Friday, August 12, 2011

Looks like some organizations are getting the message! Note that once the payment information had been processed it was “purged” (I assume that means, “taken offline”) – why do so many companies keep it connected to the Internet forever?

http://www.databreaches.net/?p=20103

Energy Federation Incorporated detects malware, notifies customers

A breach notification by Energy Federation Incorporated to the New Hampshire Attorney General’s Office indicates that on July 12, they discovered two pieces of malware on their server that had been inserted on July 7 and July 10. The malware “was designed to allow a third party to remotely search and collect” information on the server, which included customers’ names, contact information, and credit card numbers and expiration dates. EFI notes that names were stored in a separate database from the credit card data and payment-related information was “purged on an hourly basis.”

Twenty New Hampshire residents were to be notified on July 30; the total number was not indicated.



Nothing startling...

http://www.bespacific.com/mt/archives/028000.html

August 10, 2011

Data-Enabled Government: How Well Is Our Personal Information Used and Protected?

HP Business White Paper

  • "This is a summary of a longer report written in co-operation with the Economist Intelligence Unit. It examines the key issues surrounding the use and protection of personal data and draws on in-depth interviews with experts working on the front lines of public sector data management in the UK, Germany, France and Sweden, as well as academics and other authorities... Governments are continually expanding the breadth and depth of data they hold about their citizens, from the provision of public health and welfare services, to law enforcement and public security. In the pursuit of greater efficiency and improved public services, many are digitising operations and sharing information. However, the issues surrounding how to both deliver better service and safeguard private citizen data are becoming increasingly complex."

[From the report:

Key findings include:

  • Many doubt the need for government to collect more detailed data on citizens

  • Sharing information across departments will be a leading concern

  • A lack of transparency about data usage will be a barrier to gaining citizen trust]


(Related)

http://www.concurringopinions.com/archives/2011/08/drm-for-privacy-part-1.html

DRM for Privacy: Part 1

posted by Ryan Calo

Online privacy has been getting quite a bit of attention of late. But the problem seems as intractable as ever. In a pair of posts, I will explore one aspect of the online privacy debate and, drawing from a controversial corner of copyright law, suggest a modest fix. This first post discusses the problem of consumer tracking and the lack of any good solutions.



...and you wonder why governments can't manage to purchase/develop software applications that work.

Obama Administration Closing Recently Opened Datacenters

"After quadrupling the number of government datacenters over his first three years, Obama's Administration is reversing course and closing the most recently opened datacenters. With one datacenter reportedly the size of three football fields, my question is what happens to all those recently purchased servers? Will the government hold a server fire sale? Count me in!"



For my Ethical Hackers...

http://www.thetechherald.com/article.php/201132/7504/SpyEye-source-code-leaked-to-the-Web

SpyEye source code leaked to the Web

One of the most infamous Malware kits in the world, SpyEye, is now available to anyone after a French security researcher published the source code for version 1.3.45 on Thursday. One of the things that has made the Malware kit so popular is that it incorporates features and code from its predecessor, Zeus.

According to reports, Xyliton, a French researcher with the Reverse Engineers Dream Crew, located a copy of the source and created a tutorial on how to crack SpyEye’s hardware identification (HWID) which has been secured using VMProtect (a licensing tool that locks an installation of software to a particular physical device).

“This leak is important as it illustrates the coding techniques of Gribo-Demon’s team (the authors of SpyEye) and also deals another blow to the underground criminal ecosystem,” commented Sean Bodmer, Senior Threat Intelligence Analyst at Damballa.

At the same time, this leak also puts the rest of us on notice, he added, as once the builder is in hand, the aspiring criminal can begin tearing apart SpyEye.


(Related)

GPRS Can Be Hacked Easily, Claims German Researcher

"A German technology researcher on Wednesday showed global mobile makers and technology firms how General Packet Radio Service can easily be tapped, intercepted, and decrypted with an average mobile phone and a few applications. According to the New York Times, Karsten Nohl, a computer engineer and mobile security researcher, demonstrated to fellow researchers gathered to attend Chaos Communication Camp, a Berlin-based hackers event, how to intercept the voice or data messages sent between mobile devices over GPRS easily, owing to weak protection provided by mobile network carriers for data information. Nohl, in collaboration with his colleague Luca Melette, tapped the information within a radius of five kilometers using a seven-year-old inexpensive mobile phone from Motorola." Computerworld also has an informative, link-laden account. If you are attending this year's CCC (only every four years, sadly), feel free to drop a line (with the submissions form) about cool projects you encounter there.
