Thursday, June 02, 2011

Expect this number to grow... Why else would you steal the keys?

Three military contractors linked to post-RSA attacks

So far this week, the news has focused on Lockheed Martin and L-3, two military contractors who appear to have suffered targeted attack attempts in the wake of the massive breach at RSA earlier this year. Now, a third contractor has emerged, as insiders place Northrop Grumman on the list.

So... An Act of War or some curious kid writing a report on “How people use G-mail?”

Google reveals breaches; reminds users how to stay safe online

June 1, 2011 by admin

Eric Grosse posted the following to Google’s blog today:


Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)

Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.

It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself. But we believe that being open about these security issues helps users better protect their information online.


If you use Gmail, do see their advice/instructions in the blog to secure your account.
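The hijack pattern Google describes is worth turning into a check: nothing in Gmail was exploited, the attacker simply logged in with a phished password and added a forwarding address or a delegate so mail kept flowing out after the password was changed. The audit below is an added example, not Google's code; the settings records are constructed for illustration and the field names (`forwarding`, `delegates`, `filters`) and the `TRUSTED_DOMAINS` set are assumptions about how an exported settings dump might look, not a Google API schema. It also flags filters that forward mail, a quieter variant of the same trick that the post does not mention.

```python
"""Audit Gmail-style account settings for silent mail exfiltration:
auto-forwarding, delegation, or a filter that forwards, pointing outside
the organisation.  Added example; settings format is an assumption."""

# Constructed sample: one clean account, one showing the hijack pattern.
ACCOUNTS = [
    {
        "user": "alice@example.org",
        "forwarding": {"enabled": False, "address": None},
        "delegates": [],
        "filters": [],
    },
    {
        "user": "bob@example.org",
        "forwarding": {"enabled": True, "address": "bob.backup@mailbox.invalid"},
        "delegates": ["assistant@example.org", "reader42@webmail.invalid"],
        # A filter with a forward action copies matching mail out without
        # touching the global forwarding setting the user is likely to check.
        "filters": [
            {"criteria": {"from": "*"}, "action": {"forward": "archive@drop.invalid"}}
        ],
    },
]

# Assumption: the organisation's own domain(s); anything else is "external".
TRUSTED_DOMAINS = {"example.org"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_account(acct, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding, target) tuples for one account.

    Each finding names a setting that sends this user's mail, or grants
    access to it, to an address outside the trusted domains."""
    findings = []
    fwd = acct["forwarding"]
    if fwd["enabled"] and fwd["address"] and domain_of(fwd["address"]) not in trusted:
        findings.append(("auto_forward_external", fwd["address"]))
    for delegate in acct["delegates"]:
        if domain_of(delegate) not in trusted:
            findings.append(("delegate_external", delegate))
    for flt in acct["filters"]:
        target = flt.get("action", {}).get("forward")
        if target and domain_of(target) not in trusted:
            findings.append(("filter_forward_external", target))
    return findings


def audit_all(accounts, trusted=TRUSTED_DOMAINS):
    """Map user -> findings, keeping only accounts that have at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, trusted)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_all(ACCOUNTS).items():
        for kind, target in findings:
            print(f"{user}: {kind} -> {target}")
```

Run against a real export, the interesting output is not the external addresses themselves but any account where a forwarding or delegation setting appeared that the owner did not add; that is the signal Google says it acted on.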

(Related) If they do anything in another country, is it an Act of War?

UK Plans Cyber Weapons Program

"The Ministry of Defence says they are working on a range of offensive cyber weapons to increase the country's defensive capabilities. The armed forces minister, Nick Harvey, says, 'The consequences of a well-planned, well-executed attack against our digital infrastructure could be catastrophic. With nuclear or biological weapons, the technical threshold is high. With cyber the finger hovering over the button could be anyone from a state to a student.'"

(Related) Who teaches “Un-ethical Hacking?”

North Korea Training "Cyberwarriors" Abroad

"A North Korean defector claims that the secretive totalitarian state is nurturing a team of "cyberwarriors," identifying young people with computer skills and sending them abroad to learn the latest hacking techniques, while lavishing privileges on their families at home to keep them loyal. This could lead to an escalation in tensions, especially given that the US military believes that cyberattacks from foreign countries constitute acts of war."

Good news....

PlayStation Store back online

Sony flipped the switch tonight to bring the last remaining piece of its PlayStation Network back online, the PlayStation Store.

...Bad news? For debate: Sony should ignore these braggarts...

Tupac hackers to Sony: 'Beginning of the end'

A group that made headlines for hacking the PBS Web site earlier this week is apparently turning its attention to Sony.

The group known as LulzSec has been promising Sony attacks since this past weekend when it posted to its Twitter account that it is engaged in an operation it calls "Sownage," shorthand for Sony Ownage. The group stated at the time that it was working on hatching a plan that would be the "beginning of the end" for Sony. It has yet to reveal what it has planned. But yesterday the group said that the attack was already under way, seemingly without Sony's knowledge.

"Hey @Sony, you know we're making off with a bunch of your internal stuff right now and you haven't even noticed?" LulzSec tweeted. "Slow and steady, guys."

Is this a record?

Cashing in on privacy breaches

June 2, 2011 by Dissent

Terry Baynes reports:

The hacking of a Sony Corp customer database this spring has attracted class-action lawyers and consumers eager to cash in on the high-profile privacy breach. At least 40 lawsuits have been filed–including at least two this week–on behalf of millions of Sony PlayStation users in federal courts, according to Westlaw data.


Take a look at some of the most notable privacy settlements from recent years, and what the settlements were worth to the lawyers and plaintiffs.

Read more on Thomson Reuters.


Honda Data Breach Triggers Lawsuit [repost]

June 1, 2011 by admin

Mathew J. Schwartz reports:

… As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to “theft of their identity, theft from their bank accounts, and theft from their debit and credit cards.” It also says that Honda failed to disclose the breach to customers “in a reasonable amount of time.”

Read more on InformationWeek.

I don’t expect that the lawsuit has much chance of prevailing, but there’s another interesting aspect to the breach mentioned in the news story:

Honda’s data breach apparently also puts the company in violation of Canadian law. “Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous,” said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliott, in a blog post.

For my ethical hackers. Don't assume hackers have no resources...

New MacDefender Defeats Apple Security Update

"Apple released a security update yesterday designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cyber-criminals released a new variant of the malware that easily defeated Apple's belated security efforts. That didn't take long."

For my Computer Security students. Create logs and actually review them – or you can say “We have no idea what data was accessed...”

Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM

By Dissent, May 31, 2011

Rebecca Herold comments on the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM).


Logging access to ePHI has been around since the Security Rule went into effect. So, even though the original accounting for disclosures requirements did not include activities for TPO, CEs should theoretically already have the access/disclosure logging activities implemented. As should BAs after the HITECH rule went into effect. However, realistically, I doubt if more than 40% (and this is my own spit-wad estimation which is likely on the high side) actually have such logging in place. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented. Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI. This could take some time to plan for and implement if starting from scratch.

Read Rebecca’s full commentary on Privacy Guidance.
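The practical half of the point above is that an accounting of disclosures can only be produced from a log that already exists and cannot be quietly edited after the fact. The sketch below is an added example, not code from Rebecca Herold's commentary or from any HIPAA product: an append-only access log in which every entry carries the SHA-256 hash of the previous one, plus a query that produces the per-patient accounting. The field names (`who`, `patient`, `action`, `purpose`, `recipient`), the sample entries and the treatment/payment/operations purpose codes are assumptions made for illustration.

```python
"""Tamper-evident ePHI access log with an accounting-of-disclosures query.
Added example; record layout and sample data are assumptions."""

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64          # "previous hash" of the first entry
TPO = {"treatment", "payment", "operations"}


class AccessLog:
    """Append-only list of entries; each entry's hash covers its own fields
    and the hash of the entry before it, so editing or deleting any entry
    makes every later entry fail verification."""

    def __init__(self):
        self.entries = []

    def record(self, *, who, patient_id, action, purpose, when, recipient=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": when.isoformat(),     # timezone-aware timestamp
            "who": who,                 # user or system that touched the record
            "patient": patient_id,
            "action": action,           # e.g. view, export, disclose
            "purpose": purpose,         # treatment / payment / operations / other
            "recipient": recipient,     # external party, for disclosures
            "prev": prev,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """True if the chain is intact from the first entry to the last."""
        prev = GENESIS
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if fields["prev"] != prev or _digest(fields) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accounting(self, patient_id, start, end, include_tpo=True):
        """All accesses to one patient's ePHI in [start, end].  The NPRM
        discussed above would pull TPO accesses into the report, so they
        are included by default; include_tpo=False gives the older view."""
        out = []
        for entry in self.entries:
            ts = datetime.fromisoformat(entry["ts"])
            if entry["patient"] != patient_id or not (start <= ts <= end):
                continue
            if include_tpo or entry["purpose"] not in TPO:
                out.append(entry)
        return out


def _digest(fields):
    """Canonical JSON so the same record always hashes the same way."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


# Constructed sample data and reporting window used by the demo below.
WINDOW_START = datetime(2011, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 5, 31, tzinfo=timezone.utc)


def build_sample_log():
    log = AccessLog()
    t = datetime(2011, 5, 2, 9, 0, tzinfo=timezone.utc)
    log.record(who="dr.lee", patient_id="P-1001", action="view",
               purpose="treatment", when=t)
    log.record(who="billing.bot", patient_id="P-1001", action="export",
               purpose="payment", when=t.replace(hour=11))
    log.record(who="records.clerk", patient_id="P-1001", action="disclose",
               purpose="other", recipient="county-health-dept", when=t.replace(day=3))
    log.record(who="dr.lee", patient_id="P-2002", action="view",
               purpose="treatment", when=t.replace(day=4))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.accounting("P-1001", WINDOW_START, WINDOW_END):
        print(e["ts"], e["who"], e["action"], e["purpose"], e["recipient"])
    log.entries[1]["who"] = "someone.else"      # simulate after-the-fact editing
    print("chain intact after tampering:", log.verify())
```

Appending to a list in memory is the toy part; in practice the same chained records go to write-once storage the application account cannot modify, and the chain head is copied somewhere independent so a wholesale rewrite is also detectable.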

Is this good parenting or parental spying? - Monitor What Children Do On Facebook

Aptly titled Minor Monitor, it empowers parents to analyze all the interactions their children have on Facebook. These are presented via an interface that minimizes the time that would be spent looking for that very information on Facebook itself. Parents will be able to identify over-age friends, contacts with a low number of mutual friends and also offensive language and outright sexual references.

Accounts can be created for free, and the tracking process will start once the parent has linked the Facebook account of his child to his Minor Monitor account.

How will they enforce this? Son goes to friends home, enters password so they can watch “Transformers” for the 39th time, cops break down the door?

Tennessee Makes it Illegal To Share Your Netflix Password

"State lawmakers in Tennessee have passed a groundbreaking measure that would make it a crime to use a friend's login — even with permission — to listen to songs or watch movies from services such as Netflix or Rhapsody. The bill, which has been signed by the governor, was pushed by recording industry officials to try to stop the loss of billions of dollars to illegal music sharing. They hope other states will follow."

“Papers, Citizen! Then assume the position and allow us to welcome you to New York City.”

NYPD Stopped and Frisked Record Number of Innocent People during First Quarter of 2011

June 1, 2011 by Dissent

The NYPD stopped and interrogated more than 161,000 completely innocent New Yorkers in the first quarter of 2011, the highest number over a three-month period since the Police Department began reporting data on its troubling stop-and-frisk program.

About 88 percent of the 183,326 stop-and-frisk encounters recorded from January through March resulted in neither an arrest nor a summons, according to figures the NYPD released quietly over the holiday weekend. About 84 percent of those stopped by police were black or Latino.

Read more on ACLU’s blog.

This is similar to the adoption of mini-computers by accounting departments, personal computers (usually Macs) by marketing, and a number of other technologies (PDAs, cell phones, etc.). As in each of these, normal 'due diligence' is ignored...

IT increasingly bypassed on cloud adoption

IT departments, long criticized as being too slow in offering new technologies and services, may be facing a grassroots rebellion in many companies over cloud services.

A new survey that looked at cloud adoption inside companies found that many business executives are bypassing IT altogether in adopting cloud services -- and they face few consequences for doing so.

Free is good! For the toolkit...

Free Premium Download: WonderFox DVD Ripper

We are honored to give our visitors an exclusive chance to download and enjoy WonderFox DVD Ripper for free. It is a paid product, but it is being given away from June 1 to June 7, 2011. During this period you can get the fully licensed software for free, without any functional limitations and without doing anything. Yes, you just need to download it!

WonderFox DVD Ripper is powerful, professional ripping software. It is an easy-to-use solution for ripping the content of DVDs to a wide range of mainstream video formats such as AVI, MPEG, MP4, MOV, FLV, WMV, 3GP, etc. The WonderFox DVD ripping software is also a powerful DVD converter which supports converting DVDs for popular portable devices such as iPhone, iPad, iPod, Nokia N8, BlackBerry PlayBook, Motorola Xoom…

Dilbert elegantly explains “undue reliance” (For my Excel students too)
