Wednesday, October 24, 2012

How does this match with “Best Practices?”
Barnes & Noble discloses breach involving pin pads at dozens of stores
October 24, 2012 by admin
Remember when Michael’s Stores found that pin pads in some stores had been replaced? It looks like the same thing has happened to bookseller Barnes & Noble’s brick and mortar stores. According to the New York Times, the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.
So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to notify customers. The chain does suggest changing your PIN number, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.
Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation. That’s understandable and permissible, but consider this:
The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.
Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guesstimating how long the investigation would take or….?
There is no notice on B&N’s web site at the time of this posting.

Think of this as the keys to your home. Would you leave them just anywhere?
"PS3 security has been compromised again. The holy grail of the PS3 security encryption keys — LV0 keys — have been found and leaked into the wild. For the homebrew community, this means deeper access into the PS3: the possibility of custom (or modified) firmware up to the most recent version, the possibility of bypassing PS3 hypervisor for installing GNU/Linux with full hardware access, dual firmware booting, homebrew advanced recovery (on the molds of Bootmii on Wii), and more. It might lead to more rampant piracy too, because the LV0 keys could facilitate the discovering of the newer games' encryption keys, ones that require newer firmware."

(Related) But there is such a thing as “bad management decisions” – when do they rise to negligence?
Sony PSN hacking lawsuit dismissed by judge
A California district judge has dismissed a handful of charges that plaintiffs brought against Sony, including negligence, restitution, and unjust enrichment in its handling of a PlayStation Network data breach last year.
Several lawsuits were filed against Sony PlayStation Network in the wake of a major security breach of the personal data of more than 75 million customers in April 2011.
On Friday, Judge Anthony Battaglia of the U.S. District Court in Southern California ruled that one of those class action suits is invalid, according to Courthouse News.
Additionally, Battaglia said Sony couldn't be fully responsible for the hack. "There is no such thing as perfect security," he said, according to The Register. "We cannot ensure or warrant the security of any information transmitted to us."

Tools for the Cyber warrior... This could be mounted on a Hummer, but it would kill the engine too.
It’s perhaps every tech-lover’s nightmare, but it’s something everyone should be aware of: electronics-killing missiles. On October 16th, Boeing tested one such weapon named CHAMP, a non-lethal high-powered microwave missile that successfully snuffed the life out of a bunch of PCs, making history in the process. In fact, the test was so successful, the missile killed the cameras set up to record the event as well.

Interesting. Do you think Australia will fall for it? How will they check “push updates” in real time?
Huawei offers Australia 'unrestricted' access to hardware, source code
Huawei has offered to give the Australian government "unrestricted" access to the firm's software source code and hardware equipment in an effort to dispel security fears, months after the Chinese telecoms giant was barred from supplying infrastructure equipment for the country's national broadband network.
The Australian government barred Huawei from bidding on contracts for the network earlier this year, saying it had "a responsibility to do our utmost to protect [the network's] integrity and that of the information carried on it".

For my Ethical Hackers (and my Math students)
How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole
It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.
“You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”
Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.
So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail’s header information, it all seemed legitimate.
Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.
… “I love factoring numbers,” Harris says. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”
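The "weak cryptographic key" in the Wired story is a DomainKeys Identified Mail (DKIM) signing key short enough to factor; its public half is published as a DNS TXT record. The following Python is added here and is not from the article: it parses such a record and reports the RSA modulus length so a domain owner can audit their own selectors. The two records are constructed samples built by the `rsa_spki` helper (size-correct integers, not real keys), and the 1024-bit floor is the minimum RFC 8301 requires verifiers to accept.

```python
import base64
# Minimal DER helpers, enough for the RSA SubjectPublicKeyInfo that DKIM's p= tag carries.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(v):  # positive INTEGER; pad so the sign bit stays clear
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)
def _read_tlv(buf, pos):  # -> (tag, body, position after body)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_spki(n, e):
    """Encode (n, e) as a DER SubjectPublicKeyInfo (rsaEncryption OID 1.2.840.113549.1.1.1)."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key))

def modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki, 0)             # outer SEQUENCE
    _, _, after_alg = _read_tlv(body, 0)        # AlgorithmIdentifier, skipped
    _, bitstr, _ = _read_tlv(body, after_alg)   # BIT STRING; byte 0 = unused-bit count
    _, rsapk, _ = _read_tlv(bitstr[1:], 0)      # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _read_tlv(rsapk, 0)         # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()

def audit_dkim_record(txt, minimum_bits=1024):
    """Parse a DKIM TXT record; flag RSA keys shorter than minimum_bits (RFC 8301 floor)."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa":
        return {"bits": None, "weak": False, "note": "non-RSA key, not checked"}
    p = "".join(tags.get("p", "").split())      # DNS may split p= across strings
    if not p:
        return {"bits": 0, "weak": False, "note": "empty p= means the key is revoked"}
    bits = modulus_bits(base64.b64decode(p))
    return {"bits": bits, "weak": bits < minimum_bits, "note": ""}

# Constructed sample records (hypothetical selectors); the moduli are size-correct
# integers, not real RSA keys, so only the length check is meaningful here.
def _record(n):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, 65537)).decode()

WEAK_RECORD = _record((1 << 511) + 12345)     # 512 bits, the key size in the Wired story
STRONG_RECORD = _record((1 << 2047) + 12345)  # 2048 bits
```

Against a live domain, feed `audit_dkim_record` the TXT record at `<selector>._domainkey.<domain>` (selector names come from the `s=` tag of a received message's DKIM-Signature header).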

(Related) Future areas for my Ethical Hackers?
We’ve reached this strange moment in time when updates are released for our cars in the same manner they’re released for our gadgets. Thus is the case with the 2013 Chevy Volt, which GM has pushed a software update out for after reports of shutdowns. The manufacturer is not issuing a recall, however.

Sometimes the old hacks are the best hacks...
'Jesus,' 'welcome' join list of worst passwords
Despite the vulnerability presented by weak passwords, many Internet users continue to put their security at risk by using common words or number sequences that are easily guessable.
Unchanged from last year, the three most popular passwords for 2012 were "password," "123456," and "12345678," according to SplashData's annual "25 Worst Passwords of the Year" list. The list was compiled from files containing millions of stolen passwords posted online by hackers.
… A security breach revealed in July at Yahoo yielded nearly a half million login credentials stored in plain text. Other password thefts at LinkedIn, eHarmony, and contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June.

“Guilt by proximate geography”
Megaupload User Seeks to Unseal Documents Relating to Data Seizure
October 23, 2012 by Dissent
From EFF:
The Electronic Frontier Foundation (EFF), on behalf of its client Kyle Goodwin, asked a federal court yesterday to unseal warrant-related documents surrounding the loss of access to Mr. Goodwin’s data after the government shut down Megaupload. Goodwin used Megaupload’s cloud-based storage system for his small business reporting on high school sporting events in Ohio. The site’s servers housing Mr. Goodwin’s data were frozen as part of a government seizure in January of this year; since then, Mr. Goodwin and others like him have had no access to their data.
Mr. Goodwin has consistently asked the court for the return of his property. In response, the court recently asked Mr. Goodwin and the government to provide additional information on how such a hearing might proceed.
“The government engaged in an overbroad seizure, denying Mr. Goodwin access to his data, along with likely millions of others who have never been accused of wrongdoing,” said Julie Samuels, EFF Staff Attorney. “Access to the government’s warrant application and related materials can help us learn how this could have happened and provide assistance in our efforts to get Mr. Goodwin his property back.”
In running his small business, Goodwin stored video footage on Megaupload servers as a backup to his hard drive and so he could share those large files with his producers all over Ohio. Earlier this year, the FBI shut down Megaupload and executed search warrants on the company’s servers, locking out all Megaupload customers in the process. When Goodwin’s hard drive crashed, he could not get access to any of his own video files, which he needed to conduct his business.
“Unsealing the court documents in this case is not only important to Mr. Goodwin, it is critical to the ongoing public and Congressional debate about the U.S. government’s increasing use of its seizure power in intellectual property cases,” added Cindy Cohn, EFF’s Legal Director. “A court in New Zealand recently upbraided the authorities who conducted similar seizures for failing to protect innocent people whose property was obviously likely to be swept up. The questions raised by the New Zealand court about overbroad seizures should also be asked, and answered, here in the U.S.”
EFF was assisted by co-counsel Abraham Sofaer of the Hoover Institution and John Davis of Williams Mullen.

Somehow I can't buy that they have no way to access the data they gather and store. That's like saying, “We're so incompetent in so many areas, what makes you think we can make those computer thingies work?”
October 23, 2012
TRAC Challenges ICE Claim That Data Are Off-Limits to the Public
Jeff Lamicela, for TRAC: "On October 22, 2012 the Transactional Records Access Clearinghouse (TRAC) filed suit in D.C. District Court under the Freedom of Information Act (FOIA) challenging a ruling by Immigration and Customs Enforcement (ICE) that its master repository of investigations and operations information is off-limits to the public... The material sought by TRAC is stored in the ICE-operated Enforcement Integrated Database (EID), which records and maintains information related to the investigations and operations of ICE as well as Customs and Border Protection (CBP) and that agency's Office of Field Operations. Despite this, ICE has stated that its office 'does not have the means to extract the data or any other aspect of [TRAC's] request.'" For more on this matter, see the complaint document and legal exhibits.

(Related) Who would we be keeping this secret from? Countries who already do it to their citizens?
Feds Cite ‘State Secrets’ in Dragnet Surveillance Case — Again
The Obama administration is again arguing that a lawsuit accusing the National Security Agency of vacuuming up Americans’ electronic communications without warrants threatens national security and would expose state secrets if litigated.
“This case may be dismissed on the ground that its very subject matter constitutes a state secret,” the government said (.pdf) in a legal filing in San Francisco federal court.
Brought by the Electronic Frontier Foundation, the case is now four years old and its merits have never been litigated. The civil rights group claims that the major telecoms provided the NSA a warrantless backdoor to the nation’s communication backbone.

Is there really that much of a disconnect between technology and the law? Did no one even ask the privacy questions?
McDonald’s removes networking features in some online games
October 24, 2012 by Dissent
Cecilia Kang reports:
McDonald’s said it has removed social networking features in some of its online games after a privacy advocacy group complained to federal regulators that the restaurant chain was violating child online privacy laws.
In a complaint filed last August to the Federal Trade Commission, the Center for Digital Democracy said McDonald’s was using a “tell-a-friend” feature on games and other functions of and that asked children to upload photos and videos onto the site and then pass along that information to friends. McDonald’s also asked for children to list the e-mail addresses of friends, without gathering parental consent for that information.
Read more on Washington Post.

(Related) Would something like this help?
Navigating App Privacy Laws and Best Practices
October 24, 2012 by Dissent
Tim Kridel writes for Digital Innovation Gazette:
More than half of app users have uninstalled or decided to not install an app due to concerns about personal information, according to a recent Pew Internet Project survey. If that isn’t motivation enough to protect customer privacy, consider the growing number of federal and state laws penalizing breaches.
But how can developers determine which laws apply? And what about industry best practices such as those from the Mobile Marketing Association (MMA) and CTIA – The Wireless Association? We spoke with Alan Chapell, co-chair of the MMA’s privacy and advocacy committee, about what developers need to know to protect customer privacy — and, in the process, their app’s market potential.

I'm shocked again!
Online Ad Survey: Most U.S. Consumers “Annoyed” By Online Ads; Prefer TV Ads To Online; Want Social Media Dislike Button; And Reckon Most Marketing Is “A Bunch Of B.S.”
… The survey makes amusing reading at times – almost half of the respondents agree ‘online advertising is creepy and stalks you’, and more than half agree that ‘most marketing is a bunch of B.S.’.

For my Intro to Computer Security students...
Facebook has basically made a business out of knowing as much as they can possibly find out about everyone. So, tracking your behaviour online and offline makes perfect sense to them. However, it might not seem that rosy to you. Sometimes, it’s nice to have a little privacy.
There are many ways Facebook is tracking you and it’s worth knowing how to block this tracking where possible and how to opt out when required. Sadly, it’s getting more and more complicated as time goes by. Here are the main ways Facebook keeps tabs on you and the best ways to stop them.

Do we need more (and better) technology or are there “some things man was not meant to know?” Is this a field crying out for entrepreneurs?
"Maryn McKenna writes in Scientific American that the standard autopsy is becoming increasingly rare for cost reasons, religious objections, and because autopsies reveal medical mistakes, making doctors and hospitals uncomfortable. Researchers in several countries have been exploring the possibility that medical imaging might substitute a 'virtual autopsy' for the more traditional variety. 'So few autopsies are being done now that many medical students get out of school never having seen one,' says Gregory Davis. 'And yet in medicine, autopsy is the most powerful quality-control technique that we have and the reason we know as much as we do about many diseases and injuries.' The process, dubbed 'virtopsy,' combines MRI and CT scanning with computer-aided 3-D reconstruction to prove causes of death for difficult cases, which included drownings, flaming car crashes, and severe injuries to the skull and face. Since 2004 the U.S. military has performed x-rays and CT scans on the bodies of every service member killed where the armed forces have exclusive jurisdiction — that is, not just on battlefields abroad but on U.S. bases as well. 'It allows us to identify any foreign bodies present, such as projectiles,' says Edward Mazuchowski. 'X-rays give you the edge detail of radio-opaque or metallic objects, so you can sort out what the object might be, and CT, because it is three-dimensional, shows you where the object is in the body.' A study conducted among intensive care unit patients in Germany compared diagnoses made before death with the results of both traditional and virtual autopsy in 47 patients and with only virtual autopsy in another 115 whose families refused standard autopsy. Virtual autopsies confirmed 88 percent of diagnoses made before death, not far behind the 93 percent rate for traditional postmortem exams. 'The findings so far are mixed,' says Elizabeth Burton of Johns Hopkins University. Virtual autopsy, she says, 'is better for examining trauma, for wartime injuries, for structural defects. But when you start getting into tumors, infections and chronic conditions, it's not as good, and I doubt it will ever be better.'"
