Friday, August 19, 2016

“We didn’t know how to secure our terminals until we were breached, then we immediately secured our terminals.”
Eddie Bauer Is Latest Retailer Infected With Data Breach Malware
Just days after hotel operator HEI said 20 of its hotels had been infected, Eddie Bauer said its 350-or-so stores in the U.S. and Canada had also been the victim of a malware attack.
Cleaning up the mess won’t be cheap—Eddie Bauer said Thursday that it had arranged for all customers who made purchases and returns during this period to get free identity protection services from Kroll for the next year.
   Eddie Bauer’s terminals were infected on various dates between January 2 and July 17 of this year.  Since it discovered the infection, it said, it has strengthened its security.
   “We have been working closely with the FBI, cybersecurity experts and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts.”

At least it’s not Pokémon!
Catalin Cimpanu reports:
Data breach index service LeakedSource has told Softpedia that it has received the full database and source of, a service for creating and running Minecraft Pocket Edition servers.
According to a LeakedSource spokesperson, the database includes records for 6,084,276 users that have signed up with
For each user, the data included a username, a hashed password, the registration and last login dates, and a user ID.  For the vast majority of users, but not for all, there was also an email address associated with their account.
Read more on Softpedia.

Be careful if you use this to keep track of your kids!
Maker of web monitoring software can be sued, says court
The maker of so-called spyware program WebWatcher can be sued for violating state and federal wiretap laws, a U.S. appeals court has ruled, in a case that may have broader implications for online monitoring software and software as a service.
   Awareness pitches WebWatcher as monitoring software for parents and employers.  "All WebWatcher products install easily in 5 minutes or less, are undetectable (thus tamper proof) and all recorded data is sent to a secure web-based account which allows you to monitor kids and employees at your convenience from any computer," the company says.
   The case also may have implications for corporate monitoring of employees when those employees correspond with people outside the company, added Braden Perry, a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry.
"If services monitor in 'real-time' even with the employees’ consent, those that the employee corresponds with may have a cause of action," he said by email.  "This decision not only places potential liability on the individual using the service but the service itself."

Hands off?  That’s a new idea in government.  (I agree, but now I’m also suspicious!)
The US government’s fix for airlines’ tech problems is to do nothing
From the US to UK to India and elsewhere, technical failures have been plaguing the commercial aviation industry in recent years.  We’ve counted 24 major disruptions in the US since 2015.  Yet, the US Department of Transportation has no plans to try to regulate the industry into technical resiliency.
A spokesperson for the DOT told Quartz that the agency is of the opinion that the high cost of glitches is the only needed deterrent to prevent future outages.
   According to the DOT, the combined incentives to avoid losing revenue, keep performance metrics high and have happy customers are “likely a more effective incentive than detailed regulations concerning the carriers’ IT systems.” [How Adam Smith-like.  Bob]
   Other than systems that are directly related to aviation safety the department “does not inspect or regulate airlines’ IT systems,” according to the DOT’s statement.
Nonetheless, the issues have attracted the attention of members of the US Congress.  Two Senators, Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), have sent letters to US airlines requesting information about what the carriers are doing to prevent future outages and how it deals with them when they do.

(Related) Another version of “hands-off?”  “We’re going to sanction them, but not really.”
U.S. Grants ZTE Another Extension of Trade-Sanctions Relief
The U.S. government extended a lifting of sanctions against ZTE Corp. for the second time, as the Chinese maker of telecommunications equipment works to repair its reputation after allegedly violating U.S. trade rules.
In a statement Thursday, the U.S. Commerce Department said its temporary sanctions relief will be extended to Nov. 28, which allows ZTE to continue working with U.S. suppliers.
   The U.S. Commerce Department added ZTE to its “Entity List,” a list of foreign groups or individuals that present risks to U.S. national security or foreign policy interests.
   But just two weeks after announcing its sanctions, the U.S. granted ZTE a temporary reprieve through June 30, saying that the temporary license it was granting ZTE would be renewable if the Chinese company cooperated fully.  In June, the U.S. government extended the temporary relief through Aug. 30.

Yik Yak completes a pivot away from anonymity with status messages and a feed of nearby users
In March, the college-centric social network Yik Yak took a step away from its origins in anonymity by asking users to create "handles" that they could optionally attach to their posts. Today the company is eliminating the last traces of anonymity from its app, requiring users to create handles that will be attached to their activity on Yik Yak.
   The result feels much more like a chat app than the Yik Yak of old, which served as a kind of (anonymous) community bulletin board for discussing in-jokes and campus events.  Droll and his co-founder, Brooks Buffington, positioned the new version of Yik Yak as a way to help its users feel more connected to the world around them.  But it’s also an acknowledgement of what founders of social networks have come to accept as a law of gravity: apps that don’t require users to establish a persistent identity are doomed to fail.  Secret,, Formspring — each app allowed users to post or send messages anonymously, and each saw an early spike in users only to fade when their novelty wore off.

Another technique for my Crypto students.
This algorithm can hide messages in dance music
It's long been known that secret messages can be included in music through techniques such as backmasking, but now a Polish researcher has developed an entirely new approach.  By subtly varying the tempo of a particular type of dance music, he's managed to encode information in a way that's completely inaudible to human listeners.
   His paper is now available online.

No comments: