Friday, June 24, 2011

Sony in the news again. It's amazing what comes out after a breach (and before the Class Action). It makes it seem that Sony is doomed.

http://www.databreaches.net/?p=19180

Sony laid off employees before data breach: Lawsuit

June 24, 2011 by admin

Reuters reports:

Sony Corp laid off employees in a unit responsible for network security two weeks before a massive data breach, according to a lawsuit filed this week.

Sony also spent lavishly on security to protect its own corporate information, while failing to do the same for its customers’ data, the proposed class action lawsuit alleges.

[...]

In a lawsuit filed in a San Diego federal court on Monday, a proposed class of Sony customers says the company knew it was at increased risk of attack because it had experienced prior, smaller breaches.

Read more on Times of India.



Now this is interesting/scary... and very slick.

http://www.databreaches.net/?p=19155

Postal Inspectors Probe Gold Coin Purchases Made With Stolen American Express Cards

June 23, 2011 by admin

A reader sent along this item from CoinWeek, noting the interesting references to tampering with AmEx security:

U.S. Postal Service inspectors are investigating the fraudulent use of stolen American Express credit cards to purchase apparently tens of thousands of dollars of gold coins.

“The orders are placed by phone, often for $10,000 to $20,000 worth of Liberty Double Eagles or other, large-sized gold coins. The callers have a foreign accent and sometimes have problems pronouncing the name on the credit card. They’ll phone dealers and will correspond by email, but no one ever answers the phones when dealers try to call them back,” said Michael Fuljenz, President of Universal Coin & Bullion in Beaumont, Texas, who has been working with postal inspectors on several cases.

“The callers want the coins shipped by overnight delivery to residential addresses in either Gaithersburg or Montgomery Village in Maryland, then phone or email back asking for the tracking number of the shipment. The location they give for delivery matches the address you get when you use the American Express address verification system; however, it turns out those are not the actual addresses of the victims whose stolen credit card numbers are being used,” said Fuljenz.

“The four-digit verification codes and other information on the credit card are also seemingly correct when you check with American Express or the credit card processor. However, it appears that various precautionary security mechanisms may have been tampered with because it’s really not the right verification information despite the seemingly correct initial match up. The thieves may have somehow compromised the American Express records system.”

Fuljenz has provided evidence and assisted regional postal inspectors in Washington, DC in their recent investigations. He urges anyone with information or requiring assistance to contact Postal Inspector Christopher Saunders by phone at (202) 636-1484 or by email at CASaunders@uspis.gov, or contact Mike Fuljenz at (409) 658-4533.

Okay, you security folks: how can they do this?



Interesting management strategy...

http://www.databreaches.net/?p=19159

Arizona Department of Public Safety hacked; LulzSec starts to reveal data reportedly acquired

June 23, 2011 by admin

With each day, LulzSec seem more and more to be “hacktivists.” Today, they revealed what seems clearly to be a politically motivated hack/compromise. From their press release:

We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona.

The documents classified as “law enforcement sensitive”, “not for public distribution”, and “for official use only” are primarily related to border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements.

Every week we plan on releasing more classified documents and embarrassing personal details of military and law enforcement in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust “war on drugs”.

Hackers of the world are uniting and taking direct action against our common oppressors – the government, corporations, police, and militaries of the world.

See you again real soon! ;D

The Arizona Republic reports that the AZDPS has confirmed that they were hacked. In a somewhat surprising statement:

Steve Harrison, a DPS spokesperson, confirmed late Thursday that the agency’s system had been hacked earlier in the day. He told 12 News the agency had heard rumors that someone was working on hacking the agency’s system, but DPS could not do anything until the system was actually breached. [And if the volume of data taken is any indication, they didn't do anything for some time after the breach. Bob]

Experts are working on closing the loopholes and have closed external access to the DPS system.

They couldn’t do anything like… um… unplug?



New options for minimal wording on those PR releases? My guess is that NATO probably wasn't told...

http://www.databreaches.net/?p=19178

NATO e-bookshop discloses “probable” data breach

June 24, 2011 by admin

In an example of how to leave breach watchers scratching their heads, NATO issued the following statement on its site yesterday:

23 Jun. 2011

Probable data breach from a NATO-related website

Police dealing with digital crimes have notified NATO of a probable data breach from a NATO-related website operated by an external company. NATO’s e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data. Access to the site has been blocked and subscribers have been notified.

A little more transparency would be good, guys. What kind(s) of data did the attacker probably get? When did this probably happen? What should users probably do? I probably need more coffee before I read such notices.

If any reader actually received a notice from NATO’s e-Bookshop, please forward a copy to me via this site or DataLossDB.org so that we can include it in the database.

Kudos to The H for catching the notice.



They do things differently in the Ukraine...

http://www.news24.com/SciTech/News/16-cyber-hackers-detained-20110623

16 cyber hackers detained

… The detainees, all "young men from the age of 26 to 33 with splendid technical educations", have been interrogated but remain free as no charges have yet been filed against them, said Vitaly Khlevitsky, an SBU spokesperson.

The alleged cyber thieves used an existing computer virus and internet servers in the US, UK, France, Germany, Cyprus and Latvia to identify targets and break into their accounts, he said.

The virus, Conficker, specialises in attacking the Windows computer operating system and shutting down its defensive sub-programs.

The men allegedly used a less virulent virus to infect user software and used automated messages to offer victims an anti-virus programme via the internet.

A multinational police task force on Wednesday raided 30 potential server sites in "several" nations and confiscated 74 computers and more than 300 memory devices. More than 40 bank accounts in Latvia and Cyprus are believed to have been used by the hackers to transport stolen funds, Interfax reported.

US officials said the Federal Bureau of Investigation had been monitoring the operations of the purported Ukrainian hacker group for more than three years.

The amount of money stolen by the hackers over that time period could be "substantially more" than $72m, Khlevitsky said.



Note to my Ethical Hackers. You don't need to swipe a card to read the data...

Card.io’s SDK Makes Entering Credit Card Information As Easy As Taking A Snapshot

Card.io is a new startup making its public debut today that’s looking to make lives easier for developers and users alike — by making inputting your credit card information as easy as holding your card in front of your phone’s camera for a few seconds. You can see the feature in action in the video...



Intellectual Property law is hard for judges and lawyers to understand, no wonder I find it a bit confusing...

Removal of Photo Credit Qualifies As DMCA Violation

"A federal appeals court in Philadelphia has reinstated a photographer's copyright lawsuit against a New Jersey radio station owner, after finding that a lower court came to the wrong decision on every issue in the case. Most significantly, the appeals court said that a photo credit printed in the gutter of a magazine qualifies as copyright management information (CMI) under the Digital Millennium Copyright Act (DMCA). The DMCA prohibits the unauthorized removal of encryption technology or copyright management information from copyrighted works."


(Related) It apparently confuses the lawyers who apply for patents too.

Microsoft's Virtual Skywriting Patent App Features the Real Thing

"GeekWire reports that Microsoft this week was awarded a patent on something it calls 'virtual skywriting', an augmented reality service that adds fake skywriting to scenes captured on a cell phone screen. Odd enough in its own right, but Microsoft also included an unattributed photo in the patent application which it described as 'an example of virtual skywriting in use,' although it certainly appears to be identical to a famous image of actual skywriting from a 2001 public art project. If that turns out to be the case, could the self-described opponent of half-baked patents and IP misuse find itself in hot water with the USPTO for using the 'prior art' to fake its fake skywriting?"



While I'm confessing my shortcomings, here's another area I don't understand. When did schools change places with parents?

http://www.pogowasright.org/?p=23534

MB: Schools ban posting of student photos online

June 24, 2011 by Dissent

Nick Martin reports:

Manitoba’s largest school division is trying to put the social-media genie back in the bottle just in time for graduation.

The Winnipeg School Division has adopted stringent privacy policies - tightening its already rigid standards - in an effort to keep photo and video of its students off the Internet.

Anyone [That includes you Mom and Dad... Bob] recording a public event at the school, including those held after school, off-campus or at a school in another division, may do so only for personal use, [Is this a ban on journalists? Bob] and may not post on the Internet, the division says.

It’s a policy proponents say is meant to protect young children. But just how school officials can enforce it in the era of Facebook and social media is unclear.

“We believe student safety is paramount,” said trustee Kristine Barr, chairwoman of the policy/program committee that recommended the changes to the board.

“It could be a holiday concert, a band recital, a sports game,” Barr said.

Principals will be responsible for notifying people attending school-organized public events of the rules, and it will be up to principals to ask people to take down any postings that violate the rules, Barr said.

“They’re welcome to do so for their own use, but they can’t be posted on the Internet,” she said. “Our hope is there’s going to be compliance.”

Barr would not talk about what steps the division could take if anyone refused to take down postings that violated the policy.

Read more in the Edmonton Journal.

While their proposal may sound like a serious over-reach, I would point out that here in the U.S., we also have similar rules. People who take photos of students in school or at a school event may not publish them or use them without written consent of those photographed and their parents. But those rules fall under our federal FERPA law and it’s not clear to me what a school district here would/could really do to enforce that other than suspend first and hope that the student or parents cave in.



This could be useful. The unsubscribing process can be tedious, confusing, and nearly impossible to complete.

Now You Can Unsubscribe.com From Social Apps Too

When Unsubscribe.com launched last October, the premise was pretty simple. You install it in your email, and any time you want to unsubscribe from a marketing email, you just hit the “Unsubscribe” button and the service takes care of the rest.

Now the service is expanding to social apps. If you are like me, you have dozens of both Web and mobile apps that you’ve signed into with your Facebook, Twitter, or LinkedIn ID. Some of these you keep using, some you forget about, but they still have access to your data unless you remove them.

