Sears and Kmart Websites Install Spyware on Computers

Bad Sears, BAD!

The sick thing about this story is that the spyware wasn't a hack against these companies, but was planned and sanctioned by the companies.

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable. To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated "small" and said the data captured by the program was at all times secure and was then destroyed.

Remember that there are no laws currently to protect against the abusive data collection and sharing practices that many companies employ. Be careful with your data and don't trust even the most reputable-seeming companies to choose your privacy over the almighty dollar.


Key Duplication Issues

The police probably shouldn't have their keys hanging visible to the world.

I found this today online (thanks Bruce!). This story is about a guy who managed to duplicate the key used by Dutch police for their handcuffs.

The first main point to learn from this is that you have to be really careful when you walk around in public with identity badges or keys visible. They can be photographed from a great distance and duplicated at leisure (as in the example a while back where a researcher photographed a key on the ground from over 200 feet away and was able to make a working duplicate of it).

Second, he used a 3D printer to create the key from plastic instead of metal, which was cheaper, easier and something almost anyone can do (if they have or can get access to a 3D printer). It's worse because the key is plastic and won't trip a metal detector. But the issue that no one has talked about yet is the danger of the photo used to show off the key.

Here is the key, but something else important as well.

The person holding it (which I assume was the creator of the key) has fully visible fingers with ridge detail clear enough to possibly create a false fingerprint (just like he did with the key). In other words, by posting a photo showing his fingerprints, he may have just made the same mistake that the police did when they left their keys in the open to be photographed and copied.

Remember to always be careful when posting photos online.


Beware Blu-Ray Surprises


Simply put, media should be media, and programs should be programs. Putting code or commands into media like movies, music, e-mail, etc. allows for viruses or worse, and no one should have to worry about that. Well, worry.

If you put the new Blu-ray Iron Man movie into your computer it will try to connect to the Internet and download something (some horrible DRM program probably?).


Sarah Palin’s Private E-mail Account Hacked


Sarah Palin's Yahoo account has been broken into and e-mails found there posted to Wikileaks. I would say this was a pretty rotten thing to do, but the perpetrators claim they did it to prove that Palin has been using her private e-mail to circumvent recordkeeping laws about government business. If that's true, then perhaps this needed to happen.


Insult to Injury: Countrywide Data Breach Affects Millions


It isn't bad enough that Countrywide was engaging in questionable loan practices, but now they've lost the data on millions of customers as well.

And, as usual, the completely worthless response:

The company nevertheless promised to provide two years of free credit monitoring to affected individuals through the ConsumerInfo.com division of the Experian credit bureau.

*Sigh*


The World’s First “Unclonable” RFID Chip – Yeah Right


The website includes very loose information about what makes this chip so "uncloneable", but I highly doubt that it's true. An RFID chip is read by radio waves, and as long as you can make a chip, computer, or anything else that transmits replicate the signal that the original chip sent, you can clone it.

If they mean that you can't make one of these chips copy the data from another of these chips, I can see that as being possible, but what difference does that make in the end if I can use a different brand chip to open your secure door or travel the world in your name?


Stealing Cellphone Data Takes Only Seconds

Digital Pickpocketing

There's a small device that, when plugged into many cellphone brands (and the list is growing), can copy all data on the phone. In other words, if someone wanted to know every bit of data you have on your phone, they could ask to "borrow it for a second", plug this thing in when you weren't looking and hand it back.

While designed for law enforcement, this device is available to the public for only ~$200.

The rule: if your phone contains sensitive data, do not leave it unattended. If you loan it to someone to use because they tell you theirs is not working, make sure you actually see them using the phone and there is nothing connected to it.

How to Fly If You’re On the “No Fly List”


Bruce Schneier explains how easy it is to get past security and fly on a plane even if you're on the supposed "no fly list":

Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

His article on why the no-fly list and photo ID checks are useless against terrorists is here.


California Wireless Toll System Hacked

Bad security is worse than none in some cases

This is hardly surprising. The wireless toll systems use RFID and there isn't an RFID system yet that hasn't been hacked that I know of. Anyway, by cloning anyone's transponder, you can pass through the tolls while the other sucker pays the bill. Also useful for committing crimes in someone else's name.


Best Western Loses Full Details of All Customers From 2008 in Data Breach

Data breaches are about negligence; every time

Details of how to access the information - which included home addresses, place of employment and credit card details - were sold through an underground network operated by the Russian mafia.

And, again, if these companies would stop holding our credit card numbers far past the date that we used them, we wouldn't be having this problem.

Update

Best Western is contradicting the story, saying that it's exaggerated. More importantly, this:

Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.

If this is true, then how did they lose anything? Did they? The details are unclear.

