The world, according to Sony (and Epsilon)
http://www.databreaches.net/?p=18576
Lawmakers Question Sony, Epsilon on Data Breaches
June 2, 2011 by admin
Grant Gross reports:
Recent data breaches at Sony’s PlayStation Network and at e-mail service provider Epsilon will lead to legislation focused on improving cybersecurity at U.S. companies, the chairwoman of a U.S. House of Representatives subcommittee said Thursday.
Representative Mary Bono Mack, a California Republican, said she will soon introduce legislation focused on ensuring that companies holding personal data secure it. [What a concept! (but shouldn't the Board of Directors already require that?) Bob] Although she didn’t provide many details, the legislation will include a data breach notification requirement, Bono Mack said during a hearing of the House Energy and Commerce Committee’s trade subcommittee.
Read more on PCWorld.
[From the article:
Companies need U.S. government support to fight cyber-attacks, Schaaff added. "Despite spending millions of dollars to secure your networks, despite all of the best efforts known to us, our networks are not 100 percent protected," he said. "It's a process that requires continual investment. I think without additional support from the government, it's unlikely that we will all, collectively, be successful, and that will threaten the livelihood of the growing Internet economy." [“Give us a tax break for doing what we should be doing...” Bob]
[For written testimony and the webcast:
(Related) So bad, they get their own acronym! I wonder if this came up in their testimony?
http://www.databreaches.net/?p=18570
YASH (Yet Another Sony Hack)
June 2, 2011 by admin
From the this-can’t-be-good dept. and the folks at Lulz Security:
Greetings folks. We’re LulzSec, and welcome to Sownage. Enclosed you will find various collections of data stolen from internal Sony networks and websites,all of which we accessed easily and without the need for outside support or money.
We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 “music codes” and 3.5 million “music coupons”.
Due to a lack of resource on our part (The Lulz Boat needs additional funding!) we were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks. [See why I'm always complaining about bandwidth? Bob]
Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.
This is an embarrassment to Sony; the SQL link is provided in our file contents, and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can.
Included in our collection are databases from Sony BMG Belgium & Netherlands. These also contain varied assortments of Sony user and staffer information.
Follow our sexy asses on twitter to hear about our upcoming website. Ciao! ^_^
Files and materials linked from LulzSecurity. Depressingly, I note a number of .gov email addresses with plaintext passwords in one of the databases they have released. I hope those folks do not re-use passwords across sites and their work computer or this could be even more problematic.
(Related) And an article about what you should do if you've been “Sony'd”
http://news.cnet.com/8301-17938_105-20068449-1/six-tips-for-surviving-the-sony-breach/
Six tips for surviving the Sony breach
1. Beware of fraudulent e-mails.
2. Use a different e-mail for "junk."
3. Look out for fraudulent calls.
4. Use a unique password for every account.
5. Change your security questions.
6. Don't give up information in the first place. B
How Korea will do it... Perhaps the US Congress could learn something?
http://www.pogowasright.org/?p=23217
Korea Announces Regulations to Personal Information Protection Act
June 2, 2011 by Dissent
As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.
As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament. The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.
Read more on Hunton & Williams Privacy and Information Security Law Blog.
[From the article:
Data handlers create and adhere to administrative and technical security procedures at each place of business where personal information is handled.
… Furthermore, the Regulations impose mandatory contractual provisions for data handler and sub-contractor agreements and require public disclosure of these relationships.
California again takes the lead in education – but not about sexting... (If ever an article lent itself to double entendre... )
http://news.cnet.com/8301-17852_3-20068441-71/california-senate-schools-can-expel-for-sexting/
California Senate: Schools can expel for sexting
I'm not sure the kids are going to like this.
At least not the kids in California. For it seems the California Senate has, with a show of hands that left none hanging, decided to add sexting to the list of bad behavior for which a student can be expelled from school.
In a move that seemed designed to avoid too much naked publicity, the Associated Press reported that the Senate passed a bill Tuesday that specifically cited sexting and defined it as "the sending or receiving of sexually explicit pictures or video images by means of an electronic act."
Should you be a parent, or should you, indeed, be a school student sitting with your cell phone with little to do, you might be wondering just how extensive the Senate's delineation might be.
Well, the ever-helpful AVN reports that the bill actually amends California's Education Code.
This limits schools' ability to expel to the following areas: 1. While on school grounds. 2. While going to or coming from school. 3. During the lunch period whether on or off the campus. 4. During, or while going to or coming from, a school sponsored activity.
Oh, and there's another subsection that the sexting has to be "directed specifically toward a pupil or school personnel."
Sharp minds will be immediately wafting through the nuances of all this. My blunt one suggests that it might still be just fine for, say, a 14-year-old to text a naked picture of himself to anyone, so long as the recipient has nothing to do with the school.
So will this cause scenes in which schools not only attempt to discover what students are sending but also try to ascertain whether the recipient is on their verboten list? Some might find this very slightly icky.
However, Democratic Senator Ted Lieu told the AP that sexting is a vast problem, so much so that one study declared that 20 percent of teens have either sexted or received sexts. However, how much of that sexting activity was, in fact, between teens in the same school?
I'm sure there's a perfectly logical explanation...
Judge Finds Cisco, US Authorities Deceived Canadian Courts
"The Vancouver Sun reports that 'The giant computer company Cisco and US prosecutors deceived Canadian authorities and courts in a massive abuse of process to have a former executive thrown in jail, says a B.C. Supreme Court judge.' Peter Adelkeye was arrested last year as he was testifying in a special hearing in Vancouver. It turns out he was there because US authorities would not grant him permission to enter the US to testify in a civil case between him and Cisco. The Canadian judge said that almost nothing in the US Attorney's letter was true, and has overturned his extradition order. Slashdot discussed this case in April."
About time.
http://www.bespacific.com/mt/archives/027407.html
June 02, 2011
More than 4,000 National Academies Press PDFs Now Available to Download for Free
News release: "The National Academies—National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council—are committed to distributing their reports to as wide an audience as possible. Since 1994 we have offered “Read for Free” options for almost all our titles. In addition, we have been offering free downloads of most of our titles to everyone and of all titles to readers in the developing world. [Now taxpayers can enjoy the same benefits as citizens of third world countries! Bob] We are now going one step further. Effective June 2nd, PDFs of reports that are currently for sale on the National Academies Press (NAP) Website and PDFs associated with future reports* will be offered free of charge to all Web visitors. For more than 140 years, the NAS, NAE, IOM, and NRC have been advising the nation on issues of science, technology, and medicine. Like no other collection of organizations, the Academies enlist the nation’s foremost scientists, engineers, health professionals, and other experts to address the scientific and technical aspects of society’s most pressing problems. The results of their work are authoritative and independent studies published by the National Academies Press. NAP produces more than 200 books a year on a wide range of topics in science, engineering, and health, capturing the best-informed views on important issues."
For my Ethical Hackers... Extra points for “the Tweet most likely to result in a heart attack”
“Please call to arrage a time for your audit. @Hanging.Judge.at.IRS.GOV”
http://www.makeuseof.com/dir/tweetforger-create-a-fake-tweet/
TweetForger: Create A Fake Tweet From Any Twitter User
As the name suggests, TweetForger lets you create a tweet that can make people think it came from somebody else’s account.
All you need to do is tell the tool which Twitter handle you want to forge, and write the tweet. Once generated, the tweet will look exactly like it’s coming from the original account. It won’t appear in any Twitter streams but will look completely real for a few seconds before a huge message drops down declaring that it is a forged tweet. [We can remove that... Bob] The tool gives you a permanent URL for each tweet so you can share it with friends.
Also for my Ethical Hackers:
http://www.makeuseof.com/tag/find-files-online-p2p-software/
How To Find Files Online Without Having To Use P2P Software
Ditto
EFF Publishes Study On Browser Fingerprinting
"The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."
For my Data Mining and Data Analysis students. An interesting summary...
Too Much Data? Then 'Good Enough' Is Good Enough
"While classic systems could offer crisp answers due to the relatively small amount of data they contained, today's systems hold humongous amounts of data content — thus, the data quality and meaning is often fuzzy. In this article, Microsoft's Pat Helland examines the ways in which today's answers differ from what we used to expect, before moving on to state the criteria for a new theory and taxonomy of data."
An interesting Cloud application...
CodeGuard Raises $500K To Monitor And Protect Websites
CodeGuard, which was the audience choice winner from Startup Alley, helps protect and monitor websites from attacks and data thefts. The startup provides a virtual version control system and stores site data in the cloud. Backups are stored hourly or daily, allowing users to see what files have changed. If there is a hack or suspicious change in data, webmasters can quickly revert to the last known “clean” version.
Is it time to call your Broker?
Groupon’s IPO Filing Reveals Incredible Growth And $2.6 Billion Revenue Run-Rate (Charts)
Groupon finally filed for its IPO today and now we can see it’s finances laid bare (click for full financial table). Groupon has been growing at an astounding rate. Last year, it’s revenues grew more than 22,000 percent to $713 million. And in the first quarter of 2011 alone, it nearly matched all of its revenue from last year with $644 million in sales, up 13,575 percent from a year ago.
No comments:
Post a Comment