Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices
By Kim Zetter October 23, 2009 4:25 pm
Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have
Linksys routers had the highest percent of vulnerable devices found in the United States — 45 percent of 2,729 routers that were publicly accessible still had a default password in place. Polycom VoIP units came in second, with default passwords lingering on about 29 percent of 585 devices accessible over the internet.
Maybe we just do this for fun...
Spying on a stolen laptop
by Elinor Mills October 23, 2009 5:32 PM PDT
… Someone broke into the car of an employee working for an InertLogic customer and stole the laptop, which had work and personal information on it.
Months went by [too often the case Bob] before anyone realized that technology InertLogic uses to help manage equipment remotely was sitting on the laptop and could be flipped on to monitor it. The technology, from Kaseya, captures screenshots from remote machines and can be used to install keyloggers, as well as record audio and images from a Webcam.
Fleener relied only on the screenshots that were taken captured every 5 or 10 seconds to see what the user of the laptop was up to. Within a short time, he learned the name, address, and other sensitive information about the man using the laptop. (Fleener is careful not to accuse the individual of being the thief because there is no proof of that.) [Is that why the keylogger wasn't turned on? Bob]
The man visited Facebook, MySpace, and other social networks, according to Fleener. He used Google to search for auto parts and did queries on how to remove security tags from merchandise. He looked at porn and made pirate copies of DVDs, including "Harry Potter and the Half-Blood Prince." Every time the laptop went online, typically on weekend nights and never on Tuesday, Fleener and others got paged.
Benjamin Lavalley, a senior engineer at Kaseya, figured out that by looking at the nearby Wi-Fi access points and doing an online map search, they could try to find out the exact location of the laptop.
Interesting, but if Congress investigated every government entity that failed to do their job they'd have no time to do anything they like (like fund raising)
Privacy Coalition Seeks Investigation of DHS Chief Privacy Office
EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging them to investigate the Department of Homeland Security’s (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections.
The Coalition’s letter argues, in part:
The primary statutory duty of the Chief Privacy Officer is to assure “that the use of technologies sustain, and do not erode, privacy protections.”5 The CPO has not done so, focusing instead almost exclusively on the fourth statutory duty, conducting a “privacy impact assessment”6 on each Department action. The structure of the annual report reveals the Office’s confusion of these two duties, to the detriment of the former. The report notes that the Office “is divided into two major functional units: Privacy Compliance; and Departmental Disclosure and FOIA.”7 The report claims that the Compliance Group “manages statutory and policy-based responsibilities by working with each component and program throughout the Department to ensure that privacy considerations are addressed when implementing a program, technology, or policy.”8 This description should encompass the fulfillment of the statutory responsibility to prevent erosion of privacy. Yet the section of the annual report entitled “Compliance” barely discusses ways in which the Office has done so; it focuses almost entirely on the conducting of assessments.9 In fact, the “Privacy Compliance Process” graphic describes the process as containing Review, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), and if necessary, a System of Records Notice (SORN), followed by a repetition of the cycle after three years for programs still in force.10
Looks like the school is screwed, unless “dropping” the phone is the same as “using” the phone and at the same time creates “reasonable suspicion”
School had no right to read messages on student’s cell phone, family say
Eric Been reports:
Owensboro High School violated the Constitution by confiscating a student’s cell phone after it slipped from his pocket during class, and expelling him because of the text messages that school officials read on it, the student’s family claims in Federal Court.
The student, identified only as G.C., says his teacher confiscated his phone “pursuant to school policy,” on Sept. 2. The teacher, the principal and two assistant principals then performed a “warrantless and illegal search” by reading the text messages on the phone, the family says.
The family says G.C. was expelled “as a result of the warrantless and illegal search.”
Read more on Courthouse News.
Related: Lawsuit: G.C. III v. Owensboro Public Schools (pdf)
According to the district’s policies:
Student Search & Seizure
Although students have the right to freedom from unreasonable search and seizure, school officials have the right, under the law, to search students or their property when there is a reasonable suspicion they have something that violates school rules or endangers others.
Searches may include the student, his/her locker, desk, automobile, cell phone or other personal belongings. The Police Detection Canine Team may conduct random and unannounced searches of general school areas, including school lockers and parking lots.
A school official having reasonable suspicion that the student is in possession of a weapon may use a hand-held metal detector.
Possession of Telecommunication Devices Prohibited
Under state law (KRS 158.165), a student in the Owensboro Public School District may not activate a telecommunications device on school property or while at a school-related activity or school sponsored activity during the regular school hours unless he/she is acting in the capacity of a volunteer fire fighter or emergency medical service worker.
“Telecommunication devices” refers to devices that emit an audible signal, vibrates, displays a message, or otherwise summons or delivers a communication to the processor, including, but not limited to, a paging device and a cellular telephone. This offense will be treated as “refusal to follow directives” under the Code of Acceptable Behavior and Discipline.
Reference KRS 158.165
Consequences for Violation of the Policy
1st Offense – The school administrator will confiscate the telecommunication device. A required parent conference must take place before the telecommunication device is returned.
2nd Offense – Same as 1st offense with the option of in-house suspension for 4 days. The student loses the privilege to carry a device for the remainder of the year.
3rd Offense — Same as 2nd offense with the option of in-house suspension for 7 days.
4th Offense or more – Forfeit telecommunication device and suspend to a hearing with the DPP.
Long-term alternative placement
Beyond control charges filed
Cloudy with a chance of...
Box.net and Salesforce.com cloud-to-cloud integration
by Dave Rosenberg October 23, 2009 11:07 AM PDT
One of the less appealing aspects of using cloud services is integrating various applications--both those in the cloud and those in your enterprise in an easily manageable way. A practical use case is the ability to use one CRM (customer relationship management) system and a different file storage system, both in the cloud.
So, Friday when I saw that Box.net was directly integrating its cloud-based storage service with Salesforce.com, I saw the confluence of two major trends, cloud storage and integration appear all in one fell swoop.
… It sounds rather mundane, but it is the future of collaboration. Customers want to use best-of-breed solutions and be able to directly integrate with their applications of choice without being forced to use a third-party integrator.
(Related) The flip side?
Reporters' Roundtable: The Dangers of cloud computing
by Rafe Needleman October 23, 2009 5:06 PM PDT
This should make for some interesting discussion. My guess is that it will come down to a formula that guarantees a share of a pipe with diameter “X” to “Y” retail customers.
October 23, 2009
FCC Seeks Public Input on Draft Rules to Preserve the Free and Open Internet
News release: "In the next chapter of a longstanding effort to preserve the free and open Internet, the Federal Communications Commission is seeking public input on draft rules that would codify and supplement existing Internet openness principles. In addition to providing greater predictability for all stakeholders, the Notice is aimed at securing the many economic and social benefits that an open Internet has historically provided. It seeks to do so in a manner that will promote and protect the legitimate needs of consumers, broadband Internet access service providers, entrepreneurs, investors, and businesses of all sizes that make use of the Internet."
October 23, 2009
FCC Announces Release of Report on Barriers to Broadband Adoption by the Advanced Communications Law & Policy Institute
News release: "The Advanced Communications Law & Policy Institute (ACLP) at New York Law School has released a report identifying major barriers to broadband adoption among senior citizens and people with disabilities, and across the telemedicine, energy, education, and government sectors. This report was prepared in coordination with staff of the Omnibus Broadband Initiative (OBI) for use in the development of the FCC's National Broadband Plan."
Barriers to Broadband Adoption - A Report to the Federal Communications Commission. The Advanced Communications Law & Policy Institute, New York Law School. October 2009
Because no one expects the Spanish Inquisition (or an evil Bill Gates) Actually, what would a computer look for to identify a “fake” email from Bill?
Major Secure Email Products And Services Miss Spear-Phishing Attack
Experiment successfully slips fake LinkedIn invite from 'Bill Gates' into inboxes
Oct 22, 2009 | 01:17 PM By Kelly Jackson Higgins DarkReading
A spear-phishing experiment conducted during the past few days by a researcher has netted some disturbing results: Most major enterprise email products and services were unable to detect a fake LinkedIn invitation on behalf of "Bill Gates," which landed successfully in users' inboxes.
… "I tested [this on] six different enterprise networks using the latest email security technology from most of the major vendors, and not a single one picked up on the spoofed email," Perrymon says. He has written a white paper on the attack and plans to reveal the vendors in the test after he has contacted them and received their responses.
Perrymon says he tested 10 different combinations of email security appliances, services, and open-source and commercial products; four major client email products; and three major smartphone brands.
It might be amusing to compare this with the proprietary code leaked earlier this week.
Open Source Voting Software Concept Released
Posted by Soulskill on Friday October 23, @10:01PM from the one-for-you-and-two-for-me dept.
"Wired is reporting that the Open Source Digital Voting Foundation has announced the first release of Linux- and Ruby-based election management software. This software should compete in the same realm as Election Systems & Software, as well as Diebold/Premiere for use by County registrars. Mitch Kapor — founder of Lotus 1-2-3 — and Dean Logan, Registrar for Los Angeles County, and Debra Bowen, California Secretary of State, all took part in a formal announcement ceremony. The OSDV is working with multiple jurisdictions, activists, developers and other organizations to bring together 'the best and brightest in technology and policy' to create 'guidelines and specifications for high assurance digital voting services.' The announcement was made as part of the OSDV Trust the Vote project, where open source tools are to be used to create a certifiable and sustainable open source voting system."
Who says you can't make money blogging?
Create your own personalized money bill at the click of a mouse button
Tools & Techniques. Just because these are handy to have.
25+ Useful Linux and Unix Cheat Sheets
Posted on 23. Oct, 2009 by Mohamed Rias
For my Disaster Recovery class: Dilbert translates what I'm finding in class to the business world.
Always a surprise...
3 Free Microsoft Software Offerings You Might Not Know
Oct. 23rd, 2009 By Guy McDowell
[The one I find worth playing with is Microsoft Producer for PowerPoint Bob]
Microsoft Producer for PowerPoint
It works much like any basic movie editing software would, like Microsoft MovieMaker. So you can have music spanning several slides, and have a richer visual experience. This product is also ideal for creating stand-alone presentations that don’t require you to be there talking.