Friday, August 06, 2010

A simple twist on the trend to target small businesses (any business with less than adequate security)

http://www.databreaches.net/?p=13003

Hackers find a new target in payroll processing

August 5, 2010 by admin

Oh ho…. this explains the confusion created by a recent breach report by Regeneron to the New Hampshire Attorney General’s Office. I had been wondering why Regeneron was claiming that they had first found out about a breach involving Ceridian in June when Ceridian had claimed back in February that everyone was notified. I had even called Ceridian last week to ask about Regeneron’s report, but despite their promise to get back to me, they never did. Now I understand why. It appears that what Regeneron was talking about was not the Ceridian breach we knew about in February, but a new breach — this one of Regeneron — that attempted to steal or divert funds by using Regeneron’s credentials to access their payroll account with Ceridian. Robert McMillan reports:

… In what may be a troubling sign of things to come, criminals recently hacked into a desktop computer belonging to Regeneron Pharmaceuticals and tried to steal money by redirecting funds using Regeneron’s account on the company’s third-party payroll system, operated by Ceridian.

The attack didn’t work, but it shows that criminals, who have been making millions of dollars by hacking into computers and initiating fraudulent bank transfers, may have found a new target.

The hacking happened sometime around June 18, said Ross Grossman, vice president of human resources with Regeneron, a 1,200-employee drugmaker based in Tarrytown, New York. “Someone using some kind of malware was able to hack in and get the user name and password of one of our employees and use the Ceridian system,” he said in an interview.

Read more on Computerworld.



How to get tickets to the big game?

http://www.pogowasright.org/?p=12664

AU: Secret police files made available on AFL players, coaches shared with AFL

August 6, 2010 by Dissent

Steve Lillebuen reports:

Secret police files gathered on AFL players, coaches, board members and even staff have been made available to the league.

Victoria Police struck a deal with the league to share any records it has gathered on AFL identities, including handing over photos and videos.

An AFL club president, civil liberties advocates and the state opposition have all blasted the agreement as unprecedented, insulting invasion of privacy.

Hawthorn president Jeff Kennett said the agreement is utterly disturbing.

“I cannot imagine any circumstance that would justify our police force handing over its files to a sporting body,” the former Victorian premier told AAP.

Read more on Adelaide Now.



Interesting how much even the size of the policies varies...

http://www.pogowasright.org/?p=12633

US Government File Spying Series

August 6, 2010 by Dissent

John Young of Cryptome writes:

The vast US Government files (a/k/a records, data, profiles, dossiers) on its citizens and employees are governed by privacy law. Every government department and agency is required to establish, maintain and publish privacy polices. As with other privacy policies by businesses and individuals, government privacy policies describe the files and who has access to the files under privacy law for diverse governmental and non-governmental purposes.

The Office of the Federal Register provides US Government privacy issuances, the latest for 2009.

John has zipped up 15 of these files (41.1MB). They contain descriptions of their purpose, scope, handling, confidentiality, security measures and availability to other parties. His zip file includes:

Treasury Department (Includes IRS, 1,009 pages, 3.8MB)
Department of Defense (Excludes OSD, 1,333 pages, 5.0MB)
Department of the Air Force (1,146 pages, 4.1MB)
Department of the Army (946 pages, 3.4MB)
Department of the Navy (Excludes Marine Corps, 777 pages, 2.9MB)
Justice Department (Includes FBI, 1,490 pages, 5.9MB)
Department of Health and Human Services (1,763 pages, 6.8MB)
Department of Homeland Security (1,058 pages, 4.3MB)
Department of Energy (392 pages, 1.5MB)
State Department (296 pages, 1.2MB)
Central Intelligence Agency (158 pages, 666KB)
Agency for International Development (106 pages, 477KB)
Office of the Director of National Intelligence (86 pages, 457KB)
Executive Office of the President (29 pages, 240KB)
National Security Council (24 pages, 180KB)

Links to individual files are provided on Cryptome for those who don’t want the zipped archive.



Makes me wonder why this is being mentioned? Was it going to come out in a more negative way? Perhaps it is just a staged incident to show how “impartial” Blumenthal is?

http://www.pogowasright.org/?p=12642

Blumenthal Finds Improper Use Of Bysiewicz Office Database; Probe Concludes With Report, Referral To Chief Prosecutor

August 6, 2010 by Dissent

Jon Lender reports:

State Attorney General Richard Blumenthal said Thursday that the office of Secretary of the State Susan Bysiewicz maintained “inappropriate” personal and political information in a taxpayer-funded office database – creating “the reasonable perception that the state database was developed as a useful tool for political campaign purposes.” [Why was it developed? See below. Bob]

Blumenthal made those findings in an investigative report. He said he was referring the report to the state’s top prosecutor, Chief State’s Attorney Kevin Kane, as well as the State Elections Enforcement Commission and legislative leaders in hopes of closing a longstanding loophole in state law that permits political activity in state offices by elected officials and their appointed aides.

The referral to Kane also will allow the prosecutor to review whether any criminal laws were violated, Blumenthal’s office confirmed Thursday.

Blumenthal also said in his report that it was “not proper” for his fellow Democrat, Bysiewicz, to use its 36,000-name database to identify the “religion, race and ethnicity” of more than 2,400 citizens, and to keep “special notes” records of some citizens’ political leanings and personal characteristics. In a few cases, those notes included “descriptions of [citizens'] medical issues, choice of clothing, and favored political candidates,” the report said.

Read more in the Hartford Courant.

[From the article:

Blumenthal found no violations of state law.

… The attorney general said that although Bysiewicz's office database has a legitimate use -- "to enable the agency and the Secretary of the state to properly fulfill their duties and responsibilities to the public" [Ah! The very definition of vague! Bob] - it also includes much information not essential to the operation of her office.



Another “Lower Merion” class of lawsuit.

http://www.pogowasright.org/?p=12621

Dad Fights Suspension Over Party Photo

August 5, 2010 by Dissent

Adam Klasfield reports on yet another lawsuit based on a school attempting to punish students for what they do outside of school and on their own time:

A high school girl was suspended from extra-curricular activities for two years based on a bogus “good conduct policy” implemented after the superintendent found a photograph of her allegedly holding a beer at a party, the girl’s father claims in Thomas County Court. He says the school changed its handbook after he questioned the punishment.

Richard Jameson claims the superintendent of Thedford High School came to his home in May to tell him that he had a photograph of Jameson’s daughter, Courtney, holding a beer at a party.

Read more on Courthouse News, where you can also find a copy of the complaint.

Even if the policy wasn’t “bogus,” schools should confine themselves to educating students and dealing with issues that occur on school property. If extra-curricular activities spill over into school, such as cyberharassment cases, yes, I think the schools will need to deal with that in school, but only to the extent that they meet their obligation to create a safe environment for all students. Underage drinking may be of concern to them, but that’s the parents’ responsibility to deal with and not the school’s, unless it happens on school property or the kids are coming in inebriated.

Paging the ACLU to Aisle 4…..


(Related) Speaking of our favorite school district...

http://mainlinemedianews.com/articles/2010/08/05/main_line_times/news/doc4c5af75028ce0646119198.txt

LMSD continues laptop policy update review

… Another issue that has been addressed, he said, is that students should understand that once a computer is turned in at the end of the year any files on the computer become district property.


(Related) It is good to see that someone can learn from this kerfuffle.

http://mainlinemedianews.com/articles/2010/08/04/main_line_times/news/doc4c599360c12b5478165725.txt

Rosemont school launching one-on-one computer program for middle-schoolers

… Students in sixth, seventh and eighth grades attending the Rosemont School of the Holy Child in Rosemont this fall will get a new netbook computer to use in school and take home. But officials say it will have one major difference from another local school’s highly publicized one-on-one laptop program.

“We do not have any remote-activation software on these machines and there will be no GPS tracking,” said Jim Breslin, the school’s director of technology. “We have not purchased anything like that. It’s not in our mind at all.”

… So students don’t lose their assignments, they will be encouraged to store them on the school’s server as a backup.

There are webcams on the computers but school officials say they will have no access to remotely activate them.



Now parents can be just as intrusive as school districts! Think of it as an electronic version of the ankle bracelet they make Lindsay Lohan wear.

http://techcrunch.com/2010/08/05/yc-funded-whereoscope-gives-parents-an-easy-way-to-track-where-their-kids-are/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

YC-Funded Whereoscope Gives Parents An Easy Way To Track Where Their Kids Are

Since the dawn of mankind, and probably even a while before that, parents have been asking themselves the same question: “Where are my kids?”

Now Whereoscope, a Y Combinator-funded startup that’s launching today, may have a solution that’s more reliable and easier to use than most other kid-tracking solutions on the market.

Whereoscope consists of an iPhone application that runs in the background (you’ll need iOS 4, which enabled background apps). During an initial setup process, you designate a handful of key locations, or geofences, that your children often visit — their school, home, a best friend’s house, etc. You can elect to receive a push notification whenever your child leaves or arrives at one of these areas. Your child doesn’t have to actually do anything to check in, so there’s nothing for them to forget. And, if your child were to “accidentally” disable the application, Whereoscope can send you a warning giving you a heads up.
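The geofence behaviour described above (arrive/leave notifications with no action by the child, plus a warning when the app stops reporting) is straightforward to model. The following is an added example written for this post; it is not Whereoscope's code and assumes circular fences, great-circle distance on a spherical earth, a small hysteresis margin so GPS jitter at the fence edge does not produce repeated leave/arrive events, and a heartbeat timeout that flags a phone that has gone silent. All coordinates and timestamps are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float  # radius of the circle drawn around the location


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points (spherical earth)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class GeofenceTracker:
    """Turns a stream of location fixes into arrive/leave events and silence warnings."""

    def __init__(self, fences: List[Geofence], heartbeat_timeout_s: int = 900,
                 hysteresis_m: float = 25.0) -> None:
        self.fences = list(fences)
        self.heartbeat_timeout_s = heartbeat_timeout_s
        self.hysteresis_m = hysteresis_m  # must travel this far past the edge to count as "left"
        self.inside: Set[str] = set()
        self.last_fix_ts: Optional[int] = None
        self.silent_alerted = False

    def update(self, ts: int, lat: float, lon: float) -> List[str]:
        """Record a fix; return the transition events it caused."""
        events: List[str] = []
        self.last_fix_ts = ts
        self.silent_alerted = False  # a fresh fix clears any outstanding silence alert
        for f in self.fences:
            d = haversine_m(lat, lon, f.lat, f.lon)
            if f.name in self.inside:
                # Leaving requires crossing the radius plus the hysteresis margin.
                if d > f.radius_m + self.hysteresis_m:
                    self.inside.remove(f.name)
                    events.append(f"left {f.name}")
            elif d <= f.radius_m:
                self.inside.add(f.name)
                events.append(f"arrived at {f.name}")
        return events

    def check_heartbeat(self, now: int) -> Optional[str]:
        """Warn once if no fix has arrived within the timeout (app killed, phone off, etc.)."""
        if self.last_fix_ts is None or self.silent_alerted:
            return None
        gap = now - self.last_fix_ts
        if gap > self.heartbeat_timeout_s:
            self.silent_alerted = True
            return f"no location report for {gap} s; app may have been disabled"
        return None


# Constructed sample data: "home" and a "school" about 1 km north of it.
FENCES = [
    Geofence("home", 40.7128, -74.0060, 100.0),
    Geofence("school", 40.7218, -74.0060, 150.0),
]

# Constructed fixes (timestamp in seconds, lat, lon): walking out of home, then to school.
FIXES: List[Tuple[int, float, float]] = [
    (0, 40.7128, -74.0060),     # at home
    (60, 40.7133, -74.0060),    # ~56 m from home centre, still inside
    (120, 40.71385, -74.0060),  # ~117 m: past the radius but within hysteresis, no event
    (180, 40.7142, -74.0060),   # ~156 m: left home
    (600, 40.7217, -74.0060),   # ~11 m from school centre: arrived at school
]


def run_demo() -> Dict[str, list]:
    """Replay the constructed fixes and a silent period; return events and warnings."""
    tracker = GeofenceTracker(FENCES, heartbeat_timeout_s=900)
    events: List[Tuple[int, str]] = []
    warnings: List[Tuple[int, str]] = []
    for ts, lat, lon in FIXES:
        for msg in tracker.update(ts, lat, lon):
            events.append((ts, msg))
    # No fix for 1000 s after the last one: the parent should get a warning, exactly once.
    for now in (1600, 1700):
        w = tracker.check_heartbeat(now)
        if w:
            warnings.append((now, w))
    return {"events": events, "warnings": warnings}


if __name__ == "__main__":
    for ts, msg in run_demo()["events"]:
        print(f"t={ts}s: {msg}")
    for ts, msg in run_demo()["warnings"]:
        print(f"t={ts}s: WARNING {msg}")
```

The hysteresis margin is the part most simple implementations miss: a phone sitting 95 m from the centre of a 100 m fence will jitter across the boundary many times an hour, and without the margin every crossing becomes a push notification.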



So, I'm covered right?

http://www.pogowasright.org/?p=12635

Discovery Rule for Libel Doesn’t Apply to Blogs, Says Federal Judge

August 6, 2010 by Dissent

Shannon P. Duffy writes:

Aviation lawyer and seasoned pilot Arthur Alan Wolk knows quite a bit about the stratosphere and the troposphere, but he may have learned something new this week about the blogosphere when a federal judge tossed out his libel suit against the bloggers at Overlawyered.com.

As U.S. District Judge Mary A. McLaughlin sees it, a blog is legally the same as any other “mass media,” meaning that any libel lawsuit filed against a blog in Pennsylvania must make its way to court within one year.

[...]

Wolk has already filed a notice of appeal to challenge McLaughlin’s ruling.

Rosen said he believed that McLaughlin had erred by failing to apply recent Pennsylvania Supreme Court decisions that say the discovery rule tolls the statute of limitations until an “awakening event.”

The Internet, Rosen said, poses “unique challenges” for the courts in the field of defamation.

“Unlike mass media print defamation claims, where the publication is pervasive for a short time, but soon becomes yesterday’s news, the Internet is a different animal,” Rosen said.

“In cases such as Mr. Wolk’s, involving a blog that is relatively obscure, but which published a false statement that may appear on any Google type search, the discovery rule is of particular importance,” Rosen said.

Onufrak said that if his clients had not won the case on statute-of-limitations grounds, he was confident that they would have won on First Amendment grounds because the blog entry was not defamatory and would have been considered protected opinion.

Read more about the case and issues on Law.com.



How to bypass the mommie barrier. OR “We don't need no stinking iPhones!”

http://news.cnet.com/8301-1035_3-20012720-94.html?part=rss&subj=news&tag=2547-1_3-0-20

How to text without a cell phone

Kids, of course, come in all varieties and their interests run the gamut. But when it comes to 10-year-old girls, I dare say, there are two ubiquitous desires: getting one's ears pierced and getting a cell phone.

And you may as well let go of that ol' school stereotype of a preteen--phone glued to ear--gabbing on and on with friends about inanities. The phone is not really for talking. It's for texting.

Which is why my own 10-year-old daughter--too young in her stodgy mom's eyes for piercings or a cell phone--was ecstatic to have found a workaround for the latter. Earlier this summer, a friend told her about an app for her iPod Touch called Textfree, which assigns her a real phone number and lets her send and receive texts for free.

Unbeknownst to her, however, she might also be helping to shake up traditional wireless carrier models as we know them.

In the roughly two months since users of Pinger's Textfree app started getting assigned actual phone numbers, Pinger has handed out 1.6 million. That's as many wireless numbers as AT&T gave out to net new subscribers in April,


(Related) Another reason for Apple to control Apps on the iPhone. Isn't there something like a “prior art” test?

http://apple.slashdot.org/story/10/08/05/237240/Apple-Mines-App-Store-Submissions-For-Patent-Ideas?from=rss

Apple Mines App Store Submissions For Patent Ideas

Posted by timothy on Thursday August 05, @07:56PM

I Don't Believe in Imaginary Property writes

"Apple has started filing a bunch of patents on mobile applications. That might not be so interesting in and of itself, but if you look closely at the figures in one of the patents, you can see that it's a copy of the third-party Where To? application, which has been on the App Store since at least 2008. There's also a side-by-side comparison which should make it clear that the diagram was copied directly from their app. Even though it's true that the figures are just illustrations of a possible UI and not a part of the claimed invention, it's hard to see how they didn't get some of their ideas from Where To? It might also be the case that Apple isn't looking through the App Store submissions in order to patent other people's ideas, but it's difficult to explain some of these patents if they're not. And with the other patents listed, it's hard to see how old ideas where 'on the internet' has been replaced with the phrase 'on a mobile device' can promote the progress of science and useful arts. This seems like a good time to use Peer to Patent."



Perhaps we shouldn't worry about “applicability” or what concerns various governments when we are building a basic definition.

http://www.bespacific.com/mt/archives/024886.html

August 05, 2010

Defining Internet Freedom - eJournal - U.S. Department of State

Defining Internet Freedom - eJournal - U.S. Department of State, July 2010

  • "The first part of this journal addresses the difficulty agreeing on a universally applicable definition of Internet freedom. Nations impose many different kinds of restrictions. Some represent the efforts of authoritarian regimes to repress their opponents, but others instead reflect diverse political traditions and cultural norms. Other materials survey the current state of ‘net freedom in different parts of the world. Freedom House, a leading nongovernmental organization, has studied government efforts to control, regulate, and censor different forms of electronic social communication. Its findings are explained here. We also explore a number of issues that help define the contours of Internet freedom. The term “intermediary liability” may not pique one’s interest, but it assumes new relevance phrased as whether YouTube is liable for an offensive video posted by a third party. From dancing babies to public libraries, the issues that will delimit global citizens’ access to information are being contested every day."



Pop quiz for my Computer Security students: Suggest seven ways to defeat these controls.

http://yro.slashdot.org/story/10/08/05/152255/Tech-Specs-Leaked-For-French-Spyware?from=rss

Tech Specs Leaked For French Spyware

Posted by CmdrTaco on Thursday August 05, @12:09PM

"With the 'three strikes' law now in effect in France, the organization tasked with implementing it, Hadopi, has been working on technology specs for making the process work — and those specs have now leaked. It appears to involve client-side monitoring and controlling software, that would try to watch what you were doing online, and even warn you before you used any P2P protocol (must make Skype phone calls fun). It's hard to believe people will accept this kind of thing being installed on their computers, so I can't wait to see how Hadopi moves forward with it. It also appears to violate EU rules on privacy."



Video from the Black Hat conference.

http://blogs.computerworld.com/16661/mobile_malware_you_will_be_billed_90_000_for_this_call

Mobile malware: You will be billed $90,000 for this call

"There are more phones on the planet than computers. And it's easier to steal money from phones," stated Mikko Hypponen, chief research officer at security firm F-Secure Corp. In a video interview, Hypponen explained there haven't been more mobile phone attacks, since Windows XP computers are still the "easiest" and most exploitable target.

… According to the video, he expects to eventually see mobile smartphone worms that spread automatically to everyone listed in a phone's address book. When this happens, a worm could spread infection around the world in only a couple of minutes.



For my Ethical Hackers/Broncos fans. What say we give the home team an edge? “It's first and ten. The Broncos are on their own 6 yard line. There's the snap! It's a Draw that goes for about half a yard... WAIT! The scoreboard indicates it's a touchdown!”

http://news.cnet.com/8301-13506_3-20012807-17.html?part=rss&subj=news&tag=2547-1_3-0-20

Microchips making their way into NFL footballs?

The technology, which was originally designed for soccer balls, helps referees know when the ball has crossed a line. In soccer, the technology is used to help referees determine if a ball did, in fact, pass the goal line.



Attention Math students! Consider yourselves lucky! This is the homework I could have assigned!

http://science.slashdot.org/story/10/08/06/0326237/5-Trillion-Digits-of-Pi-mdash-a-New-World-Record?from=rss

5 Trillion Digits of Pi — a New World Record

Posted by timothy on Friday August 06, @05:12AM



A backgrounder for my Computer Security students.

http://www.makeuseof.com/tag/wardriving/

What Is That Wardriving Thing All About?



This could be used in place of a “Forum.” Might be interesting to see if short messages are more popular with students.

http://www.killerstartups.com/Comm/mychatbox-me-building-microblogging-communities

MyChatbox.me - Building Microblogging Communities

http://mychatbox.me/

A service that has just surfaced, My Chatbox will let you create a private microblogging community in which you will be able to communicate only with those that you want. Using this platform, you grant admission to others into your small community and proceed to interact with them as you would using Twitter (i.e., by sending micro messages) that in this case will most likely revolve around a specific topic.

… and since creating a community costs nothing you will be able to come up with one for testing purposes if the idea appeals to you.
