Friday, March 13, 2009

Boy! That'll teach 'em!

http://information-security-resources.com/2009/03/13/visa-puts-heartland-on-probation-over-breach/

Visa Puts Heartland on Probation Over Breach

March 13, 2009 (posted by ADMIN). By Anthony M. Freed, Information-Security-Resources.com Financial Editor

Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined.

Called to the carpet sort of, anyway; the sanctions and guidance laid out by Visa (V) seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from the soon-to-be-sidelined Citigroup and Bank of America, it is not surprising that they do not want to call too much attention to the situation:

… Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

[Interesting because Heartland WAS in compliance at their last audit. What would the impact be if they are still found to be in compliance? (Of course, they won't.) Bob]

… Also included in Visa’s belated response to the Heartland breach is a fine to be levied against the participating banks - most of whom rightly consider themselves to be victims of the breach as much as their customers are. [Huh? Bob]

… Another mystery contained in Visa’s announcement is the requirement that all fraud related to the Heartland breach has to be reported by May 19th.



Get sick or injured, lose your identity! Another “third party leak” and another long delay before disclosure.

http://www.databreaches.net/?p=2220

Chicago Fire Department contractor’s laptop stolen

March 12, 2009 by admin

The Dezonia Group handles billing people for the Chicago Fire Department’s ambulance service. Dana Koslov of CBS in Chicago reports that the contractor reported that an employee’s laptop stolen six weeks ago contained the names, addresses, and Social Security numbers of thousands of people who used the ambulance service in the past two years.



For your Security Manager. (Them Eastern European guys is smart!)

http://it.slashdot.org/article.pl?sid=09/03/13/0234213&from=rss

Romanians Find Cure For Conficker

Posted by timothy on Friday March 13, @02:11AM from the cheer-goes-up dept.

mask.of.sanity writes

"BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months. The worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting. The Romanian security vendor said its removal tool will delete all versions of Downadup and will not be detected by the virus."


Related. Perhaps not smart enough...

http://www.msnbc.msn.com/id/29633353/

Police in Romania detain 20 alleged hackers

TIMISOARA, Romania - Police in Romania on Wednesday detained 20 people suspected of cloning the Web sites of banks in other countries to deplete customers' bank accounts.

… In another case, police detained a person suspected of hacking into the servers of U.S. universities and government agencies, including NASA.



All politicians lie. All politicians break campaign promises. Neither Conservatives nor Liberals want anyone to know what they are doing until it is done (and they can blame the other guy for forcing such an evil compromise.)

http://news.cnet.com/8301-13578_3-10195547-38.html?part=rss&subj=news&tag=2547-1_3-0-5

Copyright treaty is classified for 'national security'

by Declan McCullagh March 12, 2009 5:45 PM PDT

Last September, the Bush administration defended the unusual secrecy over an anti-counterfeiting treaty being negotiated by the U.S. government, which some liberal groups worry could criminalize some peer-to-peer file sharing that infringes copyrights.

Now President Obama's White House has tightened the cloak of government secrecy still further, saying in a letter this week that a discussion draft of the Anti-Counterfeiting Trade Agreement and related materials are "classified in the interest of national security pursuant to Executive Order 12958."



Making data more available.

http://www.bespacific.com/mt/archives/020819.html

March 12, 2009

Searchable Version of Emergency Economic Stabilization Act of 2008

askSam: "This database contains a complete text of the American Recovery and Reinvestment Act of 2009 also known as the Stimulus Bill or Bailout Bill. It was formerly referred to as the Economic Stimulus Act. This database is fully searchable by division, title, section, and keyword. The American Recovery and Reinvestment Act of 2009 ("Stimulus Bill", Pub.L. 111-5, H.R. 1, S. 1) is an Act of Congress enacted by the 111th United States Congress and signed into law by President Barack Obama on February 17, 2009."



Making data less available. Strange how articles like this start discussions of economics among the commenters.

http://yro.slashdot.org/article.pl?sid=09/03/12/1846224&from=rss

Amazon Uses DMCA To Restrict Ebook Purchases

Posted by timothy on Thursday March 12, @03:24PM from the do-not-read-this-dept-line dept.

InlawBiker writes

"Today, Amazon invoked the DMCA to force removal of a python script and instructions from the mobileread web site. The script is used to identify the Kindle's internal ID number, which can be used to enable non-Amazon purchased books to work on the Kindle. '...this week we received a DMCA take-down notice from Amazon requesting the removal of the tool kindlepid.py and instructions for it. Although we never hosted this tool (contrary to their claim), nor believe that this tool is used to remove technological measures (contrary to their claim), we decided, due to the vagueness of the DMCA law and our intention to remain in good relation with Amazon, to voluntarily follow their request and remove links and detailed instructions related to it.' Ironically, the purpose of the script is to make the Kindle more useful to its users."



Vigilante users... What percentage of clicks would have to be bogus before the information value falls below that of un-analyzed data? Probably means this will have little effect.

http://yro.slashdot.org/article.pl?sid=09/03/12/2139258&from=rss

Adbusters Suggests Click Fraud As Protest

Posted by timothy on Thursday March 12, @05:53PM from the they-never-suggest-wine-pairings-do-they dept.

An anonymous reader writes

"In response to Google's recently announced plans to expand the tracking of users, the international anti-advertising magazine Adbusters proposes that we collectively embark on a civil disobedience campaign of intentional, automated 'click fraud' in order to undermine Google's advertising program in order to force Google to adopt a pro-privacy corporate policy. They have released a GreaseMonkey script that automatically clicks on all AdSense ads."



I can see the TV ads now: “So easy, even a frog can do it!”

http://linux.slashdot.org/article.pl?sid=09/03/12/1854224&from=rss

French Police Save Millions Switching To Ubuntu

Posted by timothy on Thursday March 12, @03:04PM from the justified-disdain dept.

Ynot_82 writes

"The French national police force, the Gendarmerie Nationale, has spoken about their migration away from the Windows platform to Linux. Estimated to have already saved the force 50 Million Euros, the migration is due to be completed on all 90,000 workstations by 2015. Of the move, Lt. Col. Guimard had this comment: 'Moving from Microsoft XP to Vista would not have brought us many advantages and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. Games are not our priority.'"

[From the article:

A report published by the European Commission's Open Source Observatory provides some details from a recent presentation given by Gendarmerie Lieutenant-Colonel Xavier Guimard, who says that the Gendarmerie has been able to reduce its annual IT budget by 70 percent without having to reduce its capabilities.]



For my Security and Forensics classes. (Comments include a tool to bypass keystroke loggers and a brief history of Tempest)

http://it.slashdot.org/article.pl?sid=09/03/12/2038213&from=rss

Researchers Sniff Keystrokes From Thin Air, Wires

Posted by timothy on Thursday March 12, @05:00PM from the making-a-tempest-of-them-themselves dept.

narramissic writes

"Two separate research teams have found that the electromagnetic radiation that is generated when a computer keyboard is tapped is actually pretty easy to capture and decode. Using an oscilloscope and an inexpensive wireless antenna, the Ecole Polytechnique team was able to pick up keystrokes from virtually any keyboard, including laptops — with 95 percent accuracy over a distance of up to 20 meters. Using similar techniques, Inverse Path researchers Andrea Barisani and Daniele Bianco picked out keyboard signals from keyboard ground cables. On PS/2 keyboards, 'the data cable is so close to the ground cable, the emanations from the data cable leak onto the ground cable, which acts as an antenna,' Barisani said. That ground wire passes through the PC and into the building's power wires, where the researchers can pick up the signals using a computer, an oscilloscope and about $500 worth of other equipment. Barisani and Bianco will present their findings at the CanSecWest hacking conference next week in Vancouver. The Ecole Polytechnique team has submitted their research for peer review and hopes to publish it very soon."



Another reason why I have both Computer and Business degrees and why my “Zap your competition” business makes the big bucks!

http://it.slashdot.org/article.pl?sid=09/03/12/2317239&from=rss

Cybercrime-As-a-Service Takes Off

Posted by timothy on Thursday March 12, @07:29PM from the no-need-for-subtlety dept.

pnorth writes

"Malware writers that sell toolkits online for as little as $400 will now configure and host the attacks as a service for another $50, according to email offers cited by security experts. A technical account manager at authentication firm Vasco said that cyber crime is becoming so business-like that online offerings of malicious code often include support and maintenance services. He said 'it was inevitable that services would be sold to people who bought the malware toolkits but didn't know how to configure them. Not only can you buy configuration as a service now, you can have the malware operated for you, too.'"


Related. A retail version of the Crime-as-a-Service model?

http://blog.wired.com/27bstroke6/2009/03/how-to-get-free.html

Android App Scans DVD Bar Codes, Starts BitTorrent Download

By David Kravets March 11, 2009 11:19:30 PM

Android application developer Alex Holmes is creating a simple and powerful new way to get your pirated videos: an application that uses your cellphone's built in camera to scan a DVD bar code, then starts the movie downloading onto your home computer. [Of course, real movie/music buffs will have them months before they are available in stores. Bob]



Interesting discussion. CTU uses Firefox by default, but I suspect a step-by-step guide for students (install VMWare, Ubuntu, plug-ins, players, viewers, etc.) would be useful.

http://ask.slashdot.org/article.pl?sid=09/03/12/2225258&from=rss

Windows Security and On-line Training Courses?

Posted by timothy on Thursday March 12, @06:40PM from the temporary-education-discount dept.

eggegick writes

"My wife has taken a number of college courses over the last three years and many of the classes used on-line materials rather than books. The problem was these required IE along with Java, Active X and/or various plug-ins (the names of which escape me), and occasionally I'd have to tweak our firewall to allow these apps to run. I don't think any of these training apps would work with Firefox. All of this made me cringe from a security point of view. Myself, I use Firefox, No-Script, our external firewall and common sense when using the web. I have a very old Windows 2000 machine that I keep up to date. To my knowledge, I've never had a virus or malware problem. Her computer is a relatively new XP machine, and at this point she feels her computer has something wrong. But now she prefers to use my old machine instead of hers since it seems to be more responsive. We plan to run the recovery disk on hers. Assuming the college course work applications were part of the cause, what recommendations do any of you have for running this kind of software? Is there a VMware solution that would work — that is, have a Windows image that is used temporarily for the course work and then discarded at the end of the semester (and how do you create such an image, and what does it cost?)."



The Internet has been around since the 60's, but the World Wide Web is just reaching the age where it can begin truly impacting productivity. (See http://hnn.us/roundup/entries/39689.html for example.)

http://news.cnet.com/8301-10787_3-10195512-60.html?part=rss&subj=news&tag=2547-1_3-0-5

It was 20 years ago today: The Web

by Charles Cooper March 13, 2009 12:01 AM PDT

Is it already 20 years since Tim Berners-Lee authored "Information Management: A proposal" and set the technology world on fire?



Probably, this type of software is in your future.

http://news.cnet.com/8301-17939_109-10193578-2.html?part=rss&subj=news&tag=2547-1_3-0-5

OfficeZilla: The next project management winner?

by Don Reisinger March 12, 2009 3:58 PM PDT

Online collaboration is one of the best uses of the Web, and project management is where it can really shine. I thought it would be worth taking a look at a product called OfficeZilla to see how well it stacks up against Basecamp and Teamwork, two established leaders in the online project management space. The results may surprise you.

Unlike Basecamp, OfficeZilla is free.



Liars! A search for Bach or Brubeck or Louis Armstrong returns zilch! Lots of good stuff though.

http://www.killerstartups.com/Video-Music-Photo/vastfm-com-stream-every-song-by-every-artist-for-free

VastFM.com - Stream Every Song By Every Artist For Free

http://www.vastfm.com/

VastFM allows you to stream every song by every artist, for free. Simply furnish the name of the artist to see his entire discography, and listen to any song you'd like. This solution uses open music directories and audio from YouTube videos to deliver every song you can think of. Links to concert tickets in your area for artists you might like are also provided.

The site claims to have the largest music directory on the Internet, and to have all your favorite unsigned artists. If you just look at the cloud of keywords on the opening screen you will see that is quite accurate – at a single glance I spotted Americana artists like Explosions In The Sky, representative figures from the 60s like Leonard Cohen and also bands like The Jam and Franz Ferdinand. Of course, hip hop artists and contemporary rockers like Kaiser Chiefs were prominently featured.

At the end of the day, the site is a true platform of discovery. You can find new music on the spot, and also listen to brand new albums to decide if you like them before parting with your cash.
