Ryerson University careless with sensitive student and employee data

It's one thing to leave sensitive documents out in the open, but to label them "shred" and "confidential" and then abandon the rooms is negligence beyond comprehension.
I wonder if a student or non-employee found these; otherwise I might not expect to hear public disclosure.

Story is at the Eyeopener Ryerson newspaper.

Ten enterprise security pitfalls, and how to avoid them

Ars Technica has posted a great article about some common security mistakes and assumptions tailored specifically for large enterprise entities. There is excellent information on how not to handle things, as well as some suggestions for ways to deploy projects in a more secure fashion. Great reading, and it doesn't get lost in too many technical details.

Are Breach Notification Laws Not Working?

Carnegie Mellon research raises the question, "Are breach laws only informing us that identity theft is occurring, or do the laws actually help reduce breaches?"

So far, identity theft doesn't appear to be decreasing. Is more legislation needed, or has the existing legislation simply not been around for long enough?

SecurityFocus has the scoop.


Copper Recycling vs National Security

When thieves steal copper from the wiring and plumbing in American homes, where does it go? How is this bad for the U.S. Defense department? Why isn't it being recycled domestically?

Answers via this article and this article.

Finjan finds illegal database with more than 8,700 stolen FTP credentials

This article should be a good reminder why we all need to change our passwords frequently, especially if running remote services. Full article can be found here.

A fresh discovery by security vendor Finjan provides yet another example of how easy it is becoming for almost anyone to find the tools needed to break into, infect, or steal data from corporate Web sites. The vendor announced Wednesday that it has uncovered an illegal database containing more than 8,700 stolen FTP server credentials including user name, password, and server addresses. Anyone can purchase those credentials and use them to launch malicious attacks against the compromised systems. The stolen credentials belong to companies from around the world and include more than 2,500 North American companies, some of whose Web sites are among the world’s top 100 domains, according to Finjan’s CTO. The FTP credentials would allow someone with malicious intent to break into and upload malware to a compromised server with a click or two, he said. “You could pick any server you wanted in the list, pay for it,” and launch an attack with very little effort. A trading interface on the server hosting the illegal database allows purchasers to buy FTP server credentials based on the country in which the servers are located, or even by the Google ranking of the Web sites, he said. It also appears designed to give criminals looking to resell FTP credentials a better basis for pricing the stolen data, he said.

References: 

Infoworld.com

Is there a HUGE undisclosed breach??

From the Consumerist blog, this article lays it all out:

Anecdotal evidence suggests that a recently reported data breach by an undisclosed "major retailer" has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. The problems seem to have started just around Christmas time and have continued into mid-January.

And here's an alarming report from a victim of the purported theft wave:

"Citibank contacted my husband and told him that they would be re-issuing him a new account number because a "major merchant" had notified authorities that its secure data had been compromised. They would not release the name of the merchant, instead saying that it was "the kind of thing we would probably hear about in the news," she writes.

Food for thought:

  • Is this nationwide or regional?
  • Is it a vendor or 3rd party processor breach?
  • Does this fall within legal definitions of breach disclosure?

WiFi Router Worm Threat Modeling

Joel Hruska of ArsTechnica writes, "Historically, the vast majority of trojans, worms, and viruses have targeted the (Windows) PC. Attack and propagation methods may have grown more sophisticated, but the PC has remained the focus of most malware. According to a paper written by a team of researchers at Indiana University, however, this could change in the future. According to the team's research (PDF), an attack that specifically targets wireless routers and spreads between them at any point where coverage overlaps could quickly and easily propagate throughout an entire city."

I read the research paper, and while it's heavy on theory/research, it doesn't have me convinced that this is a huge threat. What is the incentive for router hacking? DNS cache poisoning? And how does a router manage brute forcing against the others? Can platforms cross-hack? At least the fix of pushing the reset button is easier than reinstalling an OS.

Bigger Portable Storage Equals Easier Big Breaches?

Bruce Schneier's coverage of a recent Swedish Army "keychain breach" makes me wonder how much broader the scope of breaches from tiny storage devices may become.

I know I've seen how [relatively] small a simple database or text file can be; it's not hard to imagine several hundred thousand sensitive records being contained on a small portable storage device. Even email now has capacity to move giant files around, not to mention all the specialized "movers" like Sendspace, yousendit, rapidshare, etc.

Storage bargains seem to keep getting better, but when we all eventually have 100TB drives, how well will we manage, organize, and keep track of all that juicy data, especially on portable devices?

The Growing Malware Economy

Says Raimund Genes, CTO of Trend Micro, "You wonder why anyone still bothers burgling houses when this is so much easier." "This is a completely standard commercial business, the spammers even have their own trade associations."

Study: Cost Per Compromised Record Rises to Almost $200

A new study shows the cost of a company breach, per record, has increased $15 from a year ago, bringing the new total to $197. Also increasing is the number of customers who no longer do business with a company after a breach, with that number rising to 2.7%, and the cost of a breach involving a third party, with that per record cost rising $60 to $231.
