Thursday, May 19, 2011

In an effort to demonstrate their Hacking skills, Sony takes their own network offline! Way to go Sony!

How to stay safe on Sony's PlayStation Network

If you are a Sony PlayStation Network (PSN) customer you are probably getting a little paranoid. First there was the data breach from last month that exposed customer data and forced Sony to take the network down.

And now, just days after Sony got the service back up and running, it has taken the PSN password reset service offline because it was allowing people to change other customers' passwords if they knew their e-mail address and birth date--information that was stolen in the attack.

Sony says the hole in the PSN password reset site was not exploited in active attacks, although there are reports that the information was circling in the underground and being used prior to Sony taking the site down.
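The flaw described above is a password reset gated only on facts (e-mail and birth date) that the breach had already leaked. As an added illustration, not Sony's code and using constructed account data, here is that knowledge-based check beside a reset flow built on a random, single-use, expiring token sent to the address on file:

```python
import secrets
import time

# Constructed sample account store; nothing here is real PSN data.
ACCOUNTS = {
    "player@example.com": {"birth_date": "1985-07-04", "password": "old-pass"},
}

# --- Weak design: the "proof of ownership" is data an attacker may already hold ---
def weak_reset(email, birth_date, new_password):
    """Change the password if e-mail and birth date match the record.
    Once both fields have leaked, this check no longer proves anything."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["birth_date"] != birth_date:
        return False
    acct["password"] = new_password
    return True

# --- Hardened design: unguessable token, delivered out of band, single use, short-lived ---
RESET_TOKENS = {}            # token -> (email, expiry timestamp)
TOKEN_TTL_SECONDS = 15 * 60

def request_reset(email, now=None):
    """Issue a reset token. A token is returned even for unknown accounts so the
    response does not reveal whether the e-mail exists; only known accounts get
    a stored (valid) token. In a real system the token is e-mailed, not returned."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in ACCOUNTS:
        RESET_TOKENS[token] = (email, now + TOKEN_TTL_SECONDS)
    return token

def safe_reset(token, new_password, now=None):
    """Only the holder of an unexpired, unused token can set a new password."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)   # pop makes the token single-use
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True
```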

(Related) Even playing games is dangerous?

Rockstar blames Sony firmware for overheating PS3s

Even my Math students know that “Greater than: 200,000” does not mean “Only” 200,000…

(update) Massachusetts breach affected over 200,000

May 18, 2011 by admin

As a quick update: Matt Liebowitz of reports that the Massachusetts data breach disclosed yesterday may have impacted 210,000.

The NBC is in Denver

Email exposed 4,000 Securities and Exchange Commission employees

May 18, 2011 by admin

Shan Li reports:

The Securities and Exchange Commission is having some security problems.

About 4,000 agency employees, including several in Los Angeles, have been notified that their social security numbers and other payroll information were included accidentally in an unencrypted email, said Drew Malcomb, an Interior Department spokesman.

The May 4 email was sent by a contractor at the Interior Department’s National Business Center, a service center in charge of payroll, human resources and financial reporting for dozens of federal agencies, Malcomb said.

The contractor forgot to encrypt the email, and the software in place to catch such errors also failed and let the email through, he said.

Read more in the Los Angeles Times.

Gee, you would think this is easy, but “I know it when I see it” makes a poor legal definition.

Trying to define “sensitive” data

May 19, 2011 by Dissent

Peter Fleischer compares the EU definition of “sensitive personal data” to the definition in India’s new law and finds the EU definition lacking:

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

Now, for comparison, here is India’s just revised categories of “sensitive” data:

“unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:

financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise.”

Read more on Peter Fleischer: Privacy…?

(Related) It’s the Policy that’s difficult.

Google boss: anti-piracy laws would be disaster for free speech

Google's executive chairman, Eric Schmidt, warned on Wednesday that government plans to block access to illicit filesharing websites could set a "disastrous precedent" for freedom of speech.

Speaking to journalists after his keynote speech at Google's Big Tent conference in London, Schmidt said the online search giant would challenge attempts to restrict access to the Pirate Bay and other so-called "cyberlocker" sites that encourage illegal downloading – part of government plans to fight online piracy through controversial measures included in the Digital Economy Act.

"I would be very, very careful if I were a government about arbitrarily [implementing] simple solutions to complex problems," he said. "So, 'let's whack off the DNS'. Okay, that seems like an appealing solution but it sets a very bad precedent because now another country will say 'I don't like free speech so I'll whack off all those DNSs' – that country would be China.

"It doesn't seem right. I would be very, very careful about that stuff. If [the UK government] do it the wrong way it could have disastrous precedent setting in other areas."

Speaking at the same conference, the culture minister, Jeremy Hunt, said plans to block access to illicit filesharing websites were on schedule. He admitted that a "challenge" of the controversial measure is deciding which sites get blocked.

For my Security students: Think of this as an almost complete list of “Things that could go wrong”

May 18, 2011

Report: Push for Electronic Medical Records Overlooks Security Gaps

PBS Newshour: 'As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed "significant concerns" about security gaps in the system. The Office of the Inspector General found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals." The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as "high impact" - resulting in costly losses, injury or death. According to the report, "outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data."

Ask for everything, then negotiate down? Maybe you’ll wind up with more than you ever thought possible.

Academic Publishers Ask The Impossible In GSU Copyright Suit

"A Duke University blog covers the possible ramifications of a motion in the copyright case against Georgia State University. Cambridge, Oxford, and Sage have proposed an injunction that would first enjoin GSU to include all faculty, employees, students. All copying would have to be monitored and limited to 10% of a work or 1000 words, whichever is less. No two classes would be allowed to use the same copied work unless they paid for it, essentially taking fair use out of the classroom. [And for those of us who teach in colleges with campuses nationwide, this would be nearly impossible to monitor. Bob] Along with this, courses would be allowed to be made up of only 10% copied material, the other 90% must be either purchased works or copies that have been paid for by permission fees. And, if this isn't enough, the publishers also want access to all computer systems on the campus network, to monitor compliance and copying. 'This proposed order, in short, represents a nightmare, a true dystopia, for higher education.... Yet you can be sure that if [these] things happen, all of our campuses would be pressured to adopt the "Georgia State model" in order to avoid litigation.' Disclosure: I am currently a graduate student at Georgia State University."

For my Ethical Hackers – guess we’ll have to hold off too.

SCADA hack talk canceled after U.S., Siemens request

Two researchers say they canceled a talk at a security conference today on how to attack critical infrastructure systems, after U.S. cybersecurity and Siemens representatives asked them not to discuss their work publicly.

"We were asked very nicely if we could refrain from providing that information at this time," Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET today. "I decided on my own that it would be in the best interest of not release the information."

Beresford said he and independent researcher Brian Meixell planned on doing a physical demonstration at the TakeDown Conference and shared their slides and other information on vulnerabilities and exploits with Siemens, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), and the Idaho National Lab on Monday.

The Clouds are rolling in…

City of San Francisco's e-mail heads to Microsoft cloud

San Francisco is upgrading its e-mail system to a Microsoft cloud-based service to reduce IT costs and improve the city's response to disasters.

The switch to Microsoft Exchange Online will occur over 12 months within 60 departments--starting with smaller departments before rolling out to departments dealing with public safety and eventually reaching the city's 23,000 employees.

Jon Walton, chief information officer for the City and County of San Francisco, made the Microsoft contract announcement during a press conference today.

First, the city will upgrade its e-mail system from seven different systems, including Lotus Notes, into one cloud-based system. In the future, there are other Microsoft options Walton would like to explore such as SharePoint, videoconferencing, and instant messaging--features that are available through Microsoft's Business Productivity Online Services. However, the initial contract with Microsoft includes only cloud-based e-mail and archiving.

Recently, Microsoft's cloud-based customers suffered an e-mail outage. E-mail outages have happened before, but this time the outage affected the city for only four hours, Walton said. "The Microsoft outage showed us we made the right decision" in picking Microsoft after considering using competitors such as Google and Lotus Notes, Walton said.

As far as security, "we were impressed by [Microsoft's] security solutions," Walton said. "Microsoft has clients that require more security than the city does." The cloud-based initiative will cost the city $1.2 million per year.

Suddenly Apple is the “good competitor?”

Google And Amazon May Have Just Handed Apple The Keys To The Cloud Music Kingdom

With regard to their cloud music offering, it looks like Apple is now just about ready to rock and roll. It would seem that this is now coming together even faster than they anticipated. And that may be thanks to two unlikely sources: Google and Amazon.

CNet’s Greg Sandoval is reporting tonight that Apple has signed an agreement with music label EMI to offer its music through Apple’s upcoming new cloud music service. This means that Apple now has agreements in place with two of the four major labels (Warner signed last month). And Sandoval believes that deals with the remaining two, Sony and Universal, could be wrapped up as early as next week.

You see, while Apple is believed to have had the infrastructure work done for a while for their cloud music offering, the hold up was these label deals. Negotiations have been ongoing for months, and given the stakes, it seems likely that they could have gone on for many more months. Then Amazon decided to get ballsy.

They launched their own cloud music service in March without any of the labels signed on, surprising everyone. Legally, they said they had the right to do this since customers are placing this music in digital vaults in the cloud in the same way they might put music on an MP3 player. The labels, not surprisingly, disagree.

When Amazon did that, Google, which had also been negotiating with the music labels for at least a year, also decided they needed to get their offering out there. Last week at Google I/O, they launched Google Music in beta. Again, the labels were pissed off.

And guess who they ran to?

So the labels, which for the better part of a decade now have been looking for someone, anyone to help counter Apple’s power in their business, are turning right back to Apple when they need help. And Apple will obviously gladly welcome them with open arms. After all, with these licenses, Apple will have secured the cloud music high ground despite being the last to launch.

Think about it. With these agreements, Apple is likely going to be able to do the one thing that is absolutely crucial for cloud music to take off: offer library syncing without uploading. In other words, Apple will now likely be able to do what Lala (the company Apple bought in late 2009 and subsequently shut down) was able to do: scan your hard drive for songs and let you play those songs from their servers without having to upload them yourself. [No Privacy concerns here. Move along. Bob]

I like to use MindMaps in my “Intro to…” classes, so I’ll be evaluating this one…

Wednesday, May 18, 2011

Spider Scribe - Mind Mapping with Images, Maps, and More

Spider Scribe is an online mind map creation service. Spider Scribe can be used individually or be used collaboratively. I've reviewed a lot of mind mapping tools over the years. What jumps out about Spider Scribe is that users can add images, maps, calendars, text notes, and uploaded text files to their mind maps. Users can connect the elements on their mind maps or let them each stand on their own.

Toys for Geeks

7 Best “New” Web Browsers With A Chance Against Chrome & Firefox
