Thursday, August 07, 2008

Another serial-security-screwup?

http://www.pogowasright.org/article.php?story=200808061624391

Security breach at S&K Menswear website: The Real Deal

Wednesday, August 06 2008 @ 04:24 PM EDT Contributed by: PrivacyNews

Wednesday, we're learning of yet another breach, this time at S&K Menswear. Here's The Real Deal.

Steve Hurn bought some suits online from S&K Menswear about a year ago. He was happy with them, until he got a letter from the FBI.

“They said that there had been thousands of people who did business with S&K and that all their information had been compromised,” says Hurn.

Source - WSYR-TV

Related - S&K breach notification letter

Comment: this appears to be related to the same incident reported on PogoWasRight.org in December 2007.



Interesting in this context: Credit cards stolen in the US are shipped (emailed) to other countries where authorization is not immediate. Is this a case of the reverse? Or perhaps it indicates a “card swap” between gangs?

http://www.pogowasright.org/article.php?story=20080806194214228

ID thefts at England Air Force bases total $70G

Wednesday, August 06 2008 @ 07:42 PM EDT Contributed by: PrivacyNews

Thieves spent $650 on a shopping spree at Bloomingdale's in New York City and more than $1,100 at various Canadian businesses in just two cases of identity theft reported in the past month within Air Force communities in England.

Sixty-six victims reported losses totaling $37,917 at RAF Lakenheath from July 5 to Aug. 5.

Victims' bank accounts were hacked and duplicate debit cards were created to make purchases all over North America, from Canada to Mexico and throughout the States, according to statistics provided by Lakenheath's 48th Security Forces Squadron.

Approximately 150 identity theft incidents totaling about $70,000 were reported within the RAF Mildenhall and Lakenheath communities in the past month, according to Air Force investigators.

Source - Stars and Stripes



BreachBlog does a nice job of research, again.

http://breachblog.com/2008/08/06/127-ucla-medical-employees-implicated-in-privilege-abuse.aspx

127 UCLA Medical employees implicated in privilege abuse

Posted by Evan Francen at 8/6/2008 11:42 AM

Breach Description:

"LOS ANGELES (AP) — More than 120 workers at a Los Angeles hospital looked at celebrities' medical records and other personal information without permission between January 2004 and June 2006 — nearly double the number initially reported earlier this year, according to a state report."

Reference URL:

The Mercury News, USA Today, Los Angeles Times, AHN

... The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA.

[Evan] If the state had not audited the hospital, would these breaches have ever been noticed? I am not a big fan of government oversight or additional laws and regulations, but this breach may present a valid argument to support them. When an organization does not adequately protect sensitive information, the consequences sometimes end up costing us all more.



More detail on an earlier report.

http://www.pogowasright.org/article.php?story=20080806153516473

Malicious Botnet Stole Bank, Credit Union Credentials (updated)

Wednesday, August 06 2008 @ 03:35 PM EDT Contributed by: PrivacyNews

The researcher who first discovered a motherlode of stolen enterprise user names and passwords in June has found that nearly 9,000 of them are bank and credit-card account credentials from around the world that were grabbed by an old but crafty botnet. And it turns out the initial 50 gigabytes' worth of data that included 463,582 passwords on the crime server is only about one-fourth of the total number of accounts stolen by the so-called Coreflood botnet.

Source - Dark Reading

Update: GCN reports that the cache of stolen data contained user IDs and passwords for:

  • 8,485 bank accounts

  • 3,233 credit card accounts

  • 151,000 e-mail accounts

  • 58,391 social networking site accounts

  • 4,237 online retailer accounts

  • 416 stock trading accounts

  • 869 payment processor accounts

  • 413 mortgage accounts, and

  • 422 finance company accounts

[From the GCN article:

The Trojan apparently has been around since 2002, when it was being used for distributed denial of service attacks. It has since evolved to selling anonymity services and to full-fledged bank fraud.]



I'm glad I can have an impact on national security.

http://blog.wired.com/27bstroke6/2008/08/chertoff.html

Chertoff: I'm Listening to the Internet (Not in a Bad Way)

By Ryan Singel August 06, 2008 | 8:28:51 PM



Enjoy your trip to the Olympics... Hope they let you leave.

http://www.pogowasright.org/article.php?story=20080807074034284

Beijing Olympics Visitors To Come Under Widespread Surveillance

Thursday, August 07 2008 @ 07:40 AM EDT Contributed by: PrivacyNews

The government has installed about 300,000 cameras in Beijing and set up a network to spy on its citizens and foreigners.

Source - Hartford Courant



Fodder for the conspiracy theorists?

http://www.bespacific.com/mt/archives/018975.html

August 06, 2008

DOJ Releases Documents on the Anthrax Investigation

AP - US: Ivins solely responsible for anthrax attacks

Press release: "As the Department indicated last week and has been widely reported, substantial progress has been made in the Amerithrax investigation in recent years. As you know, this investigation into the worst act of bioterrorism in U.S. history has been one of the largest and most complex ever conducted by the FBI. The U.S. Postal Inspection Service has also made an extraordinary contribution to this investigation. Over the past seven years, hundreds of thousands of agent-hours have been dedicated to solving this crime.

Ordinarily, we do not publicly disclose evidence against a suspect who has not been charged, in part because of the presumption of innocence. But because of the extraordinary and justified public interest in this investigation, as well as the significant public attention resulting from the death of Dr. Bruce Edwards Ivins last week, today we are compelled to take the extraordinary step of providing first, the victims and their families, as well as Congress, and the American public with an overview of some recent developments as well as some of our conclusions.

Earlier today, several search warrant affidavits were unsealed in federal court in the District of Columbia. Among other things, these search warrants confirm that the government was investigating Dr. Ivins in connection with the attacks, which killed five individuals and injured 17 others in 2001. Dr. Ivins was a resident of Frederick, Maryland, and a long-time anthrax researcher who worked at the U.S. Army Medical Research Institute for Infectious Diseases, known as USAMRIID. Dr. Ivins died of an overdose on July 29, 2008, and, at the time of his death, was the sole suspect in the case."



“It is better to look secure than to be secure” This assumes TSA doesn't confiscate your laptop for copying. I now have reports of three laptop confiscation incidents on domestic flights.

http://tech.slashdot.org/article.pl?sid=08/08/06/1444226&from=rss

TSA To Allow Laptops In Approved Bags

Posted by CmdrTaco on Wednesday August 06, @11:21AM from the security-theater dept. Transportation Security

mnovotny writes

"TIME is reporting that TSA will be allowing laptops in approved bags through security checkpoints. 'The new rules, announced Tuesday and set to take effect Aug. 16, are intended to help streamline the X-ray inspection lines. To qualify as "checkpoint friendly," a bag must have a designated laptop-only section that unfolds to lie flat on the X-ray machine belt and contains no metal snaps, zippers or buckles and no pockets.'"

Don't you feel safer? I wish an independent 3rd-party group could get together and see what they could get through security without being arrested for the experiment. So little of what the TSA is doing is any more than illusion.


“It is better to look secure than to be secure” “We need this totally insecure system to protect your security!”

http://www.pogowasright.org/article.php?story=2008080616405895

Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed

Wednesday, August 06 2008 @ 04:40 PM EDT Contributed by: PrivacyNews

Opposition MPs accused the Government last night of being naive in believing that new microchipped passports would be foolproof against criminals involved in identity theft.

After The Times disclosed that new passports could be cloned and manipulated in minutes and would then be accepted as genuine, MPs also gave warning of serious implications for the security of the Government's £4.7 billion identity card scheme.

Source - Times Online

Related - ‘Fakeproof’ e-passport is cloned in minutes

Thanks to Brian Honan for the link.


“It is better to look secure than to be secure”

http://www.pogowasright.org/article.php?story=20080807054352521

Hacking electronic-toll systems

Thursday, August 07 2008 @ 05:43 AM EDT Contributed by: PrivacyNews

Electronic toll systems like FasTrak and E-ZPass may be convenient for drivers, but they are rife with privacy risks, a security expert said Wednesday at the Black Hat 2008 security conference.

... The transponder ID, which lacks encryption, could be wiped and switched with that of a device from a different car used in a crime, such as for alibi purposes, he said. [Sounds like a project for the Forensics Majors... Bob]

The e-toll systems also pose a risk in that a driver's movements could be tracked in real time, and e-toll operators have already been served with subpoenas seeking customer information, Lawson said.

Source - C|net


and one more “It is better to look secure than to be secure”

http://www.schneier.com/blog/archives/2008/08/hacking_mifare.html

August 7, 2008

Hacking Mifare Transport Cards

London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing.



The latest “We can, therefore we must” technology? What happens if you need rapid (eco-unfriendly) acceleration to avoid an accident and the car resists?

http://blog.wired.com/cars/2008/08/dont-meddle-wit.html

Nissan Puts the Meddle to the Pedal

By Keith Barry August 06, 2008 | 3:00:00 PM

... The ECO Pedal, for those of you who haven't already complained about it, is a device that causes a reactive force in the gas pedal when the car senses the driver is accelerating too rapidly for optimum fuel economy. In other words, if you push too hard, it pushes back.



Turn student papers into a file for your iPod? I think not! (Might be useful when writing – what does your speech/article sound like?)

http://www.killerstartups.com/Web-App-Tools/hearwho-com-turn-text-into-audio

HearWho.com - Turn Text Into Audio (mp3)

Hearwho.com is a website that allows you to turn up to 3000 characters of text into audio files. This could come in handy for college students who want to take less time to learn their lessons. Using the site is easy. Just copy the text into the text box, choose the voice you want to dictate the text, and click on Start Conversion.

... you can also take Spanish language texts and put them into sound. This could be a great tool for people learning Spanish to use for better understanding texts and things of that nature.

http://www.hearwho.com/



Your only option when your favorite sport is Synchronized Underwater Basket Weaving...

http://howto.wired.com/wiki/Watch_the_Olympics_Online

Watch the Olympics Online

With opening ceremonies kicking off Friday, August 8, we have compiled a list of online destinations for getting your fix of the summer sporting events.
