http://www.pogowasright.org/article.php?story=20081002203102538
Auditor reports that Alberta government computer system hacked
Thursday, October 02 2008 @ 08:31 PM EDT Contributed by: PrivacyNews
Weak computer security across the Alberta government allowed sophisticated hackers to worm their way into the system, auditor general Fred Dunn reported Thursday.
Dunn says the hackers, possibly high-tech criminals from Asia or Eastern Europe, left tell-tale signs that they had been inside Alberta’s computer network.
... Work also says there is although there’s evidence that some systems have been compromised, there’s no indication if any information has actually been accessed.”
Source - Edmonton Sun
[From the article:
Dunn says his department found that hacking into government computers was “easier than it should have been.”
He says 400 computer systems were targeted in his review, but they stopped after checking 69 systems.
“The problems we were finding were too frequent and too severe that we said, `we’ve got to stop,”’ he said. “They immediately engaged outside expertise to start the correction.”
... But the cabinet minister responsible for data security immediately challenged the auditor general’s findings.
“I don’t agree there was a problem,” said Heather Klimchuk, minister of Government Services. “I agree we can always improve and make things better. Nothing is ever perfect.” [Because a politician with no information in front of him is always wiser than an auditor with all the data. Bob]
“We didn't know!”
http://www.pogowasright.org/article.php?story=20081003041025687
Forever 21: Assessor Missed 5-Year-Old Transaction Data (follow-up)
Friday, October 03 2008 @ 04:10 AM EDT Contributed by: PrivacyNews
As more details drip out from Forever 21's data breach of almost 100,000 payment cards, the chain now says it had been certified PCI compliant, despite having stored complete card information from as far back as 2003.
"The files were inadvertently retained within other data files and this was not uncovered by the assessor," a statement from the chain said. (Our story from last week has been updated with the new information, along with a link to the earlier report of the breach.)
Source - StorefrontBacktalk
[From the article:
This is proving to be a frightening trend, with retailers believing they are compliant and much later on discovering various pockets of forbidden data scattered through their network.
In Forever 21's case, it only learned of the breach when the U.S. Secret Service called. Even after that heads up, the chain said it was unable to verify that it had been breached until the Secret Service walked executives through the incident and gave them more information (months later).
... One of the problems in this case—and it could be argued it's a problem with PCI itself—is that it's up to the retailer's IT person to map out the networks for the assessor. If the IT manager isn't aware that someone from marketing had run a credit card experiment two years ago and that the files were never deleted (meaning that there might be live credit card data sitting in a marketing folder that IT would have no reason to ever look at), then IT can't tell that to the assessor.
In other words, the assessor has almost no chance of finding that data, making the certification much less meaningful.
More on the local breach reported yesterday.
http://breachblog.com/2008/10/02/foothills.aspx?ref=rss
"illegal hacking" exposes Foothills Park & Recreation District patron information
Posted by Evan Francen at 10/2/2008 12:04 PM
Words of wisdom from a victim?
http://news.cnet.com/8301-1009_3-10056893-83.html?part=rss&subj=news&tag=2547-1_3-0-5
Estonia posts its cybersecurity strategy
Posted by Robert Vamosi October 2, 2008 4:17 PM PDT
Eighteen months after a denial-of-service attack, the Estonian Ministry of Defense has posted a detailed report (PDF) on the attacks. While focusing on specific steps the nation needs to take to prevent another attack, the report contains global recommendations as well.
For your security manager
http://www.bespacific.com/mt/archives/019466.html
October 02, 2008
National Institute of Standards and Technology Guide to Bluetooth Security, and Security Testing
Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, September 2008
Special Publication 800-121, "Guide to Bluetooth Security, has been finalized. It describes the security capabilities of technologies based on Bluetooth, which is an open standard for short-range radio frequency communication. The document gives recommendations to organizations employing Bluetooth technologies on securing them effectively."
Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment, has been published as final. It seeks to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use."
Ditto
http://www.newscientist.com/blogs/shortsharpscience/2008/10/the-iphone-generation-user-in.html
October 2, 2008 5:08 PM
Personal secrets your iPhone could reveal
... As Nokia's cellphone anthropologist puts it, all over the world people take three things with them when they leave the house: keys, money and phone.
The result: an easily lost or stolen device with a lot of private and sensitive data on. And a book released this week called iPhone Forensics (published by O'Reilly) gives an insight into the surprising amount of personal information a smartphone can store. Or give away.
Ditto
http://www.bespacific.com/mt/archives/019459.html
October 02, 2008
Director of National Intelligence Announces New Security Policy for Information Systems
News release: "A groundbreaking new policy from the Office of the Director of National Intelligence changes how the intelligence community and, by influence, the entire federal government will build, validate and approve information technology systems. The policy requires common security controls and risk management procedures – a unified approach to enhance collaboration. Intelligence Community Directive 503 covers a lot of ground, but two key details stand out: There will be a single certification and accreditation process, which means all systems must follow the same authorized security requirements. Systems managers, the policy adds, should accept security risks when necessary to yield a decision advantage from timely and accurate intelligence. Those measures will make it easier for the IC to adopt cutting-edge technology. They also foster reciprocity as well as information sharing. If one IC element certifies a system or major application, then others in the community can trust that it is secure without spending more time and money to duplicate tests."
Intelligence Community Directive Number 503 - Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation Unclassified (Effective 15 September 2008)
Another of those “add on” laws so the book is bigger when it gets thrown at you. Should be very difficult to prove, there is no way to detect someone using “passive” scanning tools.
http://www.pogowasright.org/article.php?story=20081002140937157
California outlaws RFID tag skimming
Thursday, October 02 2008 @ 02:09 PM EDT Contributed by: PrivacyNews
California governor Schwarzenegger has signed a law making the illegitimate reading of RFID tags illegal, but blocked a measure making the unauthorised tracking of kids equally so.
RFID Journal reports that anyone skimming an RFID tag issued by a government agency, health insurance company, employer or library could find themselves in prison for up to a year, or facing a $1,500 fine, though you're OK if you read it by accident, for a medical emergency or if you're a law-enforcement official. [or an Academic? Bob]
Source - The Register
Related? Will new Jersy also fall to Ron Paul? Don't worry, the report will become available no later than November 5th...
http://yro.slashdot.org/article.pl?sid=08/10/03/129249&from=rss
Judge Suppresses Report On Voting Systems
Posted by kdawson on Friday October 03, @08:20AM from the tell-me-but-don't-tell-them dept. The Courts Government Politics
Irvu writes
"A New Jersey Superior Court Judge has prohibited the release of an analysis conducted on the Sequoia AVC Advantage voting system. This report arose out of a lawsuit challenging on constitutional grounds the use of these systems. The study was conducted by Andrew Appel on behalf of the plaintiffs, after the judge in the case ordered the company to permit it. That same judge has now withheld it indefinitely from the public record on a verbal order."
Hack the vote! Rub my bald spot with wool and Ron Paul will win with 104% of the vote!
http://ask.slashdot.org/article.pl?sid=08/10/03/001209&from=rss
Can Static Electricity Generate Votes?
Posted by timothy on Thursday October 02, @08:39PM from the dc-elections-crack-me-up-and-barry-too dept. Government Hardware Politics
artgeeq writes
"A recent local election in Washington, DC, resulted in 1500 extra votes for a candidate. The board of elections is now claiming that static electricity caused the malfunction. Is this even remotely possible? If so, couldn't an election be invalidated pretty easily?"
Business Models Decimals (better still fractions) of a penny per arrow? Kids will buy millions of them on Dad's credit card.
http://games.slashdot.org/article.pl?sid=08/10/02/2149239&from=rss
South Korea's Free Computer Game Business Model Hits the US
Posted by Soulskill on Thursday October 02, @11:01PM from the nickel-and-dime dept. The Almighty Buck Games
Anti-Globalism writes with this excerpt from AFP via Yahoo! News:
"Seoul-based 'free-to-play' computer game titan Nexon on Wednesday blasted into the US videogame arena with a 'Combat Arms' online first-person shooter title that makes its cash from optional 'micro-transactions' by players. The game makes its money from players that buy animated helmets, outfits, emblems or other virtual items to customize in-game characters. To keep the battlefield even, players earn experience or advanced weaponry by skill so people essentially can't pay for power. ... Startups and established game makers including Japanese goliath Sony are venturing into the free computer game market, according to DFC Intelligence analyst David Cole. 'It looks like it could be very big,' Cole told AFP. 'It's one of the things everybody seems to be looking at. The challenge is it is a very new model and it remains to be seen whether customers used to a free model will be tight when it comes to actually spending money on it.'"
Business Model Get you satire to market while it's hot! I suggest we call it the “Yankovic technique”
http://entertainment.slashdot.org/article.pl?sid=08/10/03/0415206&from=rss
Weird Al To Release Songs As He Records Them
Posted by timothy on Friday October 03, @04:59AM from the pitch-perfect-parodies-piecemeal dept. Music Media Entertainment
slapout writes
"Weird Al has announced that with the Internet he can now release his songs for sale as he records each one rather than waiting for a whole album to be produced."
For my website students
Vidified.com - Create & Customize Videos
Vidified is a video site that enables members of the online community to share their very own mashups. The premise is quite simple, as the featured videos enable the site user to place his face inside them. The videos that make up the site were either created by the Vidified team or purchased. The site also includes videos that have been submitted by members of the community for others to use.
Hack the grapes! (Sounds like an April Fools story to me.)
http://idle.slashdot.org/article.pl?sid=08/10/01/2320248&from=rss
Ultrasound Machine Ages Wine
Posted by samzenpus on Thursday October 02, @02:07PM from the I'll-take-the-cheap-stuff dept.
Inventor Casey Jones says his creation uses ultrasound technology to recreate the effects of decades of aging by colliding alcohol molecules inside the bottle. Mr. Jones said, "This machine can take your run-of-the-mill £3.99 bottle of plonk and turn it into a finest bottle of vintage tasting like it costs hundreds. It works on any alcohol that tastes better aged, even a bottle of paintstripper whisky can taste like an 8-year-aged single malt." The Ultrasonic Wine Ager, which looks like a Dr. Who ice bucket, takes 30 minutes to work and has already been given the thumbs up by an English winemaker. I know a certain special lady who is about to have the best bottle of Boone's Farm in the world.
No comments:
Post a Comment