http://www.databreaches.net/?p=10819
Recommended: Gonzalez Lawyers, Judges Debate Data Breach Costs
March 25, 2010 by admin
Evan Schuman writes:
When two Boston-based federal judges sentence Albert Gonzalez Thursday (March 25) and Friday (March 26) for a rash of retail cyber-break-ins that he confessed to orchestrating, the exact sentence may be academic. The key legal argument is shaping up to be this question: “When a retailer is breached, what’s the most reasonable way to determine loss?” The answer is proving to be as baffling—or contradictory–to the federal jurists as it is for most retail CIOs.
[...]
The law says the court should define “loss” as “the greatest of actual loss or intended loss.” The government cited a recent appellate court decision as offering yet a third metric: “The First Circuit has held that, in the case of stolen credit cards, intended loss reasonably may be found to be the stolen payment cards’ aggregate credit limit, since it is natural and probable to expect that purchasers of the stolen card numbers will charge as much as possible to them. It is also reasonable to hold a defendant accountable for the amount of loss as measured by the aggregate credit limit, even though the defendant’s personal profit has been dramatically less.”
Defense counselor Martin Weinberg disagreed. He pointed out that “the government’s discussion omits the fact that tens of millions of the accounts had expired and would therefore no longer have had credit limits at all.” He added that “the $500 per access device equation from which this figure is derived is completely arbitrary and lacking in any empirical validation” and that it was “irrational.”
Read more on StorefrontBacktalk.
Not for nothing, but the court documents in the Gonzalez use figures for the TJX breach that do not match what media and web sites such as this one have reported in terms of number of account numbers or records stolen. For example, Weinberg refers to the the TJX breach as capturing 36 million card numbers, not 45 million or 94 million (as the banks had claimed in their lawsuit).
Another high school in the Philadelphia area. What are they teaching these kids?
http://www.databreaches.net/?p=10817
Haddonfield students arrested in computer hacking
March 25, 2010 by admin
Another hack-to-change-grades scheme?
Several Haddonfield Memorial High School students are under police investigation on accusations they hacked into the school’s computer system.
The breach was discovered in the last few days, and the students, whom school district officials declined to identify, have been turned over to local police [That is what the article says, but I suspect that only Names” were turned over to police, unless the school has arrest powers? Bob]and the Camden County Prosecutor’s Office.
At a regularly scheduled meeting with parents to discuss end-of-year activities, principal Michael Wilson said the FBI might get involved in the investigation.
The students used a keystroke-logging program installed on computers at the high school to capture the user names and passwords of anyone using one of the rigged computers.
With that data, they gained access to an internal information system on which the school posts grades, class schedules, attendance, even the status of homework assignments for students and their parents to view.
In an e-mail to students and parents, Wilson said the students had gained access to about 200 of the nearly 2,000 accounts that have access to the computer system at the high school.
Read more on Philly.com
[From the article:
We are confident we have identified the students and built in the appropriate controls to restrict their activity and that of anyone else who may foster a similar plan." [If they were using the Principal's Logon ID, how did they identify the students? Didn't the reporter ask? Bob]
So is a Twitter Hacker a Twacker? How do you say that in French? Monsieur le Twackeur?
http://www.pogowasright.org/?p=8534
Cops: Notorious Twitter hacker caught, released
March 24, 2010 by Dissent
Caroline McCarthy reports:
Twitter’s equivalent of an elusive masked bandit was caught in France this week, according to an Agence France-Presse story citing police sources, after the FBI began working with authorities there. A 25-year-old who goes by the name “Hacker Croll,” believed to be responsible for two high-profile Twitter hacking incidents in which both celebrity accounts and internal servers were breached, was reportedly in police custody in the French city of Clermont-Ferrand before being released later on Wednesday.
The hacker was allegedly behind an attack about a year ago in which the Twitter accounts of celebrities ranging from Britney Spears to President Obama were breached; he gained access to a Twitter administrator’s password by hacking that administrator’s Yahoo Mail account first…… It’s also likely that the hacker arrested in France was responsible for an internal Twitter security breach that gave him access to hundreds of sensitive company documents–which he then turned over to industry blog TechCrunch.
Read more on CNET.
No wonder computers get stolen!
http://www.databreaches.net/?p=10774
American Traffic Solutions leaves building open
March 24, 2010 by admin
What may be a corporate security breach at American Traffic Solutions was uncovered by CameraFRAUD volunteers Saturday night. The photo radar ticket processing facility, located in the Phoenix suburb of Ahwatukee, was reportedly left unlocked and unattended:
Numerous bundles of network cables were spotted throughout the building, potentially allowing anyone with a laptop to access internal systems containing vital “chain of evidence” data. A dozen trashcans full of unshredded documents were spotted, possibly containing sensitive data on their “customers:” so-called “violators” who are accused of triggering the automated ticketing machines.
Read more on CameraFraud.
American Traffic Solutions has not responded to a request by this site to clarify whether any personal data were exposed or left vulnerable by the incident. A number of commenters on the original article debate CameraFRAUD volunteers’ conduct.
Thanks to ITRC for making me aware of this incident.
Another clear indication that “Secure” doesn't really mean “Secure”
Law Enforcement Appliance Subverts SSL
By Ryan Singel March 24, 2010 1:55 pm
… At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
(Related)
http://blogs.zdnet.com/security/?p=5865
Pwn2Own hack topples Firefox on Windows
… And, for the second year in a row, a German hacker known simply as “Nils” exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.
Don't say we didn't warn you.
http://www.bespacific.com/mt/archives/023834.html
March 24, 2010
New GAO Reports: Information Security, Joint Strike Fighter, Veterans' Disability Benefits, Recovery Act
Information Security: Concerted Response Needed to Resolve Persistent Weaknesses, GAO-10-536T, March 24, 2010: "Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems as well as the operations and critical infrastructures that they support."
Joint Strike Fighter: Significant Challenges and Decisions Ahead, GAO-10-478T, March 24, 2010
Veterans' Disability Benefits: VA Has Improved Its Programs for Measuring Accuracy and Consistency, but Challenges Remain, GAO-10-530T, March 24, 2010
Recovery Act: Officials' Views Vary on Impacts of Davis-Bacon Act Prevailing Wage Provision, GAO-10-421, February 24, 2010
Another tool, but how to use it?
http://www.pogowasright.org/?p=8530
Google Alerts Gmail Users to Suspicious Logins
March 24, 2010 by Dissent
Riva Richmond reports:
Google has introduced a new security feature that alerts Gmail users whose e-mail accounts may have been broken into by a malicious intruder and helps them regain full control.
In a blog post Wednesday, Google said that if it sees unusual account activity, such as an uncharacteristic login from a computer with a suspicious I.P. address in Poland, it will show a warning in a red bar at the top of the page. Users will be able to click to get more information, or hit “Ignore” if they were, indeed, in Poland and nothing is wrong. [Or if you are the crook in Poland? Bob]
Users who click for more details will see a list of their recent account activity, including the numerical I.P. addresses of computers that have accessed the account and the number of devices logged in at the same time –- for instance, you at home in New York and a mysterious someone in Nigeria. A warning in a red bar asks users to change their password immediately if they see activity that was not theirs.
Read more in the New York Times Gadgetwise blog.
Imagine how much easier this will be when all our Health Records are online!
http://www.phiprivacy.net/?p=2289
Your health, tax, and search data siphoned
By Dissent, March 25, 2010 9:19 am
Dan Goodin reports:
Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.
Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.
[...]
“An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees’ laptops, as if they were exposed in plain text in the air.”
Read more in The Register.
A PDF of the paper is here. Princeton University computer science professor and Freedom to Tinker blogger Ed Felton has additional analysis here.
You might call it convergence. Google will have a wired or wireless connection to every home, school, office and car. Why shouldn't they make a sales pitch that starts” “As long as we're here...”
Google Wants To Be Your Electricity Meter
Posted by samzenpus on Thursday March 25, @07:57AM
An anonymous reader writes
"Google has teamed up with a microcontroller maker Microchip to develop an API for a piece of software called Google PowerMeter, according this EE Times story. Why? Because Google wants to host all the details of the electricity and other energy consumption of people's homes. It wants to do this so that it can show people on their iGoogle homepages when and where they are consuming energy so that they can start to reduce their power consumption. The good news is that it is an opt-in service and free so you don't have to make Google your energy-monitor if you dont't want to do so."
Convergence of a different kind?
http://news.cnet.com/8301-17852_3-10470474-71.html?part=rss&subj=news&tag=2547-1_3-0-20
Is Facebook to blame for U.K. rise in syphilis?
Normally not a big fan of slide shows, but I did learn a new word!
http://www.pogowasright.org/?p=8538
Couvakian on Facebook privacy
March 25, 2010 by Dissent
Anne Cavoukian, the Information and Privacy Commissioner of Ontario, spoke at the Facebook Speaker Series in Palo Alto, California on Tuesday. The title of her talk was “Privacy …It’s All About Freedom: Maximizing Control, Maintaining Freedom of Choice.” The overheads from her talk are available online, here (pdf).
[From the slides:
pee-mail – (noun) a text message or email sent from your workplace bathroom because policy dictates you may not do so on company time.
[I also found this slide interesting:
The Default Rules:
80% of the time, whatever option is presented as the default, that will be the condition that prevails
Does this law “Get it right?” Is this the direction we want to move?
http://www.databreaches.net/?p=10831
Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches
March 25, 2010 by admin
Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches. Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities: businesses, processors and vendors. Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”
Read more on Hunton & Williams LLP
Perhaps if there was a “Commissariat for Verifying Citizen IDs” this wouldn't be an issue?
GoDaddy Follows Google's Lead; No More Registrations In China
Posted by timothy on Wednesday March 24, @03:48PM
phantomfive writes
"GoDaddy has announced it will no longer register domain names in China, in response to new requirements that each registrant be photographed, and their business ID number be submitted. GoDaddy's representative said, 'The intent of the procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.'"
My Security students argued that this would never happen. Welcome to the economic realities of the real world.
Who Should Own Your Smartphone?
Posted by timothy on Wednesday March 24, @05:13PM
snydeq writes
"The great corporate barrier against employees using personal smartphones in business contexts has been breached, writes InfoWorld's Galen Gruman. According to a recent report from Forrester Research, half of the smartphones in use among US and Canadian businesses are not company-issued equipment. In fact, some organizations are even subsidizing employees' service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. Gruman discusses the pros and cons of going with a subsidized, employee-owned smartphone plan, which is part of a larger trend that sees IT loosening its grip on 'dual-use' devices, including laptops and PCs."
So maybe this “leak” was intentional? This is far from “Best Practices”
http://www.databreaches.net/?p=10808
An ACTA of insecurity
March 24, 2010 by admin
By now, the leaked copy of the January 18, 2010 draft of ACTA is all over the web. What I don’t understand is the notice on the cover:
This document must be protected from unauthorized disclosure, but may be mailed or transmitted over unclassified e-mail or fax, discussed over unsecured phone lines, and stored on unclassified computer systems. It must be stored in a locked or secured building, room, or cabinet.
In other words, they weren’t serious about protecting it from unauthorized disclosure.
This is interesting. Now I can redesign my Excel “Budget Project” with some real world numbers!
http://www.bespacific.com/mt/archives/023838.html
March 24, 2010
2010 Bundle Report: How America Spends
"...the first-ever Bundle Report, a breakdown of how America spent for all of 2009. The numbers...show how much the average American household spent last year: $37,782, not counting mortgage or rent (which are not included in the Bundle data). Divided into six categories, that's 23 percent of their daily budget spent on shopping, 14.5 percent on getting around (gas and auto expenses), 17.5 percent on food and drink, 7 percent on travel and leisure, 17 percent on house- and home-related expenses, and 21 percent on health and family..."
One highlight: The 25 top-spending cities in the U.S. (plus: the bottom five)...1. Austin ($67,076)"
For my website students
http://www.makeuseof.com/tag/3-free-tools-video-website/
3 Ways To Add Cool Video Features To Your Website
For my “better” students
http://www.makeuseof.com/dir/certificatestreet-free-printable-award-certificates
CertificateStreet: Get Free Printable Award Certificates
For my Capstone students
http://www.makeuseof.com/tag/zim-desktop-wiki-life-universe/
Zim: An Easy To Use Desktop Wiki For Your Life & Everything
by Justin Pot on Mar. 24th, 2010
… The Zim wiki is an open-source program available for Linux and Windows, and it’s a great way to build a simple desktop wiki. Best of all, it’s named after the single greatest cartoon character in history.
… Installing the Zim wiki is easy. If you’re a Linux user, the program is most likely in your repositories already, so check out your package manager and find the package called “Zim.” Alternatively, you can find links to packages here.
Windows users can find a link to an installer here. Simply run the executable and you’ll install Zim wiki in one easy step.
No comments:
Post a Comment