Saturday, October 15, 2011

If the facts reported here are correct, the process used to allow a client to view their account online depends on a number linked to their records, and that number is then displayed in the URL of the webpage generated by the system. A very old security design no-no. Then we seem to have an attempt to keep the whistleblower quiet. That should be legally discouraged, since common sense doesn't seem to be in evidence...
AU: First State Superannuation fails to adequately secure online accounts, then threatens the security researcher?
October 14, 2011 by admin
First, let’s start with the breach, as reported by Darren Pauli on SC Magazine:
A security researcher was questioned by NSW Police after quietly reporting a massive security gaffe to First State Superannuation that potentially exposed millions of customer accounts.
Patrick Webster found he was able to access electronic superannuation notices of any customer by changing numerical values in URLs used to issue statements to clients.
Webster, a customer of First State Superannuation and consultant at OSI Security, increased the URL number value by one and was granted access to a former colleague’s super statement.
He was shown information such as name, address, date of birth, next of kin and superannuation payments.
Okay, simply changing a numerical value in a URL exposes customers’ data? In 2011? First State Superannuation should be very embarrassed.
In a letter to customers dated October 7, they acknowledged that customers’ online accounts had been accessed, but did not reveal how ridiculously simple it was for Webster to access their accounts. Then, in a phrasing that is completely contradicted by the circumstances, they write, “Your account remains secure.” “Remains?” It was not secure, which is why Webster was able to access others’ member statements. Maybe now it’s more secure, but for them to imply that the accounts had always been secure and remained secure is misleading, I think.
But their response to the breach deserves heaps and heaps of scorn and shaming. As also reported by Darren Pauli:
A security consultant who quietly tipped off First State Superannuation about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw.
A legal document (pdf) seen by SC and sent from Pillar, the fund administrator of First State Super, demanded that Patrick Webster provide the company’s IT staff access to his computer.
Read more on SC Magazine. The legal document indicates that Webster reportedly accessed 568 members’ accounts. Why he accessed so many is not explained, and may wind up being important, but First State’s suggestion that he might have to pay for them fixing their sloppy security is mind-numbingly shameful.
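The flaw described above, in miniature, as an added example (not code from First State Super, Pillar or the article): a statement lookup that trusts the id in the URL beside one that checks ownership on the server, plus the kind of log check that would surface a member requesting statements that are not their own. The member ids, statement ids, URLs and log records are all constructed.

```python
"""Insecure direct object reference (IDOR): the statement id in the URL must
never be the only thing deciding whose record comes back.  Added example with
constructed data; not the fund's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Statement:
    statement_id: int
    member_id: int   # the member this statement belongs to
    body: str


# Constructed sample data: three statements belonging to two members.
STATEMENTS: Dict[int, Statement] = {
    1001: Statement(1001, member_id=7, body="member 7, 2010-11 statement"),
    1002: Statement(1002, member_id=8, body="member 8, 2010-11 statement"),
    1003: Statement(1003, member_id=7, body="member 7, 2011-12 statement"),
}


def statement_id_from_url(url: str) -> Optional[int]:
    """Parse the ?id=NNNN query parameter; None if absent, repeated or non-numeric."""
    values = parse_qs(urlparse(url).query).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_lookup(session_member_id: int, url: str) -> Optional[str]:
    """The pattern in the story: the session proves you are *a* member, but the
    id in the URL alone selects the record, so editing it returns anyone's
    statement.  session_member_id is never consulted."""
    statement = STATEMENTS.get(statement_id_from_url(url))
    return statement.body if statement else None


def hardened_lookup(session_member_id: int, url: str) -> Optional[str]:
    """Authorise on the server: the record must belong to the authenticated
    member.  Unknown and foreign ids both return None so the response does not
    reveal which ids exist."""
    statement_id = statement_id_from_url(url)
    if statement_id is None:
        return None
    statement = STATEMENTS.get(statement_id)
    if statement is None or statement.member_id != session_member_id:
        return None
    return statement.body


# Constructed access-log records: (authenticated member, statement id requested).
SAMPLE_LOG: List[Tuple[int, int]] = [
    (7, 1001),   # own statement
    (7, 1003),   # own statement
    (7, 1002),   # another member's statement
    (7, 1004),   # id that does not exist
    (8, 1002),   # own statement
]


def cross_member_requests(log: List[Tuple[int, int]]) -> Dict[int, int]:
    """Count, per member, requests for statements the member does not own.
    Non-existent ids count as well: a run of adjacent ids that mostly miss is
    what walking the id space looks like in the logs, which is the signal an
    operator wants an alert on even after the lookup is fixed."""
    counts: Dict[int, int] = {}
    for member_id, statement_id in log:
        statement = STATEMENTS.get(statement_id)
        if statement is None or statement.member_id != member_id:
            counts[member_id] = counts.get(member_id, 0) + 1
    return counts


if __name__ == "__main__":
    url = "https://example.invalid/statement?id=1002"
    print("vulnerable:", vulnerable_lookup(7, url))   # member 8's statement leaks
    print("hardened:  ", hardened_lookup(7, url))     # None
    print("flagged:   ", cross_member_requests(SAMPLE_LOG))
```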

Interesting that they detected this. Often, organizations don't know (or care) what their contractors do with their data.
SEC Warns Staff Their Stocks Data Was Exposed
October 14, 2011 by admin
From the heeding-their-own-advice dept.:
The Securities and Exchange Commission is warning staffers that their personal brokerage account information may have been compromised, after it uncovered security flaws with an ethics compliance program.
The SEC put the program in place after its internal watchdog raised concerns about possible insider trading among SEC staffers.
In an October 7 letter to SEC employees, Chief Information Officer Thomas Bayer said that the contractor hired to operate a computer program that tracks trades had violated its agreement with the SEC by providing names and account numbers to a subcontractor without permission.
“We are not aware of any actual misuse of the data,” Bayer wrote. “Nevertheless, it is the SEC’s policy to provide notification of any incident that presents the potential for unauthorized access to personal information.”
Read more on NEWS.GNOM.ES

So, if I understand this: if a truly ignorant (or lazy) 'data controller' can't figure out what a competent 12-year-old can, they're free to distribute the data?
UK Information Tribunal Rules Properly Anonymized Personal Data Can Be Disclosed Under FOIA
October 14, 2011 by Dissent
On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.
In short, the High Court’s current position appears to be that if a data controller removes enough identifiers from a copy set of personal data to ensure the controller itself is unable to translate the anonymized copy back into personal data, then the anonymized copy can be disclosed to a third party pursuant to a FOIA request.
Read more on Hunton & Williams Privacy and Information Security Law Blog.
[From the blog:
For years, this personal data exception has befuddled UK courts. The first case on anonymization and disclosure reached the House of Lords in 2008, with three members of the House issuing judgments. Baroness Hale delivered a robust minority view that the test should be whether disclosing the information would allow the recipient to identify individuals, but the majority followed Lord Hope’s lengthy opinion suggesting that the data must be sufficiently altered so as to be anonymous to the controller before it can be disclosed

Don't ya just love that dry British humor?
“How private is private?” – a speech by Mr Justice Eady
October 14, 2011 by Dissent
On 8 October 2011, Mr Justice Eady gave a speech entitled “How private is private?” to the “2011 Young Bar Conference”. The speech is a characteristically entertaining and informative tour of the privacy landscape, with a little gentle teasing of press and politicians along the way and a firm message about the relationship between parliament and the judiciary.
Read more on Inforrm’s Blog.

We're looking for a new HTML5 textbook. My search returned 127 hits!
PDFSb: Online Database Of Free Ebooks
PDFSb is a free for all website, and may be called a hub of free PDF books. The website serves as a link to the millions of free PDF books online. The good thing, it gives you all of those in 1 place. Not only that, but the ability to search for a book makes things a lot easier. Currently, the database holds 6,500,000+ books and ever growing!

Friday, October 14, 2011

Clear your calendar! I notice that the next Privacy Seminar (and lunch) has been scheduled for Friday, November 4th. Topic to be: Privacy Damage Theories

This is a first! “Stop using “papyrus era” technology!”
By Dissent, October 13, 2011
In the aftermath of a breach:
The province’s privacy watchdog is ordering Cancer Care Ontario to stop sending screening reports to doctors in paper format.
Information and Privacy Commissioner Ann Cavoukian says the agency must find a more secure method to transfer the results, which contain personal health information.
She says the agency has decided to develop its own web portal for the delivery of the reports, but will have to report back to her office to ensure it’s secure.
Read more from The Canadian Press on

Unlikely we will ever get a straight story. Imagine “credential stealing” software that is intended to gather the data, then do nothing with it... Who designed it, government contractors?
"Air Force officials have revealed more details about a malware infection that impacted systems used to manage a fleet of drones at the Creech Air Force Base in Nevada as reported last week. The 24th Air Force first detected the malware – which they characterized as a 'credential stealer' as opposed to a keylogger as originally reported — and notified Creech Air Force Base officials Sept. 15 that malware was found on portable hard drives approved for transferring information between systems. The infected computers were part of the ground control system that supports remotely-piloted aircraft (RPA) operations. The malware is not designed to transmit data or video or corrupt any files, programs or data, according to the Air Force. The ground system is separate from the flight control system used by RPA pilots to fly the aircraft."

Now this has potential! All of my students can take pictures of license plates. My Ethical Hackers can get names and addresses from DMV, then email addresses.  Launder the money through Luxembourg and sell the Credit Card information to the Rumanian Mob. What (profitable) fun!
Fake Speeding Tickets Harass New Yorkers Via Email [News]
… Once the email has earned your trust, it directs you to open an attachment which is supposedly a form that can be filled out in response to the ticket. Instead, it’s a typical Trojan Horse virus.

I don't like the suggestion that the Police should Photoshop some of their photos. I do like the idea of using all the free software.
Stop, Or I’ll Tweet! Cops Struggle With Social Media
A nightstick, a revolver, and a smartphone to check in on Foursquare.
That’s the necessary gear of the future beat cop, as envisioned at the SMILE Conference — aka Social Media, the Internet, and Law Enforcement — held over three scorching September days in downtown Dallas.

Does this suggest how future regulations will look?
SEC guidance about coming clean about data breaches
October 14, 2011 by admin
Emma Woollacott reports:
The Securities and Exchange Commission (SEC) has ordered companies to disclose security breaches, following a year in which several organizations have been criticized for revealing details late, if at all.
“Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts,” says the SEC in its new guidance notes.
“Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”
Read more on TG Daily. If you read the guidance, you’ll see it’s not really an order…

Not sure I agree with the ranking, but it's a start...

So much for “We're doing it for the customers!” More importantly, this suggests the money invested might be a waste.
Majority of Consumers See No Benefit in Sharing Personal Data
October 14, 2011 by Dissent
Congress held a hearing yesterday on consumer attitude about privacy. Here’s yet another survey on consumer attitude:
Seventy-four percent of American and Canadian consumers said they don’t feel they’re receiving a benefit from sharing personal information with marketers, according to the latest survey research from LoyaltyOne. Just 52% said they somewhat or strongly agree with the statement that companies use their personal data “so they can better serve me.” Breaking down the somewhat and strongly agree responders, only 9% said they strongly agree that companies use their information to serve them better.
Read more on Hospitality Technology.

(Related) The technology exists and (apparently) it is easy to sell the data.
"Australian shopping centers will monitor customers' mobile phones to track how often they visit, which stores they like and how long they stay. One unnamed Queensland shopping center is next month due to become the first in the nation to install receivers that detect unique mobile phone radio frequency codes to pinpoint location within two meters."

(Related) As long as someone buys it, they'll collect it.
Under Verizon's new privacy policy, as noticed by Computerworld, the carrier will collect data on the websites customers are visiting, the apps they're using and the location of their phones. Verizon will then use the aggregate data for "business and marketing reports" and to sell relevant advertising.

Perhaps if it was titled: “How to avoid lawsuits...” it would be read. In any case, a US version would be worthwhile. (Hint, hint!)
Privacy commissioner of British Columbia issues guidelines on using social media for background checks
October 14, 2011 by Dissent
The Information and Privacy Commissioner of British Columbia has issued guidelines to assist organizations and public bodies using social media sites to conduct background checks of prospective employees, volunteers and candidates.
Commissioner Elizabeth Denham cautioned that using social media to conduct background checks presents legal and other challenges.
“We enter a new era with the application of privacy laws to social media background checks,” the Commissioner stated, adding, “the guidelines my Office is issuing today are designed to provide guidance and practical steps to assist organizations and public bodies in complying with the law.”
The guidelines highlight some of the risks associated with performing a social media background check, such as collecting inaccurate information and collecting too much personal information. Commissioner Denham stated that she expected organizations and public bodies to review and adopt the guidelines so that their practices concerning social media background checks comply with privacy obligations.
The use of social media background checks received attention earlier this year when a political party requested the passwords of its potential leadership candidates to permit an examination of their social media sites.

“I'm shocked! Shocked I tell you!” to discover that anyone thinks that secret deals with campaign contributors are not common.
U.S. Copyright Czar Cozied Up to Content Industry, E-Mails Show
Top-ranking Obama administration officials, including the U.S. copyright czar, played an active role in secret negotiations between Hollywood, the recording industry and ISPs to disrupt internet access for users suspected of violating copyright law, according to internal White House e-mails.
The e-mails, obtained via the Freedom of Information Act, (.pdf) show the administration’s cozy relationship with Hollywood and the music industry’s lobbying arms and its early support for the copyright-violation crackdown system publicly announced in July.
… The e-mails do not entail much detail of the discussions between the administration and industry — as any substantive text in the e-mails (.pdf) was blacked out before being released to Soghoian.
But the communications show that a wide range of officials — from Vice President Joe Biden’s deputy chief of staff Alan Hoffman, the Justice Department’s criminal chief Lanny Breuer to copyright czar Victoria Espinel — were in the loop well ahead of the accord’s unveiling.

Judge Lamberth delights in pointing out the ineptitude of government lawyers, and does so again here. However, I find it difficult to logically separate the real-time and historical information (as the law clearly does). As I read the ruling, you need a warrant to find my current location, but you don't need a warrant to find out where I was a millisecond ago, i.e. once location is recorded (becomes a record) it is fair game. That happens very rapidly in computer systems.
Judge: No Warrant Needed For Cell Phone Location Data
October 13, 2011 by Dissent
Mike Scarcella writes:
Prosecutors do not need a warrant to compel a cellular phone service provider to turn over data about call location, a federal judge in Washington said in a ruling unsealed Wednesday.
The ruling (PDF) examines the government’s attempt to get data from the undisclosed service provider amid a U.S. Attorney’s Office investigation of an armed robbery of an armored truck.
Read more on The Blog of LegalTimes. The memorandum and order contains an interesting discussion of how historical cell location data is not the equivalent of continuous GPS surveillance, and hence, Maynard does not really apply.

Al Gore has everyone looking for the causes of Global Warming.
"Science News reports on a story which blames a centuries long cooling of Europe on the discovery of the new world. Scientists contend that the native depopulation and deforestation had a chilling effect on world-wide climate. 'Trees that filled in this territory pulled billions of tons of carbon dioxide from the atmosphere, diminishing the heat-trapping capacity of the atmosphere and cooling climate, says Richard Nevle, a geochemist at Stanford University.' The story notes that the pandemics in the Americas were possibly an example of human climate manipulation predating the Industrial Revolution, though isotope measurements used during research have much uncertainty, so 'that evidence isn't conclusive.'" [Somewhere between a hint and a guess? Bob]

Gee, if a Harvard guy says so... But I find that most people have great difficulty communicating with other people, let alone logical hardware...
Apple's Siri Is as Revolutionary as the Mac
… Siri, the new iPhone's voice-control software, is going to have as big an impact as that first iPhone did. It's going to fundamentally change our relationship with computers.
… unnecessary complexity remains. Why does a user care whether a message from a friend is an email or an SMS? Why should they have to concern themselves with opening a browser or a specific app to find out what the weather is going to be tomorrow?
And try as we might to design hardware that is ergonomic, there's no denying the impact this technology has had on our bodies. Repetitive strain injury, degradation of eyesight — these are the result of using existing computer and phone interfaces for hours on end.
Siri is the first serious step in changing all that.
In true Apple fashion, there is little that is technologically novel.

My Math students will like the WolframAlpha access via Siri.
A great week for Google challengers
DuckDuckGo: Despite the wacky name, it's a traditional search engine.
… the site has started to grow. In fact, its staff doubled late last month, when Weinberg hired employee #1. And this week, he announced that DDG has done something perfectly normal for a tech startup: It's accepted outside financing from venture-capital firm Union Square Ventures and some other investors.
Wolfram Alpha: Wolfram Alpha isn't exactly obscure, but it also isn't the household name it deserves to be. So one of the things that excites me most about Apple's iPhone 4S, which goes on sale today, is that its Siri voice assistant has Wolfram Alpha baked in. Ask Siri questions, and she'll hand some of them off to Wolfram Alpha to get answers.

For my Ethical Hackers. How could you use this tool without violating Privacy? This is the kind of software stalkers (or Lower Merion High School administrators) install...
WebCamImageSave Capture Images from your Webcam Automatically
… This is a handy tool that allows you to capture pictures from your camera regularly after the time you have chosen, and then saves them into an image file on your hard disk. In this way you can keep tabs on who has used your PC during any particular period. This awesome tool also adds a label with the date/time that the photo was taken into the image, using the font, color, and date/time format that you select.

Thursday, October 13, 2011

If your Security Manager is waiting for a report like this to determine what changes/upgrades he should make, it's already too late.
Hacker attacks against retailers up 43 percent
October 12, 2011 by admin
Angela Moscaritolo reports:
Hacks targeting the retail sector have increased 43 percent since last year, largely due to an increase in SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks.
During the first nine months of 2011, Dell SecureWorks blocked an average of 91,500 attacks per retailer, compared to 63,651 during the final nine months of 2010.
Read more on SC Magazine.
[From the article:
Other verticals have also experienced an increase in attacks, though not to the same degree as the retail sector, he said. Merchants are being more heavily targeted than those within other sectors, likely because they maintain vast amounts of information that attackers want, [And often maintain it online, simply because it is easier... Bob] and often have less stringent security controls.

This does not “prove” that the FBI sets their crime fighting priorities based on how much publicity they can get from the case. It could be that this is just a very poorly trained hacker who was easy to catch. Or they could be trying to assure everyone who has nude self-portraits on their phones (everyone in Hollywood?) that this hacker has been caught.
FBI Arrests Man Who Allegedly Hacked Celebrities to Steal Nude Photos

(Related) a “phones in California sorta way”
Secure Your Mobile Phone
… Want to stop big brother from sinking his teeth into your data? Well, it's not easy to do. In fact, you probably can't stop determined experts from getting into your phone. You can, however, put up some roadblocks that will slow them down and most likely stump the average person — law enforcement or otherwise — from accessing your data. Here's our guide to securing your mobile phone.

Facebook v. the Irish Data Protection laws. “You have no idea how much we know about you, and we'd like to keep it that way.” NOTE: Includes an interesting list of the data generating techniques they built into the system.
Facebook: Releasing your personal data reveals our trade secrets
October 12, 2011 by Dissent
Emil Protalinski writes:
An Austrian group called Europe versus Facebook has so far made 22 complaints regarding the social network’s practices. In the process, the organization has stumbled upon an important tidbit: Facebook says it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property.
Read more on ZDNet.

(Related) What Facebook HQ says...
Facebook: The law reasonably states you can’t have all your data

(Related) “Oh look! Another way to gather user data! Quick, let's change our Privacy Policy.” (At least they sent a notice of the change...)
Verizon tweaks privacy policy for ad targeting based on physical address
October 13, 2011 by Dissent
Larry Dignan writes:
Verizon is changing its privacy policy so local advertisers can better target customers based on physical address.
In an email to customers, Verizon noted that it started a program where advertisers can target Verizon Online customers by physical address. The address will be masked to advertisers, but the idea is that pitches will be more relevant.
The program is opt-out so if the targeting is troubling you’ll have to change your privacy settings.
Read more on ZDNet.

Unfortunately, a brief history of failure...
Many Failures: A Brief History of Privacy Self-Regulation in the United States
October 12, 2011 by Dissent
Bob Gellman and Pam Dixon have written a report for the World Privacy Forum: “Many Failures: A Brief History of Privacy Self-Regulation in the United States.” Here’s the summary of their report:
Major efforts to create self-regulatory, or voluntary, guidelines in the area of privacy began in 1997. Industry promoted privacy self-regulation at the time as a solution to consumer privacy challenges. This report reviews the leading efforts of the first self-regulatory wave from 1997 to 2007, and includes a review of the life span, policies, and activities of the Individual Reference Services Group, Privacy Leadership Initiative, Online Privacy Alliance, Network Advertising Initiative, BBBOnline Privacy Program, US-EU Safe Harbor Framework, Children’s Online Privacy Protection Act, and the Platform for Privacy Preferences. A key finding of this report is that the majority of the industry self-regulatory programs that were initiated failed in one or more substantive ways, and, many disappeared entirely. The report concludes with a discussion of possible reforms for the process, including a defined and permanent role for consumers, independence, setting benchmarks, and other safeguards.
You can read the full report here.
Pam will be testifying about the report and related issues tomorrow (Thursday) at the House Energy and Commerce Committee hearing, “Understanding Consumer Attitudes About Privacy,” at 9:00. You can find the witness list and prepared testimony at

Perhaps it is easier to write a good (as in logical) law in countries where it is unlikely to be enforced?
Colombian Data Protection Law Approved by Constitutional Court
October 12, 2011 by Dissent
On October 7, 2011, the Constitutional Court of Colombia approved a landmark omnibus data protection law. … Some highlights include:
  • With certain exceptions, the law prohibits the processing of personal data without the data subject’s prior consent. When the personal data are sensitive data (e.g., health data), the consent must take the form of an explicit authorization.
  • The law permits cross-border transfers of personal data to countries that lack adequate data protection laws only in specified circumstances, such as (1) when the data subject has given express and unequivocal consent for the transfer, (2) the transfer is necessary for the performance of a contract between the data subject and the data controller, or (3) with the approval of the Superintendence of Industry and Commerce.
  • The processing of children’s personal data is generally prohibited.
  • Data subjects have access rights.
Read more on Hunton & Williams Privacy and Information Security Law Blog.

A simple extension of “Face recognition” technology. Instead of “who is this?” the technology answers “What is this and where can I buy it?” (Which suggests why advertisers are interested in where you are...)
Point, Click, Search: eBay To Add Image Recognition To Mobile Apps
… The image recognition integration will allow users of eBay’s mobile apps to snap photos of items they see in the real world on their mobile phones, at which point the apps will then match the photo with similar products currently on sale on

A very useful video for researchers. (Also a simple, inexpensive way to “market” CU)
October 12, 2011
YouTube Training Videos: What is FDsys and How to Use FDsys
Government Information Education and Outreach Librarian.

It's for my starving students!
Get Paid For Your Opinions By Completing Online Surveys For Paid Viewpoint
Paid Viewpoint (PV), a market research survey site, has created a unique process for getting views from their members, making sure they get paid for their time and effort.
… Paid Viewpoint has streamlined the survey taking process, so that you don’t spend more than six minutes on average completing a survey. You earn points for each survey you complete.
The payout comes when you have earned $15 in points.
… You can earn additional points through Paid Viewpoint’s referral system–when your friends sign up and complete a minimum of six surveys. [Of course, I would never make it mandatory for my students to sign-up and complete surveys. Extra Credit maybe. Bob]
… Paid Viewpoint is an international site, but it only makes cashout payments through PayPal, which is done within 72 hours of you reaching your $15 USD earnings.

Handy backup storage! Collaborate and share files! ...and yes, find and download pirated movies...
The Top 10 Largest File Sharing Websites On The Net Right Now
A free account provides 10GB of free storage space which can be used to upload files below 2GB.
Registering a free account is worth it in order to net 200GB of free storage and a maximum upload file size of 2GB.
MediaFire’s free accounts are supported with adverts and pleasantly provide no limits to your total storage or number of files. The drawback? A maximum file size of 200MB.
Not a cyberlocker, but a search engine which scours other cyberlockers and returns the results in one easy to find place.
A free membership allows you to upload all you want, with no restrictions. That’s right – unlimited file size and unlimited storage for free! However, if a file is not downloaded within 30 days it is earmarked for deletion – so be warned.
A public torrent tracker currently indexing over 3.5 million torrents in a variety of categories.
FileServe provides free accounts that are good for files under 1GB.
A relatively average site, only allowing for files up to 400MB to be uploaded for free.
Torrentz is a no-fuss search engine designed to check elsewhere so you don’t have to.
Deposit Files is the least popular of all the file sharing websites on this list, yet has an incredible free option. With maximum file sizes of 2GB, unlimited storage and no deletion policy, this host is a beast.

Tools for students... - Learn To Code Online
Learning languages like Java, C++, C# and PHP is no longer something that is done within a classroom. Sites like Programr enable people who have no prior knowledge of such languages learn all there is to know using their computers, in the comfort of their own rooms.

Apple publishes guide on how to set up iCloud
The guide explains how to get the online service working on Apple's iOS devices (iPhone, iPad, iPod Touch) as well as on a PC and Mac, a process that can be confusing.

Wednesday, October 12, 2011

Could be new. Could be a 'left over' from the original attacks. Looks more like a third-party weakness, but it's going to be hard to be sure with such minimal reporting.
Sony attacked again – 93,000 usernames and passwords compromised
October 12, 2011 by admin
Associated Press reports:
Sony said Wednesday intruders staged a massive attempt to access user accounts on its PlayStation Network and other online entertainment services in the second major attack on its flagship gaming site this year.
The Tokyo-based company temporarily locked about 93,000 accounts whose IDs and passwords were successfully ascertained by the blitz. [Unencrypted? Bob] Sony sent email notifications and password reset procedures to affected customers on the PlayStation Network, Sony Entertainment Network and Sony Online Entertainment services.
It’s bad enough that their earlier breach embarrassed them on data security. But after claims of improved security, this incident has the potential to embarrass them again, even though this time, it appears that there might have been a brute force attack using usernames and passwords obtained from some other database(s).
Having also been criticized for its slow response in disclosing and warning people, Sony was quicker this time. The attacks appear to have occurred between October 7 and 10, and the firm posted a notice on its site October 11, although it had not yet sent out e-mails to those affected at the time of its blog post. Users generally responded appreciatively to the quick disclosure, as evident in the comments in response to the blog post.
In related coverage, John Leyden reports:
Sony has warned users against a massive bruteforce attack against PlayStation and Sony network accounts.
The attack – which used password and user ID combinations from an unidentified third-party source – succeeded in compromising 60,000 PlayStation Network and 33,000 Sony Online Entertainment network accounts. These accounts have been locked and passwords reset.
Credit card information is not stored on the dashboard of Sony accounts but it might have been possible that unauthorised charges were made against the wallets held on compromised accounts. Sony has promised to refund any such losses, as explained in a statement by Philip Reitinger, senior vice president and chief information security officer at Sony Group, on the PlayStation blog here.
Read more on The Register.

It could be very useful to have the “key” to systems protected by RSA's SecurID tool. It is much less valuable to be so clumsy in your hack that your target is immediately aware of your success and changes the algorithm.
RSA Blames Breach on Two Hacker Clans Working for Unnamed Government
Two separate hacker groups whose activities are already known to authorities were behind the serious breach of RSA Security earlier this year and were likely working at the behest of a government, according to new statements from the company’s president.
RSA President Tom Heiser, speaking at the RSA conference in London this week, said that the two unidentified hacker groups had not previously been known to work together and that they possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, according to IDG news service.
Heiser said that due to the sophistication of the breach, “we can only conclude it was a nation-state-sponsored attack.”
… The company was forced to replace SecurID customer tokens after the breach.

Somehow I doubt this. The military normally does not ignore procedure and there would definitely be a reporting procedure.
Get Hacked, Don’t Tell: Drone Base Didn’t Report Virus
Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
… Nevertheless, the virus has sparked a bit of a firestorm in military circles. Not only were officials in charge kept out of the loop about an infection in America’s weapon and surveillance system of choice, but the surprise surrounding that infection highlights a flaw in the way the U.S. military secures its information infrastructure:

Very interesting, but I'll have to study the study to see how useful it might be...
Tracking the Trackers: Where Everybody Knows Your Username
October 12, 2011 by Dissent
Jonathan Mayer writes:
Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn’t a 1984-esque scaremongering hypothetical. This is what’s happening today.
Stanford conducted an important web leakage study to assess its pervasiveness, summarized in the blog post. Of note, Jonathan notes the implications:
From a legal perspective, identifying information leakage is a debacle. Many first-party websites make what would appear to be incorrect, or at minimum misleading, representations about not sharing PII.
Read more about the study’s methodology and results on CIS.
Jim Puzzanghera and Jessica Guynn of the Los Angeles Times, Grant Gross of IDG provide some of the extensive media coverage of the study with reactions from others.
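The leakage Mayer describes happens through ordinary mechanics: a username or e-mail address sits in the first-party page's URL, and every third-party image, script or ad the page loads receives that URL in the Referer header, or gets the identifier passed outright in its own query string. The check below is an added example, not the Stanford study's tooling; the request records (URL plus Referer header) are constructed, and the "registrable domain" rule is a deliberate simplification of the Public Suffix List.

```python
"""Audit captured page requests for identifiers handed to third parties (added example).

Each record is (request URL, Referer header or None), as a browser would send
while a first-party page loads embedded third-party resources.
"""
from urllib.parse import urlparse, unquote

# Constructed session: a logged-in user on shop.example whose username sits
# in the page URL, with a tracking pixel, a CDN image and a tracker request.
SAMPLE_REQUESTS = [
    ("https://shop.example/account?user=jdoe", None),
    ("https://ads.example/pixel?u=jdoe", "https://shop.example/account?user=jdoe"),
    ("https://cdn.example/logo.png", "https://shop.example/account?user=jdoe"),
    ("https://track.example/e?email=jane%40example.org", "https://shop.example/account"),
    ("https://shop.example/cart", "https://shop.example/account?user=jdoe"),
]


def registrable_domain(host):
    """Simplified: last two labels. A real audit uses the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def contains_identifier(text, identifiers):
    """Identifiers found in text, after undoing URL encoding (%40 -> @)."""
    text = unquote(text).lower()
    return [i for i in identifiers if i.lower() in text]


def find_leaks(requests, first_party_host, identifiers):
    """Return sorted (third-party host, channel, identifier) triples, where
    channel is 'url' (identifier in the third party's own request) or
    'referer' (identifier carried over from the first-party page URL)."""
    first = registrable_domain(first_party_host)
    leaks = set()
    for url, referer in requests:
        host = urlparse(url).hostname or ""
        if registrable_domain(host) == first:
            continue  # first-party request: not a leak to anyone else
        for channel, text in (("url", url), ("referer", referer or "")):
            for ident in contains_identifier(text, identifiers):
                leaks.add((host, channel, ident))
    return sorted(leaks)


if __name__ == "__main__":
    for host, channel, ident in find_leaks(SAMPLE_REQUESTS, "shop.example",
                                           ["jdoe", "jane@example.org"]):
        print(f"{host} received {ident!r} via {channel}")
```

The Referer channel is the one site operators most often overlook: even a plain image on a CDN learns the username here, which is why identifiers belong in session state rather than page URLs.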

Never, ever challenge hackers.
IT Olympics: Cyberattacks to test cybersecurity of London Olympic Games
The London 2012 Olympic Games open in nine months, but geeks and security freaks are preparing to go for the gold now in simulated cyberattacks against the technology systems running the Olympics. During the 2008 Beijing Olympics, there were reportedly 12 million cyberattacks per day, so it's a mighty big claim for officials to say the London 2012 Olympics will be "safe from cyberattacks" and from cybercriminals disrupting the games. Gerry Pennell, the CIO over cybersecurity for the London Olympics, confidently told the Wall Street Journal that "even if police shut down the mobile network in response to a major attack, the games would still be able to carry on." [Perhaps they haven't seen the “Build your own mobile network” tools the Berkman Center recommends? Bob]

What am I missing here? “Texting while driving is dangerous and possibly illegal so let's build it into our cars!”
Cadillac revamps the instrument panel with CUE
Cadillac has introduced a new central instrument panel that features touch-screen technology popularized by smartphones and tablets. The fully capacitive faceplate has an 8-inch touch screen that utilizes multitouch gestures to interact with it.

Key finding: Executive management does not know what is going on...
Data Mining: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism, GAO-11-742, Sep 7, 2011

Tuesday, October 11, 2011

Today's theme seems to be “We're the government. We don't need to worry about laws, regulations or that Consti-whosit thing!”

There is no “government of the people” – people don't have the same rights as governments. (King George is laughing)
Anonymous Speech, Subpoenas and Internet User Identities, and Government Investigations
October 11, 2011 by Dissent
Eugene Volokh writes:
Over the last several years, various courts have held — in cases such as Dendrite Int’l, Inc. v. Doe No. 3 and Doe v. Cahill — that the First Amendment provides substantial, though limited, protection against subpoenas aimed at unmasking anonymous commenters; for more details on that protection, see this EFF analysis. But last week, Doe v. United States (N.D. Cal. Oct. 4, 2011) held that such rules generally do not apply to government investigations, here by the SEC, as opposed to investigations by private litigants. I just thought this was worth noting for readers who follow such matters.

(Related) Even California is getting all “Big Brother” on us, dude.
California Governor Vetoes Bill Requiring Warrant to Search Mobile Phones
October 10, 2011 by Dissent
David Kravets reports:
California Gov. Jerry Brown is vetoing legislation requiring police to obtain a court warrant to search the mobile phones of suspects at the time of any arrest.
The Sunday veto, announced Monday, means that when police arrest anybody in the Golden State, they may search that person’s mobile phone — which in the digital age likely means the contents of persons’ e-mail, call records, text messages, photos, banking activity, cloud-storage services, and even where the phone has traveled.
Read more on Threat Level.
I’m not only disappointed, but surprised by this veto. The legislature came up with a law that protected citizens’ rights and made law enforcement’s obligations clear. Rather than having courts decide cases, it makes more sense for the legislature to enact laws that make their intentions and expectations clear.

“We don't want to tell you what we're doing because then you'll whine and complain.” Ignorance of the law is no excuse, but is ignorance of a secret (don't tell the citizens) interpretation of a law an excuse?
FOIA and the Question of Secret Law
October 10, 2011 by Dissent
Robert Chesney writes:
Charlie Savage of the New York Times has filed this FOIA suit in an effort to acquire a classified report issued by DOJ and ODNI to Congress “pertaining to intelligence collection authorities” under section 215 of the USA PATRIOT Act (permitting the government to obtain from the FISC an order for the production of “any tangible things” upon a showing of “reasonable grounds” in relation to an international terrorism or counterintelligence investigation).
Read more on Lawfare.
I hope the court does order disclosure. Our government should not be permitted to have secret analyses of how they are interpreting a law that is used to surveill citizens. This is truly a matter of public interest and urgent concern.

Not only are there threats to Privacy, but now Public is also in danger, from unpublished “policies” and unique (secret?) interpretation of laws.
"A man was questioned by security guards and then police after taking a photo of his own child in a UK shopping center. The center apparently has a 'no photography' policy 'to protect the privacy of staff and shoppers and to have a legitimate opportunity to challenge suspicious behavior.' He was told by a security guard that taking a photo was illegal. He also said that a police officer claimed, 'he was within his rights to confiscate the mobile phone on which the photos were taken.'"

(Related) Even if you aren't arrested for taking a photo, what makes you think you have any ownership rights? Here are a few “Terms of Service” that show how wrong headed that is.
4 More Ways You’ve Sold Your Soul To The Internet
You may remember my article from a while back, 3 Ways You’ve Sold Your Soul to the Internet. As it turns out, there seems to be a variety of ways that one can make it happen, and as a matter of fact, I’ve found four more ways that you can do so!

For my Ethical Hackers: Develop a hack for a similar service for non-Apple phones.
iMessage Coming This Week: A Wake-Up Call for Wireless Carriers
Wireless carriers in the U.S., who are earning as much as 20 cents for sending and another 20 cents for receiving a text message, are worried that this profitable source of revenue will no longer be available to them, once Apple's new instant messaging application, iMessage, is released on Wednesday.
With iMessage in place, any user of an iPhone, iPad or even iPod touch can send an unlimited number of messages from their iOS 5 device to any other iOS 5 device, for free.
… According to a Topnews report, Craig Moffett, an analyst at Sanford C. Bernstein, estimated that the wireless industry pockets more than $20 billion in revenue from text messaging.

Interesting speculation or keen observation? Or perhaps a conspiracy by IP lawyers?
"Sam Ramji thinks the days where Microsoft's, (and Apple's, and Oracle's) love-hate relationship with open source are numbered, thanks to the cloud. Whereas some open source advocates say the cloud may kill open source, because users won't have access to the source, Ramji says the cloud will be its salvation. Ramji, Microsoft's original internal open source dude, thinks companies building clouds won't be able to keep up if they don't participate in open source communities because that's where the developers building new cloud infrastructure are doing most of their work. The main concerns standing in the way for both cloud builders and users of free software are legal fears, he contends. These include fears of the GPL's copyleft provision and fears of being sued by downstream users. Is he right ... or full of FUD?"

Make your old clunky desktop PC work just like that spiffy new smartphone! NOTE: It's only in Alpha so far!
BlueStacks Releases App Player And Cloud Connect Service To Let You Run Android Apps On Your PC
Back in May, BlueStacks raised $7.5 million in series A financing from Andreessen Horowitz, Ignition Ventures, Radar Partners, Redpoint Ventures, and more. This was all pre-launch. Why that kind of money for a startup that hasn’t launched a product yet? Because approximately 630 million new Windows PCs will be shipped by the end of this year, and because BlueStacks has designed downloadable software that will enable Android apps to run on (hopefully) all of them.
And today, to put that money where its mouth is, BlueStacks is announcing the release of the first products that will be a part of its ongoing quest to do just that. For starters, the company is making available the alpha version of its app player for Windows that is basically a free software download that will give users one-click access to Android apps on any Windows PC, tablet, or laptop. (And the ability to view these apps in full-screen.)
[So, you're gonna need:

Monday, October 10, 2011

This one is rather unique (if we can believe the article)
MI: Hackers hit Troy schools
October 9, 2011 by admin
Mike Martindale reports:
Police and Troy school officials are investigating a widespread hacking of the school district’s computer system.
In a letter to parents obtained by The Detroit News, schools Superintendent Barbara Fowler said she told students and staff with accounts on the system to change their passwords so whoever’s responsible can’t access personal information.
The hacking has been stopped, police said, but there are concerns data gleaned by hackers could lead to identity theft and fraud.
“No one is in custody yet, but when it all comes out, I expect it to be significant,” police Officer Andy Breidenich said Friday.
Read more on The Detroit News.
[From the article:
According to Fowler's letter to parents, dated Sept. 30, the hacking involved the decryption of passwords and user names in a district database. [Decrypting on the school's computer system? (How else would they know?) I've never seen that before. Bob]
In the letter, Fowler wrote that police had asked the school district to delay notifying parents to avoid compromising the investigation. [Why? The only reason I can see is to keep the hacker accessing the system in hopes of tracing him. (And in this case, the cops had NOT asked them to hold off...) Bob]

Managers assume that anyone with a smattering of technical skill knows everything they need to know to get a job done correctly.
"The UK Ministry of Defence has been left with egg on its face, after a supposedly redacted PDF detailing secrets related to air defence radar systems was published on a parliamentary website. The problem? Whoever did the redacting simply changed the sensitive text to black on a black background, making it possible for anyone to access the information simply by cutting-and-pasting. The incident is particularly embarrassing for the Ministry, as six months ago precisely the same security screw-up occurred — that time related to sensitive information about nuclear submarines."
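Drawing a black box over black text changes only what the viewer paints; the text operators stay in the page's content stream, which is exactly what copy-and-paste reads. A publisher can catch that before release by extracting whatever text the file still carries. The following is an added example, unrelated to the MoD document itself: it assembles two tiny PDFs in memory (constructed; no cross-reference table, and a made-up "secret" string), one with the failed black-on-black treatment and one where the text was actually removed, and checks each. It only handles strings shown with the Tj operator and inflates FlateDecode streams; a production check would run a full PDF text extractor.

```python
"""Check whether a 'redacted' PDF still carries the hidden text (added example)."""
import re
import zlib

SECRET = "SAMPLE SECRET 12345"  # constructed stand-in for sensitive text


def make_pdf(content_stream: bytes, compressed: bool = False) -> bytes:
    """Assemble a minimal one-page PDF around a content stream (toy builder,
    no xref table: enough for text extraction, not for strict viewers)."""
    if compressed:
        content_stream = zlib.compress(content_stream)
        filt = b" /Filter /FlateDecode"
    else:
        filt = b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n" % (len(content_stream), filt)
        + content_stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Black-on-black "redaction": a filled black box, then black text on top of it.
BAD_REDACTION = make_pdf(
    b"0 g 10 40 180 20 re f\n"
    b"BT /F1 12 Tf 0 g 12 45 Td (" + SECRET.encode() + b") Tj ET"
)
BAD_REDACTION_COMPRESSED = make_pdf(
    b"0 g 10 40 180 20 re f\n"
    b"BT /F1 12 Tf 0 g 12 45 Td (" + SECRET.encode() + b") Tj ET",
    compressed=True,
)
# Real redaction: the sensitive string no longer exists in the file.
GOOD_REDACTION = make_pdf(
    b"0 g 10 40 180 20 re f\n"
    b"BT /F1 12 Tf 0 g 12 45 Td ([REDACTED]) Tj ET"
)

# "stream ... endstream" bodies; the lookbehind keeps "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# A literal string in parentheses followed by the Tj (show text) operator.
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def content_streams(pdf: bytes):
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            yield zlib.decompress(data)  # FlateDecode stream
        except zlib.error:
            yield data                   # already uncompressed


def recoverable_text(pdf: bytes):
    """Strings a viewer would still let a reader copy out of the page."""
    found = []
    for stream in content_streams(pdf):
        found.extend(s.decode("latin-1") for s in TJ_RE.findall(stream))
    return found


def redaction_leaks(pdf: bytes, secret: str) -> bool:
    return any(secret in s for s in recoverable_text(pdf))


if __name__ == "__main__":
    for name, doc in [("black-on-black", BAD_REDACTION),
                      ("black-on-black, compressed", BAD_REDACTION_COMPRESSED),
                      ("text removed", GOOD_REDACTION)]:
        print(f"{name}: {'LEAKS' if redaction_leaks(doc, SECRET) else 'clean'}")
```

The same check belongs in a release pipeline for any document that was redacted visually: if the secret string (or a hash of it) is still recoverable from the file, the redaction did not happen.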

For my Ethical Hackers: Tools like this are readily available and free. What free tools detect/block/remove these tools?
German ’Trojan’ Spyware May Violate Constitution
October 10, 2011 by Dissent
Cornelius Rahn and Brian Parkin report:
The German government is using spying software that violates the country’s constitutional law because it contains functions beyond the interception of Internet-based communication, a hacker organization said.
The malware, once installed on a target computer, can receive software and remotely execute it, the Chaos Computer Club said. It can also be used to control hardware such as microphones and cameras for room surveillance as well as upload falsified evidence to the target hard drive, said Hamburg-based CCC, which called itself Europe’s largest hacker group.
Read more on Bloomberg.

Sooner or later, one of the people who communicate with one of the people who communicated with Appelbaum will communicate with Kevin Bacon.
Justice Department ramps up WikiLeaks e-mail probe
The U.S. Department of Justice has expanded its investigation of WikiLeaks-related accounts to encompass Google and Internet provider
Both companies received [Not so secret Bob] secret court orders directing them to turn over information from the e-mail account of Jacob Appelbaum, a hacker and human rights activist who has been affiliated with WikiLeaks, the Wall Street Journal reported this evening.
… Appelbaum has not been charged with a crime.
… Ever since appearing at The Next HOPE hacker conference in July 2010 on behalf of WikiLeaks' Assange, who's currently out on bail in England while fighting extradition charges, Appelbaum has been the subject of strict police scrutiny. The Tor Project programmer has been repeatedly targeted when he crosses the border, with his electronics seized, and he no longer travels with any sensitive data. Even his friends have had their laptops and cell phones temporarily seized.
… In this case, it appears that the Justice Department is not asking for the contents of Appelbaum's communications--instead, they want to know the identities of his correspondents, which can be even more useful.

What (beside 'remedial grammar school') do they teach these “educators?” Perhaps they need to add Forrest Gump to the school board, because he knows that “Stupid is as stupid does.”
"Anaheim Union High School District has killed a controversial incentive program that assigned students color-coded ID cards and planners based on state test scores, required those who performed poorly to stand in a separate lunch line and awarded the others with discounts. The program was designed to urge students to raise scores on the California Standards Tests, but it also raised concern among parents and students who said it illegally revealed test scores and embarrassed those who didn't do well."
[From the article:
The program, in place at Cypress and Kennedy high schools, [Attention Class Action lawyers! Bob] was designed to urge students to raise scores on the California Standards Tests, but it also raised concern among parents and students who said it illegally revealed test scores and embarrassed those who didn't do well.
… "Because we believe having incentives can appropriately motivate students, we will develop another system for them to access the incentives. This is similar to acknowledging students for their participation in athletics, performing arts, extra-curricular activities, and community involvement," the statement reads. [Actually, it is similar to announcing that you failed your teacher certification test, again. Bob]
The California Department of Education characterized the practice as "inappropriate" and a violation of student privacy laws, and urged school administrators to curtail the practice.
A UC Irvine educational psychologist, AnneMarie Conley, who has extensively studied student motivation strategies in Orange County schools, called the system "one of the worst ideas ever" to promote learning.
Cypress High Principal Ben Carpenter said Wednesday that he believed the program did not violate student privacy laws because administrators intentionally designed it to obscure students' exam performance.

Someday, CEOs will ask their customers BEFORE they make a huge change to their services...
Netflix cancels Qwikster spinoff
… Critics said Netflix was doing the unthinkable: making a successful, simple service more complicated. Michael Pachter, an analyst who has covered Netflix for years, called the move the "dumbest" he's seen any company make in a long time.

Perhaps we should add Facebook etiquette to our student Career Services?
7 Reasons Why Recruiters Like Facebook More Than LinkedIn
… While employers continue to use professional networking site LinkedIn for recruiting, especially when hand-picking for executive positions, they prefer interacting with students and graduates via Facebook rather than LinkedIn, according to a study by online recruiting research lab Potentialpark.
… Potentialpark interviewed HR professionals about their motivation to be active on Facebook and found that they had multiple reasons for involvement. Here’s an overview of reasons why recruiters cited a preference for Facebook when dealing with young talent:
1. It’s more engaging. With Facebook, employers can follow a “let them come to us” strategy by setting up a business page for recruitment and career purposes. Recruiters noted that the interesting content on pages leads to comments, discussions and more personal interactions. With LinkedIn, the communication is very much one-way in the recruiting world, as employers proactively search for candidates and message them.
2. Facebook is where the action is. Recruiters perceive that few students and recent graduates actively update their LinkedIn profiles, whereas they are quite active on Facebook. Therefore, it just makes sense to connect with them where they already hang out online.
3. It’s free. Employers like that Facebook enables them to upload advanced recruitment content, such as testimonials, videos, pictures or a job search — and it’s all free of charge. This broad range of tools enables a company to showcase itself as an attractive employer.
4. It’s a bigger network. Facebook offers a larger audience, with more than 800 million active users worldwide, compared with LinkedIn’s user base of around 120 million members.
5. It’s more open. Facebook is free for all members and requires no premium accounts to use certain features. As a result, it’s a more open network than LinkedIn.
6. The Like button. When it comes to career website integration, Facebook takes the cake — Facebook feeds and the Like button are easier to integrate.
7. It’s better for branding. Recruiters report they tend toward LinkedIn and other business networks for networking, screening and recruiting. However, when it comes to employer branding activities and talent communication — especially with students, graduates and early career professionals — many prefer Facebook.