Wednesday, 14 January 2015

Crayola's Facebook Page Got Hacked, Brand apologizes for 'offensive content'

Photo: Getty Images
If any brand is less deserving of an adult-themed paint job, it's Crayola.
Yes, the crayon company is synonymous with childlike innocence. But it was anything but on Sunday, when its Facebook page was hacked by unknown deviants. Once inside the brand's account, the perpetrators shared click-baity links to R-rated sites throughout the day, sending poor Crayola into a panic. 
Below are images of some of the posts. While most are relatively tame—containing dirty drawings and innuendo—some of the images are NSFW. 

Crayola eventully took back control of the page and posted this update on Twitter:

Park 'N Fly Confirms Data Breach -- Payment Card Information Exposed

Park 'N Fly Confirms Data Breach
Park 'N Fly is notifying an undisclosed number of customers that their payment card information was exposed following a compromise of the company's e-commerce website.
The data breach follows a security incident at parking facility provider SP+, formerly Standard Parking Corp., which involved the compromise of a POS system vendor and exposed payment card details (see: 
Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards, says one card issuer who asked not to be named. "These cards are favored by fraudsters because of high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders," the issuer says.
Park 'N Fly, an offsite airport parking operator based in Atlanta, says that it has hired data forensics experts to assist with its investigation of the breach, which has been contained.
"While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF's e-commerce website is at risk," the company says in a Jan. 13 statement.
Compromised information includes card numbers, cardholder names, billing addresses, card expiration dates and security codes. Other loyalty customer data that may have been exposed includes e-mail addresses, Park 'N Fly passwords and telephone numbers.
Impacted customers are being offered free credit monitoring and identity protection services for one year. Park 'N Fly says it's working with law enforcement and credit card brands to investigate the incident.
"PNF is committed to protecting its customers and their information and will continue a comprehensive response to thoroughly investigate and respond to the incident and improve its data security," the company says.
The company did not immediately respond to a request for comment. News of a possible breach at Park 'N Fly was first reported by security blogger Brian Krebs

Warning: Using encrypted email in Spain? Do not pass go, go directly to jail

Seven people have been detained for, among other allegations, using encrypted email, a civil-rights group has said.
Spanish cops investigating bomb attacks raided 14 homes and businesses across the country last month and arrested 11 people: seven women and four men, aged 31 to 36, from Spain, Italy, Uruguay, and Austria.
Since then, four people have been released, and the remaining seven were charged with belonging to a "criminal organization of an anarchist nature with terrorist ends."
That organization has been linked to explosives placed at cash machines, and in the Almudena Cathedral in Madrid and the Pilar Basilica in Zaragoza last year, according to Spanish journalists.
Lawyers defending the accused said investigating Judge Javier Gómez Bermúdez partly chose to further detain the seven due to their use of “emails with extreme security measures” – specifically, freedom-fighting’s email servers.
Civil liberties group Access said this decision is tantamount to criminalizing encrypted communications.
“The suggestion that somehow protecting one’s privacy is akin to a terrorist act is a new low,” said Josh Levy, advocacy director at Access. “Using it as an indicator of criminality is disingenuous at best, and at worst an attack on anyone who depends on digital security to operate safely.” is a Seattle-based, volunteer-run service that provides web hosting, mailing lists, email accounts, among other things. Unlike some email providers, it does not log users’ connecting IP addresses, and all mail is stored in encrypted form. On its website it also vows to “actively fight any attempt to subpoena or otherwise acquire any user information or logs.”
Access says the investigative judge's move to “criminalise people for using privacy tools” could have wide-reaching consequences since all email providers have “an obligation to protect the privacy of its users.” Many of the “extreme security measures” used by RiseUp are best-practices for online security that everyone should follow.
"Encryption is a vital technology for all people to maintain their privacy and security,” said Jamie Tomasello, tech director at Access. “We cannot allow Spain to criminalize the use of basic digital security practices that are relied upon every day by users and corporations alike."
Meanwhile, in the UK, Prime Minister David Cameron has said governments must be able to easily read citizens' email, post, electronic messages and other communications to keep people safe – implying he will strip or backdoor encryption in software if reelected

Australia tries to ban crypto research – by ACCIDENT

While the world is laughing at UK PM David Cameron for his pledge to ban encryption, Australia is on the way to implementing legislation that could feasibly have a similar effect.
Moreover, the little-debated Defence Trade Control Act (DCTA) is already law – it's just that the criminal sanctions it imposes for sending knowledge offshore without a license are being phased in, and don't come into force until May 2015.
As noted in Defence Report, the lack of an academic exclusion in the law, which passed parliament under the previous Labor government in 2012, could mean “an email to a fellow academic could land you a 10 year prison sentence”.
The control of defence research isn't new or surprising, and in fact this law was put into place to align Australia's regime with that of the USA (the International Traffic in Arms Regulations), but the haste with which it was implemented means someone forgot that academic researchers routinely discuss sensitive technologies.
While consumer-grade encryption is excluded from control by the Defence and Strategic Goods List (the 350 page-plus regulation that describes what's prohibited by the DCTA), researchers are warned off 512-bits-plus key lengths, systems “designed or modified to perform cryptanalytic functions, or “designed or modified to use 'quantum cryptography'” (the latter, in an explanatory note, also covering quantum key distribution).
Hence after May, the various quantum labs in Australian universities will have to think twice before collaborating with overseas partners.
At least systems protecting personal data are allowable, so long as the users have no control over the cryptographic capability (section 5A002 of the strategic goods list).
As Defence Report notes:
"Without the exclusion for academics, as enjoyed by the US and UK, university researchers would need prior permission from a Minister at the Department of Defence (DoD) to communicate new research to foreign nationals or to publish in any research journals."
Was the government warned that it was making a mistake? Apparently so: Vulture South has had its attention drawn to several submissions made to the Senate committee overseeing the bill's implementation.
Air Power Australia's Peter Moon and retired Air Commodore Edward Bushell describe the bill as “clearly defective”. Even the ITAR regime has been problematic for researchers, they note, since academics have to partition conferences according to whether or not they're ITAR-compliant.
Even though “public domain” technologies are exempted, the Moon/Bushell submission notes, a defendant is required to prove that the technology they're discussing is in the public domain, rather than the regulator having to do the research for themselves.
The law, they write, represents “censorship controls on all publishing on all topics covered by the DTCA, embracing:
  • All open-sourced research on any topic related to DSGL technologies.
  • All open-sourced research on any topic impinging upon military operations.
  • All open-sourced research impinging upon military technological strategy, as this cannot be conducted in the absence of capability analysis.
  • All applied research in areas of DSGL and related technologies.
  • All submissions to parliamentary inquiries covering any matters involving defence operations, strategy or technologies.
Universities Australia was no less critical in its submission, saying the bill as it now stands would impact everything from what universities are allowed to teach (and who may teach them) through to whom researchers can contact and what they're allowed to publish