Saturday, July 30, 2011

Hackers have a process for a light-speed attack. Do banks (any organizations) have people and a process for immediate response?

Bank recovers some of $28K stolen from Eliot account – but was this crime preventable?

OK, now this is somewhat disturbing: it appears that even when a bank was warned that accounts were about to be raided, they failed to prevent it.

David Ramsay reports:

TD Bank has notified the town it has recovered a portion of the $28,000 stolen on July 12 from the town’s direct deposit bank account.

“We have received some of it back. I can’t tell you the exact amount; I don’t have that information,” Town Administrator Dan Blanchette told the Board of Selectmen on Thursday night. “I suspect it’ll take two weeks before we know much more.”

A former Washington Post staffer Brian Krebs, who now blogs on security issues, had alerted the town’s controller and TD Bank on July 11, prior to the theft, that town accounts likely were being raided by computer crooks overseas.

TD Bank was unable to detect any unusual activity and later missed the withdrawals by the thieves.


Did the town change the passwords on its accounts as soon as they were warned? Did the bank put an additional lawyer [Layer? But a lawyer would be a good idea too Bob] of security on the town’s accounts after they warned? What happened here? It’s not usual to have a reporter call you with a warning (and thumbs up to Brian for taking the time and effort to try to prevent the crime). So why wasn’t this crime prevented?

How seriously should we take these hacks? That depends on how secure the systems were in the first place. If the hackers are getting in by trying simple/common passwords, like “password” then the system was never intended to be secure in the first place.

Hackers strike government cybersecurity contractor

Hackers flying the AntiSec banner today released what they said was 400 megabytes of internal data from a government cybersecurity contractor, ManTech, as part of their campaign to embarrass the FBI every Friday, as well as target other government agencies and their partners.

"Today is Friday and we will be following the tradition of humiliating our friends from the FBI once again. This time we hit one of their biggest contractors for cyber security: Mantech International Corporation," the hackers said in a statement on PirateBay.

"What ManTech has to do with the FBI? Well, quite simple: In Summer 2010 the FBI had the glorious idea to outsource their Cybersecurity to ManTech. Value of the contract: 100 Million US-Dollar," the statement said. The batch of documents mostly involves NATO, another ManTech client, along with the Department of Homeland Security (DHS), U.S. military branches, and the State and Justice departments, according to the hackers. There was a rumor on Twitter that one of the files in the data release contains a Trojan horse, but another Twitter post said that was a false positive.

“We respect our users' privacy... At least, we respect how much money it makes us.”

Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged

Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics.

But the researchers say the site is using sneaky techniques to prevent users from opting out of being tracked on popular sites, including the TV streaming site

KISSmetrics is a 17-person start-up founded in 2008 and based in the San Francisco Bay Area. Founder Hitten Shah confirmed that the research was correct, but told Friday morning that there was nothing illegal about the techniques it was using.

“We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” Shah said. “I would be having lawyers talk to you if we were doing anything malicious.”

Shah says KISSmetrics is used by thousands of sites to track incoming users, and it does not sell or buy data about those visitors, according to Shah. After this story was published, the company tweeted a link that explains how its tracking works

The research was published Friday by a team of UC Berkeley privacy researchers that includes veteran privacy lawyer Chris Hoofnagle and noted privacy researcher Ashkan Soltani.

“The stuff works even if you have all cookies blocked and private-browsing mode enabled,” Soltani said. “The code itself is pretty damning.”

The researchers dug into’s tracking code and discovered the KISSmetrics code. Using it, Hulu was able to track users regardless of which browser they used or whether they deleted their cookies. KISSmetrics used a number of methods to recreate cookies, and the persistent tracking can only be avoided by erasing the browser cache between visits.

They also say that Shah’s defense that the system is not used to track people around the web doesn’t hold up.

“Both the Hulu and KISSmetrics code is pretty enlightening,” Soltani told in an e-mail. “These services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags…) creating a perpetual game of privacy ‘whack-a-mole’.”

Berkeley researcher Soltani, who consulted for the Wall Street Journal’s reporting on privacy, notes that the code includes function names like “cram cookie.”

One of the techniques used involves using something called ETags in the browser cache, a once-theoretical technique that’s never before been seen in the wild on a major site, according to the researchers.

The research also found that many top websites have adopted new ways to track users using HTML5 and that Google tracking cookies are present on 97 of the top sites, including government sites such as

The full report from the Berkeley researchers

This works only if you can identify encryption, which looks a lot like random noise or sensor data.

Pakistan Tries To Ban Encryption

"Pakistan has a new Telecoms Law going into effect, which requires widespread monitoring of internet usage. In response, new reports are saying that the country is banning encryption, including VPNs, because it would interfere with the ability of ISPs to monitor internet usage."
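The point above, that ciphertext is hard to tell apart from noise, is easy to check. What follows is an added Python example, not code from the original post or from any of the articles it quotes. It scores byte streams by Shannon entropy, the crude test a monitoring ISP could apply, against three inputs: a constructed telemetry log, the same log under a demonstration-only stream cipher (SHA-256 in counter mode, assumed here purely as a stand-in for real encryption), and the same log merely zlib-compressed. The threshold, key and log format are the example's own assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimate bits of entropy per byte from the byte histogram (8.0 is the ceiling)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Demonstration-only stream cipher: SHA-256(key || counter) as keystream, XORed in.
    It exists here only to produce ciphertext-shaped bytes; use a real AEAD in practice."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def constructed_sensor_log(lines: int = 2000, seed: int = 1) -> bytes:
    """Constructed plaintext shaped like a telemetry feed (synthetic, seeded, not real data)."""
    rng = random.Random(seed)
    rows = [
        f"ts={1311984000 + i * 5} temp={rng.uniform(18, 30):.2f} "
        f"hum={rng.uniform(0.3, 0.9):.3f} status=ok\n"
        for i in range(lines)
    ]
    return "".join(rows).encode()


def classify(data: bytes, threshold: float = 7.0) -> str:
    """The naive test a traffic monitor might apply: high entropy => 'random-looking'.
    The threshold is an assumption for this example, not a published figure."""
    return "random-looking" if shannon_entropy(data) >= threshold else "structured"


def demo() -> dict:
    """Score plaintext, ciphertext and compressed data; returns the three verdicts."""
    plain = constructed_sensor_log()
    cipher = toy_stream_encrypt(b"example-key-not-secret", plain)
    packed = zlib.compress(plain, 9)
    return {
        "plaintext": classify(plain),
        "ciphertext": classify(cipher),
        "compressed": classify(packed),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>10}: {verdict}")
```

The telling result is the third line: compressed data scores as "random-looking" just like the ciphertext, so an entropy filter that blocks encryption also blocks every gzip'd web page, software update and media stream, which is why such bans end up being enforced by protocol fingerprinting and port blocking rather than by looking at the bytes.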

Without context, we still don't know what constitutes a “heavy user.” Related articles put the number at 2.5 GB per month, but the AT&T Press Release makes it look like a dynamic (constantly changing) 5% of users will be impacted. In other words, if you move a lot of data early in the billing period, they slow your connection, which allows other users to leapfrog into the “top 5%” which may or may not mean your speeds go back to normal.

AT&T To Start Data Throttling Heaviest Users

"AT&T has announced that starting on Oct. 1 it will throttle the data speeds of users with unlimited data plans who exceed bandwidth thresholds on its 3G network. AT&T is following in the tracks Verizon and Virgin Mobile in reducing data throughput speeds of its heaviest mobile data users."

[The AT&T Press Release:

One new measure is a step that may reduce the data throughput speed experienced by a very small minority of smartphone customers who are on unlimited plans - those whose extraordinary level of data usage puts them in the top 5 percent of our heaviest data users in a billing period. In fact, these customers on average use 12 times more data than the average of all other smartphone data customers. This step will not apply to … the vast majority of smartphone customers who still have unlimited data plans.

Now avoiding cliches is as easy as pie!

5 Websites For The English Writer That Help In The Search For Clichés


Cliché Finder

Sports Clichés

Cliché Web

101 Clichés

Friday, July 29, 2011

See? It can be done! I'd like some additional details, like the costs of software, end-user training, etc. Clearly the $6,000,000 figure is largely the cost to “do it over, correctly.” What are their ongoing costs?

TN BlueCross Encrypts All Data After 57 Disks Stolen

"After dozens of hard disk drives were stolen from a leased facility in Chattanooga, potentially exposing the personal data of more than 1 million customers, BlueCross decided to go the safe route: they spent $6 million to encrypt all stored data across their enterprise. The health insurer spent the past year encrypting nearly a petabyte of data on 1,000 Windows, AIX, SQL, VMware and Xen server hard drives; 6,000 workstations and removable media drives; as well as 136,000 tape backup volumes."

[From the article:

The company said it spent more than 5,000 man-hours on the encryption effort, which encompassed about 885TB of at-rest data.

BCBS said it is now encrypting all data on 1,000 Windows, AIX, SQL, VMware and Xen server hard drives; 6,000 workstation hard drives and removable media drives; 136,000 tape backup volumes; and 25,000 voice call recordings per day.

BCBS completed the encryption project in just over a year.

How does one distinguish theft by Spammers from theft by intelligence agencies or an act of war?

35 Million SK Telecom Accounts Stolen By Chinese Hackers

"South Korea's SK Telecom has revealed that earlier this week hackers stole 35 million account details from two sites. A portal called Nate Portal that provided e-mail services and a social networking site called CyWorld were the two targets by hackers who, SK Telecom claims, used IP addresses originating from China. From the article, 'The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.'"

The real reason for the Debt Ceiling kerfuffle?

Senators Want Secret Warrantless Wiretap Renewal

"A group of Senators are meeting in secret today, while most people are focused on the 'debt ceiling' issue, in order to try to rush through a renewal of the FISA Amendments Act, which expressly allowed warrantless wiretapping in the U.S. The law isn't set to expire until next year, but some feel that the debt ceiling crisis is a good distraction to pass the extension without having to debate the issue in public. The meeting is being held in secret, but it's not classified, so people can demand to know how their Senator voted."

Copyright Piracy is as evil as Child Pornography!

British Court Orders ISP To Block Filesharing Website In Potential Landmark Ruling

Document: FBI Surveillance Geeks Fear, Love New Gadgets

According to an internal FBI document (.pdf), the law enforcement agency has a keen interest in evaluating each new technology for its surveillance possibilities and challenges.

The FBI fears, for example, that 4G will require agencies to “deal with significantly higher data rates than in current wireless network intercepts,” according to the document. “Managing this ‘fire hose’ of data is complicated by the lack of buffering or reliable delivery requirements. … These higher data rates could place a greater emphasis on the filtering of data to identify specific content.”

To intercept VoIP, or voice-over IP traffic, in this environment, “voice packets will need to be extracted from the packet stream in near real-time,” the document states.

The unclassified document is a handy primer on all of the latest wireless technologies, presumably to help FBI engineers devise strategies for circumventing any surveillance obstacles the technologies might pose. Each technology section includes a discussion of the potential challenges to surveillance, but most of these discussions were redacted by the FBI before releasing the document. The document covers net neutrality, 4G, public Wi-Fi, anonymity services like Tor, and cloud storage and file-sharing services such as Dropbox, SpiderOak and SugarSync.

On the other hand, the FBI appears to be excited about the new opportunities for surveillance and evidence-gathering that Microsoft’s new Greenfield application might provide. Greenfield is reportedly an “activity-based navigation” system from Microsoft Research that will be able to track a phone user’s movements through a suite of sensors on the mobile phone, allowing a trail to be gathered indoors, where GPS tracking doesn’t reach.

There’s also a fascinating description of a device called Slurp (see below) that was developed by a former MIT Media Lab student. The device resembles a large eye dropper, and uses infrared ports to allow a user to easily slurp up (extract) and squirt out (inject) data from one device to another. The user touches the dropper to a file icon on a computer screen to slurp up the file, and then points it at a second display while squeezing the dropper to squirt the file back out.

Because of the device’s small and inconspicuous design, the document notes, the “act of capturing or transferring data may go undetected.” [Watch the video Bob]

In a show of irony, the document holds an uncharitable view of another cutting edge technology: an Apple patent for a “killswitch” that uses voice and facial recognition to shutdown an iPhone or its data if the device detects that the person using it is not the rightful owner. The FBI calls Apple’s concept “Big Brother-ish”.

(Related) One of my students has one of these, as a supplement to his smartphone, tablet and iPad. Imagine copying data to this device without ever removing it from your pocket... All for $200!!

GoFlex Satellite™ Mobile Wireless Storage

Take your media library with you. Stream it to your iPad®.

  • Take more than 300 HD movies on-the-go

  • Stream media over Wi-Fi to 3 iPads at the same time

  • Automatically sync media and documents from your PC or Mac® computer

  • Up to 5 hours battery life

Find me three engineers, quick!

Feds Giving Engineers and Scientists $50K to Learn to Start Companies

The Innovation Corps program — which starts in September at Stanford University — will give $50,000 to 100 different teams (3 or more people per team) every year to go through an intensive entrepreneurial education class. The I-Corps class will be modeled on a Stanford engineering class called Lean LaunchPad that was taught earlier this year by serial entrepreneur Steve Blank and a coterie of entrepreneurial thought leaders, technologists and venture capitalists.

Interesting service. Caution: Who owns the map? - Put Excel Addresses On A Map

This web service can take as many addresses as you have in the same document, and turn them into markers on a map that you can proceed to click upon at will.

Best of all, this service can be used absolutely for free. You can throw as many addresses as you wish at it, and they all will be handled with the same speed and precision.

Global Warming is real. It's just Al Gore's graphs that are bogus...

New NASA Data Casts Doubt On Global Warming Models

"Satellite data from NASA covering 2000 through 2011 cast doubt on current computer models predicting global warming, according to a new study. The data shows that much less heat is retained by carbon dioxide in the earth's atmosphere than is assumed in current models. 'There is a huge discrepancy between the data and the forecasts that is especially big over the oceans,' said Dr. Roy Spencer, a co-author of the study and research scientist at the University of Alabama."

Note: the press release about the study is somewhat less over the top.

This could be exceptionally useful. It could also be a way to support my online students!

Show Me What's Wrong - Help Your Friends With Their Computer Problems

Show Me What's Wrong is a free service offered by Screencast-O-Matic. The service is designed to help you help others with their computer problems. To use the service enter your name and email address to have a custom url assigned to you. You then send that url to the person who needs help. They open the link and can start recording their screens and talk about the trouble they're having. When they finish recording the screencast is sent directly to you. Watch the two minute video below to see Show Me What's Wrong in action.

[The video on Youtube:

Thursday, July 28, 2011

Another day where (apparently) nothing interesting happened?

Officer Friendly now Facebook friendly?

Fighting Crime With Facebook

"Demond Fernandez writes that Facebook has become a hot, new crime fighting tool for police in Conroe, Texas. Sergeant Joe Smart says Conroe police have been using its Facebook page to profile suspects and criminals since May — like a woman accused of stealing credit cards, masked gunmen caught on tape burglarizing a local store and a suspected computer thief, who the department's Facebook friends just helped police catch. 'It works. The witnesses are looking at it and they are giving us information,' says Smart. Police say Facebook friends in Conroe already helped them catch two wanted suspects and gather leads on several other open cases. Apparently the idea of using facebook to catch criminals is getting picked up in other places as the Toronto Police Service announced their goal is to have about 175 officers with online profiles by early November. 'We've prevented some pretty serious incidents simply because people reached out to the few police officers that were using social media,' says Constable Scott Mills, the force's social media officer. 'This is going to lead to a lot more trust and a lot more transparency.'"

Think of these as an “Anti-Cloud” Many useful alternatives are profiled...

3 Ways To Escape Cloud Storage Solutions If You Don’t Trust Them

Most major IT companies seem convinced that shoving everything into giant data centres in the sky is the solution to many essential computing tasks. Google has weaned us into the cloud over the last few years with documents, storage, email – all of Google services in fact; Apple is hot on their heels with the launch of iCloud; and Dropbox is ubiquitous for simple file sharing. But what if you don’t want all your stuff on someone else’s servers? What if you want it at home, where you can physically touch it and have complete control over it?

Let me show you how you can escape the cloud, without losing any of the functionality.

Because I like lists, especially lists of free stuff...

Top 10 Free Software Download Sites

Wednesday, July 27, 2011

How “anonymous” is Anonymous?

In ‘Anonymous’ Raids, Feds Work From List of Top 1,000 Protesters

It turns out there’s a method behind the FBI’s raids of suspected Anonymous members around the country. The bureau is working from a list, provided by PayPal, of the 1,000 internet IP addresses responsible for the most protest traffic during Anonymous’ DDoS attacks against PayPal last December.

FBI agents served 40 search warrants in January on people suspected of hosing down PayPal during “Operation Payback” — Anonymous’ retaliatory attack against companies who blacklisted WikiLeaks. On July 19, the feds charged the first 14 defendants under the Computer Fraud and Abuse Act, and raided an additional 35 suspects for evidence.

An FBI affidavit first published Tuesday by an NBC affiliate in Dallas lays out how the FBI decided on its targets, and suggests the bureau may have plenty more.

According to the affidavit, by FBI agent Chris Thompson, PayPal security officials were in close contact with the bureau beginning on December 6, two days after PayPal froze WikiLeaks’ donation account and the first day it began receiving serious denial-of-service traffic. FBI agents began monitoring Anonymous press releases and Twitter postings about Operation Payback, while PayPal collected traffic logs on a Radware intrusion prevention system installed on its network.

On December 15, the company turned over a USB thumb drive containing the Radware reports, which documented “approximately 1,000 IP addresses that sent malicious network packets to PayPal during the DDoS attacks.” The list represented the “IP addresses that sent the largest number of packets.”

Anonymous Affidavit
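The “top 1,000 by packets sent” list described above is a plain aggregation over IPS logs. The following Python is an added example, not code from the article, the affidavit, PayPal or Radware: it parses constructed flow records (the record format is invented for the example and the addresses are RFC 5737 documentation ranges), restricts them to the attack window, keeps only what the IPS itself dropped, and ranks source addresses by packet count. The window, field names and sample lines are all assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed IPS-style flow records. The format is invented for this example
# (it is not Radware's), and the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2010-12-08T14:02:11Z src=198.51.100.7 dst=203.0.113.10 dport=443 pkts=15200 action=drop
2010-12-08T14:02:11Z src=192.0.2.33 dst=203.0.113.10 dport=443 pkts=400 action=drop
2010-12-08T14:02:12Z src=198.51.100.7 dst=203.0.113.10 dport=443 pkts=14800 action=drop
2010-12-08T14:02:12Z src=198.51.100.200 dst=203.0.113.10 dport=443 pkts=9000 action=drop
2010-12-03T09:00:00Z src=192.0.2.33 dst=203.0.113.10 dport=443 pkts=99999 action=drop
2010-12-08T14:02:13Z src=192.0.2.9 dst=203.0.113.10 dport=80 pkts=50 action=allow
this line is garbage and must not crash the script
"""

# Assumed attack window for the constructed data (the real dates are in the affidavit).
ATTACK_WINDOW = (
    datetime(2010, 12, 8, 14, 0, tzinfo=timezone.utc),
    datetime(2010, 12, 8, 15, 0, tzinfo=timezone.utc),
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>[\d.]+) dst=[\d.]+ "
    r"dport=\d+ pkts=(?P<pkts>\d+) action=(?P<action>\w+)$"
)


def parse_records(text):
    """Yield (timestamp, src, pkts, action); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], int(m["pkts"]), m["action"]


def top_sources(text, start, end, n=1000, only_dropped=True):
    """Rank source addresses by packets sent inside [start, end), i.e. the
    'addresses that sent the largest number of packets' list the article describes."""
    totals = Counter()
    for ts, src, pkts, action in parse_records(text):
        if not (start <= ts < end):
            continue            # traffic outside the attack window is noise
        if only_dropped and action != "drop":
            continue            # keep only what the IPS itself judged malicious
        totals[src] += pkts
    return totals.most_common(n)


if __name__ == "__main__":
    for src, pkts in top_sources(SAMPLE_LOG, *ATTACK_WINDOW, n=3):
        print(f"{src:<16} {pkts:>8}")
```

Note what this ranks: an address, not a person. A home NAT, a campus proxy or a compromised machine in a botnet all put someone else's packets behind one IP, and an address seen only outside the window (the 99999-packet line above) is excluded precisely because it says nothing about the attack. That is why the affidavit pairs the list with warrants for the machines rather than treating it as a roster of defendants.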

If OnStar can do it, why can't Script Kiddies?

Expert hacks car system, says problems reach to SCADA systems

Researcher Don A. Bailey will be showing at the Black Hat security conference next week how easy it is to open and even start a car remotely by hacking the cellular network-based security system. Even more disturbing is the message that demonstration brings, that cars aren't the only things at risk.

"We are seeing more GSM [Global System for Mobile Communications]-enabled systems popping up in consumer culture and industrial control systems. They're not just in Zoombak [Global Positioning System] location devices and personal security control systems, but also in sensors deployed for waste treatment facilities, SCADA [Supervisory Control and Data Acquisition] and call-back systems, physical security systems, industrial control systems," Bailey, a senior security consultant at iSec Partners, said today. "These GSM modules open up that world to attacks in a whole new way."

...but it is Okay to search everyone equally?

Can school personnel search your child’s bra without individualized suspicion?

Can your teenage daughter’s school personnel lift or search her bra if the whole school is going through a search for drugs? Not if there’s no individualized reasonable suspicion of her, according to a North Carolina decision.

Via, from In re T.A.S., 2011 N.C. App. LEXIS 1472 (July 19, 2011):

Where the blanket search of the entire school lacked any individualized suspicion as to which students were responsible for the alleged infraction or any particularized reason to believe the contraband sought presented an imminent threat to school safety, the search of T.A.S.’s bra was constitutionally unreasonable and we reverse the trial court’s order denying her suppression motion.

“I'm shocked... Shocked!”

Chief NSA Lawyer Hints That NSA May Be Tracking US Citizens

"Responding to questions from the Senate Select Committee on Intelligence yesterday, Matthew Olsen, the NSA's general counsel, said that the NSA 'may', under 'certain circumstances' have the authority to track U.S. citizens by intercepting location data from cell phones, but it's 'very complicated.' 'There's no need to panic, or start shopping for aluminum-foil headwear,' says blogger Kevin Fogarty, but clearly the NSA has been thinking about it enough 'that the agency's chief lawyer was able to speak intelligently about it off the cuff while interviewing for a different job.'"

No Privacy implications here... Move along...

Digital Tattoo Gets Under Your Skin to Monitor Blood

Instead of the dye used for tribal arm bands and Chinese characters, these tattoos will contain nanosensors that read the wearer’s blood levels of sodium, glucose and even alcohol with the help of an iPhone 4 camera.

Dr. Heather Clark, associate professor of pharmaceutical sciences at Northeastern University, is leading the research on the subdermal sensors. She said she was reminded of the benefits of real-time, wearable health monitoring when she entered a marathon in Vermont: If they become mass-produced and affordable for the consumer market, wireless devices worn on the body could tell you exactly what medication you need whenever you need it.

“I had no idea how much to drink, or when,” said Clark, reflecting on her marathon run. “Or if I should have Gatorade instead.”

Clark’s technology could spell out the eventual demise of the painful finger pricks required for blood tests — assuming users have an iPhone, which Northeastern bioengineering grad student Matt Dubach has customized to read light from the tiny sensors to collect and output data.

For my Computer Security and Computer Forensic students.

How to Stop Cybercrooks: Take Their Pals to Court

The best way to stop the tide of global cybercrime may be to sue the pants off of the hosting companies and Internet Service Providers Online that are backing the crooks.

That’s the central conclusion of my policy paper, out today from the Brookings Institution. (You can find a very condensed version in Sunday’s Washington Post.)

No one knows exactly how big the cybercrime underground is. But it is huge. According to the British government, online thieves, scammers, and industrial spies cost U.K. businesses an estimated $43.5 billion in the last year alone. Crooks-for-hire will infect a thousand computers for seven dollars – that’s how simple it’s become. 60,000 new malicious software variants are detected every day, thanks in part to a new breed of crimeware that makes stealing passwords about as hard as setting up a web page. Even the Pentagon’s specialists are worried, noting in their new cybersecurity strategy that “the tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate.”

“Oh lookie. Thousands of angry Netflix customers. Let's offer them an alternative!”

Wal-Mart Jumps Into Video Streaming

"Today Wal-Mart has added streaming video to their website. What better time to compete with Netflix, now that they have raised their prices? On Wal-Mart's website, the movies will be available the same day the DVDs go on sale in stores. general manager Steve Nave said the retailer is following its customers as they increasingly embrace digital movie rentals and purchases. 'We know customers are starting to shift their behavior, in terms of how they consume their media,' Nave said, adding, 'As customers make that change, we don't want to lose that customer as they shift to digital.' Wal-Mart, long the nation's leading seller of DVDs, signaled its intent to double down on digital movie distribution in February 2010, when it spent a reported $100 million to acquire Vudu, a Silicon Valley start-up that was gradually being added to home entertainment devices."

(Related) Actually, the market is even larger...

July 26, 2011

Pew: 71% of online adults now use video-sharing sites

Video, Web 2.0 - 71% of online adults now use video-sharing sites by Kathleen Moore, July 26, 2011

  • "Fully 71% of online Americans use video-sharing sites such as YouTube and Vimeo, up from 66% a year earlier. The use of video-sharing sites on any given day also jumped five percentage points, from 23% of online Americans in May 2010 to 28% in May 2011. Rural internet users are now just as likely as users in urban and suburban areas to have used these sites, and online African-Americans and Hispanics are more likely than internet-using whites to visit video-sharing sites."

This is what happens when you think of technology as a tool...

7 Ways Google+ Users Are Getting More Out of Their Circles

Organizing your circles in Google+ can be the most confusing part of the new social network. Yet people are learning to embrace and even optimize their circles for better productivity, filtering and privacy.

We spoke with some Google+ mavericks about how they’ve corralled their circles to be more effective. Below, they share their clever tricks and best practices so you can learn from both their mistakes and their successes.

Tuesday, July 26, 2011

You would think that by now companies would understand what “Best Practices” mean where breach disclosures are concerned...

Estée Lauder employees notified that their data were on stolen laptop

In a notification letter dated July 13 that omits important details, the firm’s lawyer writes that the company “recently learned” about the theft of a company-issued laptop that contained names and Social Security Numbers of current and former employees and contractors for the firm.

The letter to the New Hampshire Attorney General’s Office does not state:

1. When the theft occurred.
2. When they first learned of the theft.
3. Where the theft occurred.
4. How the theft occurred. Was the laptop stolen from a car, a home, or what?
5. Which police department the theft was reported to and how employees can obtain copies of the police report.
6. How many people, total, had data on the stolen laptop.

The letter indicated that following the theft, the company changed all passwords assigned to the employee. But there is no mention of encryption at all in either letter. Does the company require such data to be encrypted, and if so, why wasn’t it? And if they didn’t require encryption before, why aren’t they requiring it now? Where is the somewhat standard inclusion of what steps the company is taking to reduce or eliminate the likelihood of this type of breach happening again?

If you’re an employee of the company, there’s a phone number for you to call if you have questions. Maybe you can get more details and information about the incident, and if you do, please let me know.

Perhaps Australia should spend more time on security than censorship?

Austrian TV users’ bank account data acquired by hackers

July 26, 2011 by admin

Associated Press reports:

The Austrian authority that collects state television fees from customers says hackers have stolen 214,000 data files from its server, including 96,000 containing sensitive bank account information.

GIS says the cyberattack by a group identifying itself as “AustrAnon” occurred Friday. It said Monday that it has started informing customers whose data has been stolen and is taking steps to improve security.

Austrian state television is partially funded by viewers’ fees.

The culprits are believed to be linked to the loosely knit hacker group “Anonymous,” known for cyberattacks worldwide.

AP seems to have gotten the name of the group wrong, as the associated Twitter account is @AnonAustria.

Monsters and Critics also covers the hack, reporting from DPA:

In an online statement, AnonAustria said its cyber raid was not intended to harm ORF customers, but highlight the broadcaster’s lax security.

‘Such sensitive data must not be stored over many years and must not be so easily available to everyone,’ the group said.

The Mr. Cracker site adds:

GIS spokesman Herbert Denk said. “We have already started to inform all the clients concerned personally and advise them to monitor especially closely all their bank account movements,”

The federal security and counter-terrorism bureau (BVT) was investigating the attack and planned to file a complaint against unknown persons, GIS added.

For more background on this group, see the Austria Independent.

See how easy this is when you actually log what happens and then have someone look at the logs?

Log management and network auditing led to AT&T insider's arrest

Court documents in the case of an AT&T support contractor, alleged to have leaked sensitive corporate information to Anonymous, reveal that log management and network auditing led to his eventual arrest last week by the FBI.

AT&T’s internal investigation into the data breach discovered an IP address on their network visited at the same time the confidential information was accessed without authorization. Drilling down into network logs, the IP address itself was assigned to a pool of IPs allocated to Convergys contractors. At the time of the breach there were 19 contractors connected to the server where the documents were stored.

These sorts of data breach scenarios underscore the importance of applying intelligence to the logs that virtually all companies collect. It isn't enough to simply capture logs of system activity. You must be able to act on the data you collect,” commented Dwayne Melancon, the VP of Products at Tripwire.

Further network auditing revealed that of the 19 contractors, only “Moore’s AT&T username accessed both, and the servers containing the AT&T Confidential Information,” the FBI affidavit explained.

“Indeed, Moore’s username was used to download the AT&T Confidential Information shortly before that same information was uploaded to and made publicly available.”

Adding to the case, AT&T’s examination of Internet usage reports show that before the leaked documents were uploaded to, Moore’s username was linked to Google searches for uploading files, file hosting, and uploading zip files. Convergys’ network logs also show Moore’s username accessing and several times after the breach occurred, and on the day of the breach he was present in the office.
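The two-step narrowing the affidavit describes, as an added example in Python that is not code from the article or from AT&T's investigation: first the usernames that reached the confidential host from the contractor address pool around the breach time, then the subset that also reached the upload host shortly afterwards. The log lines, the address pool and the host names are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample access log (not the real case's records): timestamp, source IP, username, host.
ACCESS_LOG = """\
2011-07-10T09:12:04Z 10.20.5.17 jdoe docs.internal.example
2011-07-10T09:13:40Z 10.20.5.23 asmith docs.internal.example
2011-07-10T09:15:02Z 10.20.5.23 asmith filehost.example
2011-07-10T09:14:10Z 10.20.5.31 bwhite mail.internal.example
2011-07-10T09:20:00Z 192.0.2.44 cjones docs.internal.example
2011-07-10T11:40:00Z 10.20.5.17 jdoe filehost.example
"""

# Assumed address pool allocated to the contractor firm (hypothetical value).
CONTRACTOR_POOL = ipaddress.ip_network("10.20.5.0/24")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    # Split each line into (timestamp, ip, user, host).
    events = []
    for line in text.splitlines():
        ts, ip, user, host = line.split()
        events.append((parse_ts(ts), ipaddress.ip_address(ip), user, host))
    return events

def connected_contractors(events, breach_time, confidential_host, window=timedelta(minutes=30)):
    """Step 1: users that reached the confidential host from the contractor pool within
    +/- window of the breach (the 'contractors connected' set). Returns {user: earliest access}."""
    hits = {}
    for ts, ip, user, host in events:
        if host == confidential_host and ip in CONTRACTOR_POOL and abs(ts - breach_time) <= window:
            hits[user] = min(ts, hits.get(user, ts))
    return hits

def accessed_both(events, contractors, upload_host, after=timedelta(hours=2)):
    """Step 2: of those users, keep the ones that also reached the upload host
    shortly after their confidential access (the 'accessed both' test)."""
    found = set()
    for ts, ip, user, host in events:
        first = contractors.get(user)
        if first is not None and host == upload_host and first <= ts <= first + after:
            found.add(user)
    return sorted(found)

def investigate(log_text, breach_ts, confidential_host, upload_host):
    events = parse_log(log_text)
    pool = connected_contractors(events, parse_ts(breach_ts), confidential_host)
    return accessed_both(events, pool, upload_host)
```

In the sample, the external address is excluded by the pool check and the late upload by the time window, leaving a single username.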

Once arrested, police can demand your DNA and a kidney and an ear and a tail. Imagine what they can demand if you are actually found guilty!

U.S. Appeals Court: OK to check DNA of those arrested

Rich Lord reports:

A closely divided 3rd U.S. Circuit Court of Appeals has found that the collection of DNA samples from people arrested — but not yet convicted — of crimes is constitutional, in an opinion released today.

In a precedent-setting ruling, the appeals court rejected U.S. District Judge David S. Cercone’s 2009 order finding that law enforcement could not collect DNA from Ruben Mitchell, who faces a federal charge of attempting to possess and distribute five kilograms or more of cocaine. Judge Cercone had found that requiring pre-trial detainees to submit DNA samples, which is done under the DNA Analysis Backlog Elimination Act of 2000, violates the 4th Amendment’s search and seizure rules.

In an 8-6 ruling, the circuit judges found that people who are arrested have “a diminished expectation of privacy in their identities.

Read more on The Pittsburgh Post-Gazette. You can read the ruling here (pdf).

[From a dissenting opinion:

(“Under the test the plurality employs, any person who experiences a reduction in his expectation of privacy would be susceptible to having his blood sample extracted and included in CODIS – attendees of public high schools or universities, persons seeking to obtain drivers’ licenses, applicants for federal employment, or persons requiring any form of federal identification, and those who desire to travel by airplane, just to name a few.”)]

Interesting. With minor modifications, I can see TSA adding this to their “security theater.” “Sir, it appears that you have ingested Middle Eastern food recently, please step over here for your colonoscopy...”

New device detects drugs from fingerprints

The power of self-incrimination is now at your fingertips, thanks to a new device out of the U.K. that can test for drugs in a person's system simply by taking a fingerprint.

The technology developed by Intelligent Fingerprinting, a spin-off company from the University of East Anglia in Norwich, England, can simultaneously confirm a subject's identity and detect the presence of a number of drugs, including cocaine, cannabis, methadone, and nicotine.

Not sure what the law says, but I suspect there must be more than mere “storage” or anyone who was a victim would be guilty.

Japanese Man Arrested For Storing Malware

"38-year-old Yasuhiro Kawaguchi is the first person in Japan to get arrested for storing malware on his computer after the upper house's Judicial Affairs Committee has confirmed the new anti-malware law passed by the Japanese parliament. The law considers the creation, distribution and storage of malware a crime punishable with up to three years in prison and a fine that could reach the sum of 500,000 yen ($6,200)."

[From the Yomiuri article:

Police have arrested a man on suspicion of storing a computer virus on his personal computer without legitimate reasons

… The revised Penal Code, which was enforced July 14, bans storage of a computer virus for the purpose of infecting other computers.

Kawaguchi uploaded a file containing the virus, which was titled to suggest child pornography, to the Internet via the file-sharing software Share. People who downloaded the file and opened it on their computers, or activated a DVD onto which the file was saved, would cause their computers to be infected, according to the MPD.

Kawaguchi told police that he started creating viruses in about 2007, and police believe he created the latest virus. However, police plan to build a case against him on the charge of storing the virus, rather than creating it, as it was created before the revised law took effect.]

Sounds like the kind of article an aggressive Google Marketing Department might plant. Is Twitter really in danger? Always. Will they die soon? Depends on their response...

Elgan: Why Twitter is obsolete

The microblogging service Twitter debuted five years ago, and by all accounts it's one of the great success stories of the social media era.

Twitter boasts 200 million users and 350 billion tweets per day, and it's a ubiquitous reference on mainstream TV. [Rarely a “sure sign” of infallibility Bob]

Twitter is about to close an $800 million funding round, which values the company at about $8 billion.

Suddenly, however, the service has been rendered obsolete by Google's new Google+ service, and also by the company's failure to capitalize on its five-year window of opportunity to innovate its way to indispensability.

Monday, July 25, 2011

Bad choice, if they even considered security before they designed it this way...

Android Password Data Stored In Plain Text

"The Hacker News is reporting that Android password data is being stored as plain text in its SQLite database. Hackers News says that 'The password for email accounts is stored into the SQLite DB which in turn stores it on the phone's file system in plain text. Encrypting or at least transforming the password would be desirable.' I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"

No comment...

New privacy guidelines would give FBI leeway to abuse privacy

Frank Askin, who is a professor of law and director of the Constitutional Litigation Clinic at Rutgers Law School-Newark, writes:

Twenty-five years ago, Congress passed and President Gerald Ford signed the Federal Privacy Act. In an effort to end the abuses committed by the FBI against anti-war and civil rights activists that director J. Edgar Hoover disliked, Section (e)(7) of that Act prohibited any agency of the federal government from “maintaining records describing how any individual exercises rights guaranteed by the First Amendment . . . unless pursuant to and within the scope of an authorized law enforcement activity.”

The FBI and the federal courts have spent the last 25 years honoring that statute in the breach; and Congress seems perfectly satisfied to let them do so. And as reported in the New York Times on June 13, the FBI is again about to amend its Domestic Investigations and Operations Guide to further thumb its nose at the privacy act.


(Related) Even citizens want to surveil... “We should do this...” But does anyone want to be the Online Emily Post?

Clive Thompson on Establishing Rules in the Videocam Age

… Sousveillance is the monitoring of events not by those above (surveiller in French) but by citizens, from below (sous-). The neologism was coined by Steve Mann, a pioneer in wearable computing at the University of Toronto. In the ’90s, Mann rigged a head-mounted camera to broadcast images online and found that it was great for documenting everyday malfeasance, like electrical-code violations. He also discovered that it made security guards uneasy. They’d ask him to remove the camera—and when he wouldn’t, they’d escort him away or even tackle him.

“I realized, this is the inverse of surveillance,” he said.

… Right now, sousveillance requires an act of will; you have to pull out your phone when you see something fishy. But always-on videocams are spreading. Many new cars, for example, have cameras for backing up, and forward-looking ones are gaining popularity. And wearable video devices like the Looxcie are already hitting the market: Pop one over your ear like a Bluetooth headset and it’ll capture a rolling five-hour buffer of everything you see and do, publishable to Facebook with a single click.

… As citizens turn their videocams on the authorities, we need some new rules of engagement.

Something to share?

July 24, 2011

Looks Too Good To Be website

"While the Internet can be a safe and convenient place to do business, scammers are out there in "cyber world" targeting unsuspecting consumers. The Looks Too Good To Be website was built to educate you, the consumer, and help prevent you from becoming a victim of an Internet fraud scheme. The website was developed and is maintained by a joint federal law enforcement and industry task force. Funding for the site has been provided by the United States Postal Inspection Service and the Federal Bureau of Investigation. Key partners include the National White Collar Crime Center, Target and members of the Merchants Risk Council."

Beware of ePolitics. There is no reason why an eParty couldn't run an eCandidate and when eLected we find he/she is a virus...

Internet-Based Political Party Opens Doors

"New York Times Op-Ed Columnist Thomas L. Friedman writes (edited for brevity): 'If [...] idiocy by elected officials [...] leaves you wishing that we had more options today [...] not only are you not alone, but help may be on the way. Thanks to a quiet political start-up that is now ready to show its hand, a viable, centrist, third presidential ticket, elected by an Internet convention, is going to emerge in 2012.' Currently it looks like more liberal-inclined individuals are registering, but it would make for a healthier system if more viewpoints were represented."

Oh great. Now all my students will want me to design learning games...

Can AI Games Create Super-Intelligent Humans?

"A technology CEO sees game artificial intelligence as the key to a revolution in education, predicting a synergy where games create smarter humans who then create smarter games. Citing lessons drawn from Neal Stephenson's The Diamond Age, Alex Peake, founder of Primer Labs, sees the possibility of a self-fueling feedback loop which creates 'a Moore's law for artificial intelligence,' with accelerating returns ultimately generating the best possible education outcomes. 'What the computer taught me was that there was real muggle magic ...' writes Peake, adding 'Once we begin relying on AI mentors for our children and we get those mentors increasing in sophistication at an exponential rate, we're dipping our toe into symbiosis between humans and the AI that shape them.'"

For my Intro to IT students...

A beginner's guide to more telecom jargon

Another tool to torture my students!

Spiderscribe: Free-Form Mind Mapping & Brainstorming Tool

A lot of online mind mapping tools today are usually limited by their very structured form. While they are very useful for basic brainstorming sessions, their capabilities are quite limited. SpiderScribe offers a unique online mind mapping and brainstorming tool that provides more flexibility with the structure and the kind of items that you can put on it. With SpiderScribe, you may create free-style, multi-directional maps, as well as combine various elements such as text, images, files, calendar events, and geographic locations in your mind map.

Similar Tools: Diagramly, Sneffel, and Think.