Thursday, February 06, 2014

What would you do if you “owned” Facebook?
SEA Comes Close to Owning Facebook
06 February 2014
The Syrian Electronic Army (SEA) claimed yesterday that it had owned Facebook. It wasn't quite true in any meaningful way, but SEA came very close to being able to redirect millions of Facebook users to its own websites.
… SEA's latest exploit, announced yesterday, seems to have failed. "Happy Birthday Mark! owned by #SEA." It appears that while this was strictly true, briefly, it had no effect on Facebook users. It was again a DNS poisoning attack, again through Facebook's registrar, which was again MarkMonitor.
It seems that, already on high alert after the Paypal attack, MarkMonitor reacted fast enough to prevent any serious damage. It immediately took down its management portal and regained control over the accounts. "We changed the nameservers, but it's taking too much time..." confirmed SEA on Twitter. Why it took so long is not clear, but seems to imply that MarkMonitor has additional security in this area. Exactly what that security might be is unknown because MarkMonitor has a strict policy of not commenting on its clients (which SEA screenshots indicate also include Google, Yahoo and Amazon).
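The attack above worked by changing a domain's nameserver delegation through the registrar rather than touching Facebook's own servers, which is why a defender watches the delegation itself. As an added example, not code from the original post or from MarkMonitor or Facebook, here is a small Python monitor that flags the two things a registrar-account compromise would change: the NS set delegated at the parent TLD, and the EPP lock statuses on the domain. Registry-set locks (the server*Prohibited codes) are one known mechanism registries offer precisely because a registrar login cannot clear them; whether that is what slowed SEA here is not something the article says. The domain, nameserver names and WHOIS text are constructed sample data; a real deployment would fetch the observed NS set from the TLD's authoritative servers and the status lines from WHOIS or RDAP.

```python
"""Nameserver-delegation and registry-lock monitor.

Added example (not code from the original post, MarkMonitor or Facebook).
The domain, nameserver hostnames and WHOIS text below are constructed sample
data. In production, observed_ns would come from an NS query against the
parent TLD's servers and whois_text from the registrar's WHOIS/RDAP output.
"""
import re

# EPP status codes that only the registry can set or clear ("registry lock").
# The client* codes are managed through the registrar portal, so whoever
# controls the registrar account can simply remove them; the server* codes
# cannot be changed that way.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
})

_STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.IGNORECASE)


def parse_epp_statuses(whois_text):
    """Extract EPP status codes from 'Domain Status: <code> <url>' lines."""
    statuses = set()
    for line in whois_text.splitlines():
        match = _STATUS_LINE.match(line)
        if match:
            statuses.add(match.group(1))
    return frozenset(statuses)


def normalize_ns(names):
    """Case-fold and drop trailing dots so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def check_delegation(domain, expected_ns, observed_ns, whois_text):
    """Return a list of findings; an empty list means the delegation is healthy."""
    expected = normalize_ns(expected_ns)
    observed = normalize_ns(observed_ns)
    findings = []

    added = observed - expected
    removed = expected - observed
    if added:
        findings.append(f"{domain}: delegation points at unexpected nameservers {sorted(added)}")
    if removed:
        findings.append(f"{domain}: expected nameservers no longer delegated {sorted(removed)}")

    missing_locks = REGISTRY_LOCK_STATUSES - parse_epp_statuses(whois_text)
    if missing_locks:
        findings.append(f"{domain}: registry lock incomplete, missing {sorted(missing_locks)}")
    return findings


# ---- constructed sample data -------------------------------------------
DOMAIN = "example-corp.com"
EXPECTED_NS = ["a.ns.example-corp.net", "b.ns.example-corp.net"]

WHOIS_HEALTHY = """\
Domain Name: EXAMPLE-CORP.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
OBSERVED_HEALTHY = ["A.NS.EXAMPLE-CORP.NET.", "B.NS.EXAMPLE-CORP.NET."]

# What the same checks would see after someone with the registrar login
# swapped the delegation and cleared the client-side locks (constructed).
WHOIS_HIJACKED = """\
Domain Name: EXAMPLE-CORP.COM
Domain Status: ok https://icann.org/epp#ok
"""
OBSERVED_HIJACKED = ["ns1.unrelated-host.example", "ns2.unrelated-host.example"]


def run_checks():
    """Run both scenarios and return their findings keyed by scenario name."""
    return {
        "healthy": check_delegation(DOMAIN, EXPECTED_NS, OBSERVED_HEALTHY, WHOIS_HEALTHY),
        "hijacked": check_delegation(DOMAIN, EXPECTED_NS, OBSERVED_HIJACKED, WHOIS_HIJACKED),
    }


if __name__ == "__main__":
    for scenario, findings in run_checks().items():
        print(scenario, "->", findings or "no findings")
```

Run on a schedule, the healthy snapshot produces no findings while the hijacked one produces three: unexpected nameservers, missing expected nameservers, and an incomplete registry lock. Comparing against an allow-list rather than against the previous poll matters because a registrar compromise can change the delegation between two polls and back again.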

Interesting. Why would an air conditioner repairman have access to the credit card system?
Target Hackers Broke in Via HVAC Company
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
… According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
… It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).
In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.
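The two controls the article turns on are segmentation (a vendor's remote-access path should never be able to reach the payment network) and multi-factor authentication for any remote access by third parties. As an added example, not Target's or KrebsOnSecurity's code, the Python audit below reads a set of firewall allow-rules and reports every rule that violates either control. The zone CIDRs and the rule set are constructed sample data, with R1 and R2 written as the weak settings and R3 and R4 as their corrected equivalents.

```python
"""Audit firewall allow-rules against the two controls the article raises:
vendor/third-party paths must not reach the cardholder data environment
(CDE), and remote access from outside the network must require
multi-factor authentication.

Added example, not Target's or KrebsOnSecurity's code. The zone CIDRs and
the rule set are constructed sample data.
"""
import ipaddress

# Constructed zone map. In a real audit these come from the network inventory.
ZONES = {
    "cde": ipaddress.ip_network("10.10.0.0/16"),         # POS, payment switch
    "facilities": ipaddress.ip_network("10.50.0.0/16"),  # HVAC / energy monitoring
    "corp": ipaddress.ip_network("10.0.0.0/16"),         # office LAN
}


def zone_of(cidr):
    """Map a CIDR to a zone name; anything not in the map is 'external'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "external"


def audit(rules):
    """Return (rule_id, control, detail) for each rule that violates a control."""
    findings = []
    for rule in rules:
        src_zone, dst_zone = zone_of(rule["src"]), zone_of(rule["dst"])
        # Segmentation: only CDE-internal sources may talk to the CDE.
        if dst_zone == "cde" and src_zone != "cde":
            findings.append((rule["id"], "segmentation",
                             f"{src_zone} ({rule['src']}) -> cde, port {rule['port']}"))
        # Remote access from outside must be MFA-gated (the PCI 8.3 point quoted above).
        if src_zone == "external" and not rule["mfa"]:
            findings.append((rule["id"], "mfa",
                             f"remote access from {rule['src']} without multi-factor auth"))
    return findings


# Constructed rule set: R1 and R2 are the weak settings, R3 and R4 the
# corrected equivalents.
RULES = [
    {"id": "R1", "src": "203.0.113.25/32", "dst": "10.50.4.0/24", "port": 443, "mfa": False,
     "comment": "vendor remote access to energy-management server, password only"},
    {"id": "R2", "src": "10.50.0.0/16", "dst": "10.10.0.0/16", "port": "any", "mfa": False,
     "comment": "facilities network may reach store payment systems"},
    {"id": "R3", "src": "203.0.113.25/32", "dst": "10.50.4.0/24", "port": 443, "mfa": True,
     "comment": "same vendor path, behind an MFA-gated VPN"},
    {"id": "R4", "src": "10.10.2.0/24", "dst": "10.10.0.0/16", "port": 443, "mfa": False,
     "comment": "CDE-internal payment switch traffic"},
]

if __name__ == "__main__":
    for rule_id, control, detail in audit(RULES):
        print(f"{rule_id} {control}: {detail}")
```

Against the sample rules the audit reports R1 for missing MFA and R2 for crossing from the facilities network into the CDE; R3 and R4 pass. The zone lookup is deliberately allow-list based: any source that is not in the inventory is treated as external, so an unknown vendor address is held to the MFA requirement rather than silently trusted.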

I would be concerned that this was a test of impact and response. The substation feeds Silicon Valley, but the disruption seemed short-lived and minor.
Snipers Coordinated an Attack on the Power Grid, but Why?
Last April, unknown attackers shot up 17 transformers at a California substation in what the then-chairman of the Federal Energy Regulatory Commission Jon Wellinghoff called "the most significant incident of domestic terrorism involving the grid that has ever occurred" in this country.
Though news reports about the incident at the Metcalf transmission facility came out in April, The Wall Street Journal just pieced together the larger story of the attack from regulatory filings and outside reporting.
… Before the attackers opened fire on the transformers, fiber optic lines running nearby were cut.
Whoever executed the maneuver knew where to shoot the transformers. They aimed at the oil-cooling systems, causing them to leak oil and eventually overheat. By the time that happened, the attackers were long gone.
[From the WSJ:
it took utility workers 27 days to make repairs and bring the substation back to life.

Part of this is “We can, therefore we must” and part is “We don't need parental approval for anything we do to our students.” But mostly it's, “Stupid is as stupid does.”
Kathleen McGrory reports from Tallahassee:
Polk County parents were apoplectic last year when they discovered the school district had been scanning the irises of students’ eyes without parental permission.
The controversial practice might soon be banned.
On Tuesday, state lawmakers will take up a proposal that would prohibit school districts from collecting biometric information, including the characteristics of fingerprints, hands, eyes and the voice. It would affect the Pinellas County school district, which allows schools to scan the palms of students’ hands instead of accepting cash in the cafeteria, and school systems that use fingerprint scanners.
“We’ve been able to get kids through a lunch line for decades,” said state Sen. Dorothy Hukill, a Port Orange Republican who brought the idea to the Florida Senate. “Why do we need to take their biometric information when we know there is the potential for identity theft?”
Read more on Miami Herald.
[From the article:
“Biometrics is coming,” said Miami-Dade School Board member Raquel Regalado, who spearheaded an effort to create a local biometrics policy this month. “It exists in the market. It will exist in our schools. It may end up being a viable way to ensure there isn’t fraud.”

Interesting, but how do you prove “willful?” Perhaps their procedures don't bother checking “facts?”
Tim Hull reports on a case that privacy advocates should keep our eyes on:
An unemployed man can sue the website for inaccurately describing him as wealthy and well educated, the 9th Circuit ruled Tuesday.
Virginia resident Thomas Robins claims that his job search has been hampered by a description of him as a high earner with a graduate degree on Spokeo, a search engine that aggregates information about individuals.
Alleging that the misinformed profile violated the Fair Credit Reporting Act (FCRA), Robins proposed a 2010 class action against Spokeo in Los Angeles.
U.S. District Judge Otis Wright dismissed Robins’s first complaint for lack of standing, and eventually did the same with an amended complaint. The judge found that Robins had failed to show that he had suffered any actual harm.
A three-judge panel of the federal appeals court reversed Tuesday.
Read more on Courthouse News.
[From the article:
At this early stage of the case, Robins can gain standing by alleging a violation of the FCRA "without showing actual harm," according to the ruling.
"The statutory cause of action does not require a showing of actual harm when a plaintiff sues for willful violations," Judge Diarmuid O'Scannlain wrote for the panel.

Computer and Internet Access in the United States: 2012
by Sabrina I. Pacifici on February 5, 2014
“Computer and Internet Use: 2012 Based on Current Population Survey statistics from July 2012, the Computer and Internet Access in the United States infographic provides household and individual level analysis of computer use and Internet access, as well as a profile of individual smartphone usage. A set of tables will accompany the infographic.”

An interesting article for my Economics students.
The Pipe Dream of Big Marijuana Revenues
… But there is a catch that many people have not thought about. The marijuana plant is sturdy and not difficult to grow.
… So imagine a near future when marijuana seeds and even starter plants could be sold through garden centers and other similar outlets much like tomato seeds and plants are sold today. These seeds and plants could be grown in a backyard garden (or even a flower pot on a patio) with the same degree of difficulty as growing fresh tomatoes.

For my student geeks...
With the Release of the Google Chromecast SDK, Expect Big Things
… After just over six months, Google has released the Google Cast Software Development Kit (SDK) for developers.
This means that developers now have all the tools necessary to build apps and websites that are Chromecast compatible. For end users of the Chromecast, it means that there could be a whole new world of entertainment waiting for them on their television sets.
Developers who want to find out more about their options and what they can expect should keep tabs on the Google Developers Blog. For the rest of us, bookmark the Chromecast Apps page where you can see all the new options that will be available to you. With an incredibly vibrant ecosystem built around Google’s Android platform, we can only imagine how many more creative uses for the Chromecast we’ll be presented with.