Saturday, May 31, 2014
Looks like the ATMs don't edit the data from the card. Really bad programming?
Thieves Planted Malware to Hack ATMs
A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.
Authorities in Macau — a Chinese territory approximately 40 miles west of Hong Kong — this week announced the arrest of two Ukrainian men accused of participating in a skimming ring that stole approximately $100,000 from at least seven ATMs.
Local police said the men used a device that was connected to a small laptop, and inserted the device into the card acceptance slot on the ATMs. Armed with this toolset, the authorities said, the men were able to install malware capable of siphoning the customer’s card data and PINs.
… The Macau government alleges that the accused would return a few days after infecting the ATMs to collect the stolen card numbers and PINs. To do this, the thieves would reinsert the specialized chip card to retrieve the purloined data, and then a separate chip card to destroy evidence of the malware.
Perspective. Give it a few years and everyone will be hacked multiple times each year. So often, you won't know who to sue.
Report – Half of American Adults Data Hacked So far This Year
EPIC: “A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President’s science advisors found little risk in the continued collection of personal data. However, the FTC’s recent report on data brokers warned that, “collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused.” Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy,EPIC: Identity Theft and EPIC: Choicepoint.”
Got any embarrassing photos you'd like removed? Send your request from a European address.
Google sets up 'right to be forgotten' form after EU ruling
Google has launched a service to allow Europeans to ask for personal data to be removed from online search results.
The move comes after a landmark European Union court ruling earlier this month, which gave people the "right to be forgotten".
Links to "irrelevant" and outdated data should be erased on request, it said.
Google said it would assess each request and balance "privacy rights of the individual with the public's right to know and distribute information".
"When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there's a public interest in the information," Google says on the form which applicants must fill in.
‘Right To Be Forgotten’ is a hit in Europe; 12,000 requests to Google on Day 1
Because the government needs to know if you can afford campaign contributions or are rich enough to have good lawyers (and therefore laws don't apply to you) or are failing to report cash (and therefore are a drug dealer)
New federal database will track Americans’ credit ratings, other financial information
Washington Examiner, Richard Pollock: “As many as 227 million Americans may be compelled to disclose intimate details of their families and financial lives — including their Social Security numbers — in a new national database being assembled by two federal agencies. The Federal Housing Finance Agency and the Consumer Financial Protection Bureau posted an April 16 Federal Register notice of an expansion of their joint National Mortgage Database Program to include personally identifiable information that reveals actual users, a reversal of previously stated policy… But under the April register notice, the database expansion means it will include a host of data points, including a mortgage owner’s name, address, Social Security number, all credit card and other loan information and account balances. The database will also encompass a mortgage holder’s entire credit history, including delinquent payments, late payments, minimum payments, high account balances and credit scores, according to the notice. The two agencies will also assemble “household demographic data,” including racial and ethnic data, gender, marital status, religion, education, employment history, military status, household composition, the number of wage earners and a family’s total wealth and assets.”
Does anyone believe this? Could the FTC articulate “Best Practices?” How about “Not too bad Practices?”
Companies should already know how to protect data, FTC argues
The Federal Trade Commission (FTC) has published enough information publicly for companies to know exactly what the agency considers reasonable security practices for protecting sensitive data, an FTC representative said in deposition entered this week in a closely watched case challenging its authority to enforce data security standards.
"The [FTC] has published a great deal of consumer and business education on the issue of what is reasonable data security," Daniel Kaufman, the deputy director for the FTC's Bureau of Consumer Protection, said in deposition before an FTC administrative court. "The Commission has testified on it on a number of occasions, and there's a lot of other publicly available information on what constitutes reasonable data security."
The deposition involves a dispute between the FTC and LabMD, an Atlanta-based medical laboratory that claims it was driven out of business by an FTC data breach investigation.
… The FTC last August filed a formal compliant against LabMD over data leaks dating back to 2008 that exposed personal information on close to 10,000 people. In its complaint, the FTC charged LabMD with unfair trade practices for not doing enough to protect data. [Enough? Or what we have published as “reasonable?” Bob]
Over the past few years, the agency has filed similar complaints against dozens of companies that suffered data breaches and has won settlements from almost all of them.
LabMD, however, challenged the FTC complaint and accused the agency of holding it to data security standards that do not exist officially at the federal level. The only other company to challenge the FTC so far is Wyndham Hotels, which has argued that the agency has no legal authority to enforce data security controls on companies.
Both cases are widely seen as a test of the FTC's authority to punish companies that suffer data breaches. Many have expressed concern that the FTC may be overstepping its authority in going after breached firms.
… In response to the LabMD motion, the FTC argued that it was not obligated to disclose the standards it uses to judge whether a company has adequate controls or not. However, in a setback for the agency, the FTC's chief administrative judge earlier this month held that the agency could indeed be compelled to disclose the standards.
Assuming this proves the concept at the state level, will other/all states do this?
The Texas Tribune and Oyez® to launch multimedia site for Texas high courts
IIT Chicago Kent College of Law - “Texas will soon benefit from an online archive for its two highest courts, launched through a partnership between The Texas Tribune and Oyez®, a free law project at IIT Chicago-Kent College of Law, with support from the John S. and James L. Knight Foundation. Amidst a scarcity of news coverage about law, the partnership between The Texas Tribune and Oyez will increase public access to the cases before the Supreme Court of Texas and Texas Court of Criminal Appeals. This offers more opportunities for in-depth reporting and research on the state’s judicial system… The site will go live in late summer 2014 and offer case summaries written for a non-legal audience. The multimedia resource will include opinions, transcript-synchronized videos of oral arguments, justice biographies and decision information. Fundraising is also underway to provide Spanish translations of case information… The partnership is part of a larger initiative to expand Oyez’s successful U.S. Supreme Court site to all federal appellate and state supreme courts. The Knight Foundation has funded Oyez’s efforts in Texas, as well as in California, New York, Florida and Illinois, covering one-third of the U.S. population.”
Perhaps my Criminal Justice students would find this useful.
– Search more than five million legal cases with precision, using natural language or Boolean. Ravel lets you focus on judges’ words and analysis, removing clutter so that you can read and scan quickly. Mining the connections that link millions of court documents, Ravel’s technology identifies cases’ key passages and shows how later cases have rephrased or interpreted them.
Tools for my Computer Security and Ethical Hacking students.
– is a collection of useful online tools for your computer. As the name of the site suggests, you can view DNS settings and DNS changes. But that is not all the site offers. It also offers various tools that you would normally have to surf to other sites to use. Here they all are on the same page for your convenience. This includes Is My Site Down, and an IP location finder.
(Related) The start of a series about analyzing the “Big Data” from security logs. Simple in concept, tedious to implement.
Finding Needles in the Haystack of Security Events
… Security devices generate volumes of raw data, usually in a proprietary manner. Parsing such unstructured data and making sense out of it is a tedious, if not an impossible task. If that’s not enough to make you cringe, when your organization is under a DDoS attack, your CIO is going to want not only a resolution but the answers to Who, What, Where, When, Why and How – fast. Security is time-sensitive; every minute counts and every second that ticks by negatively impacts your bottom line – brand degradation, unhappy customers and ultimately lost revenues.
… The goal of inspecting Internet traffic and establishing a baseline is to determine the normal activity level for your environment and establish any thresholds that would indicate a threat or security event in order to generate the proper alerts. Normal activity levels can vary by time of day or by the month of the year or by some other factors specific to your business.
… Once the baselines are established, SOCs monitor all activity (network activity, security events) and analyze those that exceed the pre-determined thresholds or indicate suspicious behavior. Monitoring involves tracking abnormal behavior, outside the range of normal activity levels established during the baseline, and is almost always done via the alerting procedures that notify SOC personnel via an e-mail, SMS, dashboard indicators, or a combination of these.
Continuing to automate the legal functions. Soon there will be nothing left for lawyers to do!
5 Apps & Online Tools To Help You Write a Will
Is it because too many people have too much money, or is it that I don't?
Did Steve Ballmer pay too much for the Los Angeles Clippers? The market says no.
At least on a surface level, the Los Angeles Clippers appeared to be a lousy investment for any potential buyer — a franchise with none of the championship history and Hollywood buzz of the rival Lakers and one still reeling from the racist comments made five weeks ago by now-deposed owner Donald Sterling.
But as the sports industry begins to process the staggering amount — $2 billion — for which Sterling’s wife agreed to sell the Clippers, it is clear, in this new Golden Age of sports television, there is no franchise too weak or too sullied to command a windfall at auction, especially in Hollywood.
I must be out of touch. I can't imagine what a good old fashioned spanking would result in. (Is Hawaii infested with pedophiles?)
Father Gets Probation For Making Son Walk Home From School
A Hawaii man has been sentenced to a year of probation after making his son walk a mile [Oh the horror! Bob] home from school.
Robert Demond was convicted of a misdemeanor charge of second-degree endangering the welfare of a minor.
Demond explained that his son had been involved in some sort of rule-breaking at school. When Demond picked him up, he asked about it, but his son refused to respond. Demond then stopped the car and told his son to walk to rest of the way home to think about what he had done, reports the Garden Island.
The judge, Kathleen Watanabe, ruled that the punishment was “old-fashioned” and inappropriate. She said that it is dangerous for children to walk alongside the road due to potential pedophiles. It was a form of punishment no longer supported by the community.
(Related) What are we teaching/failing to teach our teachers?
The Sydney Morning Herald reports:
A Victorian mother is demanding answers after her teenage daughter’s armpits were shaved by her teacher as part of the school’s curriculum.
Melissa Woods, mother of 14-year-old Taylah, says her daughter was “extremely upset” when her armpits were shaved in front of two other girls in a classroom.
Read more on Sydney Morning Herald.
Something for my Statistics students to debate. No doubt Google and whichever auto makers lease their software will get sued a lot. Probably worth having insurance for anything that gets past their lawyers. (Will cars be subject to “grounding” like airplanes? One measly little wing falls off and the FAA gets all safety conscious.)
Car insurance would be a lot cheaper without drivers
… Driverless cars may shrink your insurance costs.
Human error accounts for more than 90% of car crashes, multiple studies have found. Cars that drive themselves are expected to dramatically reduce that statistic, particularly since Google’s version nixes the steering wheel and brakes. “They have sensors that remove blind spots, and they can detect objects out to a distance of more than two football fields in all directions, which is especially helpful on busy streets with lots of intersections,” Chris Urmson, director of Google’s self-driving car project, wrote in a blog post. Those factors could also largely absolve drivers from liability for accidents, experts say.