Thursday, October 08, 2009

Another update. Perhaps we'll see coverage like we saw with SCO?

http://www.databreaches.net/?p=7758

Heartland Breach: Inside Look at the Plaintiffs’ Case

October 8, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Financial Sector

Two stories today take a look at the master complaint (pdf) filed last month in U.S. Southern District Court in Houston.

Linda McClasson of BankInfoSecurity.com provides a timeline and re-hash of the breach that incorporates allegations from the lawsuit, including statements made by Heartland before and after the breach and the statement made by Ellen Richey of Visa, while Evan Schuman of StorefrontBacktalk was intrigued by one incident described in the complaint:

“On the day after the data breach, Heartland conducted a webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. Upon information and belief, Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had “good cause” to leave her position at Heartland based, in part, on Heartland’s conduct.” That might prove quite significant or it could be an irrelevant red herring. Either way, it’s not the kind of detail we see very often.



It's no longer “Oi! Give me your password, mate!” But the concept is the same.

http://www.databreaches.net/?p=7753

Web mail scam propagates itself

October 7, 2009 by admin Filed under Breach Incidents, Business Sector

The BBC reports:

The industry-wide phishing scam that has affected popular web mail services such as Hotmail and GMail, is spreading, according to experts.

Security firm Websense says it has noticed a sharp rise in spam emails from Yahoo, Gmail and Hotmail accounts.

This is because infected accounts are sending personalised e-mails to contacts suggesting shopping sites, which are in fact fakes.

[...]

Peter Griffin found his Hotmail account had been compromised on Tuesday. He is currently unemployed and is worried that he has been sending spam to prospective employers.

“I checked my account yesterday and found more than ten e-mails with links [that] were sent from my Hotmail [account] to people from my contacts,” he told the BBC.

Despite changing his password, he “found an hour later they had sent another six e-mails”.

One security expert thinks victims of the scam could have been part of a so-called key-logging attack.

Amichai Shulman from security firm Imperva said the high numbers of victims suggested this type of attack.

Read more on The BBC.


(Related) What kind of idiot falls for a phishing scam?

http://www.pogowasright.org/?p=4436

Citing cybercrime, FBI director doesn’t bank online

October 8, 2009 by Dissent Filed under Breaches, Internet

Robert McMillan reports that FBI Director Robert Mueller stopped using online banking after nearly falling prey to a phishing scheme:

Though he stopped before handing over any sensitive information, the incident put an end to Mueller’s online banking.

“After changing our passwords, I tried to pass the incident off to my wife … as a teachable moment,” he said. “To which she deftly replied, ‘Well, it is not my teachable moment. However, it is our money. No more Internet banking for you.”

Mueller said he considers online banking “very safe” but that “just in my household, we don’t use it.”

Read more in Computerworld.


(Related) Knowing the cause/source makes re-securing your systems easier.

http://www.databreaches.net/?p=7744

Researcher refutes phishing account of hijacked Hotmail passwords

October 7, 2009 by admin Filed under Breach Incidents, Business Sector, Of Note

Gregg Keizer reports:

One researcher isn’t buying Microsoft’s and Google’s explanation that hijacked Hotmail and Gmail passwords were obtained in a massive phishing attack.

Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, said it’s more likely that the massive lists — which include approximately 30,000 credentials from Hotmail, Gmail, Yahoo Mail and other sources — were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.

Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.

That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. “From the organization [of that cache] and what the data looked like in raw form, I think it’s more likely that this latest was the result of keylogging or data theft, not phishing,” Landesman said.

Read more on Network World.



Probably not related... Note the organization and international connections. This isn't bored teenagers any more.

http://www.databreaches.net/?p=7748

Operation Phish Phry reels in 100 in U.S. and Egypt

October 7, 2009 by admin Filed under Breach Incidents, ID Theft, Malware, Non-U.S., Of Note, U.S.

The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks.

This morning, authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme.

… Operation Phish Phry commenced in 2007 when FBI agents, working with United States financial institutions, took proactive steps to identify and disrupt sophisticated criminal enterprises targeting the financial infrastructure in the United States.

… The 51-count indictment accuses all of the defendants of conspiracy to commit wire fraud and bank fraud. Various defendants are charged with bank fraud; aggravated identity theft; conspiracy to commit computer fraud, specifically unauthorized access to protected computers in connection with fraudulent bank transfers and domestic and international money laundering.

According to the indictment that was unsealed this morning, Egyptian-based hackers obtained bank account numbers and related personal identification information from an unknown number of bank customers through phishing—a technique that involves sending e-mail messages that appear to be official correspondence from banks or credit card vendors.

… Armed with the bank account information, members of the conspiracy hacked into accounts at two banks. Once they accessed the accounts, the individuals operating in Egypt communicated via text messages, telephone calls and Internet chat groups with co-conspirators in the United States. Through these communications, members of the criminal ring coordinated the illicit online transfer of funds from compromised accounts to newly created fraudulent accounts.

… A portion of the illegally obtained funds withdrawn were then transferred via wire services to the individuals operating in Egypt who had originally provided the bank account information obtained via phishing.

“The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed,” said Keith Bolcar, Acting Assistant Director In Charge of the FBI in Los Angeles. “Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft facilitated by the computer, including hacking, fraud and identity theft, with a common greed and shared willingness to victimize Americans.”
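The money flow the indictment describes (online transfer from a compromised account into a freshly opened account, then an outbound wire shortly after) is exactly the kind of pattern a bank's fraud team can screen for. The following is an added example, not code from the FBI, the indictment, or any bank: it runs a simple two-hop rule over a constructed set of account and transaction records. The thresholds (destination account younger than 30 days, wire within 72 hours) and the record layout are assumptions for illustration; real controls layer many more signals, such as login geolocation and device fingerprints.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed, simplified record layouts (not a real core-banking schema).
@dataclass
class Account:
    acct_id: str
    opened: datetime

@dataclass
class Txn:
    ts: datetime
    kind: str      # "transfer" = customer-initiated online transfer, "wire" = outbound wire
    src: str
    dst: str
    amount: float

def find_mule_chains(accounts, txns,
                     max_dest_age=timedelta(days=30),
                     max_wire_delay=timedelta(hours=72)):
    """Flag transfer -> wire chains matching the Phish Phry pattern.

    A chain is flagged when an online transfer lands in an account that was
    opened within max_dest_age of the transfer, and that account then sends
    an outbound wire within max_wire_delay. Returns a list of tuples:
    (victim_src, mule_dst, wire_dst, transfer_amount, wire_amount).
    """
    by_id = {a.acct_id: a for a in accounts}
    wires = [t for t in txns if t.kind == "wire"]
    flagged = []
    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind != "transfer":
            continue
        dest = by_id.get(t.dst)
        if dest is None or t.ts - dest.opened > max_dest_age:
            continue  # destination is unknown or well established: skip
        for w in wires:
            # Same account wires money out soon after the transfer arrives.
            if w.src == t.dst and t.ts <= w.ts <= t.ts + max_wire_delay:
                flagged.append((t.src, t.dst, w.dst, t.amount, w.amount))
                break
    return flagged

# Constructed sample data (not from any real case or bank).
SAMPLE_ACCOUNTS = [
    Account("victim-1", datetime(2004, 3, 1)),
    Account("victim-2", datetime(2006, 7, 15)),
    Account("mule-7",   datetime(2009, 9, 20)),   # opened days before the transfer
    Account("mule-8",   datetime(2009, 9, 22)),   # new, but never wires money out
    Account("old-5",    datetime(2005, 1, 10)),   # long-standing account
]

SAMPLE_TXNS = [
    Txn(datetime(2009, 9, 25, 10, 0), "transfer", "victim-1", "mule-7", 9500.0),
    Txn(datetime(2009, 9, 26, 14, 0), "wire",     "mule-7",   "remit-xfer-001", 9000.0),
    Txn(datetime(2009, 9, 25, 11, 0), "transfer", "victim-2", "old-5", 1200.0),
    Txn(datetime(2009, 9, 25, 15, 0), "wire",     "old-5",    "remit-xfer-002", 1000.0),
    Txn(datetime(2009, 9, 27,  9, 0), "transfer", "victim-1", "mule-8", 4000.0),
]

def demo():
    return find_mule_chains(SAMPLE_ACCOUNTS, SAMPLE_TXNS)

if __name__ == "__main__":
    for chain in demo():
        print("suspicious chain:", chain)
```

Only the victim-1 to mule-7 to wire chain is flagged: the transfer into old-5 is followed by a wire, but the account is years old, and mule-8 is new but never wires the money onward. Tune the two windows against real account-opening and wire-latency distributions before using a rule like this for anything beyond triage.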



Unlikely to ever make the Hacker Hall of Fame.

http://www.wired.com/threatlevel/2009/10/dinh/

Former Teen Stock Swindler Pleads to New Hacking Charges

By Kevin Poulsen October 7, 2009 2:53 pm

A former teenage hacker who once served prison time for an online stock-trading scheme pleaded guilty last week to new charges of cracking a New York-based currency exchange service and gifting himself more than $100,000.

On Sept. 29, Van T. Dinh, now 25, confessed to computer fraud and identity theft in federal court in Manhattan.

… The FBI traced the hacking to an IP address assigned to the home Dinh shares with his mother in Phoenixville, Pennsylvania, near Philadelphia.

… He’s being held without bail at the Metropolitan Correctional Center in New York as a “danger to the community by hacking activities,” among other reasons.



It's not the Terminator-ness, it's the Big Brother-ness...

http://it.slashdot.org/story/09/10/08/1327239/How-Dangerous-Could-a-Hacked-Robot-Possibly-Be?from=rss

How Dangerous Could a Hacked Robot Possibly Be?

Posted by CmdrTaco on Thursday October 08, @09:36AM from the i-for-one-welcome-DELETED dept.

alphadogg writes

"Researchers at the University of Washington think it's finally time to start paying some serious attention to the question of robot security. Not because they think robots are about to go all Terminator on us, but because the robots can already be used to spy on us and vandalize our homes. In a paper published Thursday the researchers took a close look at three test robots: the Erector Spykee, and WowWee's RoboSapien and Rovio. They found that security is pretty much an afterthought in the current crop of robotic devices. 'We were shocked at how easy it was to actually compromise some of these robots,' said Tadayoshi Kohno, a University of Washington assistant professor, who co-authored the paper."



Want to do some Privacy Research?

http://www.pogowasright.org/?p=4426

The Privacy Projects launches to fund ‘evidence-based’ privacy research

October 8, 2009 by Dissent Filed under Other

Mobile devices, cloud computing and global business partnerships enabled by the Internet and other network services have redrawn the map of the global flow of personal information.

Technology will continue to drive simple services built on these complex systems, pushing the balance between using and protecting personal data “to the breaking point,” according to Richard Purcell, President of The Privacy Projects (TPP), a non-profit research institute that launches today.

The Privacy Projects (www.theprivacyprojects.org) intends to fund academic research into “evidence-based” privacy to enhance policies, practices and tools necessary to meet the power of the new technologies. “We intend to support advances in the ways companies collect, store, use, share and manage customer information,” said Purcell. “We encourage the digital human represented by the data to be more respected and better protected.”

[...]

The new group’s first research paper, written by UC Berkeley Professor Paul M. Schwartz, focuses on how six global corporations control cross-border data flows to meet customer needs while complying with multiple, local regulation. TPP will present the paper at the upcoming workshop of the Organization of Economic Co-operation and Development in Paris. Additional research — four or five are planned each year, according to Purcell — will expand on the ways in which data policies, practices, and technology tools can evolve to meet the current needs of all players.

Read the entire press release here.



http://www.pogowasright.org/?p=4428

Lawsuit challenges California’s mandatory DNA collection at arrest

October 7, 2009 by Dissent Filed under Court, Legislation, Surveillance, U.S.

A lawsuit filed today by the ACLU of Northern California seeks to stop California’s policy of mandating that DNA is collected from anyone arrested for a felony, whether or not they are ever charged or convicted. The ACLU opposes this law because it violates constitutional guarantees of privacy and freedom from unreasonable search and seizure, and because of the harmful impact on communities of color.

… In March 2009, Lily Haskell attended a peace rally in San Francisco and was arrested. She was not charged with a crime and was quickly released, but not before being required to provide a DNA sample.

“When your DNA is taken after an arrest at a political demonstration, it can have a silencing effect on political action,” said Haskell “Now my genetic information is stored indefinitely in a government database, simply because I was exercising my right to speak out.”

People like Haskell who are innocent and were never even charged with a crime may seek to have their DNA sample expunged [Like an 'Opt out' clause... Bob] from the state database, but the process is cumbersome and requires a long wait until the statute of limitations to bring charges has run out–at least three years and, in some cases, much longer.

… “Automatically collecting DNA from people who are merely arrested ignores the presumption of innocence. It blurs the line between being suspected of a crime and being convicted,” said Peter C. Meier, attorney with Paul, Hastings, Janofsky & Walker LLP, which is litigating the case with ACLU-NC on a pro bono basis.

… The case (No. 09-04779) is filed in the United States District Court for the Northern District of California in San Francisco.

Related: Complaint in Haskell v. Brown (Oct. 7, 2009)



See? Practice does make perfect. Sony is getting quite good at this.

http://games.slashdot.org/story/09/10/07/1632257/Sony-Sued-Over-Bricked-PS3s?from=rss

Sony Sued Over Bricked PS3s

Posted by Soulskill on Wednesday October 07, @01:41PM from the sony's-pr-department-must-be-pleased dept.

Zarrot writes

"If Sony's recent 3.00 PS3 firmware update bricked your console, you may now have legal recourse thanks to a class action suit against Sony. The complaint alleges that thousands of users (PDF) were affected by the update, and in some cases the PS3 hardware itself was damaged. It continues, 'For owners who sustained hardware damage from the Sony-required update, Sony is charging a $150 repair fee per unit. Sony, responding to the numerous complaints about the unacceptable effects of the defective update, released a further, optional update that it claimed "improves system stability" — yet performance problems continued, and the new update did nothing to remedy the systems of users who sustained hardware damage.'"



Perhaps this logic will eventually be imported...

http://www.pogowasright.org/?p=4434

Creator of Winny file-sharing program found innocent in copyright violation case

October 8, 2009 by Dissent Filed under Court, Internet, Non-U.S.

The Asahi Shimbun reports an interesting court decision in Japan:

Setting a new guideline for criminal responsibility using new technology, the Osaka High Court ruled Thursday that the creator of the Winny peer-to-peer file-sharing program was not guilty of helping users violate copyrights.

Presiding Judge Masazo Ogura overturned a Kyoto District Court ruling, saying Isamu Kaneko, 39, was innocent because he did not promote illegal activities using the Winny software, even though he was aware of the risks of copyright violations.

Ogura also said the software “has various uses and the technology should be considered value neutral.” He concluded that the provision of a skill or technology alone does not constitute abetment.

Read more in Asahi Shimbun.



Okay, this one is silly, but it isn't unusual for businesses to expect employees to act “correctly.” Where is Emily Post when we need her?

http://idle.slashdot.org/story/09/10/07/2339247/Avatars-To-Have-Business-Dress-Codes-By-2013?from=rss

Avatars To Have Business Dress Codes By 2013

Posted by samzenpus on Thursday October 08, @01:25AM from the no-flaming-hair-at-pretend-work dept.

nk497 writes

"With businesses increasingly using digital tech like virtual worlds and Twitter, their staff will have to be given guidelines on how they 'dress' their avatars, according to analysts. 'As the use of virtual environments for business purposes grows, enterprises need to understand how employees are using avatars in ways that might affect the enterprise or the enterprise's reputation,' said James Lundy, managing vice president at Gartner, in a statement. 'We advise establishing codes of behavior that apply in any circumstance when an employee is acting as a company representative, whether in a real or virtual environment.'"



Even a warped perspective can be useful.

http://www.bespacific.com/mt/archives/022509.html

October 07, 2009

European Commission: The Future of the Internet and Europe's Digital Agenda

Viviane Reding, Member of the European Commission in charge of Information Society and Media, The Future of the Internet and Europe's Digital Agenda - Brussels, 6 October 2009

  • "In less than 10 years, [Everyone knows that Al Gore invented the Internet more than 10 years ago... Bob] the internet has grown from being a novel technical gadget application into becoming central to the economic systems of the developed world. This is because of its horizontal nature, it is everywhere, used throughout industry, economy and society whether for business or for leisure. It has driven more than half of the productivity gains in both the EU and the USA. It is the medium through which Information and Communication technologies can be exploited leading to innovation in business and a wide range of economic and societal benefits to citizens and consumers... One issue that is getting my full attention is the protection of privacy and of personal data in the online environment."



It's free, it's fully indexed, why aren't we doing something useful with it?

http://radar.oreilly.com/2009/10/questions-and-answers-about-th.html

Questions (and Answers!) About the Federal Register

by Carl Malamud

… As many of you saw, the Office of the Federal Register announced that source code for the Federal Register is now available in bulk—for free—and has been converted to XML. Ed Felten's shop at Princeton created a site called fedthread.org to see what you can do with the data and Public.Resource.Org helped the Government Printing Office in testing early stages of the XML work.



For the Surgical Technology students. Perhaps we could morph on the head of your favorite celebrity – “Today we will carve up Jay Leno's chin.”

http://science.slashdot.org/story/09/10/07/1554244/Virtual-Autopsy-On-a-Multi-Touch-Table-Surface?from=rss

Virtual Autopsy On a Multi-Touch Table Surface

Posted by Soulskill on Wednesday October 07, @12:17PM from the over-my-dead-body dept.

An anonymous reader writes

"Engadget points out one of the more interesting ways to use a multitouch table surface so far. Researchers at Norrkoping Visualization Centre and the Center for Medical Image Science and Visualization in Sweden have fitted such a device with stunning, volume-rendered visualizations of high-resolution MRI data. If you've ever wondered what the inside of a human being really looks like, but lacked the grit or credentials to watch an autopsy in the flesh, check it out."



This video should capture the attention of my Small Business students.

http://www.techcrunch.com/2009/10/07/everything-you-wanted-to-know-about-startup-building-but-were-afraid-to-ask/

Everything You Wanted To Know About Startup Building But Were Afraid To Ask

by Michael Arrington on October 7, 2009

… Last night I saw a 45 minute presentation by Mint CEO Aaron Patzer at a startup competition event called Juice Pitcher on the Microsoft campus. The event, which is put on by TheFunded and Vator.tv, put a handful of new startups on stage to show their stuff and compete for a top prize. Between pitches, Patzer took the stage and told the story of Mint, in detail. His company just sold for $170 million to Intuit.

Patzer takes the audience (and now you) from the beginning of Mint, and gives some incredibly useful advice. He talks about the early days of Mint, where he lived on $30,000/yr and hired engineers at just a little more salary by offering them significant equity. He also says that, as a rule of thumb, every engineer in a pre-revenue startup adds $500,000 in valuation. Every business guy lowers the valuation by $250,000, he half jokingly quipped. In its earliest days, Mint was burning $150,000/year, he says, for 2 founders and 1 engineer/contractor.



For my Disaster Recovery students.

http://www.bespacific.com/mt/archives/022510.html

October 07, 2009

Google Flu Trends expands to 16 additional countries

Official Google Blog: "If you're like us, you're probably thinking a lot about how this year's flu season might affect you and your community. To help you out, we at Google.org are excited to announce the expansion of Google Flu Trends to 16 additional countries, including much of Europe. We've also made the site available in 37 languages. Flu is a global threat, affecting millions worldwide each year, so we're pleased to make this tool available in more regions and languages."



Global Warming! Global Warming!

http://latimesblogs.latimes.com/outposts/2009/10/loveland-ski-area-becomes-first-resort-in-north-america-to-open.html

Loveland Ski Area is first in North America to open its slopes, resort says

October 7, 2009 3:01 pm

… Colorado Gov. Bill Ritter Jr. congratulated Loveland on its earliest opening in 40 years.


(Related)

http://www.9news.com/money/article.aspx?storyid=124578&catid=344

Season begins as skiers hit Loveland slopes

… the earliest opening day in the ski area's history.
