Friday, February 08, 2013

I'm confused. Wasn't this obvious? I seem to recall an earlier “change the limit” hack too. (Yes Bob, you were right again: http://www.pogowasright.org/article.php?story=20080124055948438 and Coordinated, Global ATM Heist Nets $13 Million )
Reports are coming in that in the final days of 2012 hackers were able to pull off a major scam using ATM machines and prepaid credit cards. The attack was so successful, that Visa warned all US payment card issuers to be on high alert for additional ATM cash-out fraud schemes in 2013. Sources in the financial industry and law enforcement cited by Krebsonsecurity.com say that thieves made off with approximately $9 million in the scam.
The sources claim that the attackers used a small number of reloadable prepaid debit cards to pull cash out of ATMs in at least a dozen countries. According to the sources, the crooks took approximately $9 million in only a few hours. The sources also claim that around New Year’s Eve the group struck again.
The second attack occurred on ATM networks in India and resulted in the thieves making off with a little less than $2 million according to investigators. This sort of attack is typically avoided because the reloadable, prepaid debit cards are limited to low dollar amounts being withdrawn within a 24-hour period. However, the criminals were somehow able to increase or completely eliminate those withdrawal limits for the accounts they control.
Visa says that the attacks were made possible because the hackers were able to gain access to issuer authorization systems and card parameter information. Once the hackers had access to that information, they were able to manipulate daily withdrawal amount limits, card balances, and other parameters. Visa says that in some instances over $500,000 was withdrawn from a single card within 24 hours. [Must be a really big ATM Bob]


“It's not like it's a real computer, why do we need to secure it?”
Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More
A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.
The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely access the system’s config.bog file, which holds all of the system’s configuration data, including usernames and passwords to log in to operator work stations and control the systems that are managed by them.


Worst Practices? People still mail things? Unencrypted? Don't know what happened to “Certified mail?” 46 days to notify victims?
This was reported by James Haggerty on January 23, but I just stumbled across it now:
A compact disc including information on Medicare patients at Wayne Memorial Hospital disappeared recently en route to its intended recipient.
An administrator at Wayne Memorial in Honesdale on Nov. 28 sent the unencrypted disc and related paperwork by certified mail to the Pittsburgh office of Novitas Solutions Inc., a Camp Hill-based Medicare administrative contractor, the hospital reported.
Although it was mailed in a legal envelope, [they couldn't afford a CD mailer? Bob] Wayne Memorial officials say it arrived at Novitas’s Pittsburgh offices in a cardboard box without the disc. They were notified Dec. 3 that the disc was missing.
Hospital officials suspect the original package was damaged at a postal facility, the disc was lost and the paperwork was inserted into another package, which was delivered to Novitas.
The disc contained the names of 1,182 people who had been Medicare patients at the Honesdale hospital between 2007 and 2012 and have account balances outstanding, hospital spokeswoman Lisa Champeau said. Most of the patients’ Medicare account numbers were included on the disc, she said.
Read more on Citizens Voice.
On January 22, the hospital posted the following notice, linked from their home page:
The News Eagle reports that notification letters were sent out beginning January 18.


Could the people [or the “offices”] responsible actually be held responsible? Stay tuned!
Meg Kinnard of Associated Press reports that Circuit Judge G. Thomas Cooper has dismissed Governor Haley and South Carolina’s former revenue director as defendants in a lawsuit over the state’s massive security breach last year in the Department of Revenue.
But… and this will be interesting to watch, the judge said he needed more time to decide whether to dismiss the claims against the Governor’s office, the Department of Revenue, South Carolina’s Division of Information Technology, and Trustwave.
Read more on ABC.


Words to live by... Or at least to secure your data by... Security is as strong as its weakest link.
"Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."


A tool for Stalkers? Always has been, but now it's simpler...
"Software developer Jeff Cogswell is back with an extensive under-the-hood breakdown of Facebook's Graph Search, trying to see if peoples' privacy concerns about the social network's search engine are entirely justified. His conclusion? 'Some of the news articles I've read talk about how Graph Search will start small and slowly grow as it accumulates more information. This is wrong—Graph Search has been accumulating information since the day Facebook opened and the first connections were made in the internal graph structure,' he writes. 'People were nervous about Google storing their history, but it pales in comparison to the information Facebook already has on you, me, and roughly a billion other people.' There's much more at the link, including a handy breakdown of graph theory."
[From the article:
The system allows users to make lengthy natural-language queries in search of Facebook-based information about photos, friends, and other content. For example, you could input “Friends of friends who like trail running” and receive a list of people who meet that description—provided their information is public, and they indicated to Facebook that they “Like” trail running.
Should you input “Friends of friends who like trail running,” you’ll also see a related search: “People who like trail running.” This is interesting, because it goes outside your list of friends, traversing further into Facebook’s enormous data tree. From there, you can refine the search still further, via a list of dropdown boxes on the right side of the page. Want to know which of those “People who like trail running” actually live near you? Simply click on the appropriate box.
When it comes to finding very specific people, how deep does this thing go?


Track your dog, track you?
Dog owners face £500 fine for failing to microchip pets


“But I've been doing it for years! How come you're just now telling me it's a crime?”
Mike Durkin reports that federal charges have now been filed against John Hunt, the Minnesota Department of Natural Resources employee accused of improperly accessing 5,000 residents’ information from the state driver’s license database:
The Minnesota Bureau of Criminal Apprehension said Hunt committed a federal crime during off-duty hours. Hunt is accused of illegally viewing the records of 5,000 people roughly 12,000 times between January 2008 and October 2012. [Took them a long time to notice... Bob]
Investigators said the majority of files Hunt accessed belong to women in the public eye: local celebrities, television news personalities, politicians and professional athletes.
Read more on MyFox9.com.
[From the article:
What makes this case particularly egregious is that Hunt was also a data practices designee, responsible for making sure new employees were familiar with the laws and rules concerning access to driver's license records.
… Hunt is charged with six counts of unauthorized computer and data access, as well as public employee misconduct. The six charges are:
    Misconduct of public officer or employee, gross misdemeanor
    Unauthorized computer access (not public data), gross misdemeanor
    Unauthorized computer access, gross misdemeanor
    Use of encryption to conceal commission of a crime, gross misdemeanor
    Unlawful use of private data (license photograph), misdemeanor
    Unlawful use of private data (address on license), misdemeanor
If found guilty, Hunt could be forced to pay $2,500 for each record he illegally viewed.


Is snobbery not a privacy violation? “Hey your kid is too dumb to get into our school, how about donating money?”
Wealthy parents are fuming after the uber-exclusive Dalton School sent out an e-mail naming dozens of kids rejected by the school.
Dalton — whose alumni include Anderson Cooper, Chevy Chase, Sean Lennon and Claire Danes — is known for its fiercely competitive admissions process as presided over by the admissions director, Elizabeth Krents.
Recently, the upper-crust school sent out a letter to boosters and alumni with a list of families that have applications pending, as well as names of students who were rejected from Dalton.
The list also included names of students who withdrew applications — which gave away others who didn’t make the cut. Sources explained that alumni parents are often “tipped off” by Dalton that their child may not get in, and the family then has the choice to withdraw their child’s application, saving the embarrassment of having their kid rejected.
The revealing e-mail went out as part of a fundraising effort to have school supporters lobby parents of recently rejected kids for money, sources say.
Read more on The New York Post. The Daily Beast has the school’s apology letter.


That buzzing you hear comes from the dozens of drones monitoring state legislatures.
February 07, 2013
EPIC - States Move to Limit Drone Surveillance
  • "Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drone to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."


I thought that was a can of worms...
After Google’s $80M French Publishers’ Fund, Press Lobby Group Chief Calls For Search Giant To Pay Media In Every European Country


Perspective
http://www.businessinsider.com/more-mobile-devices-than-people-2013-2
There Will Soon Be More Mobile Devices Than Humans — And We'll Need A New Internet To Cope


The difficulty of transition and some perspective on how much 'digital' has replaced print... Sounds like Paul David's research still applies http://elsa.berkeley.edu/~bhhall/e124/David90_dynamo.pdf
February 07, 2013
Rebooting the Government Printing Office: Keeping America Informed in the Digital Age
The National Academy of Public Administration (NAPA) independent study of the U.S. Government Printing Office (GPO), Rebooting the Government Printing Office: Keeping America Informed in the Digital Age, January 2013
  • "Over the past two decades, the shift from an industrial age to an information age has affected the way both public and private sector organizations operate. For GPO, the demand for federal print products has declined by half over the past twenty years, but the demand for information that government creates has only increased. While conducting this review, the Panel determined that GPO faces challenges in dealing with the movement to the digital age that are shared across the federal government. Critical issues for the federal government include publishing formats, metadata, authentication, cataloging, dissemination, preservation, public access, and disposition. The Panel believes that the federal government needs to establish a broad government-wide strategy to manage digital information through all stages of its lifecycle. The absence of such a strategy has resulted in a chaotic environment with significant implications for public access to government information—and, therefore, the democratic process—with some observers describing federal digital publishing as the “wild west.” Now that approximately 97 percent of all federal documents are “born digital,” many important documents are not being authenticated or preserved for the future, and the public cannot easily access them. GPO has a critical role to play along with other agencies in developing a government-wide strategy that streamlines processes, clearly defines agency responsibilities, avoids duplication and waste, and effectively provides information to current and future generations."


For my lawyer friends, who are engaged in the buying and selling of lawyers...
February 07, 2013
2013 Report on the State of the Legal Market
"The Center for the Study of the Legal Profession at the Georgetown University Law Center and Thomson Reuters Peer Monitor are pleased to present this 2013 Report on the State of the Legal Market highlighting the trends that we perceived in the legal market in 2012, as well as the factors that we believe will impact the market in 2013 and beyond."


For my Ethical Hackers: “We don't need no stinking phone company!”
… Those people who have lived through floods, earthquakes, cyclones, fires, tsunamis and other major catastrophes will no doubt agree that having working phones after the disaster struck would have made an incredible difference.
Using mesh technology, the Serval Project has created a way for mobile phone users to stay connected to each other even when the infrastructure of the regular phone network is not working. This means users of the smartphone application will have the ability to communicate amongst themselves in the midst of a disaster when they need it most. At the moment the free mobile chat app is available for Android only, but will eventually be made available on other platforms.
… Here’s where you can get the Serval Mesh Android application for free [Android 2.2+]. The first thing you should acknowledge is that this application is still in development and has only just been released on the Google Play store. You are warned not to expect this application to replace your current phone service and that it may still be buggy. If you are interested in the technology and want to help improve the application, by all means download it and give it a go.
A little warning: If you grant Serval root access, Serval Mesh will take over your phone’s Wi-Fi, so you will need to log out of Serval in order to return to your normal Wi-Fi connections.


For my Design students...
"Web designers, graphics artists, and others who create and edit digital images, have a number of commercial image-manipulation packages from which they can choose — such as Adobe Photoshop and Adobe Fireworks (originally developed by Macromedia). Yet there are also many alternatives in the open-source world, the most well-known being GNU Image Manipulation Program. GIMP is available for all major operating systems, and supports all commonly-used image formats. This powerful application is loaded with features, including plug-ins and scripting. Yet detractors criticize it as being complicated (as if Photoshop is intuitively obvious). Admittedly, anyone hoping to learn it could benefit from a comprehensive guide, such as The Book of GIMP."
Keep reading for the rest of Michael's review.


Education on the cheap...
Curbing The Cost Of College: Coursera Wins Approval To Offer Online Courses For Credit For Under $200
