Saturday, May 21, 2011

If at first you don’t succeed, fail, fail again.
Hackers hit Sony sites raising more security issues
May 20, 2011 by admin
It’s getting so that I need a scorecard to keep track of all of the recent Sony breaches. These would appear to be #’s 3 and 4….
Reuters reports:
Sony Corp has been hacked again, exposing more security issues for the company less than a month after intruders stole personal information from more than 100 million online user accounts.
A hacked page on a Sony website in Thailand directed users to a fake site posing as an Italian credit card company. The site was designed to steal information from customers, Internet security firm F-Secure disclosed on Friday.
The latest hacking, which the security company said occurred separately from the April attack, was reported just hours after Sony told customers of another breach on one of its units.
So-Net, the Internet service provider unit of Sony, alerted customers on Thursday that an intruder had broken into its system and stolen virtual points worth $1,225 from account holders.
Read more on Thomson Reuters.

Phishing Site Discovered On Sony Thailand Servers
mcgrew tips news that security firm F-secure has found a live phishing site running on Sony's Thailand servers. "Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important." This comes alongside news that a point service run by So-net, a Sony subsidiary, was accessed by an unknown intruder, who stole about $1,200 worth of virtual tokens. "The intrusions are believed to have taken place on May 16 and 17. So-net discovered the breach on May 18, after receiving consumer complaints. So-net halted the point redemption service following the discovery of the breach. The latest breaches are relatively minor in scale compared to the massive breach at PSN and Sony Entertainment Online. Even so, it only adds to the company's embarrassment."

“Thanks for letting us know. Be careful.” That’s it?
Information and Privacy Commissioner issues his decisions about the Epsilon data breach that affected Best Buy and Air Miles
May 20, 2011 by admin
From the press release:
The Information and Privacy Commissioner of Alberta, Frank Work issued his decisions today in regard to Best Buy Canada Ltd., and Air Miles Reward Program’s breach incident reports involving unauthorized access to personal information.
… Commissioner Work reviewed the incident reports by Best Buy and Air Miles and concluded that although the information at issue (name, email addresses and organization membership (in the Best Buy case)) was relatively minor compared to other data breaches which involve the unauthorized access of financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes indicated there was a real risk of significant harm to affected individuals. He noted in his decisions that Best Buy and Air Miles had already notified the affected customers in compliance with section 19.1 of the PIPA Regulation, and therefore did not require the organizations to notify again.
The Commissioner stated that the number of affected individuals increases the likelihood that spear phishing attempts will be successful and significant harm to individuals could occur as a result of the breach.
What’s significant about this finding is that the Commissioner says that even (just) name and email addresses in the context of a large breach of this kind indicates a “real risk of significant harm.”

It’s one thing to enjoin news services (who are used to complying with the Official Secrets Act) but quite another to expect individuals to stop tweeting the latest gossip.
Twitter and “unknown persons” sued by UK athlete who had secured superinjunction
May 20, 2011 by Dissent
Josh Halliday reports:
A footballer has sued Twitter after a number of the microblogging site’s users purported to reveal the name of the player who allegedly had an affair with model Imogen Thomas.
The footballer’s legal team began the legal action at the high court in London on Wednesday, in what is thought to be the first action against the US social media firm and its users.
The lawsuit lists the defendants as “Twitter Inc and persons unknown”. The latter are described as those “responsible for the publication of information on the Twitter accounts” in the court document, according to reports.
Read more in The Guardian.
James Lumley and Lindsay Fortado of Bloomberg also report on the lawsuit:
Twitter Inc. and some of its users were sued by an entity known as “CTB” in London, according to a court filing.
While the document gave no details, CTB are the initials used by the court in a separate lawsuit to refer to an athlete who won an anonymity order banning the media from publishing stories about his alleged affair with a reality-television star.
The case is: CTB v. Twitter Inc., Persons Unknown, High Court of Justice (Queen’s Bench Division), HQ11X01814.
Read more on Bloomberg Businessweek.

Who said, “War is an economic event?”
A New Approach To Reducing Spam: Go After Credit Processors
WrongSizeGlass writes
"A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they found a 'choke point' [PDF] that could greatly reduce the flow of spam. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said one of the scientists."
Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

Shocker! Could we be looking at a “Korean Summer?” (a la “Arab Spring”) Or are these half-million phones just issued to the Army? (Over 1 million active, 7 million reserve)
North Korean 3G Mobile Subscriptions Hit Half a Million
"The number of 3G cellular subscriptions in North Korea passed half a million during the first quarter, according to the country's only 3G cellular operator. The Koryolink network had 535,133 subscriptions at the end of March, an increase of just over 100,000 on the end of December 2010."
[From the article:
The company's network now covers 92 percent of the population.
North Korea is one of the world's most heavily controlled countries and communication is severely restricted. Most cell phones don't have the ability to make or receive international calls.

Friday, May 20, 2011


Federal lawsuit blames Michaels for PIN thefts

May 19, 2011 by admin

Josh Stockinger reports:

A West Chicago woman has filed a federal lawsuit against Michaels, claiming the arts-and-crafts giant failed to protect customers from “cyber-pickpockets” who stole sensitive banking information from checkout keypads at stores in 20 states.

The suit filed this week in Illinois’ northern district seeks class-action status and more than $5 million in damages for Brandi Ramundo and others whose credit and debit accounts were compromised. It comes in the wake of revelations by Michaels earlier this month that checkout PIN pads were tampered with at 80 of its stores across the country.

Read more in The Daily Herald.

Taking data is bad. Taking Personal Information is worse. Using that Personal Information is evil. Using it to demonstrate that you have stolen data is just stupid.

NJ: Newark police investigating student information included in letters sent to school

May 20, 2011 by Dissent

Seth Roy reports:

Newark police are investigating a report filed this week that alleges leaders of the new Eagle Wings Academy took student information from Excel Academy to contact school districts.

On May 9, Marlene Jacob — former Excel director and current Eagle Wings director — sent letters to districts that contract with Excel about her new school, which is aiming to serve a similar type of student.

When Licking Valley Superintendent Dave Hile saw that letter and the accompanying sample contracts, the district immediately contacted Excel.

“The thing that concerned (special education director Jan Clayton) was it had our students’ names on it and their Social Security numbers,” Hile said. “We just didn’t believe that they should have had that information.”

Excel sent a letter to the 33 districts it contracts with Wednesday, stating Eagle Wings Academy is not affiliated with Excel.

“Any student information included in the Eagle Wings Academy mailing was not obtained with permission from Excel Academy,” interim director Amber Thorne-Hamilton wrote in the letter. “This breach of confidentiality is concerning.”


Although this will understandably strike some as a FERPA issue/breach, it sounds like the police are investigating it as a possible insider data theft/data breach. It will be interesting to see what charges, if any, are ever filed.

Learning from the Mother Country?

Australian Government To Widen Spy Agency Powers, Again

"It seems the Australian Government has a fondness for expanding the powers of the domestic spy agency, ASIO, be it for hacking into servers or tapping citizens' phones. Now the plan is to make it easier to engage in economic and industrial espionage, as well as on groups such as WikiLeaks."

Should be an interesting paper, can’t wait to translate it from the Australian.

When the privacy walls fail

The Brocial Network, a men-only group on Facebook where members share images of their scantily clad women ''friends'', has reignited calls for tougher privacy laws for social media in Australia. But this is not the first time the voyeuristic dissemination of women's pictures has resulted in privacy law-reform debates.

More than a century ago, the operation of men's networks of circulation and exchange in the United States, the antecedents of today's Brocial Network, led to the first declared ''right to privacy'' in the common law world.

[Student profile:

Not all Data Mining is evil. This is “for your health!” therefore there is no Privacy risk whatsoever.

Criminal-Profiling Trick Used to Combat Disease

A technique that helps crime fighters zoom in on a serial killer’s whereabouts may help scientists prevent deaths of a different sort — those caused by infectious diseases.

The widely used criminology technique, called geographic profiling, helps investigators narrow a search by pinpointing high-priority targets among thousands of potential locations. In an upcoming International Journal of Health Geographics, researchers demonstrated the technique’s usefulness by identifying the sources of a recent malaria outbreak in Cairo and reconstructing an infamous cholera outbreak in Victorian London. Applying the technique to infectious diseases could help focus interventions, perhaps preventing the spread of disease while saving time and money.

e-Discovery is part of the Data Analysis and Data Mining arena.

Symantec to buy Clearwell for $390 million

Symantec announced today that it has agreed to acquire privately held Clearwell Systems for $390 million, bolstering the security company's efforts in the growing market for electronic legal-document discovery.

Symantec, best known for its Norton security products for PCs, will combine Clearwell's analysis and archiving of legal documents with its own Enterprise Vault e-discovery software. The e-discovery software market is expected to grow at an annual rate of 14 percent and is estimated to reach $1.7 billion by 2014, according to Gartner industry research.


Google scraps newspaper-scanning project

Google might have near-boundless ambition, but every now and then it throws in the towel. The most recent example: a project to scan newspapers for publication online.

"Users can continue to search digitized newspapers at, but we don't plan to introduce any further features or functionality to the Google News Archives and we are no longer accepting new microfilm or digital files for processing," Google told Search Engine Land in a story published today.

Economics 2.0? If this is true…

MasterCard Study: Youngsters Will Be The Catalyst Of Mobile Payment Adoption

…is this inevitable?

Bitcoin, Ven and the End of Currency

For my Geeks, Computer Security and Hacker students

Get Over 100 Portable Freeware Utilities With NirLauncher [Windows]

NirLauncher is a library that comes packed with over 100 portable freeware utilities for Windows. It is the perfect toolbox to carry around on your USB stick for emergencies, for example if you need to recover lost passwords or monitor your network. The tools are pre-sorted into 12 different categories and you are free to add additional software packages if you like.

We have previously covered NirLauncher here. If you are interested in portable apps in general, check out these resources:

A snapshot of the e-World.

Infographic: A Look At The Size And Shape Of The Geosocial Universe In 2011

Let’s see if my Security students really follow my Blog…

Free giveaway: Lock up your PC from hackers with Laplink's PC Lock

For 24 hours only, we are giving away a free copy of Laplink's latest new release of data encryption software, PC Lock. With its cloud management feature and military-grade 256-bit Advanced Encryption Standard, it provides an additional layer of protection from hackers and thieves.

Hackers and thieves never stop working, so why take a chance when you can get a free copy of Laplink PC Lock to give you one additional layer of safety and peace of mind? Also note that PC Lock is complementary to your existing antivirus software.

Normally priced at $29.95, you can get your copy for free today, only on CNET.

This free offer ends at 8 a.m. PDT on Saturday, May 21, 2011.

Thursday, May 19, 2011

In an effort to demonstrate their Hacking skills, Sony takes their own network offline! Way to go Sony!

How to stay safe on Sony's PlayStation Network

If you are a Sony PlayStation Network (PSN) customer you are probably getting a little paranoid. First there was the data breach from last month that exposed customer data and forced Sony to take the network down.

And now, just days after Sony got the service back up and running, it has taken the PSN password reset service offline because it was allowing people to change other customers' passwords if they knew their e-mail address and birth date--information that was stolen in the attack.

Sony says the hole in the PSN password reset site was not exploited in active attacks, although there are reports that the information was circling in the underground and being used prior to Sony taking the site down.
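The reset flaw described above is a design problem, not a coding slip: a reset that is authorized by facts from the user's profile (e-mail address plus birth date) is only as strong as the secrecy of those facts, and once a breach has exposed them the reset page becomes an account-takeover page. The following added example, which is not Sony's code and does not describe PSN's actual implementation, puts the weak design beside a hardened one. The account store, the `OUTBOX` stand-in for the mail system and the hash-only token table are all constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed sample account store (not real user data): email -> record.
ACCOUNTS = {
    "alice@example.com": {"birthdate": "1985-03-02", "password_hash": None},
}
# Stand-in for the mail system: (recipient, token) pairs delivered out-of-band.
OUTBOX = []
# token_hash -> (email, expiry timestamp). Only the hash is stored, so a copy
# of this table does not yield usable reset tokens.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(pw):
    # Placeholder for the demo; a production system uses a slow KDF (argon2/scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def weak_reset(email, birthdate, new_password):
    """The flawed design the article describes: anyone who knows two profile
    facts (which were themselves part of the stolen data) may set a new password."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["birthdate"] != birthdate:
        return False
    acct["password_hash"] = hash_password(new_password)
    return True


def request_reset(email, now=None):
    """Hardened step 1: mint a random token, store only its hash, and deliver
    the token to the registered mailbox. Returns None for every input so the
    response does not reveal whether the address exists (no enumeration)."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = (email, now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, token))
    return None


def complete_reset(token, new_password, now=None):
    """Hardened step 2: the token is looked up by its hash, consumed on first
    use and rejected after its TTL. Profile facts are never consulted."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)  # single use, valid or not
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    ACCOUNTS[email]["password_hash"] = hash_password(new_password)
    return True
```

The contrast worth noting is that `weak_reset` succeeds with nothing but data an attacker already holds after a breach, while the hardened flow requires control of the mailbox, accepts each token once, and expires it after fifteen minutes.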

(Related) Even playing games is dangerous?

Rockstar blames Sony firmware for overheating PS3s

Even my Math students know that “Greater than: 200,000” does not mean “Only” 200,000…

(update) Massachusetts breach affected over 200,000

May 18, 2011 by admin

As a quick update: Matt Liebowitz of reports that the Massachusetts data breach disclosed yesterday may have impacted 210,000.

The NBC is in Denver

Email exposed 4,000 Securities and Exchange Commission employees

May 18, 2011 by admin

Shan Li reports:

The Securities and Exchange Commission is having some security problems.

About 4,000 agency employees, including several in Los Angeles, have been notified that their social security numbers and other payroll information were included accidentally in an unencrypted email, said Drew Malcomb, an Interior Department spokesman.

The May 4 email was sent by a contractor at the Interior Department’s National Business Center, a service center in charge of payroll, human resources and financial reporting for dozens of federal agencies, Malcomb said.

The contractor forgot to encrypt the email, and the software in place to catch such errors also failed and let the email through, he said.

Read more in the Los Angeles Times.
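Two controls failed in sequence here: the sender skipped encryption, and the outbound filter that should have caught payroll data let the message through. The added example below (not the National Business Center's software, and not a description of whatever product it ran) shows the shape of such a pre-send check: it scans the body and attachments for SSN-shaped values, applies the Social Security Administration's never-issued ranges to cut false positives, blocks unencrypted messages that carry any, and fails closed if the scanner itself errors. The messages are constructed for the demo.

```python
import re

# 3-2-4 digits with '-' or ' ' separators; requiring separators avoids matching
# phone numbers and account ids, at the cost of missing bare 9-digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """SSA rules: area 000, 666 and 900-999 are never issued; group 00 and
    serial 0000 are invalid. Filtering these removes obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return the plausible SSN-shaped tokens found in one text blob."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def outbound_decision(message, threshold=1):
    """message: {'body': str, 'attachments': [str], 'encrypted': bool}.
    Returns ('allow'|'block', hit_count). Any scanner error blocks the send
    (fail closed) rather than letting the message through unchecked."""
    try:
        texts = [message.get("body", "")] + list(message.get("attachments", []))
        hits = [s for t in texts for s in find_ssns(t)]
        if len(hits) >= threshold and not message.get("encrypted", False):
            return ("block", len(hits))
        return ("allow", len(hits))
    except Exception:
        return ("block", -1)


# Constructed sample messages (fictitious names and numbers).
PAYROLL_CSV = (
    "name,ssn,net_pay\n"
    "Alice Example,123-45-6789,2100.00\n"
    "Bob Example,234-56-7890,1950.50\n"
    "Carol Example,345-67-8901,2200.00\n"
)
PAYROLL_UNENCRYPTED = {
    "body": "Attached is the May 4 payroll extract.",
    "attachments": [PAYROLL_CSV],
    "encrypted": False,
}
PAYROLL_ENCRYPTED = dict(PAYROLL_UNENCRYPTED, encrypted=True)
BENIGN = {
    "body": "Call 555-123-4567; ticket 666-12-3456 was closed on 2011-05-04.",
    "attachments": [],
    "encrypted": False,
}
```

Running `outbound_decision` over the three samples blocks the unencrypted payroll message, allows the encrypted copy, and allows the benign message whose phone number and ticket id do not pass the shape and issuance checks. The fail-closed branch is the part most often missing in practice: a scanner that crashes on an odd attachment and silently allows the send reproduces exactly the failure the article reports.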

Gee, you would think this is easy, but “I know it when I see it” makes a poor legal definition.

Trying to define “sensitive” data

May 19, 2011 by Dissent

Peter Fleischer compares the EU definition of “sensitive personal data” to the definition in India’s new law and finds the EU definition lacking:

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”


Now, for comparison, here is India’s just revised categories of “sensitive” data:

“unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:


financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise.”

Read more on Peter Fleischer: Privacy…?

(Related) It’s the Policy that’s difficult.

Google boss: anti-piracy laws would be disaster for free speech

Google's executive chairman, Eric Schmidt, warned on Wednesday that government plans to block access to illicit filesharing websites could set a "disastrous precedent" for freedom of speech.

Speaking to journalists after his keynote speech at Google's Big Tent conference in London, Schmidt said the online search giant would challenge attempts to restrict access to the Pirate Bay and other so-called "cyberlocker" sites that encourage illegal downloading – part of government plans to fight online piracy through controversial measures included in the Digital Economy Act.

"I would be very, very careful if I were a government about arbitrarily [implementing] simple solutions to complex problems," he said. "So, 'let's whack off the DNS'. Okay, that seems like an appealing solution but it sets a very bad precedent because now another country will say 'I don't like free speech so I'll whack off all those DNSs' – that country would be China.

"It doesn't seem right. I would be very, very careful about that stuff. If [the UK government] do it the wrong way it could have disastrous precedent setting in other areas."

Speaking at the same conference, the culture minister, Jeremy Hunt, said plans to block access to illicit filesharing websites were on schedule. He admitted that a "challenge" of the controversial measure is deciding which sites get blocked.

For my Security students: Think of this as an almost complete list of “Things that could go wrong”

May 18, 2011

Report: Push for Electronic Medical Records Overlooks Security Gaps

PBS Newshour: 'As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed "significant concerns" about security gaps in the system. The Office of the Inspector General found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals." The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as "high impact" - resulting in costly losses, injury or death. According to the report, "outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data."

Ask for everything, then negotiate down? Maybe you’ll wind up with more than you ever thought possible.

Academic Publishers Ask The Impossible In GSU Copyright Suit

"A Duke University blog covers the possible ramifications of a motion in the copyright case against Georgia State University. Cambridge, Oxford, and Sage have proposed an injunction that would first enjoin GSU to include all faculty, employees, students. All copying would have to be monitored and limited to 10% of a work or 1000 words, whichever is less. No two classes would be allowed to use the same copied work unless they paid for it, essentially taking fair use out of the classroom. [And for those of us who teach in colleges with campuses nationwide, this would be nearly impossible to monitor. Bob] Along with this, courses would be allowed to be made up of only 10% copied material, the other 90% must be either purchased works or copies that have been paid for by permission fees. And, if this isn't enough, the publishers also want access to all computer systems on the campus network, to monitor compliance and copying. 'This proposed order, in short, represents a nightmare, a true dystopia, for higher education.... Yet you can be sure that if [these] things happen, all of our campuses would be pressured to adopt the "Georgia State model" in order to avoid litigation.' Disclosure: I am currently a graduate student at Georgia State University."

For my Ethical Hackers – guess we’ll have to hold off too.

SCADA hack talk canceled after U.S., Siemens request

Two researchers say they canceled a talk at a security conference today on how to attack critical infrastructure systems, after U.S. cybersecurity and Siemens representatives asked them not to discuss their work publicly.

"We were asked very nicely if we could refrain from providing that information at this time," Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET today. "I decided on my own that it would be in the best interest of not release the information."

Beresford said he and independent researcher Brian Meixell planned on doing a physical demonstration at the TakeDown Conference and shared their slides and other information on vulnerabilities and exploits with Siemens, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), and the Idaho National Lab on Monday.

The Clouds are rolling in…

City of San Francisco's e-mail heads to Microsoft cloud

San Francisco is upgrading its e-mail system to a Microsoft cloud-based service to reduce IT costs and improve the city's response to disasters.

The switch to Microsoft Exchange Online will occur over 12 months within 60 departments--starting with smaller departments before rolling out to departments dealing with public safety and eventually reaching the city's 23,000 employees.

Jon Walton, chief information officer for the City and County of San Francisco, made the Microsoft contract announcement during a press conference today.

First, the city will upgrade its e-mail system from seven different systems, including Lotus Notes, into one cloud-based system. In the future, there are other Microsoft options Walton would like to explore such as SharePoint, videoconferencing, and instant messaging--features that are available through Microsoft's Business Productivity Online Services. However, the initial contract with Microsoft includes only cloud-based e-mail and archiving.

Recently, Microsoft's cloud-based customers suffered an e-mail outage. E-mail outages have happened before, but this time the outage affected the city for only four hours, Walton said. "The Microsoft outage showed us we made the right decision" in picking Microsoft after considering using competitors such as Google and Lotus Notes, Walton said.

As far as security, "we were impressed by [Microsoft's] security solutions," Walton said. "Microsoft has clients that require more security than the city does." The cloud-based initiative will cost the city $1.2 million per year.

Suddenly Apple is the “good competitor?”

Google And Amazon May Have Just Handed Apple The Keys To The Cloud Music Kingdom

With regard to their cloud music offering, it looks like Apple is now just about ready to rock and roll. It would seem that this is now coming together even faster than they anticipated. And that may be thanks to two unlikely sources: Google and Amazon.

CNet’s Greg Sandoval is reporting tonight that Apple has signed an agreement with music label EMI to offer its music through Apple’s upcoming new cloud music service. This means that Apple now has agreements in place with two of the four major labels (Warner signed last month). And Sandoval believes that deals with the remaining two, Sony and Universal, could be wrapped up as early as next week.

You see, while Apple is believed to have had the infrastructure work done for a while for their cloud music offering, the hold up was these label deals. Negotiations have been ongoing for months, and given the stakes, it seems likely that they could have gone on for many more months. Then Amazon decided to get ballsy.

They launched their own cloud music service in March without any of the labels signed on, surprising everyone. Legally, they said they had the right to do this since customers are placing this music in digital vaults in the cloud in the same way they might put music on an MP3 player. The labels, not surprisingly, disagree.

When Amazon did that, Google, which had also been negotiating with the music labels for at least a year, also decided they needed to get their offering out there. Last week at Google I/O, they launched Google Music in beta. Again, the labels were pissed off.

And guess who they ran to?

So the labels, which for the better part of a decade now have been looking for someone, anyone to help counter Apple’s power in their business, is turning right back to Apple when they need help. And Apple will obviously gladly welcome them with open arms. After all, with these licenses, Apple will have secured the cloud music high ground despite being the last to launch.

Think about it. With these agreements, Apple is likely going to be able to do the one thing that is absolutely crucial for cloud music to take off: offer library syncing without uploading. In other words, Apple will now likely be able to do what Lala (the company Apple bought in late 2009 and subsequently shut down) was able to do: scan your hard drive for songs and let you play those songs from their servers without having to upload them yourself. [No Privacy concerns here. Move along. Bob]

I like to use MindMaps in my “Intro to…” classes, so I’ll be evaluating this one…

Wednesday, May 18, 2011

Spider Scribe - Mind Mapping with Images, Maps, and More

Spider Scribe is an online mind map creation service. Spider Scribe can be used individually or be used collaboratively. I've reviewed a lot of mind mapping tools over the years. What jumps out about Spider Scribe is that users can add images, maps, calendars, text notes, and uploaded text files to their mind maps. Users can connect the elements on their mind maps or let them each stand on their own.

Toys for Geeks

7 Best “New” Web Browsers With A Chance Against Chrome & Firefox

Wednesday, May 18, 2011

How big? They don’t know?

Massachusetts Executive Office of Labor and Workforce Development Reports a Virus Infiltrated the Computer Systems of Agencies tied to Employers, Unemployed Claimants and Career Center Customers

May 17, 2011 by admin

The Executive Office of Labor and Workforce Development (EOLWD) today reported that the Departments of Unemployment Assistance (DUA) and Career Services (DCS) network, individual computer terminals as well as individual computers at the One Stop Career Centers were infected with the W32.QAKBOT virus, a new strain of a computer virus, beginning on April 20, 2011. Steps were taken immediately with the assistance of EOLWD’s security provider Symantec to eliminate the virus.

EOLWD learned yesterday that the computer virus (W32.QAKBOT) was not remediated as originally believed and that the persistence of the virus resulted in a data breach. Once it was discovered, the system was shut down and the breach is no longer active. W32.QAKBOT may have impacted as many as 1500 computers housed in DUA and DCS including the computers at the One-Stop Career Centers.

There is a possibility that as a result of the infection, the virus collected confidential claimant or employer information. This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses. It is possible that bank information of employers was also transmitted through the virus. Only the 1200 employers that manually file could be impacted by the possible data breach.

“I apologize to our customers and recognize that this is an unwanted problem. [Interesting phrase… Bob] We are hopeful that the actual impact on residents and businesses is minimal. The breach is no longer active. We are in the process of individually notifying all residents whom we think could be impacted and have advised all relevant and necessary state and federal agencies of the situation.

We are coordinating with the Attorney General to identify the perpetrators of this crime and to take the next steps to address their actions.

There is no mechanism available to EOLWD to assess the actual number of individuals affected [‘cause we don’t keep no logs? Bob] but any claimant who had their UI file manually accessed by could be affected. Additionally, businesses that file their quarterly statements manually (about 1,200 of 180,000) may have had identifying information transmitted through the virus. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station.


Probably nothing, but it needs following…

France’s official P2P monitoring firm hacked

May 17, 2011 by admin

Dan Goodin reports:

The French government has temporarily suspended its reliance on the company designated to monitor file-sharing networks for copyright scofflaws following reports that a hack on its servers may have leaked sensitive information.

Eric Walter, France’s secretary general of internet piracy, made the announcement over Twitter on Tuesday, saying that Hadopi, short for the High Authority for the dissemination of works and the protection of rights, was taking control of Trident Media Guard “following the leak of IP addresses.”

Read more in The Register.

[From the article:

It remains unclear just how serious the leak from TMG was. As a government-sanctioned collector of IP addresses trading music, pictures and other media over file-sharing networks, it could possess a wealth of sensitive information about French citizens. But according to news reports published on Tuesday (Google translation here) TMG has said “no personal data was disclosed” and that the hacked machine was a test server.”

Sony updates… Maybe it was the DoD?

Expert: Sony attack may have been multipronged

When it comes to the attack on Sony's PlayStation Network, the only thing we're sure of is what we don't know: how it was done and who did it.

In the past four weeks since Sony shut down the gaming network, security researchers have been cobbling together theories of how someone broke into the PlayStation Network (PSN) and Sony Online Entertainment site, exposing personal data from more than 100 million accounts.

Security experts believe whoever was responsible exploited one or more security holes--but how they were exploited and who did it remains a bit of a mystery, despite a disputed link to the loosely knitted hacking organization Anonymous.

Sony has said only that between April 17 and 19 an unauthorized person gained access to Sony's PSN servers in San Diego by hacking into an application server behind a Web server and two firewalls. The attack was disguised as a purchase, so it did not immediately raise any red flags, and the vulnerability exploited was known, according to Sony. A week and a half later, the company said that during its investigation into the PSN breach, it discovered that attackers may have also obtained data from the Sony Online Entertainment system. The network and online site were restored last weekend.

Chris Lytle, security researcher at Veracode, said he thinks there were actually multiple concurrent breaches, not necessarily by the same person or group. "Sony just happened to be a low-hanging fruit because of what was publicly known at the time, and they got attacked from every direction at once," he said in an interview this week.

Lytle discusses several theories in a recent blog post and notes that information from Sony would indicate that a SQL injection was used to exploit a hole in the database layer of an application or that the database server was publicly accessible and exploitable.

"According to web logs that Sony had been leaking for months prior to the attack someone from a US Department of Defense IP from the netblock had probed Sony's systems for two weeks prior to the intruders gaining access," he writes. A program called Whisker, which only checks for known vulnerabilities, apparently was used to perform the scans, he added.

Depending on what actions Sony took or didn't take to secure its systems and how old any potential vulnerabilities were, the question of negligence could be raised, said Eugene Spafford, a computer science professor at Purdue and executive director of CERIAS (Center for Education and Research in Information Assurance and Security) at the university.

"It would seem, from what we've heard, that it is possible they didn't exercise due care," he said in an interview with CNET. "If you park your car in a high-crime area and leave the doors unlocked and the keys in the ignition, you are being careless when you should know better. That makes you somewhat culpable for the losses."


Sony: PSN back, but no system is 100 percent secure

After switching PlayStation Network back on this past weekend, Sony executives are now speaking out about the security breach and its aftermath.

Several media outlets participated in a call with Chairman and CEO Howard Stringer and Executive Deputy President Kazuo Hirai today in which the execs admitted Sony still does not know who accessed the personal records of more than 100 million of its customers last month.

Putting the event in context, Stringer said that any company's security system is vulnerable. "Nobody's system is 100 percent secure," Stringer said, according to Bloomberg. "This is a hiccup in the road to a network future." [A little more empathy would be appreciated. Bob]

He also lamented how hard it is for everyone who does business online to keep ahead of hackers. According to the Huffington Post, Stringer called it "a kind of escalating competition between good and bad." [“Damn it, every penny we spend on Security comes out of my Bonus!” Bob]

(Related) I’ll ask my PS3 using students if this is sufficient.

Sony Details Free PS3, PSP Games in ‘Welcome Back’ Package

“He was a really big irritant.”

Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M

"A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said." Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?

Not enough swing in the legislative pendulum

Breach Notification Proposal Lacks Teeth

May 17, 2011 by admin

Clearly I’m not the only one who was unimpressed with the Obama administration’s plan for a federal data breach notification law. Tracy Kitten reports:

The Obama administration’s plan for a federal data breach notification policy is too vague to be effective, and it lacks teeth to penalize violators, critics say.



Final PHI Protection Rule Won’t Mandate Encryption

By Dissent, May 17, 2011

The omnibus federal final rule that will cover changes to the HIPAA privacy, security, breach notification and enforcement rules will not include a mandate for encryption of protected health information, confirms Susan McAndrew, deputy director for health information privacy in the Department of Health and Human Services’ Office for Civil Rights.


McAndrew wasn’t as clear when asked if the breach notification “harm threshold,” which enables an organization to not provide notification of a breach if it determines no consequential harm has or will result, will be eliminated in the final rule.

Read more on Health Data Management.


EFF Applauds New Electronic Privacy Bill That Tells the Government: Come Back With a Warrant!

May 18, 2011 by Dissent

Kevin Bankston writes:

Today, Senator Patrick Leahy introduced much-needed legislation to update the Electronic Communications Privacy Act of 1986, a critically important but woefully outdated federal privacy law in desperate need of a 21st century upgrade. This ECPA Amendments Act of 2011 (S. 1011) would implement several of the reform principles advocated by EFF as part of the Digital Due Process (DDP) coalition, and is a welcome first step in the process of providing stronger and clearer privacy protections for our Internet communications and location data. Here is the bill text, along with a summary of the bill.

The upshot? If the government wants to track your cell phone or seize your email or read your private IMs or social network messages, the bill would require that it first go to court and get a search warrant based on probable cause. This is consistent with DDP’s principles, builds on EFF’s hard-won court victories on how the Fourth Amendment applies to your email and your cell phone location data, and would represent a great step forward for online and mobile privacy protections.

The bill isn’t absolutely free of problems: although it clearly would require a warrant for ongoing tracking of your cell phone, it would also and unfortunately preserve the current statutory rule allowing the government to get historical records of your location without probable cause. It also expands the government’s authority to use National Security Letters to obtain rich transactional data about who you communicate with online and when, without probable cause or court oversight. You can count on EFF to press for these problems to be fixed, and for all of the DDP principles to be addressed, as the bill proceeds through Congress.

Read more on EFF.

“Reveal your source!” Should be a lot more fun when everything is in the Cloud.

Grubb’s story: privacy, news and the strong arm of the law

May 18, 2011 by Dissent

Yesterday I saw some conflicting news reports as to what happened to Australian reporter Ben Grubb after he covered a hacking story at a security conference. In time, the story got clarified, and here’s his report:

We’ve all seen it happen on TV a zillion times. But when a police officer recited to me those well-rehearsed words – ‘you have the right to remain silent …’ – I felt sick in the stomach.

The conversation with the two officers had started off in a friendly enough manner. I was in a session at the AusCERT security conference on the Gold Coast when I received a call from Detective Superintendent Errol Coultis.

I thought he was from the Queensland Police media unit to begin with, but it soon became clear he was an officer who wanted to question me over a story I had written regarding a security expert’s demonstration of vulnerabilities on social media sites such as Facebook.

Read more in The Age.

Taking a reporter’s iPad because it contained evidence of what might be a crime? Accusing a reporter of receiving illegally obtained information? Is this a mini-WikiLeaks? What Ben Grubb did is what journalists and bloggers do every day – we receive information and sometimes that information may not have been obtained by the party who provides it to us in totally legal ways. If what Ben Grubb did was wrong – and I don’t think it was – then the New York Times and every other mainstream news organization is at risk of having their reporters covering Australian news arrested and their computers seized.

This was just so wrong.

I look forward to seeing the report also.

Report: Limit Searches of Electronic Devices – and Jacob Appelbaum!

May 18, 2011 by Dissent

Okay, yes, I added Jacob Appelbaum’s name to the headline. It seemed appropriate.

The Associated Press reports:

Travelers carry so much personal information on laptops, computer disks and smartphones that routine searches of electronic devices at the nation’s borders are too intrusive now, in the view of a bipartisan panel that includes a Republican conservative who once headed border security.

A report released Wednesday by The Constitution Project, a bipartisan legal think tank, recommended that the Homeland Security Department discontinue its policy of searching electronic devices without a reasonable suspicion of wrongdoing.

From Oct. 1, 2008, to June 2, 2010, over 6,500 people — almost half of them U.S. citizens — had electronic devices searched at the border, the report found.

Read more on Fox News.

I do not see the report up on the organization’s web site as of the time of this posting, but look forward to reading it. Certainly anyone who has followed the tweets of Jacob Appelbaum (@ioerror) will be well aware that CBP routinely detains him and their actions seem more like downright harassment than anything else, since they no longer engage in even the pretext of searching for anything that would actually pose any risk to national security or be evidence of any criminal activity.

Harassment – even if conducted politely – is still harassment. I defy the DHS to provide any justification for their treatment of this American citizen. They are either being petty and malicious or they must think Appelbaum is so stupid that after having been detained so many times, he would still travel with anything that might be of remote use to the government.

For my Computer Security students. It’s a “feature” not a “problem,” right?

How Windows 7 Knows About Your Internet Connection

"In Windows 7, any time you connect to a network, Windows tells you if you have full internet access or just a local network connection. It also knows if a WiFi access point requires in-browser authentication. How? It turns out, a service automatically requests a file from a Microsoft website every time you connect to any network, and the result of this attempt tells it whether the connection is successful. This feature is useful, but some may have privacy concerns with sending their IP address to Microsoft (which the site logs, according to documentation) every single time they connect to the internet. As it turns out, not only can you disable the service, you can even tell it to check your own server instead."
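For the Computer Security students: the service in question is NCSI (Network Connectivity Status Indicator), driven by the Network Location Awareness service, and its probe targets live in the registry. The script below is an added example, not code from the Slashdot post or from Microsoft; it shows the current probe settings, repoints them at a host you run, and then reproduces the probe by hand so you can see exactly what the machine sends. The host name ncsi.example.internal is a placeholder for your own web server, which must answer http://&lt;host&gt;/ncsi.txt with the exact body stored in ActiveWebProbeContent and resolve dns.&lt;host&gt; to the address in ActiveDnsProbeContent, otherwise Windows reports "limited" connectivity. Run it in an elevated PowerShell 3.0 or later (Windows 7 shipped with 2.0, which lacks Invoke-WebRequest).

```powershell
# Added example (not from the original post or from Microsoft).
# NCSI settings for Windows 7 live under the NlaSvc service key.
$ncsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

# 1. Show what the machine probes today. Defaults are
#    http://www.msftncsi.com/ncsi.txt (body "Microsoft NCSI") and a DNS
#    lookup of dns.msftncsi.com expected to return 131.107.255.255.
Get-ItemProperty -Path $ncsiKey |
    Select-Object ActiveWebProbeHost, ActiveWebProbePath, ActiveWebProbeContent,
                  ActiveDnsProbeHost, ActiveDnsProbeContent, EnableActiveProbing

# 2. Point both probes at infrastructure you control.
#    'ncsi.example.internal' is an assumed placeholder; replace it with your host.
$probeHost = 'ncsi.example.internal'
Set-ItemProperty -Path $ncsiKey -Name ActiveWebProbeHost    -Value $probeHost
Set-ItemProperty -Path $ncsiKey -Name ActiveWebProbePath    -Value 'ncsi.txt'
Set-ItemProperty -Path $ncsiKey -Name ActiveWebProbeContent -Value 'Microsoft NCSI'
Set-ItemProperty -Path $ncsiKey -Name ActiveDnsProbeHost    -Value "dns.$probeHost"
Set-ItemProperty -Path $ncsiKey -Name ActiveDnsProbeContent -Value '131.107.255.255'

#    Alternative: switch active probing off entirely. The tray icon then
#    cannot tell "Internet access" from "local only", and captive-portal
#    (hotel Wi-Fi login page) detection stops working.
# Set-ItemProperty -Path $ncsiKey -Name EnableActiveProbing -Value 0 -Type DWord

# 3. Make NLA re-read its configuration (-Force also restarts dependents).
Restart-Service -Name NlaSvc -Force

# 4. Reproduce the HTTP probe by hand and classify the answer the way NCSI does:
#    exact expected body  -> Internet access
#    a redirect           -> captive portal (someone is intercepting HTTP)
#    other body           -> something is tampering with or proxying the request
#    no answer            -> no connectivity
function Test-NcsiProbe {
    param(
        [string]$WebHost,
        [string]$WebPath,
        [string]$Expected
    )
    try {
        $resp = Invoke-WebRequest -Uri "http://$WebHost/$WebPath" -UseBasicParsing `
                                  -MaximumRedirection 0 -ErrorAction Stop
        if ($resp.Content.Trim() -eq $Expected) { return 'internet' }
        return 'unexpected-content'
    } catch {
        $r = $_.Exception.Response
        if ($r -and [int]$r.StatusCode -ge 300 -and [int]$r.StatusCode -lt 400) {
            return 'captive-portal'
        }
        return 'no-connectivity'
    }
}

$cfg = Get-ItemProperty -Path $ncsiKey
Test-NcsiProbe -WebHost $cfg.ActiveWebProbeHost `
               -WebPath $cfg.ActiveWebProbePath `
               -Expected $cfg.ActiveWebProbeContent
```

Two caveats. The probe goes out over plain HTTP, so on an untrusted network anyone in the path sees it and can answer it; that is the mechanism captive portals rely on, and also why you should not treat a green "Internet access" icon as evidence that a network is safe. And if you manage a fleet, the same switch is available as Group Policy under Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings ("Turn off Windows Network Connectivity Status Indicator active tests"), which is easier to audit than per-machine registry edits.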

Righthaven Hit With Class Action Counterclaim

"Steve Green reports that one of the website operators accused of copyright infringement by Righthaven has retaliated, hitting the Las Vegas company with a class-action counterclaim, charging that defendants in all 57 Righthaven cases in Colorado 'are victims of extortion litigation by Righthaven, which has made such extortion litigation a part of its, if not its entire, business model.' The counterclaim says Righthaven has victimized defendants by failing to send takedown notices prior to suing, by threatening to take their website domain names when that's not provided for under the federal Copyright Act, by falsely claiming it owns the copyrights at issue and by failing to investigate jurisdictional and fair use issues before suing, among other things. The claim seeks an adjudication that Righthaven's copyright infringement lawsuits amount to unfair and deceptive trade practices under Colorado law, an injunction permanently enjoining Righthaven from continuing the alleged unfair and deceptive trade practices, an unspecified financial award to the class-action plaintiffs for damages as well as their costs and attorney's fees."

Will we agree? Somehow I doubt it.

Location data is personal and private confirms EU watchdog

May 17, 2011 by Dissent

Jennifer Baker reports:

The European Union data protection watchdog says that geo-location constitutes private data.

The opinion, which was approved by the Article 29 Working Party on Monday, looked at developments in mobile technology and the current legal framework around them and makes recommendations.

“Location data is certainly, in many instances, private data, and there then follows the obligations to inform users, and the opportunity to opt in or opt out,” Peter Hustinx, Europe’s Data Protection Supervisor (EDPS) and member of the working group, told IDG News Service.

Private or personal data receives a much higher level of protection under the E.U.’s Data Protection Directive than anonymous data.


Ah Jeff, I think it unwise to tell Congress, “Nah nah na nah nah!”

Jeff Bezos Calls Sales Tax Requirements On Amazon Unconstitutional

"chief Jeff Bezos says the online retailer won't collect tax from most of its 90 million customers until Congress clearly mandates it. Although a growing number of states are demanding that Amazon collect and remit tax on sales within their borders, such demands are 'interference in interstate commerce' and prohibited by the Constitution, Bezos said."

Are game ‘terms of service’ like shrink-wrap licenses?

The FSF's Campaign Against the Nintendo 3DS

"The Nintendo 3DS's terms of so-called service, and the even more grotesquely-misnamed privacy policy, make it clear that you are in the service of Nintendo. Specifically, anything you do, write, photograph, or otherwise generate with the 3DS is Nintendo's possession, for them to use however, whenever, and for as long as they want. On the other hand, if you do something they don't like, they're prepared to turn your device into a doorstop — and you gave them permission when you started using it. And if you have a child's best interests at heart, don't give it to anyone too young to know to never use her real name, type in an address or phone number, or take any personally-identifiable photos. They might, at best, end up in a Nintendo ad."

A nation of movie watchers

Netflix Dominates North American Internet

"Accounting for 29.7% of all information downloaded during peak usage hours by North American broadband-connected households in March, Netflix Inc. received the title in the latest Global Internet Phenomena Report released by Sandvine Corp. on Tuesday. In its ninth such report, Waterloo, Ont.-based Sandvine found the amount of data consumed by users streaming television shows and movies from Netflix's online service exceeded even that of peer-to-peer (P2P) file sharing technology BitTorrent."

Tossing gasoline on the “off shoring” debate. Although this might be a useful service when writing a dissertation.

Outsourcing Education: Does It Matter If Someone in India Corrected Your College Paper?

Plenty of American businesses have outsourced jobs across the globe, and now colleges are jumping on the bandwagon. Colleges are hiring online "tutors" to check student work for grammar and other English mistakes and provide the kind of feedback students used to get from professors or teaching assistants before budget cuts resulted in staff layoffs and unmanageably large class sizes.

Here's how it works: Schools like West Hills Community College in central California hire services like Virginia-based RichFeedback. When a student turns in a paper, the professor sends it to RichFeedback, which then passes it along to its own tutors, mostly based in India. According to the Fresno Bee, the tutors return the papers "covered with color-coded corrections, suggestions for improvements and references to class text examples." Then professors only have to spend time evaluating a paper's subject-matter content.