What would
you do if you “owned” Facebook?
SEA Comes Close to Owning Facebook
06 February 2014
The Syrian Electronic
Army (SEA) claimed yesterday that it had owned Facebook. It wasn't
quite true in any meaningful way, but SEA came very close to being
able to redirect millions of Facebook users to its own websites.
… SEA's latest
exploit, announced yesterday, seems to have failed. "Happy
Birthday Mark! http://Facebook.com owned by #SEA." It appears
that while this was strictly true, briefly, it had no effect on
Facebook users. It was again a DNS poisoning attack, again through
Facebook's registrar, which was again MarkMonitor.
It seems that, already
on high alert after the Paypal attack, MarkMonitor reacted fast
enough to prevent any serious damage. It immediately took down its
management portal and regained control over the accounts. "We
changed the nameservers, but it's taking too much time..."
confirmed SEA on Twitter. Why it took so long is not clear, but
seems to imply that MarkMonitor has additional security in this area.
Exactly what that security might be is unknown because MarkMonitor
has a strict policy of not commenting on its clients (which SEA
screenshots indicate also include Google, Yahoo and Amazon).
Interesting.
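The attack above worked at the registrar: with MarkMonitor's management portal compromised, the nameservers for the domain were changed so that the registry would delegate it to hosts the attacker controlled. What a domain owner can do about that is monitor the delegation at the registry against a baseline and keep registrar locks on the name. The following is an added example, not code from the article or from MarkMonitor: it checks a constructed JSON snapshot of a domain's registry record (field names modeled loosely on RDAP, status values in EPP form, all of it invented here) against an expected nameserver set and the three client-side lock statuses.

```python
"""Registrar-level hijack checks over a constructed delegation snapshot.

Added example (not the article's or MarkMonitor's code). The snapshot
format and the baseline are assumptions for the example; no network
calls are made, and example.com / example.net are RFC 2606 names.
"""
import json

# Baseline (assumption): what the domain owner expects the registry to show.
BASELINE = {
    "example.com": {
        "ns": {"a.ns.example.net", "b.ns.example.net"},
        # EPP status codes a registrar lock normally sets; all three should be present.
        "locks": {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"},
    }
}


def parse_snapshot(doc):
    """Extract (domain, nameserver set, status set) from a JSON snapshot."""
    data = json.loads(doc)
    name = data["ldhName"].lower().rstrip(".")
    ns = {n["ldhName"].lower().rstrip(".") for n in data.get("nameservers", [])}
    return name, ns, set(data.get("status", []))


def check_delegation(doc):
    """Return findings for one snapshot: a delegation change and/or missing locks.

    A nameserver change at the registry is exactly what a registrar-account
    compromise produces, so it is reported even when locks look intact.
    """
    name, ns, status = parse_snapshot(doc)
    expected = BASELINE[name]
    findings = []
    added, removed = ns - expected["ns"], expected["ns"] - ns
    if added or removed:
        findings.append(("ns_changed", sorted(added), sorted(removed)))
    missing = expected["locks"] - status
    if missing:
        findings.append(("lock_missing", sorted(missing)))
    return findings


# Constructed snapshots (not real registry data).
CLEAN = json.dumps({
    "ldhName": "EXAMPLE.COM",
    "nameservers": [{"ldhName": "a.ns.example.net."}, {"ldhName": "B.NS.EXAMPLE.NET"}],
    "status": ["clientTransferProhibited", "clientUpdateProhibited",
               "clientDeleteProhibited"],
})
HIJACKED = json.dumps({
    "ldhName": "example.com",
    "nameservers": [{"ldhName": "ns1.example.org"}, {"ldhName": "ns2.example.org"}],
    # the update lock was cleared before the nameservers were changed
    "status": ["clientTransferProhibited", "clientDeleteProhibited"],
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, check_delegation(doc))
```

The client-side locks are only as strong as the registrar account: an attacker holding the portal credentials can clear `clientUpdateProhibited` and then change the nameservers, which is why the check reports the delegation change independently of the lock state. A registry lock (the `server*Prohibited` statuses, changed only through an out-of-band process with the registry) is the control that survives a compromised registrar login.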
Why would an air conditioner repairman have access to the credit
card system?
Target Hackers Broke in Via HVAC Company
Last week, Target
told reporters at The Wall Street Journal and Reuters
that the initial intrusion into its systems was traced back to
network credentials that were stolen from a third party vendor.
Sources now tell KrebsOnSecurity that the vendor in question was a
refrigeration, heating and air conditioning subcontractor that has
worked at a number of locations at Target and other top retailers.
Sources close to the
investigation said the attackers first broke into the retailer’s
network on Nov. 15, 2013 using network credentials stolen from Fazio
Mechanical Services, a Sharpsburg, Penn.-based provider of
refrigeration and HVAC
systems.
… According to the
company’s homepage, Fazio Mechanical also has done refrigeration
and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s
Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia
and West Virginia.
… It’s not
immediately clear why Target would have given an HVAC company
external network access, or why that access would not be cordoned off
from Target’s payment system network. But according to a
cybersecurity expert at a large retailer who asked not to be named
because he did not have permission to speak on the record, it is
common for large retail operations to have a team that routinely
monitors energy consumption and temperatures in stores to save on
costs (particularly at night) and to alert store managers if
temperatures in the stores fluctuate outside of an acceptable range
that could prevent customers from shopping at the store.
… Avivah
Litan, a fraud
analyst with Gartner
Inc., said that although the
current PCI standard (PDF) does not require organizations to
maintain separate networks for payment and non-payment operations
(page 7), it does require merchants to incorporate two-factor
authentication for remote network access originating from outside the
network by personnel and all third parties — including vendor
access for support or maintenance (see section 8.3).
In
any case, Litan estimates that Target
could be facing losses of up to $420 million as a result of this
breach,
including reimbursement associated with banks recovering the costs of
reissuing millions of cards; fines from the card brands for PCI
non-compliance; and direct Target customer service costs, including
legal fees and credit monitoring for tens of millions of customers
impacted by the breach.
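The two controls the excerpt turns on are separable: vendor remote access should be cordoned off from the payment network, and (per PCI DSS 8.3) third-party remote access should require two-factor authentication. The following is an added example, not Target's, Fazio's or any vendor's tooling: a zone-based allow-list evaluated over constructed flow records, plus a check for successful third-party VPN logins without MFA over constructed auth-log lines. The address plan, zone names, ports, usernames and every log line are invented for the example.

```python
"""Segmentation and remote-access checks over constructed logs.

Added example (not from the article or from Target). Zones, policy,
addresses, usernames and log lines are all assumptions made up here.
"""
import ipaddress
import re
from collections import namedtuple

# Hypothetical address plan: private ranges carved into zones.
ZONES = {
    "vendor_vpn": ipaddress.ip_network("10.200.0.0/24"),  # third-party VPN pool
    "bms":        ipaddress.ip_network("10.50.0.0/16"),   # building mgmt / HVAC telemetry
    "cde":        ipaddress.ip_network("10.10.0.0/16"),   # cardholder data environment
    "corp":       ipaddress.ip_network("10.0.0.0/16"),    # general corporate
}

# Allow-list: (src_zone, dst_zone) -> permitted destination ports.
# Any pair not listed is denied; vendor_vpn -> cde is deliberately absent.
POLICY = {
    ("vendor_vpn", "bms"): {443, 47808},  # HTTPS portal, BACnet/IP
    ("corp", "bms"):       {443},
    ("corp", "cde"):       {443, 22},     # admin jump access; tighter in practice
}

Flow = namedtuple("Flow", "ts src dst dport proto")


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def evaluate(flow):
    """Return (src_zone, dst_zone, severity); severity is None when allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if flow.dport in POLICY.get((src_zone, dst_zone), set()):
        return src_zone, dst_zone, None
    # A third-party zone reaching the CDE at all is the scenario in the article.
    if src_zone == "vendor_vpn" and dst_zone == "cde":
        return src_zone, dst_zone, "critical"
    return src_zone, dst_zone, "deny"


def find_violations(flow_lines):
    """Flows the policy should have denied, as (ts, src, dst, dport, severity)."""
    out = []
    for line in flow_lines:
        f = parse_flow(line)
        _, _, sev = evaluate(f)
        if sev:
            out.append((f.ts, f.src, f.dst, f.dport, sev))
    return out


AUTH_RE = re.compile(
    r"user=(?P<user>\S+) group=(?P<group>\S+) mfa=(?P<mfa>yes|no) .*result=(?P<result>\S+)"
)


def third_party_logins_without_mfa(auth_lines):
    """Usernames of successful vendor-group remote logins that did not use MFA."""
    hits = []
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m and m["group"] == "vendors" and m["mfa"] == "no" and m["result"] == "success":
            hits.append(m["user"])
    return hits


# Constructed sample data (not real traffic or accounts).
FLOWS = [
    "2014-02-05T02:10:11Z 10.200.0.17 10.50.3.40 443 tcp",
    "2014-02-05T02:12:05Z 10.200.0.17 10.50.3.40 47808 udp",
    "2014-02-05T02:30:44Z 10.200.0.17 10.10.8.21 445 tcp",
    "2014-02-05T02:31:02Z 10.200.0.17 10.10.8.21 3389 tcp",
    "2014-02-05T03:00:00Z 10.0.4.9 10.10.8.21 22 tcp",
    "2014-02-05T03:05:13Z 10.0.4.9 10.50.3.40 80 tcp",
]
AUTH = [
    "2014-02-05T01:58:40Z vpn user=hvac-vendor-svc group=vendors mfa=no src=203.0.113.5 result=success",
    "2014-02-05T02:01:12Z vpn user=jsmith group=staff mfa=yes src=198.51.100.8 result=success",
    "2014-02-05T02:03:55Z vpn user=sign-vendor group=vendors mfa=yes src=203.0.113.9 result=success",
    "2014-02-05T02:05:30Z vpn user=hvac-vendor-svc group=vendors mfa=no src=203.0.113.5 result=failure",
]

if __name__ == "__main__":
    for v in find_violations(FLOWS):
        print("violation:", v)
    print("vendor logins without MFA:", third_party_logins_without_mfa(AUTH))
```

Run against the sample data, the evaluator lets the vendor reach the building-management zone on its two service ports and flags its SMB and RDP attempts into the CDE as critical; the staff HTTP request to the BMS zone is an ordinary deny. The auth check reports only the vendor service account that logged in successfully without MFA, not the failed attempt or the vendor that did use a second factor.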
I would be concerned that this was
a test of
impact and response. The
substation feeds Silicon Valley, but the disruption seemed short-lived
and minor.
Snipers Coordinated an Attack on the Power Grid, but Why?
Last April, unknown
attackers shot up 17 transformers at a California substation in what
the then-chairman of the Federal Energy Regulatory Commission Jon
Wellinghoff called "the most significant incident of domestic
terrorism involving the grid that has ever occurred" in this
country.
Though news
reports about the incident at the Metcalf transmission facility
came out in April, The Wall Street Journal just pieced
together the larger story of the attack from regulatory
filings and outside reporting.
… Before the
attackers opened fire on the transformers, fiber optic lines running
nearby were cut.
Whoever executed the
maneuver knew where to shoot the transformers. They aimed at the
oil-cooling systems, causing them to leak oil and eventually
overheat. By the time that happened, the attackers were long gone.
[From
the WSJ:
… it
took utility workers 27 days to make repairs and bring the substation
back to life.
[Also
see this video:
http://live.wsj.com/video/mystery-assault-on-power-grid-raises-alarms/9AFCC446-5B2E-4749-A8AC-6E4B0A8A7301.html?KEYWORDS=assault#!9AFCC446-5B2E-4749-A8AC-6E4B0A8A7301
Part
of this is “We can, therefore we must” and part is “We don't
need parental approval for anything we do to our students.” But
mostly it's, “Stupid is as stupid does.”
Kathleen McGrory
reports from Tallahassee:
Polk
County parents were apoplectic last year
when they discovered the school district had been scanning the irises
of students’ eyes without parental permission.
The
controversial practice might soon be banned.
On
Tuesday, state lawmakers will take up a proposal that would prohibit
school districts from collecting biometric information, including the
characteristics of fingerprints, hands, eyes and the voice. It would
affect the Pinellas County school district, which allows schools to
scan the palms of students’ hands instead of accepting cash in the
cafeteria, and school systems that use fingerprint scanners.
“We’ve
been able to get kids through a lunch line for decades,” said state
Sen. Dorothy Hukill, a Port Orange Republican who brought the idea to
the Florida Senate. “Why do we need to take their biometric
information when we know there is the potential for identity theft?”
Read more on Miami
Herald.
[From
the article:
“Biometrics is
coming,” said Miami-Dade School Board member Raquel Regalado, who
spearheaded an effort to create a local biometrics policy this month.
“It exists in the market. It will exist in our schools. It may
end up being a viable way to ensure there isn’t fraud.”
Interesting,
but how do you prove “willful?” Perhaps their procedures don't
bother checking “facts?”
Tim Hull reports on a
case that privacy advocates should keep our eyes on:
An
unemployed man can sue the website Spokeo.com for inaccurately
describing him as wealthy and well educated, the 9th Circuit ruled
Tuesday.
Virginia
resident Thomas Robins claims that his job search has been hampered
by a description of him as a high earner with a graduate degree on
Spokeo, a search engine that aggregates information about
individuals.
Alleging
that the misinformed profile violated the Fair Credit Reporting Act
(FCRA), Robins proposed a 2010 class action against Spokeo in Los
Angeles.
U.S.
District Judge Otis Wright dismissed Robins’s first complaint for
lack of standing, and eventually did the same with an amended
complaint. The judge found that Robins had failed to show that he
had suffered any actual harm.
A three-judge panel of
the federal appeals court reversed Tuesday.
Read more on Courthouse
News.
[From
the article:
At this early stage of
the case, Robins can gain standing by alleging a violation of the
FCRA "without showing actual harm," according to the
ruling.
"The statutory
cause of action does not require a showing of actual harm when a
plaintiff sues for willful violations,"
Judge Diarmuid O'Scannlain wrote for the panel.
Perspective
Computer and Internet Access in the United States: 2012
by Sabrina
I. Pacifici on February 5, 2014
“Computer
and Internet Use: 2012 Based on Current Population Survey statistics
from July 2012, the Computer and Internet Access in the United States
infographic
provides household and individual level analysis of
computer use and Internet access, as well as a profile of individual
smartphone usage. A set
of tables will accompany the infographic.”
An interesting article
for my Economics students.
… But there is a
catch that many people have not thought about. The marijuana plant
is sturdy and not
difficult to grow
… So imagine a near
future when marijuana seeds and even starter plants could be sold
through garden centers and other similar outlets much like tomato
seeds and plants are sold today. These seeds and plants could be
grown in a backyard garden (or even a flower pot on a patio) with the
same degree of difficulty as growing fresh tomatoes.
For my
student geeks...
With the Release of the Google Chromecast SDK, Expect Big Things
… After just over
six months, Google
has released the Google
Cast Software Development Kit (SDK) for developers.
This means that
developers now have all the tools necessary to build apps and
websites that are Chromecast compatible. For end users of the
Chromecast, it means that there could be a whole new world of
entertainment waiting for them on their television sets.
Developers who want to
find out more about their options and what they can expect should
keep tabs on the Google
Developers Blog. For the rest of us, bookmark the Chromecast
Apps page where you can see all the new options that will be
available to you. With an incredibly vibrant ecosystem built around
Google’s Android platform, we can only imagine how many more
creative
uses for the Chromecast we’ll be presented with.