Security
June 10, 2010
114000 bad Apples and a Death Star

Even a casual observer of tech news probably noticed that a big chunk of the Fruit Pad’s early adopters had their email addresses exposed. Many of those were privileged social elites whom Apple has carefully cultivated as users, adding a feel of exclusivity to membership in its product cult.
A group of hackers exploited a hole in an AT&T Web site to get e-mail addresses of about 114,000 iPad users, including what appears to be top officials in government, finance, media, technology, and military.
The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson. (Cnet)
Once again, AT&T demonstrates that it is willing to under-invest in providing service while constantly looking to invest in expanding its footprint. While it’s a demonstration of how truly pathetic AT&T is at security, what really amazes me is how Apple remains unscathed. Do you really think Steve Jobs (the world’s biggest control freak) would enter into any arrangement with AT&T where Apple did not have involvement in the management of the network? Even if this can be made to stick entirely to AT&T, why did Jobs and Co. select it as the exclusive wireless carrier for a second high-volume product when its network continues to leave its current iPhone users waiting? At the very least, BOTH companies need to be taken to task for delivering a flawed product.
I predict that all of the elites who lost a bit of privacy will carry on using Apple’s products while bashing AT&T mightily. The tech press will pass lots of “big, bad AT&T gas” while remaining loyal fruit cult members. I wonder: has Apple bought off the press or simply brainwashed them? Does any rational person really want a portable “cloud” device/service that can’t even lock down an email list? AND… please tell me the .gov types weren’t using these devices for official communications.
May 26, 2010
Malware could be crippling business IT
Between complying with a constantly growing list of government mandates and doing today’s jobs with yesterday’s infrastructure while trying to cut spending, IT managers don’t have an easy job. Add to that supporting users and dealing with the damage they can do, and the job becomes daunting. It gets even worse when a growing portion of your staff is working from the other side of the planet while you sleep. How bad is the malware problem?
The results of Bit9’s “2010 What’s Running on Your Users’ Desktops?” survey, released Monday, uncovered PCs with a significant amount of non-business software, including games, toolbars, and torrent software. Of greater concern, IT pros surveyed also discovered malware, such as ransom-ware, Trojans, and Chinese spyware.
Among the 1,282 IT professionals questioned for the survey, 68 percent of them said they have software restrictions in place, but 45 percent said they still found unauthorized software on more than half of their client PCs.
Specifically, 46 percent of the IT folks surveyed said that spyware, malware, and unlicensed software continue to pose a problem by getting past traditional security methods. They also found that unauthorized or malicious software caused up to 25 percent of user downtime and calls to the help desk, leading to a drop in productivity. But 39 percent of the respondents also admitted they don’t have a software usage policy that specifically prohibits employees from downloading their own software.
As a result, only 32 percent of the IT pros surveyed said they felt confident their businesses would be safe from damage caused by unauthorized or malicious software this year. (Cnet)
Sure, there are a few easy fixes that can lighten the malware load (software restrictions and a usage policy that actually prohibits self-installed software, to start), but even a mistyped URL, say a misspelling of google.com, can land a user on a site that installs malware without any further action on the user’s part. Even if we step up enforcement, the perpetrators are hard to locate and are most often geographically outside the reach of the authorities.
Switching users to Linux or Mac is at best a short-term fix. When either platform gains enough users, the bad guys will certainly find a way to compromise them as well. Until someone comes up with a magic bullet, the trend will probably continue. Sadly, we will all shoulder the cost.
Filed under IT Business, Security by admin
May 14, 2010
Facebook flight on the rise and how to leave
Facebook’s disregard for user privacy and its so-what attitude have users fleeing the site. Even the devoted may be beginning to have doubts about the usefulness of a poorly secured site that shares everything with the highest bidder.
According to figures from Google, the largest search engine, global queries for “delete Facebook account” have more than doubled in the past week, reaching a high.
Most of those searches came from the US, where the phrase was in Google’s top ten “hot trends” on Friday. (FT.com)
Troubled? You can just delete your Facebook account, right? Actually, it’s a little more complicated to completely remove it (you’ll find step-by-step directions here):
Facebook makes it pretty easy to deactivate your account which will temporarily hide your information. However, if you want to permanently remove your information, the “permanent delete” option is much harder to find. This article will cover two easy ways to erase your Facebook account so you can Quit Facebook forever. (Wikihow)
Meanwhile Facebook announced new privacy tools to help thwart hackers:
The new security features, unveiled Thursday, include giving members the ability to approve which devices they commonly use to log on to Facebook — a home computer or a mobile phone, for example — through an “Account Settings” page.
“Once you’ve done this, whenever someone logs in to your account from a device not on this list, we’ll ask the person to name the device,” Facebook software engineer Lev Popov said in a blog post. (Yahoo)
Unfortunately Facebook has done nothing to address the issue of the company itself selling user data. That problem is not unique to Facebook, but the silver lining to its arrogance and blunders may be illuminating how common this deplorable business practice is in corporate America.
Filed under Security, Social networks, rip offs by admin
April 26, 2010
Massachusetts adds to the IT compliance burden
As the keeper of all of an organization’s information, IT has become the target of ever-increasing compliance demands from every imaginable government entity. The demands come not just from the “series of tubes” folks in the US Senate but from the states as well. Massachusetts has launched a new salvo that is likely to impact almost every business in the country. If you have customers in MA, you’re compelled to comply or suffer the consequences:
Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read InformationWeek’s “States’ Rights Come to Security Forefront: Massachusetts’ new data protection law reaches beyond its borders. Are you ready?” It’s one of the best summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.
Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.
Perhaps just as much fun is the fact that to be compliant with the law your company will also need to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts. The WISP must address and outline your business’s “technical, administrative, and physical safeguards” that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again. (SQL Mag)
Is encrypting customer data a good idea? Of course! In fact, I’ll bet the largest organizations will easily comply if they aren’t already up to snuff. After all, the bigger the database, the more attractive it is to criminals. For the small and medium-sized business, where the risks of stolen data are much lower, the costs of compliance could be prohibitive. The internet really is the great equalizer: it has enabled a single state to make demands on every IT organization in the world.
Filed under Legislation / Regulation by admin
April 23, 2010
Is Google streetview also collecting Wifi data?
When Google says “do no evil”, I suppose it also grants itself the right to be the sole judge of what is “evil”. For example, Street View’s visually revealing nature has been under fire in the UK for many months now. The true irony is that the UK has more surveillance cameras in place than any other nation on the planet. Maybe Big Brother just doesn’t like competition?
Now, in the former land of Nazi transmitter-finder trucks, Google is alleged to be recording Wi-Fi information while capturing imagery from its Street View vehicles.
Google’s roving Street View spycam may blur your face, but it’s got your number. The Street View service is under fire in Germany for scanning private WLAN networks, and recording users’ unique MAC (Media Access Control) addresses, as the car trundles along.
Germany’s Federal Commissioner for Data Protection Peter Schaar says he’s “horrified” by the discovery.
“I am appalled… I call upon Google to delete previously unlawfully collected personal data on the wireless network immediately and stop the rides for Street View,” according to German broadcaster ARD. (The Register)
Sure, your Wi-Fi SSID and MAC address are pretty much public information anyway, since any radio within range can read them. But is it OK for a purveyor of location-based services to be collecting them en masse, tied to the precise location where each one was heard? Does anyone else see this as a big problem?
Filed under Google by admin
April 7, 2010
Your Gmail messages are shared with the feds???
I have a love/hate relationship with Gmail. I started using it when I became tired of updating my personal and business contacts every time I switched ISPs. On the plus side, it’s free, reliable, and offers what amounts to more storage than I will ever use. On the minus side, I see eerie ads that parrot the content of my messages in the sidebar, and I know Google’s official stand on privacy is that there is none within its walls. What can be especially scary is what an activist government armed with the Patriot Act may extrapolate from the content of messages.
It has been telling to watch some of our peers in the press work the controversy over Senator Conroy’s criticism of Google’s privacy record on ABC radio last week as he was questioned on his internet filtering policy.
The headlines only illustrated the ferocity of opposition to Conroy’s nanny-state filter and just how well marketed Google’s “do no evil” mantra is. Scribes just couldn’t believe a minister would have the nerve to question Google.
Like or loathe his policy, the Senator has grounds to point out the contradiction Google is in. The search company condemns the Chinese Government for censoring its results and Australia for planning to do the same while it breaks faith with its users around the world by sharing their data with the US Government.
The Patriot Act introduced by President Bush - which allows US authorities to search telecommunications and email communications to fight the ‘war on terror’ - was not designed by Google. But complying with it places the company in an awkward position. (IT News)
If the misuse of information by the Bush administration worried you, there’s even more to be concerned about today. Our current attorney general has stated that American citizens are viewed as the greatest terror threat. That means citizens’ messages could be scrutinized with prejudice.
Should you shift to another free provider like Yahoo? I’m sure other email services will share with the feds just as readily as Google does. Let this serve as a reminder that the messages on any public email service are not secure, from criminals or from the feds.
Filed under Google, Security, federal government by admin
I’ve seen no statements from either Senator Rockefeller or Senator Snowe that convince me they are any better informed than their former colleague who professed the Internet was “a series of tubes”. Nevertheless, these two elitists are determined to prepare us for cyberwar. Unfortunately, their proposal declares war on corporate IT while securing very little.
Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) have formulated a new cybersecurity bill that they described in Friday’s Wall Street Journal. (Use Google news to get to the full article.) The bill as proposed will be very disruptive to the operations of every business and will do essentially nothing to prepare the U.S. for cyberwar. (Forbes)
Dear Senators: We already have a dizzying array of regulation on the books. Some of it might even be good. Why not get someone who actually understands the subject matter (like myself or my partner) to review it and tell you which parts could be beneficial if strongly enforced? All we ask in return is that you get rid of the rest. Until that is done, let’s not add more of that brown stuff to the pile.
Filed under IT Business, Legislation / Regulation by admin
October 20, 2009
A TWC Security PSA
Folks, listen up. If you have a wireless modem provided by Time Warner Cable, you might want to have a look at it. No, it won’t catch fire. But some 65,000 of them have a security hole:
Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.
“We were aware of the problem last week and have been working on it since,” said Time Warner spokesman Alex Dudley.
The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service. The device is installed with default configurations, which customers can alter only slightly through its built-in web server. The most customers can do through this page is add a list of URLs they want their router to block.
But blogger David Chen, writing at chenosaurus.com, recently discovered he could easily gain remote access to an administrative page served by the router that would allow him greater control of the device.
Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with JavaScript code. By simply disabling JavaScript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.
If you have an SMC8014 in your home network that was PROVIDED by TWC, ask TWC whether your particular device has had the firmware fix applied. And don’t take their word for it: ask for the work order record. If they don’t have one for your account, they probably didn’t do it. Keep in mind that the page Chen found was reachable remotely, so somebody could drive up to your curb, or never come near your house at all, and be manipulating your device. Hiding a function with JavaScript only changes what the browser draws; the router still answers any request for the hidden page. Do not take this issue lightly.
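The flaw Chen found is the classic “client-side hiding is not access control” mistake, and it is worth seeing side by side with the fix. The following is an added example, not code from SMC, Time Warner or chenosaurus.com: a toy router web UI modelled as plain functions. The endpoint paths, the session layout, the role names and the configuration text are all hypothetical, and the config contents are constructed for the demonstration.

```python
# Added example (not SMC, Time Warner or chenosaurus.com code): a toy router
# web UI that models the flaw described above beside its fix. Endpoint names,
# the session layout and the config text are hypothetical.

# Constructed sample config (hypothetical contents) that the dump endpoint returns.
ROUTER_CONFIG = "wan_ip=198.51.100.7\nwifi_ssid=HomeNet\nwifi_key=example-only\n"

# Hypothetical admin endpoints the customer-facing UI is not supposed to expose.
ADMIN_PATHS = {"/admin/dump_config", "/admin/set_wan"}


def render_page_vulnerable(session):
    """Sends every UI function to every client and hides the admin ones with
    JavaScript. Turning scripting off, reading the HTML source, or calling the
    endpoint directly reveals them; nothing here is a security control."""
    role = session.get("role", "customer")
    html = [
        '<h1>Router settings</h1>',
        '<form action="/block_urls" method="post">URL block list ...</form>',
        '<div id="admin">',
        '  <a href="/admin/dump_config">Dump configuration</a>',
        '  <a href="/admin/set_wan">WAN settings</a>',
        '</div>',
        # Client-side "hiding" that only works if the browser runs this script.
        '<script>if ("%s" !== "admin") '
        'document.getElementById("admin").style.display = "none";</script>' % role,
    ]
    return "\n".join(html)


def handle_vulnerable(path, session):
    """Admin endpoints answer anyone who knows (or guesses) the path."""
    if path == "/admin/dump_config":
        return 200, ROUTER_CONFIG          # no authorization check at all
    if path == "/admin/set_wan":
        return 200, "ok"
    if path == "/":
        return 200, render_page_vulnerable(session)
    return 404, "not found"


def render_page_hardened(session):
    """The admin fragment is emitted only after the server has decided the
    caller is an admin; a non-admin never receives the links at all."""
    html = [
        '<h1>Router settings</h1>',
        '<form action="/block_urls" method="post">URL block list ...</form>',
    ]
    if session.get("role") == "admin":
        html += [
            '<div id="admin">',
            '  <a href="/admin/dump_config">Dump configuration</a>',
            '  <a href="/admin/set_wan">WAN settings</a>',
            '</div>',
        ]
    return "\n".join(html)


def handle_hardened(path, session):
    """Authorization is enforced on every request, not in the page markup.
    A missing role (anonymous session) is treated the same as a customer."""
    if path in ADMIN_PATHS and session.get("role") != "admin":
        return 403, "forbidden"            # deny before touching any admin logic
    if path == "/admin/dump_config":
        return 200, ROUTER_CONFIG
    if path == "/admin/set_wan":
        return 200, "ok"
    if path == "/":
        return 200, render_page_hardened(session)
    return 404, "not found"


if __name__ == "__main__":
    customer = {"role": "customer"}
    print(handle_vulnerable("/admin/dump_config", customer))   # leaks the config
    print(handle_hardened("/admin/dump_config", customer))     # (403, 'forbidden')
```

The point of the hardened version is that the decision lives on the server side of the request, where the customer cannot reach it: the link is never sent to a non-admin, and even a hand-typed request for the hidden path is refused. The JavaScript in the vulnerable version is cosmetic and must be treated as such in any review.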
Filed under Security, Time Warner by Dr. Dog
August 27, 2009
Are You Phreaked? You Should Be
Above all, though, Weigman is still a teenager. While he expresses remorse over his swatting attacks, he takes giddy pleasure in recounting his other exploits — whether punking celebrities or playing the phone companies like an Xbox. “The phone system and infrastructure is just weak,” he says. “I had access to the entire AT&T and Verizon networks at times. I could have shut down an entire area.” Then he segues into an earnest pitch for a future job. “I’d love to work for a phone company, just doing what I do legally,” he says. “It’s not about power. I know the phone and telecommunication systems and can be a crucial part of any company.”
This is one paragraph out of a very interesting phreaking story here. Most who read this board probably know what a phreak is: someone who manipulates the PSTN (the public switched telephone network) for fun. Please do read the whole thing; it’s interesting.
But the sobering side shows just how vulnerable our PSTN telecommunications are, at two levels: A) the people running the network can be socially engineered, and B) the infrastructure itself is very naive.
The latter first. Back in the ’60s two things happened. The Bell System figured out how to build a computer-controlled switch that did the job of the old electromechanical step-by-step central office (CO) switches without all of their maintenance headaches. The second was dual-tone multi-frequency (DTMF) signaling, better known to the public as Touch-Tone. Both were designed at a time when, shall we say, the world America operated in was one of innocence. The thinking was: why would anybody muck with the phone system? It’s dull, boring stuff that even people inside the companies found only peripherally interesting. It never occurred to anyone that Bell could represent a “respectable” challenge to manipulate.
Consider Touch-Tone. Each key is simply a pair of audible sine waves, one from a low group and one from a high group, sent down the same voice path as the conversation. That is barely a step up from Morse code. Its weak link is that the signaling sits in the human audio range, on the same channel as the speech it controls, which from a security perspective is about the worst set of choices one could make. Tones can be recorded and played back. Tones can be generated outright to drive the network (the blue box, which synthesized the in-band multi-frequency tones the trunks used for their own signaling). Compared to the out-of-band signaling systems of today, it’s a security nightmare.
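To make the “barely a step up from Morse code” point concrete, here is an added example (not the post’s code, and not anything from Bell) that synthesizes and decodes Touch-Tone digits with nothing but arithmetic. The DTMF row and column frequencies are the real ones; the 8 kHz sample rate is the classic telephony rate; the 50 ms frame length, the silence threshold and the dialed string are assumptions chosen for the demonstration. The decoder uses the Goertzel algorithm, which is how real DTMF detectors recover the digits.

```python
import math

# Added example (not the post's or Bell's code): generate and decode Touch-Tone
# (DTMF) digits with plain arithmetic, to show how little it takes to
# synthesize or recover in-band signaling that lives in the voice band.
SAMPLE_RATE = 8000                          # Hz, the classic telephony rate
FRAME = 400                                 # 50 ms per key at 8 kHz (assumed framing)
LOW_FREQS = (697, 770, 852, 941)            # DTMF row (low-group) frequencies, Hz
HIGH_FREQS = (1209, 1336, 1477, 1633)       # DTMF column (high-group) frequencies, Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")   # KEYPAD[row][col]


def dtmf_tone(key, amplitude=0.5):
    """One FRAME of samples for a key: the sum of its row and column sines."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    col = KEYPAD[row].index(key)
    f_low, f_high = LOW_FREQS[row], HIGH_FREQS[col]
    return [amplitude * (math.sin(2 * math.pi * f_low * n / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * n / SAMPLE_RATE))
            for n in range(FRAME)]


def dial(keys):
    """A dialed string as audio: each key tone followed by one frame of silence."""
    samples = []
    for key in keys:
        samples += dtmf_tone(key) + [0.0] * FRAME
    return samples


def goertzel_power(samples, freq):
    """|X(freq)|^2 via the Goertzel recurrence; exact for any target frequency."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def decode_dtmf(frame, silence=1e-3):
    """Key for one frame, or None if the frame carries no energy (silence).
    The strongest low-group and strongest high-group tone identify the key."""
    if sum(x * x for x in frame) < silence:
        return None
    low = max(LOW_FREQS, key=lambda f: goertzel_power(frame, f))
    high = max(HIGH_FREQS, key=lambda f: goertzel_power(frame, f))
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def decode_dial(samples):
    """Walk the audio frame by frame (aligned with dial()'s framing, an
    assumption of this example) and return the keys, skipping silent gaps."""
    keys = []
    for start in range(0, len(samples), FRAME):
        key = decode_dtmf(samples[start:start + FRAME])
        if key is not None:
            keys.append(key)
    return "".join(keys)


if __name__ == "__main__":
    recorded = dial("*8675309#")        # what a tap or a microphone would capture
    print(decode_dial(recorded))        # the digits fall straight out: *8675309#
```

Note what is not needed here: no key, no secret, no knowledge of anything but a published frequency table. The list returned by `dial()` is exactly what a recording on the line would contain, and feeding it back in (the replay the post describes) decodes the same digits. The blue box did the same trick with the trunk-signaling tones instead of the keypad tones.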
Then there are the companies themselves. For years, even while I was there, if you were “in the Bell loop” you were a trusted entity. The companies are vast and diverse. If you work there you live on the phone, conduct most business via long distance, and for the most part rarely if ever physically meet the people you interoperate with on a daily basis. It worked quite well so long as everyone operated on the assumption that their peers could be trusted. And why not? You were an employee!
That breaks down when outsiders can mimic the technobabble used in the industry. Even though employees are trained to spot interlopers, a 10% failure rate in that regard opens a large bundle of opportunity. Security training is required yearly at most telcos, and they still do it. But here is the interesting thing: to my knowledge none of them have implemented the simplest of measures, providing secure lines for their fraud, security, and collection departments. It’s one of the prime reasons that phreaking works.
Still sound droll, even with a possible threat of a swatting attack going wrong? Well then think about this before you go to bed tonight — What could Weigman have done had he been hired by terrorists?
June 17, 2009
You Have to be Freaking Kidding Me!
If you live in Florida and you want to sell or trade a video game, you have to provide a thumbprint now. Since October, the Florida Legislature has been treating gamers who sell their own property like pawn-shop customers:
I called back and talked to Gamestop manager Carlos Rivera, who said every video game store in Broward County got a visit from a deputy back in October. The deputy told them to start collecting thumb prints from people who return games.
So what did the good folks at Gamestop do? Break out a BFG9000?
“They have guns,” Rivera said. “I don’t argue with people with guns.”
Broward County Sheriff’s Office spokeswoman Kayla Concepcion said the new requirement comes straight from the Florida Legislature, which enacted a law on October 1 of last year that treated video games like second-hand goods sold at pawn shops. Now any store buying used video games has to collect the thumb prints, along with a bunch of other personal info about the seller.
Rivera told me most video-game-returning customers don’t really care, he said, but a few have turned around and walked out. “Haven’t had any fights over it yet,” Rivera said.
Next thing you know they will be asking for thumbprints when you buy groceries at the store.
Filed under Legislation / Regulation, Uncategorized by Dr. Dog