Why does this ring hollow?
http://www.databreaches.net/?p=7138
Heartland CEO: Credit Card Encryption Needed
September 15, 2009 by admin Filed under Breach Incidents, Financial Sector
Grant Gross of IDG News Service reports that in testimony before the Senate Homeland Security and Governmental Affairs Committee yesterday, Heartland Payment Systems CEO Robert Carr was hit with a question about how the payment processor could have been breached for over one year and yet not detected it:
Senators asked Carr some pointed questions about the breach. Senator Susan Collins, a Maine Republican, wanted to know how the company could be compromised from October 2006 to May 2008 without discovering the breach. “I was astounded at what a long period elapsed where these hackers were able to steal these credit card numbers,” she said. “Explain to me how a breach of that magnitude could go undetected for so long.”
Card holders were not reporting major breaches, [Translation: We rely on complaints from our customer's customers, even though they have no idea who we are... Bob] Carr answered. “The way breaches are normally detected is that fraudulent uses of cards are determined,” he said. “There was no hint of fraudulent use of cards that came to our attention until toward the end of 2008.”
Collins pressed him further. “But are there no computer programs that one can use to check to see if an intrusion has occurred?” she asked.
“There are, and the cybercriminals are very good at masking themselves,” Carr said.
Read more on PC World.
'We rely on intimidation and obfuscation to secure our computers.” Note: He was released in February 2007 and not re-arrested until November 2008. I guess no one noticed what he had done.
http://www.databreaches.net/?p=7150
Former inmate pleads guilty to hacking prison computer
September 15, 2009 by admin Filed under Breach Incidents, Government Sector, Hack
A former prisoner of the Plymouth County Correctional Facility pled guilty today in federal court to intentionally damaging the prison’s computer network while he was an inmate.
Acting United States Attorney Michael K. Loucks and Warren T. Bamford, Special Agent in Charge of the Federal Bureau of Investigation - Boston Field Division, announced that Francis G. Janosko, age 43, pled guilty before U.S. District Judge George A. O’Toole, Jr., to one count of intentional damage to a protected computer.
At today’s plea hearing, the prosecutor told the Court that had the case proceeded to trial the Government’s evidence would have proven that while Janosko was an inmate at the Plymouth County Correctional Facility in 2006 and 2007, the correctional facility provided inmates a computer for legal research with security controls to prohibit Internet access, e-mail, or using other computers or computer programs. [The simplest “control” would have been to ensure no physical connection (no network card and no wireless card) Bob] Despite these restrictions, Janosko hacked the computer network to send e-mail; provide inmates access to a report that listed the names, dates of birth, Social Security numbers, home addresses and telephone numbers, and past employment history of over 1,100 current and former Plymouth County Correctional Facility personnel and applicants; and access (without success) an important prison management computer program.
Judge O’Toole scheduled sentencing for December 15, 2009. Under the terms of the plea agreement, both parties will recommend a sentence of incarceration for 18 months, to be followed by 3 years of supervised release, and restitution to Plymouth County in an amount to be determined. Janosko had been free following his release from the Plymouth County Correctional Facility, but has been incarcerated since he was re-arrested in November 2008.
The case was investigated by the Federal Bureau of Investigation and the Plymouth County Sheriff’s Department. It is being prosecuted by Assistant U.S. Attorney Scott L. Garland of Loucks’s Computer Crime Unit.
Source: U.S. Attorney’s Office
Update: The Patriot Ledger provides a few additional details.
[From the Patriot Ledger article:
Investigators said Janosko down-loaded an aerial photograph of the jail, and shared jail workers’ phone numbers and employment histories with other inmates. He also obtained a user name and password for a prison-management computer program [Another indication of lousy security. Bob] but was stopped before gaining access, an indictment against him stated.
For my Security Students. (Tip: It's not just China)
http://it.slashdot.org/story/09/09/16/1256249/Feds-Ask-IT-Execs-To-Throw-Away-Cellphones-After-Visiting-China?from=rss
Feds Ask IT Execs To Throw Away Cellphones After Visiting China
Posted by Soulskill on Wednesday September 16, @09:46AM from the guilty-of-aberrant-longitude dept.
sholto writes
"US intelligence agencies are advising top US IT executives to weigh their laptops before and after visiting China as one of many precautions against corporate espionage. Symantec Chief Technology Officer Mark Bregman said he was also advised to buy a new cellphone for each visit and to throw it away after leaving. Bregman said he kept a separate MacBook Air for use in China, which he re-images on returning, but claimed he didn't subscribe to the strictest policies. 'Bregman said the US was also concerned about its companies employing Chinese coders, particularly in security.'"
Not quite a “How to” guide, but enough for my Security students. Thank you, US Attorney!
http://www.databreaches.net/?p=7146
Trial set in botnet hacking conspiracy
September 15, 2009 by admin Filed under Malware, U.S.
Thomas James Frederick Smith, 21, and David Anthony Edwards, 20, have been charged in a federal indictment with conspiring to intentionally cause damage to a protected computer and commit computer fraud. The indictment was announced U.S. Attorney James T. Jacks of the Northern District of Texas. Edwards, of Mesquite, Texas, and Smith, most recently of Parris Island, South Carolina, both entered not guilty pleas and are on pre-trial release. Trial has been set for November 16, 2009, before U.S. District Judge Jane J. Boyle.
The indictment alleges that from summer 2004 through October 2006, Smith, a/k/a “Zoot,” “TJ,” and “kingsmith007,” and Edwards, a/k/a “Davus,” conspired together to cause the transmission of a program, information, code, or command, by using an IRC chat network to cause damage to a protected computer.
The indictment alleges that Smith and Edwards searched the Internet for vulnerable computers [i.e. unprotected computers? Bob] and planted a malicious program on the computers that caused all the compromised computers to login to an IRC chat room. Once the compromised computers were logged into the IRC chat room, Smith and Edwards typed in commands which remotely controlled the behavior of the compromised computers, such as causing all of the compromised computers to simultaneously participate in a Distributed Denial of Service (DDOS) attack. Smith and Edwards also accessed, without authorization, websites and either defaced the site, or in the case of one webhost server, “published” its client database.
In trying to sell the bot to a potential botnet purchaser, Smith demonstrated the partial capabilities of the bot to the potential purchaser by causing a portion of the botnet to engage in a DDOS by flooding an IP address at ThePlanet.com, an internet-hosting company in Dallas.
An indictment is an accusation by a federal grand jury and a defendant is entitled to the presumption of innocence unless proven guilty. However, if convicted, each defendant faces a maximum statutory sentence of five years in prison, a $250,000 fine and restitution.
The case is being investigated by the FBI and prosecuted by Assistant U.S. Attorney C.S. Heath.
Source: U.S. Attorney’s Office
“It's for the children!” The question about how the data will be used is on target. Is it ONLY to prevent over-stressing during exercise? Will it become part of the child's permanent record? Who has access to the data besides the parents?
http://yro.slashdot.org/article.pl?sid=09/09/15/206254
Heart Monitors In Middle School Gym Class?
Posted by kdawson on Tuesday September 15, @05:17PM from the please-don't-sue-me dept.
Education Privacy
An anonymous reader writes
"My son brought home an order form from his middle school. Apparently the 7th (his grade) and 8th graders are being asked (required?) to purchase their own straps for the heart monitors they're to wear during gym class. I know nothing yet of the device in question, but have left a voice-mail with the assistant principal asking him to call me so I may ask some questions about the program and the device. My tinfoil-hat concern is that the heart rate data will be tied to each child, then archived and eventually used for/against them down the road when applying for insurance, high-stress jobs, etc. 'I see you had arrhythmia during 7th grade pickle ball? No insurance for you' Has anyone heard of such a program, or had their child(ren) take part in it? Does the device transmit to the laptop the overweight gym teacher will be watching instead of running laps with the kids? Perhaps data is downloaded from the device after the class? Or am I just being paranoid? Thanks for any insight."
(Related) “It's for the taxes!” ...and because we want to know where you are every minute of every day.
http://yro.slashdot.org/story/09/09/15/1952208/Congress-Mulls-Research-Into-a-Vehicle-Mileage-Tax?from=rss
Congress Mulls Research Into a Vehicle Mileage Tax
Posted by kdawson on Tuesday September 15, @04:20PM from the just-get-on-the-bike dept.
BJ_Covert_Action writes to let us know that an Oregon congressman has filed legislation to spend $154.5M for a research project into tracking per-vehicle mileage in the US, and asks: "Do we really want the government to track our movement and driving habits on a regular basis?"
"US Representative Earl Blumenauer (D-Oregon) introduced H.R. 3311 earlier this year to appropriate $154,500,000 for research and study into the transition to a per-mile vehicle tax system... Oregon has successfully tested a Vehicle Miles Traveled fee... the [Oregon] report urged a mandate for all drivers to install GPS tracking devices that would report driving habits [That sounds like more than “miles driven” Bob] to roadside RFID scanning devices."
Here is the bill (PDF). The article notes that the congressman's major corporate donors would likely benefit with contracts if such a program were begun. [I'm shocked! Bob]
(Related) Will this be broadened to include a “right” to any data that monitors products and services you purchase? i.e. will we be able to see an ISP's performance data to ensure we are getting the advertised speeds?
http://yro.slashdot.org/story/09/09/15/2236213/Right-To-Repair-Bill-Advances-In-Massachusetts?from=rss
"Right To Repair" Bill Advances In Massachusetts
Posted by kdawson on Tuesday September 15, @06:55PM from the not-open-source-but-it's-a-step dept.
Wannabe Code Monkey sends along an article from the Patriot Ledger about an effort in Massachusetts to pass a "Right to Repair" bill.
"Since the advent of congressionally mandated computers in vehicles more than 15 years ago (for emissions), cars have evolved into complex machines that are no longer just mechanical. Computers now monitor and control most systems in the car from brakes to tire pressure and all the electronics and engine fluids... [and] car manufacturers continue to hold back on some of the information that your mechanic needs in order to properly repair your car and reset your codes and warning lights... Massachusetts is now poised to solve this problem and car-driving consumers should pay attention this fall when the Massachusetts Legislature takes up landmark legislation that would force manufacturers to respect the right of consumers to access their own repair information. The legislation, known as Right to Repair, is seen by car manufacturers as a threat to the lucrative service business in their dealerships and they are massing their lobbyists on Beacon Hill in an effort to defeat it."
The charge is e-Pimping? Craigslist automates ads, newspapers still put people in the loop. If there are ads in the local newspapers, shouldn't that be the first place you look?
http://news.cnet.com/8301-17852_3-10353855-71.html?part=rss&subj=news&tag=2547-1_3-0-20
Another sheriff goes after Craigslist
by Chris Matyszczyk September 15, 2009 4:23 PM PDT
Grady Judd, the sheriff for Polk County in Florida, has followed in the anti-Craigslist footsteps of Cook County, Illinois, counterpart, Tom Dart.
In a sweep imaginatively titled "Operation Hot Date," the sheriff's forces arrested 28 women for allegedly advertising prostitution services on Craigslist.
The Smoking Gun quoted the sheriff as declaring that the site is still a "one-stop shop for all your prostitution needs."
For my statistics class?
http://yro.slashdot.org/story/09/09/15/2111252/AU-Goverment-To-Break-Up-Telstra-Filtering-News?from=rss
AU Goverment To Break Up Telstra; Filtering News
Posted by kdawson on Wednesday September 16, @12:21AM from the breaking-up-is-hard-to-do dept.
benz001 writes
"The Minister who has pushed the ridiculous broadband filter plan has at least won a few brownie points with yesterday's press conference, in which he promised to force Telstra to split its network and wholesale businesses. Australia's largest ISP, and the country's main infrastructure owner, will be given a chance to implement the structural separation voluntarily; if it does not, the Government will step in with legislation. Here is the Minister's official press release."
And speaking of the filtering program, reader smash writes
"After several years of debate and electioneering, some statistics on the Australian national web filtering effort have been disclosed. Apparently, the typical Aussie web surfer is 70 times more likely to win the national lotto than stumble across a blocked page. Additionally, despite the claim that the main aim of the filter is to block child pornography, only 313 of the 977 total sites blocked is on the basis of child porn. At $40M AU so far in taxpayers funds, the cost so far is around $40,900 per blocked URL. Government efficiency at work..."
Just because we vilified Bush for it in the campaign doesn't mean we don't love it!
http://www.pogowasright.org/?p=3855
Obama: Renew PATRIOT Act provisions on domestic surveillance
September 16, 2009 by Dissent Filed under Featured Headlines, Govt, Surveillance, U.S.
David Kravets writes:
The Obama administration is informing Congress it supports renewing three Patriot Act provisions expiring at year’s end, measures making it easier for the government to spy in the United States.
In a letter to Patrick Leahy, the Vermont senator and chairman of the Senate Judiciary Committee, the Justice Department on Monday suggested the administration might consider “modifications” to the act to protect civil liberties.
“The administration is willing to consider such ideas, provided that they do not undermine the effectiveness of these important authorities,” Ronald Weich, assistant attorney general, wrote to the Vermont senator, (.pdf) whose committee is expected next week to consider renewing the three expiring Patriot Act provisions. The government disclosed the letter Tuesday.
Read more about the expiring provisions that Obama wants to renew over the objections of privacy advocates and civil libertarians on Threat Level.
Note that Obama’s position on this is not a flip flop. During his campaign, when asked about the PATRIOT Act, he pointed out what he saw as its advantages and blamed the problems on executive orders. [That other President Bob]
Could be useful for scholarly research, or even e-discovery.
http://news.cnet.com/8301-27076_3-10353904-248.html?part=rss&subj=news&tag=2547-1_3-0-20
Perpetually archives the Web for you
by Josh Lowensohn September 15, 2009 3:57 PM PDT
Perpetually is a new Web archiving tool demoed at the TechCrunch50 conference. It saves entire instances of Web pages, then lets users dial back to older versions. You just point it to a site or entire domain name then tell it what you want it to archive and for how long. It then does the hard work of saving pages to its servers.
… The service is not free; in fact, it's not even aimed at consumers. The lowest plan costs $99 a month, all the way up to $499 month, each with a higher level of monthly archiving storage. Considering each page takes up some storage space, it can fill up quickly, which is why the pro plans offer more.
The company said it's aiming Perpetually at media networks, historians, and PR companies. It also butts heads with Iterasi and its Positive Press product whose core technology was first demoed in January 2008.
This could be real useful! For example, I should be able to attach a link to the scene in The Treasure of the Sierra Madre that I (mis-)quote so often: “Badges? We ain't got no badges. We don't need no badges. I don't have to show you any stinking badges. ”
http://www.techcrunch.com/2009/09/15/tc50-find-the-perfect-scene-every-time-anyclip-is-a-search-engine-for-movie-clips/
TC50: Find The Perfect Scene, Every Time. AnyClip Is A Search Engine For Movie Clips
by Jason Kincaid on September 15, 2009
… People reference scenes all the time in their daily lives, and on the web it’s not uncommon for a blogger to accentuate their post with a particularly relevant clip. But for their popularity, there still isn’t an established site that’s known as the place to find a movie clip — YouTube and Hulu are always worth a shot, but they can be very hit or miss. AnyClip, a new startup that’s launching today at TechCrunch 50, wants to be the solution, with a searchable database of movie scenes.
Another TechCrunch article. Not sure I like the first start-up, but Insttant is interesting!
http://news.cnet.com/8301-27076_3-10354087-248.html?part=rss&subj=news&tag=2547-1_3-0-20
TC50: Two new ways to get the news
by Josh Lowensohn September 15, 2009 5:48 PM PDT
SAN FRANCISCO--Two new companies are launching products designed to get the news to users faster--and from a wider variety of sources. Both are in private beta and not yet available to the general public but were demoed live at the TechCrunch50 conference.
Thoora is a new tool that clusters and aggregates news.
… Insttant, on the other hand, cuts out traditional news sources entirely and uses Twitter's public stream instead. It takes these tweets and turns them into an interactive news page that covers people, places, and companies, including a way to track trending topics and user sentiment. All of this goes on a front page, which can be reordered and personalized with topics the user wants to see.
Global Warming! Global Warming! “We're pretty sure that global warming is important, we're unsure this will help, but we're definitely gonna raise taxes!”
http://news.cnet.com/8301-13578_3-10354179-38.html?part=rss&subj=news&tag=2547-1_3-0-20
Obama administration: Cap and trade could cost families $1,761 a year
by Declan McCullagh September 15, 2009 6:12 PM PDT
The Obama administration has privately concluded that a cap and trade law would cost American taxpayers up to $200 billion a year, the equivalent of hiking personal income taxes by about 15 percent.
A previously unreleased analysis prepared by the U.S. Department of Treasury says the total in new taxes would be between $100 billion to $200 billion a year. At the upper end of the administration's estimate, the cost per American household would be an extra $1,761 a year.
Tools & Techniques For when faces turn green?
http://www.makeuseof.com/tag/use-calibrize-to-color-calibrate-your-monitor-windows/
Use Calibrize To Color Calibrate Your Monitor (Windows)
Sep. 16th, 2009 By Karl L. Gechlik
