Thursday, December 06, 2012

Another moderate-sized hack that sneaked past me?
Hackers steal customer info from insurance provider Nationwide
Hackers broke into insurance company Nationwide's network in October, stealing the personal information of more than a million customers across the country, the insurance company recently revealed.
The company said the compromised information included people's names and a combination of Social Security numbers, driver's license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers. Nationwide said it had no evidence that any medical information or credit card account data was stolen.
… Although the hack occurred on October 3, the company didn't launch an investigation until October 16. The company learned from the investigation that information had indeed been compromised and confirmed the identities of affected customers on November 2. The case has now been handed over to law enforcement.


Definitely worth a read. Consider this in connection with the recent ruling that said banks were responsible if their security was “unreasonable” – would that apply here?
"Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."
[From the article:
The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan.
Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.
With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.


Making surveillance even more ubiquitous? Go to my website and I'll grab control of your webcam and snap photos of you... (once you click “Allow” on the browser's camera prompt, anyway; getUserMedia never hands over the camera silently).
Add an HTML5 Webcam to Your Site With Photobooth.js
The big web development news for 2013 is shaping up to be WebRTC, a set of APIs being developed by Mozilla, Google and others at the W3C that allows web developers to access device hardware — your camera, microphone, accelerometer and so on. Even now hardly a day goes by without a new demo showcasing WebRTC in some way.
The latest WebRTC hotness to catch our eye is developer Wolfram Hempel’s Photobooth.js, a JavaScript library for working with a device’s camera. Photobooth.js allows users to take pictures directly on your website, for example, to add an avatar. It also acts a bit like the OS X Photobooth app, offering real-time adjustments for hue, saturation and brightness (one word of warning, hue can really slow down Firefox).
Want to add a Photobooth-style camera app to your site? Just download Photobooth.js and add this code to your page:
myPhotobooth = new Photobooth( document.getElementById( "container" ) );
That’s it.


Another version of “Behavioral” tracking?
"Coursera announced its 'career services' feature yesterday for students who opt in. The company that works with elite colleges to offer free courses is sharing more than just academic scores — showing potential employers evidence of 'soft skills,' like how helpful students were in class discussion forums. 'Udacity, another company that provides free online courses, offers a similar service. ... Udacity's founder, Sebastian Thrun, said in an interview that 350 partner companies had signed up for its job program. While Mr. Thrun would not say how much employers pay, he characterized the fee as "significantly less than you'd pay for a headhunter, but significantly more than what you'd pay for access to LinkedIn," a popular social network for job hunters.'"


Three in Colorado...
Newly Released Drone Records Reveal Extensive Military Flights in US
December 5, 2012 by Dissent
Jennifer Lynch writes:
Today EFF posted several thousand pages of new drone license records and a new map that tracks the location of drone flights across the United States.
These records, received as a result of EFF’s Freedom of Information Act (FOIA) lawsuit against the Federal Aviation Administration (FAA), come from state and local law enforcement agencies, universities and—for the first time—three branches of the U.S. military: the Air Force, Marine Corps, and DARPA (Defense Advanced Research Projects Agency).
Read what EFF found and see their map, here.

(Related) Turning a Black Hawk into a drone is as easy as adding a few electronic components and an inflatable pilot...
"A specially equipped Black Hawk was recently used to demonstrate the helicopter's ability to operate on its own. In the first such test of its type, the U.S. Army Aviation and Missile Research, Development and Engineering Center, based at Redstone Arsenal, flew the Black Hawk over Diablo Mountain Range in San Jose, Calif. Pilots were aboard the aircraft for the tests, but all flight maneuvers were conducted autonomously: obstacle field navigation, safe landing area determination, terrain sensing, statistical processing, risk assessment, threat avoidance, trajectory generation and autonomous flight control were performed in real-time. 'This was the first time terrain-aware autonomy has been achieved on a Black Hawk,' said Lt. Col. Carl Ott, chief of the Flight Projects Office at AMRDEC's Aeroflightdynamics Directorate and one of the test's pilots."

(Related) Dirigibles make great drones, since they can loiter for days. They will also make “death-by-drone” much cheaper, since with their huge lift capacity they just carry a bunch of really big rocks to drop on the bad guys...
"The dirigible airship, the oddball aircraft of another era, is making a comeback. California-based Aeros Corporation has created a prototype of its new breed of variable buoyancy aircraft and expects the vehicle to be finished before the end of 2012. With its new cargo handling technology, minimum fuel consumption, vertical take-off and landing features and point to point delivery, the Aeroscraft platform promises to revolutionize airship technology. The Aeroscraft ship uses a suite of new mechanical and aerospace technologies. It operates off a buoyancy management system which controls and adjusts the buoyancy of the vehicle, making it light or heavy for any stages of ground and flight operation. Automatic flight control systems give it equilibrium in all flight modes and allow it to adjust helium pressurized envelopes depending on the buoyancy requirements. It just needs one pilot and has an internal ballast control system, which allows it to offload cargo, without using ballast. Built with a rigid structure, the Aeroscraft can control lift at all stages with its Vertical Takeoff and Landing (VTOL) capabilities and carry maximum payload while in hover. What makes it different from other cargo vehicles is that it does not need a runway or ground infrastructure."

(Related) Speaking of “death-by-drone”
Death by Algorithm: West Point Code Shows Which Terrorists Should Disappear First
Paulo Shakarian has an algorithm that might one day help dismantle al-Qaida — or at least one of its lesser affiliates. It’s an algorithm that identifies which people in a terror network really matter, like the mid-level players, who connect smaller cells with the larger militant group. Remove those people, either by drone or by capture, and it concentrates power and authority in the hands of one man. Remove that man, and you’ve broken the organization.


How do I stalk thee...
FTC settles charges against Epic Marketplace over “history sniffing” to collect data from consumers
December 5, 2012 by Dissent
From the FTC’s press release:
An online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.
The FTC settlement order bars the company, Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past.
… Epic Marketplace is a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed.
… In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network.
… The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. [That's a new one... Bob]
Documents on this case, including the complaint and proposed consent order, can be found here.

(Related)
FTC to Host Comprehensive Collection of Web Data Workshop TODAY
December 6, 2012 by Dissent
The FTC reminds everyone:
The Federal Trade Commission will host a workshop exploring the practices and privacy implications of comprehensive data collection. FTC Commissioner Julie Brill will deliver the opening remarks, and Commissioner Maureen Ohlhausen will provide remarks after lunch. Consumer protection organizations, academics, business and industry representatives, privacy professionals, and others will join FTC staff to examine the technological landscape, benefits and risks, consumer knowledge and attitude, and the future of comprehensive data collection.
Webcast
The workshop will be webcast live.
Submit questions online
FTC staff will live-tweet the day-long event using the hashtag #FTCpriv from the agency’s @FTC account. To submit questions for panelists online, tweet them with the hashtag, post them to the FTC’s Facebook page, or email them to opa@ftc.gov.
More details on the FTC’s site.


Still room for my Computer Security students. Also for my Statistics students...
The following is a press release from HITRUST, released today:
According to the Health Information Trust Alliance’s (HITRUST) analysis of U.S. healthcare data breaches from 2009 to the present, the healthcare industry has made little progress in reducing the number of breaches with troubling statistics seen from the same types of organizations, breaches and locations. The retrospective analysis of breaches affecting 500 or more individuals indicates a slight decline in the total number of breaches during the past three years, but overall the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new HIPAA and HITECH Act regulations went into effect.
… A close look at the HHS data reveals that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. With the annual number of total breaches remaining fairly consistent, hospitals and health systems are one of the few groups that can claim some improvements in protecting health information with the largest decline in reported breaches. This group experienced a decline of 71 percent from 2010 to 2011 in the number of breaches, and for the first two quarters of 2012 has only experienced 14 breaches (compared with a total of 48 for 2011). Health plans have also seen a steady decline in breaches since 2009 and have not had to post since the first quarter of 2012.
… The HITRUST report – “A Look Back: U.S. Healthcare Data Breach Trends” – is publicly available for download at HITRUSTalliance.net/breachreport along with an infographic of the analysis.
I have not yet read their report, but already wonder about the fact that if this is based solely on breaches reported to HHS, the year-to-year comparisons may be valid, but overall, they may be underestimating breaches in the entire sector as many breaches that incorporate ID theft for Medicare fraud do not get reported on HHS/OCR’s breach tool, and well, frankly, I think there are a lot more insider breaches than the known numbers might suggest. This is apart from hacking/malware breaches that they recognize are also likely under-reported. Records breached is an important measure when it comes to calculating costs and the total number of patients affected, but insider breaches seem to do more harm and perhaps, need to be viewed or weighted differently. But let me try to read the report this weekend and then we’ll see…


I wonder how many taxpayers “Like” the Revenue Department?
December 05, 2012
State of North Carolina - Social Media Archive
"This free and open archive provides access to more than 55,000 social media records from selected North Carolina state agencies. It is currently in beta. Social media activity from these agencies is continually being captured and indexed, and additional agencies will be included in the future. The content in this archive has been captured because it was made or received pursuant to law or ordinance in connection with the transaction of public business by an agency of North Carolina government or its subdivisions (G.S. § 132-1). Enter a keyword to search across the entire archive of social media sites, or use the Advanced Search for more options."


How bad must this be if the judge is allowing their equivalent of the NSA to be sued?
Megaupload’s Kim Dotcom allowed to seek damages against spy agency
December 6, 2012 by Dissent
Jeremy Kirk reports:
New Zealand’s High Court ruled Wednesday that Kim Dotcom and a Megaupload colleague can pursue damages against police and one of the country’s spy services for illegally intercepting their communications.
In her judgment, Justice Helen Winkelmann also added the Government Communications Security Bureau (GCSB) as a defendant in the case, ordering the agency to turn over some details of the agency’s surveillance with respect to national security concerns. Another hearing is planned for next week.
New Zealand’s government admitted it illegally spied on Dotcom and Bram van der Kolk prior to a January raid on Dotcom’s mansion that coincided with the shutdown of their Megaupload file-sharing service.
Read more on Computerworld. Can you imagine a court here ever letting someone sue the government this way?

(Related) True, but not exactly as they might like us to believe. I also find it interesting that all of these “pirate movie sites” (thanks for the list) seem to be accessed heavily from the DU Law School. No doubt they are preparing cases against offenders. I'll ask them during one of their Free Movie Nights...
"The Motion Picture Association of America (MPAA) has declared that the Megaupload shutdown earlier this year has been a great success. In a filing to the Office of the U.S. Trade Representative, the group representing major movie studios says the file hosting and sharing industry has been massively disrupted. Yet the MPAA says there is still work to be done, identifying sites that make available to downloaders 'unauthorized copies of high-quality, recently-released content and in some cases, coordinate the actual upload and download of that content.' Here's the list of sites, including where they are hosted: Extratorrent (Ukraine), IsoHunt (Canada), Kickass Torrents (Canada), Rutracker (Russia), The Pirate Bay (Sweden), Torrentz (Canada), and Kankan (China)."


The Design students use it to manipulate photos, Criminal Justice students use it to generate evidence...
Photoshop is one insanely powerful program. It has so many features that it is honestly hard to wrap your head around it. Unfortunately, it also comes with a price tag and learning curve that reflect the load of features and options. After all, there are entire classes dedicated to just learning the program, and once you do, you will have to run out and drop hundreds of dollars to have it installed on your own computer.
… So what can you do to get some of the features of Photoshop without the price tag? You can download Sumo Paint for Chrome. It offers many of the high-end features you expect from Photoshop, but without the insane price tag. In fact, it runs right in your web browser and is available from the Chrome Webstore for the low cost of $0.


An Origami design tool! God I wish I had a drop of artistic talent...
Fold It Right There: New iPad App Makes Papercraft More Fun Than Ever
… Indie developer Pixle is releasing a tool for the iPad to make designing your own papercraft figures super easy.
The app, called Foldify, uses a mixture of pre-built patterns and finger painting tools to allow you to create designs while previewing them in 3-D on the fly. Once you’re done, print them out on card stock, cut and fold. As easy as that, more weird things for your desk.


For my Math students
