My Ethical Hacker students thank you for pointing out a major bank vulnerability! (Postcards from Brazil to follow...) Let's not encourage improved security here, at least until we offer to return all their bank accounts in exchange for an end to weapons development...
Computer specialist who had warned Iranian banks about vulnerability, hacks and dumps 3 million accounts to make his point
April 16, 2012 by admin
Is it just me, or have these folks missed the point? From The Tehran Times:
A computer specialist, who used to work for a PSP (payment service provider) company which offers a number of Iranian banks services for accepting electronic payments, has hacked accounts of three million bank customers to show the vulnerability of the banks to computer security threats, the Persian service of the Fars News Agency reported on Sunday.

According to the report, the hacker had provided the managing directors of the targeted banks with information about the bank accounts of 1000 customers in the previous Iranian calendar year (ended on March 19) to warn them about the susceptibility of their computer systems and networks to cyber threats.

The Central Bank of Iran issued a statement on Saturday advising the bank customers to change the passwords of their bank cards to prevent possible credit card fraud.

An official at the Central Bank of Iran also told the Persian service of IRNA on Sunday that no one has illegally accessed people’s bank accounts.

“It is possible that certain individuals have some information… but they cannot use this information until the bank cards are not in their possession,” Nasser Hakimi said.

The deputy chief of Iran’s cyber police, Mohsen Mirbahresi, also said on Sunday that there is no cause for concern because the hacker has not acquired important financial information, such as bank account numbers.
No statement about improving security? Changing passwords isn’t going to do it if the security problems aren’t addressed.
Radio Free Europe and Kabir News identify the hacker as Khosrow Zare Farid, a former manager at Eniak, the operator of the Shetab payment network in Iran. According to Kabir News, Farid had previously warned the banks of the problem but got no response and decided to publish the data of 3 million accounts from ten Iranian banks.
I suspect he’s got their attention now. [Run! Bob]
The Iran Independent News Service reports that ATMs in the country are no longer dispensing cash and that the only function working is the mode for changing the passwords.
I have a friend whose life goal is to “invent a new sin!” This, he assures me, is a way to guaranteed riches... Cybercrime isn't “a new sin.”
April 15, 2012
Commentary
- Experts question validity of cybercrime statistics
New York Times: The Cybercrime Wave That Wasn’t, by Dinei Florêncio, researcher and Cormac Herley, principal researcher at Microsoft Research
- "In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. While other industries stagger under the weight of recession, in cybercrime, business is apparently booming. Yet in terms of economics, there’s something very wrong with this picture. Generally the demand for easy money outstrips supply. Is cybercrime an exception? If getting rich were as simple as downloading and running software, wouldn’t more people do it, and thus drive down returns? We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it. Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around. How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable."
This is news? You probably teach torts in the torts class. By the time you reach Privacy Law, you should recognize a tort when you trip over one. You don't teach Class Actions in that class either.
How irrelevant are privacy torts to today’s biggest privacy concerns?
April 16, 2012 by Dissent
Over on Concurring Opinions, Peter Swire explains why he doesn’t teach the privacy torts in his privacy law class. He writes, in part:
Privacy torts aren’t about the data. They usually are individualized revelations in a one-of-a-kind setting. Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed. Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law. IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong. [That assumes juries would not understand “here is how we protected customer privacy.” Bob]
That certainly helps answer questions I’ve raised repeatedly on this blog, as to which privacy tort might apply in a particular situation that I find disturbing or egregious. It also helps explain why I find myself turning to the FTC more to go after businesses under their authority to address unfair business practices that can harm consumers.
Read more on Concurring Opinions.
Think of this as a 'rant' in graphic form, sort of a rant-o-graphic...
April 15, 2012
LLRX: SOPA’s Evil Twin Sister – CISPA
Via LLRX.com
- SOPA’s Evil Twin Sister – CISPA: Well known graphic artists Jake O'Neil and Spencer Belkofer created this infographic out of a sense of urgency to visualize the salient information with as many communities as possible. This bill, the Cyber Intelligence Sharing and Protection Act of 2011, has not garnered the media coverage of the Stop Online Piracy Act (SOPA), but its high impact implications target key legal issues involving privacy and intellectual property.
This is not about reading individual emails. The software described looks at the overall semantic shifts. Are employees whose emails contained invites to local fast food joints now talking about going to the Union meeting? This is like Google scanning your emails to deliver targeted ads, only here employers are looking to see if they are the target.
"In an effort to protect sensitive data from internal security threats, some organizations are 'using new technology to look at the language of their IT staff's emails to determine whether their behavior or mind-set has changed,' the Wall Street Journal reports. Is secretly spying on and linguistically interpreting employee emails going too far in the name of security? from the article: 'I understand the need to be aware of the attitudes of workers with high-level access to data and networks, but this strikes me as creepy. What if an IT employee suddenly has relationship problems or family issues? Will they then be flagged by HR as potentially troublesome or even a data security risk? [and will HR be correct? Bob] And all without them even knowing there's a dossier being created of them and their "suspect" behavior?'"
Think of “Mom” as a codeword for “old fuddy-duddy”
So I'm not actually trying to teach my mom to use Twitter, but it makes for a nice title to this post. Mom, This Is How Twitter Works is an excellent explanation with visuals and text of how Twitter works. The post, written by Jessica Hische, explains everything you need to know about Twitter. Want to know what a reTweet is? That's covered. Do you want to know which things on your timeline can or can't be seen by others? That's explained. And just how does Twitter compare to Facebook? Jessica has that covered too.
Applications for Education
If you have ever tried Twitter, but just didn't "get it", Mom, This Is How Twitter Works is for you. If you're trying to get your colleagues to try Twitter to build their own personal learning networks online, Mom, This Is How Twitter Works could be a good primer to have them read and/or reference.
For my future, e-book using students. (In Beta, less than 800 books so far...)
April 15, 2012
Directory of Open Access Books - DOAB
"The primary aim of DOAB is to increase discoverability of Open Access books. Academic publishers are invited to provide metadata of their Open Access books to DOAB. Metadata will be harvestable in order to maximize dissemination, visibility and impact. Aggregators can integrate the records in their commercial services and libraries can integrate the directory into their online catalogues, helping scholars and students to discover the books. The directory will be open to all publishers who publish academic, peer reviewed books in Open Access and should contain as many books as possible, provided that these publications are in Open Access and meet academic standards."
Geeky: So simple, no one thought to try this before? (Axiom: The best is rarely the most heavily advertised.)
Measuring Battery Capacity With an Arduino
Denis Hennessy recently encountered a problem we’ve all faced: he needed some AAs for a battery-eating gizmo, and he was overwhelmed by the choices available. Ignoring the shiny packaging and its marketing jargon, the core question was: which brand offered the best bang-for-the-buck?

Hennessy knew that the cheapest price did not necessarily mean the best value, so he did the only logical thing: pull on his Mad Science labcoat, buy samples of all the batteries, build an Arduino-controlled testing rig, and start generating data.

… Over on his blog, Hennessy has published the results of his tests of 10 different brands of battery. Most of the batteries perform about the same from 1.5V down to about 1.2V, but below that, the results diverge wildly, with about a 9x difference between the best and the worst.

[From the blog: There’s a difference of over 9X between the best value (RS Power Ultra) and the worst value (Panasonic Evolta).]