As always, more questions than answers... Who owned the laptop? Why permit (insist?) the data be taken off-site? What possible processing required ALL the University's actual data? (Have they never heard of test data?)
http://www.databreaches.net/?p=16412
Tulane University’s breach report to the NH AG’s Office
January 18, 2011 by admin
As an update to the Tulane University incident where a laptop with W-2 data was stolen from an employee’s car while he was traveling out of town:
Tulane’s notification to the New Hampshire Attorney General’s Office provides some additional details on the incident.
The employee had the data on a laptop because he was supposed to work on it over the winter break to prepare the W-2s.
The laptop was in a briefcase stolen from his (then unoccupied) car while he was away.
The data were unencrypted.
While the explanation seems like a reasonable explanation as to why the data should have been with the employee over break, it does not provide any adequate explanation of why the data weren’t encrypted and why the employee would just leave a laptop in a car – even in a locked trunk. Haven’t there been enough stolen laptop stories in the news the past few years to make everyone aware of the risks?
Poor reporting or just no real information released? Sounds like a fun one to follow if in fact Rahm Emanuel was a victim.
http://www.databreaches.net/?p=16405
Two charged over iPad hacking on AT&T network
January 18, 2011 by admin
From Reuters:
U.S. prosecutors have charged two men with stealing and distributing email addresses for about 120,000 users of Apple Inc’s popular iPad.
Investigators accused Daniel Spitler and Andrew Auernheimer of using an “account slurper” [I'm thinking the FBI made this one up or is it so old I've forgotten the term? Bob] to conduct a “brute force” attack over five days last June, to extract data about iPad users who accessed the Internet through AT&T Inc’s 3G network.
Among the possible victims were celebrities, business executives and government officials like New York City Mayor Michael Bloomberg, ABC News anchor Diane Sawyer, movie mogul Harvey Weinstein and perhaps then-White House Chief of Staff Rahm Emanuel, prosecutors said.
Read more on Reuters.
[From the article:
Among the possible victims ... then-White House Chief of Staff Rahm Emanuel, prosecutors said.
… According to the complaint, the account slurper randomly guessed at data [More likely, they guessed passwords. Bob] held on AT&T's servers until it could match names with emails.
… After the hacking, it shut off the feature that allowed email addresses to be obtained. [Are they talking about lists of people and their email address or just lists of email addresses? Bob]
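The pattern the complaint describes (one client guessing identifier values against a lookup endpoint until some of them match) is visible in ordinary web server logs. The following detector is an added example, not code from the article or from AT&T; the log format, the `/lookup?id=` endpoint and the sample addresses are all constructed.

```python
"""Flag identifier-enumeration ("account slurper") traffic in web server logs.

A legitimate client looks up its own identifier once or twice and hits every time.
An enumerator tries many distinct identifiers from one address and mostly misses.
Log format, endpoint path and addresses below are constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "GET (?P<path>\S+)" (?P<status>\d{3})$')
ID_RE = re.compile(r'[?&]id=(?P<id>[^&]+)')


def build_sample_log():
    """Constructed sample: 10.0.0.9 is a normal client, 10.0.0.5 enumerates."""
    lines = [
        '2011-01-18T10:00:00 10.0.0.9 "GET /lookup?id=89011000000000001" 200',
        '2011-01-18T10:05:00 10.0.0.9 "GET /lookup?id=89011000000000001" 200',
    ]
    for i in range(60):
        status = 200 if i % 10 == 0 else 404      # roughly one guess in ten matches
        lines.append(f'2011-01-18T10:00:{i:02d} 10.0.0.5 '
                     f'"GET /lookup?id={89011000000000100 + i}" {status}')
    return lines


def detect_enumeration(lines, min_distinct=20, max_hit_rate=0.5):
    """Return {ip: stats} for clients that tried many distinct ids with a low hit rate.

    Thresholds are tuning knobs: a single device never needs 20 different ids,
    and a real owner's lookups succeed far more often than half the time.
    """
    per_client = defaultdict(lambda: {"ids": set(), "hits": 0, "requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        idm = ID_RE.search(m["path"])
        if not idm:
            continue                       # only the lookup endpoint is of interest
        rec = per_client[m["ip"]]
        rec["requests"] += 1
        rec["ids"].add(idm["id"])
        if m["status"] == "200":
            rec["hits"] += 1
    flagged = {}
    for ip, rec in per_client.items():
        hit_rate = rec["hits"] / rec["requests"]
        if len(rec["ids"]) >= min_distinct and hit_rate <= max_hit_rate:
            flagged[ip] = {"distinct_ids": len(rec["ids"]),
                           "requests": rec["requests"],
                           "hit_rate": round(hit_rate, 2)}
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(build_sample_log()))
```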
(Related) ...and now I'm concerned that “got a boost” should be translated to “first learned about the hack...”
http://www.databreaches.net/?p=16420
AT&T iPad hackers’ chats were turned in by secret source
January 19, 2011 by admin
Robert McMillan reports:
The government’s case against two men charged with hacking into AT&T’s website to steal e-mail addresses from about 120,000 iPad users got a boost last year when a confidential source handed over 150 pages of chat logs between the two and other members of their hacking group.
Excerpts from the logs, published in the court record, apparently show them talking about the legal risk of their hacking adventures, as well as ways that they could maximize the embarrassment caused by the incident.
Read more on Computerworld.
No real surprise, is it? Another reason why I should not use an employer's computer? Some companies still insist on providing me a “work computer” that is hopelessly out-of-date and has no useful software installed (they even try to block some of that useful hacking stuff!)
Work E-Mail Not Protected by Attorney-Client Privilege, Court Says
E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled.
So, how do I take advantage of this?
http://www.bespacific.com/mt/archives/026283.html
January 18, 2011
Pew Report: The Social Side of the Internet
The Social Side of the Internet - Technology use has become deeply embedded in group life and is affecting the way civic and social groups behave and the way they impact their communities, by Lee Rainie, Kristen Purcell, Aaron Smith, Jan 18, 2011
"The internet is now deeply embedded in group and organizational life in America. A new national survey by the Pew Research Center’s Internet & American Life Project has found that 75% of all American adults are active in some kind of voluntary group or organization and internet users are more likely than others to be active: 80% of internet users participate in groups, compared with 56% of non-internet users. Moreover, social media users are even more likely to be active: 82% of social network users and 85% of Twitter users are group participants."
Double secret body scans? Is it really turned off, or is just the “ON” light extinguished?
http://www.pogowasright.org/?p=19585
TSA Now Forcing Opt-Outs To Walk Through Body Scanners?
January 19, 2011 by Dissent
Paul Joseph Watson of Infowars.com writes:
If the experience of a man traveling through Baltimore Washington International Airport last night is anything to go by, the TSA is now forcing people who opt out of the naked body scanner to walk through the machine as part of a psychological ploy to coerce subservience out of other travelers.
Alexander Petersen was passing through security to board a domestic flight to Florida with his wife and three children. After the backscatter x-ray machines were turned on, TSA staff started corralling passengers to go through the naked body scanners. Petersen’s family escaped selection but when he was told to submit to a scan, Petersen declined and opted for the invasive pat down instead.
“They then called for an “opt-out” pat down and still told me I had to go through the machine,” writes Petersen.
Read more on Infowars.com.
Since November, I’ve read a number of anecdotal reports where people who did go through the scanners were still subjected to the invasive pat-downs, even though the body scanners did not sound any alarm or indicate any reason for suspicion. This is somewhat different, though, where the body scanners are reportedly being used as a “punishment” for those who object to them.
I continue to urge Congress to review and revise this horrific situation. No citizen of the U.S. should be required to undergo pat-downs that are aggressive and humiliating without reasonable suspicion. A large segment of this country, if not the majority, has had enough of the costly and privacy-invasive security theater and wants some sanity and respect restored to air travel.
For my Computer Security students
http://yro.slashdot.org/story/11/01/19/0113206/Encrypt-Your-Smartphone-mdash-Or-Else?from=rss
Encrypt Your Smartphone — Or Else
"Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
[From the article:
While the search incident to arrest exception gives police free rein to search and seize mobile phones found on arrestees’ persons, police generally cannot lawfully compel suspects to disclose or enter their mobile phone passwords. That's because the Fifth Amendment's protection against self-incrimination bars the government from compelling an individual to divulge any information or engage in any action considered to be "testimonial"—that is, predicated on potentially incriminating knowledge contained solely within the suspect's mind.
Individuals can be forced to make an incriminating testimonial communication only when there is no possibility that it will be used against them (such as when prosecutors have granted them immunity) or when the incriminating nature of the information sought is a foregone conclusion. (For more on this subject, see this informative article forthcoming in the Iowa Law Review, also by Professor Gershowitz, which explores in great depth the uncharted legal territory surrounding password-protected mobile phones seized incident to arrest.)
… While police cannot force you to disclose your mobile phone password, once they've lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access to your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis. [Or they could copy everything on your phone and brute force it later... Bob]
Didn't Orson Welles admonish us to “release no software before its time?”
http://it.slashdot.org/story/11/01/18/2137248/Stuxnet-Authors-Made-Key-Errors?from=rss
Stuxnet Authors Made Key Errors
"There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they've been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes."
Another tool for my Ethical Hackers.
Unsecured IP Cameras Accessible To Everyone
"In the last couple of decades, we have become so accustomed to the idea that the public portion of our everyday life is watched and recorded — in stores, on the street, in institutions — that we often don't even notice the cameras anymore. Analog surveillance systems were difficult to hack into by people who lacked the adequate knowledge, but IP cameras — having their own IPs — can be quite easily physically located and their stream watched in real-time by anyone who has a modicum of computer knowledge and knows what to search for on Google."
[From the article:
Camera names and model numbers matched with specific search tags such as “intitle,” “inurl,” “intext,” and many others, can yield links to cameras' remote viewing pages. Search combinations such as “intext:’MOBOTIX M10’ intext:’Open Menu’” and “intitle: ‘Live View / - AXIS 206M’” proved effective for Connor.
And he is not the only one. According to him, there are entire online communities of people interested in finding unsecured IP cameras and in discussing their interest on forums. They have also been known to provide large lists of search strings that work on Google Search and they are there for the taking for all those people who don't know where to start.
… Luckily for all of us who have the need for such a surveillance setup, securing these cameras can be done easily and fast by following instructions in the manual. They - and the DVRs and NVRs - come equipped with onboard security settings that take only a few minutes to configure and effectively lock out anyone who shouldn't have access. Also, a simple step like changing the default username and password can do wonders.
For my Ethical Hackers. We should have one of each in Lab 117...
Attack Toolkits Dominating the Threat Landscape
"The ease-of-use and ability to amass great profits through the use of easily accessible 'attack toolkits' are driving faster proliferation of cyber attacks and expanding the pool of attackers, opening the doors to more criminals who would likely otherwise lack the required technical expertise to succeed in the cybercrime underground. The relative simplicity and effectiveness of attack kits has contributed to their increased use in cybercrime — these kits are now being used in the majority of malicious Internet attacks."
[From the article:
• Popularity and demand has driven up the cost of attack kits. In 2006, WebAttacker, a popular attack toolkit, sold for $15 on the underground economy. In 2010, ZeuS 2.0 was advertised for up to $8,000.
• Of the Web-based threat activity detected by Symantec during the reporting period, 61 percent was attributable to attack kits.
Politicians are idiots. Anyone can use the Internet today – If they choose to... Is this a step toward mandatory Internet use? (Perhaps with built in cameras and microphones?)
UK To Offer PCs For £98, Subsidized Internet Connections
"The UK government wants to offer low-cost computers as part of a 12-month trial during Race Online 2012. The scheme, which aims to reach out to the 9.2 million adults that are not yet online, 4 million of whom are considered socially and economically disadvantaged, aims to 'make the UK the first nation in the world where everyone can use the web.' Prices will start at £98 ($156.01) for a refurbished PC, with subsidized Internet connections available for as little as £9 ($14.33) a month or £18 ($28.65) for three months. The cheap computers will run open-source software (think Linux) and will include a flat-screen monitor, keyboard, mouse, dedicated telephone helpline, delivery, and even a warranty. The cheap Internet packages will use a mobile dongle to help people access the web."
Something for all my Math students...
Wednesday, January 19, 2011
Microsoft Mathematics 4.0 - A Scientific Calculator
Microsoft has released a new scientific calculator that you can download for free (Windows only). Microsoft Mathematics 4.0 is a graphing calculator that plots in 2D and 3D. Of course, the calculator does many other functions such as solving inequalities, converting units of measure, and performing matrix and vector operations.
[From the Microsoft website:
With Microsoft Mathematics, students can learn to solve equations step-by-step