Tuesday, October 23, 2012
For my Ethical Hacker/Entrepreneurs: Okay, now you have managed to let everyone know... Time to raise your prices.
Service Sells Access to Fortune 500 Firms
October 22, 2012 by admin
An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, [Keep this tag line, but get rid of the Clint Eastwood picture – you don't want to mess with the Copyright Cops. Bob] these services offer the ability to buy your way inside of Fortune 500 company networks.
The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010.
Read more on Krebs on Security.
Could it be that someone actually noticed what is going on? Or just noticed that even the agents didn't know how their “tools” worked.
Judge Questions Tools That Grab Cellphone Data on Innocent People
Jennifer Valentino-DeVries reports:
A judge in Texas is raising questions about whether investigators are giving courts enough details on technological tools that let them get data on all the cellphones in an area, including those of innocent people.
In two cases, Magistrate Judge Brian Owsley rejected federal requests to allow the warrantless use of “stingrays” and “cell tower dumps,” two different tools that are used for cellphone tracking. The judge said the government should apply for warrants in the cases, but the attorneys had instead applied for lesser court orders.
Read more on WSJ.
[From the article:
Among the judge’s biggest concerns: that the agents and U.S. attorneys making the requests didn’t provide details on how the tools worked or would be used — and even seemed to have trouble explaining the technology.
“Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Magistrate Judge Brian Owsley wrote in an order last month, adding the government was essentially asking him to allow “a very broad and invasive search affecting likely hundreds of individuals in violation of the Fourth Amendment.”
(Related) Mentioned in the article above, and based on the Fourth Amendment (cites lots of cases and other sources), but “The government cannot obtain judicial approval for a search using sophisticated, uniquely invasive technology that it never explained to the magistrate.”
In Court: Uncovering Stingrays, A Troubling New Location Tracking Device
Linda Lye of the ACLU writes:
The ACLU and Electronic Frontier Foundation have filed an amicus brief in what will be the first case in the country to address the constitutional implications of a so-called “stingray,” a little known device that can be used to track a suspect’s location and engage in other types of surveillance. We argue that if the government wants to use invasive surveillance technology like this, it must explain the technology to the courts so they can perform their judicial oversight function as required by the Constitution.
The case is highly significant for two reasons. First, it shows that the government is using new types of technology—not just GPS and cell site location records—to track location. Second, it shows that the government is going to great lengths to keep its surveillance practices secret.
Read more on ACLU.
My concern is throwing the baby out with the bath water... Would the UN have blocked the communications that brought about Arab Spring?
U.N. calls for 'anti-terror' Internet surveillance
The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists.
A 148-page report (PDF) released today titled "The Use of the Internet for Terrorist Purposes" warns that terrorists are using social networks and other sharing sites including Facebook, Twitter, YouTube, and Dropbox, to spread "propaganda."
"Potential terrorists use advanced communications technology often involving the Internet to reach a worldwide audience with relative anonymity and at a low cost," said Yury Fedotov, executive director of the U.N. Office on Drugs and Crime (UNODC).
… That echoes the U.S. Department of Justice's lobbying efforts aimed at convincing Congress to require Internet service providers to keep track of their customers -- in case police want to review those logs in the future. Privacy groups mounted a campaign earlier this year against the legislation, which has already been approved by a House committee.
… Other excerpts from the UN report address:
Open Wi-Fi networks: "Requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations... There is some doubt about the utility of targeting such measures at Internet cafes only when other forms of public Internet access (e.g. airports, libraries and public Wi-Fi hotspots) offer criminals (including terrorists) the same access opportunities and are unregulated."
Cell phone tracking: "Location data is also important when used by law enforcement to exclude suspects from crime scenes and to verify alibis."
Terror video games: "Video footage of violent acts of terrorism or video games developed by terrorist organizations that simulate acts of terrorism and encourage the user to engage in role-play, by acting the part of a virtual terrorist."
Paying companies for surveillance: "It is therefore desirable that Governments provide a clear legal basis for the obligations placed on private sector parties, including... how the cost of providing such capabilities is to be met."
It's called “BYOT” (Bring Your Own Technology), and it has been around at least since accountants started sneaking Apples with VisiCalc into accounting departments.
Cell phones are replacing pagers in pediatric hospitals
Ah, pagers -- still beloved by a wide range of users, from physicians to restaurant hostesses to bird watchers to drug dealers.
And given the simple telecommunication tech has been around for more than half a century, it should come as no surprise that it is gradually being replaced -- at least in hospital settings -- by cell phones.
That's according to an electronic survey administered by researchers out of the University of Kansas and presented this week at the American Academy of Pediatrics (AAP) National Conference and Exhibition in New Orleans.
Of the 106 pediatric hospital physicians surveyed, 96 percent say they text and 90 percent say they use a smartphone, with 57 percent of the physicians reporting they've sent or received work-related text messages and 49 percent even when they weren't working or on call.
… The underlying issue with this shift toward texting over paging is that few of the physicians said their hospital had Health Insurance Portability and Accountability Act (HIPAA)-compliant encrypted software for texting, let alone an actual policy regarding texting at the hospital.
Cell phones in hospitals pose numerous potential privacy breaches, be it taking photos of patients or routinely texting them about a range of health issues, including extremely personal ones such as drug use and sex.
Sort of the reciprocal of “Best Practices”: these are “Likely to get you involved with the FTC Practices.”
Data security flaws part of FTC complaint against Compete
October 22, 2012 by admin
The FTC has been active in going after companies that do not provide adequate data security. Today, they announced that Compete, Inc. had settled charges involving unfair or deceptive practices associated with collecting and sharing personal information of users. Of interest here, however, are the charges in the complaint that relate to data security:
Compete’s Data Security Practices
16. In addition to the representations made about the collection of data, Compete made statements about the security of user data such as the following:
We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information. These measures include internal reviews of our data collection, storage and processing practices and security practices.
17. Respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumer information collected and transmitted by Compete. Among other things, respondent:
a. created unnecessary risks of unauthorized access to consumer information by transmitting sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text over the Internet; [i.e., unencrypted. Bob]
b. failed to design and implement reasonable information safeguards to control the risks to customer information; and
c. failed to use readily available, low-cost measures to assess and address the risk that the data collection software would collect sensitive consumer information that it was not authorized to collect. [In other words, acting like the FBI? Bob]
18. These security failures resulted in the creation of unnecessary risk to consumers’ personal information. Compete transmitted the information it gathered – including sensitive information – over the Internet in clear readable text. Tools for capturing data in transit over unsecured wireless networks, such as those often provided in coffee shops and other public spaces, are commonly available, making such clear-text data vulnerable to interception. The misuse of such information, particularly financial account information and Social Security numbers, can facilitate identity theft and related consumer harms.
19. After flaws in Compete’s data collection practices were revealed publicly in January 2010, Compete upgraded its filters, added new algorithms to screen out information such as credit card numbers, and began encrypting data in transit.
The settlement doesn’t require any admission of guilt, but it is encouraging to see the FTC continue to protect consumers from the risk of ID theft by insisting on adequate security.
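Paragraphs 17 through 19 of the complaint describe exactly the "readily available, low-cost measures" the FTC had in mind: screen sensitive values out of collected data before it leaves the client, and refuse to send what remains over clear text. The following is an added illustration of that pattern, written for this post; it is not Compete's code and the capture string, field names and collector URL are constructed for the example. Card numbers are only redacted when they pass the Luhn mod-10 checksum, so ordinary long digit strings such as order numbers survive the filter.

```python
import re

# Constructed sample of the kind of form data a page-collection toolbar might capture.
# All values are fabricated; 4111111111111111 is the well-known card test number.
SAMPLE_CAPTURE = (
    "q=running+shoes&card=4111111111111111&exp=12/25&cvv=123"
    "&ssn=123-45-6789&note=order+1234567890123"
)

# Candidate primary account number: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the common dashed form.
_SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Card security code carried as a form field value (field names are assumed examples).
_CVV_FIELD_RE = re.compile(r"(?i)\b(cvv|cvc|csc|securitycode)=\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_sensitive(text: str) -> str:
    """Replace card numbers, SSNs and security codes with fixed markers."""
    def pan_sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only Luhn-valid runs are treated as card numbers; others are left untouched.
        return "[REDACTED-PAN]" if luhn_valid(digits) else m.group(0)

    text = _PAN_RE.sub(pan_sub, text)
    text = _SSN_RE.sub("[REDACTED-SSN]", text)
    text = _CVV_FIELD_RE.sub(lambda m: m.group(1) + "=[REDACTED-CVV]", text)
    return text


def is_transport_acceptable(url: str) -> bool:
    """The second half of the fix: collected data may only travel over TLS."""
    return url.lower().startswith("https://")


def prepare_upload(text: str, collector_url: str) -> str:
    """Filter first, then refuse clear-text transport; returns the payload to send."""
    if not is_transport_acceptable(collector_url):
        raise ValueError("refusing to send collected data over clear text: " + collector_url)
    return redact_sensitive(text)


if __name__ == "__main__":
    # Hypothetical collector endpoint, constructed for the example.
    print(prepare_upload(SAMPLE_CAPTURE, "https://collector.example/upload"))
```

A pattern filter like this is a mitigation, not a complete safeguard: it reduces what a collection tool accidentally captures, but the complaint's point (b), an information-safeguards design that decides what to collect in the first place, still has to be done separately.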
Think advertisers will ignore this? I know they'd like to and after all they're only guidelines...
FTC publishes guidelines for facial recognition
You can read “Best Practices for Common Uses of Facial Recognition Technologies” on the FTC’s site. Here’s a snippet from the Executive Summary:
Finally, there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images.
First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data.
Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent.
Consider the example of a mobile app that allows users to identify strangers in public places, such as on the street or in a bar. If such an app were to exist, a stranger could surreptitiously use the camera on his mobile phone to take a photo of an individual who is walking to work or meeting a friend for a drink and learn that individual’s identity – and possibly more information, such as her address – without the individual even being aware that her photo was taken. Given the significant privacy and safety risks [wouldn't a law be better than some “guidelines?” Bob] that such an app would raise, only consumers who have affirmatively chosen to participate in such a system should be identified.
This is not deterrence... Pay off the attorneys, give a nominal amount to the victims who started the lawsuit, and promise not to use outdated technology any more? What we need is someone with both a law degree and an economics degree (hint, hint) to determine what amount puts the punitive back in punitive.
KISSmetrics Settles Supercookies Lawsuit
Wendy Davis reports:
Analytics company KISSmetrics has agreed to settle a class-action lawsuit by promising to avoid using ETags or other “supercookies” to track people online without first notifying them and giving them a choice.
The company also will pay $2,500 each to the consumers who sued — John Kim and Dan Schutzman — and around $500,000 to the attorneys who brought the case, according to court papers filed on Thursday.
If approved by U.S. Magistrate Judge Laurel Beeler in San Francisco, the settlement would resolve a dispute alleging that KISSmetrics violated wiretap laws by using ETags (and other supercookies) for tracking.
Read more on MediaPost.
99 cans of worms on the wall, 99 cans of worms...
USPTO nixes Apple patent used in victory over Samsung
Apple might have some trouble on its hands.
The U.S. Patent and Trademark Office (USPTO) yesterday ruled that all twenty claims included in Apple's so-called "rubber-banding" patent are invalid, according to Foss Patents' Florian Mueller, who first discovered the rejection. Following that ruling, Samsung quickly filed a motion with Judge Lucy Koh, informing her of the USPTO's decision.
At least tell me why...
Remote Wipe of Customer’s Kindle Highlights Perils of DRM (Updated)
Imagine having every book on your Kindle remotely wiped, with no way to get it back. If you’ve invested hundreds or even thousands of dollars, that may seem frightening, if unlikely. Yet it’s exactly what happened to one Amazon customer in Europe. And even more shockingly, it was apparently the company itself responsible for deleting her library. According to Linn Nygaard, an IT consultant living in Norway, Amazon remotely wiped her Kindle and closed her Amazon account for as yet unspecified violations to its terms of service. It’s frightening evidence that when you buy into an ecosystem built on DRM, while you may own your device, you don’t own the data that lives on it.
… (It seems likely that it was because she was using her Kindle in Norway to buy content licensed in the U.K.)
Something every Ethical Hacker should know...
October 22, 2012
UK Report - The Future of Computer Trading in Financial Markets
"A new two-year Foresight study, The Future of Computer Trading in Financial Markets - An International Perspective, sheds new light on technological advances which have transformed market structures in recent years. The independent and international study has involved 150 leading experts from more than 20 countries to provide the best possible analysis on computer trading to date. Sponsored by Her Majesty's Treasury, the project was led by the Government Office for Science under the direction of the Government's Chief Scientific Adviser, Professor Sir John Beddington. It has involved leading experts in the field and explores how computer generated trading in financial markets will evolve over the next 10 years. It assembles and analyses evidence on the effect of HFT on financial markets looking out to 2022."
Now here's an interesting use of “Social Media”
Icelanders 'like' their crowdsourced constitution
In the wake of a crushing recession and raging protests, the government decided to rewrite its constitution and asked its citizens for help. Rather than requesting petitions, letters, or phone calls, the government asked people to help draft the new constitution through Facebook, Twitter, YouTube, and Flickr.
Over the course of the year, Iceland's citizens offered roughly 3,600 comments and 370 suggestions on the draft constitution, which was then drawn up by 25 members of a constitutional council, according to Reuters.
Add this to your 3D Printer and perhaps you can make guns at home...
"Affordable 3-D printers and CNC mills are popping up everywhere, opening up new worlds of production to wide ranges of designers. However, one major tool still hasn’t received a DIY overhaul: the laser cutter. Maybe people are sensitive because Goldfinger tried to cut James Bond in half with one, but all that changes now with Patrick Hood-Daniel’s new Kickstarter, 'Build Your Own Laser Cutter.' ... A 40-watt laser tube and power supply means it can cut a variety of materials: wood, plastic, fabric, and paper. ... There is one major red flag, however. The machine’s frame is built from Medium Density Overlay (MDO) — a type of plywood. Hood-Daniel says this is a feature, making the blackTooth less sensitive to thermal distortion and inaccuracy than a metal frame, but it also creates a serious, fire-breathing concern. ... When asked for comment, Hood-Daniel says 'Initially, I had the same thoughts as to the precarious use of wood for the structure, but even with long burns to the structure which were made on accident when starting a run, there was no ignition.'"