For my Ethical Hacker/Entrepreneurs: Okay, now you have managed to let everyone know... Time to raise your prices.
Service Sells Access to Fortune 500 Firms
October 22, 2012 by admin

An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, [Keep this tag line, but get rid of the Clint Eastwood picture – you don't want to mess with the Copyright Cops. Bob] these services offer the ability to buy your way inside of Fortune 500 company networks.

The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010.

Read more on Krebs on Security.
Could it be that someone actually noticed what is going on? Or just noticed that even the agents didn't know how their “tools” worked.
Judge Questions Tools That Grab Cellphone Data on Innocent People
October 22, 2012 by Dissent

Jennifer Valentino-DeVries reports:

A judge in Texas is raising questions about whether investigators are giving courts enough details on technological tools that let them get data on all the cellphones in an area, including those of innocent people.

In two cases, Magistrate Judge Brian Owsley rejected federal requests to allow the warrantless use of “stingrays” and “cell tower dumps,” two different tools that are used for cellphone tracking. The judge said the government should apply for warrants in the cases, but the attorneys had instead applied for lesser court orders.

Read more on WSJ.

[From the article:

Among the judge’s biggest concerns: that the agents and U.S. attorneys making the requests didn’t provide details on how the tools worked or would be used — and even seemed to have trouble explaining the technology.

“Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Magistrate Judge Brian Owsley wrote in an order last month, adding the government was essentially asking him to allow “a very broad and invasive search affecting likely hundreds of individuals in violation of the Fourth Amendment.”

(Related) Mentioned in the article above, and based on the Fourth Amendment (cites lots of cases and other sources) but “The government cannot obtain judicial approval for a search using sophisticated, uniquely invasive technology that it never explained to the magistrate”
In Court: Uncovering Stingrays, A Troubling New Location Tracking Device
October 22, 2012 by Dissent

Linda Lye of the ACLU writes:

The ACLU and Electronic Frontier Foundation have filed an amicus brief in what will be the first case in the country to address the constitutional implications of a so-called “stingray,” a little known device that can be used to track a suspect’s location and engage in other types of surveillance. We argue that if the government wants to use invasive surveillance technology like this, it must explain the technology to the courts so they can perform their judicial oversight function as required by the Constitution.

The case is highly significant for two reasons. First, it shows that the government is using new types of technology—not just GPS and cell site location records—to track location. Second, it shows that the government is going to great lengths to keep its surveillance practices secret.

Read more on ACLU.
My concern is throwing the baby out with the bath water... Would the UN have blocked the communications that brought about Arab Spring?
U.N. calls for 'anti-terror' Internet surveillance

The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists.

A 148-page report (PDF) released today titled "The Use of the Internet for Terrorist Purposes" warns that terrorists are using social networks and other sharing sites including Facebook, Twitter, YouTube, and Dropbox, to spread "propaganda."

"Potential terrorists use advanced communications technology often involving the Internet to reach a worldwide audience with relative anonymity and at a low cost," said Yury Fedotov, executive director of the U.N. Office on Drugs and Crime (UNODC).

… That echoes the U.S. Department of Justice's lobbying efforts aimed at convincing Congress to require Internet service providers to keep track of their customers -- in case police want to review those logs in the future. Privacy groups mounted a campaign earlier this year against the legislation, which has already been approved by a House committee.

… Other excerpts from the UN report address:

Open Wi-Fi networks: "Requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations... There is some doubt about the utility of targeting such measures at Internet cafes only when other forms of public Internet access (e.g. airports, libraries and public Wi-Fi hotspots) offer criminals (including terrorists) the same access opportunities and are unregulated."

Cell phone tracking: "Location data is also important when used by law enforcement to exclude suspects from crime scenes and to verify alibis."

Terror video games: "Video footage of violent acts of terrorism or video games developed by terrorist organizations that simulate acts of terrorism and encourage the user to engage in role-play, by acting the part of a virtual terrorist."

Paying companies for surveillance: "It is therefore desirable that Governments provide a clear legal basis for the obligations placed on private sector parties, including... how the cost of providing such capabilities is to be met."
It's called “BYOT” (Bring Your Own Technology) and it has been around at least since accountants started sneaking Apples with VisiCalc into accounting departments.
Cell phones are replacing pagers in pediatric hospitals

Ah, pagers -- still beloved by a wide range of users, from physicians to restaurant hostesses to bird watchers to drug dealers.

And given the simple telecommunication tech has been around for more than half a century, it should come as no surprise that it is gradually being replaced -- at least in hospital settings -- by cell phones.

That's according to an electronic survey administered by researchers out of the University of Kansas and presented this week at the American Academy of Pediatrics (AAP) National Conference and Exhibition in New Orleans.

Of the 106 pediatric hospital physicians surveyed, 96 percent say they text and 90 percent say they use a smartphone, with 57 percent of the physicians reporting they've sent or received work-related text messages and 49 percent even when they weren't working or on call.

… The underlying issue with this shift toward texting over paging is that few of the physicians said their hospital had Health Insurance Portability and Protection Act (HIPPA)-encrypted software for texting, let alone an actual policy regarding texting at the hospital.

Cell phones in hospitals pose numerous potential privacy breaches, be it taking photos of patients or routinely texting them about a range of health issues, including extremely personal ones such as drug use and sex.
Sort of the reciprocal of “Best Practices”: these are “Likely to get you involved with the FTC Practices.”
Data security flaws part of FTC complaint against Compete
October 22, 2012 by admin

The FTC has been active in going after companies that do not provide adequate data security. Today, they announced that Compete, Inc. had settled charges involving unfair or deceptive practices associated with collecting and sharing personal information of users. Of interest here, however, are the charges in the complaint that relate to data security:

Compete’s Data Security Practices

16. In addition to the representations made about the collection of data, Compete made statements about the security of user data such as the following:

We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information. These measures include internal reviews of our data collection, storage and processing practices and security practices.

See General Compete Privacy Policy, Exhibit 5.

17. Respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumer information collected and transmitted by Compete. Among other things, respondent:

a. created unnecessary risks of unauthorized access to consumer information by transmitting sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text over the Internet; [i.e., unencrypted. Bob]

b. failed to design and implement reasonable information safeguards to control the risks to customer information; and

c. failed to use readily available, low-cost measures to assess and address the risk that the data collection software would collect sensitive consumer information that it was not authorized to collect. [In other words, acting like the FBI? Bob]

18. These security failures resulted in the creation of unnecessary risk to consumers’ personal information. Compete transmitted the information it gathered – including sensitive information – over the Internet in clear readable text. Tools for capturing data in transit over unsecured wireless networks, such as those often provided in coffee shops and other public spaces, are commonly available, making such clear-text data vulnerable to interception. The misuse of such information, particularly financial account information and Social Security numbers, can facilitate identity theft and related consumer harms.

19. After flaws in Compete’s data collection practices were revealed publicly in January 2010, Compete upgraded its filters, added new algorithms to screen out information such as credit card numbers, and began encrypting data in transit.

The settlement doesn’t require any admission of guilt, but it is encouraging to see the FTC continue to protect consumers from the risk of ID theft by insisting on adequate security.
Think advertisers will ignore this? I know they'd like to, and after all they're only guidelines...
FTC publishes guidelines for facial recognition
October 22, 2012 by Dissent

You can read “Best Practices for Common Uses of Facial Recognition Technologies” on the FTC’s site. Here’s a snippet from the Executive Summary:

Finally, there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images.

First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data.

Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent.

Consider the example of a mobile app that allows users to identify strangers in public places, such as on the street or in a bar. If such an app were to exist, a stranger could surreptitiously use the camera on his mobile phone to take a photo of an individual who is walking to work or meeting a friend for a drink and learn that individual’s identity – and possibly more information, such as her address – without the individual even being aware that her photo was taken. Given the significant privacy and safety risks [wouldn't a law be better than some “guidelines?” Bob] that such an app would raise, only consumers who have affirmatively chosen to participate in such a system should be identified.
This is not deterrence... Pay off the attorneys, give a nominal amount to the victims who started the lawsuit, and promise not to use outdated technology any more? What we need is someone with both a law degree and an economics degree (hint, hint) to determine what amount puts the punitive back in punitive.
KISSmetrics Settles Supercookies Lawsuit
October 22, 2012 by Dissent

Wendy Davis reports:

Analytics company KISSmetrics has agreed to settle a class-action lawsuit by promising to avoid using ETags or other “supercookies” to track people online without first notifying them and giving them a choice.

The company also will pay $2,500 each to the consumers who sued — John Kim and Dan Schutzman — and around $500,000 to the attorneys who brought the case, according to court papers filed on Thursday.

If approved by U.S. Magistrate Judge Laurel Beeler in San Francisco, the settlement would resolve a dispute alleging that KISSmetrics violated wiretap laws by using ETags (and other supercookies) for tracking.

Read more on MediaPost.
99 cans of worms on the wall, 99 cans of worms...
USPTO nixes Apple patent used in victory over Samsung

Apple might have some trouble on its hands.

The U.S. Patent and Trademark Office (USPTO) yesterday ruled that all twenty claims included in Apple's so-called "rubber-banding" patent are invalid, according to Foss Patents' Florian Mueller, who first discovered the rejection. Following that ruling, Samsung quickly filed a motion with Judge Lucy Koh, informing her of the USPTO's decision.
At least tell me why...
Remote Wipe of Customer’s Kindle Highlights Perils of DRM (Updated)

Imagine having every book on your Kindle remotely wiped, with no way to get it back. If you’ve invested hundreds or even thousands of dollars, that may seem frightening, if unlikely. Yet it’s exactly what happened to one Amazon customer in Europe. And even more shockingly, it was apparently the company itself responsible for deleting her library. According to Linn Nygaard, an IT consultant living in Norway, Amazon remotely wiped her Kindle and closed her Amazon account for as yet unspecified violations to its terms of service. It’s frightening evidence that when you buy into an ecosystem built on DRM, while you may own your device, you don’t own the data that lives on it.

… (It seems likely that it was because she was using her Kindle in Norway to buy content licensed in the U.K.)
Something every Ethical Hacker should know...
October 22, 2012

UK Report - The Future of Computer Trading in Financial Markets

"A new two-year Foresight study, The Future of Computer Trading in Financial Markets - An International Perspective, sheds new light on technological advances which have transformed market structures in recent years. The independent and international study has involved 150 leading experts from more than 20 countries to provide the best possible analysis on computer trading to date. Sponsored by Her Majesty's Treasury, the project was led by the Government Office for Science under the direction of the Government's Chief Scientific Adviser, Professor Sir John Beddington. It has involved leading experts in the field and explores how computer generated trading in financial markets will evolve over the next 10 years. It assembles and analyses evidence on the effect of HFT on financial markets looking out to 2022."
Now here's an interesting use of “Social Media”
Icelanders 'like' their crowdsourced constitution

In the wake of a crushing recession and raging protests, the government decided to rewrite its constitution and asked its citizens for help. Rather than requesting petitions, letters, or phone calls, the government asked people to help draft the new constitution through Facebook, Twitter, YouTube, and Flickr.

Over the course of the year, Iceland's citizens offered roughly 3,600 comments and 370 suggestions on the draft constitution, which was then drawn up by 25 members of a constitutional council, according to Reuters.

[The draft:
Add this to your 3D Printer and perhaps you can make guns at home...
"Affordable 3-D printers and CNC mills are popping up everywhere, opening up new worlds of production to wide ranges of designers. However, one major tool still hasn’t received a DIY overhaul: the laser cutter. Maybe people are sensitive because Goldfinger tried to cut James Bond in half with one, but all that changes now with Patrick Hood-Daniel’s new Kickstarter, 'Build Your Own Laser Cutter.' ... A 40-watt laser tube and power supply means it can cut a variety of materials: wood, plastic, fabric, and paper. ... There is one major red flag, however. The machine’s frame is built from Medium Density Overlay (MDO) — a type of plywood. Hood-Daniels says this is a feature, making the blackTooth less sensitive to thermal distortion and inaccuracy than a metal frame, but it also creates a serious, fire-breathing concern. ... When asked for comment, Hood-Daniel says 'Initially, I had the same thoughts as to the precarious use of wood for the structure, but even with long burns to the structure which were made on accident when starting a run, there was no ignition.'"