“We were hacked, but nobody noticed.”
February 10, 2011 by admin
Brian Krebs writes:
Online dating giant eHarmony has begun urging many users to change their passwords, after being alerted by KrebsOnSecurity.com to a potential security breach of customer information. The individual responsible for all the ruckus is an Argentinian hacker who recently claimed responsibility for a similar breach at competing e-dating site PlentyOfFish.com.
Joseph Essas, chief technology officer at eHarmony, said Russo found a SQL injection vulnerability in one of the third-party libraries that eHarmony has been using for content management on the company’s advice site – advice.eharmony.com. Essas said there were no signs that accounts at its main user site — eharmony.com — were affected.
“The SQL dump contained screen names, email addresses, and hashed passwords for account login on the Advice site.”
Read more on KrebsonSecurity.com
“We can handle any emergency!”
FEMA Loses Lessons Learned Data
The Federal Emergency Management Agency (FEMA) has been without access to years' worth of lessons-learned data for nine months, unable to recover access to it since a server failure in May 2010, according to a newly issued report by the Department of Homeland Security's inspector general.
While the data was recovered by November 2010, the software needed to read it hasn't been restored, meaning that FEMA personnel aren't able to access certain historical data stretching back to 2004, before Hurricane Katrina, California wildfires, and other major recent disasters.
Lots of links...
Cloud computing: An opportunity and a legal maze
February 11, 2011 by Dissent
There’s a nice overview of cloud computing issues and positions from EurActiv. Here are some parts of it:
Rewriting data protection rules
The European Commission admits that its Data Protection Directive is outdated and is currently reading industry responses to a consultation before reviewing the law.
The current directive sets out guidelines for data controllers who process and handle the data. But the EU will need to tweak these definitions, as cloud computing allows the processing and handling of data to be carried out at a far-flung data centre if businesses so wish.
The current Data Protection Directive requires data to either be stored in the European Economic Area (EEA) or in a territory that has equivalent legal privacy laws.
As of September 2009, the Commission decided that Argentina, Australia, Canada, Switzerland, the Faroe Islands, Guernsey, the Isle of Man, Jersey and the United States had adequate protection for privacy.
Security and data privacy
Cloud computing has been described as putting all of your eggs in one basket. But if that basket gets hit, is everything lost? What if everyone’s personal data, bank account details, credit history, criminal records and tax payments moved to the cloud and got lost?
Regulators will need to act quickly as new research shows that clouds are not being upfront about the services they provide.
A study by the Queen Mary experts in London concludes that cloud business contracts sometimes waive responsibility for data storage or delete data if it is not used for a while. Such contracts are usually difficult to understand as they sometimes amount to 60-page documents written in dense legalese. Many users, however, want the cloud precisely because they need to store data they no longer use but may well need in the future.
While essential security aspects are addressed by most tools, the cloud is potentially geographically vast and may need more prescriptive rules on data replication and distribution.
Customers are also concerned that they will no longer “own” their data, as they are not the de facto data handler if it is hovering in a cloud somewhere. This could also create difficulties in accessing data or in moving to another supplier.
In a recent survey, customers’ top concern was the security of their data in the cloud, followed by performance, privacy and cost.
The EU’s ePrivacy Directive, which was updated in 2009, created data breach notifications whereby any communications provider or Internet service provider (ISP) must inform individuals about data breaches of their personal information.
To try and smooth over legal discrepancies, the industry suggests that a worldwide agreement could be found under World Trade Organisation (WTO) rules for online services and software.
Read more on EurActiv
Is this California statute the only one of its kind?
Class Claims Facebook Violates Kids’ Privacy
February 10, 2011 by Dissent
A class action claims Facebook misappropriates the names and likeness of children and uses them in ads without permission from their parents or grandparents. The class claims that children are unable to stop Facebook from using their names and photos on a Facebook page if they have “liked” it.
This constitutes an “endorsement,” and use of the kids’ names and photos in “Friend Finder” also constitutes commercial use without legal consent, according to the complaint in Superior Court.
The class claims this violates Article 1 Section 1 of the California Constitution, on privacy; and section 3344 of the Civil Code, the right of publicity law.
Read more on Courthouse News. I expect we’ll see more about this case in mainstream media but in the interim, I’m trying to get more information.
Another California only law?
Consumer groups cheer court’s ruling on consumer privacy protections
February 11, 2011 by Dissent
There’s been a lot of media coverage of a decision reported here yesterday in which the California Supreme Court held that Williams-Sonoma violated a state law when it requested and recorded a customer’s zip code during a credit card transaction in a store.
In a joint press release, Privacy Rights Clearinghouse and Consumer Federation of California write:
Today the California Supreme Court ruled that retail stores are not allowed to request and record a consumer’s zip code as part of a credit card transaction. According to the Privacy Rights Clearinghouse and the Consumer Federation of California, which jointly filed an amicus brief with the Supreme Court on this case, the ruling gives further protection to California consumers and helps prevent unlawful use of personal identification information (PII).
The ruling remanded the class action lawsuit Pineda v. Williams-Sonoma Stores, Inc., no. S178241, which began in 2008 when Jessica Pineda paid Williams-Sonoma using a credit card, back to the trial court for further proceedings. As part of the transaction process, the housewares retailer requested Pineda’s zip code. Unbeknownst to Pineda, Williams-Sonoma used a process called “reverse appending” to find out her mailing address. The retail giant then sent Pineda catalogs and used the information it had collected for other business purposes.
… Pineda’s attorney, Gene Stonebarger, argued that Williams-Sonoma’s deceptive actions violated the Song-Beverly Credit Card Act of 1971 (Civ. Code, § 1747.08), which was designed to protect consumer privacy by placing limits on what PII retailers are allowed to request or record when dealing with credit card transactions. The Supreme Court agreed.
“The ruling is significant because it confirms that the definition of PII includes part of a person’s address; the zip code,” states Beth Givens, founder of Privacy Rights Clearinghouse, a consumer education and advocacy group. “In ruling in favor of the plaintiff, the Justices acknowledge advances in technology, in which the use of databases can turn a name plus a zip code into a full address.”
… The ruling reversed both the trial court and the Court of Appeals. The Supreme Court is allowing the decision to be applied retroactively to past consumer transactions. Each violation carries a civil penalty of up to $1,000. A PDF of the ruling can be found at http://www.courtinfo.ca.gov/opinions/documents/S178241.PDF.
Statistics
I've been trying to tell you, the amount of data we will need to process is rather large...
How much information is there in the world? Scientists calculate the world's total technological capacity
… Looking at both digital memory and analog devices, the researchers calculate that humankind is able to store at least 295 exabytes of information. (Yes, that's a number with 20 zeroes in it.)
… That's 315 times the number of grains of sand in the world. But it's still less than one percent of the information that is stored in all the DNA molecules of a human being.
• 2002 could be considered the beginning of the digital age, the first year worldwide digital storage capacity overtook total analog capacity. As of 2007, almost 94 percent of our memory is in digital form.
• From 1986 to 2007, the period of time examined in the study, worldwide computing capacity grew 58 percent a year, ten times faster than the United States' GDP.
• Telecommunications grew 28 percent annually, and storage capacity grew 23 percent a year.
For my Computer Security students
Google Adds Two-Factor Authentication To Gmail
"Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."
(Related) Not all “upgrades” act as expected...
Security Patch Breaks VMware Users' Windows Desktops
"VMware is telling customers that two Windows 7 security patches have left VMware View users incapable of accessing their Windows desktops. Security updates issued on Patch Tuesday fixed Windows but broke the VMware View connection between users' PCs and remotely hosted Windows 7 desktops. Users will have to upgrade VMware View or uninstall the Microsoft patches in order to regain access to their desktops."
Chinese Hackers Strike Energy Companies
"Chinese hackers working regular business hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods in an operation dubbed 'Night Dragon,' according to a new report from security vendor McAfee."
Reader IT.luddite links this informative PDF from CERT.
I use an RSS reader every day, but this is for my Intro to IT students...
How RSS Feeds Work In Simple Terms [Technology Explained]
An RSS feed works by creating a source of data that is machine (computer) readable. RSS uses XML, which stands for eXtensible Markup Language, to encode a variety of information sources in a standardized way, allowing other websites and applications to process that information and make it readable to you however the programmer desires.
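As an added illustration of what "machine readable" means in practice (this is my own example, not code from the MakeUseOf article), here is a small Python reader that turns a constructed RSS 2.0 feed into a list of entries, with the two checks a cautious feed reader makes: it refuses feeds that declare a DOCTYPE, and it drops items whose link is not a web URL. The feed content and site names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample feed in RSS 2.0 layout (no real site or post).
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Security Blog</title>
    <link>https://blog.example/</link>
    <item>
      <title>Password reset advisory</title>
      <link>https://blog.example/2011/02/reset</link>
      <pubDate>Thu, 10 Feb 2011 09:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Patch notes</title>
      <link>javascript:void(0)</link>
      <pubDate>Fri, 11 Feb 2011 09:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>"""


def parse_rss(feed_bytes):
    """Return one {'title', 'link', 'pubDate'} dict per acceptable <item>.

    Defensive checks:
    * a feed carrying a DOCTYPE is rejected outright, so entity
      expansion tricks never reach the XML parser;
    * only http(s) links are kept, so a feed cannot push script or
      other non-web URLs into the reader's user interface.
    """
    if b"<!DOCTYPE" in feed_bytes.upper():
        raise ValueError("feed declares a DOCTYPE; refusing to parse")
    root = ET.fromstring(feed_bytes)
    if root.tag != "rss":
        raise ValueError("not an RSS document: root is <%s>" % root.tag)
    entries = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        if not link.lower().startswith(("http://", "https://")):
            continue  # drop entries whose link is not a web URL
        entries.append({
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "pubDate": (item.findtext("pubDate") or "").strip(),
        })
    return entries


if __name__ == "__main__":
    for entry in parse_rss(SAMPLE_FEED):
        print(entry["pubDate"], "-", entry["title"], "->", entry["link"])
```

Running it prints only the first item; the second is silently dropped because its link is not an http(s) URL.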