[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

Counterfeit $100s and $50s from "Willy Clock," allegedly the online alias of a Texas man living in Uganda.

U.S. prosecutors say 27-year-old Ryan Andrew Gustafson – a.k.a. “Jack Farrel” and “Willy Clock” — is a U.S. citizen currently residing in Kampala, Uganda. Gustafson was arrested on Dec. 16 by Ugandan authorities and charged with conspiracy, counterfeiting, and unlawful possession of ammunition.

The defendant and his alleged accomplices are suspected of passing approximately $270,000 in fake U.S. currency in Uganda. In total, Ugandan authorities say they seized some $1.8 million in funny money from Gustafson’s operation.

The U.S. Secret Service, which investigates currency counterfeiting, said the investigation began in December 2013 when agents were alerted to the passing of counterfeit notes at retail stores and businesses in the Pittsburgh area. A press release from the Justice Department outlines the rest of the investigation:

“Agents determined that an individual identified as J.G. had passed these notes and was renting a postal box at The UPS Store on Pittsburgh’s South Side. On Feb 19, 2014, law enforcement learned that J.G. received three packages addressed from Beyond Computers, located in Kampala, Uganda. Agents executing a search warrant on the packages found $7,000 in counterfeit $100, $50 and $20 FRNs located in two hidden compartments within the packaging envelopes. A fingerprint on a document inside one of the packages was identified as belonging to Ryan Andrew Gustafson.”

Jack Farrel's Facebook page. The U.S. Secret Service alleges that Farrel is Gustafson, a.k.a. counterfeiter "Willy Clock."

“The Secret Service subsequently worked with Ugandan authorities to identify the source of the counterfeit [cash]. Their efforts led to A.B., who admitted to sending the packages, explaining that an American named “Jack Farrel,” and another person, provided him the counterfeit notes to ship. Based on information provided by A.B., the Secret Service used facial recognition to identify Jack Farrel as Ryan Andrew Gustafson.”

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

Once again, it appears that sloppy operational security contributed to an arrest of an alleged bad guy. According to the government’s complaint (PDF), the email address that Gustafson provided on his U.S. passport application was the same one he allegedly used to maintain a Facebook account under the Jack Farrel alias. Investigators found that Gustafson also used the same Internet address to access his real Facebook page and the Farrel account. Another Facebook page tied to the Jack Farrel identity says the accused was in Uganda as a project associate at the U.N. refugee shelter program.

[syndicated profile] cakewrecks_feed

Posted by Jen

You better watch out

You better not cry

Better not pout

I'm telling you why!

Ahem.

He sees you when you're sleeping!

He knows when you're awake

He knows if you've been bad or good

So be good

or he might just murder you!

Oh!

You better watch out
You better not cry!

(He'll hear you)

You better not pout
I'm telling you why
Thanks to Mark, Carissa B., Michelle H., Leah S., Eloise C., Vicki L., Christine K., Moe L., & Kristin B. for inspiring us to board up the fireplace come Christmas Eve.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Gang Hacked ATMs from Inside Banks

Dec. 22nd, 2014 01:00 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.

Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.

A number of the gang’s members are believed to be tied to a group of Eastern European hackers accused of stealing more than USD $2 million from Russian banks using a powerful, custom-made banking trojan known as Carberp. Eight men in Moscow were arrested in 2012 and accused of building and using Carberp, but sources say the core members of the gang were out of jail within hours after their arrest and have been busy rebuilding their crime machine ever since.

According to a report released today by Fox-IT and Group-IB, security firms based in The Netherlands and Russia, respectively, the Carberp guys have since changed their tactics: Instead of stealing from thousands of bank account holders, this gang has decided to focus on siphoning funds right out of banks’ coffers. So far, the security firms report, the gang has stolen more than $15 million from Eastern European banks.

To gain a foothold inside financial institutions, this crime group — dubbed the “Anunak group” — sent bank employees targeted, malware-laced emails made to look like the missives were sent by Russian banking regulators. The phishing emails contained malicious software designed to exploit recently-patched security holes in Microsoft Office products.

Incredibly, the group also reportedly bought access to Windows PCs at targeted banks that were already compromised by opportunistic malware spread by other cyber criminals. Indeed, Fox-IT and Group-IB report that the Anunak gang routinely purchased installations of their banking malware from other cybercriminals who operated massive botnets (collections of hacked PCs).

Once inside a financial institution, the criminals typically abused that access to launch even more convincing spear-phishing attacks against other banks. They also gained access to isolated bank network segments that handled ATM transactions, downloading malicious programs made to work specifically with Wincor ATMs. The hackers used that malware — along with a modified legitimate program for managing ATM cash trays — to change the denomination settings for bank notes in 52 different ATMs.

As a result, they were able to make it so that when co-conspirators went to affected ATMs to withdraw 10 bills totaling 100 Russian rubles, they were instead issued 10 bank notes with the denomination of 5,000 rubles, the report notes.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

It was bad enough that this group is believed to have hacked into more than 50 Russian banks, but nasty messages encoded into the malware tools employed by the thieves suggest they hold utter contempt for their targets. One malware component the group used to infect targeted systems carried inside of itself the text string “LOL BANK FUCKIUNG”. Another strain of malware deployed by this group’s targeted email campaigns and used to build their own botnet of more than a quarter-million PCs was encrypted with a key that is the MD5 hash of the string “go fuck yourself.”

While they appear to have developed a penchant for stealing directly from banks, these crooks aren’t above going after easy money: Sources tell KrebsOnSecurity that this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

A separate source previously told this author that there was a connection between the point-of-sale malware used in the breach at Michaels and the Staples incident, which means this group may also have been involved in the Michaels breach. In any case, Group-IB and Fox-IT note that the Anunak gang has hit a total of 16 retailers so far.

The attacks from Anunak showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

The full report on the Anunak group is available here (PDF).

Romania, Nov-Dec 2014

Dec. 22nd, 2014 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

I went to Romania to Cluj, to speak at iOSNext. Being footloose and fancy free, I decided to stay on for a while after and see Bucharest, and try out AirBnB [referral link].

In Cluj, we stayed at the Golden Tulip hotel which was pretty nice. I arrived late and was given a room with two single beds, and called reception for a change, and they gave me another room… which also had two single beds. I was exhausted though, so I just lived with it! It was only two nights, after all. Other than that it was comfortable and the hotel food was good. We also ate at Camino, which was nice.

I didn’t see that much of Cluj, just the view from the top of the hill at night, which was pretty, but so cold and coming down was a bit of an icy obstacle course.

We took a road trip to Bucharest which was a bit ridiculous. First up, I overslept and my devices hadn’t charged overnight. Then once we got going, we were stuck behind tanks for large parts of the way because of Romania Day celebrations. Then the windscreen wiper liquid stopped working. On the way, we stopped in Sibiu which is pretty, saw the Christmas market, and had lunch at this terrible cafe. We waited over an hour for food, and then when it arrived it was cold. And of course after that, we were running much later than planned! The final misadventure was stopping for a last break, and the trunk getting stuck… which contained my portable phone charger so I was running desperately low on battery and trying to confirm things with my AirBnB host which was a bit stressful!

But eventually we made it!

Bucharest I got to see more of, I stayed in this apartment which was really nice. I wandered around a lot, there are some pretty parks like Grădina Cișmigiu, and Hanul cu Tel is a cute little street of artisan shops. The Botanical Gardens were great, I really liked them, and would love to see them in the summer. I only saw the end of the Romania Day celebrations, although I missed the parade – it was super cold, and had actually snowed. I ended up getting my Serious Canadian Winter Boots shipped out to me because what I had wasn’t cutting it!

Breakfast places I tried: Cafe Dolce Bacio (nice, but only pastries), Boutique du Pain (OK), Paul Bakery (much the same as anywhere else, I expect), Van Gogh Grand Cafe (terrible).

Dinner: Sushi Ko (meh), Caru’ cu Bere (traditional Romanian, better than average service), Hanu’ Berarilor Interbelic (more traditional Romanian) Stadio (meh, extra terrible service), Ad Hoc Bistro (nice, went with locals), Zen Sushi (OK), Champions (meh).

Honestly, I found the food in Bucharest to mostly be not good, and the service worse. However after a couple of days I found Chocolat which became my favourite, and they served vegetables (spinach!) which was great, I was starting to really miss vegetables, and elsewhere all I found was courgette, which I am not a fan of at the best of times, and definitely can’t eat a whole plate of. So after finding Chocolat I ate breakfast there every day, and I even – the shame! – ate at Pizza Hut more than once because it was super cheap and at least I went in expecting it to be terrible. Exploring thinking that I might have found somewhere good and being continually disappointed got to me.

The Muzeul Național de Artă al României was okay, I went on a free entry day, there were so many religious paintings that at first I was really glad I hadn’t had to pay to get in! But upstairs there was some more modern art, and a couple of pictures that I really liked.

I went to the Natural History museum which was… interesting. Animals made of plaster, and also stuffed animals, which were a bit… creepy. And an exhibit on… I’m not sure what it was about really, but there was a shrunken head that I wish I could forget.

The Muzeul Național de Istorie a României was interesting, series about Romanian Royalty starting with Carol I. The best bit, though, was the collection of jewellery, which was really cool.

The Muzeul Țăranului Român was a bit strange, the last exhibit in the basement, I think might have been something to do with Stalin, but it was untranslated so I am not sure. You aren’t allowed to take pictures, and in every room there is at least one person, sometimes more (!) who only seem to be there to stop you if you try. The first exhibits were super religious, which I had zero interest in. But once I got upstairs there was some more interesting stuff, including some structures they had built, which was a more interesting experience. There was also a room of tiny miniatures which were pretty cute.

All in all, not an abundance of food or culture, but there are things to do and see and I quite enjoyed my time there – it was peaceful. I went and did tourist things, but some days I just wandered around and that was fine, the architecture is the most impressive thing about Romania, I found. And some days I just curled up in my cosy apartment and got some work done, and that was pretty great, too.

This Week

Dec. 22nd, 2014 01:00 am
[syndicated profile] accidentallyincode_feed

Posted by Cate

I need a vacation, and by vacation I mean I need to move away and find a new job, on a beach, with rum.

Credit: Flickr / Lulu Hoeller

Life

Fun in Dubai, meeting up with a friend I did ski instructor training with – we’ve hung out in Canada, and Sydney, and now Dubai, but never the UK… despite us both being British! Then quick turnaround, headed to Berlin to hang out with another friend over from Australia, which was awesome, I’ve missed her so much. And got the keys to the apartment I’m subletting from the start of January. I’m excited to come live in Berlin and hopefully add to my 4 words of German…

This past week or so has ended up being a vacation, which I seem to have scheduled rather than planned. But still – I’ve taken so little time off this past year, a long weekend for the Luminale in Frankfurt, and a ski trip that I missed because I was stuck in NYC have been the extent of my vacation plans! So I feel refreshed and energised and excited to get coding again. Also, more clarity of thought than I feel like I’ve had lately – there’s something about stepping back from your day to day that helps you see it more clearly, I think.

Work

Just bits and pieces that couldn’t wait, and a couple of hours between naps and flights sorting out screenshots etc for the app store.

I am pretty psyched that I have nothing scheduled Jan/Feb and can just focus… since the iOS app is details away from shipping, I’m going to start porting to Android soon. Will be fun!

Media

Went a bit mad and bought 24 novels in one go. Maybe a fit of excitement after dwelling in the regency period for so long. Finished with Venetia, one of my faves. Read One Hundred Christmas Proposals, which is a (thankfully short) follow up to One Hundred Proposals which I had quite liked, but it was nauseating. Also read Saving Grace, by Jane Green, which was great, and The Woman Who Stole My Life by Marian Keyes which I loved, highly recommend, Keyes is such a great author (I wish I could find all her books for Kindle). Getting Rid of Matthew was OK, and Not Without You by Harriet Evans, I really, really liked.

Still plodding through The Black Swan. It seems to be about 10% content, and 90% random stuff about the guy’s life, which I am not particularly interested in.

Published

A new edition of Technically Speaking is out.

On The Internet

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • How user research woke me up to harassment in the design community | Medium (December 19): “But then I get a bad response, and then 2 more. My heart sank. […] My immediate reaction was to play down the comments in my head, after all it was only 2 people. But then I thought back to all the stories I’d read and the endless blog posts about sexism and harassment in the digital industry. Suddenly I was faced with the realisation that a huge group of my target market think it’s a good idea and want to use my product, but don’t feel safe enough to. It’s not just a business problem I’m facing, it’s a moral one.”
  • MIT Computer Scientists Demonstrate the Hard Way That Gender Still Matters | Wired (December 19): “The AMA became, to borrow one Reddit commenter’s phrase, “a parody of what it’s actually like to be a woman working in a STEM field.””
  • Why it’s so hard to stop online harassment | The Verge (December 8): “In her column last week, Jessica Valenti wrote, “If Twitter, Facebook or Google wanted to stop their users from receiving online harassment, they could do it tomorrow.” […] Valenti assumes here that Content ID works. But Content ID and other blunt, algorithmic tools in the service of copyright enforcement are documented trainwrecks with questionable efficacy and serious free speech ramifications. In other words, Content ID and its ilk are simultaneously too weak and too strong. Their suitability in addressing copyright infringement is already deeply suspect; their suitability in potentially addressing harassment should be questioned all the more.”
  • 2015 wall calendar of women in science | SmartyWomyn on Etsy (December 17)
  • [Warning for discussion of sexual assault] Defending the indefensible: gaming’s fondness for ‘rape’ | ABC Technology and Games (December 3): “It’s true that adolescents around the world have co-opted [the word] as a term of comprehensive dominance for their online prowess. And yet despite the incredibly broad and increasingly diverse demographic that gaming has come to represent, […] there remains a staunch obsession to hold onto the uses of words like [these].”
  • Codecracker | CastillejaDPW on Youtube (December 15): [Video] “The Dance Production Workshop Class in collaboration with the 8th grade choreography class created Codecracker. This dance was created at the all girls school Castilleja in Palo Alto, CA. This dance combines coding, technology, art, and education. Enjoy!”
  • Hilarious Christmas Song Is the Feminist Rally Cry You’ve Been Waiting For | Identities.Mic (December 17): [Video] “the Doubleclicks, a musical duo made up of sisters Angela and Aubrey Webber. Hailing from Portland, Oregon, the sisters write songs “that are all at once snarky, geeky and sweet.” This holiday season, they’ve gifted all of us with their version of a Christmas carol, only instead of sleigh bells and Santa coming down the chimney, they sing about a magic weapon for ridding the world of sexists and a fervent hope that slut-shaming dudes will be long gone this holiday season.”


We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Sunday Sweets: Merry & Bright

Dec. 21st, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

We're in the final stretch before Christmas, so here's hoping you can all kick back and relax with loved ones for the next few days.

The letters to Santa have been sent...

(By Cakes Decor member Cake Heaven)

The gifts have been wrapped...

(By Sandra Monger Cake Design)

The lights are all rigged...

(By Adorn Cake Design)

"Now why are they BLINKING?"

And if you're really lucky, you've even got time for a few crafts:

(By The Violet Cake Shop)

Anyone into quilling out there? Especially loving those flowers.

Or better yet, maybe you've got time for CAKE.

(By Queen B's Bakery, featured here)

I'd never think to add pink and blue with red and green, but it totally works!

Or how about a soft mint with pearl and silver accents?

(By Cakes Decor member Dolca Llepolia)

Love that snow texture on the middle tier.

Here's a funky modern design with hand-drawn ornaments:

(By Man Bakes Cake)

Fun!

And John thought this binging Santa was hilarious:

(Baker Unknown (anyone?), found here)

I would make a crack about fruitcake here, but I'm told it can actually be super delicious. Bring on the evidence, bakers; I'm willing to be convinced. ;)

This one looks like an abstract forest fairy, and I love it:

(By Blissfully Sweet)

Look at that skirt of leaves, and the little braided belt! SO SWEET.

A stunning stained glass design:

(By Hazel Wong Cake Design for Christmas in Frostington)

Ahhh, pretty as a greeting card.

And finally, for those of you celebrating Hanukkah, the prettiest Sweet I could find this year:

(By Rosebud Cakes)

Those colors! Take note, bakers: THIS is how you airbrush. Love it.

Well, whatever you're celebrating this season, here's hoping it's merry and bright - with extra sprinkles on top. ;)

Be sure to check out our Sunday Sweets Directory to see which bakers in your area have been featured here on Sweets!

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] epbot_feed

Posted by Jen

I love changing up all my tabletop holiday decor around the house each year, so here's a quick photo tour of the newly arranged sparklies at the Yates' place:

(Note how I deftly avoid photographing the dining room table, which is perpetually buried in project materials. ;))

I've been waiting to wrap this chandelier in garland since the day we bought it:

There's also a convenient little knob in the middle for hanging one big ornament. :D

I don't think I've ever shown you guys this back bookcase, since it's always been covered in junk and spare parts. I finally cleaned it up, though, and found a nice use for my great-grandfather's old planer:

It makes a great display ledge for tiny treasures! In fact, most of that will be staying out year-round, including those great steampunk Mickey ear ornaments:

And here's the steampunk tree again:

John and I will be putting the finishing touches on the Harry Potter tree as soon as we're back from our trip, so final pics of that'll be coming up later. Hope you enjoyed the virtual visit, everyone! Here's to glittering up ALL the things!

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.

KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating “a potential issue” and had contacted law enforcement.

In a statement issued today, Staples released a list of stores (PDF) hit with the card-stealing malware, and the stores are not limited to the Northeastern United States.

“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”

However, the company did say that during the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan, New York at various times from April through September 2014.

Aviv Raff, chief technology officer at Seculert, said the per-store minimum time to detect and respond to the breach was an average of 40 days.

“Once again, much like previous breaches, the statistics of the Staples’ breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible,” Raff said.

Source: Seculert

It appears that the attackers responsible for the Staples break-in are not the same group thought to have hit Target and Home Depot. In November, I posted a story that cited sources close to the Staples investigation saying the breach at Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

-“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

-“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

-“Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, that said they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers about The Interview online be removed from the Internet.

A ‘MAGIC WEAPON’

Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way, and few of the options are particularly palatable. The top story on the front page of The Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers and intelligence agencies alike.

The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to sever or severely restrict those connections is unlikely to work.

Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”

IMPLICATIONS FOR US FIRMS

If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.

A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of all the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (identifying the organization’s “crown jewels”) is another essential exercise, but too many organizations fail to take the critical step of encrypting this vital information.

Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.

As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom using malware tools such as ransomware. I’m afraid that as these attackers become better at situational awareness — that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control — these attacks and ransom demands will become more aggressive and costly in the months ahead.

[syndicated profile] cakewrecks_feed

Posted by Jen

Part 2 of my Top 20 Literals in CW History!

LITERALLY.


"Hang on, this sounds complicated. Lemme write it down."

"GOT IT."

The quotation marks are "helping."


And last but not least, The Cake That Started It All:


Thanks to Kate L., Dana G., Cristina B., Emma C., Kathryn S., Melissa O., Naomi H., Anony M., Kristen H., & Abby G. for being the one to first send me that photo, which quite literally (zing!) inspired this whole silly little cakes blog.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

rose tinted glasses

Credit: Flickr / derekgavey

Helpful to take a step back and see where we are.

We all tend to view the world through rose tinted glasses. Tend to look through a lens that colours what we are seeing. Unless we take them off, hard to see what the situation is.

Glasses worn by iOS devs: “we are indie devs”. Sense in community of the little guy, hacking away on the porch or in the evening. Stood for a long time, back when it was actually true. Now maintained even though probably one of the biggest communities of devs in the world.

Not unreasonable. Vast majority of companies producing apps are very small. Even “big” less than 30-40 people.

Is a sense of being small, see things through the lenses of being small.

When we look at Apple, relate to the apple that was Steve and Steve in their garage hacking. All about innovation, friendliness, camaraderie.

We see Apple as we like to see Apple. The Apple we want is the Apple of this 70s breakthrough, this small indie thing. However reality is, Apple is (depending on day of week and season of year) one of the biggest companies in the world. No longer based in a garage somewhere in California. The thing that is most important to them is the stock price. This is true, because the law says it has to be. Has an obligation that every decision you make is in the best interest of your shareholders. If can be shown not, you can be imprisoned.

“How does this affect us as a public company” – reality, shareholders come first.

Not everyone. But Apple as a company, this has to be what it is about.

Have to ask, how can we make the best investment for investors. If you go to their website, clear they have done that by deciding to be a hardware manufacturer. Click around for a long time before any mention of software.

Chosen to make money through hardware. Strategy – build fanatical customers, who love the hardware. Carefully decided. Look at the presentations, the words they use.

“The every day man’s designer brand” – slightly more than most people can afford, but within reach.

Would never do a low end laptop, because it would destroy that brand. Target people with aspirations. Hence the margins on their laptops.

Strategic decisions are around these things. And nothing else. Desirable to customers. Maintain brand. Bottom line.

Apple are not the friendly garage of indie devs. They are a moneymaking machine.

Faster accept that, the easier it is to deal with reality.

Not going “developers developers developers”

Don’t hate developers. Just not their priority.

Do Developers Hate Developers?

Open source projects:

  • How many have considered users in code open sourced.
  • How many have sent money?
  • How many have contributed a significant fix or amount of code?

Argument heard again and again is “Apple should look after us as developers because we make significant contribution to their business”

Financially: tiny. So small they wouldn’t notice if it disappeared.

App ecosystem does enhance Apple’s attractiveness to customers. Will place some value for that reason. Because it creates value for customers who they want to be fanatical about their products.

As developers, the very people making that complaint, we don’t stop to think about people who are producing code that makes a significant contribution to the things that we make. Bit of a hypocrisy. If want that to be true, need to value people who make a contribution to people who help their code.

Don’t hate devs. Just value customers more than you.

Love

Love is not about what you feel, it’s about what you do. It’s in your actions and your deeds.

Sherlocked. Apple have Sherlocked a number of apps. (Replacing a dominant player in the market as an independent – Watson replaced by Sherlock).

Not mean, evil, but because they want to give something to their customers. Just a business decision. Just an attitude about them making better products.

Deprecated. Deprecation is a courtesy to devs, could just remove the API altogether. Good for customers, because forces things to be done in a better, more efficient way.

Microsoft for many years refused to deprecate anything. People are still running things on XP because they thought they must never get rid of anything that breaks anything. So we all had to live with an OS that is full of crap. So much was there for legacy purposes. But it didn’t make a good product. Better for people who were no longer giving MSFT money than for people who were (buying).

Not about devs. About building a better product for customers.

Changed. That is exactly why things change.

How do Apple Love Developers?

Apple, iOS dev centre membership. $99. Charge again to do the Mac. How much does it cost Apple to provide what they provide? $99 doesn’t cover it. Nowhere near.

Apple known for small teams, people often shocked by how few people work on something. Doesn’t matter. Have very clever, very expensive California devs working on things for your benefit. Subsidising your career. That is how much they love you.

Windows, you pay 1200GBP every year for a Visual Studio and MSDN subscription. And that is still a subsidised price.

Next time you complain about the App Store pricing, remember: if going to do that, they are going to start charging a realistic price for tools.

Short while with Mac app store. Xcode was $4. Was like the world had ended. “How could they charge me $5 for the thing that I make my living from?”

Apple understand value of devs, charge very little for tools that allow you to do your job.

Not because love you, but because you create value.

WWDC videos. 2006 would wait months for vids, be delivered on DVD. Apple gained nothing by investing millions of dollars in ensuring you can get the videos on the same day. Investing in you, because it helps them. If you have the latest information, can upgrade your apps faster.

Whichever title. Reality is. They understand your value, and provide reasonable practical support without taking their focus off of their main business and their customers.

Hopefully just like you do.

Complex Solutions to a Simple Problem

Dec. 18th, 2014 02:26 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

My inbox has been flooded of late with pitches for new technologies aimed at making credit cards safer and more secure. Many of these solutions are exceedingly complex and overwrought — if well-intentioned — responses to a problem that we already know how to solve. Here’s a look at a few of the more elaborate approaches.

A promotion for the Siren Swipe technology.

Some of these ideas may have benefited from additional research into where financial institutions actually experience most of their fraud losses. Hint: Lost-and-stolen fraud is minuscule compared to losses from other types of fraud, such as counterfeit cards and online fraud. Case in point: A new product called Safe Swipe. From their pitch:

“The basic premise of our solution, Safe Swipe…is a technology which ‘marries’ your smart mobile device, phone, tablet and or computer to your credit/debit card(s). We’ve developed a Geo-Locator software program which triangulates your location with the POS device and your mobile phone so that if your phone and credit card are not within a certain predetermined range of one another the purchase would be challenged. In addition, we incorporated an ON/OFF type switch where you can ‘Lock Down’ your credit/debit card from your mobile device making it useless should it ever be stolen.”

The truth is that you can “lock down” your credit card if it’s lost or stolen by calling your credit card company and reporting it as such. Along these lines, I received multiple pitches from the folks who dreamed up a product/service called “Siren Swipe.” Check it out:

“The SIREN SWIPE system immediately notifies local police (via the local 911 center) of a thief’s location (ie merchant address) once he swipes a card that has already been reported stolen,” the folks at this company said in an email pitch to KrebsOnSecurity. “SIREN SWIPE has the potential to drastically impact the credit card fraud landscape because although card credentials being stolen is a foregone conclusion, which cards thieves decide to actually use is not. For a thief browsing a site like Rescator, the knowledge that using certain banks’ cards could result in an immediate police response can make thieves avoid using these banks’ stolen cards over and over again. And in the best case scenario, a carder site admin could just decide not to sell subscribing banks’ cards in the interest of customer service.”

The sad truth is that, for the most part, cops generally have more important things to do than chase around the street urchins who end up using stolen credit and debit cards, and they’re not going to turn on the dome lights and siren over something like this. Also, the signals for fraud are all backwards here: The fraudsters know to use criminal card-checking services before buying and/or using stolen cards, so they don’t generally end up using a pile of cards that have already been cancelled.

A diagram explaining Quantum Secure Authentication.

My favorite overwrought solution to making credit cards more secure comes from researchers in the Netherlands, who recently put out a paper announcing a card security idea they’re calling Quantum-Secure Authentication. According to its creators, this approach relies on “the unique quantum properties of light to create a secure question-and-answer exchange that cannot be spoofed or copied.” From their literature:

“Traditional magnetic-stripe-only cards are relatively simple to use but simple to copy. Recently, banks have begun issuing so-called ‘smart cards’ that include a microprocessor chip to authenticate, identify & enhance security. But regardless of how complex the code or how many layers of security, the problem remains that an attacker who obtains the information stored inside the card can copy or emulate it. The new approach…avoids this risk entirely by using the peculiar quantum properties of photons that allow them to be in multiple locations at the same time to convey the authentication questions & answers. Though difficult to reconcile with our everyday experiences, this strange property of light can create a fraud-proof Q&A exchange, like those used to authorize credit card transactions.”

The main reason so many of these newfangled technologies are even being proposed is that the United States lags 20 years behind Europe and the rest of the world in adopting chip/smartcard technology in credit and debit cards. This is starting to change on both the card-issuing side (the banks) and the merchant side. Most of the biggest banks are already issuing chip cards, with smaller institutions following suit next year. In October 2015, merchants that haven’t yet installed card swipe terminals that accept chip cards will be liable for all of the fraud costs on any fraudulent transaction involving a chip card.

It’s unclear how much appetite there is for new technology to help banks fight card fraud, when so many financial institutions have yet to roll out chip cards. A payments fraud survey released this week by the Federal Reserve Bank of Minneapolis found that “high percentages of surveyed financial institutions report that fraud prevention costs exceed actual losses for many types of payments, especially wire, cash, and ACH payments. This trend is even more striking for non-financial respondents. In every payment category, a higher percentage of such firms responded that prevention costs exceed fraud losses.”

The Fed survey (PDF), which quizzed both banks and corporations, found that about half of the financial institutions that experienced payment fraud losses reported increases in those losses, while three quarters of the non-financial firms responded that loss rates had remained about the same over the prior year.

“In keeping with previous surveys, signature debit transactions are the payment type cited by the largest number of financial institutions as accounting for high levels of payments fraud losses (92% of financial service companies), while checks are cited by 75% of non-financial companies,” the Fed concluded. “While this finding could suggest that companies are overcompensating in prevention vis-à-vis likely losses, it is also possible that risk mitigation strategies and fraud prevention investments have indeed been effective.”

[syndicated profile] cakewrecks_feed

Posted by Jen

John asked me to pick my top 10 literal LOLs of all time, and I just couldn't do it, guys. There are too many! So instead, here are my top 20... in two parts. ENJOY.

Sorry, you can't have any.


But they never did. So sad.


And they say technology makes our lives easier:


"What flash drive?"


"Oh, must be this one:"


Thanks to Jessica P., Amanda M., JR, Ross E., Kimberly L., Caylin C., Eugene K., Gauhar, Johanna O. & Elisabeth R., with extra sprinkles on top.


[syndicated profile] epbot_feed

Posted by Jen

John and I wanted a Hogwarts Express for our Potter tree, but WOW are the official trains expensive. Plus, once I found this $30 train set that snaps INTO your tree, I knew we'd find a way to make a passable Hogwarts Express out of it.

Here's what we started with:

Good thing it's cheap, because wow does it look it.

 And here's our finished product:


This mod is pretty tedious, since you pretty much have to disassemble the entire train, paint the individual pieces, and then remember how to put it all together again.

In addition to painting, we removed a lot of extraneous pieces like the front smoke stack, bell, and the extra railings and ladders on the coal car. I also cut out the speaker, since the sound effects were terrible - and loud.

We completely re-built the front end of the engine, which looked like this after we cut off the big lantern, gold trim, and cowpoke (oops) cowcatcher.


That center screw is just decorative, so I covered the front hatch with epoxy putty, which allowed us to drill a new hole down low for the headlight:


(Sorry the headlight's not on here; it only lights while the train is running.)

Obviously it's not perfect, but I think we got the general idea across!


(Just realized the side railing isn't gold on the Express. OOPS. Looks like I have some touch-up painting to do!)

We found and printed some of the world's tiniest decals, which I applied with even tinier spots of clear glue.

The red spray paint we used was a little richer and had a slight texture to it, which makes the train look more like metal:

And again, this is what we started with:

Now the other two cars:

Before:

After:

Before:

After:
And yes, that IS a tiny dementor on the back:


This was entirely John's idea, but I think it's hilarious.


Plus the way he positioned the wire makes the dementor really seem like it's flying as the train rounds the tree:

ACTION SEQUENCE... GO!



Hee!

I like to think the dementor is something a Slytherin would stick on the train as a joke, so it still fits with my "tree that Hogwarts' kids made" theme.

Hope you guys aren't getting TOO Pottered out this month, since I still have a few more goodies to share. Stay tuned for winged keys, potion bottles, and parchment scrolls with levitating quill pens!

And if you're just catching up, here's what I've shared from the tree so far:

- DIY Golden Snitches
- Floating Candles
- Cauldron Base
- Mini Quidditch Brooms

Quick hit: #ThisTweetCalledMyBack

Dec. 17th, 2014 04:00 pm
[syndicated profile] geekfeminism_feed

Posted by Tim Chevalier

Who gets to claim the title “activist”, and who quietly does the work that’s needed for activist movements to succeed while getting simultaneously derided and appropriated from?

A collective of, in their own words, “Black Women, AfroIndigenous and women of color” have issued a statement on how they’re being treated by white feminism, academia, the mainstream media, and the rest of the social-justice-industrial complex:

As an online collective of Black, AfroIndigenous, and NDN women, we have created an entire framework with which to understand gender violence and racial hierarchy in a global and U.S. context. In order to do this however, we have had to shake up a few existing narratives, just like K. Michelle and her infamous table rumble on Love & Hip Hop.

The response has been sometimes loving, but in most cases we’ve faced nothing but pushback in the form of trolls, stalking. We’ve, at separate turns, been stopped and detained crossing international borders and questioned about our work, been tailed and targeted by police, had our livelihoods threatened with calls to our job, been threatened with rape on Twitter itself, faced triggering PTSD, and trudged the physical burden of all of this abuse. This has all occurred while we see our work take wings and inform an entire movement. A movement that also refuses to make space for us while frequently joining in the naming of us as “Toxic Twitter.”

Read the statement from @tgirlinterruptd, @chiefelk, @bad_dominicana, @aurabogado, @so_treu, @blackamazon, @thetrudz, as well as #ThisTweetCalledMyBack on Twitter, for a critical perspective on the role of intersecting racism and sexism in how activist work is valued. If you’ve ever been dismissed as “just an Internet activist” or told to get off your computer and out in the streets, then you need to read this essay. If you’ve ever dismissed someone else as all talk, and no action, not like those real activists who are running big street protests, then you need to read this essay. And if both are true for you, then you need to read this essay.

[syndicated profile] cakewrecks_feed

Posted by Jen

Welcome, my fellow gutter-minded malcontents! Prepare to get your juvenile giggles on, because today, we are all 12-year-old boys.

Oh, the irony.

[insert Peter Pan joke here]


"AARG! HULK TENSE! HULK... TRY RELIEVE TENSION."


I bet this is the last time BJ's Wholesale Club abbreviates its name:


Anyone else getting kind of a dirty vibe off this butterfly?

(No seriously, why is the end dirty??)


IT'S NOT WHAT YOU THINK:

Unless you think that's supposed to be a bronze pear statue. Which it is. Allegedly.


Baby, You're A Firework!

...in need of medical attention.


The Girls' Night Out:

No, I mean literal girls. They're babies. In bed. With unusually pert pacifiers.


This was supposed to say, "Germany, here we come!"

Looks like "Germany" will be smacking the ceiling with a broom tonight.


A Very Happy Butterfly:


And an even happier frog:

THAT IS SO NOT RIGHT.


A Cake Wrecks classic, and one of my earliest posts:

I love that someone - either the customer or the decorator - felt that "sexual harassment" needed to be illustrated. And I realize the decorator can't be expected to be Picasso or anything, but check out how far the girl's feet are off the ground. Either that was the Spank Heard 'Round the World, or she's on an invisible step while Chuckles there digs for gold.


And finally, one older still:

GOOD LUCK IN CHINA!

If you haven't read the full back story by Scott of Basic Instructions - who has since become both a dear friend and an excellent author, btw - grab a tissue for the tears of laughter, and go check it out. Good stuff.


Thanks to Melissa M., Mark F., Steve S., Lesley W., Diana M., Elisabeth M., Gina C., Sarah R., Bijan P., & Melanie D. for making so many people giggle-snort as quietly as possible while at work. (YOU KNOW WHO YOU ARE.)


[syndicated profile] accidentallyincode_feed

Posted by Cate

Jeddah Marriott no women sign

Credit: Wikimedia

I sent my initial Corporate Feminism and Thankless Emotional Labour post to someone for feedback, and they suggested I add some action items to help. I think some of them are in our bingo card, but it’s worth breaking out.

Really it comes down to: 1) ask for less. 2) give back more. 3) recognise and appreciate.

Ask for Less

  • Prioritise more impactful requests, and explain why the initiative is impactful in the ask: E.g. “can someone give a presentation at [school]” becomes “We would love to send someone to give a presentation at [school], they currently have [% female students] up from [change] and have [some recent achievement that highlights why they are worth supporting].”
  • Do the research on what is required: e.g. “can someone give a presentation in [location] on [date]” becomes “can someone give a presentation of [time] minutes to an audience of  [audience description], suitable topics would be [list of high level topics]. The event is based in [location], travelling from [office location] will get you there in [timeframe, suggested transport].”
  • Provide admin or events support: it seems some organisations think it is “scrappy” for engineers to do this. In my opinion, this is typically not “scrappy”, but inefficient. If it is at all cost effective, it is only because your engineers are working extra hours they would not otherwise on this, and very few engineers make good event planners (myself included). This was one of the things I really appreciated at IBM, and at a recent event at Facebook I noticed the engineers running it had a ton of help, which was great.

Give Back More

  • Beyond the pipeline: provide events and support for the women who are there, rather than just asking them to take on the extra job of pipeline work. Cisco and Facebook have annual internal conferences for the women who work there. Extra training, mentorship and sponsorship programs are also good. The data’s pretty clear – stuff happens. But I think it’s easier to handle that in a company that shows they are committed to retention rather than one where they seem determined to pretend the pipeline is the main, even the only, problem.
  • Coaching and training: the #1 reason I have heard from women who don’t want to speak at events is fear. I have never seen any offer to help with this beyond “we have a slide deck someone else prepped that you can just use” (I always imagine that would lead to a terrible talk). This means that the burden falls disproportionately on the women who are not too terrified to speak, but some investment in training might go a long way to addressing this. E.g. “if you are not comfortable speaking, haven’t spoken before, or haven’t spoken in a while, we can arrange coaching with [expert] who will help you prepare.” – added bonus for the volunteer and their manager, these skills will almost certainly help elsewhere, too.
  • Book travel and take care of expense reports: not everyone will want this, but the offer will build goodwill, it is also really helpful for engineers with managers who are not supportive.

Recognition and Appreciation

  • Say thank you: I can’t believe I need to include this here. A timely “thanks for your participation in this event, here is some positive feedback we received, which I will share with your manager” goes a long way.
  • If hiring, recognise like hiring: If there are stats on things like: interviews conducted, resumes submitted, etc, include “external events” or “talks” as well and recognise in line with other hiring metrics.
  • If leadership, recognise like leadership: When considering promotion, or project allocation, if considering someone who planned and led an event or a program, consider that leadership not niceness.

Christmas Shipping Deadline

Dec. 17th, 2014 05:00 am
[syndicated profile] xkcd_feed
The US Christmas shipping deadline for the xkcd store is December 19th! If you want to get anyone xkcd Christmas presents, you should order by then.

The xkcd store features body slipcovers, secret passageway concealers, picture tape, and more!

Banks: Park-n-Fly Online Card Breach

Dec. 16th, 2014 06:04 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service that allows customers to reserve spots in advance of travel via an Internet-based reservation system. The security incident, if confirmed, would be the latest in a string of card breaches involving compromised payment systems at parking services nationwide.

In response to questions from KrebsOnSecurity, Park-n-Fly said it recently engaged multiple outside security firms to investigate breach claims made by financial institutions, but so far has been unable to find a breach of its systems.

“We have been unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions,” Michael Robinson, the company’s senior director of information technology, said in an emailed statement. “While this kind of incident is rare for us based on our thousands of daily transactions, we do take every instance very seriously. Like any reputable company involved in e-commerce today we recognize that we must be constantly vigilant and research every claim to root out any vulnerabilities or potential gaps.”

Park-n-Fly’s statement continues:

“While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated. We have made all necessary precautionary upgrades and we just upgraded on 12/9 to the latest EV SSL certificate from Entrust, one of the leading certificate issuers in the industry.”

Nevertheless, two different banks shared information with KrebsOnSecurity that suggests Park-n-Fly — or some component of its online card processing system — has indeed experienced a breach. Both banks saw fraud on a significant number of customer cards that previously — and quite recently — had been used online to make reservations at one of Park-n-Fly’s more than 50 locations nationwide.

Unlike card data stolen from main street retailers, which can be encoded onto new plastic and used to buy goods in physical retail stores, cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.

The stolen CVVs that bank sources traced back to Park-n-Fly are among thousands currently for sale in four large batches of card data (dubbed “Decurion”) being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot and Target. The card data ranges in price from $6 to $9 per card, and includes the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Cards that banks traced back to Park-n-Fly were all for sale at Rescator’s shop.

Last month, SP Plus — a Chicago-based parking facility provider — said payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were hacked after thieves installed malware that let them capture credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime store called Goodshop.

In Missouri, the St. Louis Parking Company recently disclosed that it learned of a breach involving card data stolen from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014.

[syndicated profile] cakewrecks_feed

Posted by Jen

Picking my 10 favorite ugly wedding cakes is like picking my 10 favorite children, only way easier since I don't have any kids.

BEGIN.

And because nothing tops fried eggs and entrails:

Mmm. Shiny.

 

Thanks to Anita R., Julie R., Joshua P., Anony M., Frank W., Gina H., Michelle C., Miranda R., & Tracy C. for having the guts to send that last one in.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

My New & Improved Steampunk Tree!

Dec. 16th, 2014 09:00 am
[syndicated profile] epbot_feed

Posted by Jen

I've been spending all my time crafting the Harry Potter tree this month, but in order to make room for it I had to combine last year's two trees into one - so I thought you'd like to see!

I mixed together elements of the steampunk tree - which had lots of jewel tones, copper, and amber lights:


 ...with my not-really-themed-but-sort-of-classic-reds-and-vintage-paper tree:


The result is a mix of copper, bronze, red, paper, and gold - and for something thrown together in an afternoon, I'm kind of liking the new Franken Tree:


The steampunk elements are smaller (I plan to add larger gear ornaments & goggled top hats, but sweet StayPuft, where is the time going?!) but once you get closer you can see all the copper wire spirals, clock-hand snowflakes, hot air balloons, etc.


 You readers have sent me lots of goodies on the tree, from little steampunk robots to laser engraved pins from the museum exhibit that featured my Lady Vadore costume in 2012: 



 The clock-hand snowflakes were a gift last year from my friend Sharyn, who made them herself. Aren't they gorgeous? She also made me this fun steampunk pinecone from faux leather:

John and I don't have sentimental ornaments from our childhoods or early years together, so it's fun building up a cache with memories attached. Whether it's a gift or something we made ourselves, I like that now more and more of what's on our trees actually means something.

Happy to say that after three years our balloons are still holding up great, as is my homemade tree flocking!


 

Oh, and that paper garland I made last year? I packed it in rows of three in a long skinny box, so it didn't take up much room at all - and it's still in perfect condition after a year packed away:


I think (hope?) the vintage book paper adds to the Victorian vibe, along with these glass birds:
 
 

 It was hard leaving all the shiny fuchsia and teal ornaments packed away this year, but worth it, I think, to make room for Potter.

Oh, and the final touch:


Because Trekkie forever.

 :)
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

A letter from Sony’s lawyers.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.

This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:

“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”

Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. “The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,” he writes.

Volokh concludes that Sony is unlikely to prevail — “either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.”

This is actually the second time this month I’ve received threatening missives from entities representing Sony Pictures. On Dec. 5, I got an email from a company called Entura, which requested that I remove a link from my story that the firm said “allowed for the transmission and/or downloading of the Stolen Files.” That link was in fact not even a Sony document; it was a derivative work — a lengthy text file listing the directory tree of all the files stolen and leaked (at the time) from SPE. Needless to say, I did not remove that link or file.

Here is the full letter from SPE’s lawyers (PDF).

Top 12 Mean-But-Funny Cakes

Dec. 15th, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

I'm not saying it's right.
I'm just saying we laughed.


Thanks to Beth H., Eileen, Erin K., Michelle H., Wendy B., Sherrie, Cody W., Jennifer H., Birdy, Janna, Lynne R., & Erin W. for the slice of snark.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Some Thoughts About Harassment

Dec. 15th, 2014 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

aliens see no evil hear no evil speak no evil

Credit: Flickr / Aaron Logan

I don’t like to talk about the online harassment I experience, not least out of guilt, because I seem to get off lightly.

The past couple of weeks though, have been hard. There were two lists, and my name was on the short one. People I know, and like, were exclaiming “lol I’m on this list” and I was privately messaging people to say, not lol. Be careful. It got to me.

And then we have the 25th anniversary of the École Polytechnique. It hits close to home, following that, and Canada, where I lived for years. Where I felt safe. In part because of the after-effects of such an event.

Then I’ve noticed a slight uptick in the kind of… snide comments. A little extra mansplaining. They’re not harassment, but they are not exactly nice either. If everything I said online got such a response, no doubt it would really start to get to me.

I am not, in general, a fearful person. People have sometimes described me as brave, (or stupid!). I have travelled all over the world, sometimes alone, sometimes to countries that are not popular tourist destinations. I have been at times physically intrepid, particularly when attached to a pair of skis.

But there are some things I have come to find anxiety inducing.

I have come to be wary of most nerdy boys, and fearful of some.

I am panicky faced with the prospect of sitting next to a strange man on an overnight flight.

I am afraid of online harassment going offline, and of the likelihood of it being a woman I know, a woman who I am friends with, or would like to be.

All of these things have a very real impact on my life. When I decided to leave my tech job I worried about normal things – could I get another one, if I wanted? The prospect of failure. The general misogyny of the tech industry and it being no better elsewhere. And I worried about getting harassed more, and what I would do if it stepped up.

It did, once I removed the name of my former employer from my twitter profile. But it is still manageable. I am still lucky.

So I still write code (although of late I manage to avoid nerdy boys), I still fly, I still speak my mind.

I brace myself, though, before I hit tweet, before I hit “schedule” on a blogpost (and after, frankly). Whenever I get some extra attention. I wonder, is this going to be the time when they come after me?

So far, so lucky.

There is no winning. I have little empathy for the men (and women) who seek to perpetuate a culture of misogyny, but they subjugate and constrain themselves. For me, silencing myself is, at least right now, not the way I choose to lose.

It’s nearly 2015… didn’t we all think, that we would be doing better than this?

 

how hard is this final going to be???

Dec. 14th, 2014 10:30 pm
[syndicated profile] evopropinquitous_feed

Ah, final exam time.

My dear, sweet student… although I appreciate that you took the time to find my tumblr, and that you are reaching out to me in this time of great intellectual fervor and foment we’ve come to know colloquially as Dead Week (RRR week, for the purposes of campus politesse), I cannot give you this information here as it would unfairly disadvantage my 280+ other dear, sweet students in your class.

I will, however, reiterate what I said in lecture: study hard but with an intelligent eye towards the types of details that were expected on the second exam, go to office hours tomorrow (the schedule is on the course site), study broadly as the exam is comprehensive but with some depth regarding the topics that were implied to be most important (e.g., know the biological systems we learned from gene to phenotype well enough to repeat them without prompt, and remember that there will be some emphasis on the topics covered since the second exam).

And as the fabulous ball-goer above asserts: don’t be gaggin.

Let’s recontextualize this to mean: don’t stress too much (and take dance breaks).

Good luck on Tuesday!

Profile

terriko: (Default)
terriko

Page generated Dec. 22nd, 2014 09:16 pm
Powered by Dreamwidth Studios