Tuesday, May 03, 2011

Apparently there is a “purely coincidental” connection between me teaching “Intro to Computer Security” and breaches at large corporations. I “have no evidence” that points to my Ethical Hackers...

Sony does it again! This is in addition to the earlier breach...


SOE hacked: 12,700 credit card numbers and 24.6 million accounts may have been compromised

May 2, 2011 by admin

Togikagi writes:

As we previously reported, all Sony Online Entertainment services, games, forums and web sites went offline this morning as a result of the recent Playstation Network intrusion. SOE just issued an announcement, and it appears that the personal information of players may have been compromised. Here are the details straight from SOE:

“Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.”

SOE goes on to state that there is no evidence that their main credit card database was compromised. However, SOE is warning customers outside of the United States that credit and debit card information from an outdated database from 2007 may have been obtained. Affected customers will be notified.

Read more on Zam.

In related coverage on PlayStation Universe, Adam Dolge reports that

more than 12,700 customers’ credit card numbers may have been stolen. SOE believes hackers stole customer information on April 16 and April 17. Engineers and security consultants reviewing SOE systems discovered that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The outdated database had approximately 12,700 non-U.S. credit or debit card numbers and expiration dates, but no security codes. There may also have been 10,700 direct debit records stolen from customers in Austria, Germany, the Netherlands, and Spain.

Given the attacks on the PlayStation Network, SOE had already undertaken an intensive investigation into its system. Upon discovering the additional information, SOE shut down all servers related to SOE services while it reviewed and upgraded all of its online security.

The press release went on to say, “Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.”

Personal information stolen from approximately 24.6 million SOE accounts includes names, addresses, email addresses, birthdates, gender, phone numbers, login names, and hashed passwords. The 10,700 direct debit records stolen include bank account numbers, customer names, account names, and customers’ addresses.
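Both notices above say only that the stolen passwords were “hashed”, which on its own tells customers very little: an unsalted fast hash is cracked wholesale offline, one guess covering every account at once. The following is an added example for the security students, not SOE’s actual storage scheme (the notice does not describe it): a constructed dump of three accounts and a constructed six-word wordlist are attacked first as unsalted SHA-1 and then as per-user-salted PBKDF2, showing how the attacker’s work scales in each case and that a weak password falls either way, which is why “change your password” remains the right advice even when hashing was done properly.

```python
"""Why 'hashed password' in a breach notice is not reassurance on its own.

Added example; the account table and wordlist below are constructed, not
breach data, and the storage formats are illustrative, not SOE's.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist: what an attacker tries first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "everquest", "dragon"]

# Constructed 'leaked' table: login name -> unsalted SHA-1 hex digest.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": hashlib.sha1(b"123456").hexdigest(),
    "bob": hashlib.sha1(b"everquest").hexdigest(),
    "carol": hashlib.sha1(b"c0rr3ct-h0rse-battery").hexdigest(),
}


def crack_unsalted_sha1(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Unsalted: hash each candidate once and look every user up in that table.
    Work is len(wordlist) hashes no matter how many accounts leaked."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table.get(h) for user, h in dump.items()}
    return cracked, len(table)


def pbkdf2_record(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow storage: 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_pbkdf2(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Salted: no shared table exists, so every (user, word) pair costs a full
    slow derivation. Weak passwords still fall; strong ones cost far more."""
    cracked: Dict[str, Optional[str]] = {}
    derivations = 0
    for user, record in dump.items():
        cracked[user] = None
        for word in wordlist:
            derivations += 1
            if pbkdf2_verify(word, record):
                cracked[user] = word
                break
    return cracked, derivations


def build_salted_dump(iterations: int = 20_000) -> Dict[str, str]:
    """Same three constructed accounts stored with per-user random salts."""
    plaintexts = {"alice": "123456", "bob": "everquest", "carol": "c0rr3ct-h0rse-battery"}
    return {user: pbkdf2_record(pw, iterations) for user, pw in plaintexts.items()}


if __name__ == "__main__":
    unsalted, n_hashes = crack_unsalted_sha1(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-1:", unsalted, "in", n_hashes, "hashes total")
    salted, n_deriv = crack_pbkdf2(build_salted_dump(), WORDLIST)
    print("salted PBKDF2:", salted, "in", n_deriv, "slow derivations")
```

The unsalted run cracks two of three accounts with six hashes for the whole dump; the salted run cracks the same two, but needs one slow derivation per account per guess, and “carol” survives both because her password is not in the list. The lesson for a notice reader is the same in both cases: the hashing scheme is unknown to them, so they should assume the password is recoverable.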

(Related) We'd rather patch the hole than explain how we hit the iceberg...


Sony Declines to Testify at Congressional Hearing

May 2, 2011 by admin

Nick Bilton reports:

Sony has declined to testify at a Congressional hearing on Wednesday, “The Threat of Data Theft to American Consumers,” that seeks to understand how consumers’ private data is protected by corporations.


The subcommittee sent a letter to Sony on Friday asking the company to answer a number of questions related to the attack by May 6. After Sony declined to testify to the committee, the deadline to respond to questions was pushed up to May 3.

Read more in the NY Times.

(Related) Probably more “seizing an opportunity” than a true reaction to the Sony breach.


AU privacy laws to be beefed up following Sony attack

May 3, 2011 by Dissent

Asher Moses reports that Sony’s delay of several days in disclosing its mammoth data breach has increased the push for stronger privacy and breach disclosure laws in Australia:

The federal government will introduce laws forcing companies to disclose privacy breaches after Sony revealed that more than 1.5 million Australian user accounts were compromised in the recent attack on its PlayStation Network.

The stolen information includes names, addresses, birthdays, email addresses and log-in passwords. Of the 1,560,791 Australian accounts that were affected, 280,000 had credit card details, but these were encrypted and there had been no reports of fraudulent activity, Sony said.

The Privacy Minister, Brendan O’Connor, said he was “very concerned” about the theft of personal information and expressed disappointment that Sony took “several days” to inform customers about the breach. This meant a mandatory “data breach notification” system now “appears necessary”, he said.

Read more on The Age.

It's all guesswork, but based on experience...


Total cost of Epsilon breach could reach $4 billion

E-mail services firm Epsilon will face years of repercussions and up to $225 million in total costs as a result of its recent data breach, a massive event that indicates the often overlooked risk of cloud-based computing systems, according to a report by CyberFactors.

The recent breakdown of Amazon’s cloud computing services that disrupted services to popular sites like Foursquare and Quora is another example of a cloud failure that could prove extremely costly in the long run – and a hint of more troubles on the horizon.

The Epsilon breach may have affected 75 companies or 3% of Epsilon’s customers, not 2% as previously reported, and could eventually cost these companies as much as $412 million, for a total event cost of $637 million. Further, CyberFactors conservatively estimated the number of affected e-mails in the Epsilon breach at 60 million.

The total cost of the Epsilon breach – including forensic audits and monitoring, fines, litigation and lost business for provider and customers – could eventually run as high as $3 billion to $4 billion, according to CyberFactors, given that the compromised e-mail addresses could be used by phishers to gain access to sites that contain consumers’ personal information.

“While the attractiveness of the cloud model is hard to refute, the economics of business risk for cloud providers and their customers can no longer be ignored,” said Regina Clark, Research and Analytics Director, CyberFactors. “With the cost of technology failures rising at an accelerated rate, the Epsilon event suggests a much more profound financial risk environment is now upon us. Cloud companies would be wise to think more like banks, insurance companies and hedge funds, and not just aggregators of the world’s precious data and technology dependencies.”

Other results of the research on the Epsilon breach:

  • 51% of the costs related to the Epsilon data breach will occur in year one, 42% in year two, and 7% in year three and thereafter

  • Loss of revenue related to customer churn as part of the Epsilon breach fallout could range from $6.1 million if just 1% of customers left, to $30.7 million if there were 5% churn.

  • CyberFactors research shows that since 2005, data events have cost individual affected companies in the range of $5.5 million to $12.8 million, depending on the industry and assuming no liability claims.

Does this “former business partner” have other clients?


Best Buy Customers Beware: Another Email Security Breach

May 2, 2011 by admin

MB Quirk of The Consumerist cites an email from Best Buy to its customers – and no, this is apparently not the Epsilon breach, but yet another breach involving Best Buy customers:

Dear Valued Best Buy Customer,

We have discovered that a former business partner’s files containing the email addresses of some Best Buy customers were accessed without authorization. For your security, we wanted to call this matter to your attention.

We believe the only information taken was your email address, and that no other information was accessed. [What “other information” did they have? Bob] We do not believe that Best Buy was specifically targeted in this breach. We are continuing to investigate the situation, and are working closely with the appropriate officials to explore all possibilities.

Read more on The Consumerist.

Any risk at a Cloud Provider is a risk to all of their clients...


VMware Causes Second Outage While Recovering From First

"VMware's new Cloud Foundry service was online for just two weeks when it suffered its first outage, caused by a power failure. Things got really interesting the next day, when a VMware employee accidentally caused a second, more serious outage while a VMware team was writing up a plan of action to recover from future power loss incidents. An inadvertent press of a key on a keyboard led to 'a full outage of the network infrastructure [that] took out all load balancers, routers, and firewalls... and resulted in a complete external loss of connectivity to Cloud Foundry.' Clearly, human error is still a major factor in cloud networks."

A new “assumption” – I wonder if we'll ever see it reflected in law?


The Promise of Privacy Controls

May 2, 2011 by Dissent

Woodrow Hartzog writes:

Privacy settings and other technological controls used to protect privacy have been justifiably criticized a bit lately. Danielle Citron recently blogged at Concurring Opinions about an important new study conducted by Columbia’s Michelle Madejski, Maritza Johnson and Steve Bellovin that found that Facebook’s default privacy settings fail to capture real-world expectations. The United Kingdom Government has recently indicated that browser settings alone cannot be used by Web users to give consent to being tracked online [Now that's interesting! Bob] under a new EU law. The Government’s rationale for this decision was that these browser settings were not flexible enough to reflect a user’s true privacy preferences. The general consensus seems to be that most privacy settings simply aren’t that good at protecting the actual information we consider private in a given context.

Read more on CIS.

Did Mom & Dad give Facebook permission to treat Junior as an adult?


‘Liking’ ads leads to lawsuit

May 3, 2011 by Dissent

Herald News Service reports:

Facebook Inc., the social-networking site, was sued for not getting permission to display notices that minors “like” Facebook advertisers’ products.

The lawsuit seeks class action status on behalf of Facebook users in New York state under the age of 18 who had “their names or likenesses used on a Facebook feed or in an advertisement sold by Facebook Inc. without the consent of their parent or guardian.”

The suit was filed Monday in federal court in Brooklyn.

Read more in the Calgary Herald.

(Related) ...and he should know!


Assange: Facebook 'the Most Appalling Spy Machine' Ever

i4u points out an interview with Julian Assange in which the controversial WikiLeaks spokesman calls Facebook "the most appalling spy machine that has ever been invented." He continues,

"Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo – all these major US organizations have built-in interfaces for US intelligence. It’s not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use. Now, is it the case that Facebook is actually run by US intelligence? No, it’s not like that. It’s simply that US intelligence is able to bring to bear legal and political pressure on them. And it’s costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them."

Even when it “sounds like a good idea,” it pays to actually test your process to see if it works!


Update on digital fingerprints in Europe

May 2, 2011 by Dissent

A PogoWasRight.org reader submits the following:

On 27 April 2011 in a committee session of Dutch parliament it was decided to ‘temporarily’ stop the database storage of digital fingerprints for the biometric passport and ID Card.


It appeared the current state of the technique doesn’t allow proper verification (n=1) on the basis of the stored data (let alone identification). Fingerscan verification tests by the government show failure rates of 20-25%. This issue raises serious questions on a European scale about EU Regulation 2252/2004, which is at the basis of the biometric passport in Europe. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0001:0006:EN:PDF

So far, two fingerprints are stored on the RFID chip in the Dutch passport AND ID card. Together with 2 extra fingerprints per person, these are stored in the decentralised local councils’ databases. The roughly 6 million stored fingerscans in total will be destroyed soon. http://www.rnw.nl/english/bulletin/government-promises-erase-fingerprints

After the change of legislation two fingerprints of all citizens above 12 years will be stored only during the production time of the (RFID chip of the) biometric passport. The national ID card will contain fingerprints only on a voluntary basis in the near future.

The Dutch government repeated that it still wants to store fingerprints in a central database in the future. Following questions in parliament, the Dutch government on 14 February 2011 already published an inventory (English translation in attached PDF) of the travel document registers within the European Union. 26 countries, that is excluding The Netherlands, answered the survey. Poland and Romania didn’t answer the questions completely (partly in English).

This survey doesn’t say anything about the legality of the current collection, storage and use of biometric data within the European Union.

In order to obtain more clarity in this respect, an international alliance of organisations and individuals on 31 March 2011 lodged a petition [ https://www.privacyinternational.org/article/petition-council-europe-government-use-citizens-biometrics ], calling on the Council of Europe to start an in-depth survey on the collection and storage of biometric data by the states within the Council of Europe.

For my Criminal justice students (and anyone who needs help getting to sleep?)


Quincy court going live on the Web

Dubbed Open Court, the project will have cameras and microphones operating today in the Quincy court’s first criminal session. At the same time, the court’s proceedings will be streamed live over the Internet at the new website created solely for Open Court — to give the public an unfiltered view of court proceedings. The site is www.opencourt.us.

… In that same courtroom there will be an operating Wi-Fi network and reserved space for citizen bloggers who want to post to the Internet.

In a summary of the ideas underlying the experiment, Davidow and supporters write that the traditional window into courts — journalism — no longer has the resources it once had. [Not sure how that “justifies” streaming from the court... Bob]

… The camera will also be shut off when required under existing court rules and for domestic violence cases. [Are these normally “closed” to the public? Bob]

We've upgraded to Office 2010, now I can learn how to use it! What a concept...


DOWNLOAD Microsoft Office 2010: Ultimate Tips & Tricks

This manual, by author Matt Smith, points out all the best new features of Microsoft’s latest office suite, and explains them all in one handy guide. In most programs, it’s not hard to find every single feature, but Office 2010 is so expansive that even veteran users will often find that they aren’t expert in even half of the capabilities the software offers.

This guide will show you how to:

  • Turn off the annoying file block feature.

  • Speed up document creation in Word with building blocks.

  • Present data at a glance with Excel’s new Sparklines.

  • Edit video from within PowerPoint.

  • Broadcast a PowerPoint presentation over the web, live.

  • Add social functionality to Outlook.

DOWNLOAD Office 2010: Ultimate Tips and Tricks or Read Now on Scribd

For my Computer Security and Ethical hacking students...


How To Isolate & Test Unsafe Applications On Your PC

Some of my Computer Security students are using WikiSpaces for their course project...


Monday, May 2, 2011

Wikispaces Adds a New Commenting Feature

Just because...


Top Ten Of The Best Add-ons That Can (REALLY) Rock Your Firefox 4
