Saturday, December 20, 2008

“We don't need no stinking security!” Version 473B

http://www.pogowasright.org/article.php?story=20081219231740472

UNCSA tells its students to monitor credit

Friday, December 19 2008 @ 11:17 PM EST Contributed by: PrivacyNews

Officials at the UNC School of the Arts say they are notifying current and former students that their names and Social Security numbers "may have been accidentally exposed" in a security breach involving a university computer server.

The server in question went online in July 2003. The security breach occurred in May of 2006 and affected about 2,700 students who were enrolled between 2003 and 2006.

Source - Winston-Salem Journal

[From the article:

"We have no reason to believe that the personal information was stolen, used inappropriately or even accessed," Lisa Smith, the chief information officer at UNCSA, said in a statement. [Translation: “We don't log activity on the server, so we have no idea what the hacker did.” Bob]

School officials say they became aware of the breach last week. [Reviewing 2½-year-old files? Bob] They say they are still trying to determine its cause.



Another exercise in PR?

http://www.pogowasright.org/article.php?story=20081220005525459

Hacker strikes LCCC system

Saturday, December 20 2008 @ 12:55 AM EST Contributed by: PrivacyNews

A sophisticated [Translation: “He got by our security, he must be smarter than we are.” Bob] computer hacker was able to breach the security system of two Lorain County Community College servers in an attack during the Thanksgiving holiday break.

It is believed that the hacker was not attempting to steal [See below Bob] information or identities, but rather to pirate available server space, said Marcia Ballinger, vice president of strategic and institutional development. The attack did not disrupt the college’s operations.

Still, the breach is being investigated by forensic experts and the FBI.

One of the servers contained the records of approximately 22,000 students, community users, and employees and their Social Security numbers. That server hosted the college’s library card system.

Source - The Chronicle-Telegram

[From the article:

When the breach occurred, LCCC’s system detected the downloading of application files [Translation: “We logged what was being stolen.” Bob] and a virus alert was initiated. [Not sure from the information in the article why a virus alert would be triggered. Bob] The College’s Information Systems and Services staff immediately shut down the servers and blocked access, Ballinger said. [“By immediately, we mean sometime the following week. If it was truly immediately, nothing would have been downloaded.” Bob]

... LCCC has not experienced any hacking or cyber attack incidents in the past. [Translation: “We haven't detected any...” Bob]



Local update – still no facts!

http://www.pogowasright.org/article.php?story=20081220010134822

Longmont Credit Fraud Part of Larger Scheme (update)

Saturday, December 20 2008 @ 01:01 AM EST Contributed by: PrivacyNews

Longmont Police believe they are closer to solving a credit card-identity theft scam that had targeted at least 150 people in Longmont, many of them customers of one Asian restaurant.

Longmont Det. Sgt. Jeffrey Satur said Friday that the identity theft was connected to a far more extensive fraud operation with tentacles in several western states.

... The Longmont investigation had focused on the East Moon Asian Bistro, located in the 2100 block of North Main Street. No arrests have been made, and Satur said management has cooperated in the probe. It is believed that whatever employee or employees might have been involved were doing so unbeknownst to restaurant management - but in coordination with suspects out of state.

Source - MyFOX Colorado

[From the article:

"There seems to be a lot of organization between how the cards were collected, how they were cloned and then who is using them at other locations," said Satur. "And we know it's not just one person, so there appears to be an organized effort to pull off this scam." [“That's amazing, Mr. Holmes!” Bob]



Security ain't easy!

http://www.pogowasright.org/article.php?story=20081220072109464

American Express bitten by XSS bugs (again)

Saturday, December 20 2008 @ 07:21 AM EST Contributed by: PrivacyNews

The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem.

Source - The Register



As cell phones (slash PDA slash GPS slash Browsers) become more sophisticated, won't this become more likely for individuals, not just corporations?

http://tech.slashdot.org/article.pl?sid=08%2F12%2F19%2F1620253&from=rss

Hacked Business Owner Stuck With $52k Phone Bill

Posted by ScuttleMonkey on Friday December 19, @02:19PM from the build-a-better-mousetrap dept. Communications Security

ubercam writes

"A Canadian businessman is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they couldn't even manage to secure their own system, which doesn't bode well for their customers."

This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.



Here's an interesting area for a Security research paper. Start with what we tell individuals to do and then scale it up and start analyzing the conflicting goals... Would an online retailer (eBay, Amazon) be as willing to cut their Internet connection as the local bakery?

http://news.cnet.com/8301-13578_3-10127134-38.html?part=rss&subj=news&tag=2547-1_3-0-5

After six years, Homeland Security still without 'cybercrisis' plan

Posted by Declan McCullagh December 19, 2008 10:39 AM PST

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.



More on the “new RIAA.” (Based on the details they provide, how could an ISP ensure the file was infringing?)

http://www.pogowasright.org/article.php?story=200812191056581

Copy of RIAA's new enforcement notice to ISPs

Friday, December 19 2008 @ 10:56 AM EST Contributed by: PrivacyNews

The recording industry dropped some big news Friday, announcing that it will no longer take a broad approach to litigating against alleged file sharers. The Recording Industry Association of America has enlisted the help of internet service providers to act as a sentry and help discourage customers from pirating music.

Below is a copy of the form letter the RIAA will send to ISPs to inform them one of their customers is accused of file sharing. The notification is similar to those the group has sent to college campuses for years and shows very clearly that the group retains the right to sue people for copyright violations.

Source - Cnet



It would not be good for the State to allow its citizens to know how sneaky their politicians are.

http://politics.slashdot.org/article.pl?sid=08%2F12%2F20%2F0647226&from=rss

Court Allows Arkansas To Hide Wikipedia Edits

Posted by Soulskill on Saturday December 20, @08:15AM from the change-we-don't-believe-in dept. Government The Courts The Media Politics

rheotaxis writes

"A circuit judge in Arkansas will not order the state to reveal where its computers were used to edit Wikipedia articles about former governor Mike Huckabee while he was running for President. Two Associated Press journalists used WikiScanner to track the edits to IP addresses used by the state. Writer Jon Gambrell and News Editor Kelly P. Kissel filed a suit in October 2007 asking the state to reveal which state offices used the IP addresses, because state rules don't allow using computer resources for political purposes. The director of the Arkansas Department of Information Systems, Claire Bailey, claimed in court that releasing this information would allow hackers to target these state offices." [We already know the IP address, we just want to know who is breaking the law. Bob]



Spin politician, spin!

http://interviews.slashdot.org/article.pl?sid=08%2F12%2F19%2F1448238&from=rss

CSIS Cybersecurity Commission Chairman Jim Langevin Answers Your Questions

Posted by Roblimo on Friday December 19, @11:44AM from the yet-another-chapter-in-the-continuing-U.S.-government-cybersecurity-saga dept.

Last week we solicited questions for US Representative Jim Langevin (D-RI), one of the chairs of the CSIS Cybersecurity Commission. Here are his answers — along with contact information for him if you want to continue the conversation.



Some of us never bought the explanation of the first cuts. Read the comments for some of the “improbable” bits.

http://tech.slashdot.org/article.pl?sid=08%2F12%2F19%2F1932219&from=rss

Mediterranean Undersea Cables Cut, Again

Posted by ScuttleMonkey on Friday December 19, @03:11PM from the cut-me-twice-shame-on-you dept. Communications The Internet

miller60 writes

"Three undersea cables in the Mediterranean Sea have failed within minutes of each other in an incident that is eerily similar to a series of cable cuts in the region in early 2008. The cable cuts are already causing serious service problems in the Middle East and Asia. See coverage at the Internet Storm Center, Data Center Knowledge and Bloomberg. The February 2008 cable cuts triggered rampant speculation about sabotage, but were later attributed to ships that dropped anchor in the wrong place."



Mark my words! This is a serious mistake. They specify that the loan is secured by “unencumbered assets.” If they had 4 or 13 billion in unencumbered assets, would they need a loan? Perhaps all those lawyers in Congress never took a class in Bankruptcy.

At 14 or 15 pages, it is apparently far easier (paperwork wise) to borrow billions than it is to get a home mortgage.

http://www.bespacific.com/mt/archives/020109.html

December 18, 2008

Bush Administration's Plan to Assist Automakers

Follow up to previous postings on auto industry, today's White House press release: "...the only way to avoid a collapse of the U.S. auto industry is for the executive branch to step in. The American people want the auto companies to succeed, and so do I. So today, I'm announcing that the federal government will grant loans to auto companies under conditions similar to those Congress considered last week...These loans will provide help in two ways. First, they will give automakers three months to put in place plans to restructure into viable companies -- which we believe they are capable of doing. Second, if restructuring cannot be accomplished outside of bankruptcy, the loans will provide time for companies to make the legal and financial preparations necessary for an orderly Chapter 11 process that offers a better prospect of long-term success -- and gives consumers confidence that they can continue to buy American cars."

Treasury Releases Term Sheet for Automotive Plan: Washington - The U.S. Treasury Department today released the term sheet and appendices for the Administration's plan for stabilizing the automotive industry.



Global Warming! Global Warming!

http://blog.wired.com/wiredscience/2008/12/waveheight.html

Surfers, Rejoice: Some Extreme Waves Getting Bigger

By Alexis Madrigal December 19, 2008 5:34:23 PM

SAN FRANCISCO — The largest waves in the Pacific Northwest are getting higher by seven centimeters a year, posing an increasing threat to property close to the shore. And the strange part is: Scientists aren't sure why. [It's that last bit that makes me certain it is connected to Global Warming. Bob]

Oregon State researchers found that the danger to property from these larger extreme waves will outweigh the impacts of rising sea levels caused by global warming over the next several decades.



For the Computer Forensics class. Want to give someone a heart attack? Send your co-workers a lay-off notice! Foreclose on loans! Tell someone they are being sued! What fun! (There is even a “do it yourself” tutorial!)

http://www.killerstartups.com/Comm/deadfake-com-sending-anonymous-e-mails

Deadfake.com - Sending Anonymous E-mails

http://www.deadfake.com

If for any reason you have to send an e-mail communication in an anonymous manner, this application is going to suit you just fine. To make things more interesting, you can not only send anonymous messages through the site, but also send e-mails and make them appear as if they came from another person.

This process is implemented in a very easy way too, and that is a definitive bonus. You don’t need to sign up or login in order to use it, and there are no fees of any kind to be paid.

[From the site FAQ:

Update: Due to some naughty people, I've now added a footer at the bottom of each message specifying that the message was actually a prank. Sorry.



A Computer Forensic tool leaves the Internet!

http://news.cnet.com/8301-13580_3-10127350-39.html?part=rss&subj=news&tag=2547-1_3-0-5

FixMyMovie forsakes the cloud for PC software

Posted by Stephen Shankland December 19, 2008 1:18 PM PST

FixMyMovie, an online service that let people improve the quality of their videos, is going offline.

"We're shutting down FixMyMovie.com on December 31, 2008. In its place, we're launching a new Windows desktop application, code-named Carmel, which will be released in the first quarter of 2009," said MotionDSP, which runs the site, in an e-mail to site members Friday.

... MotionDSP has been funded by In-Q-Tel, the Central Intelligence Agency's venture investment arm, which is interested in technology that can extract more information from photos and videos.



Because my students have the next two weeks off...

www.sockandawe.com

http://www.kroma.no/2008/bushgame/
