Saturday, May 28, 2011

Perhaps Sony is discovering a bit about what happened?

Sony Will Testify on PlayStation Hack; Hirai Letter Answers Questions

May 27, 2011 by admin

Mark Hachman reports:

Sony will testify at a House privacy hearing on June 2, after earlier refusing to appear. In a letter to lawmakers, Sony also provided more details about the attacks.

An aide for Rep. Mary Bono Mack (R-Calif.), chairwoman of the House Energy and Commerce Committee’s subcommittee on Commerce, Manufacturing, and Trade, said Friday that Sony has agreed to testify next week, joined by representatives from Epsilon, itself the victim of a data breach in April.

Read more on PC Magazine.

Related: The Subcommittee on Commerce, Manufacturing, and Trade has scheduled a hearing on Thursday, June 2, 2011, at 9:00 a.m. in 2123 Rayburn House Office Building. The hearing is entitled “Sony and Epsilon: Lessons for Data Security Legislation.” Witnesses to be announced.

[From the article:

However, Hirai also added that the company has not been able to identify the individual or individuals responsible for the breach.

Four servers were initially isolated as possibly hacked, and then the entire system was shut down as other abnormalities were discovered. The delays, Hirai explained, were due to the problems in mirroring the affected data to preserve evidence. [This is a clear indication that they had no logs of the hacking activity, but only the results. Bob]

… Sony said that it was unable to determine conclusively what information was taken, so it assumed each of the 77 million accounts on the network could have been compromised. [Another way that accurate logging will save you big money... Bob]

A few 'suggestive' phrases indicate that this may not be a large card-skimming operation but rather a direct hack on a merchant's database (a la TJX). Still, why are they protecting the merchant?

Update: More AU cards canceled after breach

May 27, 2011 by admin

Chris Zappone and Jared Lynch provide an update on a breach reported on this blog earlier today:

The Westpac-owned St George Bank is at the centre of one of the nation’s biggest credit card security breaches after financial information was leaked from one of its clients.

The breach has already forced banks to cancel and reissue more than 10,000 cards this week, while thousands of customers also face the sudden malfunction of their credit cards over the weekend.

The giant fraud will also affect thousands of automatic credit payments such as gym memberships and phone bills.

So far, the Commonwealth Bank has cancelled 8000 cards after detecting suspicious activity linked to an unnamed retailer. Bendigo Bank has also cancelled 2300 cards, while Westpac and St George cancelled and reissued “a small number of cards” – believed to be fewer than 1000 – as a result of the suspicious activity. ANZ has not reported any cancellations but was monitoring the situation.

Read more in the Blacktown Sun

[From the article:

Given the size and rapid spread of the fraud, it is believed the security breach occurred online.

8000 CBA credit card details unleashed in breach

Mastercard and Visa may issue penalties including fines to the acquiring bank, not CommBank, under the payment industry’s PCI-DSS compliance rules.

The rules impose minimum security standards on merchants according to their size. They demand, among other requirements, that credit card data be encrypted so that it cannot be read in the event of a data breach.

Do you suppose there is money in helping schools avoid situations like taking pictures of their students in their bedrooms? (a la Lower Merion High School)

Education Privacy in Peril

May 27, 2011 by Dissent

Daniel Solove writes:

I have been spending a lot of time examining education privacy lately, and there are some very troubling things going on in this field. At a general level, schools lack much sophistication in how they handle privacy issues. Other industry sectors that handle sensitive personal data have Chief Privacy Officers and a comprehensive privacy program. Most schools lack anyone to handle privacy or any kind of privacy program. I recently started a new company called TeachPrivacy to address these issues and help schools better develop a privacy program.

Another problem with education privacy involves the growing effort by the government to amass data about students. The Obama Administration is aggressively pushing this information gathering — the development of what is called “longitudinal databases” — to study how students perform over the duration of their education. This effort, although certainly for laudable goals, carries significant privacy risks.

Read more on Concurring Opinions.

Yet another indication that just because you can parrot the laws does not mean you understand them.

BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law

"As of 26 May 2011 web sites in the UK must get a user's permission to set cookies. If you go to the BBC's commercial TV listings site Radio Times you'll see a message telling you about the new law. Go to the site again, though, and you don't see the message. How does the site know you've already seen it? By setting a cookie of course! It doesn't ask for permission."
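As an added illustration (not code from the Slashdot summary or from the BBC site), a small server-side model of the two flows: a notice that writes its "seen" cookie the moment it is displayed, which is the behaviour described above, beside an opt-in flow that writes nothing until the visitor explicitly accepts. The cookie names, the accept action and the request/response shape are assumptions for the example.

```javascript
// Added example, not from the original post. Models a cookie notice as a pure
// function of the incoming Cookie header so the two behaviours can be compared.
// Cookie names ("notice_seen", "cookie_consent") and the action are assumed.

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Pattern described in the article: the first response shows the notice and
// immediately sets a cookie so it is never shown again. The visitor has not
// answered anything, yet a persistent cookie already exists.
function serveNoticeSeenOnLoad(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  if (jar.notice_seen === '1') return { showNotice: false, setCookie: null };
  return { showNotice: true, setCookie: 'notice_seen=1; Path=/; Max-Age=31536000' };
}

// Opt-in alternative: no Set-Cookie until the visitor performs the accept
// action. Every request without a consent cookie shows the notice again.
function serveOptIn(cookieHeader, action) {
  const jar = parseCookies(cookieHeader);
  if (jar.cookie_consent === 'accepted') return { showNotice: false, setCookie: null };
  if (action === 'accept') {
    return {
      showNotice: false,
      setCookie: 'cookie_consent=accepted; Path=/; Max-Age=31536000; SameSite=Lax',
    };
  }
  return { showNotice: true, setCookie: null };
}

// Simulate a first visit and a return visit, replaying whatever cookie the
// first response asked the browser to store. `action` applies to visit two.
function simulateTwoVisits(handler, action) {
  const first = handler('', undefined);
  const cookieHeader = first.setCookie ? first.setCookie.split(';')[0] : '';
  const second = handler(cookieHeader, action);
  return { first, second };
}
```

Run with the "seen on load" handler the notice disappears on visit two without any consent having been given; with the opt-in handler it keeps reappearing until the accept action is received.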

Apparently minds are shrinking. Here's one that has already reached the size of a pea...

DoD Paper Proposes National Security Through a Culture of Restraint (and Stigma)

"An SAIC analyst has written a paper [PDF] calling for the 'stigmatization' of the 'unattractive' types who tend to discuss government secrets in public. The plan, described in the Naval Postgraduate School Homeland Security Affairs journal, is to promote self-censorship as a 'civic duty'. Who needs to censor themselves? Amateur enthusiasts who describe satellite orbits, scientists who describe threats to the food supply, graduate students mapping the internet, the Government Accountability Office, which publishes failure reports on the TSA, the US Geologic Survey, which publishes surface water information, newspapers (the New York Times), TV shows, journalism websites, anti-secrecy websites, and even security author Bruce Schneier, to name a few."
