‘Massive’ credit card data breach involves all major brands
This breach has already been confirmed by the big processors, and seems to be larger in scope than prior breaches.
VIA http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/?source=cnn_bin
FBI’s most wanted smartphone
FBI Can't Crack Android Pattern-Screen Lock | Threat Level | Wired.com
Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.
The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone.
An Android device requires the handset’s Google e-mail address and its accompanying password to unlock the handset once too many wrong swipes are made. The bureau is seeking that information via a court-approved warrant to Google in order to unlock a suspected San Diego-area prostitution pimp’s mobile phone. (For details on the pimp investigation, check out Ars Technica‘s story on the case.)
Locking down a phone is even more important today than ever because smart phones store so much personal information.
What’s more, many states, including California, grant authorities the right to access a suspect’s mobile phone, without a warrant, upon arrest for any crime.
Forensic experts and companies in the phone-cracking space agreed that the Android passcode locks can defeat unauthorized intrusions.
“It’s not unreasonable they don’t have the capability to bypass that on a live device,” said Dan Rosenberg, a consultant at Boston-based Virtual Security Research.
A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian. In a court filing (.pdf), Cupina wrote:
Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.
Rosenberg, in a telephone interview, suggested the authorities could “dismantle a phone and extract data from the physical components inside if you’re looking to get access.” However, that runs the risk of damaging the phone’s innards, and preventing any data recovery.
Linda Davis, a spokeswoman for forensics-solutions company Logicube of suburban Los Angeles, said law enforcement is a customer of its CellXtract technology, which it advertises as a means to “fast and thorough forensic data extraction from mobile devices.” But that software, she said in a telephone interview, “is not going to work” on a locked device.
All of which is another way of saying those Android screen locks are a lot stronger than one might suspect.
It was not immediately clear whether the iPhone’s locking system is as powerful as its Android counterpart. But the iPhone’s passcode has been defeated with simple hacks, the latest of which was revealed in October 2010.
Clearly, the bureau is none too happy about having to call in Google for help. The warrant requires Google to turn over Samsung’s “default code” in “verbal” or “written instructions for overriding the ‘pattern lock’ installed on the Samsung model SGH-T679.” Google spokesman Chris Gaither would not say if Google would challenge any aspect of the warrant. Google, he said, does not comment on “specific cases.” “Like all law-abiding companies, we comply with valid legal process. Whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” he said in an e-mail. “If we believe a request is overly broad, we will seek to narrow it.”
Via http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/
Scare Tactics: Dam Lies!
What is the world coming to when our leaders use scare tactics to get what they want? (Rhetorical question, of course.) But that's exactly what happened when backers of the so-called "Internet Kill Switch" evoked images of foreign hackers opening flood gates and drowning citizens.
“We are very concerned about an electronic control system that could cause the floodgates to come open at the Hoover Dam and kill thousands of people in the process,” said Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee. “That’s a significant concern.”
Not only is that not a significant concern, it turns out not even to be an insignificant concern. But the false information was no insignificant matter to the Bureau of Reclamation, which runs the power-generating facility on the Arizona-Nevada border.
“I’d like to point out that this is not a factual example, because Hoover Dam and important facilities like it are not connected to the internet,” Peter Soeth, a spokesman for the bureau, said in an e-mail. “These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices.”
Yesterday we posted a poll to get your opinion on this issue. Please take a moment to make your voice heard.
POLL: Do You Think An Internet “Kill Switch” Is An Effective Way To Protect National Security?
In the aftermath of Egypt and Tunisia's government-imposed Internet shut-downs, there has been a lot of talk this week about the U.S. Senate's Internet "Kill Switch" bill. No one argues that our networks are vulnerable to attack. Senators say they have committed to this power only to protect against "external cyber attacks". This raises several questions and deserves serious debate:
- In a global network, is there really a distinction between internal and external threats?
- Under what circumstances would the President use this power, and with what oversight?
- Could the financial damage of isolating U.S. commerce from foreign customers outweigh the potential damage from attack?
- Does the risk of an "Egyptian-style" shut-down really exist in Western Democracies, and if it does, is it a fair trade-off for national security?
That leads to today's poll question:
Of course, there are few perfect Yes/No answers in this world. Please feel free to share your comments below, and we encourage you to use the "Like" and "Share" buttons to elicit more opinions from others.
Senators Deny Similarities Between Egypt’s Internet Blocking & USA’s “Kill Switch” Bill
Some have suggested that our legislation would empower the president to deny U.S. citizens access to the Internet. Nothing could be further from the truth.
-Joseph Lieberman (I-Conn.)
In a statement issued this week, Senators Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.) said that their intent was to allow the president "to protect the U.S. from external cyber attacks," not to shut down the Internet.
Aside from the obvious civil liberties concerns, the problem I see is largely a mechanical one, and it demonstrates the Senators' lack of fundamental understanding when it comes to the world in which they legislate: By the time a cyber attack is apparent, it's no longer likely an "external" threat. The most effective attacks known today are distributed amongst a multitude of machines in various locations, making it impossible to protect citizens without shutting down the Internet -- if such a thing could even be accomplished in this country.
The U.S. network infrastructure is much more complex and diverse than that of Egypt. In part, that has to do with the sheer differences in scale. But, perhaps surprisingly, it also has to do with the age of our network. Parts of our interconnected network go back five decades. Some interconnected networks predate the Internet itself. And these are interconnected with new infrastructure being added every day without the need for government knowledge or consent.
Most importantly, when the Advanced Research Projects Agency Network (ARPANET) was conceived, it was specifically designed to survive and reroute against an outage. That means, depending on the final draft, the law would likely be either ineffective, dangerous, or both.
Internet Explorer Flaw Could Disclose Passwords
A recently discovered flaw in Internet Explorer could allow criminals to collect passwords and banking information. Microsoft is warning Windows users to be aware of the problem, with a manual work-around available, but there is no downloadable software fix available yet. So far, Microsoft says it “has not seen any indications of active exploitation of the vulnerability.”
Read the article: http://technolog.msnbc.msn.com/_news/2011/02/01/5967710-ie-flaw-could-mean-access-to-passwords
Security Minded: Drive Encryption
The Need
Where do I begin? Even before (maybe especially before) storage devices were portable, they were still vulnerable to theft, due more to their high resale value than the questionable value of their contents. Today, the market value of even a brand-new desktop computer may not be worth the potential consequences of being caught. But, the lucrative identity theft trade has given rise to an entirely different motive for computer, tablet, and cellphone theft. In this case, the device is simply a means to an end.
But theft and the obvious concern over losing such easily and commonly misplaced devices as thumb drives are far from the only reason to encrypt hard drive data. Today, for instance, international travelers may be subject to the copy and search of their hard drives, as authorized by the Department of Homeland Security's U.S. Customs and Border Enforcement's "Policy Regarding Border Search of Information" (July 16, 2008), which, among other things, allows Customs Agents broad discretion to detain "electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search." Regardless of your motivation, encrypting mobile data storage should be high on your list of priorities. Like my American Express card, I never leave home without it.
Note to attorneys, medical professionals, or anyone with a fiduciary responsibility: Unlike most professionals, you may have a legal, if not ethical, responsibility to protect your clients' data. Even if a standard for "reasonableness" has previously been applied to "locks" and other 20th century security practices, it may not apply to devices removed from a secure space. Check with your respective associations and/or licensing boards for more information.
Mixed Messages: US Govt. Tells Companies to Collect User Data, But Not To Use It
Last month the US Federal Trade Commission testified before Congress in order to establish "Do Not Track" legislation, challenging companies to either self-regulate, or face potentially stiff laws prohibiting the tracking of Internet users. This week the US Department of Justice testified before congress to establish regulations requiring data retention for the purposes of investigation and prosecution.
"Data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime," US deputy assistant attorney general Jason Weinstein told a congressional subcommittee on Tuesday. "In some ways, the problem of investigations being stymied by a lack of data retention is growing worse." Weinstein acknowledged that greater data retention requirements raise legitimate privacy concerns but "any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe."
Emphasizing the vast disparity between the testimony of these two Federal organizations is the following statement from the FTC's own prepared statement to Congress, expressing a principle of "reasonable security and limited retention for consumer data" among companies collecting sensitive data.
"A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place," according to John Morris, general counsel at the non-profit Center for Democracy & Technology. "Mandatory data retention laws would require companies to maintain large databases of subscribers' personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access."
The DOJ's request would require "an entire industry to retain billions of discrete electronic records due to the possibility that a tiny percentage of them might contain evidence related to a crime," says Kate Dean, executive director of the Internet Service Provider Association. "We think that it is important to weigh that potential value against the impact on the millions of innocent Internet users' privacy."
McAfee Predicts Mobile Devices May Be Corporate America’s Real Trojan Horse
If security firm McAfee is right, 2011 may be the year the tablet computer takes over corporate America. Or more specifically, the year the tablet takes over corporate networks. McAfee predicts that the onslaught of consumer-owned and lent smartphone and tablet devices entering and exiting the office space may pose a new, unanticipated threat to corporate security. Their concern is that not only is the consumer largely ill-prepared to secure devices that may amount to a hole in the Trojan wall big enough to drive a wooden horse into, but the lack of comprehensive security tools designed around the likes of iPhones, iPads and Android devices leaves them ill-equipped even if they were prepared. Potentially, this could mean that personal gadgetry may become the host du jour for new infectious computer viruses, malware, and most alarmingly, remote access to the network in the form of "Trojan horses".
While McAfee, one of the world's largest anti-virus software manufacturers, is understandably concerned about the interconnection of consumer-maintained -- and largely unsecured -- devices to more secure corporate networks, I think they may be missing an even bigger threat. While for years USB "thumb drives" have been cheap and affordable, and available in sizes small enough to swallow, they still required the physical removal of data from the premises. This meant exhaustively copying and then walking data out of the building. (See "sneakernet".) And, while every year these storage devices hold more and more data, so does the average corporate server. It's unlikely that portable media will ever quite catch up.
On the other hand, the prevalence of high-powered personal computing devices (yes, I'm talking about your average smartphone) connected to the corporate network allows not only for the immediate transmission of data off the premises; potentially even the cheapest, least sophisticated, pre-paid Android phone, left "cradled" overnight to a desktop computer (the same cradle used to charge the battery and synchronize contacts and calendar events), could allow for unrestricted, unauthorized remote network access over a hard-to-trace personal cellular data connection. Not only is this possible today, but it doesn't require a sophisticated computer virus to accomplish.
Read more at http://www.technewsworld.com/story/71541.html