I'm confused. Wasn't this obvious? I seem to recall an earlier “change the limit” hack too. (Yes Bob, you were right again: http://www.pogowasright.org/article.php?story=20080124055948438 and Coordinated, Global ATM Heist Nets $13 Million)
Reports are coming in that in the final
days of 2012 hackers were able to pull off a major scam using ATM
machines and prepaid credit cards. The attack was so successful,
that Visa warned all US payment card issuers to be on high alert for
additional ATM cash-out fraud schemes in 2013. Sources in the
financial industry and law enforcement cited by Krebsonsecurity.com
say that thieves made off with approximately $9 million in the scam.
The sources
claim that the attackers used a small number of reloadable prepaid
debit cards to pull cash out of ATMs in at least a dozen countries.
According to the sources, the crooks took approximately $9 million in
only a few hours. The sources also claim that around New Year’s
Eve the group struck again.
The second attack occurred on ATM
networks in India and resulted in the thieves making off with a
little less than $2 million according to investigators. This sort of
attack is typically avoided because the reloadable, prepaid debit
cards are limited to low dollar amounts being withdrawn within a
24-hour period. However, the criminals were somehow
able to increase or completely eliminate those withdrawal limits for
the accounts they control.
Visa says
that the attacks were made possible because the hackers were able to
gain access to issuer authorization systems and card parameter
information. Once the hackers had access to that information, they
were able to manipulate daily withdrawal amount limits, card
balances, and other parameters. Visa says that in some instances
over $500,000 was withdrawn from a single card within
24 hours. [Must be a really big ATM Bob]
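The Visa description above boils down to one control failure: once the issuer authorization system trusts a stored daily limit that the attacker can rewrite, the limit check passes and the only remaining signal is velocity. The monitor below is an added example (not Visa's, Krebs's or any issuer's code) that flags the three things a practitioner would watch for: a limit parameter raised far above the product's baseline (or removed), cumulative withdrawals in a rolling 24-hour window that exceed the baseline the product is supposed to have regardless of what the stored parameter now says, and withdrawals spread across several countries in that window. Card identifiers, amounts, countries, the baseline limit and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Baseline daily limit the prepaid product is supposed to carry.
# Hypothetical value for this example; real issuers set their own.
BASELINE_DAILY_LIMIT = 500

# Heuristic thresholds (assumptions for the example).
LIMIT_RAISE_FACTOR = 5        # a new limit above 5x baseline is suspicious
COUNTRY_SPREAD = 3            # 3+ countries within 24h is suspicious
WINDOW = timedelta(hours=24)

# Constructed sample events: (ISO timestamp, card id, kind, payload).
# kind "limit_change": payload = new daily limit, None = unlimited.
# kind "withdrawal":   payload = (amount, ISO country code).
SAMPLE_EVENTS = [
    ("2012-12-30T21:00:00", "CARD-A", "limit_change", None),
    ("2012-12-30T21:10:00", "CARD-A", "withdrawal", (300, "US")),
    ("2012-12-30T21:20:00", "CARD-A", "withdrawal", (300, "CA")),
    ("2012-12-30T21:40:00", "CARD-A", "withdrawal", (400, "GB")),
    ("2012-12-30T22:00:00", "CARD-A", "withdrawal", (400, "MX")),
    ("2012-12-30T08:00:00", "CARD-B", "withdrawal", (100, "US")),
    ("2012-12-30T18:00:00", "CARD-B", "withdrawal", (200, "US")),
]


def detect_cashout(events, baseline=BASELINE_DAILY_LIMIT):
    """Return a list of (card, rule, detail) alerts, one per card and rule.

    limit_change: limit set to unlimited or above LIMIT_RAISE_FACTOR x baseline.
    velocity:     rolling-24h withdrawals exceed the *baseline* limit, i.e. the
                  limit the product should have, not the possibly tampered one.
    geo_spread:   withdrawals from COUNTRY_SPREAD or more countries within 24h.
    """
    alerts = []
    fired = set()                       # (card, rule) already reported
    recent = defaultdict(deque)         # card -> deque of (ts, amount, country)

    def fire(card, rule, detail):
        if (card, rule) not in fired:
            fired.add((card, rule))
            alerts.append((card, rule, detail))

    # ISO-8601 strings sort chronologically, so a plain sort is enough.
    for ts_str, card, kind, payload in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "limit_change":
            if payload is None or payload > LIMIT_RAISE_FACTOR * baseline:
                fire(card, "limit_change", f"daily limit set to {payload}")
            continue

        amount, country = payload
        q = recent[card]
        q.append((ts, amount, country))
        while q and ts - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()

        total = sum(a for _, a, _ in q)
        if total > baseline:
            fire(card, "velocity", f"{total} withdrawn in 24h vs baseline {baseline}")
        countries = {c for _, _, c in q}
        if len(countries) >= COUNTRY_SPREAD:
            fire(card, "geo_spread", f"{len(countries)} countries in 24h")
    return alerts


if __name__ == "__main__":
    for alert in detect_cashout(SAMPLE_EVENTS):
        print(alert)
```

The velocity rule is the one that matters: it is computed from the product's baseline, which lives in the monitoring system and not in the card parameter record the attacker rewrote, so tampering with the authorization system's copy of the limit does not silence it. In the sample, CARD-A trips all three rules and CARD-B trips none.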
“It's
not like it's a real computer, why do we need to secure it?”
Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More
A critical vulnerability discovered in
an industrial control system used widely by the military, hospitals
and others would allow attackers to remotely control electronic door
locks, lighting systems, elevators, electricity and boiler systems,
video surveillance cameras, alarms and other critical building
facilities, say two security researchers.
The vulnerability in the Tridium
Niagara AX Framework allows an attacker to remotely access the
system’s config.bog file, which holds all of the system’s
configuration data, including usernames and passwords to log in to
operator work stations and control the systems that are managed by
them.
Worst Practices? People still mail things? Unencrypted? Don't know what happened to “Certified mail?” 46 days to notify victims?
This was reported by James Haggerty on
January 23, but I just stumbled across it now:
A compact disc
including information on Medicare patients at Wayne Memorial
Hospital disappeared recently en route to its intended
recipient.
An administrator
at Wayne Memorial in Honesdale on Nov. 28 sent the unencrypted
disc and related paperwork by certified mail to the Pittsburgh
office of Novitas Solutions Inc., a Camp Hill-based
Medicare administrative contractor, the hospital reported.
Although
it was mailed in a legal envelope, [they couldn't afford a CD mailer?
Bob] Wayne Memorial officials say it arrived at Novitas’s
Pittsburgh offices in a cardboard box without the disc. They
were notified Dec. 3 that the disc was missing.
Hospital
officials suspect the original package was damaged at a
postal facility, the disc was lost and the paperwork was inserted
into another package, which was delivered to Novitas.
The disc contained
the names of 1,182 people who had been Medicare patients at the
Honesdale hospital between 2007 and 2012 and have account balances
outstanding, hospital spokeswoman Lisa Champeau said. Most of the
patients’ Medicare account numbers were included on the disc, she
said.
Read more on Citizens Voice.
On January 22, the
hospital posted the following notice,
linked from their home page:
The News Eagle reports
that notification letters were sent out beginning
January 18.
Could the people [or the “offices”] responsible actually be held responsible? Stay tuned!
Meg Kinnard of Associated Press reports
that Circuit Judge G. Thomas Cooper has dismissed Governor Haley and
South Carolina’s former revenue director as defendants in a lawsuit
over the state’s massive security breach last year in the
Department of Revenue.
But… and this will be interesting to
watch, the judge said he needed more time to decide whether to
dismiss the claims against the Governor’s office, the Department of
Revenue, South Carolina’s Division of Information Technology, and
Trustwave.
Read more on ABC.
Words to live by... Or at least to secure your data by... Security is as strong as its weakest link.
"Deloitte predicts that
8-character
passwords will become insecure in 2013. Humans have trouble
remembering passwords with more than seven characters, and it is
difficult to enter long, complex passwords into mobile devices.
Users have not adapted to increased computing power available to
crackers, and continue to use bad practices such as using common and
short passwords, and re-using passwords across multiple websites. A
recent study showed that using the 10000 most common passwords would
have cracked >98% of 6 million user accounts.
All of these problems have the potential for a huge security hazard.
Password vaults are likely to become more widely used out of
necessity. Multifactor authentication strategies, such as phone
texts, iris scans, and dongles are also likely to become more
widespread, especially by banks."
A tool for Stalkers? Always has been,
but now it's simpler...
"Software developer Jeff
Cogswell is back with an extensive under-the-hood breakdown of
Facebook's Graph Search, trying to see if peoples'
privacy concerns about the social network's search engine are
entirely justified. His conclusion? 'Some of the news articles
I've read talk about how Graph Search will start small and slowly
grow as it accumulates more information. This is wrong—Graph
Search has been accumulating information since the day Facebook
opened and the first connections were made in the
internal graph structure,' he writes. 'People were nervous about
Google storing their history, but it pales in comparison to the
information Facebook already has on you, me, and roughly a billion
other people.' There's much more at the link, including
a handy breakdown of graph theory."
[From the article:
The system allows users to make lengthy
natural-language queries in search of Facebook-based information
about photos, friends, and other content. For example, you could
input “Friends of friends who like trail running” and receive a
list of people who meet that description—provided their information
is public, and they indicated to Facebook that they “Like” trail
running.
Should you input “Friends of friends
who like trail running,” you’ll also see a related search:
“People who like trail running.” This is interesting, because it
goes outside your list of friends, traversing further into
Facebook’s enormous data tree. From there, you can refine the
search still further, via a list of dropdown boxes on the right side
of the page. Want to know which of those “People who like trail
running” actually live near you? Simply click on the
appropriate box.
When it comes to finding very specific
people, how deep does this thing go?
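The two queries Cogswell walks through (“Friends of friends who like trail running” and the broader “People who like trail running”, narrowed by location) are just traversals of a graph plus a visibility check on each node. The toy below is an added example, not Facebook's code or Cogswell's, that runs both queries over a constructed six-person graph and shows the privacy point concretely: the same query returns different people depending on who is asking, because a non-public “Like” is only visible to that person's friends. The user names, cities, likes and the `public_likes` flag are all assumptions of the example.

```python
# Constructed toy social graph (hypothetical users); not Facebook data.
# public_likes=False models a user whose Likes are visible to friends only.
USERS = {
    "alice": {"friends": {"bob", "carol"}, "likes": {"trail running"},
              "city": "Denver", "public_likes": True},
    "bob":   {"friends": {"alice", "dave"}, "likes": {"chess"},
              "city": "Denver", "public_likes": True},
    "carol": {"friends": {"alice", "erin"}, "likes": {"trail running"},
              "city": "Boston", "public_likes": True},
    "dave":  {"friends": {"bob"}, "likes": {"trail running"},
              "city": "Denver", "public_likes": True},
    "erin":  {"friends": {"carol"}, "likes": {"trail running"},
              "city": "Denver", "public_likes": False},
    "frank": {"friends": set(), "likes": {"trail running"},
              "city": "Denver", "public_likes": True},
}


def friends_of_friends(user):
    """Second-degree contacts: friends of friends, minus the user and direct friends."""
    direct = USERS[user]["friends"]
    second = set()
    for f in direct:
        second |= USERS[f]["friends"]
    return second - direct - {user}


def visible_likes(viewer, target):
    """Likes the viewer is allowed to see: public ones, or all of them if friends."""
    u = USERS[target]
    if u["public_likes"] or viewer in u["friends"]:
        return u["likes"]
    return set()


def fof_who_like(viewer, interest):
    """'Friends of friends who like <interest>' as seen by viewer."""
    return sorted(p for p in friends_of_friends(viewer)
                  if interest in visible_likes(viewer, p))


def people_who_like(viewer, interest, near=None):
    """The broader 'People who like <interest>' search, optionally narrowed to a city.
    This walks the whole graph, not just the viewer's neighbourhood."""
    out = []
    for p, u in USERS.items():
        if p == viewer:
            continue
        if interest not in visible_likes(viewer, p):
            continue
        if near is not None and u["city"] != near:
            continue
        out.append(p)
    return sorted(out)


if __name__ == "__main__":
    print(fof_who_like("alice", "trail running"))                 # ['dave']
    print(people_who_like("alice", "trail running"))              # ['carol', 'dave', 'frank']
    print(people_who_like("alice", "trail running", near="Denver"))  # ['dave', 'frank']
    print(people_who_like("carol", "trail running"))              # erin now appears
```

Erin is a friend-of-a-friend of Alice who likes trail running, but her Likes are not public and she is not Alice's friend, so she is absent from Alice's results; run the same query as Carol, who is her friend, and she appears. The information was in the graph the whole time, which is Cogswell's point; what the search changes is how cheaply a stranger can ask for it.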
Track your dog, track you?
Dog
owners face £500 fine for failing to microchip pets
“But
I've been doing it for years! How come you're just now telling me
it's a crime?”
Mike Durkin reports that federal
charges have now been filed against John Hunt, the
Minnesota Department of Natural Resources employee accused of
improperly accessing 5,000 residents’ information from the state
driver’s license database:
The Minnesota
Bureau of Criminal Apprehension said Hunt committed a federal crime
during off-duty hours. Hunt is accused of illegally viewing the
records of 5,000 people roughly 12,000 times between January 2008 and
October 2012. [Took them a long time to notice...
Bob]
Investigators said
the majority of files Hunt accessed belong to women in the public
eye: local celebrities, television news personalities, politicians
and professional athletes.
Read more on MyFox9.com,
[From the article:
What makes this case particularly
egregious is that Hunt was also a data practices designee,
responsible for making sure new employees were familiar with the laws
and rules concerning access to driver's license records.
… Hunt is charged with six counts
of unauthorized computer and data access, as well as public employee
misconduct. The six charges are:
Misconduct of public officer or
employee, gross misdemeanor
Unauthorized computer access (not
public data), gross misdemeanor
Unauthorized computer access, gross misdemeanor
Use of encryption to conceal commission of a crime, gross misdemeanor
Unlawful use of private data (license photograph), misdemeanor
Unlawful use of private data (address on license), misdemeanor
If found guilty, Hunt could be forced
to pay $2,500 for each record he illegally viewed.
Is snobbery not a privacy violation? “Hey, your kid is too dumb to get into our school, how about donating money?”
Wealthy parents
are fuming after the uber-exclusive Dalton School sent out an e-mail
naming dozens of kids rejected by the school.
Dalton — whose
alumni include Anderson Cooper, Chevy Chase, Sean Lennon and Claire
Danes — is known for its fiercely competitive admissions process as
presided over by the admissions director, Elizabeth Krents.
Recently, the
upper-crust school sent out a letter to boosters and alumni with a
list of families that have applications pending, as well as names of
students who were rejected from Dalton.
The list also
included names of students who withdrew applications — which gave
away others who didn’t make the cut. Sources explained that alumni
parents are often “tipped off” by Dalton that their child may not
get in, and the family then has the choice to withdraw their child’s
application, saving the embarrassment of having their kid rejected.
The
revealing e-mail went out as part of a fundraising effort to have
school supporters lobby parents of recently rejected kids for money,
sources say.
Read more on The New York Post. The Daily Beast has the school’s apology letter.
That
buzzing you hear comes from the dozens of drones monitoring state
legislatures.
February 07, 2013
EPIC
- States Move to Limit Drone Surveillance
- "Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drones to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."
I thought that was a can of worms...
After
Google’s $80M French Publishers’ Fund, Press Lobby Group Chief
Calls For Search Giant To Pay Media In Every European Country
Perspective
http://www.businessinsider.com/more-mobile-devices-than-people-2013-2
There
Will Soon Be More Mobile Devices Than Humans — And We'll Need A New
Internet To Cope
The
difficulty of transition and some perspective on how much 'digital'
has replaced print... Sounds like Paul David's research still
applies http://elsa.berkeley.edu/~bhhall/e124/David90_dynamo.pdf
February 07, 2013
Rebooting
the Government Printing Office: Keeping America Informed in the
Digital Age
The National Academy of Public
Administration (NAPA) independent study of the U.S. Government
Printing Office (GPO), Rebooting
the Government Printing Office: Keeping America Informed in the
Digital Age, January 2013
- "Over the past two decades, the shift from an industrial age to an information age has affected the way both public and private sector organizations operate. For GPO, the demand for federal print products has declined by half over the past twenty years, but the demand for information that government creates has only increased. While conducting this review, the Panel determined that GPO faces challenges in dealing with the movement to the digital age that are shared across the federal government. Critical issues for the federal government include publishing formats, metadata, authentication, cataloging, dissemination, preservation, public access, and disposition. The Panel believes that the federal government needs to establish a broad government-wide strategy to manage digital information through all stages of its lifecycle. The absence of such a strategy has resulted in a chaotic environment with significant implications for public access to government information—and, therefore, the democratic process—with some observers describing federal digital publishing as the “wild west.” Now that approximately 97 percent of all federal documents are “born digital,” many important documents are not being authenticated or preserved for the future, and the public cannot easily access them. GPO has a critical role to play along with other agencies in developing a government-wide strategy that streamlines processes, clearly defines agency responsibilities, avoids duplication and waste, and effectively provides information to current and future generations."
For my lawyer friends, who are engaged
in the buying and selling of lawyers...
February 07, 2013
2013
Report on the State of the Legal Market
"The Center for the Study of the
Legal Profession at the Georgetown University Law Center and Thomson
Reuters Peer Monitor are pleased to present this 2013
Report on the State of the Legal Market highlighting the trends
that we perceived in the legal market in 2012, as well as the factors
that we believe will impact the market in 2013 and beyond."
For
my Ethical Hackers: “We don't need no stinking phone company!”
… Those people who have lived
through floods, earthquakes, cyclones, fires, tsunamis and other
major catastrophes will no doubt agree that having working phones
after the disaster struck would have made an incredible difference.
Using mesh
technology, the Serval
Project has created a way for mobile phone users to stay
connected to each other even when the infrastructure of the regular
phone network is not working. This means users of the smartphone
application will have the ability to communicate amongst themselves
in the midst of a disaster when they need it most. At the moment the
free mobile chat app is available for Android only, but will
eventually be made available on other platforms.
… Here’s where you can get the
Serval
Mesh Android application for free [Android 2.2+]. The first
thing you should acknowledge is that this application is still in
development and has only just been released on the Google Play store.
You are warned not to expect this application to replace your
current phone service and that it may still be buggy. If you are
interested in the technology and want to help improve the
application, by all means download it and give it a go.
A
little warning: If you grant Serval root access, Serval Mesh will
take over your phone’s Wi-Fi, so you will need to log out of Serval
in order to return to your normal Wi-Fi connections.
For my Design students...
"Web designers, graphics
artists, and others who create and edit digital images, have a number
of commercial image-manipulation packages from which they can choose
— such as Adobe
Photoshop and Adobe
Fireworks (originally developed by Macromedia). Yet there are
also many alternatives in the open-source world, the most well-known
being GNU Image Manipulation Program.
GIMP is available for all major operating systems, and supports all
commonly-used image formats. This powerful application is loaded
with features, including plug-ins and scripting. Yet detractors
criticize it as being complicated (as if Photoshop is intuitively
obvious). Admittedly, anyone hoping to learn it could benefit from a
comprehensive guide, such as The Book of GIMP."
Keep reading for the rest of Michael's
review.
Education on the cheap...
Curbing
The Cost Of College: Coursera Wins Approval To Offer Online Courses
For Credit For Under $200