Tuesday, April 09, 2013

A pot that needs no more cracks...
The Chosun Ilbo reports on a major prosecution in South Korea:
The Seoul Central Prosecutors’ Office on Sunday charged two South Koreans with cooperating with North Korean hackers in China to run illegal websites and steal the personal information of millions of individuals.
Investigators discovered the personal data of 140 million South Koreans on their computers and believe they could have shared the information with North Korea.
Among the data, some 1,000 were found to have been obtained from a North Korean agent and a hacker in 2011.
“The data were obtained by hacking into the websites of department stores, gas stations and online shopping malls as well as from illegal dealers,” a prosecution spokesman said. “If this information was passed on to North Korea, the North has a significant amount of personal information about South Korean individuals.”
Read more on Chosun Ilbo.
For its part, North Korea is having its own problems with hackers. AsiaOne reports:
International hacker activist group Anonymous exposed some 6,000 more alleged members of the North Korean propaganda website Uriminzokkiri on Saturday, calling their action a warning against the Kim Jong-un regime.
An additional 523 e-mail accounts registered with the North Korean website were found to be those provided by South Korean portal sites, other news reports said Sunday.
The information disclosed by the group includes the name and ID of the user, as well as their e-mail addresses, phone numbers and dates of birth.
[...]
According to Yonhap News, 523 of the 6,216 e-mail accounts used by members of the website disclosed by Anonymous were those provided by local portal sites.
On Thursday, the group made its first announcement that it had obtained information on about 15,000 members of the website as a result of a hacking attack carried out by a group of about 30, which included South Koreans, and released information on 9,001 registered members of the website.
Including those among the 9,001 e-mail addresses, members of Anonymous revealed on Thursday a total of 2,393 of the 15,217 people who joined the Uriminzokkiri website used e-mail accounts provided by South Korean portal sites.
In addition, 111 e-mail accounts provided by South Korean companies, one Seoul National University account and one each from the Chosun Ilbo and Dong-A Ilbo were used to join the website.
Read more on AsiaOne.


Big Teacher? How easily self-deception comes... It should be obvious there are serious flaws if one over-relies on this data.
RougeFemme writes with this story in the New York Times about one disconcerting aspect of the ongoing move to electronic textbooks:
"Teachers at 9 colleges are testing technology from a Silicon Valley start-up that lets them know if you're skipping pages, highlighting text, taking notes — or, of course, not opening the book at all. '"It's Big Brother, sort of, but with a good intent," said Tracy Hurley, the dean of the school of business at Texas A&M.' 'Major publishers in higher education have already been collecting data from millions of students who use their digital materials. But CourseSmart goes further by individually packaging for each professor information on all the students in a class — a bold effort that is already beginning to affect how teachers present material and how students respond to it, even as critics question how well it measures learning.'"


I think they are severely underestimating the numbers...
April 08, 2013
CRS - Drones in Domestic Surveillance Operations
  • "The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm’s way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations to protect the homeland, assist in crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation’s skies in less than 20 years."


I know I disagree with my favorite Ethics Professor, but I would use the data.
Are you free to use data unintentionally disclosed to you in a data breach? Adam Bennett reports that the New Zealand Earthquake Commission (EQC) has gone to court to block the use of data on 98,000 claims erroneously emailed to someone last month:
The Earthquake Commission has taken out a court injunction against the insurance advocate it accidentally sent thousands of claimants’ records to last month to block him from using the information.
A commission (EQC) claims manager caused a massive privacy breach when she last month accidentally sent Brian Staples of Earthquake Services Ltd a spreadsheet containing confidential details about 98,000 claims.
Mr Staples signed a statutory declaration saying he had deleted the information but later told the EQC he would retrieve the information to use as he pursued payment from the commission for quake repairs on behalf of about 10 of his clients.
The EQC responded by laying a complaint with police.
This afternoon it said it had been granted an interim injunction from the High Court at Christchurch “to prevent any further dissemination [So, no new users, but existing users are Okay? Bob] of confidential information by two parties from a spreadsheet sent in error”.
“The injunction has been served on Earthquake Services director Bryan Staples and the blogger known as EQC Truths,” EQC chief executive Ian Simpson said in a statement.
[...]
As someone who has recently criticized heavy-handed techniques used against hapless recipients following breaches, I find this case somewhat different. I wonder whether the data would have been obtainable under NZ’s freedom of information laws.
But if you’re handed valuable information that affects your clients, wouldn’t you try to use it? And should you be able to use it? If it had been disseminated to the press, wouldn’t they be able to publish it, thereby putting it in the public domain?


Sounds like another case of, “We don't bother with security until it's too late”
With all the news about #OpIsrael, it was easy to miss a breach that was reported today involving Kirkwood Community College in Iowa.
On March 13, they were hacked, and the hacker had access to 125,000 records from students who had applied online for credit courses between February 2005 and March 5, 2013. The school is not sure whether any data were downloaded [because they don't log activity on their computers? Bob] at the time of this publication.
In the WCF Courier’s coverage of the breach, vice president of student services Kristie Fisher was quoted:
She said the college believes that its database was adequately protected, but that hacking has become too common.
How can you claim your database was adequately protected when it was just hacked to the tune of 125,000 records?
“Unfortunately, we think we just found ourselves in the middle of something that’s happening all over the world,” she said. “In today’s world, you can’t protect anything 100 percent when it’s online.”
OK, so then knowing that, why did you need to have records going back to February 2005 connected online? Are students who signed up in February 2005 at your two-year community college still signing up for classes 8 years later?
Knowing the risk, did you really need all that data connected?


Where is the line and when did we cross it? Does “stingray” always require provider authorization?
Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.
Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government’s surveillance tool so that he could be located.
… To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list.
Rigmaiden makes the assertions in a 369-page document he filed in support of a motion to suppress evidence gathered through the stingray. Rigmaiden collected information about how the stingray worked from documents obtained from the government, as well as from records obtained through FOIA requests filed by civil liberties groups and from open-source literature.
During a hearing in a U.S. District Court in Arizona on March 28 to discuss the motion, the government did not dispute Rigmaiden’s assertions about Verizon’s activities.


Bold, but is it wise?
Jeff Kosseff writes:
A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech. The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers.
Read more about the opinion on Covington Inside Privacy.


“We'll take what they give us and make it ours...” New term: apperating system
Move Over, Apple and Google: Apperating Systems Are Taking Over Your Phones
… Facebook Home, in and of itself, isn’t that big of a deal. What it represents, however, is huge. We’re calling Home an apperating system, one of a new breed of software platforms that sit between operating systems and apps. Apperating systems are coming—in a major way.
… More so than Facebook Home, the Kindle Fire already seems to be pushing the limits of the operating system/apperating system relationship. The Fire ejects Google’s digital store, Google’s browser, and Google’s email client from Google’s own operating system, replacing them with Amazon-native alternatives. Unlike with Facebook Home, installing core Google services like the Google Play app store and basic Android apps involves hacking the device and voiding your warranty.


Perspective: I see my job to be ensuring that my Ethical Hackers are never considered “everyday”
"Research suggests there will be a rise in everyday hackers. A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing."
