Tuesday, October 05, 2010

Tony Soprano would be so proud! (Allegedly)


Hackers Steal $600,000 from Brigantine, NJ

October 4, 2010 by admin

Brian Krebs reports:

Organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials.

The break-in marks the second time this year that hackers have robbed the coffers of an Atlantic County town: In March, a similar attack struck Egg Harbor Township, N.J., which lost $100,000 in a similar intrusion.

Read more on KrebsOnSecurity.com.

Changing the Terms of Service?


BoA is holding my online bank accounts hostage

OK, fine, "hostage" may be a bit of hyperbole.

However, right at this moment, Bank of America is presenting me with a take-it-or-leave-it proposition: Agree to our "Electronic Communications Disclosure" - all 2,127 words; three densely packed printed pages - or kiss your online banking privileges good-bye.

The inflexibility of the offer was not immediately evident, as BoA did allow me to skip past its first entreaty to comply, but upon logging in a second time I was read the riot act: "Due to the importance of the updates, we request all of our Online Banking customers to read and consent to this document in order to continue using Online Banking."

… So let's take a look at what's inside, if for no other reason than it might spare a few of you from having to do it (gluttons for punishment can find the full text here):

This is good, right? Assuming it really is Comcast that puts the message on your screen.


Comcast Warns Customers Suspected of Bot Infection

Posted by Soulskill on Monday October 04, @06:21PM

"Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

[From the article:

The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company’s security page.

… Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:

  • Downloading any missing Microsoft security updates.

  • Making sure the customer has some kind of up-to-date anti-virus software running.

  • Downloading and running Microsoft’s malicious software removal tool.

  • Downloading and installing Secunia’s free Personal Software Inspector tool, a program that periodically scans the user’s computer for missing security updates for commonly used third-party applications, such as Adobe Reader, Flash, Java, and QuickTime.

No doubt the US will follow India's lead...


India claims access to BlackBerry comms

October 4, 2010 by Dissent

Bill Ray reports:

The Indian government is claiming that RIM has offered it access to instant messaging conversations within hours of a request, though access to email remains unresolved with time running out.

India told Reuters that RIM has offered to provide transcripts of instant messaging sessions, with real-time interception available by the end of the year. But RIM still has to sort out lawful intercept to BlackBerry email by the end of October or face a nationwide ban, while BlackBerry users in UAE are looking at a ban starting at the end of this week unless RIM manages the impossible, and quickly.

Read more in The Register.

Another belated grasp of the obvious. You have data, a program that can read the data, and a means of transmission. Why isn't it obvious you can combine these things?


Hacker claims third-party iPhone apps can freely transmit UDID, pose serious threat to privacy

October 4, 2010 by Dissent

More on apps that may be compromising your privacy, this article by Sean Hollister:

When Apple addressed a congressional inquiry on privacy in July, the company claimed that it couldn’t actually track a particular iPhone in real time, as its transactions were anonymous and thoroughly randomized. Bucknell University network admin Eric Smith, however, theorizes that third-party application developers and advertisers may not have the same qualms, and could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone’s UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam’s Club, though a few were secured with SSL. Though UDIDs are routinely used by apps to store personal data and combat piracy, what Smith fears is that a database could be set up linking these UDIDs to GPS coordinates or GeoIP, giving nefarious individuals or organizations knowledge of where you are.

Read more on Engadget.
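The privacy problem described above is not the UDID itself but the channel: a 40-character device identifier sent in an unencrypted HTTP request can be read by anyone on the path. The following is an added example (not code from the article, from Eric Smith, or from any of the named apps) of the kind of check a reviewer would run over captured app traffic: it looks for UDID-shaped tokens in the path, query string or body of each request and reports which of them travelled over plain http rather than https. The request records and the `.test` hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, parse_qsl

# An iPhone UDID of this era was a 40-character hexadecimal string.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


@dataclass
class Request:
    """One captured HTTP request: full URL (with scheme) and decoded body."""
    url: str
    body: str = ""


@dataclass
class Finding:
    host: Optional[str]
    location: str    # "path", "query" or "body"
    encrypted: bool  # True when the request used https


def find_udid_leaks(requests: List[Request]) -> List[Finding]:
    """Return one Finding per request location that carries a UDID-shaped token."""
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        encrypted = parts.scheme.lower() == "https"
        query_values = " ".join(v for _, v in parse_qsl(parts.query))
        for location, text in (("path", parts.path),
                               ("query", query_values),
                               ("body", req.body)):
            if UDID_RE.search(text):
                findings.append(Finding(parts.hostname, location, encrypted))
    return findings


def plaintext_leaks(requests: List[Request]) -> List[Finding]:
    """The subset that matters: UDIDs sent without transport encryption."""
    return [f for f in find_udid_leaks(requests) if not f.encrypted]


# Constructed sample capture; hosts and identifiers are made up for this example.
SAMPLE_CAPTURE = [
    Request("http://ads.example-retailer.test/track"
            "?udid=0123456789abcdef0123456789abcdef01234567&zip=08203"),
    Request("https://api.example-bank.test/login",
            body="udid=89abcdef0123456789abcdef0123456789abcdef&user=jdoe"),
    Request("http://cdn.example.test/img/logo.png"),
    Request("http://api.example-game.test/score",
            body='{"device":"fedcba9876543210fedcba9876543210fedcba98","score":42}'),
]

if __name__ == "__main__":
    for f in find_udid_leaks(SAMPLE_CAPTURE):
        status = "encrypted" if f.encrypted else "PLAINTEXT"
        print(f"{f.host}: UDID in {f.location} ({status})")
```

Run against the constructed capture, two of the three requests carrying a UDID are flagged as plaintext; the bank login sends the same kind of identifier but over TLS, which is the distinction the article draws.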

Is this really news? Google bases their ads on the contents of your Gmail, don't they?


Why Comcast can (but probably won’t) read your e-mails, IMs

October 4, 2010 by Dissent

Nate Anderson writes:

For some time, Comcast has had a curious passage buried in one of its several “terms and conditions” documents. The ISP makes clear to users that it doesn’t need a court order to monitor their Internet usage, “including without limitation e-mail, newsgroups, chat, IP audio and video, and Web space content.” If Comcast wants to listen to your Skype calls, it’s free to do so.

Read more on Ars Technica.

It's okay to spy on students, but I bet the teachers rebel!


School installs £9,000 facial recognition cameras to stop students turning up late… and teachers could be next target

October 4, 2010 by Dissent

As if we needed any more surveillance of youth or reason to be concerned about turning youth into a nation of sheep living in a surveillance state, this from the UK:

A school has introduced futuristic face recognition cameras to combat students arriving late for classes. [Couldn't they just lock the doors? Bob]

The £9,000 Face Register system monitors more than 200 sixth-form students at the Sir Christopher Hatton School in Wellingborough, Northamptonshire.


When signing in or out of school, pupils have to approach the black box and enter a PIN code, which links to their photograph on a database.

They are then snapped by the cameras and the images are compared with the picture on file to determine a match, meaning students are unable to sign in for their friends.

Headteacher Victoria Bishop said the school had been prompted to install the system for safety reasons. [Whose? Bob]

It’s always the safety, right?

Read more in the Daily Mail.

A less polite way to read this would be that even PCI compliant organizations have been breached.


Verizon PCI DSS Compliance Study: breached entities 50% less likely to be compliant

October 4, 2010 by admin

A new report from Verizon Business shows that following industry security standards can dramatically reduce such incidents.

In a first-of-its-kind “Verizon Payment Card Industry Compliance Report,” the company examined compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud. Company investigators found that breached organizations are 50 percent less likely to be PCI compliant and that only 22 percent of organizations were PCI compliant at the time of their initial examination.

In addition to assessing the effectiveness of the PCI DSS standards, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.

Some of the key findings:

  • 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year-after-year repeat clients.

  • On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number, but not many (11% of clients) passed less than 50% of tests.

  • Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).

  • Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.

  • Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.

  • All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.

In light of some of the hospitality sector breaches, I was especially curious as to what they would find with respect to vendor defaults:

Default passwords, settings, and configurations are common attack points for hackers because they are such easy fare. As evidenced by the 48% that initially passed Requirement 2, many organizations have difficulty eliminating them. There were three big reasons clients didn’t have more success with this requirement: they didn’t sufficiently harden systems by turning off extra services (2.2.2) and functionality (2.2.4), they didn’t document why certain services and functions could not be removed due to business reasons (as required by 2.2.2 and 2.2.4), and they didn’t encrypt all non-console admin traffic (2.3).

You can read more of the findings and their recommendations on Verizon’s site.
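The three Requirement 2 failure modes quoted above (extra services left running, no documented business reason for the ones that stay, cleartext administrative access) are easy to express as checks over a system inventory. The following is an added example, not Verizon's or the PCI Council's code, of such an assessment. The inventory format, host names and the list of vendor default credentials are constructed for this example; the sub-requirement numbers 2.2.2, 2.2.4 and 2.3 come from the report excerpt, and 2.1 is the standard's vendor-defaults sub-requirement.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services an in-scope system may run without further explanation; anything else
# must be disabled or carry a documented business reason (2.2.2 / 2.2.4).
BASELINE_SERVICES = {"ssh", "https", "ntp"}

# Administrative protocols that carry credentials and commands in the clear (2.3).
CLEARTEXT_ADMIN = {"telnet", "http", "ftp", "rsh"}

# Vendor default credentials to compare against; constructed list for this example.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "password"), ("admin", "")}


@dataclass
class Service:
    name: str
    port: int
    enabled: bool = True
    justification: Optional[str] = None  # documented business reason, if any


@dataclass
class Host:
    name: str
    services: List[Service]
    admin_protocols: List[str]                 # how admins reach the box remotely
    admin_credentials: List[Tuple[str, str]]   # (username, password) as configured


@dataclass
class Finding:
    host: str
    requirement: str
    detail: str


def assess_requirement_2(hosts: List[Host]) -> List[Finding]:
    """Return one Finding per Requirement 2 gap found in the inventory."""
    findings = []
    for h in hosts:
        # 2.1: vendor-supplied defaults must be changed before deployment.
        for user, password in h.admin_credentials:
            if (user, password) in KNOWN_DEFAULTS:
                findings.append(Finding(h.name, "2.1",
                                        f"vendor default credential in use for '{user}'"))
        # 2.2.2 / 2.2.4: only necessary services, or a documented reason to keep them.
        for s in h.services:
            if not s.enabled or s.name in BASELINE_SERVICES or s.justification:
                continue
            findings.append(Finding(h.name, "2.2.2/2.2.4",
                                    f"{s.name}/{s.port} enabled without documented business need"))
        # 2.3: non-console administrative access must be encrypted.
        for proto in h.admin_protocols:
            if proto in CLEARTEXT_ADMIN:
                findings.append(Finding(h.name, "2.3",
                                        f"non-console admin access over cleartext {proto}"))
    return findings


def passes_requirement_2(hosts: List[Host]) -> bool:
    return not assess_requirement_2(hosts)


# Constructed inventory: a poorly hardened point-of-sale server and a clean one.
SAMPLE_HOSTS = [
    Host(name="pos-server-01",
         services=[Service("ssh", 22), Service("telnet", 23)],
         admin_protocols=["telnet"],
         admin_credentials=[("admin", "admin")]),
    Host(name="backoffice-02",
         services=[Service("https", 443), Service("ntp", 123),
                   Service("smb", 445, justification="nightly sync with vendor back office")],
         admin_protocols=["ssh"],
         admin_credentials=[("ops", "correct-horse-battery")]),
]

if __name__ == "__main__":
    for f in assess_requirement_2(SAMPLE_HOSTS):
        print(f"{f.host}: req {f.requirement}: {f.detail}")
```

The point of the `justification` field is the second failure the report calls out: a service that cannot be removed is acceptable under 2.2.2 and 2.2.4 only when the reason is written down, so the check treats an undocumented extra service as a finding and a documented one as a pass.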

So, how do I demonstrate a “commercial interest” in my name, or what alternative argument should I use? Does this have implications for Social Networks?


Court Rules Against Woman Who Didn't Like Search Results

Posted by samzenpus on Monday October 04, @01:22PM

The Seventh Circuit Court has ruled that Beverly Stayart can't sue Yahoo! because she did not like what she saw on the results page after searching for her name. Stayart claimed that her "internet presence" was damaged by Yahoo! because results for a search of her name showed listings which included pharmaceuticals and adult oriented websites. The court disagreed. From the article: "Stayart had sued under Section 43(a) of the federal Lanham Act, which prohibits false advertising, false implications of endorsement, and so on. Her problem was that a Lanham Act claim requires a showing that the plaintiff has a 'commercial interest' to protect, and Stayart did not have a commercial interest in her own name."

For my Ethical Hacking students. For the mid-term exam, would you rather change your grades (again) or elect yourselves Governor?


Voting System Pwned by Michigan Wolverines

After election officials in Washington, DC, egged on hackers to have a go at their new internet voting system, they did just that. The result was Michigan’s fight song “Hail to the Victors” played to voters after they cast their ballots.

Election officials were testing their new pilot voting system in advance of elections in November, but had to pull it down on Friday after the hackers seized it.

Officials initially cited “usability issues” [Deny, deny, deny! Bob] that had been brought to their attention, but the election board’s chief technology officer later admitted to the Washington Post that “the integrity of the system had been violated.”

A Michigan professor apparently “unleashed his students” on the system to get the win for Michigan.

The system, which was paid for in part with a $300,000 federal grant, was supposed to allow about 900 military personnel and overseas voters the ability to cast absentee ballots. But officials now say the voters will only be able to download their ballots via the system and will then have to send them in separately, via post, e-mail or fax, to be counted.

Common Cause, computer scientists and others had warned election board officials that the system was a security risk, but officials had dismissed their concerns.

Tools & Techniques for my Ethical Hackers...


Geolocation XSS Tracker Proof of Concept

Posted by CmdrTaco on Monday October 04, @12:23PM

Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.

Didn't I propose this business model a few years back?


How Google could revolutionize the Music Industry

Apple is currently the undisputed king in online digital music sales. Ever since iTunes was released back in 2001, the program has been the default (and only really decent) option for people looking to build their digital music libraries.

This Holiday Season, Google is hoping to change that. And although “GMusic’s” existence has been confirmed for a few months now, it is only within the past week or so that concrete details have started to pop up.

Here are a few of the key features set to be included in GMusic:

Online Music Locker: For a $25/year subscription fee, users will have access to an online “music locker” where they can make music purchases as well as access and stream their entire music library from a computer or a supported mobile device. While you may be asking yourself why you’d want to pay a subscription fee for something you already own, consider the fact that with GMusic your entire music library is automatically backed up online. If your computer breaks down or you just happen to be getting a new one, you won’t have to fret about losing all your music.

Direct Digital Downloads: Just because Google has been focusing on the streaming aspects of GMusic doesn’t mean they’re forgetting about traditional downloads. Google will allow users to save music to their computers for personal use just like they would with iTunes. The cost of a full-length album will be $7.00, while singles will go for 79 cents. These prices are about half of what we’re currently paying with iTunes, and could be one of the biggest selling points for the service. Google is also pushing record labels to allow for a one-time preview of any track before making a purchase. In theory, this means that unlike with iTunes, you would have the ability to preview an entire album before deciding that it’s worth purchasing. This would be huge, as it would mean an end to the days of purchasing a highly anticipated album, only to find out that it isn’t that great and you probably should’ve spent your money elsewhere.

50/50 royalty rate split between right-holders and Google: Consumers aren’t the only people that should be excited for Google Music. GMusic has the potential to completely transform the way that artists are compensated for digital music sales. Without getting into the gory details, just know that right now artists are essentially being screwed by iTunes. Most artists only get around 12% royalties on each album sold, and with plummeting album sales this has made it nearly impossible for artists to make a decent amount of money off of record sales. People in the music industry have been calling for revised royalty rates for a while, and if Google has their way, they just might get it. Apparently Google’s proposal “calls for a ‘50-50’ revenue split between master rights-holders and Google, with music publishers receiving a 10.5% share.” If this were the case, I would be a lot more inclined to start purchasing albums on a more regular basis, as I often feel that I am really not helping artists (especially independent ones) much when I purchase their album through iTunes; I usually choose to support them by buying concert tickets or merchandise instead.

… Realistically, the idea of Google Music “overtaking” iTunes anytime in the immediate future is pretty far-fetched. However, at the very least, it will be the first real competition Apple has seen in a long time. If Google Music is able to do everything they’re saying it will, artists, music fans, and the record industry as a whole all stand to benefit.

Free is good; it's talking your non-techie friends into installing the app that's hard.


Skype For Android Is Here And Works Over WiFi And 3G (Exceptions: US, China, Japan)

It took a while, but Skype has now released an application for Android smartphones, enabling users to make free calls to other Skype users and send and receive IMs, one-to-one or with a group. The Android app works over WiFi, 3G, EDGE and GPRS, and comes at a cost that’s hard to beat – gratis.

Big caveats: you can only make calls over WiFi in the United States, and the app is not available in the Android Market in China or Japan.

Okay, this feeds my Sci-Fi addiction.


AnyNewBook: Get New Book Release Notifications

Any New Books is a free-to-use new book release notification website that keeps you updated on new books that are relevant to your reading interests. The site’s function is quite simple: it lets you subscribe to weekly email notifications for each type of book genre.

In addition to getting updates on regular books you can choose to get updates on new Kindle books as well, by checking an option.
