Saturday, July 25, 2009

Another example of delayed use of stolen data. As long as the cards remain valid, the crooks can plan and execute their scheme for converting that information into cash.

http://www.databreaches.net/?p=6393

First National Bank closes debit accounts

July 24, 2009 by admin Filed under Breach Incidents, Financial Sector, Hack, ID Theft, Malware, U.S.

Another delayed effect of the Heartland breach….

More than two thousand debit card customers of First National Bank of Howell have had their accounts closed down after learning of a security breach. [Almost certain that they learned about this months ago. They chose to delay replacing cards in hopes that they could avoid the expense – leaving their customers at risk too. Will they repair any damage done to credit scores? Bob] Bank officials tell WHMI that after learning of an information breach at Heartland Payment Systems, a national credit and debit card processing company, they began to closely monitor their customers’ accounts and quickly found a pattern of suspicious activity. Randy Greene is the First National’s Vice President in charge of retail banking. He says that on Thursday they deactivated 2,300 of their customers’ debit cards as a precaution. He adds that any fraudulent activity will be completely covered and they are notifying all of their customers and arranging for new cards to be sent. A mass letter is also being sent out explaining the situation. Greene stresses that none of their customers’ personal identification data such as Social Security numbers or PIN codes are believed to have been compromised.

Source: WHMI

Thanks to the good folks at ITRC for sending me this link.



Technical sophistication isn't enough and you can't spend all of your security budget on prevention. Some resources must be allocated to detecting a breach.

http://www.databreaches.net/?p=6397

Network Solutions hacked

July 24, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Of Note, U.S.

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services (a package that includes everything from Web hosting to payment processing) to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in. The payment data stolen was captured from transactions made between March 12, 2009 and June 8, 2009.

Read more on Security Fix.



(Related) Military power isn't enough. If the MoD can't protect data, is there any hope for the rest of us?

http://www.pogowasright.org/?p=2160

MoD admits to fourfold rise in data breaches

July 24, 2009 by Dissent Filed under Breaches, Govt, Non-U.S.

The government’s information security reputation suffered another blow this week, after the Ministry of Defence (MoD) revealed that serious data breaches have risen fourfold over the past year.

The MoD’s latest resource accounts (PDF) reveal that the department suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year.

The worst incident involved the loss of a portable hard disk from a contractor’s premises, which contained the names, passport information and bank account details of an estimated 1.7 million people.

Read more on v3.co.uk



Almost news? If the laptop was truly encrypted, there is little risk of data theft. The City's comments make me doubt that...

http://www.databreaches.net/?p=6405

Brighton laptop stolen while IT engineer golfed

July 25, 2009 by admin Filed under Breach Incidents, Government Sector, Theft, U.S.

Anger is seething among several employees of the city of Brighton (Colorado) whose bank account numbers, social security numbers and addresses may have been compromised by the city’s lead IT engineer.

Jeromy King was playing in a charity golf tournament Monday at the Ranch County Club in Westminster when someone apparently took a laptop computer from his pickup.

The laptop contained the sensitive payroll information of city employees.

[...]

Johnson did say the information on the computer was encrypted.

Read more on TheDenverChannel.com

The companion news video indicates that almost 350 employees had data on the laptop. [One employee had data on 350 people... Bob]

[From the article:

City officials declined to talk about the security breach, saying they didn’t want the thief to know what was on the computer. [If the data was encrypted (looks like gibberish) what's the big deal? Besides, the crook probably knows someone who can read this article. Bob]

… While there is no indication that the employee information was accessed... [The thief didn't call us... Bob]

… Charles Luce, a Denver attorney who specializes in computer technology and internet law, told 7NEWS that he was not aware of any restrictions governing the downloading of HR data from a municipality's main computer to a city-owned laptop.

He added that municipalities should take all steps necessary to make sure the sensitive information remains secure.

Luce, of the law firm Moye | White, said, “We shouldn’t have to legislate common sense.”


(Related) Not all encryption is created equal...

http://it.slashdot.org/story/09/07/24/2218201/iPhone-3Gs-Encryption-Cracked-In-Two-Minutes?from=rss

iPhone 3Gs Encryption Cracked In Two Minutes

Posted by Soulskill on Friday July 24, @07:07PM from the see-it-really-is-fast dept.

An anonymous reader writes

"In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone — including deleted data — is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike to access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"



Wal-Mart likely has the best picture of the retail world. It will be interesting to see how that translates to a Privacy Policy...

http://www.pogowasright.org/?p=2200

Wal-Mart to revamp its privacy policy

July 25, 2009 by Dissent Filed under Businesses, U.S.

One month from now, Wal-Mart will unveil a radically changed privacy policy, one that envisions a merged channel world, where consumers are as likely to use their phone and laptop to interact with Wal-Mart as they are to walk into a store or speak with a call center. The policy talks about data not merely from a PCI and a purchase history perspective, but also from a security camera’s and cellphone’s perspective.

Read more on StorefrontBacktalk.

[From the article:

“Our goal is to have it be completely comprehensive, for both online and offline,” said Zoe Strickland, the Wal-Mart VP who serves as the chain’s Chief Privacy Officer. “We need to govern all the different ways that we collect and use information. Privacy is not just about using the Web site. It’s everything that happens when you’re interacting with the company.”



Are they arguing the wrong point? The concern isn't what they know about our browsing, it's how they use that information.

http://www.pogowasright.org/?p=2178

Can privacy and consumer protection coexist online?

July 24, 2009 by Dissent Filed under Internet

Legislation that would create privacy regulations for online advertising could cause consumers to get fewer free services and isn’t necessary because privacy advocates have shown no harm from data collection, the co-author of a study on online advertising said.

Online services have been tracking consumer behavior for a decade without creating problems for consumers, said Paul Rubin, a fellow at the Technology Policy Institute (TPI), a free-market think tank, and an economics and law professor at Emory University.

Read more on NetworkWorld.

Report: In Defense of Data: Information and the Costs of Privacy [pdf]. Technology Policy Institute, May 2009. The report states, in part:

Privacy advocates suggest privacy is a “free lunch.” Privacy advocates argue that online practices violate individuals’ rights and therefore should be curtailed. Innovations, such as the development of search engines or, more recently, the possibility that Internet Service Providers might use deep packet inspection as an online-advertising tool, have led to increased apprehension. However, more privacy implies less information available for producing benefits for consumers. Privacy advocates have provided little detail on the benefits of more privacy and have typically ignored the costs or tradeoffs associated with increasing privacy (i.e., reducing information). Their analysis suggests they believe that privacy is a “free lunch” consumers can obtain more of without giving up anything else.



Who to trust

http://www.pogowasright.org/?p=2155

Study: Internet content filtering harmful

July 24, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

Public Knowledge has released a study, ‘Forcing the Net Through a Sieve: Why Copyright Filtering is Not a Viable Solution for U.S. ISPs’ [pdf]. The Executive Summary:

Copyright filtering, the latest proposed “magic bullet” solution from the major music and movie studios and industry trade groups, poses a number of dangers to Internet users, legitimate businesses and U.S. federal government initiatives to increase the speed, affordability and utilization of broadband Internet services. The following whitepaper presents a number of reasons why the use of copyright filters should not be allowed, encouraged or mandated on U.S. Internet Service Provider (ISP) networks. Among them:

1. Copyright filters are both underinclusive and overinclusive. A copyright filter will fail to identify all unlawful or unwanted content while harming lawful uses of content.
2. Copyright filter processing will add latency. Copyright filters will slow ISP networks, discouraging use, innovation and investment and harming users, businesses and technology policy initiatives.
3. The implementation of copyright filters will result in a technological arms race. Users will act to circumvent the filters and the architects of the filters will find themselves caught in a costly, unwinnable arms race.
4. Copyright filters do not make economic sense. The monetary costs associated with copyright filtering far outweigh any perceived benefits.
5. Copyright filters will discourage investment in the Internet economy. Copyright filters will disrupt the Internet ecosystem, severely undermining our most promising engine for economic growth.
6. Copyright filters will harm free speech. Due to technological limitations, copyright filters will harm lawful, protected forms of speech such as parody and satire.
7. Copyright filters could undermine the safe harbor provisions that shield ISPs from liability. Under the Digital Millennium Copyright Act (DMCA), ISPs are shielded from liability for their users’ actions. Copyright filters could undermine these safe harbors, which have allowed the Internet to become the most important communications medium of the modern era.
8. Copyright filtering could violate the Electronic Communications and Privacy Act. Copyright filtering could constitute unlawful interception under the Electronic Communications and Privacy Act (ECPA).

- Full Report (PDF; 398 KB)

- Public Knowledge’s reply comments to the Federal Communications Commission (PDF; 271 KB)



Skype is relatively low bandwidth. (You could transfer 'War & Peace' in the time it takes me to read the first page aloud.) Twitter is just as useful for short messages (Attack Now!) so why are they concerned with Skype? Because it threatens a government monopoly.

http://www.pogowasright.org/?p=2174

Skype singled out as threat to Russia’s security

July 24, 2009 by Dissent Filed under Govt, Internet, Non-U.S., Surveillance

Russia’s most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.

In partnership with Prime Minister Vladimir Putin’s political party, the lobby created a working group to draft legal safeguards against what they said were the risks of Skype and other Voice over Internet Protocol (VoIP) telephone services.

Read more from Reuters on MSNBC.com

Thanks to the crew at the Jeff Farias Show for sending this link.

And who knows? Maybe as part of rebooting the relationship with Russia, our government will show them how to swoop up all communications.



A conundrum indeed. Use advanced technology to give yourself control (and a competitive advantage?) then learn to deal with the consequences. (I wonder what their contracts say?) Question: If you neither BUY nor LEASE your e-book, what exactly have you paid for?

http://www.pogowasright.org/?p=2189

Amazon Kindle doomed to repeat Big Brother moment

July 25, 2009 by Dissent Filed under Businesses

Yes, Amazon chief Jeff Bezos has apologized for the Orwellian removal of Orwell from digital book readers tucked inside the pockets of American citizens. And yes, the new-age retailer has promised not to repeat its Big Brother moment. But that’s not a promise it can promise to keep.

[...]

Amazon doesn’t distribute books to the Kindle over the public internet. Etexts are downloaded via a private wireless network dubbed “Whispernet,” and the company has shown it has the technical power to vanish those titles at any time. If a copyright holder sued for the removal of a title, a judge may very well force Amazon to remove it.

“Amazon has the capacity to control the bits after they’ve left the store,” says Santa Clara University law professor and tech law blogger Eric Goldman. “I’m reasonably confident that what prompted Amazon to wipe the bits off of people’s devices was them asking themselves ‘How are we going to explain to a judge that we have the capacity to wipe bits from the device but we sat back and chose not to use it?’”

Read more on The Register.

[From the article:

"We're entering these new domains where what acquisition means and what ownership means has not been well demarcated," Brantley says.


(Related) Perhaps some nice hacker will do this for the Kindle? (Hint, hint. Wink, wink.)

http://reviews.digitaltrends.com/guide/285/how-to-rip-a-dvd-or-blu-ray-movie

How to Rip a DVD or Blu-ray Movie by Michael Brown

Are you ready to turn outlaw?

Hollywood wants you to buy its movies on DVD and Blu-ray disc, but then it wants to control what you do with them once you get home. We’re going to show you how to do something that Hollywood most definitely does not want you to do: Copy those movies to your hard drive or media server so that you can enjoy them without ever having to get off your couch to drop a disc in your DVD player.

Once you have the movie on your hard drive, you can do all kinds of other neat stuff with it, such as transcode it to another format so you can watch it on a handheld digital media player—or delete those annoying FBI and Interpol messages warning you of the penalties for doing what we’re about to show you how to do.

While we fully acknowledge that the movie industry has the right to protect its intellectual property, we also believe that consumers have the right to enjoy the property they purchase. The concept is called fair use: If you bought a movie on DVD, you should have the right to make a back-up copy of it or transfer the content to another medium, such as your computer’s hard drive. You don’t have the right to distribute copies of that disc to anyone else, of course, and you don’t have the right to copy discs you don’t own, e.g., movies you borrow from a friend or rent from Netflix. But you knew that already.



For my Computer Security students. If they will produce a summary video each month, this could be fun.

http://www.pcworld.idg.com.au/article/312324/hacker_group_l0pht_makes_comeback_sorts

Hacker group L0pht makes a comeback, of sorts

Its new Web site and the Hacker News Network are online, but the L0pht is not getting back together

Robert McMillan (IDG News Service) 24/07/2009 11:09:00

The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space.

This is the Hacker News Network, and after a decade offline it is lifting off again, this time with a quirky brand of video reports about security.



Tools & Techniques (Probably not cheaper than retail, but custom!)

http://www.maximumpc.com/article/features/video_how_build_pc_ever_step_explained

Video: How to Build a PC - Every Step Explained

Posted 07/24/09 at 11:22:23 AM by Will Smith

I'm Will Smith, the editor of Maximum PC and the guy in the video below. We shot this video demonstration to show people how to build a killer PC, one step at a time. It's a great reference for beginners and experts alike. This video was created for viewing by attendees of Comic-Con 2009.



Something for all my students? (I may have reported on this before, sorry)

http://www.makeuseof.com/dir/free-tutorial-for-me-free-pdf-tutorials/

Free-Tutorial-For.me: Download Free PDF Tutorials

Here is another Google powered custom search engine that lets you search and download free PDF tutorials from among 38,000,000 tutorials online.

www.free-tutorial-for.me



Is it me or is this too retro for words? Perhaps they could run an article on “Creating your own scroll!”

http://www.makeuseof.com/tag/how-to-make-index-cards-using-ms-word-2007/

How to Make Index Cards in Microsoft Word 2007

Jul. 24th, 2009 By Saikat Basu
