their hands on sensitive data. This follows a recent breach at another Northern California school, California State University at Chico.
At Berkeley, a "thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft," The Associated Press reported. The school reported the problem to comply with a California identity theft law, one of the few in the country (which might explain why we have mostly been hearing about breaches at California universities).
UC Berkeley posted information about the theft on its Web site, which the university said happened on March 11 when someone entered a restricted area of the school's graduate division that was "momentarily unoccupied" and swiped the computer. "At this time the campus has no evidence that personal data were actually retrieved or misused. However, in accordance with state law, UC Berkeley officials are making every reasonable effort to notify by mail and e-mail all 98,369 individuals whose names and Social Security numbers were on the computer and, as a precaution, suggest they consider placing a fraud alert on their credit reporting accounts," the university said on the site.
The San Jose Mercury News reported these additional details. (Note: If you have been a graduate student at Berkeley, you should be alarmed): The computer "contained personal information on graduate applicants from 2001 to 2004, graduate students enrolled from 1989-2003, and doctoral degree recipients dating from 1976. University officials estimate that in addition to the individuals' names and Social Security numbers, about one-third of the files contained birth dates, addresses or both. The UC system has required since the fall that such sensitive data on portable equipment be encrypted. But in this case, the information was downloaded onto a new laptop the day before it was stolen, and was scheduled for encryption the afternoon a thief walked off with it," university spokeswoman Maria Felde told the paper.
Universities are common targets and UC Berkeley has had other brushes with identity theft. "Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians," the AP said. "This is the second time in six months that UC Berkeley has been involved in a theft of personal information. Last September, a computer hacker gained access to UC Berkeley research being done for the state Department of Social Services. The files contained personal information of about 600,000 people. That security breach hasn't been linked to any cases of identity theft, Felde said. The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information."
The latest incident at Berkeley has led U.S. Sen. Dianne Feinstein (D-Calif.) to push for stronger identity theft laws. "The incident at Berkeley was the latest in a series of recent compromises of Social Security numbers or other personal financial information that could be used by identity thieves," Feinstein said in Riverside, Calif., Reuters reported. "It clearly demonstrates the need for a comprehensive approach to identity theft in order to give Americans more control over their personal information." From the article: "Congress is considering greater regulation of data brokers following a rash of break-ins and other data losses that have heightened concern about identity theft, a crime that costs consumers and business an estimated $50 billion annually."
The U.S. government is not alone in its attempts to thwart identity theft, or in seeing a rise in database hacking incidents. Meantime, some privacy advocates in the United Kingdom are concerned about legal access to sensitive health information of British citizens. "A new NHS computer database may threaten the privacy of patients' medical records, the BBC has learned. A senior Department of Health civil servant said people would not be able to decide what details were stored. Critics said this went against earlier government assurances that patients would be able to veto the information," The BBC said.
USA Today this week has a column about ways to safeguard your financial information from identity theft, including listings of credit agencies to contact for fraud alert.
eBay's Way
Some good news for eBay, which has had some bad PR as of late with eBay seller discontent over raised fees and tax confusion for some eBayers: The company so far is getting the upper hand in a patent volley filed by Great Falls, Va.-based MercExchange. In response to legal challenges by the company, "eBay had asked the U.S. Patent and Trademark Office to review the patents. The office said in an initial notice posted on its Web site that it may revoke one patent owned by MercExchange, which relates to the online sale of consigned goods. The move could be the first step toward revoking a 1995 patent that is central to a $29.5 million jury award won two years ago by MercExchange. The award later was reduced to $25 million," The Wall Street Journal reported.
Satellite Radio Wars
The Wall Street Journal has a front page piece today on how XM Satellite Radio and Sirius Satellite Radio are duking it out to come out ahead in the satellite radio wars, with rah-rah campaigns, star-power hires (Howard Stern for Sirius, namely) and other business moves. "When satellite radio launched, few thought consumers could be persuaded to pay for a service that was similar to what they already got free. But the services' high-quality programming and minimal commercial interruptions have been a strong lure. XM and Sirius have signed up more than four million subscribers who pay $12.95 a month. That's tiny compared with the total universe of 229 million radio listeners, as measured by the ratings service Arbitron Inc., but double the number of subscribers compared with a year ago. So far, XM is running ahead with 3.2 million subscribers to Sirius's 1.2 million, although Sirius is narrowing the gap. The companies say publicly there's room for two players but some analysts disagree. Both sides acknowledge, and downplay, the other's strengths," the paper said.
Match Point, File-Sharers
In day-after coverage of the Supreme Court's first look at the case pitting Hollywood studios against file-sharing companies Grokster and StreamCast, the peer-to-peer companies are coming out rosier than some might have expected, with the court showing initial concern that tech innovation could be in peril if new copyright-related legal restrictions are put in place.
From Linda Greenhouse at The New York Times, who wrote the justices were "surprisingly responsive on Tuesday to warnings from Grokster, the software maker that allows Internet users to share computer files on peer-to-peer networks, that a broad definition of copyright infringement could curtail innovation." However, Greenhouse said predicting the outcome of the case at this point was still "perilous." The Boston Globe noted: "Every member of the court except Justice Clarence Thomas took part in the discussion, asking pointed and sometimes humorous questions that demonstrated considerable knowledge of the Internet, file-swapping, and popular high-tech gadgets like Apple Computer's iPod music player. Intense questions were directed at all of the parties, giving few hints as to how the justices might rule."
The Associated Press said that even if the court rules in the entertainment industry's favor, stopping illegal file-sharing networks won't be an easy task (which begs the question of what the point of this suit really is). "Justices appeared divided on important issues during courtroom arguments. In a lively hourlong debate, the court openly worried that new lawsuits could stunt the next iPod. Justices also wondered aloud whether lawsuits against manufacturers might have discouraged past inventions like copying machines, videocassette recorders and MP3 music players — which consumers can use to make illegal copies of documents, movies and songs. Justice Antonin Scalia said a ruling for entertainment companies could mean that if 'I'm a new inventor, I'm going to get sued right away.' Scalia, 69, referred to the company as 'Grokster, whatever this outfit is called,'" the wire service reported.
The Chicago Tribune has its own take on the day's events, noting "the high-tech community contends a ruling against Grokster and StreamCast would have far more troubling consequences, by stifling the creativity of inventors and slowing the lightning-quick development of Internet-related technologies. The justices struggled during the argument with how to balance those competing interests. Several clearly were troubled by the entertainment industry's arguments and asked whether such an approach would have stifled other inventions such as the copy machine, videocassette recorder, iPod portable music player and even the Gutenberg press. The makers of the copy machine, for example, surely knew that some people would use their product to reproduce copyrighted materials, such as magazines and books, several justices suggested. 'You see the problem,' said Justice Stephen Breyer. 'In each of those instances, there could be vast numbers of infringing uses that are foreseeable.'" There's more coverage from the BBC News.
No Mac Bounty
A company that was trying to offer money for the creation of an Apple Computer virus targeted at the OS X operating system is changing its tune. DVForge, which was ponying up $25,000 "for the first virus that automatically spreads among Apple Computer computers running the OS X operating system cancelled the virus writing contest and retracted the offer of cash, citing concerns about legal liability. DVForge says that it will not offer cash for a Mac virus, after legal concerns were raised about the contest and in the wake of complaints from Apple security experts," IDG News Service reported.
The contest came in response to a Symantec report that Apple threats were growing, a report that many tagged as alarmist and PR-spinning from Symantec. Turns out, however, that Symantec has some security flaws of its own. "Symantec has reported glitches in its antivirus software that could allow hackers to launch denial-of-service attacks on computers running the applications," CNET's News.com reported.
Terrorists on the Net
Reuters has a frightening piece about how some terrorist groups are able to get gory pictures of beheadings and terrorist attacks on the Net, despite efforts to stop the online publishing of the events. Terrorists are able to use Web sites to host the images and the sites have become "a powerful propaganda and recruiting tool for militant groups. Despite being a target of the U.S.-led war on terrorism, they can quickly switch Web-hosting companies and authorities have found it difficult to close them."
Hurd on the Street
Mark Hurd, the newly tapped chief executive for Hewlett-Packard, plans to do what any newbie employee would do: learn the ropes at the new job. The ex-NCR leader doesn’t need a lot of media training. He already knows how to give non-answers to reporters. "When asked if he would consider layoffs, Hurd said, 'I have no pre-conceived notions about workforce reductions.' He added that he would work on the areas that need to be cost efficient," The San Jose Mercury News reported. The San Francisco Chronicle also gave Hurd's hiring some ink.
A Dart for Technology
Just when things are looking up for technology, here's a sign that tech spending isn't as brisk as it used to be: The IT trade show Comdex has been canceled for the second year in a row, TechWeb reported. Comdex organizers posted a rambling note about the show's delayed status, but indicated a Comdex could be held in November 2005 (that's apparently if the stars line up right).



