Saturday, June 25, 2011

Interesting at several levels. Open government in the land of Big Brother. A cautionary tale for politicians who use electronic tools (Mr. Obama) Lots of collateral damage (his dentist?) is Blair liable for that?

Hackers leak Former British PM Tony Blair data

June 24, 2011 by Dissent

Elinor Mills reports:

Hackers today released what looks like personal information on former British Prime Minister Tony Blair and contents of his electronic address book, including contact data for what could be his dentist, mechanic and members of Parliament.

A link to the data on the Pastebin Web site was sent out on Twitter from the account of “TeaMp0isoN” along with a message saying “Tony Blair should be locked up, he is a war criminal.” Earlier in the day, the account had tweeted that it was targeting Blair for his support of the war in Iraq.

Read more on cnet

(Related) I wonder how many organizations believe their security isn't adequate. That is what they are saying, right?

Telstra Fears LulzSec Attacks, Hesitates On Internet Filter

After the earlier report that some of Australia's largest telcos (and ISPs) were to start censoring internet traffic based on a blacklist, rdnetto writes with the news that

"Telstra is now hesitating to deploy the internet filter it had previously promised to implement, fearing reprisals from online vigilantes."

The linked article specifically names LulzSec as the source of such reprisals.

I have visions (nightmares) of Social networks for Health data hat I can Opt Out of...

Google Health Creator Adam Bosworth On Why It Failed: “It’s Not Social”

After several years languishing in the backwoods of Google’s server farms, the company today decided to pull the plug on Google Health. Why didn’t the ambitious project to record your health record online and help you research your every ailment fail? I asked this to Adam Bosworth, the former Googler who originally created Google Health, a few weeks ago when he was in the TCTV studio to talk about his new health startup Keas.

In a sentence, “It’s not social.”

Never attribute to enemy action that which can be explained by simple stupidity.

Power Grid Change May Disrupt Clocks

hawguy writes with an AP story about upcoming tests of greater allowed variation in the frequency of the current carried on the U.S. electric grid: "

A yearlong experiment with the nation's electric grid could mess up traffic lights, security systems and some computers — and make plug-in clocks and appliances like programmable coffeemakers run up to 20 minutes fast."

[From the article:

The North American Electric Reliability Corp. runs the nation's interlocking web of transmission lines and power plants. A June 14 company presentation spelled out the potential effects of the change: East Coast clocks may run as much as 20 minutes fast over a year, but West Coast clocks are only likely to be off by 8 minutes. In Texas, it's only an expected speedup of 2 minutes.

Some parts of the grid, like in the East, tend to run faster than others. Errors add up. If the grid averages just over 60 cycles a second, clocks that rely on the grid will gain 14 seconds per day, according to the company's presentation.

How the Irish government views surveillance...

Pointer: Irish documents on interception of communications and surveillance

June 25, 2011 by Dissent

TJ McIntyre has helpfully uploaded some documents on interception of communications and surveillance in Ireland:

  • Interception and Data Retention Annual Report 2009/10

  • Covert Surveillance Report 2009-10

  • Revenue Surveillance Manual

Read the reports on his blog.

Why cops want to search cell phones? I can see my Ethical Hackers going two ways: Passive, renaming the “Cop Recorder” App to “Donate to the PBA” OR Aggressive, renaming all their Apps along the lines of “Live video chat with my Lawyer” and “Stream your Police encounter in Real Time” and “Information for ACLU Board Members”

LulzSec Document Dump Shows Cops' Fear of iPhones

"People are starting to comb through the details of the law enforcement documents made public by LulzSec. Blogger Kevin Fogarty noticed one interesting trend: The cops seem very anxious about iPhones, particularly apps that would allow encounters with police officers to be recorded. Ironically, the cops seem extremely concerned with protecting their own privacy, but the documents encourage police to examine iPhones during the course of interacting with the public to see what apps they have."

[From the article:

A document labeled "iphone apps- used against officers.doc" front-line officers encourages officers making an arrest to search for iPhones or other smartphones and look specifically to see what apps are running on them.

Specifically the document warns that an app called Cop Recorder can be activated while the phone is in a suspect's pocket to record what happens during an arrest, then upload the audio to a network server beyond the officer's reach.

This would seem a trivial number next to their first quarter profit of $3 billion, so...

Citigroup Cites $2.7 Million in Customer Losses From Hack

June 24, 2011 by admin

Randall Smith reports:

Citigroup Inc. has told government officials that about 3,400 of the customers whose credit-card information was hacked have suffered about $2.7 million in losses, according to people familiar with the matter.

The disclosure is the first acknowledgment by the New York company that the May security breach resulted in any losses. Citigroup has previously indicated it would cover any losses, saying customers wouldn’t be liable for unauthorized use of their accounts in connection with the attack.

Read more on WSJ.

...Why are they being so cheap in the customer relations area? (Is “too big to fail” also “too big to care?”)

Citi skimps on “standard” customer monitoring after security breach

June 24, 2011 by admin
Filed under Breach Incidents, Financial Sector, Hack, Of Note, U.S.


Reuters reports:

After a massive data breach last month, Citigroup did not offer its hacked clients the same degree of identity-theft protection that many other companies provide, drawing criticism from privacy advocates.

Citigroup, which had over 360,000 credit card accounts exposed last month, sent letters to affected customers this month with advice on protecting themselves against identity theft.

But unlike other large U.S. companies breached by cybercriminals, Citigroup did not offer to buy or give all affected customers a year of preventive credit file monitoring services, according to a sample of a letter the bank sent to many customers and filed with regulators in Maine.

Read more on Smart Business.

So let’s review: they don’t publicly disclose the breach until confronted by Financial Times and then they don’t make what has pretty much become a pro forma offer of free credit monitoring services? Did they miss the memo on public relations or is this just a company in serious need of an attitude correction?

Sucking up abandoned property? I wonder if there is such a thing as a “Quitclaim Copyright?” If so, I would be willing to sell my rights to the complete Harry Potter collection...

WIPO Talks May Portend Sweeping Broacast-Based Copyright

"It seems the nasty 'Broadcast Treaty' is rearing its head again in the WIPO talks. This would give a new copyright to what is uncopyrighted or out of copyright material to anyone who broadcasts the material. It essentially re-ups the copyright — not to the original copyrights holder, but to the broadcaster, without any contract to the original holder."

I wouldn't expect to see any action in this area since both sides assume the flaws work to their advantage. It will be interesting to see what the “hacktivists” do to them...

E-Voting Reform In an Out Year?

"Most of us know the many problems with electronic voting systems. They are closed source and hackable, some have a default candidate checked, and many are unauditable (doing a recount is equivalent to hitting a browser's refresh button). But these issues only come to our attention around election time. Now is the time to think about open source voting, end-to-end auditable voting systems and open source governance. Not in November of 2012, when it will, once again, be far, far too late to do anything about it."

It'll be interesting to see what e-voting oddities start cropping up in the current election cycle; Republican straw polls have already started, and the primaries kick off this winter.

So sad (yet funny)

Amish Man Busted in Buggy for Sexting

Friday, June 24, 2011

Sony in the news again. It's amazing what comes out after a breach (and before the Class Action) Makes it seem that Sony is doomed.

Sony laid off employees before data breach: Lawsuit

June 24, 2011 by admin

Reuters reports:

Sony Corp laid off employees in a unit responsible for network security two weeks before a massive data breach, according to a lawsuit filed this week.

Sony also spent lavishly on security to protect its own corporate information, while failing to do the same for its customers’ data, the proposed class action lawsuit alleges.


In a lawsuit filed in a San Diego federal court on Monday, a proposed class of Sony customers says the company knew it was at increased risk of attack because it had experienced prior, smaller breaches.

Read more on Times of India.

Now this is interesting/scary... and very slick.

Postal Inspectors Probe Gold Coin Purchases Made With Stolen American Express Cards

June 23, 2011 by admin

A reader sent along this item from CoinWeek, noting the interesting references to tampering with AmEx security:

U.S. Postal Service inspectors are investigating the fraudulent use of stolen American Express credit cards to purchase apparently tens of thousands of dollars of gold coins.

“The orders are placed by phone, often for $10,000 to $20,000 worth of Liberty Double Eagles or other, large-sized gold coins. The callers have a foreign accent and sometimes have problems pronouncing the name on the credit card. They’ll phone dealers and will correspond by email, but no one ever answers the phones when dealers try to call them back,” said Michael Fuljenz, President of Universal Coin & Bullion in Beaumont, Texas who has been working with postal inspectors on several cases.

“The callers want the coins shipped by overnight delivery to residential addresses in either Gaithersburg or Montgomery Village in Maryland, then phone or email back asking for the tracking number of the shipment. The location they give for delivery matches the address you get when you use the American Express address verification system; however, it turns out those are not the actual addresses of the victims whose stolen credit card numbers are being used,” said Fuljenz.

The four-digit verification codes and other information on the credit card are also seemingly correct when you check with American Express or the credit card processor. However, it appears that various precautionary security mechanisms may have been tampered with because it’s really not the right verification information despite the seemingly correct initial match up. The thieves may have somehow compromised the American Express records system.”

Fuljenz has provided evidence and assisted regional postal inspectors in Washington, DC in their recent investigations. He urges anyone with information or requiring assistance to contact Postal Inspector Christopher Saunders by phone at (202) 636-1484 or by email at, or contact Mike Fuljenz at (409) 658-4533.

Okay, you security folks: how can they do this?

Interesting management strategy...

Arizona Department of Public Safety hacked; LulzSec starts to reveal data reportedly acquired

June 23, 2011 by admin

With each day, LulzSec seem more and more to be “hactivists.” Today, they revealed what seems clearly to be a politically motivated hack/compromise. From their press release:

We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona.

The documents classified as “law enforcement sensitive”, “not for public distribution”, and “for official use only” are primarily related to border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements.

Every week we plan on releasing more classified documents and embarassing personal details of military and law enforcement in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust “war on drugs”.

Hackers of the world are uniting and taking direct action against our common oppressors – the government, corporations, police, and militaries of the world.

See you again real soon! ;D

The Arizona Republic reports that the AZDPS has confirmed that they were hacked. In a somewhat surprising statement:

Steve Harrison, a DPS spokesperson, confirmed late Thursday that the agency’s system had been hacked earlier in the day. He told 12 News the agency had heard rumors that someone was working on hacking the agency’s system, but DPS could not do anything until the system was actually breached. [And if the volume of data taken is any indication, they didn't do anything for some time after the breach. Bob]

Experts are working on closing the loopholes and have closed external access to the DPS system.

They couldn’t do anything like… um… unplug?

New options for minimal wording on those PR releases? My guess is that NATO probably wasn't told...

NATO e-bookshop discloses “probable” data breach

June 24, 2011 by admin

In an example of how to leave breach watchers scratching their heads, NATO issued the following statement on its site yesterday:

23 Jun. 2011

Probable data breach from a NATO-related website

Police dealing with digital crimes have notified NATO of a probable data breach from a NATO-related website operated by an external company. NATO’s e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data. Access to the site has been blocked and subscribers have been notified.

A little more transparency would be good, guys. What kind(s) of data did the attacker probably get? When did this probably happen? What should users probably do? I probably need more coffee before I read such notices.

If any reader actually received a notice from NATO’s e-Bookshop, please forward a copy to me via this site or so that we can include it in the database.

Kudos to The H for catching the notice.

They do things differently in the Ukraine...

16 cyber hackers detained

… The detainees, all "young men from the age of 26 to 33 with splendid technical educations", have been interrogated but remain free as no charges have yet been filed against them, said Vitaly Khlevitsky, an SBU spokesperson.

The alleged cyber thieves used an existing computer virus and internet servers in the US, UK, France, Germany, Cyprus and Latvia to identify targets and break into their accounts, he said.

The virus, Conficker, specialises in attacking the Windows computer operating system and shutting down its defensive sub-programs.

The men allegedly used a less virulent virus to infect user software and used automated messages to offer victims an anti-virus programme via the internet.

A multinational police task force on Wednesday raided 30 potential server sites in "several" nations and confiscated 74 computers and more than 300 memory devices. More than 40 bank accounts in Latvia and Cyprus are believed to have been used by the hackers to transport stolen funds, Interfax reported.

US officials said its Federal Bureau of Investigation had been monitoring the operations of the purported Ukrainian hacker group for more than three years.

The amount of money stolen by the hackers over that time period could be "substantially more" than $72m, Khlevitsky said.

Note to my Ethical Hackers. You don't need to swipe a card to read the data...’s SDK Makes Entering Credit Card Information As Easy As Taking A Snapshot is a new startup making its public debut today that’s looking to make lives easier for developers and users alike — by making inputting your credit card information as easy as holding your card in front of your phone’s camera for a few seconds. You can see the feature in action in the video...

Intellectual Property law is hard for judges and lawyers to understand, no wonder I find it a bit confusing...

Removal of Photo Credit Qualifies As DMCA Violation

"A federal appeals court in Philadelphia has reinstated a photographer's copyright lawsuit against a New Jersey radio station owner, after finding that a lower court came to the wrong decision on every issue in the case. Most significantly, the appeals court said that a photo credit printed in the gutter of a magazine qualifies as copyright management information (CMI) under the Digital Millennium Copyright Act (DMCA). The DMCA prohibits the unauthorized removal of encryption technology or copyright management information from copyrighted works."

(Related) It apparently confuses the lawyers who apply for patents too.

Microsoft's Virtual Skywriting Patent App Features the Real Thing

"GeekWire reports that Microsoft this week was awarded a patent on something it calls 'virtual skywriting', an augmented reality service that adds fake skywriting to scenes captured on a cell phone screen. Odd enough in its own right, but Microsoft also included an unattributed photo in the patent application which it described as 'an example of virtual skywriting in use,' although it certainly appears to be identical to a famous image of actual skywriting from a 2001 public art project. If that turns out to be the case, could the self-described opponent of half-baked patents and IP misuse find itself in hot water with the USPTO for using the 'prior art' to fake its fake skywriting?"

While I'm confessing my shortcomings, here's another area I don't understand. When did schools change places with parents?

MB: Schools ban posting of student photos online

June 24, 2011 by Dissent

Nick Martin reports:

Manitoba’s largest school division is trying to put the social-media genie back in the bottle just in time for graduation.

The Winnipeg School Division has adopted stringent privacy policies -increasing up its already rigid standards -in an effort to keep photo and video of its students off the Internet.

Anyone [That includes you Mom and Dad... Bob] recording a public event at the school, including those held after school, off-campus or at a school in another division, may do so only for personal use, [Is this a ban on journalists? Bob] and may not post on the Internet, the division says.

It’s a policy proponents say is meant to protect young children. But just how school officials can enforce it in the era of Facebook and social media is unclear.

“We believe student safety is paramount,” said trustee Kristine Barr, chairwoman of the policy/ program committee that recommended the changes to the board.

“It could be a holiday concert, a band recital, a sports game,” Barr said.

Principals will be responsible for notifying people attending school organized public events of the rules and it will be up to principals to ask people to take down any postings that violate the rules, Barr said.

“They’re welcome to do so for their own use, but they can’t be posted on the Internet,” she said. “Our hope is there’s going to be compliance.”

Barr would not talk about what steps the division could take if anyone refused to take down postings that violated the policy.

Read more in the Edmonton Journal.

While their proposal may sound like a serious over-reach, I would point out that here in the U.S., we also have similar rules. People who take photos of students in school or at a school event may not publish them or use them without written consent of those photographed and their parents. But those rules fall under our federal FERPA law and it’s not clear to me what a school district here would/could really do to enforce that other than suspend first and hope that the student or parents cave in.

This could be useful. The unsubscribing process can be tedious, confusing, and nearly impossible to complete.

Now You Can From Social Apps Too

When launched last October, the premise was pretty simple. You install it in your email, and any time you want to unsubscribe from a marketing email, you just hit the “Unsusbcribe” button and the service takes care of the rest.

Now the service is expanding to social apps. If you are like me, you have dozens of both Web and mobile apps that you’ve signed into with with your Facebook, Twitter, or LinkedIn ID. Some of these you keep using, some you forget about, but they still have access to your data unless you remove them.

Thursday, June 23, 2011

Nothing about WHY. I'd like to know if consumers are getting educated or are getting burned by the breaches.

A third of consumers withhold personal information online, DMA study claims

June 22, 2011 by Dissent

Oliver Luft reports:

More than one in three consumers withhold entirely information that could be used to identify them while engaging with brands online, a new study has found.


The number of consumers willing to provide name, address and email details has seen a substantial drop over the past six months, according to the study. Almost a third more people (31%) were unwilling to share this information online, compared with six months ago.

Read more on Marketing.

For my Ethical Hackers. If Google can bypass security, we can too...

Chrome Frame hops over PC lockdown barrier

One of the reasons I've been skeptical about Google Chrome Frame is that using the software was difficult for one of the prime audiences using the ancient Internet Explorer 6: those who had no choice.

That's because some corporations lock down computers so users don't get the administrative privileges needed to upgrade IE to a version less than a decade old or to install an alternative browser. With that lockdown, it also wasn't possible to install Chrome Frame, which implants Chrome's modern Web page rendering technology into Internet Explorer.

At Google I/O in May, Google announced that the developer version of Chrome Frame could sidestep the lockdown, though, and now the company is publicizing the move more broadly.

"Non-Admin Chrome Frame runs a helper process at startup to assist with loading the Chrome Frame plug-in into Internet Explorer. The helper process is designed to consume almost no system resources while running," said Google programmer Robert Shield in a blog post this week. "Once installed, non-admin users will have the same no-friction experience that admin users of Chrome Frame have today."

“We kinda think we need to do something about Security but we have no idea what that might be...”

DHS official says ISPs would likely be covered by Obama cybersecurity plan

June 22, 2011 by admin

Gautham Nagesh reports:

A top Department of Homeland Security cybersecurity official told lawmakers Internet Service Providers (ISPs) would likely be among the private-sector firms that would be subject to federal oversight under the White House’s proposed cybersecurity legislation.

At a hearing in front of the Senate Judiciary Subcommittee on Crime and Terrorism, DHS acting Deputy Under Secretary Greg Schaffer acknowledged that under the White House’s plan, ISPs would likely be among the private firms deemed critical infrastructure and therefore subject to federal security standards.

Read more on The Hill.

[From the article:

Schaffer emphasized that the administration's legislative proposal doesn't explicitly lay out which industries would be deemed critical and core critical infrastructure, but witnesses at Tuesday's hearing mentioned transportation, financial services, utilities and healthcare providers as among those sectors that could be included.

Subpanel Chairman Sheldon Whitehouse (D-R.I.) noted that ISPs are in a unique position to know when consumers' computers are under attack or have been enslaved by malicious botnets. He suggested ISPs should take action against infected devices in the event consumers are not aware of the breach. [Assuming they can reach into my computer and tell an infection from an Ethical Hacking tool... Bob]

This is quite depressing. It's bad enough that some firms don't log computer activity and therefore can't determine what happened or when it happened, now they tell us they don't keep any history for analysis. How does management determine if employees are doing their job?

Verizon Launches Service Based On Data Breach Report Methodology

Verizon Business is offering an security incident analysis service based on the Verizon Incident Sharing framework (VerIS), the foundation of the organization's highly regarded annual Data Breach Investigation Report (DBIR). The aim of the service is to generate metrics of an organization’s security incidents over time to discover the root causes of vulnerability and take preventive measures.

… "We see patterns when we study the community," said Wade Baker, director of research and intelligence and principal DBIR author. "The same kinds of problems occur over and over again."

… Organizations often have capable incident response, but typically deal with incidents as one-offs rather than collect information that could show patterns of successful attacks. "There’s a disconnect when we ask, ‘What kind of incidents have you had in the past?'" Baker says. "I’ve never been in an organization that can just print out a list of incidents of all types over the last two years so they can do risk analysis."

Attention e-Discovery experts and those who think they can communicate securely.

QuickForget: Securely Share Private Information Online & Set Its Expiration

Email and instant messaging are not suitable means to share private information online. What would be very helpful is a self-destructing message which expires after your contact views the information. This is precisely what QuickForget offers.

QuickForget is a free to use web service that lets you securely share sensitive information online. The site does not require any software download or account registrations. You simply type in the information, which you can code in whichever way you desire, and specify the number of views or time duration for which the information will be active. Your message is then put up on a public URL that is displayed to you.

Sharing this URL with friends and contacts takes them to the information page. When your message reaches the limits you set, it expires and URL visitors are told that the site has “forgotten the secret”.

Similar tools: OneTimeMessage, SelfDestruct, Norbt, and Send.

This can't be right (as in legal) can it?

"Expert Body" To Decide Which Sites To Block For Copyright Infringement

"Rights holders in the UK are proposing to appoint a 'council' and an 'expert body' to decide which websites should be blocked by ISPs for infringing copyright. The controversial Digital Economy Act made provisions for sites accused of hosting copyrighted material to be blocked by British ISPs. 'The cost of the proposed scheme is not indicated, but is likely to be substantial, including the running cost of two non-judicial independent bodies and the cost to ISPs of permanently blocking websites,' Consumer Focus said."

[From the article:

“We do not believe that it is appropriate for two non-judicial bodies to broadly interpret existing case law, effectively establish new copyright law, and direct the Applications Court to issue a permanent injunction, without a trial.”

(Related) Apparently Australia does it without even pretending there is a committee. It's done at the whim of Big Brother.

Australia's 2 Largest ISP's Start Censorsing the Web

"Looks like after Stephen Conroy's web filter went down in flames he went quietly behind the backs of Australians and struck a deal with Telstra and Optus to start filtering an undisclosed blacklist of sites from organization within and external to Australia. From the article: 'Electronic Frontiers Association board member Colin Jacobs also expressed concern at the scheme, saying the Government and internet providers needed to be more upfront about websites being blocked and offer an appeals process for website owners who felt URLs had been blocked unfairly. "There is a question about where the links are coming from and I'd like to know the answer to that," Mr Jacobs said."

Another reversal of myth? Research disproves “the obvious?”

Violent Games Credited With Reducing Crime Levels

"According to a research paper produced from a collaboration between the University of Texas and the Centre for European Economic Research, violent video games may induce aggressive behavior, but the incapacitation effect outweighs this and produces a genuine reduction in violent crime. This paper was referenced in a BBC news story giving reasons why the US crime rates are falling (at least outside the prisons!)"

Lots of Open (AKA free) resources.

OKCon11 Opens In Berlin

"The annual conference of the Open Knowledge Foundation will be held in Berlin. There will be different lectures about open data, open science, open access, etc. and different free workshops where hackers, volunteers, designers, etc. can participate learning new tools, or helping scientists to develop new prototypes for their research projects."

[A couple of examples:

Free is good!

Free Premium Download: WinX DVD Copy Pro

We have got a great honor to give an exclusive chance to download and enjoy WinX DVD Copy Pro to visitors. It’s a paid product, but now is being given away from June 22 to June 26, 2011. During this period, You can get this full licensed software for free without any functional limitations without doing anything. Yes, you just need to download it!

WinX DVD Copy Pro is specially designed to meet users’ up-to-date DVD backup demand; clone DVD to DVD disc for safe storage; copy DVD to ISO image for later burning, playing or ripping; copy DVD to MPEG2 file with intact content for further usage in media center, DVD library establishment and DVD playback in PS3, HTPC.

Wednesday, June 22, 2011

Interesting and possibly big. They know they have a problem but so far don't see the connection. Not normal. Note: Card Verification Value (CVV or CVV2)

Debit Breach Hits Ohio Accounts

June 21, 2011 by admin

Jeffrey Roman reports:

June 21 Update: The recent breaches that affected dozens of Northeast Ohio banks and credit unions were most likely caused by the interception of CVV2 card security codes, says Mike Urban, senior director of fraud product management at FICO.

It’s not a skimming situation,” Urban says of the breaches which started in April. “Likely, it was related to one or several attacks on a card-not-present merchant.”

The fraudsters, using stolen debit details, hit accounts with fraudulent signature-based transactions used for online and over-the-phone purchases.

Based on the number of organizations hit, tens of thousands of accounts may have been exposed.

Read more on BankInfoSecurity.

[From the article:

Fraudulent purchases, some of which neared $4,000, at Walmart, AutoZone and CVS were reported. Other transactions were initiated overseas, including some in Germany and the Philippines.

… CVV data can be captured when a magnetic stripe is skimmed. CVV2 data, on the other hand, is used for authenticating online or over-the-phone purchases. "[The CVV2] number is not on a magnetic stripe," Urban says. "When you're skimming, you can compromise the CVV stripe. But you don't get the CVV2, which is on the signature bar."

… "I'd be interested in knowing what the connection, besides location, these CUs [and banks] have with each other," he says "Shared ATM network or processor? There must be a single point of compromise, versus a fraudster just focusing on CUs in a particular location."

This sounds funny. Could the FBI really be this ham-handed? I doubt it. Although, if this is one of their warrant-less grabs, there was no detailed list of items to seize.

FBI Seizes Servers In Virginia

"The FBI has seized servers belonging to several clients of a hosting company in Reston, VA, disrupting service for many other clients. 'In an e-mail to one of its clients on Tuesday afternoon, DigitalOne’s chief executive, Sergej Ostroumow, said: “This problem is caused by the FBI, not our company. In the night FBI has taken 3 enclosures with equipment plugged into them, possibly including your server — we cannot check it.” Mr. Ostroumow said that the FBI was only interested in one of the company’s clients but had taken servers used by “tens of clients.” He wrote: “After FBI’s unprofessional ‘work’ we can not restart our own servers, that’s why our Web site is offline and support doesn’t work.” The company’s staff had been working to solve the problem for the previous 15 hours, he said.'"

“Shame on you!” is unlikely to be sufficient.

Canada’s privacy commissioner scolds Staples, eHarmony

June 21, 2011 by Dissent

Jeff Davis reports:

Staples Business Depot received a slap on the wrist from the federal privacy commissioner Tuesday for failing to protect customers’ personal information.

The business-supplies company was found to have been selling used data storage devices — such as computers, hard drives and USB sticks — without first wiping them clean of data.


Also criticized in Tuesday’s report was online-dating site eHarmony, which was found not to be giving users a clear option of permanently deleting their profile information from the site.

Read more on,

Related, from the Office of the Privacy Commissioner of Canada:

Unlikely this would pass in the US. Too much money involved.

Dutch parliament passes legislation on cookies opt-in

June 22, 2011 by Dissent

The lower house of the Dutch parliament has passed legislation requiring websites to get visitors permission before installing tracking cookies. The controversial legislation went through various versions before passing, from requiring permission for all cookies to mandating an opt-in only for third-party cookies that collect personal information or pass that information on to third parties. In the end all cookies will be subject to the Law on the Protection of Personal Information, meaning they can be questioned by the privacy regulator CBP and in court.

Read more on Telecompaper.

For my Disaster Recovery class. If you can recover from a Zombie caused business interruption, you can handle most anything...

Army Gets How-To Guide for Zombie Invasion

One day in the not-too-distant future, a mindless horde of cannibalistic killing machines will come shambling through the streets of America. And when that day comes, the U.S. Army will be on it faster than you can scream “BRAAIIIINNSS!”

Lucky for us, the Army Zombie Combat Command has put together a nifty manual on how to identify, fight, and kill those murderous mobs of the undead. Soldiers can now add the FM 999-3 Counter-Zombie Operations at the Fireteam Level to their arsenal – “the primary doctrinal reference on conducting fire team sized infantry operations in a Zombie infested environment in the United States.”

[NOTE: This is a Cloud hosted document and the owner has used up all his download bandwidth. Fortunately, you can grab a copy at Scribed:

For my Intro to IT class...

Tuesday, June 21, 2011

How to Use Google Bookmarks

One of the parts of the Google Across the Curriculum workshop that I ran today was about using Google Bookmarks. For most of the participants in today's workshop using a web-based bookmarking service instead of a browser-based service was a new and welcome concept. The slides below were the basis for the hand-outs that today's participants received. For more more Google tools tutorials like this one, check out my Google Tutorials page.

If you're wondering about the benefits of using a social bookmarking service, watch Common Craft's explanation below.

Tuesday, June 21, 2011

Sony continues to get a very expensive education in Computer Security. It makes you wonder if they are sharing solutions with their subsidiaries.

Sony Portugal latest to fall to hackers

June 20, 2011 by admin

On June 9, Chester Wisniewski wrote (but I missed):

The same Lebanese hacker who targeted Sony Europe on Friday has now dumped a database from Sony Portugal.

The hacker claims to be a grey hat, not a black hat, according to his post to

“I am not a black hat to dump all the database I am Grey hat”

Instead of dumping the entire database like many previous Sony attackers, idahc only dumped the email addresses from one table in Sony’s database.

He claims to have discovered three different flaws on, including SQL injection, XSS (cross-site scripting) and iFrame injection.

Read more on Naked Security.


Hackers claim 177K e-mails from Sony Pictures France

June 20, 2011 by admin

Erica Ogg reports:

Sony’s turn as the whipping boy for Internet hackers continued over the weekend. Two hackers posted a list of e-mails they say they took from the Sony Pictures France Web site.

The two hackers who claim responsibility are a Lebanese student who goes by the handle Idahc, and a French friend of his who goes by Auth3ntiq. The two say they copied 177,172 e-mails from the entertainment company’s site, but posted only 70 of them on the code-sharing site Pastebin. They say they will not be posting all of the e-mails they found.

Read more on cnet

In stark contrast to Sony... (See, it is possible for executive to learn.)

Executive Learns From Hack

June 21, 2011 by admin

Evan Ramstad reports about the lessons learned by one executive after the Hyundai Capital Services hack:

…His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does. Since the attack, Mr. Chung has spent weeks learning the ins and outs of network architecture, security infrastructure and the tradeoffs between data protection and customer satisfaction.

“If you lock the restroom and garage because you are trying to protect the jewelry in the bedroom, sooner or later, the rest of the family complains and finds a way around it,” Mr. Chung says. “Like everything, IT security needs a philosophy, and only the CEO can make that kind of a decision.”

So what were the main lessons learned?

  • Trust the authorities.

  • Stay open and transparent.

  • Learn IT and know where vulnerabilities are.

  • Create a philosophy that drives IT decisions.

  • Reassess plans for products and services.

Good lessons to learn, indeed.

Read more in the Wall Street Journal.

Steal once, cash in forever?

(update) Debit card breach affects several hundred card holders

June 20, 2011 by admin

The numbers of fraud reports related to the Michaels Store breach continues to climb. Jack Moran reports:

Federal authorities investigating a major data breach at craft retailer Michaels are fast becoming aware of its impact on debit card holders in Oregon.

During the past week, local police agencies from Portland to Medford have fielded several hundred reports apparently related to the extensive fraud case.

Eugene and Springfield police combined have received approximately 150 such reports, while Beaverton police have heard from about 50 people whose bank accounts were targeted in the scheme. Roseburg police say they’re aware of at least 70 additional cases, while Medford police saw a handful of reports trickle in last week.

Source: The Register-Guard. In other coverage, the Oregon Community Credit Union reported that 1300 of its customers were impacted by the breach.

The criminals seem pretty well organized as they seem to be moving from area to area or staggering when they start to use the card numbers they acquired. Given that stores in 20 states were found to be compromised, it will be interesting to see what the finally tally is on this one, if we’re ever told. Certainly there are a number of banks and credit unions that have replaced a lot of cards, although in many cases, that may just be proactive.

I see incidents like this and I wonder who wanted to access what and who did they pay to make it look accidental. I'd want to check the logs for this period of time.

Dropbox Password Goof Let Any Password Work For 4 Hours

"Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46pm PST." "

Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."

Truth or simply an attention grabber? Could it happen here?

Lulzsec 2011 census released

June 21, 2011 by admin

In a message that undoubtedly should send shudders down the spines of those involved in the security of UK census data, the hacking collective known as LulzSec posted a message on Pastebin yesterday:

Greetings Internets,

We have blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census

We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)

Myself and the rest of my Lulz shipmates will then embark upon a trip to ThePirateBay with our beautiful records for your viewing pleasure!

Ahoy! Bwahahaha… >:]

Assuming the veracity of their claims, I can only hope that they do not post/reveal everyone’s data but that they do explain how they got around the government’s putative security. (Note: Graham Cluley says Sophos is assuming it *isn’t* true until they see some proof; I guess I’m more pessimistic).

And would the hackers find (or scarily, have they already found) it as easy to acquire sensitive personal and medical data from the NHS and SCR (Summary Care Records) system? Privacy advocates have long expressed concerned about the security of the SCR system, and a massive compromise of that system could make the UK public less likely to trust it or want their records to become part of it. LulzSec already gave NHS one gentle warning, but what else have they accessed or acquired?

To date, LulzSec does not report that they have compromised any major U.S. health care databases but that may only be a matter of time. What would happen here should a large healthcare insurer’s database be acquired or a huge hospital system’s patient records database be compromised and posted online? How would that impact the development of large networked databases here? And what if they decided to take down a power grid “for the lulz?”

Back in the UK, Tamlin Magee comments on

An expert with high levels of access to government spoke on condition of anonymity to TechEye – and has told us that the only thing that will make us stand up and take note will be a truly catastrophic disaster. [Too may organizations like that. Bob] We are not talking data theft. We are talking significant, weighted attacks on the country’s infrastructure. Hospitals. Power grids. Airports. Data leaks are just the beginning.

This is not sensationalism. This is real. The entire country needs to wake up from its nap - Sony didn’t teach us squat, neither will this, if true, but it should.

Tamlin is right, of course. And to those who still have not taken security more seriously because “It can’t happen to us,” I would say, “How do you know it hasn’t already happened to you?” According to the hackers themselves, not every compromise has been revealed. So my question to our government and large private sector firms that amass huge quantities of data is this: what are you doing right now to harden your security? Are you still vulnerable to SQL injections after all these years and after all of the warnings you’ve had? If so, you’re still playing with fire but it is us who will get burned.

If true, what can we expect? 1) The kid had nothing to do with LulzSec, they just framed him to mislead the police. 2) The kid WAS LulzSec – all of it, and the threat to the free world is over. 3) Either way, LulzSec will seek revenge.

LulzSec Suspect Arrested By UK Police

"The UK's Police Computer e-Crime Unit (PCeU) has arrested a 19-year-old man in Wickford, Essex, in connection with the series of LulzSec attacks against organizations including the CIA, PBS and Sony. The man, who has been arrested under the Computer Misuse and Fraud Act, has had his house searched and a significant amount of material taken away by police for forensic examination. The PCeU worked with local Essex police and the FBI on the investigation."

Attention Ethical Hackers: The problem with fixing security vulnerabilities is that there is no requirement to fix nor any penalty for failure to fix (other than a security breach)

SSL/TLS Vulnerability Widely Unpatched

"In November 2009 a Man-In-the-Middle vulnerability for SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which described how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action. Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix. Here is an exemplary list of patched and unpatched sites, along with more background information. The patched sites demonstrate that patching is indeed possible."

There is also the downside of “everybody hates you”

Righthaven Loss: Judge Rules Reposting Entire Article Is Fair Use

A federal judge ruled Monday that publishing an entire article without the rights holder’s authorization was a fair use of the work, in yet another blow to newspaper copyright troll Righthaven.

It’s not often that republishing an entire work without permission is deemed fair use. Fair use is an infringement defense when the defendant reproduced a copyrighted work for purposes such as criticism, commentary, teaching and research. The defense is analyzed on a case-by-case basis.

Monday’s ruling dismissed a lawsuit brought by Righthaven, a Las Vegas-based copyright litigation factory jointly owned with newspaper publisher Stephens Media. The venture’s litigation tactics and ethics are being questioned by several judges and attorneys, a factor that also weighed in on U.S. District Judge Philip Pro’s decision Monday.

(Related) So I should be able to scan these real-time recommendations and instantly make programmed trades.

Appeals Court Deals Blow to ‘Hot News’ Doctrine

A federal appeals court cleared the way Monday for a financial-news website to publish stock market analysts’ private buy and sell recommendations in near-real time, striking a blow to a century-old legal doctrine that gave media companies control over the time-sensitive news they report.

… The ruling overturns an injunction handed down by a lower court in 2010, that forced the site Theflyonthewall to delay posting leaked stock market buy and sell recommendations. The recommendations were intended for bank clients that earn the banks at least $50,000 to $100,000 in trading commissions yearly; by making them available to the masses in near real-time, Theflyonthewall was violating its intellectual-property rights, that court ruled.

The 2nd U.S. Circuit Court of Appeals, though, found on appeal that Theflyonthewall was within its rights.

“We conclude that in this case, a firm’s ability to make news — by issuing a recommendation that is likely to affect the market price of a security — does not give rise to a right for it to control who breaks that news and how,” the appeals court ruled 3-0.

Perhaps they need smarter lawyers?

EFF and Bitcoin

For several months, EFF has been following the movement around Bitcoin, an electronic payment system that touts itself as "the first decentralized digital currency." We helped inform our members about this unique project through our blog and we experimented with accepting Bitcoin donations for several months in an account that was started by others.

However, we’ve recently removed the Bitcoin donation option from the Other Ways to Help page on the EFF website, and we have decided to not accept Bitcoins. We decided on this course of action for a few reasons:

At last, Canadian websites can end in .EH? And California wants both .DUDE and .FERSURE

June 20, 2011

ICANN Approves Historic Change to Internet’s Domain Name System

News release: "ICANN’s Board of Directors has approved a plan to usher in one of the biggest changes ever to the Internet’s Domain Name System. During a special meeting, the Board approved a plan to allow an increase in the number of Internet address endings - called generic top-level domains (gTLDs) - from the current 22, which includes such familiar domains as .com, .org and .net. “ICANN has opened the Internet’s naming system to unleash the global human imagination. Today’s decision respects the rights of groups to create new Top Level Domains in any language or script. We hope this allows the domain name system to better serve all of mankind,” said Rod Beckstrom, President and Chief Executive Officer of ICANN. New gTLDs will change the way people find information on the Internet and how businesses plan and structure their online presence. Virtually every organization with an online presence could be affected in some way. Internet address names will be able to end with almost any word in any language, offering organizations around the world the opportunity to market their brand, products, community or cause in new and innovative ways."

Who says my students won't read academic papers?

Sexting and Infidelity in Cyberspace: Humans Are Still Social Creatures Who Need Face-To-Face Contact, Study Finds

… The way we become involved in, and develop, relationships with others has changed dramatically over the last 20 years due to the increased availability of devices such as computers, video cams, and cell phones. These advances have had a significant impact on our social lives, as well as on the sexual aspects of our lives. These days, the internet is where the majority of people go to find sex partners.

… The survey posted on the "infidelity" website revealed the following results: Women were more likely than men to engage in sexting behaviors. Over two-thirds of the respondents had cheated online while in a serious relationship and over three-quarters had cheated in real life. Women and men were just as likely to have cheated both online and in real life while in a serious real-life relationship. In addition, older men were more likely than younger men to cheat in real life.

[The report: Download PDF (274.1 KB) View HTML

For my Geeks. It's Linux, but it does interesting things to Windows systems...

DOWNLOAD: 50 Cool Uses For Live CDs

It is perhaps the most useful tool in any geek’s toolkit, but do you realize all the things live CDs can help you with? If not, it’s time to read “50 Cool Uses For Live CDs”. This guide outlines just a few of the many uses live CDs can offer, and is a great resource for live CD beginners and enthusiasts alike.

DOWNLOAD 50 Cool Uses for Live CDs Read now on Scribd

Monday, June 20, 2011

Oh, the horror! Could this be the infrastructure attack that triggers the first CyberWar? It at least demonstrates the value of communicating with your customers...

Netflix down: website and streaming movies go offline, were they hacked?

… The Netflix blog and techblog make no mention of any issues, but the Twitter universe is full of people asking the question, is Netflix down? Has Netflix been hacked?

… As of 3:00 am Eastern time, Monday morning, neither the Netflix blog or the Netflix techblog has been updated since Friday, and the Official Netflix twitter channel has yet to mention anything about an interruption of service Sunday night. [Still nothing as far as I can see Bob]

I wonder if we'll hear more about this?

Feds Recruiting ISPs To Combat Cyber Threats

"The U.S. Department of Defense (DOD) and Department of Homeland Security (DHS) have established a pilot program with leading private defense contractors and ISPs called DIB Cyber Pilot in an attempt to strengthen each others' knowledge base regarding growing security threats in cyberspace. The new program was triggered by recent high-profile hacks of the International Monetary Fund and many others. But don't worry — Deputy Secretary of Defense William J. Lynn promises that the new program will not involve "monitoring, intercepting, or storing any private sector communications" by the DOD and DHS."

[From the article:

The Defense Industrial Base (DIB) Cyber Pilot program was started last month, Lynn said. The voluntary program involves sharing the DOD's classified threat intelligence with defense contractors and their private Internet service providers (ISPs), "along with the know-how to employ it in network defense." [So it is unlikely to include all ISP's Bob]

… Lynn broke down the types of new threats emerging into three categories: Suspected government-backed hacks of military and private sector networks, crude but disruptive attacks on networks from hacking groups such as Anonymous, and destructive attacks targeting critical infrastructure and military networks.

Among the recent high-profile cyberattacks in the first category he cited were security breaches that were possibly orchestrated by government agencies at the International Monetary Fund, Lockheed Martin, Google, NASDAQ, and Citibank. [I saw no indication of that. Bob] Lynn also said the French Finance Ministry and European Commission "had suffered major intrusions in recent months."

Infographics (the movie) If this virus had targeted the US, would we now be at war?

A Weapon Camouflaged In Code

[Also available here:

Apparently, they are trying to force iPad users to pay for access. Also apparently, they don't understand how the Internet works...

NY Post Goes App-Only For iPad Users

"Browsing the web this morning, I discovered that the New York Post is blocking iPad users from reading its website via Safari. Instead, iPad users must download and use the NY Post App instead. That app previously required a paid subscription (which is one reason I didn't use it); however, the version I downloaded this morning isn't making any demands for payment. Yet."

[From the article:

… apparently no one there noticed or cared that users of other iPad browsers like Skyfire and Opera Mini can slip right in.


Annoyed with blocking iPad (and only iPad) traffic? Turn off JavaScript under Safari preferences and the site works again.

The horrors of selling a product people will actually use!

June 19, 2011

Average U.S. Smartphone Data Usage Up 89% as Cost per MB Goes Down 46%

News release: "The mobile Data Tsunami initially described here is still growing at an astounding pace. According to Nielsen’s monthly analysis of cellphone bills for 65,000+ lines, smartphone owners – especially those with iPhones and Android devices — are consuming more data than ever before on a per-user basis. This has huge implications for carriers since the proportion of smartphone owners is also increasing dramatically. (Currently, 37% of all mobile subscribers in the United States have smartphones.) In just the last 12 months, the amount of data the average smartphone user consumes per month has grown by 89 percent from 230 Megabytes (MB) in Q1 2010 to 435 MB in Q1 2011. A look at the distribution of data consumption is even more shocking: data usage for the top 10 percent of smartphone users (90th percentile) is up 109 percent while the top 1 percent (99th percentile) has grown their usage by an astonishing 155 percent from 1.8GB in Q1 2010 to over 4.6GB in Q1 2011.


Will Capped Data Plans Kill the Cloud?

"With the introduction of its Chromebook, Google is betting big on the Cloud. As is Apple, with its iCloud initiative . So too are Netflix and Skype. Unfortunately, their very existence is threatened by data-capping carriers, who have set a course to make sure that the network is NOT the computer. 'I don't know what the solution is,' writes David Pogue. 'I don't know if anyone's thinking about this. But there are big changes coming. There are big forces about to shape our lives online. And at the moment, they're on a direct collision course.'"