How does this match with “Best Practices”?
Barnes & Noble discloses breach involving PIN pads at dozens of stores
October 24, 2012 by admin
Remember when Michael’s Stores found
that PIN pads in some stores had been replaced? It looks like the
same thing has happened to bookseller Barnes & Noble’s brick-and-mortar
stores. According to the New York Times, the firm discovered the breach on
September 14. As of now, it appears that pads at 63
stores were tampered with in the following states: California,
Connecticut, Florida, New York, New Jersey, Rhode Island,
Massachusetts, Illinois, and Pennsylvania. There have reportedly
been some claims of fraudulent use of card numbers associated with
the breach.
So when will B&N send notifications
to consumers – or won’t they? They did notify card issuers, and
if all B&N has is name and card number, they may leave it to the
card issuers to notify customers. The chain does suggest changing
your PIN, but doesn’t indicate how far back
this breach might go. They do say that most fraudulent
charges occurred in September.
Although the breach was detected on
September 14, initial disclosure was delayed so as not to interfere
with the government investigation. That’s understandable and
permissible, but consider this:
The company has
received two letters from the United States attorney’s office for
the Southern District of New York that said it did not have to report
the attacks to its customers during the investigation, according to
the official. At least one of the letters said that the
company could wait until Dec. 24 to tell the customers.
Where did the USAO get that December
24th date? Were they asked
specifically if they could delay that long so as not to interfere
with holiday sales, or was the USAO guesstimating how long the
investigation would take or….?
There is no notice on B&N’s web
site at the time of this posting.
Think of this as the keys to your home.
Would you leave them just anywhere?
"PS3 security has
been compromised again. The holy grail of the PS3 security
encryption keys — LV0
keys — have been found and leaked into the wild. For the
homebrew community, this means deeper access into the PS3: the
possibility of custom (or modified) firmware up to the most recent
version, the possibility of bypassing the PS3 hypervisor for installing
GNU/Linux with full hardware access, dual firmware booting, homebrew
advanced recovery (in the mold of Bootmii on Wii), and more. It
might lead to more rampant piracy too, because the LV0 keys could
facilitate the discovery of the newer games' encryption keys, ones
that require newer firmware."
(Related) But there is such a thing as
“bad management decisions” – when do they rise to negligence?
Sony PSN hacking lawsuit dismissed by judge
A California district judge has
dismissed a handful of charges that plaintiffs brought against Sony,
including negligence, restitution, and unjust enrichment in its
handling of a PlayStation
Network data breach last year.
Several lawsuits were filed against
Sony PlayStation Network in the wake of a major
security breach of the personal data of more than 75 million
customers in April 2011.
On Friday, Judge Anthony Battaglia of
the U.S. District Court in Southern California ruled that one of
those class action suits is invalid, according to Courthouse
News.
… Additionally,
Battaglia said Sony couldn't be fully responsible for the hack.
"There is no such thing as perfect security," he said,
according to The
Register. "We cannot ensure or warrant the security of any
information transmitted to us."
Tools for the Cyber warrior... This
could be mounted on a Hummer, but it would kill the engine too.
It’s perhaps
every tech-lover’s nightmare, but it’s something everyone should
be aware of: electronics-killing missiles. On October 16th, Boeing
tested one such weapon named CHAMP, a non-lethal high-powered
microwave missile that successfully snuffed the life out of a bunch
of PCs, making history in the process. In fact, the
test was so successful, the missile killed the cameras set up to
record the event as well.
Interesting. Do you think Australia
will fall for it? How will they check “push updates” in real
time?
Huawei offers Australia 'unrestricted' access to hardware, source code
Huawei has offered to give the
Australian government "unrestricted" access to the firm's
software source code and hardware equipment in an effort to dispel
security fears, months after the Chinese telecoms giant was barred
from supplying infrastructure equipment for the country's national
broadband network.
The Australian government barred Huawei
from bidding on contracts for the network earlier this year, saying
it had a "responsibility
to do our utmost to protect [the network's] integrity
and that of the information carried on it".
For my Ethical Hackers (and my Math
students)
How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole
It was a strange e-mail, coming from a
job recruiter at Google, asking Zachary Harris if he was interested
in a position as a site-reliability engineer.
“You obviously have a passion for
Linux and programming,” the e-mail from the Google recruiter read.
“I wanted to see if you are open to confidentially exploring
opportunities with Google?”
Harris was intrigued, but skeptical.
The e-mail had come to him last December completely out of the blue,
and as a mathematician, he didn’t seem the likeliest candidate for
the job Google was pitching.
So he wondered if the e-mail might have
been spoofed – something sent from a scammer to appear to come from
the search giant. But when Harris examined the e-mail’s header
information, it all seemed legitimate.
Then he noticed something strange.
Google was using a weak cryptographic key to certify to recipients
that its correspondence came from a legitimate Google corporate
domain. Anyone who cracked the key could use it to impersonate an
e-mail sender from Google, including Google founders Sergey Brin and
Larry Page.
… “I love factoring
numbers,” Harris says. “So I thought this was fun. I
really wanted to solve their puzzle and prove I could do it.”
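The weak key in the Wired story was a 512-bit DKIM signing key (DKIM, RFC 6376, is the mechanism by which a domain signs its outgoing mail; the excerpt above does not name it). The check a mail verifier should perform before trusting such a key is to pull the selector's TXT record from DNS, decode the base64 SubjectPublicKeyInfo in its p= tag, and refuse anything under 1024 bits, which is what RFC 8301 later mandated. The following is an added example, not code from the article or from Google: it includes a tiny DER encoder purely to construct sample records, and the moduli it builds are constructed numbers of the right length, not real RSA moduli.

```python
import base64
import re

# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption): full DER TLV and its bare value
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")
RSA_OID_VALUE = RSA_OID_TLV[2:]
DER_NULL = b"\x05\x00"


# --- Minimal DER encoder: used only to construct the sample records below ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    # One byte more than the minimum keeps the INTEGER positive when its top bit is set
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey { n, e } } }"""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, RSA_OID_TLV + DER_NULL)
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_public_key))


def make_dkim_record(n: int, e: int = 65537) -> str:
    """Constructed DKIM TXT record (not a real selector's key)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode()


# --- Decoder: what a verifier should do before trusting a selector's key ---
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, pos = read_tlv(body)
    oid_tag, oid, _ = read_tlv(alg)
    if (tag, oid_tag, oid) != (0x30, 0x06, RSA_OID_VALUE):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = read_tlv(bits[1:])  # skip the unused-bits byte
    tag, n_bytes, _ = read_tlv(rsa_public_key)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def dkim_key_strength(txt: str):
    """Parse a DKIM TXT record and grade its RSA modulus. Returns (bits, verdict)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported record")
    p = re.sub(r"\s+", "", tags.get("p", ""))  # DNS splits long values into quoted chunks
    if not p:
        return 0, "revoked"  # an empty p= means the selector has been revoked (RFC 6376 3.6.1)
    bits = rsa_modulus_bits(base64.b64decode(p))
    if bits < 1024:
        verdict = "weak"          # factorable with modest resources; RFC 8301 verifiers must reject
    elif bits < 2048:
        verdict = "minimum"
    else:
        verdict = "recommended"
    return bits, verdict


if __name__ == "__main__":
    # Constructed moduli of the right bit length, not real RSA keys
    for n in ((1 << 511) | 0x1234567, (1 << 1023) | 0x1234567, (1 << 2047) | 0x1234567):
        print(dkim_key_strength(make_dkim_record(n)))
```

To run this against a live selector, take the d= and s= tags from a message's DKIM-Signature header and feed `dkim_key_strength` the joined TXT strings of `<s>._domainkey.<d>`; a verdict of "weak" means the domain's signatures prove nothing, which is exactly the situation the article describes.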
(Related) Future areas for my Ethical
Hackers?
We’ve reached this strange moment in
time when updates are released for our cars in the same manner
they’re released for our gadgets. Such is the case with the 2013
Chevy Volt, which GM has pushed a software update out
for after reports of shutdowns. The manufacturer is not issuing a
recall, however.
Sometimes the old hacks are the best
hacks...
'Jesus,' 'welcome' join list of worst passwords
Despite the vulnerability presented by
weak passwords, many Internet users continue to put their security at
risk by using common words or number sequences that are easily
guessable.
Unchanged from last year, the three
most popular passwords for 2012 were "password," "123456,"
and "12345678," according to SplashData's annual "25
Worst Passwords of the Year" list. The list was compiled from
files containing millions of stolen passwords posted online by
hackers.
… A security breach revealed in
July at Yahoo yielded nearly a half
million login credentials stored in plain text. Other password
thefts at LinkedIn, eHarmony, and Last.fm contributed to
approximately
8 million passwords posted in two separate lists to hacker sites
in early June.
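Two failures are bundled into the item above: users pick passwords from a short list anyone can guess, and sites such as Yahoo then store those passwords in plain text, so one breach exposes every account. The following is an added example, not code from the article or from any of the sites named: it rejects the common words and digit sequences the list warns about at enrolment, and stores only a salted PBKDF2-SHA256 hash, compared in constant time. The deny list here is constructed from the three entries the page quotes plus a few obvious additions, and the iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed from the page's list; a real deployment loads a breach-derived list of millions
WORST_PASSWORDS = {"password", "123456", "12345678", "jesus", "welcome", "qwerty", "abc123"}

PBKDF2_ITERATIONS = 210_000  # assumption: raise until one hash costs ~100 ms on your servers


def is_blocklisted(password: str) -> bool:
    """Reject dictionary entries and ascending/descending digit runs, case-insensitively."""
    p = password.lower()
    if p in WORST_PASSWORDS:
        return True
    if p.isdigit() and all(abs(int(b) - int(a)) == 1 for a, b in zip(p, p[1:])):
        return True  # 1234567, 87654321 and similar sequences not on the list
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Nothing recoverable to the password is stored; a leaked table costs the
    attacker PBKDF2_ITERATIONS hashes per guess per user instead of nothing.
    """
    if is_blocklisted(password):
        raise ValueError("password is on the deny list")
    salt = salt or os.urandom(16)  # per-user salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("password", record))
    try:
        hash_password("12345678")
    except ValueError as err:
        print("rejected:", err)
```

Storing the iteration count inside the record lets you raise it later and re-hash users on their next successful login without a migration.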
“Guilt by proximate geography”
Megaupload User Seeks to Unseal Documents Relating to Data Seizure
October 23, 2012 by Dissent
From EFF:
The Electronic Frontier Foundation
(EFF), on behalf of its client Kyle Goodwin, asked a federal court
yesterday to unseal warrant-related documents surrounding the loss of
access to Mr. Goodwin’s data after the government shut down
Megaupload.com. Goodwin used Megaupload’s cloud-based storage
system for his small business reporting on high school sporting
events in Ohio. The site’s servers housing Mr. Goodwin’s data
were frozen as part of a government seizure in January of this
year–since then, Mr. Goodwin and others like him have had no access
to their data.
Mr. Goodwin has consistently asked the
court for the return of his property. In response, the court
recently asked Mr. Goodwin and the government to provide
additional information on how such a hearing might proceed.
“The government engaged in an
overbroad seizure, denying Mr. Goodwin
access to his data, along with likely millions of others who have
never been accused of wrongdoing,” said
Julie Samuels, EFF Staff Attorney. “Access to the government’s
warrant application and related materials can help us learn how this
could have happened and provide assistance in our efforts to get Mr.
Goodwin his property back.”
In running his small business, Goodwin
stored video footage on Megaupload servers as a backup to his hard
drive and so he could share those large files with his producers all
over Ohio. Earlier this year, the FBI shut down Megaupload.com and
executed search warrants on the company’s servers, locking
out all
Megaupload customers in the process. When Goodwin’s
hard drive crashed, he could not get access to any of his own video
files, which he needed to conduct his business.
“Unsealing the court documents in
this case is not only important to Mr. Goodwin, it is critical to the
ongoing public and Congressional debate about the
U.S. government’s increasing use of its seizure power in
intellectual property cases,” added Cindy Cohn, EFF’s
Legal Director. “A court in New Zealand recently upbraided the
authorities who conducted similar seizures for failing to protect
innocent people whose property was obviously likely to be swept up.
The questions raised by the New Zealand court about overbroad
seizures should also be asked, and answered, here in the U.S.”
EFF was assisted by co-counsel Abraham
Sofaer of the Hoover Institution and John Davis of Williams Mullen.
For the full motion to unseal:
https://www.eff.org/document/motion-unseal
For more on the Megaupload Data
Seizures: https://www.eff.org/cases/megaupload-data-seizure
Somehow I can't buy that they have no
way to access the data they gather and store. That's like saying,
“We're so incompetent in so many areas, what makes you think we can
make those computer thingies work?”
October 23, 2012
TRAC Challenges ICE Claim That Data Are Off-Limits to the Public
for TRAC - Jeff Lamicela: "On
October 22, 2012 the Transactional Records Access Clearinghouse
(TRAC) filed suit in D.C. District Court under the Freedom of
Information Act (FOIA) challenging a ruling by Immigration and
Customs Enforcement (ICE) that its master repository of
investigations and operations information is off-limits to the
public... The material sought by TRAC is stored in the ICE-operated
Enforcement Integrated Database (EID), which records and maintains
information related to the investigations and operations of ICE as
well as Customs and Border Protection (CBP) and that agency's Office
of Field Operations. Despite this, ICE has stated
that its office "does not have the means to extract the data or
any other aspect of [TRAC's] request." For more on this
matter, link to the
complaint document and legal exhibits
(Related) Who would we be keeping this
secret from? Countries who already do it to their citizens?
Feds Cite ‘State Secrets’ in Dragnet Surveillance Case — Again
The Obama administration is again
arguing that a lawsuit accusing the National Security Agency of
vacuuming up Americans’ electronic communications without warrants
threatens national security and would expose state secrets if
litigated.
“This case may be dismissed on the
ground that its very subject matter constitutes a state secret,”
the government said
(.pdf) in a legal filing in San Francisco federal court.
Brought by the Electronic Frontier
Foundation, the case is now four years old and its merits have never
been litigated. The civil rights group claims that the major
telecoms provided the NSA a warrantless backdoor to the nation’s
communication backbone.
Is there really that much of a
disconnect between technology and the law? Did no one even ask the
privacy questions?
McDonald’s removes networking features in some online games
October 24, 2012 by Dissent
Cecilia Kang reports:
McDonald’s said
it has removed social networking features in some of its online games
after a privacy advocacy group complained to federal regulators that
the restaurant chain was violating child online privacy laws.
In a complaint
filed last August to the Federal Trade Commission, the Center for
Digital Democracy said McDonald’s was using a “tell-a-friend”
feature on games and other functions of HappyMeal.com and McWorld.com
that asked children to upload photos and videos onto the site and
then pass along that information to friends. McDonald’s also asked
for children to list the e-mail addresses of friends, without
gathering parental consent for that information.
Read more on Washington
Post.
(Related) Would something like this
help?
Navigating App Privacy Laws and Best Practices
October 24, 2012 by Dissent
Tim Kridel writes for Digital
Innovation Gazette:
More than half of
app users have uninstalled or decided to not install an app due to
concerns about personal information, according to a recent Pew
Internet Project survey. If that isn’t motivation enough to
protect customer privacy, consider the growing number of federal and
state laws penalizing breaches.
But
how can developers determine which laws apply? And what
about industry best practices such as those from the Mobile Marketing
Association (MMA) and CTIA – The Wireless Association? We spoke
with Alan Chapell, co-chair of the MMA’s privacy and advocacy
committee, about what developers need to know to
protect customer privacy — and, in the process, their
app’s market potential.
Read the interview on ITBusiness.net
I'm shocked again!
Online Ad Survey: Most U.S. Consumers “Annoyed” By Online Ads; Prefer TV
Ads To Online; Want Social Media Dislike Button; And Reckon Most
Marketing Is “A Bunch Of B.S.”
… The survey
makes amusing reading at times – almost half of the respondents
agree ‘online advertising is creepy and stalks you’, and more
than half agree that ‘most marketing is a bunch of B.S.’.
For my Intro to Computer Security
students...
Facebook has basically made a business
out of knowing as much as they can possibly find out about everyone.
So, tracking your behaviour online and offline makes perfect sense to
them. However, it might not seem that rosy to you. Sometimes, it’s
nice to have a little privacy.
There are many ways Facebook is
tracking you and it’s worth knowing how to block this tracking
where possible and how to opt out when required. Sadly, it’s
getting more and more complicated as time goes by. Here
are the main ways Facebook keeps tabs on you and the best ways to
stop them.
Do we need more (and better) technology
or are there “some things man was not meant to know?” Is this a
field crying out for entrepreneurs?
"Maryn McKenna writes in
Scientific American that the standard autopsy
is becoming increasingly rare for cost reasons, religious objections,
and because autopsies reveal medical mistakes,
making doctors and hospitals uncomfortable. Researchers in several
countries have been exploring the possibility that medical imaging
might substitute
a 'virtual autopsy' for the more traditional variety. 'So few
autopsies are being done now that many medical students get out of
school never having seen one,' says Gregory Davis. 'And yet in
medicine, autopsy is the most powerful
quality-control technique that we have and the
reason we know as much as we do about many diseases and injuries.'
The process, dubbed 'virtopsy,' combines
MRI and CT scanning with computer-aided 3-D reconstruction to
prove causes of death for difficult cases, which included drownings,
flaming car crashes, and severe injuries to the skull and face.
Since 2004 the U.S. military has performed x-rays and CT scans on
the bodies of every service member killed where the armed forces
have exclusive jurisdiction — that is, not just on battlefields
abroad but on U.S. bases as well. 'It allows us to identify any
foreign bodies present, such as projectiles,' says Edward
Mazuchowski. 'X-rays give you the edge detail of radio-opaque or
metallic objects, so you can sort out what the object might be, and
CT, because it is three-dimensional, shows you where the object is in
the body.' A study conducted among intensive care unit patients in
Germany compared diagnoses made before death with the results of both
traditional and virtual autopsy in 47 patients and with only virtual
autopsy in another 115 whose families refused standard autopsy.
Virtual autopsies confirmed
88 percent of diagnoses made before death, not far behind the 93
percent rate for traditional postmortem exams. 'The findings so far
are mixed,' says Elizabeth Burton of Johns Hopkins University.
Virtual autopsy, she says, 'is better for examining trauma, for
wartime injuries, for structural defects. But when you start getting
into tumors, infections and chronic conditions, it's not as good, and
I doubt it will ever be better.'"