Posted by Russ Ray on November 20, 2009
From Threat Level:
A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue. Blogger David Chen, writing at chenosaurus.com, recently discovered he could easily gain remote access to an administrative page served by the router that would allow him greater control of the device.
A hacker who wanted to target a specific router and change its settings could access a customer’s admin panel from anywhere on the net through a web browser, log in with the master password, and then start tinkering. Among the possibilities, the intruder could alter the router’s DNS settings — for example, to redirect the customer’s browser to malicious websites — or change the Wi-Fi settings to open the user’s home network to the neighbors.
An evil hacker could easily automate a scanning tool to sweep through Time Warner’s address space and hack every SMC8014 it finds. “From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks,” Chen wrote on his blog. “Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.”
Posted in ADM 316, Internet, Networks, Security
Posted by Russ Ray on November 19, 2009
Do you think everything you publish on the internet is private? Think again…
Two Indiana teenagers have sued their school district after they were punished for posting suggestive photos on MySpace. The girls, 10th-graders at Churubusco High School in Churubusco, Indiana, say they were humiliated after the school banned them from fall semester extracurricular activities and forced them to apologize to the all-male Athletics Board (composed of varsity coaches). The girls also had to attend three counseling sessions.
The American Civil Liberties Union has filed the proposed class-action suit on behalf of the girls and all present and future students at the school who participate or may participate in extracurricular activities. The ACLU argues the district violated the girls’ First Amendment rights and should not have punished them for activities conducted outside school. The suit names the girls’ high school, school district and principal.
According to the complaint, the photos in question were taken at a slumber party that occurred during the summer school break. The girls were photographed “pretending to kiss or lick a large multi-colored lollipop shaped (like a) phallus.” Other pictures showed them in lingerie with dollar bills tucked into the underwear. The girls each posted the pictures to their MySpace pages. Only “friends” could view the photos on their pages. But after someone copied the images, they found their way to the school principal.
According to the school’s student handbook, the principal “may exclude any student-athlete from representing Churubusco High School if his/her conduct in or out of school reflects discredit” upon the school or creates a “disruptive influence on the discipline, good order, moral, or educational environment” at the school.
There are a lot of interesting comments attached to this article. Many of them get back to the age-old argument of whether or not the school has a right to suspend a student for something that happened off-campus. Even more interesting is the idea that these students (and whoever leaked the photos to the principal) could have been charged with distributing child pornography for posting pictures of themselves while underage and committing what would appear to be sex acts.
I’m pretty sure that when Al Gore invented the internet, he never considered anything like this would happen. Hat tip to Threat Level.
Posted in ADM 316, Internet, Law, Mass Media, Networks, Privacy
Posted by Russ Ray on November 18, 2009
While HIPAA protects your personal healthcare data and mandates that you approve the release of said data to other healthcare professionals and your insurer, it appears that what these outside data management companies are doing is legal, even if it sounds distasteful.
When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records. But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.
The revelation comes in a recent New York Times article about how so-called “scrubbed” patient data isn’t as anonymous as people think. The piece focuses primarily on how anonymized data can be cross-bred with other publicly available databases, such as voting records, which subverts the anonymity. Buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health care providers, but by third-party vendors who provide medical-record storage in the cloud.
As part of their contracts with the vendors, doctors are agreeing to let some vendors access and collect the patient data, scrub it of personally identifying information, and sell it in bulk to pharmaceutical companies and other buyers, the Times reports.
George Hill, an analyst at Leerink Swann, a health care investment bank, told the Times that the market for health record systems is $8 billion to $10 billion annually. About 5 percent of this income comes not from the sale of information systems but from the sale of data and analysis. As more physicians and hospitals — spurred by federal incentives — switch to electronic recordkeeping, revenue from the sale of health data could grow to $5 billion, Hill said.
Vendors say they re-sell the data for research purposes and scrub it of identifying information first to protect patient privacy. But in 1997, Latanya Sweeney, director of the Data Privacy Lab at Carnegie Mellon University, showed how she was able to pick out the medical records of William Weld (then the governor of Massachusetts) from scrubbed medical information published by the state’s insurance commission by simply correlating the anonymized data with birthdays, ZIP codes and gender information published in the state’s voter-registration rolls.
According to Sweeney, 87 percent of the U.S. population can be uniquely identified simply from their birthdate, gender and zip code. Patient advocate groups have called for greater oversight and regulation of the electronic health-record industry to control what software vendors can access and what they can do with the data.
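One way to audit a "scrubbed" data set for the linkage risk Sweeney describes, as an added example that is not from the article or from any vendor: it counts how many records are unique on birthdate, ZIP code and gender, then coarsens those fields and suppresses what is still unique before release. The sample rows, the field names and the generalization rule (birth year only, three-digit ZIP prefix) are constructed assumptions.

```python
from collections import Counter

QUASI_IDS = ("birthdate", "zip", "gender")

# Constructed sample of a "scrubbed" release: names removed, quasi-identifiers kept.
SCRUBBED = [
    {"birthdate": "1950-04-02", "zip": "02138", "gender": "M", "dx": "A"},
    {"birthdate": "1950-11-19", "zip": "02139", "gender": "M", "dx": "B"},
    {"birthdate": "1962-03-14", "zip": "02139", "gender": "F", "dx": "C"},
    {"birthdate": "1962-09-02", "zip": "02134", "gender": "F", "dx": "D"},
    {"birthdate": "1980-01-05", "zip": "02446", "gender": "F", "dx": "E"},
    {"birthdate": "1980-01-05", "zip": "02446", "gender": "F", "dx": "F"},
    {"birthdate": "1931-12-24", "zip": "01060", "gender": "M", "dx": "G"},
]

def _key(row):
    return tuple(row[q] for q in QUASI_IDS)

def class_sizes(rows):
    """How many rows share each (birthdate, zip, gender) combination."""
    return Counter(_key(r) for r in rows)

def k_anonymity(rows):
    """Size of the smallest class; 1 means some row is unique and linkable."""
    return min(class_sizes(rows).values())

def unique_fraction(rows):
    """Share of rows that a join on the quasi-identifiers would single out."""
    sizes = class_sizes(rows)
    return sum(1 for r in rows if sizes[_key(r)] == 1) / len(rows)

def generalize(row):
    """Coarsen the quasi-identifiers: birth year only, three-digit ZIP prefix."""
    return {**row, "birthdate": row["birthdate"][:4], "zip": row["zip"][:3] + "**"}

def prepare_release(rows, k):
    """Generalize, then suppress rows whose class is still smaller than k."""
    coarse = [generalize(r) for r in rows]
    sizes = class_sizes(coarse)
    return [r for r in coarse if sizes[_key(r)] >= k]

if __name__ == "__main__":
    print("raw: k =", k_anonymity(SCRUBBED), "unique =", unique_fraction(SCRUBBED))
    released = prepare_release(SCRUBBED, k=2)
    print("released:", len(released), "rows, k =", k_anonymity(released))
```

The check only bounds linkage through the three listed fields; any other column that also appears in public records has to be added to `QUASI_IDS` before the result means anything.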
Hat tip to Threat Level. This link also has an image indicating who really has access to patient data, courtesy of PatientPrivacyRights.org.
Posted in ADM 316, Law, Privacy, Security
Posted by Russ Ray on November 12, 2009
All of Germany was bamboozled Thursday by a bizarre scheme that tricked the country’s main wire service into reporting an attempted suicide bombing in a California town — an attack supposedly perpetrated by a non-existent rap group called the “Berlin Boys.”
The work of German filmmakers peddling a satirical movie called Short Cut to Hollywood, the elaborate hoax involved at least two faked websites, a faked Wikipedia entry and California phone numbers for “public safety” officials that were actually being answered by hoaxsters in Germany using Skype.
The hoax has transfixed this country. It prompted a 1,000-word tome on the website of Frankfurter Allgemeine Zeitung, Germany’s most respected newspaper, and even a press conference denouncing the incident by the DPA – the German wire service responsible for first disseminating the news about the “attack.”
The hoax’s effect was felt thousands of miles away, as a flood of concerned phone calls from Germany jammed the switchboards at the San Bernardino County Sheriff’s office, which has jurisdiction over the supposed bombing site in California.
“This is frustrating and a waste of our resources,” said office spokesman Arden Wiltshire, who was awakened at 5 a.m. Thursday to try and sort out the crisis. Wiltshire worries that dispatchers could have missed important calls to deal with the Germans.
“We’re sorry for what happened; we, too, were victimized,” said Justus Demmer, a DPA spokesman.
More details here… just shows you the power of the internet in media these days. Too bad that sometimes being fastest to the story means that you have the wrong story or no story at all.
Posted in ADM 316, Communication, Mass Media, Networks, Security
Posted by Russ Ray on November 11, 2009
Last month, hackers impersonated a national advertiser, broke into the New York Times online advertising operation and substituted their ads for fake virus warning pop-ups.
Readers who clicked on the ad found their browsers hijacked while a fake virus-scan was displayed. If they allowed the malicious website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.
Eastern European cybercrooks have been running an identical scam all month using search engine optimization techniques to promote their scammy websites to the top of Google search results on popular queries… The Times declined to identify the “national advertiser” the scammers originally impersonated.
Which is more alarming: the NYT has such an insecure advertising feed network or that the NYT was duped into thinking these guys were a national advertising account?
Posted in ADM 316, Internet, Networks, Security
Posted by Russ Ray on November 10, 2009
You may have heard the name of Lori Drew in the news. She was the mother accused of running a cyberbullying scheme against a 13-year-old girl who was a rival of her daughter. Drew created a fake MySpace profile of a teenage boy who pretended to have a romantic attraction to Megan Meier. When Drew (as the fake profile) broke off their relationship, Meier committed suicide. The government argued that violating MySpace’s terms of service amounted to computer hacking, but the judge overturned the jury verdict and deemed she was not guilty. The prosecution is now considering an appeal.
HR 1966 (introduced by Linda Sanchez of California) would ban hostile or harassing speech in e-mail, instant messaging, blogs, websites, telephones and text messages with the intent to cause emotional distress. If the bill were liberally interpreted, I’m assuming that would open up about 85% of the internet to Federal indictments.
Posted in ADM 316, Communication, Internet, Law, Mass Media, Networks
Posted by Russ Ray on November 9, 2009
Here’s a Monday morning funny, courtesy of GraphJam:

Posted in ADM 316, COM 110, COM 115, MGT 205, Visual Aids
Posted by Russ Ray on November 6, 2009
Sounds like the definition of a classic phishing scheme:
The indictment charges that cyberthieves located in Egypt used classic phishing tactics to direct victims to phony Web sites, where they entered passwords, account numbers, and other data. That info was used to hack into accounts at two banks. Money was transferred from the compromised accounts to fraudulent accounts created by “runners” recruited by the U.S.-based co-conspirators.
Posted in ADM 316, Internet, Privacy, Security