Saturday, April 23, 2011

I reported this yesterday. This article makes a few more points... The more I look at it, the less I like it. It looks like the information gathering arm of the reviled TIA. Can you say, “Big Brother?”

Want a Passport? Better Find Your Circumcision Records!

The State Department has proposed a new “Biographical Questionnaire” that, if approved, you might have to complete to receive a passport.

Sample entries on the proposed Form DS-5513 include:

  • Your mother’s residence one year before your birth

  • Your mother’s residence one year after your birth

  • Your mother’s place of employment at the time of your birth

  • Details of your mother’s pre-natal or post-natal medical care, if any

  • Details of the type of document, if any, your mother used to enter into the United States before your birth

  • The circumstances of your birth including the names (as well as address and phone number) of persons present or in attendance at your birth.

  • If there were any religious or institutional recording of your birth or event occurring around the time of birth (Example: baptism, circumcision, confirmation or other religious ceremony).

  • A list of every address at which you’ve ever resided since birth.

  • The name and telephone number of every supervisor you’ve had at every job in your life, including as a temporary worker.

  • The name, address, and telephone number of every school you’ve ever attended.

Stuff happens. You have to expect human error. But...

Sealed Records Exposed In Major Court Gaffe

April 22, 2011 by admin

In a shocking failure to protect sensitive details about dozens of ongoing criminal investigations, federal officials somehow allowed confidential information about sealed cases to be publicly accessible via the court system’s online lookup service, The Smoking Gun has learned.

Over the past nine months, details of 40 separate sealed court applications filed by federal prosecutors in Alabama were uploaded to PACER, the web-based records system that counts nearly one million users, including defense lawyers, prosecutors, journalists, researchers, private investigators, and government officials.

The court applications, made by ten separate prosecutors, included requests to install hidden surveillance cameras, examine Facebook records, obtain credit information on certain individuals, procure telephone records, and attach devices on phone lines that would allow agents to track incoming and outgoing calls. Remarkably, the U.S. District Court records–which covered filings as recent as April 11–included specific names, addresses, and phone numbers that should never have appeared on PACER.

Read more on The Smoking Gun.

[From the article:

It is likely impossible to determine if the sensitive information was viewed or disseminated by other PACER users, let alone gauge whether any cases were jeopardized by the posting of the sealed material. [Now this is a management failure. No logs of access were kept? Granted this system is intended to be accessible by the public, but how could you learn anything about patterns of access without records of that access? Bob]

… In a statement provided late yesterday to TSG, the Middle District’s chief judge, Mark Fuller, noted that, “The confidential information has been sealed. I regret the error was not identified earlier and have adopted procedures to ensure that it will not occur in the future.” [Referred to as “Locking the barn door after the horse has bolted” Bob] It remains unclear why U.S. District Court personnel believed that, while the documents themselves had to be kept in a safe in the clerk’s office, details from those records could be made available through PACER.

An interesting point for debate by my Computer Security students; however, the examples they chose seem to suggest a slap or two was required. Also, where are these fines “driving security policy?” If they drive improvements in security, isn't that a worthy strategic objective?

Data breach fines can risk more harm than good, experts say

April 22, 2011 by admin

George V. Hulme writes:

Are regulatory and security breach fines protecting the consumer, or beginning to unduly drive security policy? As penalties begin to be levied against organizations that have been attacked, or whose employees violated data policy, some experts now question whether the government is penalizing one of the victims in a crime, rather than helping to mitigate the risk of identity theft — as the laws were first intended.

Read more on NetworkWorld.

[From the article:

Consider the move by the Massachusetts Attorney General against restaurant chain owner the Briar Group LLC. A few weeks ago the attorney general announced that it reached an agreement with Briar Group to pay $110,000 in penalties. The settlement stems from allegations that the restaurant chain didn't adequately protect customer payment data after a malicious application was installed on its systems. The malware was on its network from April, 2009 through December, 2009. [Failure to detect Bob] The allegations against the chain say that the group didn't change employee login information and continued to take credit and debit cards after it discovered the breach, [“We know our customers are at risk, let's ignore it?” Bob] this statement from the Massachusetts Attorney General says. The complaint also alleges that the chain failed to properly secure its remote access utilities and wireless network.

Interesting if true. I have stated (too many times, some say) that each generation of technology fails to learn governance techniques earlier generations learned the hard way...

Weaponizing GPS Tracking Devices

Those low-cost embedded tracking devices in your smartphone or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, a researcher has discovered.

… Bailey also released tools today for each of the three attacks he demonstrated at SOURCE Boston.

"Embedded devices are low-cost, easy to use, and easy to debug. And the security landscape is very small," Bailey says. "There is very little capability for integrating secure communications on the devices and ensuring that it's your code executing on there."

The underlying issue is that the low-cost and rapid commoditization of these embedded systems precludes their being properly secured. "There's a low entry point for people to develop them, so you have a serious problem because new developers and new startups don't have an understanding of security. It's an insecure product by default," he says.

… In the first attack, Bailey forced the device to send him its physical location using techniques to grab the GPS coordinates and local cell tower information. "I can force those devices to bypass the manufacturer's controls and give me their information and they have no idea that I've intercepted their location," he says.

… "If it's a truck on I-70, I can take the device and force it to send false location to the server and meantime, could hijack the truck," he explains. Zoombak's command and control channel is in the clear, unencrypted.

… Another protection would be to ensure that a device on a 3G network cannot interact with other 3G devices: it should only be able to speak with the manufacturer's server, he says.

(Related) Let that be a lesson to you. Don't drive a “classic.”

Seattle police say 'wardrivers' are hitting small businesses

Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses.

The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department.

… Hansen believes the group has been "wardriving" the Seattle area in a customized 1988 Mercedes Benz, looking for companies using an unsecure Wi-Fi standard called Wired Equivalent Privacy (WEP). WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005. Many consumers and small businesses still use it.

Because WEP's encryption can be cracked using easy-to-find tools, even unsophisticated hackers can break into WEP networks and mine them for data.

… Police impounded the Mercedes last October after arresting its owner for allegedly using stolen gift cards at a local wine bar. In the car they found a range-boosting antenna and a Wi-Fi-enabled laptop with a passenger-seat mount, so that it could be used while driving.

Something for the Mobile Stalker?

Free Reverse Phone Lookup

Look up a cell, land line or unlisted phone number in the USA and Canada. Free directory search. Results include name, address, age and more. NOTE: Free results available ONLY for land line numbers. For mobile numbers full results are not free.

(Related) and something to protect jailbroken phones

Tools wipe location data from (some) iPhones

Want to wipe location-tracking data that's being stored on your iPhone without your permission? There's an app for that, but you've got to jailbreak your iPhone first.

Didn't we use to have the best communications network in the world?

AT&T Admits Network Can't Handle iPhone, iPad Traffic

"AT&T has admitted that the rise of tablets and smartphones like the iPad and iPhone has taken a major toll on its network. In its public filing to the Federal Communications Commission yesterday, the company admitted that its network has been under increasing strain as more and more high-bandwidth devices have been connected. This not only includes smartphones like the iPhone, but tablets like the iPad as well. AT&T says that in many cases tablets put a greater stress on their network (PDF) than smartphones do."

For my Intro to Computer Security class.

A Glimpse Inside Google's South Carolina Data Center

"Google today released a video showcasing the security and data protection practices in its data centers. Filmed at the company's South Carolina data center, it provides a look at Google's wiping of data and (literal) shredding of hard drives."

Friday, April 22, 2011

This should be interesting... One of the Baker Street irregulars (my Intro to Computer Security students) picked this one up for me.

Epsilon pledges to build 'Fort Knox' around breached system

E-mail marketing giant Epsilon will build an industry-leading security system in response to a March 30 breach in which thieves gained access to the e-mail addresses and names of partners' customers, the CEO of Epsilon's parent company said Thursday.

… "Bottom line, we will emerge not just with strong security protocols, but industry-leading," he said. "We're essentially going to build Fort Knox around this thing. We've taken the position now that it's not good enough to be at or above the industry [standard], we need to be the absolute leader in the industry because we are the largest player." [I wish them well. Seriously! Bob]

Epsilon's e-mail marketing technologies will sacrifice some flexibility and user-friendliness for security, Heffernan said during a conference call about his company's quarterly profits. Heffernan didn't disclose what new security measures the company planned to take.

… "While knowing we are the victim of this crime, we will not be playing that card," he said. "Rather, we view our role as standing up and taking the hit for what these cyber-crooks did. We will learn from the experience and come out stronger than ever."

Still, Alliance Data Systems projected no "meaningful" costs or liability related to the incident, Heffernan said. E-mail volumes have remained at the expected levels, and the company expects no changes in Epsilon's financial results going forward.

The company expects the "vast, vast majority, if not all," of Epsilon's clients to remain with the company, he said.

Interesting as this is the second (Amazon) Cloud service to fail this week. I wonder if it is another example of Sony cutting corners?

A Disaster In The Making? Sony’s PlayStation Network Suffers Prolonged Global Outage

Sony’s PlayStation Network, its online service for PlayStation 3 and PlayStation Portable consoles, suffered from a major outage today, which remains ongoing. According to Sony’s blog, the interruption in service may last into the long weekend — for at least another “full day or two”. The Sony Network currently has more than 70 million registered users, many of whom have taken to Twitter and other social networks to express their frustration over the prolonged downtime. Millions of unhappy gamers (and Netflix customers) a PlayStation outage makes.

(Related) Speaking of Amazon... Are their “Zones” based on legal jurisdictions or the availability of cheap power?

Amazon Outage Shows Limits of Failover 'Zones'

"For cloud customers willing to pony up a little extra cash, Amazon has an enticing proposition: Spread your application across multiple availability zones for a near-guarantee that it won't suffer from downtime. 'By launching instances in separate Availability Zones, you can protect your applications from failure of a single location,' Amazon says in pitching its Elastic Compute Cloud service. But the availability zones are close together and can fail at the same time, as we saw today. The outage and ongoing attempts to restore service call into question the effectiveness of the availability zones, and put a spotlight on Amazon's failure to provide load balancing between the east and west coasts."

How much information does a government need to know to grant you a passport?

State Dept. proposes “Biographical Questionnaire” for passport applicants

April 22, 2011 by Dissent

Papers, Please! calls our attention to this stunning over-reach of surveillance:

The U.S. Department of State is proposing a new Biographical Questionnaire for passport applicants. The proposed new Form DS-5513 asks for all addresses since birth; lifetime employment history including employers’ and supervisors names, addresses, and telephone numbers; personal details of all siblings; mother’s address one year prior to your birth; any “religious ceremony” around the time of birth; and a variety of other information. According to the proposed form, “failure to provide the information requested may result in … the denial of your U.S. passport application.”

Read more on Papers, Please!

If you want to submit comments during the period for public comments, you’ll have to do so quickly as April 25 appears to be the last day for comments. The blog has information on how you can submit your comments.

The government seems to have given up any pretense at respecting privacy and the Constitution.

What right do they have to demand information on a citizen’s religion via a backdoor question about religious ceremonies? Are they arguing that the First Amendment protects our freedom of religion but not the right to keep our religious associations to ourselves?

And now we need to sell out our siblings’ personal details and privacy to get a passport?

And remind me: this would be the same State Department that has had a dozen employees prosecuted for snooping in people’s files? And the same one that had all of their cables spread all over the world?

Bad idea, State Department. Really, really bad. This is a total surveillance state move and must be resisted strongly.

Spread the word, folks.

(Related) Don't bother to tell your customers, but be sure to market forensic tools to law enforcement... Much more in the article, including where to get training...

How police have obtained iPhone, iPad tracking logs

Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations.

Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that "cell tower and Wi-Fi access point information" is "intermittently" collected and "transmitted to Apple" every 12 hours.

At least some phones running Google's Android OS also store location information, Swedish programmer Magnus Eriksson told CNET today. And research by another security analyst suggests that "virtually all Android devices" send some of those coordinates back to Google.

… They've become a valuable sales pitch when targeting customers in police, military, and intelligence agencies.

The U.K.-based company Forensic Telecommunications Services advertises its iXAM product as able to "extract GPS location fixes" from an iPhone 3GS including "latitude, longitude, altitude and time." Its literature boasts: "These are confirmed fixes--they prove that the device was definitely in that location at that time." Another mobile forensics company, Cellebrite, brags that its products can pluck out geographical locations derived from both "Wi-Fi and cell tower" signals, and a third lists Android devices as able to yield "historical location data" too.

Alex Levinson is the technical lead for a competing company called Katana Forensics, which sells Lantern 2 software that extracts location information from iOS devices.

… Research by security analyst Samy Kamkar, a onetime hacker with a colorful past, indicates an HTC Android phone determined its location every few seconds and transmitted the data to Google at least a few times an hour, according to a report in The Wall Street Journal. It said that the Android phone also transmitted the name, location and signal strength of nearby Wi-Fi networks, as well as a unique identifier for the phone.

… Courts have been split on whether warrants are required to peruse files on gadgets after an arrest, with police typically arguing that the Fourth Amendment's prohibition on unusual searches doesn't apply.

… In addition, the U.S. Department of Homeland Security has publicly asserted the right to copy all data from anyone's electronic devices at the border--even if there's no suspicion of or evidence for illegal activity. The U.S. Ninth Circuit Court of Appeals has blessed the practice.

I like them! Will impact US companies that outsource to India...

India Issues Draft Privacy Rules

April 22, 2011 by Dissent

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

Read more on Hunton & Williams Privacy and Information Security Law Blog.

Free is good!

April 21, 2011

Justia's new free service provides Daily & Weekly Opinion Summaries for all Federal Courts

Another invaluable service for researchers that facilitates free access to court opinions - from the innovative experts at Justia - who are now "providing FREE Daily & Weekly Opinion Summaries for all Federal Courts, and selected State Supreme Courts. See an example daily email for the U.S. 9th Circuit Court of Appeals or a weekly practice area email for Environmental Law."

  • "To sign up for the Case Summary Newsletters you first need to login to or create a Justia Account. Then you will be able to select the free newsletters you wish to subscribe to."

This “Clarification” is confusing...

Pointer: Recent cases, from the Harvard Law Review

April 22, 2011 by Dissent

In Harvard Law Review (Volume 124 · April 2011 · Number 6):

Third Circuit Allows Government to Acquire Cell Phone Data Without Probable Cause. — In re The Application of the United States for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 620 F.3d 304 (3d Cir. 2010).

Lawyers dueling Lawyers. Perhaps we could provide the swords?

IMSLP Taken Down By UK Publishers Group

"According to a post at the IMSLP Journal, the IMSLP, the largest site on the 'net providing public domain sheet music, has been taken down yet again. The UK-based Music Publisher's Association has sent GoDaddy, the IMSLP's domain registrar, a DMCA takedown notice. The IMSLP argues that the notice is bogus. More detailed discussions on the matter can be found at the IMSLP Forums."

[Finally, an aggressive response!

What is the MPA complaining about? Rachmaninoff's Bells, which is public domain both in Canada and the USA: ... _Sergei%29 MPA's claim is entirely bogus.

Anyone who is interested in suing or helping to sue the MPA under DMCA section 512(f) (misrepresentations) please contact me at imslproject

I'm always looking for practical examples for my Math students. Odd that the defense relies on TWO pictures taken by these cameras. No doubt the company will stop taking that second picture... Perhaps Courts should insist that all “automated ticketing systems” take two pictures? (Perhaps this suggests a Business Opportunity as well?)

Business owner casts reasonable doubt on accuracy of speed cameras

Will Foreman has beaten the speed cameras.

Five times and counting before three different judges, the Prince George’s County business owner has used a computer and a calculation to cast reasonable doubt on the reliability of the soulless traffic enforcers.

… “You’ve produced an elegant defense and I’m sufficiently doubtful,” Judge Mark T. O’Brien said to William Adams, after hearing evidence that his Subaru was traveling below the 35-mph limit - and not 50 mph as the ticket indicated.

The method?

Mr. Foreman, the owner of Eastover Auto Supply in Oxon Hill, examined dozens of citation photos of his company’s trucks that were issued along a camera-monitored stretch of Indian Head Highway his employees frequently travel.

The camera company, Optotraffic, uses a sensor that detects any vehicle exceeding the speed limit by 12 or more mph, then takes two photos of it for identification purposes. The photos are mailed to violators, along with a $40 ticket.

For each ticket, Mr. Foreman digitally superimposed the two photos - taken 0.363 seconds apart from a stationary point, according to an Optotraffic time stamp - creating a single photo with two images of the vehicle.

Using the vehicle’s length as a frame of reference, Mr. Foreman then measured its distance traveled in the elapsed time, allowing him to calculate the vehicle’s speed. In every case, he said, the vehicle was not traveling fast enough to get a ticket.

So far the judges have agreed.

… Mr. Foreman’s tickets were all issued in Forest Heights, a town of about 2,600 where officials expected $2.9 million in ticket revenue this fiscal year, about half the town’s $5.8 million budget.

… Optotraffic representatives said the photos are not intended to capture the actual act of speeding, [But, wouldn't the photos show skid marks as drivers slammed on the brakes to slow from 50 to “less than 35” in a mere 50 feet? Bob] and are taken nearly 50 feet down the road from sensors as a way to prove the vehicle was on the road.

“No one has come to us with a proven error,” company spokesman Mickey Shepherd said Tuesday. “Their speed is not measured by the photos. The speed is measured before the photos are taken.”
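The arithmetic behind Mr. Foreman's defence, written out as an added example (it is not his own calculation, nor anything from Optotraffic). The 0.363 s interval, the 35 mph limit, the 12 mph trigger margin and the roughly 50 ft sensor-to-camera offset are taken from the article; the vehicle length and all pixel measurements are constructed for illustration. The block also puts a number on Bob's skid-mark question by computing how hard a driver would have to brake to drop from 50 mph to 35 mph in that 50 ft.

```python
"""Speed from two time-stamped photos, as in the Optotraffic defence above.

Added example; not Mr. Foreman's own calculation or the vendor's code.
Interval (0.363 s), limit (35 mph), trigger margin (12 mph) and the
~50 ft sensor-to-camera offset come from the article; every pixel and
vehicle-length figure below is constructed for illustration."""

FT_PER_S_TO_MPH = 3600 / 5280   # 1 ft/s = 0.6818... mph
G_FT_PER_S2 = 32.174            # standard gravity, ft/s^2


def speed_from_photos(vehicle_length_ft, vehicle_px, displacement_px, dt_s=0.363):
    """Speed in mph implied by a vehicle moving displacement_px pixels between
    two frames taken dt_s apart from a fixed camera.  The vehicle's known
    length (vehicle_length_ft, spanning vehicle_px pixels in the frame) sets
    the feet-per-pixel scale, so no camera calibration is needed."""
    if vehicle_px <= 0 or dt_s <= 0:
        raise ValueError("vehicle_px and dt_s must be positive")
    ft_per_px = vehicle_length_ft / vehicle_px
    return displacement_px * ft_per_px / dt_s * FT_PER_S_TO_MPH


def speed_bounds(vehicle_length_ft, vehicle_px, displacement_px, px_error, dt_s=0.363):
    """(low, high) mph once +/- px_error pixels of measurement error is allowed
    on both the vehicle length and the displacement.  Reasonable doubt rests
    on the whole band, not on a point estimate."""
    low = speed_from_photos(vehicle_length_ft, vehicle_px + px_error,
                            displacement_px - px_error, dt_s)
    high = speed_from_photos(vehicle_length_ft, vehicle_px - px_error,
                             displacement_px + px_error, dt_s)
    return low, high


def ticketable(speed_mph, limit_mph=35, margin_mph=12):
    """Optotraffic's stated trigger: at least 12 mph over the limit."""
    return speed_mph >= limit_mph + margin_mph


def decel_needed_g(from_mph, to_mph, distance_ft):
    """Constant deceleration (in g) needed to slow from from_mph to to_mph
    within distance_ft, from v^2 = u^2 + 2*a*s.  Quantifies the skid-mark
    question: how hard must a driver brake between sensor and camera?"""
    u = from_mph / FT_PER_S_TO_MPH
    v = to_mph / FT_PER_S_TO_MPH
    return (u * u - v * v) / (2 * distance_ft) / G_FT_PER_S2


if __name__ == "__main__":
    # Constructed: a 20 ft truck spanning 400 px, moved 300 px between frames.
    mph = speed_from_photos(20.0, 400, 300)
    lo, hi = speed_bounds(20.0, 400, 300, px_error=5)
    print(f"photo speed {mph:.1f} mph (band {lo:.1f}-{hi:.1f} mph); "
          f"ticketable at worst case: {ticketable(hi)}")
    print(f"50 -> 35 mph in 50 ft needs {decel_needed_g(50, 35, 50):.2f} g")
```

With the constructed figures the photo speed comes out near 28 mph, and even the pessimistic end of a five-pixel error band stays well under the 47 mph trigger. The braking check gives roughly 0.85 g, which is a full emergency stop; that is what a driver would need to do, without leaving marks, for the vendor's account and the photos to both be right. One caveat a court should hear: the method assumes the vehicle moves parallel to the image plane; perspective shortens the apparent displacement of a vehicle driving toward or away from the lens, which biases the photo speed low, so the camera angle matters.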

Thursday, April 21, 2011

Texas is tough... But shouldn't this be the fate of any manager who fails to protect the assets they are responsible for?

Texas fires two tech chiefs over breach

The Texas State Comptroller's office has fired its heads of information security and of innovation and technology following an inadvertent data leak that exposed Social Security numbers and other personal information on over 3.2 million people in the state.

Two other employees have also been fired over the incident, a statement posted on Texas Comptroller Susan Combs' site noted.

… The exposed data was contained in three files that were transferred to the comptroller's office from the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission and the Employees Retirement System of Texas (ERS).

The data, which was to be used by a property verification system [Why would retired teachers be matched against property records? Bob] at the Comptroller's office, was supposed to have been transferred in an encrypted manner by the agencies under Texas administrative rules. However, the data was transferred in an unencrypted manner to the Comptroller.

To compound the mistake, personnel in Combs' office then put the information onto a server that was accessible to the public and left it there for an extended period, without purging it as required, the statement said.

The mistake was finally discovered on March 31, more than 10 months after the files were put on the server.

How NOT to share Electronic Health Records.

Texas Health Arlington Memorial Hospital breach notice

By Dissent, April 20, 2011

I finally tracked down an explanation for a breach entry in HHS’s breach tool that read:

Texas Health Arlington Memorial Hospital,TX,, 654, 12/23/2010,Unknown ,Electronic Medical Record,,

I had reported it on this blog last week, but here’s the undated notice that explains it:

Texas Health Arlington Memorial Hospital is notifying our patients about a breach of personal health information. After completion of the investigation and review of the facts, we believe that there is no potential harm of identity theft or financial fraud to you due to the intended purpose of the disclosure. The breach was discovered on January 26, 2011.

Texas Health Arlington has been in the process of converting information systems and processes to the same system standards used at other Texas Health hospitals. On December 23, 2010 the information services department turned on a switch between Texas Health Arlington and SandlotConnect, a health information exchange. The switch allows health information to go to SandlotConnect after patients sign an authorization form and the patients’ accounts are marked to permit the exchange of information.

It was determined that there were two issues: (1) the SandlotConnect authorization form was not presented to patients at the time of registration as Texas Health Arlington employees were not aware that the switch had been turned on and (2) the registration employees were marking patients’ accounts incorrectly.

The information disclosed to SandlotConnect included the following elements: name, address, date of birth, social security number, account number, medical record number, insurance information, and dates of service. In addition, the categories of health information as indicated below may have been sent: Lab Results, Radiology Results, Problems, Procedures, Transcribed Reports, Medications, and/or Allergies.

Since notification of the event, we turned off the switch so that no further health information would be sent, marked each affected patients’ account as not participating in the health information exchange, and worked with Sandlot to shield the information from being further used or disclosed. In addition, Texas Health Arlington registration employees received additional training on the SandlotConnect health information exchange processes. Information services has modified their implementation process for the health information exchange and trained their employees on it.

We also reviewed audit trail reports and determined that the majority of accounts were accessed by Sandlot employees in order to shield the affected patients’ health information. [If I read this correctly, they manually flagged these records (rather than removing them) and at the time the Audit Reports were produced, they had not yet flagged them all. Why is there no automated “un-do” process? Bob]

… Another finding was that some patients already had their accounts marked to participate in the exchange due to a previous visit at another Texas Health hospital where they had authorized the exchange to SandlotConnect. However, it is our practice for patients to have the opportunity at each visit to a Texas Health hospital to decide whether they want to participate or not in the health information exchange.


Apparently, telling Congress that you (Apple) collect location data and store it anonymously is not the same as telling Congress that the device that collects the data can be related to the device owner because it is still in his possession!

Your computer knows where your iPhone has been

April 20, 2011 by Dissent

Apple may have just bought itself another round of questioning by certain members of Congress.

Back in July 2010, Apple informed members of Congress that although iPhone and other Apple products do collect and store “batched” user location data, the data are not directly associated with a particular identity or device (see their letter to Congressmen Markey and Barton here). That may be true on their side of the equation, but nowhere did they mention that what appears to be specific and time-stamped location data would be downloaded to the customer’s computer drive during synch operations.

Charles Arthur of The Guardian reports:

Security researchers have discovered that Apple’s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.

The file contains the latitude and longitude of the phone’s recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner’s movements using a simple program.

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the phone’s operating system, released in June 2010.

Read more in The Guardian.

Clearly, this raises a huge privacy concern for those who do not want any record of their travels on their hard drive. Not everyone sees it as a problem, of course, and Kashmir Hill doesn’t seem to find it particularly problematic.

As for me, well, I don’t use any of those products, so it’s no big deal to me, but I do think that Apple should have been clearer with users about the existence of this file and its function.

[Senator Al Franken is jumping on reports like this one. Not sure if he is a techie at heart, or just thinks this will impress his constituents. Some good questions though...]
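The "simple program" The Guardian warns about, and the wipe that the jailbreak tools mentioned above (in the April 23 item) perform, both come down to a few lines of SQL. The block below is an added example and is not the researchers' code or any of those tools. Nothing on the page names the file or its layout, so these are assumptions: that the cache is a SQLite database, that its cell-tower fixes live in a table called CellLocation with Timestamp, Latitude and Longitude columns, and that Timestamp counts seconds since 2001-01-01 UTC (Apple's Core Data epoch). The rows it loads are constructed.

```python
"""Read out and wipe an iOS-style location cache with sqlite3.

Added example; not code from The Guardian, the researchers, or any of the
jailbreak wipe tools.  Assumptions not stated on the page: the cache is a
SQLite file, the cell-tower table is named CellLocation with
Timestamp/Latitude/Longitude columns, and Timestamp is seconds since
2001-01-01 UTC (Apple's Core Data epoch).  SAMPLE_ROWS are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample fixes: (seconds since 2001-01-01 UTC, latitude, longitude)
SAMPLE_ROWS = [
    (315532800.0, 47.6062, -122.3321),  # 2011-01-01 00:00:00 UTC
    (315536400.0, 47.6097, -122.3331),  # one hour later
]


def open_cache(path=":memory:"):
    """Open (or create) the cache.  Autocommit mode (isolation_level=None) so a
    later VACUUM is not refused for running inside an open transaction."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS CellLocation ("
        "Timestamp REAL, Latitude REAL, Longitude REAL)"
    )
    return conn


def seed(conn, rows=SAMPLE_ROWS):
    """Load constructed fixes so the example runs without a real backup."""
    conn.executemany("INSERT INTO CellLocation VALUES (?, ?, ?)", rows)


def apple_ts_to_utc(ts):
    """Assumed epoch: Apple stores seconds since 2001-01-01, not 1970."""
    return APPLE_EPOCH + timedelta(seconds=ts)


def dump_locations(conn):
    """Return [(iso_utc, lat, lon), ...] in time order: the whole 'simple
    program' needed to reconstruct the owner's movements."""
    cur = conn.execute(
        "SELECT Timestamp, Latitude, Longitude FROM CellLocation ORDER BY Timestamp"
    )
    return [(apple_ts_to_utc(ts).isoformat(), lat, lon) for ts, lat, lon in cur]


def wipe_locations(conn):
    """Delete every fix, then VACUUM.  DELETE only marks pages free; the
    coordinates remain recoverable from the file with a hex editor or a
    forensic tool until VACUUM rewrites it, so a wipe must do both.
    Returns the number of rows left (expect 0)."""
    conn.execute("DELETE FROM CellLocation")
    conn.execute("VACUUM")
    return conn.execute("SELECT COUNT(*) FROM CellLocation").fetchone()[0]


if __name__ == "__main__":
    db = open_cache()
    seed(db)
    for when, lat, lon in dump_locations(db):
        print(when, lat, lon)
    print("rows remaining after wipe:", wipe_locations(db))
```

Two practical notes. First, the synced copy on the computer is the easier target: it needs no jailbreak to read, so wiping only the phone leaves the history in the desktop backup. Second, a wipe that stops at DELETE gives a false sense of privacy; the freed pages still hold the old rows until the file is rewritten, which is exactly the kind of remnant the forensic products named above are built to recover.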

A Privacy Law review, but pretty thin....

April 20, 2011

CRS - Privacy Protections for Personal Information Online

Privacy Protections for Personal Information Online, Gina Stevens, Legislative Attorney, April 6, 2011

  • "There is no comprehensive federal privacy statute that protects personal information. Instead, a patchwork of federal laws and regulations govern the collection and disclosure of personal information and has been addressed by Congress on a sector by-sector basis. Federal laws and regulations extend protection to consumer credit reports, electronic communications, federal agency records, education records, bank records, cable subscriber information, video rental records, motor vehicle records, health information, telecommunications subscriber information, children’s online information, and customer financial information. Some contend that this patchwork of laws and regulations is insufficient to meet the demands of today’s technology. Congress, the Obama Administration, businesses, public interest groups, and citizens are all involved in the discussion of privacy solutions. This report examines some of those efforts with respect to the protection of personal information. This report provides a brief overview of selected recent developments in the area of federal privacy law. This report does not cover workplace privacy laws or state privacy laws."

“Oh golly gosh! Someone is selling something cheaper than we are! That must be why we're failing!” Another Industry that hasn't anticipated customer demands and can't imagine how to catch up.

Dollar Apps Killing Traditional Gaming?

"There can be no denying that the rise of smartphones and tablets has had a major impact on the gaming business. The prevalence of free and 99-cent apps has changed consumers' perception of value. Mike Capps, president of Gears of War developer Epic Games, said, 'If there's anything that's killing us [in the traditional games business] it's dollar apps. How do you sell someone a $60 game that's really worth it? They're used to 99 cents. As I said, it's an uncertain time in the industry. But it's an exciting time for whoever picks the right path and wins.'"

For my Intro to Computer Security students. Note: The PDF is bad – should be fixed soon...

April 20, 2011

NSA: Best Practices for Keeping Your Home Network Secure

Best Practices for Keeping Your Home Network Secure, April 2011.

  • "The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet."

If you absolutely must have a PowerPoint presentation, this might make it more palatable.

Present Me

Present Me is a wonderful presentation delivery tool that allows teachers to upload PowerPoint presentations and then record audio and video through a webcam which syncs to the presentation being shared. That new video presentation of the slides with the presenter can be shared, embedded, and easily sent around for others to view. This is a great way to capture and share specific lectures or explanations of assignments. It is also a great way for students to be able to reference or review an assignment given in class. The free version of this tool allows for a limited number of presentations to be saved/shared and is ad-supported.

This looks very interesting. I wonder how well it works with technical writing?

Organize & Create Your Short Stories & Novels With StoryBook

Here at MUO, we love writing and have always tried to bring you tools that will help with your writing, such as Nancy’s guide to inspiring apps for writers, Jeffry’s list of Firefox addons for writers, and Karl’s review of VocabGrabber. Today I’d like to offer an impressive open source application called Storybook, which can automate the entire writing process for you. This way, you can focus on what you do best – writing stories.

Writing A Novel With Storybook

What impressed me the most about this organizational tool is that it is capable of helping you sort out and organize even the most complicated novel with multiple storylines. The software comes loaded with tools to create, sort and connect the chapters of your book with individual scenes, your list of developed characters, and you can even “strand” together your scenes into a sequence that forms individual storylines that you can link together.

Wednesday, April 20, 2011

For my Intro to Computer Security students.

Top Federal Lab Hacked in Spear-Phishing Attack

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

Only a “few megabytes” of data were stolen before the lab discovered the breach and cut internet access to prevent further exfiltration from the sensitive government facility, according to Thomas Zacharia, deputy director of the lab.

… Zacharia called the attack against the lab “sophisticated” and compared it to so-called “advanced persistent threat” attacks that hit security firm RSA last month and Google last year. [So, our friends in China again? Bob]

The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab’s network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious web site.

According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.

It’s not the first time the lab has been breached through spear phishing. In 2007, a similar attack allowed hackers to access a nonclassified database at the lab and gain access to thousands of names, Social Security numbers and birth dates belonging to anyone who had visited the lab between 1990 and 2004.


Hackers may have accessed more than 25,000 South Carolina students’ personal info

April 20, 2011 by admin

The identity of thousands of students and teachers has potentially been compromised after officials with the Lancaster County School District say a hacker was able to access their system.

According to school officials, the hackers were able to hack into the district’s system by monitoring district computers and capturing keystrokes to get passwords. Those passwords gave the hackers access into the records on the state system of more than 25,000 students and more than 2,500 school district employees.

While it’s still not clear exactly what information the hackers were able to access, the database houses information on current and former students and employees including names, birth dates, social security numbers, addresses and phone numbers.

School officials say the hacking occurred in March and was discovered by the U.S. Computer Emergency Readiness Team, which notified the S.C. Information Sharing & Analysis Center, who notified the school district of the incidents last week.


Related: Notification Letter Dated April 12

[From the article:

"We are doing everything we can to prevent this from happening again, and we have put new measures in place to better assure that our computers are protected from such attempts."

[From the letter:

This kind of hacking is not something a person could find just surfing on the internet.[Actually, keylogging software can be found on the Internet. Try a Google search. Bob] It could be done only by skilled computer technicians who were purposely trying to capture this information.

Although we have no way of verifying which information was compromised, [Translation: i.e. “We don't keep logs” Bob]

Don't worry! We promise not to access your data, unless we want to...

Dropbox Can't See Your Dat– Er, Never Mind

"Dropbox, the online backup and file sharing service claims to have hit 25 million users in a single year. But a change in terms, noting that Dropbox will give up data to law enforcement under a legal request, showed that the company's security claims couldn't be possible. It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files, but in another says that they're only 'prohibited' from doing so."

This is one of those “If we had enough people, we would have had a cop follow this guy around, but we don't so we relied on technology.” If they had relied on flesh & blood, this wouldn't be an issue in the appeal.

Virginia Court of Appeals affirms conviction in warrantless GPS case

April 19, 2011 by Dissent

Back in September 2010, I noted that the Court of Appeals in Virginia had agreed to hear a case involving the use of GPS to track a man suspected of sexually assaulting women. The GPS device had been placed in the bumper of his work van.

Thanks to Bob Gelman for letting me know that the court issued its opinion on April 5 in Foltz v. Commonwealth of Virginia. After rehearing the case en banc, the court upheld the conviction.

As background, after first having some suspicion as to the defendant’s role in a series of crimes based on modus operandi and matching up his probation meetings with the times and locations of assaults, on February 1, 2008, the officers attached a GPS system to the bumper of appellant’s assigned work van while it was parked on the public street in front of his residence. They did not obtain a search warrant prior to doing so nor did they obtain his employer’s permission.

Based on their ongoing review of the GPS data as well as assault data, their suspicion of him increased and they decided to follow him in real-time visual surveillance. As a result, they apprehended him in the act of assaulting a woman.

Foltz moved to have all of the evidence suppressed, arguing that the lack of a warrant violated his Fourth Amendment rights. The court ruled it admissible, and Foltz appealed on a number of grounds, including that the police officers’ eyewitness testimony was the “fruit of the poisonous tree” as there had been no warrant.

The Court of Appeals did not really get to the issue of the warrant in their opinion. They write:

From our review of the record on appeal, we conclude that the trial court did not err in denying appellant’s motion to suppress the eyewitness testimony of the police officers. We reach this conclusion without addressing whether the use of the GPS device, attached to employer’s van assigned to appellant, without first obtaining a search warrant, violated appellant’s rights under the Fourth Amendment of the United States Constitution and Article I, Section 10 of the Virginia Constitution.

Two of the justices, in their concurring opinion, however, noted that they felt the court should have addressed the Fourth Amendment issue as it had been raised and briefed. They indicated that in their opinion, there had been no violation of Foltz’s Fourth Amendment rights and that should have been the basis for affirming the trial court’s ruling. In their analysis, they note that although the use of warrantless GPS surveillance could raise Fourth Amendment issues, as applied to the facts of this specific case:

This case does not involve appellant’s home or even appellant’s own property. Especially as this case concerns a van owned and regulated by appellant’s employer, the circumstances in this case certainly did not violate appellant’s own privacy protections under the Fourth Amendment.

Justices Beales and Haley offer other arguments and analysis as to why the use of warrantless GPS as used in this specific case did not violate the Fourth Amendment. Their opinion makes for interesting reading, as does Justice Humphrey’s response to them.


April 19, 2011

EPIC - Solicitor General to Supreme Court: Review GPS Tracking Cases

"The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate courts about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy."

(Related) On the other hand...

Feds to Supreme Court: Allow Warrantless GPS Monitoring

The Obama administration is urging the Supreme Court to allow the government, without a court warrant, to affix GPS devices on suspects’ vehicles to track their every move.

The Justice Department, saying “a person has no reasonable expectation of privacy in his movements (.pdf) from one place to another,” is demanding the justices undo a lower court decision that reversed the conviction and life sentence of a cocaine dealer whose vehicle was tracked via GPS for a month without a court warrant.

Interesting indeed...

Article: From Facebook to Mug Shot: How the Dearth of Social Networking Privacy Rights Revolutionized Online Government Surveillance

April 19, 2011 by Dissent

Interesting law review article by Junichi P. Semitsu: From Facebook to Mug Shot: How the Dearth of Social Networking Privacy Rights Revolutionized Online Government Surveillance, 31 Pace L. Rev. 291 (2011).


Each month, Facebook’s half billion active users disseminate over 30 billion pieces of content. In this complex digital ecosystem, they live a parallel life that, for many, involves more frequent, fulfilling, and compelling communication than any other offline or online forum. But even though Facebook users have privacy options to control who sees what content, this Article concludes that every single one of Facebook’s 133 million active users in the United States lacks a reasonable expectation of privacy from government surveillance of virtually all of their online activity.

Based on Facebook’s own interpretations of federal privacy laws, a warrant is only necessary to compel disclosure of inbox and outbox messages less than 181 days old. Everything else can be obtained with subpoenas that do not even require reasonable suspicion. Accordingly, over the last six years, government agents have worked the beat by mining the treasure trove of personal and confidential information on Facebook.

But while Facebook has been justifiably criticized for its weak and shifting privacy rules, this Article demonstrates that even if it adopted the strongest and clearest policies possible, its users would still lack reasonable expectations of privacy under federal law. First, federal courts have failed to properly adapt Fourth Amendment law to the realities of Internet architecture. Since all Facebook content has been knowingly exposed to at least one third party, the Supreme Court’s current Fourth Amendment jurisprudence does not clearly stop investigators from being allowed carte blanche to fish through the entire site for incriminating evidence. Second, Congress has failed to meaningfully revise the Electronic Communications Privacy Act (ECPA) for over a quarter century. Even if the ECPA were amended to cover all Facebook content, its lack of a suppression remedy would be one of several things that would keep Facebook a permanent open book. Thus, even when the government lacks reasonable suspicion of criminal activity and the user opts for the strictest privacy controls, Facebook users still cannot expect federal law to stop their private content and communications from being used against them.

This Article seeks to bring attention to this problem and rectify it. It examines Facebook’s architecture, reveals the ways in which government agencies have investigated crimes on social networking sites, and analyzes how courts have interpreted the Fourth Amendment and the ECPA. The Article concludes with an urgent proposal to revise the ECPA and reinterpret Katz before the Facebook generation accepts the Hobson’s choice it currently faces: either live life off the grid or accept that using modern communications technologies means the possibility of unwarranted government surveillance.


(Related) Is this a model for “Consent?” Will “Opt In” become mandatory in the UK?

RIPA to be changed to demand full consent to monitoring

April 19, 2011 by Dissent

It will no longer be enough to have “reasonable grounds” to believe that someone had consented to monitoring of their communications under changes to the Regulation of Investigatory Powers Act (RIPA) proposed by the Government.

Putting notice of monitoring in terms and conditions will not be enough to count as consent to that monitoring, the Home Office said. Its plans to change RIPA will mean that it will only be legal to intrude on private communications if you have a warrant or both the sender and recipient of information agree that it is acceptable, even if it is done unintentionally.


Tools for the “Cut & Paste” generation...

The 3 Best Clipboard Managers For Windows

The Windows clipboard is where information is stored temporarily when you copy something, for example a link, an image, or a piece of text. The clipboard can only hold one single item, so whenever you copy something else, the previous item will be discarded. If you didn’t mean to lose what you had copied earlier that can be a real bummer.

A Windows clipboard manager can fill in the void and add much needed capacity and functionality to the Windows clipboard. Not only can it maintain a history of items you copied during your current or even multiple Windows sessions, it can also save text snippets you frequently use and make them easily accessible.


Yankee Clipper III

xNeat Clipboard Manager

For my Disaster Recovery students (and all the others...) The download link is broken, so wait a bit.

DOWNLOAD Stuff Happens: The Backup & Restore Guide

Disasters happen. Unless you’re okay with losing all of your data, you need a good backup system. If you know this but haven’t got around to setting up backup on your PC, this is the guide to read.

“Stuff Happens: The Backup and Restore Guide” or Read now on Scribd

I'm told that Twitter is now the biggest Job Search engine...

5 Twitter Job Services For Some Real-Time Job Search

You can bet that when Twitter increasingly has the power to spread revolutions, it can be a vital ally of your job hunting campaign.

In its overreaching popularity lies its job hunting prowess. Companies are increasingly using it to spread their updates. Vacancies and recruitments are just one of them.

Even if you do a simple search for a job lead on Twitter, you will be surprised at the number of links that total up. I am not even telling you to do an advanced Twitter search or develop industry specific social strategy. We are talking here of Twitter services that do the job of distilling relevant job tweets for you so that you can find jobs on Twitter.

Here are five of them.

Tweet My Jobs


Job Shouts


Twitter JobCast

Tuesday, April 19, 2011

Nothing gets your attention like someone messing with your paycheck...

MA: Computer access breach exposed UMass Memorial pay stub data

April 18, 2011 by admin

Lee Hammel reports:

Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months.

The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.

The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization’s HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.

The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.

Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct. 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.

Read more in the Telegram.

So what happened in October? Was there an upgrade that was problematic, or were the kiosks first introduced in October, or…?


Ca: Software glitch kills electronic stubs for federal workers’ paycheques

April 18, 2011 by admin

Dean Beebe reports:

A mysterious security breach has shut down the federal government’s online pay system, affecting some 320,000 public servants.

The system was pulled offline for “urgent” repairs on April 4 after officials discovered the privacy of eight account-holders had been breached.

Pay is still being deposited as scheduled in employees’ bank accounts.

But electronic paystubs with information about basic salary, overtime, bonuses, reimbursement of travel expenses and other key data have been unavailable for more than two weeks.

The glitch affects virtually every federal department, from Health Canada to Public Works itself, which operates the self-serve online system for all government employees.

Read more on News1130

[From the article:

Bois was not immediately able to describe how the problem occurred or what personal information may have been put at risk, but suggested the software and systems were not primarily at fault.

"The errors were not due to the CWA itself, but rather due to the manual processes involved," [I don't see where a “manual process” would be required in an automated system... Bob] he said Monday.

We got through an entire year without a major (reported) security breach!

Verizon: More breaches but less data lost. Huh?!

While there were 760 data breaches recorded by Verizon and the U.S. Secret Service in 2010 (up from about 140 in 2009), there were only 4 million compromised records involved (way down from 144 million in 2009), according to the Verizon 2011 Data Breach Investigations Report scheduled to be released on Tuesday. The figures represent both a record high number of incidents and a record low records lost amount for any of the seven years Verizon has been keeping track.

[The report:


Cyber attacks rise at critical infrastructure firms

About 70 percent of the survey respondents said they frequently found malware designed to sabotage their systems during 2010, and nearly half of those in the electric industry said they found Stuxnet on their systems.

… The threat from sabotage includes electrical smart grids, which are being quickly adopted without adequate security measures in place, according to the U.S. Government Accountability Office and independent security experts. Fifty-six percent of the respondents whose companies are planning new smart grid systems also plan to connect to the consumer over the Internet. But only two-thirds have adopted special security measures for the smart grid controls, the report said.

[The report:

(Related) Speaking of attacks on infrastructure... Note: “Everyone is conspiring against us” – pretty much the definition of paranoia. (Of course, paranoids have enemies too)

Iran Says Siemens Helped US, Israel Build Stuxnet

"Iran's Brigadier General, Gholam Reza Jalali, accused Siemens on Saturday of helping US and Israeli teams craft the Stuxnet worm that attacked his country's nuclear facilities. 'Siemens should explain why and how it provided the enemies with the information about the codes of the SCADA software and prepared the ground for a cyber attack against us,' Jalali told the Islamic Republic News Service. Siemens did not reply to a request for comment on Jalali's accusations. Stuxnet, which first came to light in June 2010 but hit Iranian targets in several waves starting the year before, has been extensively analyzed by security researchers. Symantec and Langner Communications say Stuxnet was designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its plants, then force gas centrifuge motors to spin at unsafe speeds. Jalali suggested that Iranian officials would pursue Siemens in the courts, and claimed that Iranian researchers traced the attack to Israel and the US. He said information from infected systems was sent to computers in Texas."

Should be an interesting argument...

Judge: was WiFi packet sniffing by Google Street View spying?

The question of whether Google is liable for damages for secretly intercepting data on open WiFi routers across the United States is boiling down to the definition of a “radio communication.”

… At the center of the legal flap is whether Google breached the Wiretap Act. The answer is important not only to Google, but to the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business trying to cull customers.

Google said it is not illegal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Plaintiffs’ lawyers representing millions of Americans whose internet traffic was sniffed by Google think otherwise, and are seeking unspecified damages.

Judge Ware, however, suggested the answer to the far-reaching privacy dilemma lies in an unanswered question. He has asked each side to define “radio communication” (PDF) as it applies to the Wiretap Act, and wants to know whether home Wi-Fi networks are “radio communications” under the Wiretap Act.

In response, Google wrote last week that open WiFi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands — and are “readily accessible” to the general public. Indeed, packet-sniffing software, such as Wireshark and Firebug, is easily available online.

Hence, because unencrypted WiFi signals travel over the radio spectrum, they are not covered by the Wiretap Act, (PDF) Google responded.

“There can be no doubt that the transfer of any sign, signal, writing, images, sound, data, or intelligence of any nature transmitted over the radio spectrum constitutes a ‘radio communication.’ Indeed, there is nothing in the text or legislative history of the Wiretap Act that would exclude any transmission sent over the radio spectrum from the definition of ‘radio communication,’” Google wrote.

The plaintiffs’ lawyers countered that the communications in question started on a computer and only briefly were relayed on radio waves “across the living room from the recipient’s router to her laptop.”

“The fact that either the first or final few feet of the electronic communication may have gone via wireless transmission ['Wi-Fi'] does not transform the communication into a ‘radio communication’ broadcast similar to an AM/FM radio or a CB,” (PDF) plaintiffs’ lawyer Elizabeth Cabraser wrote. “Nor is there anything in the statute to define ‘radio communications’ as synonymous with anything sent on a radio wave, however briefly and without regard to the entirety of the communication system at use.”

Both sides agree, however, that it’s illegal to listen in on cordless phones.

According to the Wiretap Act, it’s not considered felony wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public,” according to the text of the federal wiretapping statute.

The Federal Trade Commission closed its investigation into the brouhaha in October, without imposing any sanctions on the Mountain View, California internet giant. The Federal Communications Commission commenced a probe in November, but has not announced a conclusion.

… Google said it didn’t realize it was sniffing packets of data on unsecured WiFi networks in about a dozen countries over a three-year period until German privacy authorities began questioning what data Google’s Street View cars were collecting.

Personal Information has value? Who knew?

Lawsuit targeting RockYou data breach gets green light

April 18, 2011 by Dissent

Dan Goodin reports:

A federal judge has declined to dismiss a lawsuit filed against social-media application developer RockYou for exposing the personally identifiable information of 32 million of its users, which the site stored unencrypted when it suffered a major security breach 16 months ago.

Judge Phyllis Hamilton of the US District Court in the Northern District of California dismissed five causes of action brought by user Alan Claridge, but allowed four others to survive. RockYou argued that the suit should be thrown out in its entirety because Claridge didn’t suffer any injuries as a result of the data loss, which exposed the email address and password he supplied when establishing an account with the apps maker.

Read more in The Register.

[From the article:

"The court concludes that at the present pleading state, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his [personally Identifiable Information] has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII," Hamilton wrote.

… The finding that the loss of PII is sufficient grounds for a lawsuit is in stark contrast to rulings in other cases that have held that the exposure of social security numbers and other sensitive data gives rise to valid legal claims only when it results in actual damage to its owner, such as identity theft.

The 16-page ruling is available here.

Why indeed? (Profit?)

Sophos Slams Facebook Security In Open Letter

"Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

For some (many?) of my Intro to Computer Security students, this is the first time they have thought about Security. Discussing articles like this one may keep them thinking.

April 18, 2011

Digital Agenda: children using social networks at a younger age; many unaware of basic privacy risks, says survey

EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa, SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under-18 users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."

Ethics and Technology – or – The ethics of technology? – or – technically, we have no ethics?

Pirate Bay becomes "Research Bay" to aid P2P researchers

The Cybernorms group at Sweden's Lund University has partnered with The Pirate Bay to "help researchers to better understand habits and norms within the file-sharing community"—and the site has temporarily rechristened itself "The Research Bay" in response.

… A 2009 paper (PDF) based on initial Cybernorms research concluded first of all that there are "no social norms that hinder illegal file sharing. The surrounding imposes no moral or normative obstruction for the respondents file sharing of copyrighted content."

For my Computer Security students: Know your enemy!

Lavasoft Rogue Gallery: Directory of rogue antimalware software

While browsing the Internet, you might have seen a banner or popup that asks you to install a new antivirus program to rid you of computer infections. Mostly these intruding banners and pop-ups advertise rogue anti-malware software that would have adverse effects if installed onto your computer. A list of this malware can be found at Lavasoft Rogue Gallery.