It's perfectly natural. When there is
blood in the water, the sharks gather for a meal.
Attorney General George Jepsen of CT
and Attorney General Douglas Gansler of Maryland have written to
LivingSocial to request more information on their recent breach and
how it may impact consumers. Their actions were announced in a press
release yesterday.
The Attorneys
General have asked the company to provide a detailed timeline of the
incident, including when and how the company learned of the data
breach, as well as a breakdown on the number of affected individuals
in each state and the types of information compromised.
They
are seeking information about the password protection, information
storage and internal security systems the company had in place, and
have asked whether the company has received any reports or complaints
from users about unauthorized charges.
Additionally,
among other information, they’ve requested:
• Copies of
LivingSocial’s privacy policies at the time of the breach,
• Copies of any security reports or forensic analyses related to the incident, and
• An outline of any plan developed to prevent the recurrence of a breach and a timeline for the plan’s implementation.
You can read their full letter here.
As of April 26, when LivingSocial reported the breach to the New
Hampshire Attorney General’s Office, they indicated that the
number of individuals in each state was “uncertain” and that they
were “working on methods to develop reliable estimates.”
Victim organizations are not in the
business of answering questions about their security breach. That's
probably why they do such a bad job of it.
Back in February, I noted that the FBI
had been called in to investigate a breach involving the Iron
Horse Bicycle Classic. A number of those who signed up for the
event had reported credit card fraud.
Now lawyers for Iron Horse Bicycle
Classic have reported
the breach to the New Hampshire Attorney General’s Office.
Their report provides some additional details on what the
investigators found.
According to the statement, on March
1, IHBC learned that the server they shared with other
companies on an unnamed web host provider had been attacked, and the
attacker had been able to send information from the server to an
unauthorized address on the Internet. Significantly, the
attack may have occurred as early as November 30, 2012.
Although IHBC notified registrants by
e-mail on March 14, they first mailed out letters in the last week of
April. The letters informed them that the attacker may have obtained
their names, postal and e-mail addresses, credit card information,
and ages.
IHBC made some changes in how it
handles payments, but surprisingly, in light of known fraudulent use of
the information, did not offer registrants any free credit monitoring
services.
Of course, now I’m also wondering
what other companies on the shared server may also have been
hacked or had PII compromised. I’m also wondering what the
unnamed web host provider is doing to prevent or catch future
attacks.
For my Ethical Hackers. It might be
amusing to have a few backdoor entries onto the North Korean military
networks in order to disguise the true source. (Just saying...)
Pentagon
Warns North Korea Could Become a Hacker Haven
North Korea is barely connected to the
global internet. But it’s trying to step up its hacker game by
breaking into hostile networks, according to a new Pentagon report.
“North Korea probably has a military
computer network operations (CNO) capability,” assesses the
Pentagon’s latest public
estimate (.PDF) of the military threat from North Korea.
So far, suspected North Korean cyber
efforts are more like vandalism and espionage than warfare — as
with most so-called “cyberattacks” not related to the
U.S./Israeli
Stuxnet worm. But the Pentagon believes Pyongyang is going to
lean into network attacks in the future, largely out of necessity.
“Given North Korea’s bleak economic
outlook, CNO may be seen as a cost-effective way to modernize some
North Korean military capabilities,” the report assesses. “The
North Korean regime may view CNO as an appealing platform from which
to collect intelligence.”
Could be very useful for storing
passwords or information on credit cards.
mikejuk writes with news of an
advancement for homomorphic
encryption and open source:
"To be
fully homomorphic the code has to be such that a third party can add
and multiply numbers that it contains without needing to
decrypt it. In other words they can change the data by
working with just the encrypted version. This may sound like magic
but a fully homomorphic scheme was invented in 2009 by Craig Gentry.
This was a step in the right direction but the problem was that it is
very inefficient and computationally
intensive. [Not
a big problem when you are doing individual transactions Bob]
Since then there have been a number of improvements that make the
scheme practical in the right situations. Now Victor Shoup and Shai
Halevi of the IBM T J Watson Research Center have
released an open source (GPL) C++ library, HElib, as
a Github project. The code is said to incorporate many
optimizations to make the encryption run faster. Homomorphic
encryption has the potential to revolutionize security by allowing
operations on data without the need to decrypt it."
We want the same powers! (Are you
going to let us fall behind the Dutch?)
"The Dutch government today
presented a draft bill that aims to give
law enforcement the power to hack into computer systems —
including those located in foreign countries
— to do research, gather and copy evidence or block access to
certain data. Law enforcement should be allowed to block access to
child pornography, read emails that contain information exchanged
between criminals and also be able to place taps on communication,
according to a draft bill published Thursday and signed by Ivo
Opstelten, the Minister of Security and Justice. Government agents
should also be able to engage in activities such as turning on a
suspect's phone GPS to track their location, the bill said.
Opstelten announced last October he was planning to craft this bill."
As goes California, so goes the nation?
There must be much more to this than what is reported in the
article. If not, it's possible we have gone crazy.
The L.A. Times has
reported
that people who live anywhere within a mile of the site of the
Coachella Valley Music Festival in Indio, California (and perhaps
residents’ visitors, if any visitors were allowed?) were “required”
to wear individually numbered RFID-chipped tracking bracelets
throughout the two weekends of the festival:
In 2011, the
organization began using microchip-embedded wristbands….
No one can so much
as get within a mile of the Empire Polo Field, where Coachella is
held, without wearing one. Local residents, whose homes surround the
polo field, also have to wear one just to get to their houses, and
Guitron said homeowners must also register their cars….
Guitron said it
created a safe perimeter for the event, where every concertgoer and
resident can be identified via a microchip.
It’s not clear
by whom, or by what authority, nearby residents or their guests and
visitors could be “required” to wear devices each of which
transmit a unique tracking ID number any time it is requested by
private parties.
Read more on Papers,
Please! Has no resident really challenged this in court?
Looks like the court examines each
request long enough to find a place to rubber stamp it...
Secretive
Spy Court Approved Nearly 2,000 Surveillance Requests in 2012
A secretive federal court last year
approved all of the 1,856 requests to
search or electronically surveil people within the United States “for
foreign intelligence purposes,” the Justice Department reported
this week.
The report
(.pdf), released Tuesday to Harry Reid, the Senate majority leader
from Nevada, provides a brief glimpse into the caseload of what is
known as the Foreign Intelligence Surveillance Court. None of its
decisions are public.
The 2012 figures represent a 5
percent bump from the prior year, when no requests were denied
either.
Clearly a big fan of James Bond
movies...
May 02, 2013
For
Their Eyes Only: The Commercialization of Digital Spying
Citizen Lab [University of Toronto]
"released a new report, For
Their Eyes Only: The Commercialization of Digital Spying. The
report features new findings, as well as consolidating a year of our
research on the commercial market for offensive computer network
intrusion capabilities developed by Western companies. Our new
findings include:
- We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
- Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.
Self-regulation my foot...
"The Internet advertising
industry is keen to stave off government privacy rules and
opt-in-only browsers by loudly proclaiming its adherence to a
self-imposed code of conduct. Yet a little digging shows that even
"self-regulated" advertisers link to services that link to
other services that nobody's
really sure what they do. That's why, for instance, when you
visit a page on the Sears website, your web browsing behavior is
being collected by a company that sells ringtones and won't return
emails asking about their privacy policy."
Interesting distinction: Destroy
evidence after the phone is in police custody. Isn't there software
to do just that when your phone is stolen?
Orin Kerr writes:
I recently
mentioned my new short essay, Accounting
for Technological Change, 36 Harv. J. of Law and Public Policy
403 (2013), about how the Supreme Court should resolve the lower
court division on the Fourth Amendment rule for searching a cell
phone incident to arrest. In light of that, I thought I would flag
this morning’s decision by the Florida Supreme Court deepening the
lower court division, Smallwood
v. Florida. Smallwood rules that the police can routinely
seize a cell phone incident to arrest, but they generally
need a warrant to search it absent a
demonstrated risk that evidence on the phone could be destroyed after
it had been seized.
Read more on The
Volokh Conspiracy.
When we start talking “equitable,”
I cover my wallet.
May 02, 2013
Paper
- Internet Content Governance & Human Rights
Lucchi, Nicola, Internet Content
Governance & Human Rights (May 1, 2013). Vanderbilt Journal of
Entertainment and Technology Law Vol. 16, No. 3 (2013). Available
at SSRN
- "The paper examines how Internet content governance is posing regulatory issues directly related to the growing importance of an equitable access to digital information. In particular, it looks at conflicts arising within the systems of rights and obligations attached to communication (and especially content provision) over the Internet. It seeks to identify emerging tensions and to draw out the implications for the nature and definitions of rights (e.g. of communication and access, but also of IP ownership) and for regulations and actions taken to protect, promote or qualify those rights. These points are illustrated by a series of recent examples."
Why does this make me antsy?
Chinese
Scientists Create New Mutant Bird-Flu Virus
… The experiments, described May 2
in Science, reflect a
controversial approach to studying influenza: attempting to
create strains in a lab that would, if accidentally
released or used for nefarious purposes, pose a potentially global
health threat.
Some scientists think the risks don’t
outweigh the benefits, and that institutional safeguards don’t
sufficiently reduce chances of accidents. Public unease with
such experiments resulted in a year-long
moratorium on the research.
Back when I started working with
computers (leaving my job as a dinosaur hunter) maintenance was
estimated at 'about 80%.' Either we have improved a bit or we can
measure better.
May 02, 2013
CIO
Insights: Leading Innovation in a Time of Change
"Each year TechAmerica and Grant
Thornton LLP survey
federal Chief Information Officers (CIO) on issues most affecting the
community. CIOs had a lot to say about budget, policy and
governance, acquisition, human capital, mobility, and
cybersecurity... The budget is the top concern of CIOs. While
budget cuts drive CIOs to improve efficiency and spark innovation,
they also hinder investments in modern technologies needed to support
the mission. Today, more than 76% of IT spending goes to operations
and maintenance (O&M) and infrastructure."
(Related) I have to think about this
one...
The
Metamorphosis of the CIO
As we all know, the very nature of the
enterprise is changing. This is the result of the rapid shifts that
have been occurring in the business world over the last few
years--the commoditization of goods and services, the individuation
of value, the transformation of the workforce--which I discussed in
my previous blog post. In order to keep up with these changes
and to succeed, future enterprises will need to have three clear
characteristics: They will be socially enabled;
they will operate as digital business ecosystems,
offering innovative services and products as rapidly and
inexpensively as possible; and they will view
innovation not as an optional advantage, but as the only advantage.
I think they are giving me a firm
“maybe.”
I expect a brief flurry of interest in
this journal, then a return to Playboy... Might be an excuse for
detailed research...
Upcoming
Porn Journal to Explore Sexy Science
A soon-to-launch academic journal will
peer into corners of the Internet most people erase from their search
histories. "Porn Studies," set to debut next spring, will
be dedicated to a critical exploration of "those cultural
products and services designated as pornographic," according
to The Guardian.
The journal will be under the umbrella
of academic publisher Routledge, and will welcome work by academics
in sociology, film, media, labor studies, law and criminology. Sound
prurient? Well, despite the ubiquity of pornography online, very
little is known about the psychology
of those who participate, or even those who watch. Perhaps the
new journal will finally answer the age-old question, "Is
porn bad for you?"
Nerd out, dudes!
Free
Comic Book Day: These Are the 10 Titles You Need to Grab
Saturday, May 4th is Free
Comic Book Day, the very special day each year when comic book
shops around the world give away, well, comic books. There will be
dozens of free books up for grabs at participating shops--find one
near you here--and
figuring out what to grab when you get there can actually be a bit
overwhelming.
But don't panic. We're here to help.
We've sorted through a stack of 50-plus
FCBD comics provided by Things from
Another World, and selected the 10 gotta-read books.
Geek out, dudes!
If you’ve yet to play around with
your own virtual machine, you’re missing out.
… Using a virtual machine offers a
great sandbox
if you’re ever dealing with sketchy software that may be riddled
with things that you’re way too nervous to allow on your main disk.
While some trojans and malware are sophisticated enough to pass
through virtual disks, it’s still a common practice.
In a very well-written post from Justin
just last year, it was thoroughly explained how
you can get a VirtualBox up and running in practically a matter
of minutes (depending on your download speed). In this post, I’d
like to show you three great websites where you can find a heap of
free virtual disk images.