Saturday, November 13, 2010

Does this establish yet another sentencing benchmark?

http://www.wired.com/threatlevel/2010/11/palin-hacker-sentenced/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Sarah Palin E-mail Hacker Sentenced to 1 Year in Custody

David Kernell, the former Tennessee student convicted of hacking into Sarah Palin’s personal e-mail account, was sentenced on Friday to one year in custody.

Kernell, 22, was convicted earlier this year of misdemeanor computer intrusion and a felony count of obstruction of justice. The jury found him not guilty of a wire-fraud charge and hung on a fourth charge for identity theft, after four days of deliberating.

The convictions carried a maximum sentence of 20 years in custody and a possible fine of up to $250,000. Federal sentencing guidelines recommend a sentence of between 15 and 21 months in prison. The government was seeking 18 months, but Kernell’s attorney asked the court to forgo a prison sentence and give his client probation instead.

Kernell was sentenced to one year and one day in custody and three years of probation. Federal Judge Thomas W. Phillips recommended that his sentence be served in a halfway house in Tennessee, although his destination will be determined by the federal Bureau of Prisons. The judge also recommended that Kernell get mental health treatment. According to court filings, Kernell had suffered from depression since the age of 11.


(Related) In a world where many (most?) “text before thinking” this is likely to be repeated many times. Is this the right way to handle it?

http://news.cnet.com/8301-17852_3-20022722-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Twitter airport bomb joker loses appeal, tweeters revolt

The British are renowned for their sense of humor. It is, indeed, one of the only reliable British exports over the last 40 years. Together with airlines, Carey Mulligan, Cadbury's chocolate.

So you might have thought that even judges in a dreary place like Doncaster, U.K. have the ability to estimate when something might be intended to be a joke.

It seems not. As Paul Chambers, the man who tweeted his frustration about the possibility of a canceled flight, has lost his appeal against what some might think is one of the more putrid convictions of recent times.

Should you have been yourself incarcerated for jestingly suggesting that the TSA's naked screeners can't afford online porn, here is what Paul Chambers tweeted about Robin Hood airport in Doncaster: "Robin Hood airport is closed. You've got a week and a bit to get your sh*t together, otherwise I'm blowing the airport sky high!!"

His tweet was seen by an airport manager, who sent it on to his manager, even though it was not deemed credible.

Naturally, it ended up before the eyes of policemen and Chambers was arrested and charged with "sending by a public communications network a message that was grossly offensive or of an indecent, obscene or menacing character contrary to Section 127 of the Communications Act 2003."

Oh, of course he was found guilty. But everyone thought that, on appeal, a judge in Doncaster might see the joke. Or, at least, sense.

Perhaps everyone believes that all kittens, in a former life, were hangmen.

For Chambers' appeal was denied and, as if to show just how cheery the British judicial system can be (at least in Doncaster), he was ordered to pay a further 2,000 pounds in prosecution costs.

You might well believe that Chambers' tweet wasn't particularly funny. But, as with so many pieces of communication one encounters, it would surely have been fairly clear to anyone not made of metal and foam that it was meant to be funny.

In order to make the point, his fellow tittering Twitterers decided to repeat Chambers' threat. Over and over again. Using the hashtag #IamSpartacus, they inundated the Interwebs with threats aimed at Robin Hood airport.

I feel readers might be especially moved by a tweet from Dara O'Briain: "Robin Hood! All your base are belong to us! Somebody set up us the Bomb! #iamspartacus #butimalsoanerd"

Some might also feel uplifted by Hugh Miller's tweet: "Anyone else think this #TwitterJokeTrial has been blown up out of proportion? #IAmSpartacus."

You might have imagined that some enterprising journalists might have asked the local South Yorkshire Police whether they would attempt to prosecute all of the more than 5,000 threatening joke-tweeters.

Well, the Associated Press did. The police no doubt thought about it for a vastly long time, balancing the hope of overtime with the possibility that Doncaster might enjoy perhaps the greatest march of the reasonable since Robin Hood himself prowled the local forests, before reportedly replying: "No."



The death of newspapers? Or the death of newsprint?

http://www.bespacific.com/mt/archives/025730.html

November 12, 2010

ICON: International Coalition on Newspapers - Newspaper digitization projects

The International Coalition on Newspapers (ICON) project develops strategies to preserve and improve access to newspapers from around the globe, working on issues including bibliographic access, copyright, and information dissemination. ICON was officially established in 1999 by 13 charter members and is based at the Center for Research Libraries: "This page of Newspaper digitization projects highlights and links to past, present, and prospective digitization projects of historic newspapers. The focus is primarily on digital conversion efforts, not full-text collections of current news sources."


Friday, November 12, 2010

Not as bad as it sounds. The records were available to unauthorized NHS staff, not the entire world.

http://www.phiprivacy.net/?p=4959

UK: Security alert over NHS data breach

By Dissent, November 11, 2010

Alison Dayani reports:

A severe security alert has been issued over confidential NHS medical records of every Birmingham patient being left open to breach, the Birmingham Post can reveal.

The National Information Commissioner has ordered an investigation into access of IT files held by Birmingham Primary Care Shared Services Agency, which holds all staff and patient files for the city’s three primary care trusts (PCTs) plus all GP surgeries.

The highest level of Serious Untoward Incident – level five – has been issued over the computer network allegedly being left repeatedly compromised and insecure, an insider said.

Read more on Birmingham Post.

[From the article:

All patient data along with staff pay and personal details up to chief executive level are believed to have been left accessible to more than 6,000 NHS workers who normally would not be allowed access to such private material.



Security Breach: The rift that keeps on giving!

http://www.databreaches.net/?p=15273

(ALDI update) Five Star Bank hit by debit-card fraud

November 11, 2010 by admin

Jonathan D. Epstein reports:

A debit-card security breach at a discount grocery chain that operates in 11 states is costing Five Star Bank as much as $850,000 in fraud losses.

Financial Institutions, the Warsaw-based parent of the bank, expects to suffer a pretax loss of about $750,000 to $850,000 in the fourth quarter in connection with fraudulent debit transactions, the company disclosed in a regulatory filing with the Securities and Exchange Commission.

Spokesman Matthew Murtha said the fraud stems from “ongoing” theft of customers’ confidential card information from national retailers, including clothing, gas and food stores. Some of the thefts occurred through hacking of computer systems, but others were on-site.

[...]

Five Star was not unique in suffering losses, although its estimate appears much higher than those of two other financial institutions known to be affected: ESL Federal Credit Union in Rochester and Bank of Castile, a subsidiary of Ithacabased Tompkins Financial Corp.

Read more on BuffaloNews.com



A research tool for my Computer Security students. (and a guidebook for my Ethical Hackers?)

http://www.databreaches.net/?p=15285

Get hacked and spill the beans, anonymously

November 11, 2010 by admin

Elinor Mills reports:

A new Web site could help turn security breach guesswork into science.

Database breaches, social engineering attacks, and hacking incidents happen at companies every day, but very few end up being reported publicly. That’s because organizations fear–and rightly so–damage to their reputation, public humiliation, and loss of customer confidence.

But this silent victim syndrome means that others can’t learn from the missteps of victims and that the industry as a whole doesn’t have a good grasp on the scope of the problem.

In a first-of-its-kind effort, Verizon Business is launching a public Web site for reporting security incidents that could crack open the self-defeating secrecy of data breaches.

Read more on cnet

[From the article:

Verizon is officially launching today its Veris information-sharing site where network or security professionals can provide detailed information about an incident and get back a report that illustrates via charts, graphs, and other information how the reported incident compares with others.

[From Veris:

you can subscribe to the RSS Feeds for recently changed pages or comments to monitor and engage in the wiki interaction.



Here's what I get reading between the lines: MessageLabs is in the spam fighting business. They are pretty good detecting spam inbound (sent TO their customers) but completely missed one of their customers sending spam after someone took control of the customer's email system. Apparently they didn't notice the increased volume until another spam-blocking firm started to block all email traffic from MessageLabs' clients. Just proves that even companies owned by big name anti-virus companies don't always get security right.

http://it.slashdot.org/story/10/11/12/0258246/Hackers-Blamed-For-MessageLabs-Spam-Blunder?from=rss

Hackers Blamed For MessageLabs Spam Blunder

Posted by timothy on Friday November 12, @05:58AM

"MessageLabs claims to have discovered that the systems of one of its customers were hacked by spammers after an entire block of MessageLabs IP addresses was blocked by antispam service SORBS. Customers of the managed email service had problems with outbound mail last week after MessageLabs' IP addresses were included in SORBS' block list. The Symantec-owned service provider has assured customers it has systems in place to prevent such incidents from happening again."



Properly secured, this could be a valuable tool (until we can embed RFID chips in people like we now do for dogs, cats and other livestock...)

http://www.killerstartups.com/Web20/wanderid-com-for-the-identification-of-people?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

WanderID.com - For The Identification Of People

Although it is available only in Central Texas, Wander ID offers such a practical service that I feel it is only fair to include it on KillerStartups today. You see, Wander ID is an automatic system that can be used to identify people who can not identify themselves. This includes people with Alzheimer, autism and dementia, as well as minors.

Whenever any situation arises, such people become vulnerable because they can not really express who they are. Wander ID addresses that by creating an online database in which four photos of each person are entered into. These photos are accompanied by the relevant contact information.

From that point onwards, if there is indeed an emergency and your loved one is involved then any police officer or concerned person will be able to identify him/her by taking a digital photograph and sending it to Wander ID.

The photo will be matched with the ones in the database using advanced facial recognition technology. The person will be identified, and you will be notified about his/her whereabouts immediately.

http://www.wanderid.com/



A nose for surveillance? I suspect this will only work if they more or less constantly check the air. After all, there is a big difference before and during Stock Show here in Denver, not to mention the astounding rise in methane levels during Centennial's Bean Burrito Bash

http://www.wired.com/dangerroom/2010/11/darpa-wants-to-sniff-your-citys-distinct-chemical-scent/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Darpa Wants to Sniff Your City’s Distinct Chemical Scent

In theory, chemical attacks can be detected before they happen. Even trace amounts of chemicals give off specific signatures that tools like sorbent tube samplers can register. But in order to figure out if dangerous chemicals are stockpiled somewhere or are floating through the air, the government’s going to have to know the baseline level for those chemicals wafting near your trash receptacle. [Clearly not true. If you detect Sarin or Ricin, you don't need to know that none had ever been detected before. However, you will need constant monitoring to notice when Non-Zero levels are detected. Bob]



Interesting that laws are already changing to reflect the “Double Secret” ACTA

http://yro.slashdot.org/story/10/11/12/0432229/Aussie-Govt-Says-Wiretap-Laws-Fine-Telcos-Wrong?from=rss

Aussie Gov't Says Wiretap Laws Fine, Telcos 'Wrong'

Posted by timothy on Friday November 12, @12:06AM

"A top bureaucrat from the Australian Attorney-General's department has said telcos are wrong to complain about changes to the country's wiretapping laws, which will force them to report every product and network system change to law enforcement for approval, [Is there any other area where the government must approve innovation? Bob] lest they affect the ability to intercept communications. The telcos argue there are simply too many products and network architecture changes to report and that it would become overbearing. It's the latest in a string of changes to communications law in the country, and comes as the government mulls data retention and the Anti-Counterfeiting Trade Agreement."



Internet economics (according to Google?)

http://www.bespacific.com/mt/archives/025716.html

November 11, 2010

Report: The Connected Kingdom - How the Internet is Transforming the UK Economy

"Google commissioned The Boston Consulting Group to produce an independent analysis of the value of the UK’s Internet economy, the factors that are driving this, how we compare to other countries, and how this will change in the future. Google wants to help UK businesses get online and use the Internet to grow and have run programmes like ‘Getting British Business Online’ to help businesses create their first website, we’re also interested in helping existing online businesses to grow further... The Internet is a fundamental part of everyday life in the UK - 73% of households have broadband. Our research has revealed that the UK Internet economy is worth £100 billion a year, is growing at 10% a year and directly employs 250,000 people. To have your say in future policy to continue this growth, explore the site, post a question and add to the debate."


(Related) The physical infrastructure of virtual businesses. Clearly the state is not counting on vastly increased Income Tax revenue from these data centers. One wonders if a naturally low rate of Property Tax or a tax amnesty was a significant part of the attraction?

http://techcrunch.com/2010/11/11/facebook-to-build-its-second-data-center-to-the-tune-of-450-million/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Facebook To Build Its Second Data Center To The Tune Of $450 Million

Earlier this year, Facebook reaffirmed its status as a bonafide Internet giant when it broke ground on its first data center, which will be located in Oregon with plans to begin operations in 2011. [Pop quiz: If their FIRST data center won't start operating until next year, whose laptop has the company been running on thus far? Bob] Today, the company has announced that it’s building its second data center, this time in Rutherford, North Carolina. And it’s not coming cheap: Facebook is investing $450 million to build the new facility.

… and will have around 35-45 full-time and contract workers once it’s done.

… Facebook isn’t the first tech company to turn to North Carolina to build a massive East Coast data center — Apple is building a $1 billion facility that’s expected to be finished this year. Google and IBM also have data centers in the state.



Attention my fellow Nerds! Can you believe someone would actually part with such a precious tech toy? Let's hope he died and the widow needs the money...

http://www.thetechherald.com/article.php/201045/6411/Rare-Apple-1-computer-expected-to-fetch-240-000-at-Christie-s

Rare 'Apple 1' computer expected to fetch $240,000 at Christie's

The Apple 1 was released back in 1976 and sold for a wallet-busting $666.66 USD

… all 200 units of the computer were completely manufactured by hand.

With only 30 to 50 units of the Apple 1 left in existence,

Come November 23, the computer’s lucky new owner will secure a “superb example” of the Apple 1, along with its original shipping box, the positively space-age Apple 1 cassette interface, the Apple 1 operations manual, a dated invoice, and even a signed letter from Apple co-founder Steve Jobs.



What is the Information Age equivalent of “A sign of the times?” Pop-up of the Times? Also note that a wildly popular free book will never be on the “Best SELLer List” – is this a business opportunity? (A Best Freebie List, perhaps?)

http://www.nytimes.com/2010/11/11/books/11list.html?partner=rss&emc=rss

Times Will Rank E-Book Best Sellers

In an acknowledgment of the growing sales and influence of digital publishing, The New York Times said on Wednesday that it would publish e-book best-seller lists in fiction and nonfiction beginning early next year.



Speaking of Free

http://www.bespacific.com/mt/archives/025718.html

November 11, 2010

Watch FedFlix - *No late charges* in the public domain!

"FedFlix is a joint venture with the National Technical Information Service (NTIS) in cooperation with other government agencies including the National Archives. They send us government videotapes, we upload them to the Internet Archive, YouTube, and our own public domain stock footage video library — then we send the government back their videotapes and a disk drive with their digitized video. To The Movies!"

[See also: http://www.archive.org/details/usgovfilms

http://www.archive.org/details/movies



From Gary Alexander, for my Computer Security students

http://communications.focus.com/emails/3433.html

Protecting Your Customers' Data: An Update on Changes to PCI Standards Development

FREE LIVE Webinar: Monday, November 15, 2010 11 AM PST / 2 PM EST



For those times when I want to yell at my students rather than just TYPE IN CAPS (This works well, even with my (very) cheap microphone.)

http://www.freetech4teachers.com/2010/11/vocaroo-simple-way-to-make-voice.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+freetech4teachers%2FcGEY+%28Free+Technology+for+Teachers%29

Thursday, November 11, 2010

Vocaroo - A Simple Way to Make Voice Recordings

Vocaroo is a free service that allows users to create audio recordings without the need to install any software. You don't even have to create an account to use Vocaroo. All you need to provide is a microphone. I used the microphone built into my MacBook to make the recording below. To create a recording just go to Vocaroo.com, click record, grant Vocaroo access to your mic, and start talking. After completing your recording, Vocaroo gives you the choice to publish it or to scrap it and try again.

What I like about Vocaroo besides the ability to record without installing software is the option to embed the recording anywhere, Vocaroo provides the embed code for you. You can also download your recording, just look for the download link at the bottom of the page (it's small and easily overlooked).



My website students can use this...

http://www.makeuseof.com/dir/downloadtube-download-online-videos-multiple-devices/

DownloadTube: Convert & Download Online Videos Direct to PC

Most of the tools that let you download videos from the internet are cluttered with banners and pop-ups. DownloadTube is a bit different since it has a clean interface in addition to a simple functionality. Just enter the URL of an FLV file and select the format you want to download video for.

Options include Windows, Mac, Flash, Mobile, audio only and MP4. Click convert and download to fetch the video. The information on what format is required for a specific device also helps a lot in choosing the right output format.

Update: Without registration you can process only one video per 90 min period. Registering lifts all the limitations.

www.downloadtube.org

Similar tools: Meep, KeepTube and BYTubeD. [and Zamzar http://zamzar.com/


Thursday, November 11, 2010

Suspicions confirmed!

http://www.pogowasright.org/?p=17044

10 Riskiest Places to Give Your Social Security Number

November 10, 2010 by Dissent

Kashmir Hill kindly pointed me to this piece by Cameron Huddleston:

McAfee, the antivirus software company, recently released a list of the most dangerous places to give your Social Security number. Many of the places on the list might surprise you:

1. Universities and colleges
2. Banking and financial institutions
3. Hospitals
4. State governments
5. Local government
6. Federal government
7. Medical businesses (These are businesses that concentrate on services and products for the medical field, such as distributors of diabetes or dialysis supplies, medical billing services, pharmaceutical companies, etc.)
8. Non-profit organizations
9. Technology companies
10. Health insurers and medical offices

Read more on Kiplinger http://www.kiplinger.com/columns/kiptips/archives/10-riskiest-places-to-give-your-social-security.html

[From the article:

The places are ranked based on the number of data breaches involving Social Security numbers from January 2009 to October 2010. What’s most disturbing is that you must disclose your Social Security number if you want to receive services from most of those places (either as required by law or the groups' own policies).



Perhaps “Any sufficiently advanced Cyber Crime is indistinguishable from Cyber War” (with apologies to Issac Asimov)

http://yro.slashdot.org/story/10/11/10/1810234/Targeted-Attacks-Focus-On-Economic-Cyberterrorism?from=rss

Targeted Attacks Focus On Economic Cyberterrorism

Posted by samzenpus on Wednesday November 10, @01:23PM

"When it comes to dangerous Web threats, the only constant is change and gone are the days of predictable attack vectors. Instead, modern blended threats such as Aurora, Stuxnet, and Zeus infiltrate organizations through a variety of coordinated tactics, usually a combination of two or more. Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as a new Websense report illustrates, the latest tactics have now moved to a political and nationalistic stage. Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."



Is 3D printing the next “Betamax?”

http://hardware.slashdot.org/story/10/11/11/034210/3D-Printing-May-Face-Legal-Challenges?from=rss

3D Printing May Face Legal Challenges

Posted by samzenpus on Thursday November 11, @07:57AM

"A coming revolution in 3D printing, with average consumers able to copy and create new three-dimensional objects at home, may lead to attempts by patent holders to expand their legal protections, a paper from Public Knowledge says. Patent holders may see 3D printers as threats, and they may try to sue makers of the printers or the distributors of CAD (computer-aided design) blueprints, according to digital rights group Public Knowledge."



We have to justify all that money we spent!”

http://news.cnet.com/8301-31921_3-20022477-281.html?part=rss&subj=news&tag=2547-1_3-0-20

Backlash grows over TSA's 'naked strip searches'

"We have received minimal complaints," a TSA spokeswoman told CNET yesterday. She said that the agency, part of DHS, keeps track of air traveler complaints and has not seen a significant rise.

A growing number of airline passengers, labor unions, and advocacy groups, however, say the new procedures--a choice of full-body scans or what the TSA delicately calls "enhanced patdowns"--go too far. (They were implemented without much fanfare in late October, amid lingering questions (PDF) about whether travelers are always offered a choice of manual screening.)



Remember, the FTC closed their investigation in late October. Why another investigation you ask? (see the next article)

http://www.pogowasright.org/?p=17046

FCC investigates Google for Street View privacy breach, UK ICO criticized for sending non-techies to investigate

November 10, 2010 by Dissent

Cecilia Kang reports:

The Federal Communications Commission said Wednesday it is investigating a data breach by Google, whose Street View mapping cars scooped up e-mail addresses and passwords from unencrypted residential Wi-Fi networks.

Last month, Google disclosed that its Street View cars collected passwords, e-mails and other personal information wirelessly from unsuspecting people across the country,” said Michele Ellison, the FCC’s enforcement bureau chief. “In light of their public disclosure, we can now confirm that the Enforcement Bureau is looking into whether these actions violate the Communications Act.”

Read more in the Washington Post. Sara Jerome also covers the development on The Hill, as do Amy Schatz and AMir Efrati in the Wall Street Journal.

Meanwhile, across the great pond, the UK ICO is getting hammered for lack of indepth investigation of the breach. Josh Halliday reports:

The Information Commissioner’s Office (ICO) is facing renewed criticism for sending two ‘non-technical’ members of staff to investigate Google’s illegal collection of data from Wi-Fi connections in July.

Two senior members of ICO staff with “considerable experience” of data protection law cleared Google of any wrongdoing earlier this year after examining a sample of so-called “payload” data at Google’s London headquarters. Conservative MP Rob Halfon said it was “astonishing” that the ICO “did not send technical people” to investigate the breach, which the ICO later ruled was a “significant breach” of the Data Protection Act.

Read more in the Guardian.


(Related) “Who you know” only goes so far...

http://tech.slashdot.org/story/10/11/10/172210/Critics-Call-For-Probe-Into-Google-Government-Ties?from=rss

Critics Call For Probe Into Google Government Ties

Posted by CmdrTaco on Wednesday November 10, @12:40PM

"The National Legal and Policy Center has written to the House Oversight Committee to investigate alleged ties between Google and the Obama administration, specifically with regards to the closure of an FTC probe into Google's Wi-Fi privacy breach, when the company admitted to having collected users' unencrypted information over the course of three years. The NLPC compares Google's relationship with the administration to that of Halliburton and cites the timing of a $30,000-a-head Democratic fundraiser at Google CEO Marissa Meyer's home less than a week before the FTC ended its inquiry, where Obama made a personal appearance, as well as the fact that US deputy chief technology officer Andrew McLaughlin is a former Google employee. The NLPC further alleges that the FTC is tougher on other companies, issuing fines to Twitter and Sears for their privacy violations while letting Google off the hook after the company promised to improve its privacy practices."



...because Doctors are too poor to buy their own? What skills those Apple salesmen have! Will the US follow suit or will the Obama Administration wait for the Google version?

http://apple.slashdot.org/story/10/11/11/022255/Australian-State-Govt-To-Fund-iPads-For-Doctors?from=rss

Australian State Govt. To Fund iPads For Doctors

Posted by samzenpus on Thursday November 11, @03:48AM

"The current premier of the Australian state of Victoria, John Brumby, has promised every doctor in Victoria's public hospital system would be issued with an Apple iPad if his incumbent Labor Government was returned to power in the state's upcoming election."



For my Ethical Hackers

http://www.wired.com/threatlevel/2010/11/v-for-vendetta-hacker-strikes-at-washington-state-university/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

V for Vendetta Hacker Strikes at Washington State University

An anonymous hacker wearing a Guy Fawkes mask took over classroom projection screens at Washington State University last Friday, the fifth of November, to broadcast a prerecorded message adapted from V For Vendetta, in a prank that evidently alarmed administrators and amused students.

The nearly four minute video, which was also posted on YouTube, and has its own website, Facebook page and Twitter hashtag, criticizes the university’s IT department. It also urges the student body to rise up against squirrels on the campus grounds. The rodents, the ersatz V complains, do nothing but “eat, drink and breed.”

Video projectors in two dozen classrooms were high-jacked in the prank, according to news reports, and the video was set to replay automatically every hour. The hacker’s website advised university staff that the messages would stop automatically at the end of the day, but referred them to a batch file left on the AV servers that would also reverse the hack. “This script will cleanly remove and reverse all modifications made to the systems.” [“This tape will self-destruct in 5 seconds. Good luck Mr Phelps.” Bob]

A spokeswoman told the Chronicle of Higher Education that campus police were working to identify the perpetrator. “Childish pranks just don’t have a place anymore,” said Darin Watkins. “What may have been seen as cute and clever years ago really doesn’t get that kind of reaction today.” [Apparently the students haven't lost their sense of humor, but having their security failures pointed out to the world does not sit will with the Administration. Bob]



Still not getting serious about security.

http://www.bespacific.com/mt/archives/025714.html

November 10, 2010

Intel - 2010 HIMSS Security Survey

2010 HIMSS Security Survey Sponsored by Intel, Final Report, November 3, 2010

  • "Now in its third year, the 2010 HIMSS Security Survey [Healthcare Information and Management Systems Society], sponsored by Intel reports the opinions of information technology (IT) and security professionals from healthcare provider organizations across the U.S. regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. This year, the study was supported by Medical Group Management Association (MGMA) to encourage additional representation in the medical group and ambulatory space. The study was designed to collect information on a multitude of security-related items, including organizations’ general security environment, access to patient data, access tracking and audit logs, security in a networked environment and technology tools in place. This year, we’ve added a series of questions to evaluate how healthcare organizations are handling patient identity issues."

[The report: http://www.himss.org/content/files/2010_HIMSS_SecuritySurvey.pdf

[From the report:

Formal Security Position: Slightly more than half (53 percent) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security function. Those working for a hospital were more likely to report that they had a CSO/CSIO in place compared to individuals working for medical practices.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization.



For my Computer Security students...

http://web.docuticker.com/go/docubase/61621

The Role of Internet Service Providers in Cyber Security (PDF)

The current level of insecurity of the Internet is a worldwide problem that has resulted in a multitude of costs for businesses, governments, and individuals. Past research suggests that one significant factor in these cyber security problems is the inadequate level of security maintained by home users and small businesses. A handful of research studies and security experts have suggested that Internet Service Providers (ISPs) may be in a good position to cost-effectively prevent certain types of malicious cyber behavior, such as the operation of botnets on home users’ and small businesses’ computers. This research brief will review the existing literature and popular press on actions that ISPs are taking or could take to better secure their customers, economic barriers to such solutions, and incentives needed to increase ISP involvement.



For my Computer Security students. This reminds me of a story about a producer of MALT who, during Prohibition, carefully listed ingredients and processes under the warning that “This will make the illegal substance called Beer!”

http://www.baltimoresun.com/entertainment/bal-mobile-piratemusic-1110,0,4999462.story

Recording Industry: Here's a (inadvertent) handy guide on best websites for stealing music

In response to an inquiry from the federal government trade czar, the Recording Industry Association of America released Monday a filing itemizing "notorious markets" across the globe.

Notorious markets are physical places and websites "driven by the illegal sales or downloads of unauthorized music."

Unfortunately for them, the filing inadvertently doubles as a primer on the best websites for stealing music. If you didn't know what The Pirate Bay was, you will now thanks to the geniuses at the RIAA.


(Related) For my Ethical Hackers – not that they would ever download music...

http://www.makeuseof.com/tag/7-completely-free-vpn-services-protect-privacy/

7 Completely Free VPN Services To Protect Your Privacy

A VPN allows you to connect your machine to a virtual network which in turn encrypts the data you send, hiding everything from the public domain. A good VPN will keep no records of your browsing history, meaning you’re essentially an anonymous user.



Interesting growth curve. Is this the “next big thing” for my students?

http://techcrunch.com/2010/11/10/evernote-5-million/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Flush With Fresh Funding, Evernote Hits 5 Million Users

Mere weeks after raising a $20 million round from the likes of Sequoia Capital and Morgenthaler Ventures, memory enhancement service Evernote is today announcing that they’ve hit 5 million users.

The news, which Evernote just announced on its blog, comes less than three months after the startup reached the 4 million users milestone.

In other words, the time to add another million users keeps getting shorter for Evernote (22,130 users signed up yesterday, the company claims).

They needed 446 days to get its first million users, 222 days to get to its second million, 133 days to get to its third and 108 days to reach the 4 million users milestone.

As you can tell from the graph above, they’ve gone from 4 to 5 million users in just 83 days.

http://www.evernote.com/

Evernote allows users to capture, organize, and find information across multiple platforms. Users can take notes, clip webpages, snap photos using their mobile phones, create to-dos, and record audio.


(Related) Why you might need Evernote...

http://www.smashingapps.com/2010/11/10/how-americans-consume-3-6-zettabytes-a-day-infographic.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SmashingApps+%28Smashing+Apps%29

How Americans Consume 3.6 Zettabytes A Day [Infographic]


Wednesday, November 10, 2010

Crooks have move from carpet bombing to smart bombs.

http://www.itworldcanada.com/news/why-data-breach-costs-are-really-going-down/141906

Why data breach costs are really going down

A new study by Telus Corp. reveals that while Canadian organizations reported 29 per cent more data breaches in 2010 versus the previous year, the annual cost of these security issues has dropped substantially.

The telecom giant’s report, which polled 500 business and IT professionals, was part of a joint study with the University of Toronto’s Rotman School of Management. The report found that breaches were up almost 30 per cent year-over-year, largely because of a doubling in reported incidents at government agencies.

Yogen Appalraju, vice-president of Telus’ security solutions division, said better detection and protection technologies have not only led to more reporting across the board, but also to better containment techniques. This, he said, starts to explain why reported breaches have jumped 30 per cent in 2010, while breach costs dropped from an average of $834,000 in 2009 to $179,508 in 2010.

Appalraju added, however, that targeted attacks have been on the rise during the same period, which might be contributing to the underreporting of data breach losses at some firms.

“In a lot of cases, organizations might not know that they’ve been breached for a long time,” he said.

For Walid Hejazi, professor of business economics at Rotman, the massive 78 per cent decrease in breach costs underscores a drastic change in the way hackers and cyber criminals are going about their trade.

“They’re not trying to bring down the network anymore,” he said.

Increasingly, criminals are targeting organizations and employees that can give them sensitive data that can be sold or repurposed for financial gain.



Unfortunately, we need articles like this...

http://www.makeuseof.com/tag/5-ways-block-facebook-stalker/

5 Ways You Can Block A Facebook Stalker



It's all part of the surveillance service!

http://bucks.blogs.nytimes.com/2010/11/03/a-new-way-to-compare-merchants/

A New Way to Compare Merchants

Mint.com recently released a free service called Mint Data that presents a snapshot of how much people in cities around the country are spending at individual vendors like restaurants, stores and gyms. It also lists which merchants are most popular.

… Mint.com users, meanwhile, can’t opt out of having their data shared, though it is anonymous. [What to bet? Bob] Plus, the data is skewed in the sense that it only reflects the spending habits of Mint.com users.



“Gee, it's not like we're going to staple an RFID tag to the babies!”

http://www.pogowasright.org/?p=17021

Plan to tag new babies causes outcry

November 9, 2010 by Dissent

Laure Belot reports:

A French company, Lyberta, has just dropped plans to fit children in several nurseries in Paris with electronic tags, after a newspaper revealed the scheme. Trade unions, councils and civil liberties groups were indignant at the invasion of privacy. But the response to the idea in online forums was much more divided: “I have been longing for this ever since my first child was born,” a woman wrote. “My three-year-old daughter walked out of her infant school and the teachers found her in the next street … I would rather put a tag on my child than sign up for a kidnap warning scheme.”

[...]

Portugal and Brazil have even passed laws to make individual security devices compulsory in maternity hospitals, to combat kidnapping and swaps,” Levasseur says. In 2009, some 300,000 infants were tagged around the world.

In France, 50,000 babies were tagged in 2009. “About 30 hospitals use our wristbands, but the subject is still something of a taboo,” Levasseur says. “Last year there were two attempted kidnappings in French maternity units, with one in our area,” says Philippe Cruette, deputy head of the Bordeaux-Nord clinic. “We were keen to respond to the concerns of mothers who had heard about these in the media.” RFID wristbands have been available since January. Cruette adds: “Roughly half the mothers ask for a tag, mainly young women having their first baby.”

Read more in the Guardian.



For my Ethical Hackers. The “Internet of Things” includes your car. If you go to court, you need to produce the car's computer files “proving” that you were NOT going 85 in a school zone.

http://www.pogowasright.org/?p=17027

How a Savvy Coder Hacked His Tesla

November 9, 2010 by Dissent

Justin Hyde writes:

A software engineer asked by a Tesla Roadster owner to see what information the car was collecting on its performance managed to crack Tesla’s data format. He found it records every second of its use.

[...]

Last month, after getting the request from another Tesla owner, the software engineer went to work, finding a 12Mb data file stored in the vehicle:

The binary file contains two sections, the first is a long term data logging section with 1 entry per day since the vehicle was made along with firmware update information and other vehicle data. The second section is an 8M wrapped block for data on driving and charging of the vehicle. Data while driving is saved once per second, minute and 10 minutes. Data from charging is once per minute as well as other unknown entries.

The previous parses found that in addition to basic data like speed and charging times, the Tesla also collects GPS data about where the vehicle was charged.

Read more on Jalopnik.com.



Ubiquitous surveillance.

http://www.networkworld.com/community/blog/welcome-skynet-cctv-surveillance-society

Welcome to Skynet, the CCTV Surveillance Society

… The next time someone calls you paranoid or asks about your tin foil hat, point them toward the ACLU's website, You Are Being Watched. The site asks "Do we want a society where we live under an ever-watchful video eye?" Along with highlighting surveillance hot spots, the You Are Being Watched website reveals the high costs of camera surveillance systems, "both in terms of money and civil liberties." The site mentions true "horror stories" such as when CCTV surveillance has been misused for racial profiling and voyeurism.

The government wants to appear like it is doing something productive to cut crime and terrorism. In regard to CCTV, it has been reported that one crime is solved for every 1,000 cameras. New York University published a statistical study that surveillance cameras do not deter crime much, "if at all, based on five years of evidence." Furthermore, criminologists and others studying cameras found that violent crime levels showed "no statistically significant change in the level of crime anywhere in the 500 foot range around the cameras." On the other hand, all that CCTV footage may be successful after a crime has been committed by improving conviction rates and by decreasing the frequency of false convictions. New Orleans recently scrapped its crime camera program. In seven years, its CCTV program produced only six indictments; three were for crimes and three were for bribes.



Fixing HIPAA

http://www.phiprivacy.net/?p=4924

World Privacy Forum files two sets of regulatory comments on HIPAA

By Dissent, November 9, 2010

The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

Read the joint marketing comments on HIPAA (8 pages)
Read the long comments on HIPAA (15 pages)


(Related)

http://www.phiprivacy.net/?p=4944

Identity Theft Reported By 33% Of Healthcare Organizations

By Dissent, November 9, 2010

Nicole Lewis reports:

A Healthcare Information and Management Systems Society (HIMSS) survey has revealed that 33% of respondents said their organization has had at least one known case of medical identity theft, and that some cases may never be reported.

In addition, only 17% of respondents working for medical practices said they were likely to report an instance of medical identity theft, compared to 38% of those working for a hospital. These results come from the 2010 HIMSS Security Survey, a report sponsored by Intel and supported by the Medical Group Management Association.

Read more on InformationWeek.



Well, that's one approach.

http://yro.slashdot.org/story/10/11/10/0435218/Worker-Rights-Extend-To-Facebook-Says-NLRB?from=rss

Worker Rights Extend To Facebook, Says NLRB

Posted by timothy on Wednesday November 10, @07:14AM

"American Medical Response of Connecticut had a policy that barred employees from depicting the company 'in any way' on Facebook or other social media. The National Labor Relations Board has ruled that this policy runs afoul of the National Labor Relations Act, which gives employees the right to form unions and prohibits employers from punishing workers for discussing working conditions."



A simple “solution” to the “Free WiFi” question?

http://nakedsecurity.sophos.com/2010/11/09/dear-starbucks-the-skinny-on-how-you-can-be-a-security-hero/

Dear Starbucks: The skinny on how you can be a security hero

The recent hubbub around Firesheep has provided me with a golden opportunity to Venti my views on public WiFi hotspots and present my Grande Plan.

All of the attention (as intended) resulting from the release of Firesheep has been focused on the service providers and how they should be using SSL/TLS to protect users' sessions. That's great, even if I would have preferred a more delicate approach to proving the point.

But I think it's the right answer to the wrong question.

The right question is this: why is "public Wifi" always synonymous with "unencrypted WiFi?" Encryption has been a basic component of WiFi technology since the first versions of 802.11 were approved. I wouldn't suggest we go back to using WEP like we did in the early days, but even WEP is an improvement over nothing.

While Facebook and other companies should be providing us secure methods of connecting to their services, those companies kind enough to provide us with free internet access at cafes, airports and other public places are also part of the problem.

I propose standard adoption of WPA2 and a default password of "free". Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password.

… What is the value of a password if it is a "well-known secret?" WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another's traffic even when sharing access on the same access point. This is not true for WEP, but nearly all 802.11g access points (the most common) support WPA2 and can provide safe, convenient, free internet access.



Tools & Techniques for my Ethical Hackers

http://news.slashdot.org/story/10/11/10/144250/Nevercookie-Eats-Evercookies?from=rss

Nevercookie Eats Evercookies

Posted by CmdrTaco on Wednesday November 10, @09:04AM

"Anonymizer, Inc. has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a javascript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. The plugin extends Firefox's private browsing mode by preventing Evercookies from identifying and tracking users."



I hadn't thought of myself as a node, but clearly I am.

http://www.bespacific.com/mt/archives/025702.html

November 09, 2010

Pew: How libraries can serve Networked Individuals

"Pew Internet Director Lee Rainie spoke at the annual meeting of the Tampa Bay Library Consortium. His speech is entitled, How libraries can serve Networked Individuals. In it he discusses the latest research of the Project and previews the themes of his forthcoming book, “Networking: The New Social Operating System.” He also describes how the social world of “networked individuals” is different from previous generations and how libraries can plug into the information needs and habits of this new tribe of media users."



Probably, since it's as hard to find clear definition of “Cloud Computing” as it is to summarize the contents of the Library of Congress in 25 words or less.

http://news.cnet.com/8301-19413_3-20022250-240.html?part=rss&subj=news&tag=2547-1_3-0-20

Are IT vendors missing the point of cloud?

There were two conferences in the San Francisco Bay Area last week with content targeted at cloud-computing consumers. These two conferences, Cloud Expo and QCon, helped me to articulate a trend I've been noticing for some time; the cloud market may be sending very different messages to IT operations audiences than it is to software developers.

… What was striking to me last week was how many vendors were pitching "here's how to replicate in the cloud what you do in your existing data center environment today".

… Don't get me wrong, there were exceptions. Some vendors have discovered that their technologies can bridge the gap from infrastructure operations to service or even application operations. So they were positioning their products as useful in strengthening a cloud service offering, or providing a valuable service to an application system. There were also some professional services companies that clearly understood how cloud changes software development and deployment.


(Related) If we can't agree on a definition, how to we agree which “services” need “levels?”

http://www.computerworld.com/s/article/9195638/Amazon_adds_SLA_to_cloud_based_content_delivery_service

Amazon adds SLA to cloud-based content delivery service

The SLA specifies that if the availability of a user's content drops below 99.9% in any given month, it can apply for a credit equal to 10% of the monthly bill, according to a blog post. And if the availability drops below 99%, users can apply for a 25% discount, it said.


(Related) Another “bundling” attempt at Microsoft? Just a rumor, but logical. (Also a great way to look over the shoulders of end users)

http://www.readwriteweb.com/cloud/2010/11/windows-8-to-include-cloud-bac.php

Windows 8 To Include Cloud Backup?

Windows 8 will be released in 2012 but news is already swirling about the operating system backing up to Microsoft's cloud storage service.



For my fellow SciFi junkies... Suitable for framing?

http://www.wired.com/autopia/2010/11/this-is-the-blueprint-to-the-millennium-falcon/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

This Is the Blueprint to the Millennium Falcon

… you can download the full-size image (jpg).