Announcements:
LayerOne 2011
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
http://www.layerone.org/
My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011
#BSidesPGH
Where: 116 Federal St., Sunny Pittsburgh, PA.
When: June 10, 2011
http://www.securitybsides.com/w/page/38914998/BSidesPittsburgh
#BSidesCT
Where: Meriden, Connecticut
When: June 11, 2011
http://bsidesct.eventbrite.com
eXcon
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com (email excon@nesit.net for more info)
Begins after BSidesCT. Registration cost is $50.00
#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP now closed!
2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/
OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP Closed!
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org
EFF:
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water, as well as exposing injustices caused by ignorant legislation and bad judgements. Please click the following link to donate to a vitally important cause:
http://action.eff.org/site/TR/Contest/Advocacy?team_id=1730&pg=team&fr_id=1060
Stories
Source: http://www.bankinfosecurity.com/articles.php?art_id=3668
A Chicago consumer affected by the Michaels card breach has filed a federal lawsuit against the crafts retailer, claiming it should have better protected customers' cards from breach and compromise.
Brandi F. Ramundo had more than $1,300 withdrawn from her checking account, after reportedly making a debit purchase worth less than $20 at Michaels. Her five-count suit seeks class-action status, a jury trial, compensatory damages, and consequential and statutory damages. It also includes an order for Michaels to pay for card-fraud monitoring services for consumers hit by the scam, as well as compensation and punitive damages for costs associated with the suit.
Ramundo's suit raises questions about liability after a card breach fraud. What role should merchants play, when it comes to ensuring transactional security, and how should financial institutions, as card-issuers, fall into the fray?
Attorney Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the liability lines are often blurred and hard to define after a breach. Despite that card fraud usually occurs outside banking institutions' control, banks and credit unions, as the card issuers, usually absorb losses and expenses associated with breach recovery.
Source: http://www.pcworld.com/article/228391/playstation_network_hack_will_cost_sony_170m.html
Sony expects the hack of the PlayStation Network will cost it ¥14 billion (US$170 million) this financial year, it said Monday.
Unknown hackers hit the network gaming service for PlayStation 3 consoles in April, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service. A second attack was directed at the Sony Online Entertainment network used for PC gaming.
Sony responded to the attacks by taking the systems offline. It called in several computer security companies to conduct forensic audits and rebuilt its security system.
Users in many countries are being offered a year-long identity-theft protection program and free games. The cost estimate includes those actions and associated legal costs, said Masaru Kato, Sony's CFO, at a Tokyo news conference.
"To date, we have not confirmed any misuse of personal information or credit cards," said Kato.
The costs will be booked in Sony's current financial year, which will end on March 31.
Sony said it made the announcement because it expects to record a net loss of ¥260 billion for the financial year just ended due to charges associated with U.S. GAAP (generally accepted accounting practices) rules.
The March 11 earthquake and tsunami occurred just three weeks before the end of the financial year and didn't have a large impact on the company's global financial performance for the year, but it did push Sony's Japanese operations into a loss.
Those Japanese operations had lost money the previous two years but Sony, anticipating a profit in the year just ended, had recorded tax credits it intended to carry forward. However, GAAP rules say tax credits cannot be recorded for three years in a row, so Sony is recording a non-cash charge for the credits it had taken.
The earthquake hit Sony's domestic operations and led to a sharp fall in consumer demand in Japan in the last weeks of March, but its effect on the results for Sony's electronics business was limited because it occurred so close to the end of the financial year. Sony estimates that resulted in a ¥22 billion drop in sales and ¥17 billion in quake-related costs.
Overall, the company said sales in the previous year were around ¥7.2 trillion.
The company will report an operating profit of around ¥200 billion, but the GAAP-related charge will help push Sony to a net loss of around ¥260 billion. Operating income more closely tracks the company's performance in its core areas and excludes many one-off charges.
Sony will report actual results for the financial year from April 2010 to March 2011 on Thursday.
Geordy’s comments: This number seems way too low. That’s less than $1.70 per person/record. In Ponemon’s most recent study, the AVERAGE number was $214 per record. While Ponemon’s study does state that US breaches tend to cost companies more than foreign ones, I call shenanigans…
Source: http://www.latimes.com/business/la-fi-smallbiz-security-20110523,0,5494792.story
It took all of three minutes for the hacker to break into the small accounting firm's computer system.
The virtual open window into the system turned out to be a computer equipped with outdated software. It provided access to the office network and the hacker was able to get files that included private financial information.
"That was a shock," said Lynne Leavitt, a partner at the four-person Los Angeles firm, Brakensiek Leavitt Pleger. "I thought we had good security. I thought we were safe."
Luckily, it was just a test. The hacker had been employed by a security company to test the accountants' digital defenses. As a result, the firm put in new software and adopted new security procedures.
Cyber security is not just for big businesses. "That's one of the myths we come across — 'I am too small,'" said Stan Stahl, head of a Los Angeles cyber-security company Citadel Information Group Inc. and president of the Los Angeles chapter of the Information Systems Security Assn., a trade group.
Source: http://www.wired.com/threatlevel/2011/05/bradley-manning-in-boston/
In January 2010 when Army intelligence analyst Bradley Manning was allegedly contemplating leaking thousands of classified documents to WikiLeaks, he visited friends in Boston, who brought him to a party at Boston University’s BUILDS hacker space.
Frontline, which is airing a documentary about Manning and WikiLeaks on May 24, has obtained a video showing Manning at the party.
At the time of the party, Manning was on a two-week leave from his assignment in Iraq. It was at one point during this trip that he told friend Tyler Watkins that he’d gotten his hands on classified information that he was thinking about leaking, according to Watkins. “He wanted to do the right thing,” Watkins said in an interview with Threat Level last June. “That was something I think he was struggling with.”
The video shows Manning at the BUILDS party, small in stature compared to the hackers around him, leaning against a table while chatting with friend Danny Clark (in a red t-shirt at Manning’s left).
Source: http://www.knoxnews.com/news/2011/may/21/ornl-may-add-security-role/
Oak Ridge National Laboratory has become America's hub for scientific supercomputing, hosting the Department of Energy's top supercomputer (Jaguar) as well as the top-rated machines of the National Science Foundation (Kraken) and the National Oceanic and Atmospheric Administration (Gaea, Mother Earth).
Now it appears that a push to expand the Oak Ridge role could bring U.S. security agencies into the fold.
During a recent visit to Oak Ridge, DOE science chief William Brinkman said security agencies are supporting a plan, currently under review at the U.S. Office of Management and Budget, to use private financing for construction of a major new computer center at ORNL.
"They want to put some of their own computers down here," he said.
The man who threw a shoe at the architect of China's Internet censorship systems on Thursday, said he did so because the censorship has made his life inconvenient.
"I spend money to buy all this official software, but I can't use it (because of the censorship). This has made me really unhappy," the man said in an email message. He did not specify what software he is using.
Chinese microblogs have been abuzz with postings about Fang Binxing, often called "Father of China's Great Firewall", being hit with a shoe while speaking at Wuhan University. The assailant tweeted about the act on his Twitter account, adding that he also threw eggs at Fang, which missed.
No official information has been released about the incident, although some Chinese news reports on the shoe-throwing have made it online. The assailant, whose Twitter account is at @hanunyi, confirmed that he had committed the act in his e-mail.
The man, who didn't reveal his identity when asked, said he hadn't planned on throwing the shoe, believing that Fang would be speaking at a large event. But upon arriving, he found it to be a "small reception". His Twitter post mentioned only 30 people were in attendance.
Since throwing the shoe, the assailant has received praise on Chinese microblogs, with some users calling him a hero. Many others have said Fang deserved it.
The assailant said he was surprised by the response.
"I didn't think it would have such a big impact," he said. "Maybe a lot of people are the victim of a bad system."
China deploys an extensive Internet censorship system that blocks sites like Twitter, Facebook and YouTube in an attempt to clamp down on politically sensitive content.
The system goes as far as to prevent certain politically sensitive queries on Chinese search engines and microblogs, with Internet censors even deleting posts made on social networking sites in the country.
In the past months, the country's censorship has reached new levels, following an online protest call urging the Chinese people to hold a "Jasmine Revolution" against the government.
In March, Google reported the Chinese government was blocking Gmail access. Companies offering virtual private networks (VPNs), which allow users to view sites and content blocked by Chinese Internet censors, also reported that their services were facing access problems in the country.
Fang, the president of Beijing University of Posts and Telecommunications, has been at the receiving end of criticism from Chinese netizens before. In December, Fang set up a Chinese microblogging account operated by Sina. Users on the site, however, slammed Fang via posts on the microblog, for developing China's Internet censorship systems. Fang's postings, as well as the comments left behind, were removed from the account. The account continues, but is no longer searchable on the microblogging site.
Source: http://www.reuters.com/article/2011/05/22/linkedin-security-idUSN2212591020110522
LinkedIn site has security vulnerabilities-expert
LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who could break in without ever needing passwords, according to a security researcher who identified the problem.
News of the vulnerability surfaced over the weekend, only days after LinkedIn Corp (LNKD.N) went public last week with a trading debut that saw the value of its shares more than double, evoking memories of the dot-com investment boom of the late 1990s.
Rishi Narang — an independent Internet security researcher based near New Delhi, India, who discovered the security flaw — told Reuters on Sunday that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.
After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie "LEO_AUTH_TOKEN" on the user's computer that serves as a key to gain access to the account.
Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created, Narang said.
He detailed the vulnerability in a posting on his blog at www.wtfuzz.com on Saturday.
Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account, Narang said.
There are some exceptions: Banking sites often log users off after 5 or 10 minutes of inactivity. Google gives its users the option of using cookies that keep them logged on for several weeks, but it lets the user decide first.
The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.
The company issued a statement saying that it already takes steps to secure the accounts of its customers.
"LinkedIn takes the privacy and security of our members seriously," the statement said.
"Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."
The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain "sensitive" data, including account logins.
But those access token cookies are not yet scrambled with SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said.
LinkedIn said in its statement that it is preparing to offer "opt-in" SSL support for other parts of the site, an option that would cover encryption of those cookies. The company said it expected that to be available "in the coming months."
But LinkedIn officials declined to respond to Narang's critique of the company's use of a cookie with a one-year expiration.
Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies.
He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.
He said he downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers.
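The two weaknesses the story describes are visible in the cookie's Set-Cookie header itself: a one-year lifetime, and no Secure attribute, so the browser also sends the token over plain HTTP where it can be sniffed. The following auditor is an added example, not LinkedIn's or Narang's code. It parses a Set-Cookie header, flags those weaknesses against an assumed one-day policy for authentication cookies, and emits the hardened form beside the weak one. The cookie name LEO_AUTH_TOKEN is from the story; the token values, the policy constant and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the weaknesses the LinkedIn story describes:
an authentication token that stays valid for a year and is not confined to
encrypted connections (no Secure attribute).

Added example, not LinkedIn's or the researcher's code. The cookie name
LEO_AUTH_TOKEN is from the story; the token values and the one-day policy
are constructed assumptions."""

from __future__ import annotations

ONE_DAY = 24 * 60 * 60
MAX_AUTH_COOKIE_AGE = ONE_DAY  # assumed policy: an auth token lives at most one day

# Plain-language explanation for each finding code the auditor can emit.
EXPLANATIONS = {
    "missing-secure": "no Secure attribute: the browser also sends it over plain HTTP, where it can be sniffed",
    "missing-httponly": "no HttpOnly attribute: page scripts can read the token",
    "lifetime-too-long": "Max-Age exceeds policy: a stolen cookie stays usable long after the session",
    "expires-without-max-age": "persistent cookie with only an Expires date: lifetime is not bounded by Max-Age",
}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into the cookie name/value and its attributes.
    Attribute names are case-insensitive; valueless attributes (Secure, HttpOnly)
    are stored as True. An Expires date may contain commas but never a semicolon,
    so splitting on ';' is safe."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_auth_cookie(header: str, max_age_policy: int = MAX_AUTH_COOKIE_AGE) -> list[str]:
    """Return the finding codes for an authentication cookie header.
    An empty list means the header meets the (assumed) policy."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append("missing-secure")
    if attrs.get("httponly") is not True:
        findings.append("missing-httponly")
    if "max-age" in attrs:
        if int(attrs["max-age"]) > max_age_policy:
            findings.append("lifetime-too-long")
    elif "expires" in attrs:
        findings.append("expires-without-max-age")
    return findings


def build_auth_cookie(name: str, token: str, max_age: int = MAX_AUTH_COOKIE_AGE) -> str:
    """Emit a Set-Cookie header for an auth token with the protections the story
    says were missing: a short lifetime, Secure (HTTPS only) and HttpOnly."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly"


# Constructed sample headers. The first mirrors the story: a one-year token with
# no transport protection. The second is the hardened form of the same cookie.
WEAK_HEADER = "LEO_AUTH_TOKEN=example-token-value; Max-Age=31536000; Path=/"
HARDENED_HEADER = build_auth_cookie("LEO_AUTH_TOKEN", "example-token-value")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        findings = audit_auth_cookie(header)
        print(f"{label}: {header}")
        for code in findings:
            print(f"  - {code}: {EXPLANATIONS[code]}")
        if not findings:
            print("  - no findings")
```

The attributes only limit how far a valid token can travel and for how long; they do not revoke it. The story's other point, that a token should stop working when the user logs off, needs server-side invalidation of the token on logout, which no cookie attribute provides.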