Friday, May 28, 2010

What did they learn from their breach? That there is a market for security!

http://www.thetechherald.com/article.php/201021/5663/Heartland-offers-end-to-end-encryption-to-customers

Heartland offers end-to-end encryption to customers

by Steve Ragan - May 27 2010, 19:40

The E3 card terminal that Heartland announced this week will offer end-to-end encryption of the card data. Merchants that use it will have peace of mind that the data is useless to criminals if captured, the company said. However, E3 isn’t a free offer to any of their 250,000 plus customers, or those who might want in on the action down the line.

… Ahmad told us that the top three benefits for Heartland customers using E3 include the fact that no cardholder data is present in the merchant’s systems. In addition, there are minimal, if any disruptions to the merchant during day-to-day operations. Finally, there is the warranty from Heartland, which pays the merchant the amount of compliance fines, fees, or assessments in the event of a breach that can be linked to a direct failure of E3.



Things that make you say, “Oops!”

http://www.databreaches.net/?p=11917

UK: 1000 data breaches reported to the ICO

May 28, 2010 by admin

The Information Commissioner’s Office issued a press release and summary analysis of breaches:

With the number of breaches involving people’s personal information reported to the Information Commissioner’s Office (ICO) reaching 1000, the privacy watchdog is urging organisations to minimise the risk of mistakes. Staff need simple procedures on how to handle personal information with appropriate training to ensure the importance of personal information is fully understood.

The entire press release can be found here.

The government’s analysis of the 1007 breaches indicates that stolen data or stolen hardware accounted for the most common cause of breaches, with 307 breaches of this kind. Of those 307 thefts, 116 were reported by the NHS. The second most common source of reported breaches was disclosure errors (254), followed closely by lost data or lost hardware (233).

Comparing sectors, NHS (their public healthcare sector) accounted for 305 breaches, followed closely by the private sector (288 breaches).

[Image: ICO breach table]



I thought this might get messy. How dare Google actually look at publicly available, broadcast data! That's as rude as looking at the front of my house! The scum!

http://www.pogowasright.org/?p=10643

Oregon Judge Slaps Google With Restraining Order Over Private Wifi Data

May 27, 2010 by Dissent

Nick Saint reports:

An Oregon judge has issued a restraining order forbidding Google from destroying data the company accidentally recorded from private wifi networks with its Street View cars.

Google had announced its intention to consult with privacy advocates and governments about the best way to dispose of the data. Residents of Oregon and Washington filed a class action suit over privacy violations, and requested a restraining order to ensure the data could be used as evidence.

Read more on Business Insider and expect updates on this one.



Would P.T. Barnum's “This way to the egress” be considered adequate labeling?

http://www.pogowasright.org/?p=10640

UK: Viewing a website is a ‘transactional decision’, says OFT’s behavioural ad study

May 27, 2010 by Dissent

Struan Robertson writes:

OPINION: The OFT has endorsed the UK ad industry’s self-regulation of behavioural advertising. But its conclusion was based in part on a curious reading of consumer protection regulations, coupled with research that departs from similar studies.

The Office of Fair Trading is the Government’s consumer and competition authority. That it sees no need for Government regulation in behavioural advertising is great news for online publishers and advertisers. In my view, that is good for consumers too, because it helps to keep content free.

The biggest change demanded in the report is that ads selected according to someone’s browsing behaviour should be labelled. That’s a sensible step, and one that UK trade body the Internet Advertising Bureau (IAB) was taking already.

What surprised me more was another, less significant feature of the report: the OFT says that viewing a website is a transactional decision for the purposes of the Consumer Protection (Unfair Trading) Regulations, known as the CPRs.

Read more on Out-Law.com

[From Out-Law:

The report says:

"The OFT interprets transactional decision widely and believes it encompasses, for example, the decision to view a website. So not informing a consumer about the collection of information about their browsing behaviour could breach the CPRs if that knowledge would have altered their behaviour, perhaps by dissuading them from visiting that website."

The OFT is not just saying that it's worried about information or a lack of information influencing a decision to buy something on a website; it's talking about it influencing a decision just to visit a site, whether the site sells things or not.



Who'd a thunk it!

http://news.yahoo.com/s/ap/20100527/ap_on_hi_te/us_tec_online_reputation;_ylt=AoqatztyPnbiRKWbdbBlDteyBhIF;_ylu=X3oDMTJwc3ZkcXBjBGFzc2V0A2FwLzIwMTAwNTI3L3VzX3RlY19vbmxpbmVfcmVwdXRhdGlvbgRjcG9zAzEEcG9zAzIEc2VjA3luX3RvcF9zdG9yeQRzbGsDaW1hZ2UtY29uc2Np

Image-conscious youth rein in social networking

By MARTHA IRVINE, AP National Writer – Thu May 27, 3:49 am ET

CHICAGO – What's that? A young college grad lecturing her elders about online privacy?

It might go against conventional wisdom, but a new report from the Pew Internet & American Life Project is adding fuel to the argument that young people are fast becoming the gurus of online reputation management, especially when it comes to social networking sites.

Among other things, the study found that they are most likely to limit personal information online — and the least likely to trust free online services ranging from Facebook to LinkedIn and MySpace.

… In this instance, adults over the age of 30 might do well to listen. The Pew study and a mounting body of new research is showing that the very generation accused of sharing too much information online is actually leading the pack in online privacy.

The Pew study found, for instance, that social networkers ages 18 to 29 were the most likely to change the privacy settings on their profiles to limit what they share with others online. The percentage who did so was 71 percent, compared with just 55 percent of the 50- to 64-year-old bracket. Meanwhile, about two-thirds of all social networkers who were surveyed said they've tightened security settings.

… Consider also that the study found that a quarter of online adults said their employers now have policies about how they portray themselves online. [That's new, isn't it? Bob]

[The report: http://www.pewinternet.org/Reports/2010/Reputation-Management.aspx?r=1



Where do threats come from and what are their targets? If you have a detection tool anywhere along the path that connects these points (not only at the corporate end-point) you can detect and respond to an attack. Why do you want to be in my network?

http://www.wired.com/threatlevel/2010/05/einstein-on-private-networks/

Pentagon: Let Us Secure Your Network or Face the ‘Wild Wild West’ Internet Alone

By Kim Zetter May 27, 2010 1:50 pm

Companies that operate critical infrastructures and do not voluntarily allow the federal government to install monitoring software on their networks to detect possible cyberattacks would face the “wild” internet on their own and place us all at risk, a top Pentagon official seemed to say Wednesday.

… The Einstein programs are intrusion-detection and response systems developed by the National Security Agency. The government is in the process of deploying Einstein 2 to federal networks to inspect traffic for malicious threats, but there has been talk of deploying it to private-sector networks as well. Intrusion-detection systems are already a standard tool in the defense arsenal of private-sector businesses, and the government has been unclear about how its system surpasses those already available to companies.

… In 2008, DHS’s Privacy Office published a Privacy Impact Assessment (.pdf) on early versions of Einstein 2, but has not published one on Einstein 3. The assessment left many questions unanswered, such as the extent of the NSA’s role in the programs and whether information obtained by the monitoring systems will be shared with law enforcement or other intelligence agencies. [Of course it will. Why else would you bother detecting the attack? Bob]


(Related) ...but a different perspective. Question: How do I distinguish an all-out attack from the government trying to take control of my network to defend me? (I'm still haunted by, “In order to save the village, we had to destroy it.”)

http://www.wired.com/dangerroom/2010/05/cyber-command-we-dont-wanna-defend-the-internet-but-we-just-might-have-to/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Cyber Command: We Don’t Wanna Defend the Internet (We Just Might Have To)

By Noah Shachtman May 28, 2010 9:44 am

OMAHA, Nebraska – Members of the military’s new Cyber Command insist that they’ve got no interest in taking over civilian Internet security – or even in becoming the Pentagon’s primary information protectors. But the push to intertwine military and civilian network defenses is gaining momentum, nevertheless. At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks, based on a deeply controversial effort to keep hackers out of the government’s pipes.

U.S. Cyber Command (“CYBERCOM“) officially became operational this week, after years of preparation. But observers inside the military and out still aren’t quite sure what the command is supposed to do: protect the Pentagon’s networks, strike enemies with logic bombs, seal up civilian vulnerabilities, or some combination of all three.

A 356-page classified plan outlining CYBERCOM’s rise is being put into action. A team of about 560 troops, headquartered at Ft. Meade, Maryland, will eventually grow to 1093. Each of the four armed services is assembling its own cyber units out of former communications specialists, system administrators, network defenders, and military hackers. Those units – Marine Forces Cyber Command, the 24th Air Force, the 10th Fleet, and Army Forces Cyber Command – are then supposed to supply some of their troops to CYBERCOM as needed. It’s similar to how the Army and Marines provide Central Command with combat forces to fight the wars in Afghanistan and Iraq. Inside the military, there’s a sense that CYBERCOM may take on a momentum of its own, its missions growing more and more diverse.


(Related) How would you define a data disaster? Loss of control of the Air Traffic system? Disclosure of IRS data? Shutdown of the phone systems/stock markets/airline reservation systems?

http://it.slashdot.org/story/10/05/27/2018201/Are-We-Ready-For-a-True-Data-Disaster?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Are We Ready For a True Data Disaster?

Posted by timothy on Thursday May 27, @05:32PM

"Fatal Exception's Neil McAllister questions how long we can go before a truly catastrophic data disaster strikes. 'The lure of potential profits in the information economy, combined with the apparent ease with which data can be gathered and a lack of regulation, creates a climate of recklessness in which a "data spill" of the scale of the Deepwater Horizon incident seems not just likely, but inevitable.' Witness Google mistakenly emailing potentially sensitive business data to customers of its Local Business Center service, or the 1.5 million Facebook accounts and passwords recently offered up on an underground hacking forum. 'These incidents seem relatively minor, but as companies gather ever more individually identifiable data and cross-reference these databases in new and more innovative ways, the potential for a major catastrophe grows.'"



For my Intro to Computing (and Statistics) students. Another reason for Backups! Note that even with some lasting millions of cycles, we don't yet know what the Mean and Standard Deviation are.

http://hardware.slashdot.org/story/10/05/27/1841242/Flash-Destroyer-Tests-Limit-of-Solid-State-Storage?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Flash Destroyer Tests Limit of Solid State Storage

Posted by timothy on Thursday May 27, @04:02PM

"We all know that flash and other types of solid state storage can only endure a limited number of write cycles. The open source Flash Destroyer prototype explores that limit by writing and verifying a solid state storage chip until it dies. The total write-verify cycle count is shown on a display — watch a live video feed and guess when the first chip will die. This project was inspired by the inevitable comments about flash longevity on every Slashdot SSD story. Design files and source are available at Google Code."



For my Computer Security students.

http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_

How to foil Web browser 'tabnapping'

Patches may never come, but you can take steps to stymie tab kidnapping

By Gregg Keizer May 26, 2010 03:32 PM ET

Computerworld - A new, incredibly sneaky identity-theft tactic surfaced earlier this week when Mozilla's Aza Raskin, the creative lead of Firefox, unveiled what's become known as "tabnapping."

Stated simply, tabnapping -- from the combination of "tab" and "kidnapping" -- could be used by clever phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All of the major browsers on Windows and Mac OS X are vulnerable to the attack.



For my Computer Forensics students who don't have Windows 7 yet...

http://www.makeuseof.com/dir/findexif-extract-exif-data-online/

FindExif: Extract EXIF Data Online

All digital cameras add a bunch of information to each photo that they save. This information is called the EXIF data that is used to store information about the camera used to take the photo, the camera settings used, resolution of the image and other details that might help in classifying the image later on.

… FindExif is an online site that lets you extract exif data online and view it in an easy to understand format.

www.findexif.com

Similar sites: CameraSummary, Get-exif-info and Exifremover.



For my Computer Security (Process Engineering) students.

http://it.slashdot.org/story/10/05/28/009220/CERT-Releases-Basic-Fuzzing-Framework?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

CERT Releases Basic Fuzzing Framework

Posted by timothy on Thursday May 27, @08:53PM

"Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."

[From the article:

Fuzz testers, or fuzzers, are used by security researchers to find vulnerabilities by sending random input to an application. If the program contains a vulnerability that can lead to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash. [Note that this is the opposite of testing with real data. Your software must handle ANY input, processing the good stuff and rejecting the bad. Bob]
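To make the "handle ANY input" point concrete, here is a small dumb-fuzzing harness added as an illustration (it is not CERT's BFF and not code from the article). It mutates a constructed length-prefixed record at the byte level, feeds each mutant to a parser, and records any exception other than a clean ValueError rejection; the fragile parser crashes with IndexError, the hardened one never does.

```python
import random

# Constructed sample record: one-byte length, ASCII name, one-byte checksum.
SEED = b"\x05hello\x2a"

def parse_record_fragile(data: bytes):
    # Trusts the length byte and indexes without checks (deliberately fragile).
    length = data[0]
    name = data[1:1 + length].decode("ascii")
    return name, data[1 + length]

def parse_record_hardened(data: bytes):
    # Validates every field and rejects malformed input with ValueError.
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) != 2 + length:
        raise ValueError("length byte does not match payload size")
    try:
        name = data[1:1 + length].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("name is not ASCII") from exc
    return name, data[1 + length]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    # Dumb mutation: no knowledge of the format, just byte-level damage.
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:                       # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:                              # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:                     # delete one byte
        del data[rng.randrange(len(data))]
    else:                                      # truncate to a random length
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)

def fuzz(parser, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    # Returns {exception name: first input that triggered it}.
    # ValueError counts as a clean rejection; anything else is a crash.
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Run `fuzz(parse_record_fragile)` to see the crashing input, and `fuzz(parse_record_hardened)` to confirm an empty result.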



For my Ethical Hacking students: Why we use Linux (Ubuntu)

http://apple.slashdot.org/story/10/05/27/1826207/iPhones-PIN-Based-Security-Transparent-To-Ubuntu?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

iPhone's PIN-Based Security Transparent To Ubuntu

Posted by timothy on Thursday May 27, @03:19PM

"Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."


(Related) Making Linux even more useful

http://www.makeuseof.com/tag/4-ways-linux-compatible-software/

4 Ways To Make Linux Compatible With Even More Software



Tools & Techniques

http://www.makeuseof.com/tag/3-fast-easy-online-screen-capture-tools/

3 Fast and Easy Online Screen Capture Tools



Tools & Techniques: A number of simple videos explaining how things work.

http://www.commoncraft.com/

Common Craft

[Some Technology topics:

Blogs

Cloud Computing

RSS

Web Search Strategies

Wikis
