Nihilistic Security Questions

From McSweeney’s by way of Facebook.  This very nearly killed me.  For those who don’t know me, basic user security for staff where I work is one of the things that keeps me up at night …..


NIHILISTIC PASSWORD SECURITY QUESTIONS.

BY

– – – –

What is the name of your least favorite child?

In what year did you abandon your dreams?

What is the maiden name of your father’s mistress?

At what age did your childhood pet run away?

What was the name of your favorite unpaid internship?

In what city did you first experience ennui?

What is your ex-wife’s newest last name?

What sports team do you fetishize to avoid meaningful discussion with others?

What is the name of your favorite canceled TV show?

What was the middle name of your first rebound?

On what street did you lose your childlike sense of wonder?

When did you stop trying?

One avenue of pursuit

UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers
eWeek (06/08/11) Fahmida Y. Rashid

Researchers at the University of Texas at Austin’s Center for Research in Electronic Commerce recently launched SpamRankings, a Web site that identifies the names and addresses of organizations that are helping send out spam.

The site will publicize spam havens–organizations that have been taken over by spammers.

The site’s creators are hoping the publicity will pressure organizations to improve their security and spam-prevention efforts. The researchers’ initial focus will be on health-care providers that have been infected by spam bots, with future versions of the project including banking and Web hosting providers.

Last month SpamRankings identified Belgium’s WIN autonomous system as the biggest spam sender in the world.

“Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers,” says center director Andrew Whinston. The researchers worked with Team Cymru, which tracks cybercrime activity, to analyze and correlate Internet protocol addresses with the organizations that own them.
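The mechanics behind a ranking like that are simple to sketch: take the source addresses seen by spam traps, map each one to the autonomous system that announces it (longest-prefix match, the same rule a BGP router uses), and count per organization. The block below is an added example written for this post, not SpamRankings’ or Team Cymru’s code. The prefix table and the spam-trap log are constructed inline using documentation address ranges and private-use ASNs (64496 and up), so it runs offline; the real service would query Team Cymru’s IP-to-ASN mapping instead.

```python
"""Rank organizations by spam-trap hits from their address space.

Added example, not SpamRankings or Team Cymru code. The prefix table
and log below are constructed (RFC 5737 documentation ranges, private
ASNs) so the script runs offline.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed prefix -> (ASN, org) table. A more-specific prefix (the /25)
# overrides the /24 that contains it, exactly as in a routing table.
PREFIX_TABLE = {
    "192.0.2.0/24": (64496, "EXAMPLE-HOSPITAL-NET"),
    "198.51.100.0/24": (64497, "EXAMPLE-BANK-NET"),
    "198.51.100.128/25": (64498, "EXAMPLE-CLINIC-NET"),
    "203.0.113.0/24": (64499, "EXAMPLE-HOSTING"),
}

# Constructed spam-trap log: "<timestamp> <source_ip> <trap address>".
# Includes an unrouted private address and a malformed line on purpose.
SPAM_LOG = """\
2011-05-01T00:00:01Z 192.0.2.15 trap1@example.net
2011-05-01T00:00:02Z 192.0.2.15 trap2@example.net
2011-05-01T00:00:03Z 192.0.2.77 trap1@example.net
2011-05-01T00:00:04Z 198.51.100.200 trap3@example.net
2011-05-01T00:00:05Z 198.51.100.9 trap1@example.net
2011-05-01T00:00:06Z 203.0.113.44 trap2@example.net
2011-05-01T00:00:07Z 203.0.113.44 trap2@example.net
2011-05-01T00:00:08Z 10.0.0.5 trap1@example.net
2011-05-01T00:00:09Z not-an-ip trap1@example.net
"""


def build_table(raw):
    """Parse the prefix table and sort most-specific first for LPM."""
    rows = [(ipaddress.ip_network(p), asn, org) for p, (asn, org) in raw.items()]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, ip):
    """Longest-prefix match. Returns (asn, org) or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn, org in table:
        if addr in net:
            return asn, org
    return None


def rank(log, table):
    """Return ([(asn, org, messages, distinct_ips), ...], unmatched_lines).

    Ranked by message count, then by distinct sending IPs, then ASN.
    Distinct IPs are reported separately because one chatty bot and a
    hundred infected hosts are very different problems for the owner.
    """
    hits = Counter()
    sources = defaultdict(set)
    names = {}
    unmatched = 0
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            unmatched += 1  # malformed source field
            continue
        match = lookup(table, parts[1])
        if match is None:
            unmatched += 1  # private/unrouted space: nobody to name
            continue
        asn, org = match
        hits[asn] += 1
        sources[asn].add(parts[1])
        names[asn] = org
    ranking = [(asn, names[asn], n, len(sources[asn])) for asn, n in hits.items()]
    ranking.sort(key=lambda r: (-r[2], -r[3], r[0]))
    return ranking, unmatched


if __name__ == "__main__":
    ranking, skipped = rank(SPAM_LOG, build_table(PREFIX_TABLE))
    for asn, org, msgs, ips in ranking:
        print(f"AS{asn} {org:24s} messages={msgs} sending_ips={ips}")
    print(f"unmatched lines: {skipped}")
```

Two caveats a practitioner would attach to any such ranking: the organization named is the one that announces the prefix, which for a hosting provider or ISP is usually not the party whose machine is infected, and a single NAT gateway can make a whole campus look like one sending IP, which is why the distinct-IP column is kept alongside the raw count.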

And they didn’t have to steal a laptop …

In one of the larger medical data thefts reported, personal health data for about 1.7 million New York City patients, hospital staffers and others was stolen on Dec. 23 from an unlocked van in Manhattan, the New York Times reports.

The electronic record files, which were stored on 20 years’ worth of magnetic tapes, contained personal information, protected health information or personally identifiable employee medical information on patients and workers, including names, addresses and Social Security numbers, according to the Wall Street Journal and the New York City Health and Hospitals Corporation. The van belonged to GRM Information Management Services, the city’s medical records vendor.

Those affected by this patient privacy breach include patients, contractors and vendors who were treated by and/or provided services over the last 20 years at Jacobi Medical Center, North Central Bronx Hospital or their offsite clinics which make up the North Bronx Healthcare Network.

“The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data,” New York City’s Health and Hospitals Corporation wrote in its data theft notification. So far, there is no evidence that the patient information has been inappropriately accessed or misused. Accessing the files would require technical expertise, officials said, according to the Wall Street Journal. That reassurance rests on the tape format rather than on encryption; compatible drives and restore software are commercially available, so “requires expertise” is a much weaker claim than “cannot be read without the key.”

Last Wednesday, HHC began mailing notification letters to victims in 17 languages including Bengali, Albanian and Urdu. It is offering free credit monitoring and fraud resolution services.

HHC has ended its relationship with GRM and filed a lawsuit Thursday against the company seeking to hold the vendor responsible for the costs of notifying those affected and any related damages.

Something new to worry about

Malware Aimed at Social Networks May Steal Your Reality
PC World (10/13/10) Darlene Storm

Researchers at Ben Gurion University, the Massachusetts Institute of Technology, and Deutsche Telekom Laboratories collaborated on “Stealing Reality,” a paper that predicts a new generation of malware based on social-networking data.

The researchers say the malware will target and extract information about relationships and record patterns of behavior in real-world social networks, a technique that will be more dangerous and harder to detect than traditional malware. A malware behavioral pattern attack can harvest a victim’s “rich identity” profile, which could be more valuable than the demographic information such as gender and age, according to the researchers.

“A Stealing Reality type of malware attack, which is targeted at learning the social communication patterns, could ‘piggyback’ on the user-generated messages, or imitate their natural patterns, thus not drawing attention to itself while still achieving its target goals,” the researchers write.

Such attacks could be particularly problematic because “the victim of a ‘behavioral pattern’ theft cannot easily change his or her behavior and life patterns.”

It’s a Party

Join TV geek Adam Savage, and a cast of EFF legends and luminaries at EFF’s 20th birthday party! Our birthday fundraiser on February 10th will celebrate two decades of digital freedom-fighting in San Francisco’s world-famous DNA Lounge.

Adam will present a unique look back and forward to the founding and the future of digital rights. DJs Adrian & the Mysterious D, the duo that founded the seminal, globe-trotting mashup party “Bootie,” will get people moving with their genre-mashing blend of tracks, with guest DJs dropping sets throughout the evening. It’s a once in a lifetime event for those who love freedom, technology, and celebration!

EFF’s 20th Birthday Fundraiser
with Adam Savage and Surprise Special Guests!

Wednesday, February 10, 2010, at 8 PM
DNA Lounge
375 Eleventh Street
San Francisco, CA 94103

We’ll be asking for a $30 donation at the door to fund our work defending your digital freedom. Purchase tickets in advance from the DNA Lounge!

This is an all ages event. Please RSVP to events@eff.org.


VIP Event with Adam Savage, John Perry Barlow, Mitch Kapor, John Gilmore, Mark Klein, Steve Jackson and more!


Join EFF for a special VIP event with Adam Savage, and EFF founders and luminaries! For a special donation of $250, you’re invited to attend our VIP event before the birthday party, where you can meet many of the amazing people who helped EFF reach this historic milestone. Special VIP donors receive free admission to the birthday party, which starts immediately afterward, as well as a commemorative EFF 20th Anniversary poster. The VIP event begins at 7 PM.

For access to this special reception, visit the VIP Event page.

And another dumb thing

My credit union has a Facebook page.  Wants me to be a fan, because it’s good policy to tell everyone on the internet where you bank (especially if you do a lot of quizzes that have personal info on them).

Feh.  What are they thinking?

My Paranoiaz, watch them grow

Researchers Take Over Dangerous Botnet
Dark Reading (05/04/09) Higgins, Kelly Jackson

University of California-Santa Barbara (UCSB) researchers temporarily commandeered an infamous botnet known for stealing financial data and found that the threat it represents is even greater than had been originally assumed.

The Torpig/Sinowal/Anserin mini-botnet targets organizations and users to steal bank account information or other sensitive personal data. It is considered more dangerous than big-name botnets because of its small scale and stealthiness. Torpig uses drive-by download attacks as its initial mode of infection, and upon infection the botnet can unleash crafty phishing attacks that produce bogus but authentic-looking Web pages and forms that trick users into exposing their credentials.

The UCSB researchers accumulated approximately 70 GB of data for the 10 days they were in control of Torpig, and in that period the botnet stole banking credentials of 8,310 accounts from more than 400 financial institutions, including PayPal, Capital One, E-Trade, and Chase. Nearly half of the 1,660 stolen debit and credit card accounts the researchers counted belonged to victims in the United States.

“The level of sophistication, the amount of data that it is able to steal, and the fact that it has been active for more than three years is truly remarkable,” says UCSB researcher Brett Stone-Gross. The researchers’ disclosures provoked debate on whether the information they exposed about Torpig, its workings, and its victims could compromise efforts to eventually undo the botnet. “This [research] does create a road map … for the [botnet] criminals to fix, and not just for others to exploit,” says RSA’s Sean Brady.