Saturday, June 18, 2011

I wonder if Homeland Security checks to see if this was an attack on US infrastructure? Shouldn't they at least insist the airline explain exactly what happened? (and not accept, “We don't know.”)

United Airlines Passengers Stranded By Computer Outage

From reader Peter McDermott comes word of a computer outage with effects to dwarf those of the one that stranded thousands of US Airways passengers last week. This time, it's United Airlines' systems that are out of commission and unable to handle passenger reservations, leaving passengers stranded all over the U.S. According to Peter, experiencing the resultant delays first-hand at Dulles Airport near Washington, D.C., United planes are being sent on — along with their passengers' luggage — to the cities from which they're to leave tomorrow morning, in anticipation of the computer system being fixed in the interim.

[From the Sun-Times article:

The airline said Saturday that the problem had been fixed, blaming it on “a network connectivity issue.”

[From the NBC Chicago article:

At Los Angeles International Airport, United Airlines operations said there was a "nationwide computer malfunction."

… An NBC News producer at LAX reported that passengers were unable to check in unless they'd printed out their boarding pass prior to traveling to the airport.

Think about the implications...

Surveillant Society

One aspect of the Egyptian uprising (among the others, most ongoing) that was overpowered by the wild acclamation of social media is something that has been quietly but powerfully changing societal norms over the last decade. It is simply the inclusion, on almost every mobile phone sold, of a digital camera. When 90% of the active population can, at any time, record an event they are witness to, and transmit it to the rest of the world instantly, many rules begin to change.

“We have the technology, therefore we must use it!” (Fancier than “We can, so we must”)

The media loved the Lower Merion “webcamgate” case but ignores PC Rental Agent case?

June 17, 2011 by Dissent

I continue to be surprised at how little coverage I’m seeing in mainstream media about a case involving software that can and allegedly has take(n) remote screenshots of customers in their homes without their knowledge.

I’ve posted a few blog entries on the potential class action lawsuit against Aaron’s Inc, Aspen Way Enterprises (a franchisee), and DesignerWare LLC. But read Lisa Thompson’s coverage of what a former franchisee employee told the court last month:

A former sales manager at an Aaron’s store owned by a franchisee in the state of Washington told the judge that in her experience, the detective mode of the software, PC Rental Agent, was used not only in cases of “stolen” merchandise.

Some managers stored data that was collected secretly from customers’ computers, said Chastity Hittinger.

She said she had seen screen shots of customer’s bank accounts and Macy’s bills and a photo that captured a woman sitting at her computer smoking a marijuana water pipe.

When asked what the managers did with the data, she said, “They would just sit around and joke about it.”

Hittinger said she worked at a franchisee-owned Aaron’s in Moses Lake, Wash., between September 2009 and March 2010 and then sporadically until May 11, when she left on good terms.

Stay on it, Ms. Thompson, please. Stores have a right to reasonable security, but it sounds like people have no idea that they may be viewed in their homes. And I’ll bet dollars to donuts that customers do not wade through rental agreements to find any clause in there that may actually notify them of this – assuming for now that there even is such a clause.

This could be amusing...

2 Really Simple Ways To Send Audio Tweets To Twitter

Getting ready for my Intro to IT class...

Microsoft Helps Army Avoid ‘Death by PowerPoint’

… PowerPoint is already ubiquitous within the Army — to the chagrin of many an officer. Karle’s mission is much harder: stopping the Army from using it stupidly.

… In December, Karle launched a blog called, simply enough, Modern Presenter, that synthesized his experience giving endless presentations for Microsoft with the feedback he got from Burke and Doctrine Man.


What happens on the Internet in 60 seconds (Infographic)

Friday, June 17, 2011

So who should you be angry with? The hackers or the hackees?

Fraud Starts After Lulzsec Group Releases E-Mail, Passwords

June 16, 2011 by admin

Robert McMillan reports:

Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get US$712.00 in charges reversed after someone broke into her Amazon account and ordered it.

“They even had me pay for one-day shipping,” she said via e-mail Thursday afternoon.

Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their e-mail addresses and passwords to the Internet Thursday.

Read more on CIO.

[From the article:

It's not clear where all of the Lulzsec e-mail addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.

Think of it as a hacker scorecard...

Keeping up with the hackers (chart)

To see the whole chart on one page click here.

(Related) ...'cause we're gonna need one.

More than 10 million pieces of Malware spotted per day last month

The full report is online.

I wonder how many organizations have even considered how to respond? Looks like there is a large and growing number of consultants who have considered how to respond and unfortunately more than enough business for them all.

Out of the Closet After a Hack

June 16, 2011 by admin

Ben Worthen and Anton Troianovski report:

… How Epsilon handled to the breach is representative of how companies are shifting their responses to hacking incidents.

In the past, companies were typically caught off guard when a breach occurred and responses were often flat-footed, requiring updates and further clarifications to concerned customers.

Now an industry of experts—including lawyers, public-relations specialists and forensic investigators—has emerged to help companies determine what to disclose and how to reassure victims. Executives outside the computer room are also more aware of the threat posed by hacking, leading companies to formulate breach-response plans before an incident ever occurs.

The shift comes as hacking intrusions become more commonplace and experience shows that revealing an incident won’t necessarily cause lasting damage to a brand.

In fact, if a breach is handled well, “customer loyalty and your brand can actually improve,” said Lori Nugent, an attorney who specializes in breaches at Wilson Elser Moskowitz Edelman & Dicker LLP.

Read more on WSJ.

I’m prepared to accept that in the vast majority of breaches, there is no lasting damage or harm to brand, but I’d like to see data showing that loyalty or brand can improve following a breach if it’s handled well, so I’ve emailed Ms Nugent to ask her for additional information about her claim. If I hear anything, I’ll update this post.

'cause you need to track the anti-social network too.

Google Has A Way To Automatically Track What People Are Saying About You Online

June 17, 2011 by Dissent

Google just announced a new feature called “Me On The Web” which aims to help you monitor who’s talking about you on the internet.

Me On The Web can be configured to send you an email every time an article or blog mentions your name or email address. Also, Me On The Web provides you with resources to protect and cultivate your online identity, like a walkthrough for how to convince a webmaster to take information about you off their site.

Read more on Business Insider

Cheap IT has always been an illusion... Until now?

June 15, 2011

Research - To Move or Not To Move: The Economics of Cloud Computing

To Move or Not To Move: The Economics of Cloud Computing - Byung Chul, Tak Bhuvan Urgaonkar, Anand Sivasubramaniam, Computer Systems Laboratory Department of Computer Science and Engineering, The Pennsylvania State University, University Park, PA

  • "Cloud-based hosting promises cost advantages over conventional in-house (on-premise) application deployment. One important question when considering a move to the cloud is whether it makes sense for ‘my’ application to migrate to the cloud. This question is challenging to answer due to following reasons. Although many potential benefits of migrating to the cloud can be enumerated, some benefits may not apply to my application. Also, there can be multiple ways in which an application might make use of the facilities offered by cloud providers. Answering these questions requires an in-depth understanding of the cost implications of all the possible choices specific to ‘my’ circumstances. In this study we identify an initial set of key factors affecting the costs of a deployement choice. Using benchmarks representing two different applications (TPC-W and TPC-E) we investigate the evolution of costs for different deployment choices. We show that application characteristics such as workload intensity, growth rate, storage capacity and software licensing costs produce complex combined effect on overall costs. We also discuss issues regarding workload variance and horizontal partitioning."

Something to amuse my students

Who Is Winning & Losing in the Tech Talent Wars? [INFOGRAPHIC]

Thursday, June 16, 2011

“Hey, we were only off by 80%...”

Citigroup reveals breach affected over 360,000 cards

June 16, 2011 by admin

John Ribeiro reports that Citigroup has updated its initial statement about its breach. Their updated statement is likely to fuel debate about time frames for disclosing breaches.

It now seems that over 360,083 credit card accounts in North America were accessed by the hacker(s) during the compromise of its card account management website in May. Some of those accounts, however, were duplicates or already-closed accounts, resulting in the bank having to reissue a total of 217,657 cards along with a notification letter.

Citigroup has been criticized for delaying in communicating to customers that their personal data had been compromised. The details released on Wednesday confirm that Citibank issued notification letters to customers on June 3, over 20 days after it detected a data breach.


The majority of accounts impacted were identified within seven days of discovery. By May 24, the bank confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data, Citigroup said. [I have an idea – use a computer! Bob]


Citigroup joins the ranks of those who are having to defend what the public seems to see as significant or unacceptable delays in revealing breaches. The bank says it discovered the breach on May 10 (but when did it occur?). They say that by May 24, they had confirmed the full extent of information accessed. Under the provisions of a bill proposed by Congresswoman Mary Bono Mack, they would have had to reveal the breach by May 26 at the latest – and there’s some debate as to whether entities should be allowed to wait until they have fully confirmed so much. As it was, the bank started sending out letters on June 3 but did not publicly acknowledge the breach to the media until June 9 after Financial Times contacted them and pushed for a response – almost a full month after discovery of the breach.

Ignorance (of computer security) can be costly – but this seems a bit draconian.

Owners of hacked computers will be punished, says official

June 15, 2011 by admin

Wow. Look at this news from Turkey:

Computer users whose computers are hacked by Anonymous, an international group of hackers that has vowed to attack government websites in protest of an Internet filter system the government plans to introduce in late August, will be held legally accountable for the use of their computers in the attack, an official at the Ministry of Transportation and Communication has said.

Head of the Internet Council, a part of the ministry, Serhat Özeren, said on Tuesday that if a user’s IP address is detected as having been used in an Anonymous attack, they will be held responsible. Özeren warned users to take computer safety measures, including password protection for Wi-Fi modems and updating the latest security software and installing firewalls to protect their computers from hacker intervention.

Read more on Today’s Zaman

New economy, new methods of bank robbery.

$500,000 Worth of Bitcoins Stolen

"A Bitcoin user allegedly has had $500,000 worth of Bitcoins stolen from him. A hacker supposedly gained access to the user's home computer and managed to get the user's wallet.dat file, which contained the cryptographic keys that allowed him to drain the user's balance."

With all that public(?) data out there, this was inevitable.

FTC Okays Social Media Background Check Company

"The FTC has dropped its investigation of a new company that runs social media background checks and ongoing Internet/social media monitoring of employees, determining its compliant with the Fair Credit Reporting Act. So make sure your gun photos are private and that you're not part of any 'Legalize marijuana' Facebook groups."

[From the article:

Andrews says that in a given pool of candidates they screen, there are usually 20% who don’t pop up in an Internet/social media screen (“despite what some media have claimed, we don’t see a no-hit candidate as a negative thing”), 60% have a neutral or positive Internet footprint (“we’ll flag positive things in addition to the negative, such as awards received or an active presence on an industry blog”), and 5-20% of applicants have something negative out there about them. In an executive screen of older candidates, it’s closer to 5%, but in an applicant pool for a lower level of job with younger applicants who are more likely to have an Internet presence, it hits that higher 20%.

The company only provides monitoring services if a client has a social media policy set up with its employees. Most of the time, Social Intelligence is scanning the Web for employees’ disclosure of confidential or proprietary information, professional misconduct, or illegal activity. Andrews said though that monitoring does sometimes extend to looking to make sure an employee isn’t criticizing the company somewhere or getting into Internet fights with colleagues. (The company will not monitor ex-employees.)

Why outsource this? For one, it can be hard to keep track of lots of employees. Plus Social Intelligence has proprietary technology for linking people with pseudonyms or online names they might use in place of the offline name known to their employer. For another, Social Intelligence can screen out information that an employer shouldn’t see — or risk discrimination charges — such as an employee’s religion or sexuality (depending on the state), before sending their report along.


ProfileDefenders: Get Help In Protecting Your Company’s Online Reputation

(Related) This was more than inevitable...

British Tax System Uses Web Robots To Find Cheats

"HM Revenue & Customs (HMRC) is extending its campaign against tax cheats with the news that it will use web robots to trawl cyberspace. The system will check eBay and Google to identify traders who aren't declaring all their earnings. From the article: 'The decision to target cyberspace to hunt down those evading tax comes as HMRC continues its campaign to recover around £7 billion lost to the Treasury each year. It is thought that this latest development, the use of ‘web robots’, will help HMRC track down rogue eBay and Gumtree businesses, as well as people earning second incomes by acting as private tutors. It will also help it hunt down so called cash-in-hand handymen and traders.'"

(Related) On the other hand...

Iceland Taps Facebook To Rewrite Its Constitution

"Iceland is finally overhauling its constitution, and it has turned to the Internet to get input from citizens. More specifically, the 25-member council drafting the new constitution is reaching out to its citizens through Facebook. Two thirds of Iceland's population (approximately 320,000) is on Facebook, so the constitutional council's weekly meetings are broadcast live not only on the council's website, but on the social network as well. 'It is possible to register through other means, but most of the discussion takes place via Facebook,' said Berghildur Bernhardsdottir, spokeswoman for the constitutional review project."

Bypassing Big Brother...

Look Ma, No Internet! Free Software Gives Text-Messaging New Reach

Here’s how it works: After downloading and installing the Frontline SMS software to a computer (it works on Windows, Mac or Linux), you use a USB cable to attach a cell phone or GSM modem with a SIM card. With Frontline SMS open and running, you can then create groups of contacts and send them messages. Any text they send back will appear on screen and be added to a database of messages.

(Related) Using plain language to defeat the censors. Obvious and brilliant.

Jargon Watch: Antilaser, Steppenwolf Planets, Diabetes Belt

Lianghui n. Chinese euphemism for protest. After the government began censoring certain words, including Egypt and Tunisia, on the Internet, activists adopted the Communist party’s lingo for two successive political meetings—lianghui—so that censoring calls for dissent would entail blocking news about state proceedings.

Wednesday, June 15, 2011

Less than half the size of the VA laptop theft, but proof that the lesson was not learned...

Missing: Laptop with 8.6million medical records

By Dissent, June 14, 2011

Mike Sullivan reports on a huge data breach in the UK:

A laptop holding the medical records of eight MILLION patients has gone missing.

The computer vanished from an NHS building in the biggest-ever security breach of its kind.

It went missing three weeks ago but has only just been reported to police.

The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures.

The data does not include names but patients could be identified from postcodes and details such as gender, age and ethnic origin.

The computer was one of 20 lost from a store room at London Health Programmes, a medical research organisation based at the NHS North Central London health authority.

Eight have been recovered but a search is still being carried out for the other 12.

Though the loss was reported as a theft it is not yet clear if the laptops, said to be worth £10,000 each, were stolen, mislaid or dumped. [Where were the recovered laptops found? Bob]

The records include details of cancer, HIV, mental illness and abortions.

A source said: “This laptop would be a devastating tool in the hands of a blackmailer.”

Police were said to be “dismayed” that the loss – which is also being probed by the Information Commissioner – was not reported earlier.

Sourcee: The Sun

So what will the ICO do with this one? The fact that they’re not sure what happened to the laptop is troubling, as is the issue of why the data were not encrypted (I assume they’re not or that would have been mentioned).

Update: The ICO issued this statement:

“Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach.”

[From the article:

Releasing the withheld information could “tip off” the thief to the significance of the information on the computer, he said.

South Carolina Press Association Executive Director Bill Rogers called that logic “bogus.”

“How is that going to compromise anything other than embarrass the hospital a little bit?” he asked. “It’s nothing that the criminal doesn’t already know.

… Rogers said that under the state Freedom of Information Act, withholding victims’ names from incident reports is acceptable only in cases involving sex crimes or when the victim is a juvenile.

Discovered at the end of March. Every patient is probably (at least) concerned, why not release more information? Indications are the laptop was not encrypted.

Spartanburg hospital, police keeping quiet on details of stolen laptop investigation

By Dissent, June 14, 2011

Stephen Largen provides an update on a breach mentioned previously on this blog:

Spartanburg Regional Healthcare System and the Spartanburg County Sheriff’s Office are keeping many of the details of an ongoing investigation into a stolen laptop computer secret from the public.

The laptop was reported stolen from an SRHS employee’s vehicle in late March and compromised the personal and medical billing information of an undisclosed number of patients.

SRHS waited until May 27 to inform affected patients of the breach.

SRHS has refused to disclose how many patients had information on the stolen computer, and numerous callers to the Herald-Journal have expressed frustration with the lack of information released by the health care system.

Read more on,

I still do not see this incident on HHS’s breach tool, so either they have delayed reporting or the incident affected less than 500 people. I guess we’ll have to wait to see but since they already notified patients, I would think that they should have been able to notify HHS without compromising any investigation into the theft.

For additional links to media coverage on this breach, see the reference links in the entry in

Is this the answer we will see for companies which don't implement encryption?

Chrome encrypts Gmail whether you want it or not

This is fast becoming the 'crime of choice.' Apparently it is quite simple to execute and conversion (getting your hands on cash) is easy and relatively risk free.

Update: Cleveland debit card spree getting bigger as more than 1 dozen banks, credit unions affected

June 14, 2011 by admin

More on a breach reported previously on this blog, from Teresa Dixon Murray of the Plain Dealer, who has been all over this breach for the past few weeks:

The local debit card fraud breach that was discovered last month is much wider than first realized, striking just about every major bank in the area and some of the biggest credit unions across Northeast Ohio.

At least eight banks — Key, Dollar Bank, Fifth Third, PNC, Huntington, Charter One, Ohio Savings and FirstMerit — are now known to be affected by the breach, a Plain Dealer review of dozens of police reports show.

And more than half a dozen credit unions — including Century Federal Credit Union, whose members include the Cleveland Clinic and Cavs/Quicken Loans — were also hit.


Coniglio said his credit union has tallied about 200 customers whose accounts were hit.


North Olmsted Police Department logged about 20 reports of debit card abuse in the last few weeks. Middleburg Heights has some three dozen reports.

No one knows, or is saying, exactly how widespread the breach is. Most of the large banks contacted would not or could not specify how many debit fraud complaints they’ve had related to this case. However, Charter One did say it had at least 50 fraud complaints connected to one west side restaurant, which was originally thought to be the source of the breach.

Read more on Cleveland Plain Dealer.

Defining CyberWar

China's Cyberassault on America

If we discovered Chinese explosives laid throughout our national electrical system, we'd consider it an act of war. China's digital bombs pose as grave a threat.

“It's so simple, even a caveman can do it!” So imagine how simple it is for an App to do it... Another indication that users consider security to be an annoyance rather than a benefit?

The Most Common iPhone Passcodes

"The problem of poor passwords is not confined to computer use, and that fact was illustrated by an app developer who has added code to capture user passcodes to one of its applications. 'Because Big Brother's [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes,' says Daniel Amitay. It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten."

Moving credit card processes into the Cloud. Should be a useful perspective...

PCI council publishes additional virtualization guidance

… The additional guidance published on Tuesday examines the different classes of virtualization seen in payment environments and explains them. These classes include virtualized operating systems, as well as hardware, platforms, and networks. The system components that constitute these virtual systems, and PCI DSS scoping information for each one, are also addressed.

Moreover, practical methods and concepts for deployment, including suggestions for controls, recommendations for mixed-mode and cloud-based environments, and risk assessment are covered as well.

The supplement also includes an appendix that provides examples of virtualization implications for specific PCI DSS requirements and suggested best practices for addressing them.

Interesting in that we are starting to see the rules for “crowdsourced surveillance” There are more cameras than employees to monitor them, so this type of business has potential – if the rules don't kill it.

CCTV website rapped on privacy

June 14, 2011 by Dissent

From Wire News Services:

A website set up to allow the public to report crime seen via CCTV footage has been forced to make significant changes to the way it operates.

Internet Eyes offers rewards of up to £1000 for crimes such as shoplifting seen via live CCTV footage streamed to the homes of members.

The Information Commissioner’s Office (ICO) demanded changes after footage from the service was found on YouTube.

Images transferred over the internet must now be encrypted. The firm must also carry out checks on registered viewers and audit which viewers are watching which clips.

By July the firm must also ensure that no viewer can access footage from cameras located within a 30 mile radius of the viewer’s location.

Read more on Herald de Paris.

Speaking of surveillance...

Exclusive: Google's Web mapping can track your phone

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company's effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster then they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they're tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you--even if you never intended it to become public.

This will be huge! (If it upheld on appeal)

Judge: Comerica must pay company hit in phishing attack

June 14, 2011 by admin

David Ashenfelter reports on a ruling in a case with potentially huge implications, EMI v. Comerica (past coverage):

Comerica bank must reimburse a Sterling Heights sheet metal company $561,000 it lost in an Internet phishing attack, a federal judge has ruled in what may be the first such case nationally to be tried to a verdict.

U.S. District Judge Patrick Duggan said the bank should have detected and stopped the fraudulent activity against Experi-Metal shortly after it began in January 2009.

The company’s lawyer, Richard Tomlinson of Troy, said he was elated by Monday’s ruling.

Read more on Detroit Free Press.

[From the article:

The 2009 attack occurred after Experi-Metal’s controller unwittingly typed in the company’s password to its bank accounts in response to what he thought was a request from Comerica.

In the hours that followed, an unknown Internet fraudster initiated 97 wire transfers totaling $1.9 million from Experi-Metal’s accounts to destinations overseas. The theft was discovered by another bank which alerted Comerica, which recovered all but $561,000.

This is hugely confusing. Perhaps some wise and kindly law professor will explain the logic to me?

Schools May Punish Students for Off-Campus, Online Speech

Global Cooling! Global Cooling! (Sorry, I can't help finding these stories...)

Big Drop In Solar Activity Could Cool Earth

"Scientists say the Sun, which roils with flares and electromagnetic energy every 11 years or so, could go into virtual hibernation after the current cycle of high activity, reducing temperatures on Earth. As the current sunspot cycle, Cycle 24, begins to ramp up toward maximum, scientists from the National Solar Observatory and the Air Force Research Laboratory independently found that the Sun's interior, visible surface, and corona indicate the next 11-year solar sunspot cycle, Cycle 25, will be greatly reduced or may not happen at all."

A useful list... and I love lists.

The Top 10 Best How-To YouTube Video Channels







Make Magazine


Khan Academy


Tuesday, June 14, 2011

This is not a new technique, but (apparently) not everyone has taken note and corrected the hole in their security.

Revealed: How Citigroup hackers broke in ‘through the front door’ using bank’s website

June 14, 2011 by admin

Lee Moran reports:

Hackers who stole the personal details of more than 200,000 Citigroup customers ‘broke in through the front door’ using an extremely simple technique.

It has been called ‘one of the most brazen bank hacking attacks’ in recent years.

And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories.

They simply logged on to the part of the group’s site reserved for credit card customers – and substituted their account numbers which appeared in the browser’s address bar with other numbers.

It allowed them to leapfrog into the accounts of other customers – with an automatic computer programme letting them repeat the trick tens of thousands of times.

Read more on The Daily Mail.

Security Breach: The gift that keeps on giving...

OR: Portland-area debit card fraud could be related to Michaels PIN skimming

June 14, 2011 by admin

A rash of card fraud reports over the weekend in Beaverton, Oregon may be linked to the breach of some Michaels Stores.

Brent Hunsberger reports:

A number of Portland-area residents reported their debit cards either were compromised or canceled suddenly over the weekend, and Beaverton police said at least one case was related to a data breach earlier this year at Michaels Stores Inc.

Bill Johnson, a customer at First Tech Federal Credit Union, discovered $800 in unauthorized ATM withdrawals on Saturday, while a spokesperson at Advantis Credit Union said it saw a spike in debit card fraud over the weekend. Several U.S. Bank customers reported their debit cards were canceled without notice.

Beaverton Police Department spokeswoman Pam Yazzolino said it referred one case to the U.S. Secret Service, which is investigating the Michaels breach.

Michaels reported last month that Personal Identification Numbers pads at close to 90 stores had been tampered with between Feb. 8 and May 6, exposing payment cards to possible fraud. The tamperings occurred at two stores in Beaverton as well as stores in Tualatin, Roseburg, Springfield and Medford, the company has said.

Some PIN numbers have been used fraudulently since then, company officials said. But in Beaverton, illegal charges using those PINs might be just beginning to show up, Yazzolino said.

Doug Marker, vice president for loss prevention and safety at Michaels, said today via a spokesperson that “it cannot be assumed that all fraud experienced by any Michaels shopper is necessarily connected to Michaels.”

Read more on The Oregonian.

If the Beaverton fraud is Michaels-related, it would be another reminder why people shouldn’t assume that if their information isn’t misused within days, they’re safe, despite any entity’s claims of “We have no evidence of misuse” issued days after breach disclosure.

Related: Past coverage of the Michaels Store breach.

An attention getter?

LulzSec Hacks the US Senate

"LulzSec might not be as famous as Anonymous — they're really best known for hacking sites they like, to prove a point about security — but they may have just raised their profile significantly, posting what appears to be data taken from an internally facing server at the US Senate. However, the fun-loving group might find that the Senate reacts a lot more harshly to intrusions than, say, PBS did."

The group also recently grabbed data from Bethesda Softworks.

(Related) Hummm... I'll need to study this.

Rep. Mary Bono Mack Releases Discussion Draft of SAFE Data Act

June 13, 2011 by admin

The following statement was issued by Rep. Mary Bono Mack today:

Calling a recent dramatic increase in cyber attacks “a threat to the future of electronic commerce,” Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, today released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification.

“With nearly 1.5 billion credit cards now in use in the United States – and more and more Americans banking and shopping online – sophisticated hackers and cyber thieves have a treasure chest of opportunities to ‘get rich quick’. The SAFE Data Act will provide American consumers with better safeguards in the future,” Congresswoman Bono Mack said in releasing the discussion draft of her legislation.

The Subcommittee on Commerce, Manufacturing and Trade will hold a legislative hearing on the much-anticipated draft on Wednesday (June 15) at 10 am in 2322 Rayburn House Office Building.

Scheduled to testify are the Honorable Edith Ramirez, Commissioner, Federal Trade Commission; Jason Goldman, Telecommunications and e-Commerce Counsel, U.S. Chamber of Commerce; Robert Holleyman, President and CEO, Business Software Alliance; Stuart Pratt, President and CEO, Consumer Data Industry Association; and Marc Rotenberg, Executive Director, Electronic Privacy Information Center.

Congresswoman Bono Mack’s efforts build on legislation passed by the House in 2009 but not acted upon in the Senate. Most importantly, it reflects the changing landscape of data breaches and data security since that time. It also encompasses many of the lessons learned in the aftermath of massive data breaches at Sony, Epsilon and Citigroup, which put more than 100 million consumer accounts at risk.

“You shouldn’t have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit ‘enter.’ E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security,” Bono Mack continued. “Most importantly, consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

The Federal Trade Commission (FTC) estimates that nearly 9 million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually – and those numbers are growing steadily and alarmingly. Just as troubling, Congresswoman Bono Mack says the frequency and scope of these breaches is “causing incalculable damage to consumer confidence when it comes to shopping and banking online.”

A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner. Non-profit organizations such as universities and charities would be required to comply with the legislation.

Additionally, the SAFE Data Act grants the FTC the ability to expand the definition of “personally identifiable information” so long as this new data poses a reasonable risk of identity theft or would otherwise “result in unlawful conduct.”

Following several recent hearings examining this growing problem, Congresswoman Bono Mack says it’s time for Congress to take action.

“These eye-popping data breaches only reinforce my long held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and the SAFE Data Act will help to accomplish this goal.”

The text of the discussion draft can be viewed by clicking here.

[From the Draft:


A security policy...

The identification of an officer [or other individual] as the point of contact with responsibility for the management of information security.

A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system [...] which shall include regular monitoring for a breach of security of each such system.

A process for taking preventive and corrective action...

A process for disposing of data in electronic form

About time?

Report from first health care privacy conference

By Dissent, June 14, 2011

Andy Oram writes:

Strange that a conference on health privacy has never been held before, so I’m told. Privacy in health care is the first topic raised whenever someone talks about electronic health records–and dominates the discussion from then on–or, on the other hand, is dismissed as an overblown concern not worthy of criticism. But today a conference was held on the subject, prepared by the University of Texas’s Lyndon B. Johnson School of Public Affairs and held just a few blocks from the Capitol building at the Georgetown Law Center as a preconference to the august Computers, Freedom & Privacy conference.

The Goldilocks dilemma in health privacy

Policy experts seem to fall into three camps regarding health privacy. The privacy maximalists include the organizers of this conference, notably the Patient Privacy Rights, as well as the well-known Electronic Privacy Information Center and a number of world-renowned experts, including Alan Westin, Ross Anderson from Cambridge University, Canadian luminary Stephanie Perrin, and Carnegie Mellon’s indefatigable Latanya Sweeney (who couldn’t attend today but submitted a presentation via video). These people talk of the risks of re-identifying data that was supposed to be identified, and highlight all the points in both current and proposed health systems where intrusions can occur.

On the other side stand a lot of my closest associates in the health care area, who intensely dislike Patient Privacy Rights and accuse it of exaggerations and mistruths. The privacy minimalists assert that current systems provide pretty good protection, that attacks on the average person are unlikely (except from other people in his or her life, which are hard to fight systematically), and that an over-concern for privacy throws sand in the machinery of useful data exchange systems that can fix many of the problems in health care. (See for instance, my blog on last week’s Health Data Initiative Forum)

Read more on O’Reilly Radar.

Full Disclosure: was a sponsor of the conference, although I was unable to attend due to other commitments.

[Some resources from the conference:

'We're from the government and we're here to help you!”

Federally-Mandated Medical Coding Gums Up IT Ops

"The change over from a medical coding system in use since the 1970s to an updated version that adds more than 50,000 new 7-character codes is being compared to Y2K as an IT project that is nearly impossible to complete on time. [A government specialty... Bob] ICD-10, which replaces ICD-9, adds far more granularity to medical diagnosis and treatment. For example, ICD-9 has one code for a finger amputation. In contrast, ICD-10 has a code for every finger and every section of every finger. An 'unfunded mandate,' [Also a government specialty Bob] the change over to ICD-10 codes is a multi-year project for hospitals, state Medicaid organizations, and insurance providers. The effort, which affects dozens of core systems, is taxing IT operational budgets at a time when shops are already under the gun to implement electronic health records."

(Related) Data volumes are exploding... Interesting video.

Daniel Kraft: Medicine's future? There's an app for that

Maybe I should emulate Jay Leno and drive antique cars...

Nissan car secretly shares driver data with websites

June 13, 2011 by Dissent

Dan Goodin reports:

Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found.

The Nissan Leaf is a 100-percent electric car that Nissan introduced seven months ago. Among its many innovations is a GSM cellular connection that lets drivers share a variety of real-time data about the car, including its location, driving history, power consumption, and battery reserves. Carwings, as the service is known, then provides a number of services designed to support “eco-driving,” such as break downs of the vehicle’s energy efficiency based on comparisons with other owners.

But according to Seattle-based blogger Casey Halverson, Carwings includes the detailed data in all web requests the Nissan Leaf sends to third-party servers that the driver has subscribed to through RSS, or real simple syndication. Each time the driver accesses a given RSS feed, the car’s precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver’s destination if it’s programmed in to the Leaf’s navigation system, as well as data available from the car’s climate control settings.

Read more in The Register.

(Related) Why “location” is popular...

Adobe's CTO Pitches 'Apps Near You' Concept

"Next-generation applications will be location-specific, offering users information and features related to where they are at any given moment, Adobe Systems CTO Kevin Lynch, said at the Open Mobile Summit conference. 'Apps near you,' as he called the idea, would pop up on mobile screens when a user is close to a specific location. Lynch showed the example of someone with a Samsung tablet visiting a museum and being able to download a guide application."

(Related) More fun things you can do with “location”

Chinese Spying Devices Installed On Hong Kong Cars

"Spying devices disguised as electronic border cards have been secretly installed on thousands of Hong Kong vehicles by Chinese authorities, according to a Hong Kong newspaper. A translation of the story states Chinese authorities have been installing spying devices on all dual-plate Chinese-Hong Kong vehicles for years, enabling a vast network of eavesdropping across the archipelago."

Law Enforcement is so much easier if everyone is a criminal...

Petition for Rehearing Filed in United States v. Nosal, the Ninth Circuit Case on Criminalizing Violations of Computer Use Policies

June 14, 2011 by Dissent

Orin Kerr writes:

A petition for rehearing was recently filed in United States v. Nosal, the Ninth Circuit decision holding that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer. I have posted a copy here. I hope the Ninth Circuit grants rehearing, as I think the Nosal case is both wrong on the law and deeply troubling for civil liberties in the Internet age.

Overstatement? I don’t think so. It seems to me that if the federal government can arrest you and throw you in jail for violating a computer use policy — any computer use policy — then the government can arrest pretty much anyone who uses a computer. Most people who use computers routinely violate computer use policies: While we understand that such policies may have force from the standpoint of breach of contract, no one thinks that breaching a computer use policy is the same as hacking into the computer. TheNosal case would change that. Under its reasoning, breaching a written policy is treated the same way as hacking. And as computers become more and more ubiquitous, the power to arrest anyone who routinely uses a computer is the power to arrest anyone.

Read more on The Volokh Conspiracy.


June 13, 2011

Report - FBI Expands Surveillance Power of Agents

NYT: "The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing."

(Related) I guess we can expect more like this...

First Challenge To US Domain Seizures Filed

"You may recall that the US government, mainly through Homeland Security's Immigration and Customs Enforcement division (ICE) has been seizing domain names over the past year, based on bad evidence, even leading to the 'accidental' seizure of 84,000 sites. While it has taken some time, the first challenge has been filed to the domain seizures, by the company Puerto 80, who runs Rojadirecta, a Spanish internet forum that was seized because users linked to streaming sporting events. Rojadirecta was declared perfectly legal (twice!) in Spain, but the challenge obviously focuses on US law, and how the seizure was improper and did not meet the qualifications for a seizure, how the seizure violates the First Amendment by being improper prior restraint on protected speech, and how Rojadirecta is not guilty of criminal copyright infringement. This could represent a very important case in determining the government's legal right to simply seize domain names."

Oh good. We get to see what they looked like before the mug shots...

June 13, 2011

GPO Releases Congressional Pictorial Directory: 112th Congress

"The U.S. Government Printing Office (GPO) has made available the Congressional Pictorial Directory: 112th Congress on GPO’s Federal Digital System (FDsys), a one-stop site to authentic, published Government information. GPO employees designed and created the Pictorial Directory, which features a color photograph of each Member of the House of Representatives and the Senate and details each Member’s length of service, political party affiliation, and congressional district. The Pictorial Directory also contains pictures of the President, Vice President, and House and Senate officers and officials."

Because Infographics are interesting...

The Six Biggest Websites On The Internet Compared [Infographic]

Monday, June 13, 2011

Is this an act of war? Would the US tolerate a similar system here?

US underwrites Internet detour around censors

The Obama administration is leading a global effort to deploy “shadow” Internet and mobile phone systems that dissidents can use to undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks.

The effort includes secretive projects to create independent cellphone networks inside foreign countries...

… Some projects involve technology that the United States is developing; others pull together tools that have already been created by hackers in a so-called liberation-technology movement sweeping the globe.

The State Department, for example, is financing the creation of stealth wireless networks that would enable activists to communicate outside the reach of governments in countries like Iran, Syria and Libya, according to participants in the projects.

In one of the most ambitious efforts, United States officials say, the State Department and Pentagon have spent at least $50 million to create an independent cellphone network in Afghanistan using towers on protected military bases inside the country. It is intended to offset the Taliban’s ability to shut down the official Afghan services, seemingly at will.

… Developers caution that independent networks come with downsides: repressive governments could use surveillance to pinpoint and arrest activists who use the technology or simply catch them bringing hardware across the border.

… Mrs. Clinton has made Internet freedom into a signature cause. But the State Department has carefully framed its support as promoting free speech and human rights for their own sake, not as a policy aimed at destabilizing autocratic governments.

That distinction is difficult to maintain, said Clay Shirky, an assistant professor at New York University who studies the Internet and social media. “You can’t say, ‘All we want is for people to speak their minds, not bring down autocratic regimes’ — they’re the same thing,” Mr. Shirky said.

(Related) A “Shadow Internet” also preserves targeting information... An example of “Open Source Intelligence.”

June 12, 2011

NATO Leveraging Twitter for Airstrikes in Libya

Wired: "In the early days of the Libya war, U.S. commanders were adamant that they didn’t communicate with the Libyan rebels about what targets to bomb. As it turns out, they don’t need to. They’ve got Twitter. NATO officials conducting air strikes on forces loyal to Moammar Gadhafi don’t have soldiers on the ground to spot for the warplanes and armed drones overhead. (Well, at least not officially.) But they do have a barrage of tweets about Gadhafi’s troop movements in beleaguered cities like Benghazi and Tripoli, all of which come in handy when picking out targets.We get information from open sources on the Internet, we get Twitter,” British Wing Commander Mike Bracken told AFP. Another NATO official attested, “Twitter is a great source.” None of which is to say that an errant tweet is enough to launch a Hellfire missile. NATO flies AWACS surveillance planes over Libya, as well as other spy aircraft and satellites, to aid with targeting. NATO officials assure that they don’t just set targeting coordinates based on what someone says over Twitter — just that Twitter has value as a source of tactical intelligence."

This should be amusing...

Hackers Expose 26,000 Sex Website Passwords

"Passwords and email addresses of almost 26,000 members of adult website have been released on the internet by the notorious hacking group LulzSec. To add to the victims' humiliation, LulzSec called on its followers to try the email/password combinations against Facebook, and tell friends and family of the users that they were subscribers to a pornographic website. In addition LulzSec released passwords belonging to the administrators of dozens of other adult websites, and highlighted military and government email addresses that had signed up for the xxx-rated services."

You would think Anonymous would be better at hiding...

Turkish Police Nab 32 Suspects Tied To Anonymous

"Following the arrest of three alleged 'Anonymous' members by Spanish authorities on Friday, Turkey's state-run news agency has reported that police have detained 32 individuals allegedly linked to the hacktivist group. The Anatolia news agency said today that the suspects were taken into custody after conducting raids in a dozen cities for suspected ties to Anonymous. The group recently targeted Web sites of the country's telecommunications watchdog, the prime minister's office and parliament as a protest to Turkey's plans to introduce Internet filters."

1984 has come and gone, but Big Brother is forever! Facebook? Really?

UK: Cabinet Office talks to Facebook & co about new ID system

June 13, 2011 by Dissent

Kelly Fiveash reports:

Facebook and other social networks could be used by British citizens to sign into public services online, The Register has learned.

A Cabinet Office spokeswoman confirmed to us this morning that the department was speaking to “a range of industry” about its ID assurance scheme, a prototype for which is expected in October this year.

Cabinet Office minister Francis Maude said in the House of Commons last month that “people will be able to use the service of their choice to prove identity when accessing any public services [via the internet].”

Read more in The Register.

Right. Because it’s not like this is any national ID scheme under another name and it’s not like identities on social media platforms are ever compromised or fake.

TelecomTV has some pointed commentary about the proposal:

The Cabinet Office has already launched a damage limitation exercise. According to Kelly Fiveash, wring in The Register, a government spokeswoman claims that “no data will be held by the government through the ID assurance scheme.” However. as Kelly Fiveash points out, this is because the ID authentication process will be farmed-out to private sector companies such as social networking sites and banks.

In which case, God help us.

Interesting. I don't see any indication that Comcast has people dedicated to thei service – it seems they simply send 'alerts' to customers. More “Home Surveillance” than Security.

Comcast Offering Home Security Bundle

"Bloomberg reports that media giant Comcast has begun offering home security bundles with cable or phone service in selected markets. From the article: 'The Philadelphia-based company is starting Xfinity Home Security in seven markets for $39.95 a month. It lets users remotely adjust lights and thermostats, watch cameras, and get e-mail or text alerts when doors and windows are opened and closed. Customers can watch live video of their homes on an Xfinity website or with an Apple Inc. iPad application.'"

For my Data Mining and Data Analysis students.

How Journalists Data-Mined the Wikileaks Docs

"Associated Press developer-journalist extraordinaire Jonathan Stray gives a brilliant explanation of the use of data-mining strategies to winnow and wring journalistic sense out of massive numbers of documents, using the Iraq and Afghanistan war logs released by Wikileaks as a case in point. The concepts for focusing on certain groups of documents and ignoring others are hardly new; they underlie the algorithms used by the major Web search engines. Their use in a journalistic context is on a cutting edge, though, and it raises a fascinating quandary: By choosing the parameters under which documents will be considered similar enough to pay attention to, journalist-programmers actually choose the frame in which a story will be told. This type of data mining holds great potential for investigative revelation — and great potential for journalistic abuse."

For my Computer Security students:

Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers

Malicious hackers use the very same technology that enables online banking, entertainment and myriad other communication services to attack these very applications, steal user data, and then cover their own tracks.