Wednesday, February 19, 2014
What happens in Vegas gets hacked in Vegas. Sounds big, but might not be very significant.
Eduard Kovacs reports:
The hackers that (sic) breached and defaced the websites of several casinos owned by Las Vegas Sands Corp last week have published a video to demonstrate that they’ve stolen 828 Gb of files from the company’s systems.
The data apparently stolen by the hacktivists hasn’t been published online. They’ve only made the video to show that it’s stored on a local hard drive.
Read more on Softpedia.
[From the article:
It’s difficult to say if the large amount of files obtained by the Anti WMD Team contains any customer information, but it’s clear that the attackers had unrestricted access to at least some of Las Vegas Sands’ servers.]
...and we're a long way from done.
Cost of Target data breach exceeds $200M so far just for card replacement-related costs for 22M customers
From the Credit Union National Association:
Financial institutions continue to respond to the massive data breach at Target. According to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association, the costs associated with the Target data breech (sic) exceed $200 million. CBA estimates the cost of card replacements for its members to have reached $172 million, up from an initial finding of $153 million; CUNA has stated the cost to credit unions has increased to $30.6 million from an original estimate of $25 million.
So far, cards replaced by CBA members and credit unions account for more than half of all affected cards. Between members of the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA), 21.8 million of the 40 million compromised cards have been replaced.
"Ontogeny recapitulates phylogeny," at least when it comes to technology. Each new generation must re-learn how to secure their users (and the users' data).
Dan Nakaso reports:
App developers are increasingly targeting the more lucrative iOS market, where more than 91 percent of the top 100 apps for Apple devices exposed users to security breaches and other data leaks, according to a study released Tuesday by San Francisco-based Appthority.
By comparison, Appthority found that 83 percent of the top 100 Android-based apps exposed their users to leaks of both personal and company information.
Read more on SiliconBeat.
(Related) The same problem when old technology shows up in new places.
Eduard Kovacs reports:
Security researchers from IOActive have identified a number of vulnerabilities in Belkin WeMo home automation devices that allow people to control their electronics from their mobile phones. More than half a million users are said to be impacted.
According to experts, the vulnerabilities can be exploited not only to perform malicious firmware updates, but also to remotely monitor and hijack the devices. Furthermore, the security holes can be leveraged to gain access to local networks.
Once they have access to the local network, the attackers can target laptops, mobile phones and other devices.
IOActive says the vulnerabilities have been reported to CERT, which in turn has notified Belkin. However, the company “was unresponsive.”
Read more on Softpedia.
(Related) An easy way to find those “things” on the Internet.
Shodan Adds Visual Search Results With 'Shodan Maps'
Shodan, the specialized search engine that lets users search for Internet-connected devices rather than web sites, today launched Shodan Maps, a new feature designed to let users see search results on a map instead of a regular (text) listing.
Shodan, which often reveals basic information about a device, such as what kind of system it is, version of software it runs, and other options that are supported, is a powerful tool for enterprise security teams, researchers, and even malicious attackers.
Because surveillance is big business, even surveilling the Internet of Things.
AT&T, IBM in Big Data Tie-up
AT&T and IBM announced plans Tuesday to join forces to help cities, utilities and others use big data analytics to better manage their infrastructure.
The companies said in a joint statement they will "combine their analytic platforms, cloud, and security technologies with privacy in mind to gain more insights on data collected from machines in a variety of industries."
The new project will focus initially on helping city governments and midsize utilities analyze vast quantities of data, including from mass transit vehicles, utility meters, and video cameras.
Log on like a cop and no one cares?
It has now been about two years since I filed a complaint with the FTC to alert them to all the data security breaches involving Experian’s credit report database.
And while I continue to wait to see the FTC take action against Experian over their numerous breaches involving misuse of clients’ login credentials, Experian has reported yet another breach of the same type, it seems.
This time it’s reportedly the Colorado Bureau of Investigation whose login credentials were compromised. The fact that the CBI had their login credentials compromised does not inspire confidence in them, but the fact of the matter is that it doesn’t seem to matter what clients have their login credentials compromised. Login credentials of a client seem to be the keys to the kingdom of Experian’s vast credit report database.
Did someone leak just how bad it was in order to make Vice Adm. Michael Rogers' confirmation hearings more entertaining? (It was his job to clean this up)
Why admit anything when you have a handy culprit for everyone to hate?
On February 4, the Dutch government admitted that it was not NSA that collected 1,8 million metadata from phone calls of Dutch citizens, but actually their own military intelligence service MIVD. They gathered those data from foreign communications and subsequently shared them with partner agencies like NSA.
Just like everyone else, the Dutch interior minister was misled by how Glenn Greenwald erroneously interpreted the data shown in screenshots from the NSA tool BOUNDLESSINFORMANT. This let him misinform the Dutch public and parliament too, and only after being faced with a lawsuit, he finally disclosed the truth. Here’s the full story.
Read more on Top Level Telecommunications. It’s a lengthy piece, and I’m in no position to verify its accuracy, but it’s certainly interesting and – if NSA wasn’t responsible for the metadata collection in this case – the record needs to be set straight.
Where you are now is not protected but where you have been is. So don't commit a crime now, do it yesterday...
Massachusetts court rules that state constitution requires warrant for access to two-week collection of historical cell-site records
Today brings a welcome ruling in Commonwealth v. Augustine: people may have a reasonable expectation of privacy in their historical cell location information data and prosecutors may need a warrant based on probable cause – and not just a 2703(d) order under ECPA – to obtain it. The opinion relies on Art. 14 of the Massachusetts constitution and not the Fourth Amendment, but hey, I’ll take it.
Orin Kerr writes:
The Massachusetts Supreme Judicial Court has issued a new decision interpreting the Massachusetts constitution to require a search warrant for access to a two-week span of historical cell-site information. The court divided by a vote of 5-2. Note that the decision did not interpret the Fourth Amendment of the federal constitution, but rather interpreted Article 14 of the Massachusetts Declaration of Rights. This means that the decision is binding on Massachusetts state law enforcement, but it does not apply to federal law enforcement (whether in Massachusetts or outside it).
The decision appears to adopt a mosaic theory for the state constitution, by which the time of surveillance determines what is a state-constitution search.
Read more on WaPo Volokh Conspiracy.
Poor Kim. It looks like he'll have to come here to insult the MPAA.
NZ court rules Megaupload warrant legal, dealing blow to Dotcom
A New Zealand court on Wednesday ruled that the search warrant used in the arrest of Megaupload founder Kim Dotcom on U.S. online piracy charges was legal, dealing a blow to the internet entrepreneur who is fighting extradition to the United States.
… The decision will benefit U.S. prosecutors who say the Megaupload website cost film studios and record companies more than $500 million and generated more than $175 million in criminal proceeds by letting users store and share copyrighted material, such as movies and TV shows.
If Dotcom is extradited, the ensuing copyright case could set a precedent for internet liability laws and, should he win, could force entertainment companies to rethink online distribution methods.
… However, the appeals court upheld an earlier ruling that prosecutors had not been authorized to send clones of seized electronic evidence to the United States.
The decision could pose a setback to a separate case in which Dotcom is seeking damages from the government for its role in the raid on the German-born, New Zealand resident's home.
At the same time, Dotcom could now find it difficult to challenge evidence at his extradition hearing set for July. A Supreme Court decision is pending on whether U.S. prosecutors must disclose evidence to be used in the hearing.
… Dotcom says Megaupload, which housed everything from family photos to Hollywood blockbusters, was merely an online warehouse and should not be held accountable if stored content was obtained illegally.
The U.S. Justice Department counters that Megaupload encouraged piracy by paying users who uploaded popular content and by deleting content that was not regularly downloaded.
A New Zealand government enquiry in 2012 found the nation's secretive spy agency acted unlawfully by giving information on Dotcom to U.S. authorities before the 2012 raid.
Eight will get you 10, there's an App for that. Could this eliminate a bunch of entry level mob jobs?
Cellphones may accelerate NJ online gambling
Internet gambling analysts and casino executives say the increased use of cellphones to place bets could accelerate the growth of the nascent industry in New Jersey.
"Mobile applications will play an enormous piece of the puzzle in online wagering, which is why we are so positive and see so much upside in months ahead," said Joe Lupo, senior vice president of the Borgata Hotel Casino & Spa, which began offering gambling Monday over Android cellphones on 3G and 4G networks.