Saturday, August 20, 2011

Does this mean they found something better?

Microsoft Drops Use of 'Supercookies' On MSN

"In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, and now the company said that it is no longer doing so."

Interesting. How am I to understand a law that different states interpret differently?

Facebook's 'Like' button illegal in German state

The state of Schleswig-Holstein has ordered all government offices to remove the button from their Web presence and shut down any Facebook "fan" pages, on the grounds that these things violate German and European data privacy laws. A release from the Independent Centre for Privacy Protection in the German state claims that information collected from German users' "liking" and other activities is sent back to the United States where Facebook uses it to create a profile, all of which runs afoul of Germany's uberstrict privacy laws.

Sites that don't comply with the take-down order could face a 50,000 Euro fine.

The agency goes on to urge German residents to go a step further and give Facebook one big existential thumbs down. It warns to resist the temptation to click on social plug-ins or to even start a Facebook account, all to "avoid a comprehensive profiling by the company."

(Related) It's not that big a deal in the US... (According to Facebook)

August 18, 2011

A Guide to Facebook Security For Young Adults, Parents, and Educators

A Guide to Facebook Security For Young Adults, Parents, and Educators, Linda McCarthy, Keith Watson, and Denise Weldon-Siviy, August 2011.

"This online guide explains how you can:

  • Protect your Facebook account

  • Avoid the scammers

  • Use advanced security settings

  • Recover a hacked Facebook account

  • Stop imposters"

Perhaps it could be tied to a coffee maker?

Car Makers Explore EEG Headrests

"A number of car makers are looking at whether EEG devices built into headrests could prevent accidents by sensing when a driver is in danger of drifting off. The technology comes from Neurosky, which already makes commercial EEG units for use in gaming and market research. Other approaches, such as using cameras to spot drooping eyelids, have proven too unreliable so far. From the story: 'Fatigue causes more than 100,000 crashes and 40,000 injuries, and around 1,550 deaths, per year in the United States, according to the National Highway Traffic Safety Administration. Some studies suggest drowsiness is involved in 20 to 25 percent of all crashes on monotonous stretches of road.'"

This can't be true, can it? I'll have to ask my students...

Most People Have Never Heard of CTRL+F

"Google search anthropologist Dan Russell says that 90 percent of people in his studies don't know how to use CTRL/Command + F to find a word in a document or web page. 'I do these field studies and I can't tell you how many hours I've sat in somebody's house as they've read through a long document trying to find the result they're looking for,' says Russell, who has studied thousands of people on how they search for stuff. 'At the end I'll say to them, "Let me show one little trick here," and very often people will say, "I can't believe I've been wasting my life!"' Just like we learn to skim tables of content or look through an index or just skim chapter titles to find what we're looking for, we need to teach people about this CTRL+F thing, says Alexis Madrigal. 'I probably use that trick 20 times per day and yet the vast majority of people don't use it at all,' writes Madrigal. 'We're talking about the future of almost all knowledge acquisition and yet schools don't spend nearly as much time on this skill as they do on other equally important areas.'"

Sorta like buying an Edsel?

HP Issues TouchPad Liquidation Order – Get Yours Now For $100

Wow. The day after HP announces they’re discontinuing all their webOS devices, and they’ve already issued a liquidation order. Best Buy, Future Shop, The Source, London Drugs, and Staples will be selling the 16GB TouchPad for $100, and the 32GB version for $150 starting tomorrow. Well, in Canada at least.

Friday, August 19, 2011

Unlikely that Vanguard was specifically targeted. Most likely (those who hope they will remain) Anonymous found a simple vulnerability (perhaps an unencrypted home wifi link?) and can now pretend to have defeated the company's security.

Anonymous Hackers Release FBI Contractor’s Drone Data

Alastair Stevenson reports:

The hacker collective Anonymous has released a fresh batch of data taken from Vanguard Defense Industries, a Pentagon and FBI contractor.

Anonymous later said the e-mails belong to the contractor’s senior vice president, Richard T. Garcia, and contained information regarding “internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen ‘counter-terrorism’ documents classified as ‘law enforcement sensitive’ and ‘for official use only.’”

Read more on International Business Times.

Are we doomed?

Google Highlights Trouble In Detecting Malware

"Google issued a new study (PDF) on Wednesday detailing how it is becoming more difficult to identify malicious websites and attacks, with antivirus software proving to be an ineffective defense against new ones. The company's engineers analyzed four years worth of data comprising 8 million websites and 160 million web pages from its Safe Browsing service, which is an API that feeds data into Google's Chrome browser and Firefox and warns users when they hit a website loaded with malware. Google said it displays 3 million warnings of unsafe websites to 400 million users a day."

Technology giveth and technology taketh away...

A Chat With Zavilia, a Tool For Identifying Rioters

"Social media isn't just great for starting 'social unrest,' it's proving to be quite helpful for quashing it too. Not long after the bricks began to fly in London's latest kerfuffle, locals angry over raging mobs scrambled to assist the police in their attempt to identify street-fighters and free-for-all hooligans … Now with more than 1,000 people charged over the chaos, a few citizen groups continue to provide web-based rioter identification platforms, in hopes of being good subjects, maintaining the country's pursuit of order, and keeping their neighborhoods safe."

Significant change of direction?

HP Plans to Buy Autonomy, Leave PCs and Mobile Behind

Hewlett-Packard plans to fundamentally reshape its business, spinning off some or all of its personal computer and consumer hardware division, doubling down on enterprise software and solutions, and killing off its promising but underperforming line of webOS tablets and smartphones.

For all my students...

3 Default Passwords You Must Change & Why

1. Your Windows Administrator Password

2. Your Router Password

3. Your One-For-All Password

Keeping up with the times...

Oxford Dictionary Defines Sexting, Cyberbullying

“These additions are just carrying on the tradition of a dictionary that has always sought to be progressive and up to date,” Angus Stevenson, editor of the latest edition, wrote in a blog post discussing the 400 new entries to the reference guide.

The tech-infused update comes just five months after the wordsmiths behind Oxford dictionaries welcomed fun web shorthand exclamations LOL, OMG and ♥ to the lexicon, further evidence that the internet and social media are speeding the evolution (some would say the devolution) of the English language.

Another, more-somber addition to the 12th edition of the Concise Oxford English Dictionary is the term cyberbullying, which has become a near-constant buzzword in the news lately thanks to cases like Lori Drew’s.

The Concise Oxford English Dictionary (not to be confused with the larger Oxford English Dictionary, which added LOL, OMG and ♥) also refined some definitions of existing words to place them in a modern context. For example, follower now means “someone who is tracking a particular person, group, etc. on a social networking site.”

Thursday, August 18, 2011

“Hackers” and “low hanging fruit”

BART Police database hacked

Graham Cluley reports a second breach involving the Bay Area Rapid Transit (BART):

A database belonging to the BART Police Officers Association appears to have been hacked, and the names, postal and email addresses of officers posted online.

Just over 100 officers are listed in the document, in what is clearly a serious security breach.

Read more on Naked Security.

Gizmodo provides an update to the incident:

Update: As it turns out, a single French girl is claiming responsibility for today’s hack. And it was easy, this being her first hack ever. Going by the AIM handle “Lamaline_5mg,” she told SFWeekly that BART had zero security in place to stop her. All she had to do was write a script and break through a single gaping hole in their site.

“Henceforth our WiFi links will be named: 'This is not an FBI Surveillance Van, move along!'”

Accused Teen Bomber Finds FBI Surveillance Team's Wireless Network

"The suspect who is accused of planning to bomb his high school in Tampa updated his Facebook status with the following: 'The weirdest thing happened today...when my homie Nic Peezy was trying to connect to a wireless network the connections list came up and one of them was called: FBI_SURVEILLANCE_VAN,' The FBI might want to revisit their wireless network naming conventions."

Is there something I'm not aware of that makes this market less desirable? If the big players are ducking out, who owns the market?

Cisco Quietly Shuts Down Building Energy Management Program

Another one bites the dust. At the end of June, the names Google PowerMeter and Microsoft Hohm were chiseled on the grave marker of casualties in the race to build smart grid-linked software and gizmos. To this list of famous fallen, Cisco Systems adds its name, with an announcement yesterday that it will exit building management software services while also retreating from the home energy management market.

“Yo Ho! Yo Ho! A Googling we will go!” (Lots of useful links!)

August 17, 2011

Navy Publishes Slideshare on How to Use Google+

Federal Computer Week: "Although Google+ has attracted more than 10 million users since its recent debut, many people in government are wondering what it is and how it ought to be used. Thanks to the Navy, now there is an overview of the new site. The Navy recently published a 13-page online guide titled What’s the deal with Google+? on the SlideShare website, providing a basic introduction to the new social networking site and how it could be used by individuals. The Navy’s presentation had been viewed by 606 people as of Aug. 16."

(Related) Social Media is “highly encouraged”

August 17, 2011

VA Issues Guidance on use of Web-based collaboration technologies

"The Department of Veterans Affairs (VA) endorses the secure use of Web-based collaboration and social media tools to enhance communication, stakeholder outreach collaboration, and information exchange; streamline processes; and foster productivity improvements. Use of these tools supports VA and VA’s goal of achieving an interoperable, net-centric environment by improving employee effectiveness through seamless access to information. Web-based collaboration tools enable widely dispersed facilities and VA personnel to more effectively collaborate and share information—which can result in better productivity, higher efficiency, and foster innovation. This Directive establishes policy on the proper use of these tools, consistent with applicable laws, regulations, and policies."

Wednesday, August 17, 2011

This is new. If you can organize a nation-wide protest, scheduling the gang to rob a store should be simple.

'Flash mob' robs Maryland 7-Eleven in less than a minute, police say

Not a huge Identity Theft, but it raises an interesting issue (which many Security & Privacy bloggers want an answer to...) If this turns out to be the Police Chief's cousin, imagine the fallout!

Update on Gallatin, TN card fraud

Law enforcement continues to shield the name of a breached business in Gallatin, Tennessee, even though they acknowledge that past customers might still become victims.

Sarah Kingsbury reports, in part:

To date, Gallatin police have received 203 fraud reports related to the outbreak, with the majority of charges showing up on bank and credit card statements as purchases between $80-$100 at locations in various Florida cities.

Investigators discovered the source of the outbreak, which police initially pinpointed to a location around the 1400 block of Nashville Pike, but the business has not been identified because it is also considered a victim of the scam.

The information was not stolen through a skimming device on a card-swipe machine as Gallatin police originally believed, Mays said.

In terms of size, Mays described the Gallatin outbreak as a “small-scale, localized event that resulted from a computer that was not adequately protected.”

The business “is aware of it, has taken mitigating measures and it’s safe to use your card,” he said. “I don’t think there’s any reason to be unduly alarmed or afraid.”

However, although there isn’t a threat that card information is currently being stolen, consumers who made purchases at the unidentified business in the past may still see fraudulent charges show up on their statements.

“If I go into a computer somewhere as a hacker and I steal 1,000 credit card numbers, that doesn’t mean all 1,000 of those numbers will be used tomorrow,” Mays said.

“A hacker will sell them off bit by bit or in large groups to people who will use them, and that might take place tomorrow or it might take place several months from now.”

Investigators said it is likely some consumers made a purchase at the business many months ago and only recently saw illicit charges on their accounts. For this reason, police have encouraged credit and debit card users to monitor their monthly statements carefully and report any suspicious activity to their card companies.

Why the hell not alert people, “Hey, if you did business at _______ during ____ to ____, be sure to check your statements or contact your bank and cancel your card?” The way they’re handling this, consumers are not being given information I think they should be given.

Their procedures for ensuring that terminated employees lose access seem somewhat lacking...

Fired Techie Created Virtual Chaos At Pharma Co.

"Using a secret vSphere console, Jason Cornish, formerly an IT staffer at the U.S. subsidiary of drug-maker Shionogi, wiped out most of the company's computer infrastructure earlier this year. Cornish, 37, pleaded guilty Tuesday to computer intrusion charges in connection with the attack."

[From the article:

He wiped out 15 VMware host systems that were running e-mail, order tracking, financial and other services for the Florham Park, New Jersey, company.

"The Feb. 3 attack effectively froze Shionogi's operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail," the U.S. Department of Justice said in court filings. Total cost to Shionogi: $800,000.

Cornish had resigned from the company in July 2010 after getting into a dispute with management, but he had been kept on as a consultant for two more months.

Then, in September 2010, the drug-maker laid off Cornish and other employees, but it did a bad job of revoking passwords to the network. [ya think? Bob] One employee, who was Cornish's friend and former boss, allegedly refused to hand over network passwords to company officials and eventually was fired because of this.

If I read this correctly, AT&T didn't bother to check on these guys before opening their database to them. Surely they noticed “hundreds of millions” of spoofed calls – couldn't they stop them?

AT&T Says Data Miners Defrauded It

Dan McCue reports:

AT&T claims two Utah men defrauded it by breaking into its caller-ID system with auto-dialers to steal valuable customer data through “hundreds of millions of ‘spoofed’ telephone calls.” They probably used the stolen information for telemarketing, AT&T says.

In a federal complaint in Dallas, AT&T and its subsidiaries claim that Phil Iverson and Chris J. Gose masterminded the scam, acting, or claiming to act, on behalf of co-defendants CCI Communications, Feature Films for Families, and Blue Skye, among others.

AT&T claims the men used an auto-dialing program to repeatedly and deliberately place “spoofed” calls to landline and wireless customers.

Read more on Courthouse News.

[From the article:

"Since 2006, AT&T's internal network fraud detection organization has uncovered numerous instances of defendants' data mining schemes. In some cases, AT&T has terminated or disabled the services that defendants have used to accomplish their unlawful data mining; in other cases, defendants themselves have stopped using their AT&T services once the fraud has been detected.

… To run the scam, AT&T says, the men purchased some of its services, including caller ID, then made spoofed calls to cause AT&T's computerized switching system to generate an electronic caller ID inquiry to send information to the called party.

For my Ethical Hackers: Start baking!

Man reveals secret recipe behind undeletable cookies

Dan Goodin reports:

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode.

The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.

Read more on The Register.

Here is a link to the report...

August 16, 2011

McAfee White Paper on Global Cyberattacks

Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."

  • "...the targeted compromises we are focused on — known as advanced persistent threats (APTs) — are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

Tools for Students...

How To Get Around Tethering Charges Using EasyTether [Android 1.5+]

For all my students: How will you make it to “geezer age” if you keep watching American Idol?

Every Hour of TV You Watch May Shorten Your Lifespan By 22 Minutes [STUDY]

For my Math and Data Analysis students: Dilbert sums up the difficulty of our job.

Tuesday, August 16, 2011

I suspect this is trivial. No defense contractor would be sending sensitive information via unsecured email... Would they?

Vanguard Defense Industries compromised by AntiSec

AntiSec is targeting defense contractors again. Continuing their beef with law enforcement, and organizations that offer them support, they have targeted Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). AntiSec plans to release nearly 4,713 emails and thousands of documents taken during the breach.

VDI is the Texas-based firm responsible for ShadowHawk, an unmanned helicopter that can be tasked with aerial surveillance or equipped for military usage.

These cases raise lots of interesting questions. If a reporter had filmed this incident, would there be any question of legitimacy/legality? How about a tape from a surveillance camera?

Cop Seeks Wiretapping Charges For Woman Who Videotaped Beating

"A police officer who was disciplined for his role in the beating of a Massachusetts man (many broken bones in his face and permanent partial blindness) is looking to bring criminal wiretapping charges against the woman who caught much of the incident on video. The officer received a 45-day suspension for the beating. He does not appear to deny anything that happened in the video, but he apparently thinks it shouldn't have been filmed."

This is a rather simple device, but they must have other evidence of the content of a secure signal, right?

Cops Use Device to Find Child Porn on Wireless Networks

It's not exactly rocket science to detect Wi-Fi networks, but a new device is helping law enforcement detect wireless networks and locate individuals who are suspected of downloading child pornography. At the Crimes Against Children Conference, Fluke Networks announced that police are using a "one-button interface" on AirCheck Wi-Fi Tester to:

  • more confidently enter the suspect's location, if they determine a wireless network is secured, knowing that illegal Internet content is being downloaded from within that residence;

… You know, secured wireless networks can be cracked. Since Fluke said police can rest-assured that a suspect downloading illegal content on a secured network is the offender, I'm curious to see what happens when an innocent person wrongfully gets busted.

What happened to the “we represent the artist” argument?

Music Copyright War Looming

"When copyright law was revised in the mid-1970s, musicians, like creators of other works of art, were granted 'termination rights,' which allow them to regain control of their work after 35 years, so long as they apply at least two years in advance. Recordings from 1978 are the first to fall under the purview of the law, but in a matter of months, hits from 1979, like 'The Long Run' by the Eagles and 'Bad Girls' by Donna Summer, will be in the same situation. ... 'We believe the termination right doesn’t apply to most sound recordings,' said Steven Marks, general counsel for the Recording Industry Association of America, a lobbying group in Washington that represents the interests of record labels. As the record companies see it, the master recordings belong to them in perpetuity, rather than to the artists who wrote and recorded the songs, because, the labels argue, the records are 'works for hire,' compilations created not by independent performers but by musicians who are, in essence, their employees."

Only 13 states?

August 15, 2011

Database: S&P ratings for all 50 states

"Standard & Poor's downgrading of the U.S. government’s credit rating does not have any impact on individual states ratings, meaning those states that have the highest AAA rating won't have to face an automatic downgrade. There are 13 states that have the coveted Triple A credit rating by S&P, and many other states that have the same AA+ credit rating as the U.S., but with a "stable" outlook rather than the "negative" outlook of the U.S. That’s because bond issuers that have little dependence on the federal government, or that are likely to manage federal budget cuts without hurting their credit, should be able to hold on to their top ratings, an S&P analyst wrote." [via the Business Journals]

  • This database includes all 50 U.S. states and their ratings by S&P. [Online Database by Caspio]

De-gibberishing the SEC. Relatively simple document scrubbing. Why didn't anyone think of this before?

YC-Funded MarketBrief Makes Obtuse SEC Documents Human-Friendly

How much data is “a lot?” (This is what Intelligence services used to do with pencils...)

InfiniteGraph Steps Out Of Beta To Help Companies Identify Deep Relationships In Large Data Sets

Last year, Eric Schmidt, the former CEO of Google, told a crowd gathered at the Techonomy Conference in Lake Tahoe, CA that we now create as much information in two days as we did from the dawn of civilization through 2003. While Roger J. Moore would disagree and amend that estimation slightly, the fact of the matter is that today we’re seeing a ridiculous (and exponential) telescoping in data production and consumption — which will only continue to increase.

Thus, in today’s world, data is becoming a valuable commodity. Many companies strive to collect as much data about their customers’ habits and interactions as possible to better serve them with ads, recommendations, discovery tools, and personalized product or service experiences (and so on). But, the fact of the matter is, big data management and analysis is still clunky, and without being able to understand what that big data means — without being able to identify the important relationships, connections, and patterns within the data — it’s just a big pile of numbers and symbols.

For my Computer Forensics students...

Android Forensic links and resources

For my Ethical hackers... (I was unable to connect... Probably hacked.)

Happy hackers attack sites, submit hacks for ratings on RankMyHack

In theory, there have been more than 1,100 sites hacked. The current leader with a #1 ranking attacked the Huffington Post. Other sites range from Mashable, Mapquest, Monster, Flickr, Linkedin and many more. While XSS (cross-site scripting) attacks are worth fewer points, ['cause anyone can do it... Bob] there are bonus points called "bounty" awarded for hacking government, military, educational or racist websites. Bounties offer "additional ranking point reward" and Ku Klux Klan sites are included on that reward list. Allegedly MIT, Princeton, Harvard, Cornell, Georgetown, and Stanford have all been hacked and that's but naming a few.

If this site is for real, a potential attacker can input a website URL to see how many ranking points it would be worth. In the name of testing purposes, a person might be curious enough to test a couple in order to list examples: " is worth 1704545 Ranking Points. XSS attacks against are worth 17045 points." And " is worth 237341 Ranking Points. XSS attacks against are worth 2373 points." This is not an endorsement or a suggestion to hack anyone. [Sure... Bob]

There is also a "war room" for chatting. Another page is devoted to resources, information, hacking tutorials, tools and forums.

The Twitter account for @RankMyHack shows that the site launched July 22. Not even a month later, the current number of sites allegedly hacked is 1,132.

Should I tweet? (Probably not, but I'm considering it.)

INFOGRAPHIC : How To Twitter Effectively

One for the lawyers. Think of it as a program – “You can't tell the players without a program!”

A Motorola lawsuit primer (infographic)

For my musical students

Print Your Own Blank Sheet Music

Blank Sheet allows you to create your own blank sheet music. Before printing you can select the key signature, time signature, number of staves per set, sets per sheet, and the clef.

Darn. Some of my students use this app...

Microsoft cancels its Reader e-book app