Mar. 26th, 2014

thewayne: (Cyranose)
The number of cards compromised is at least 10x the number reported (fewer than 25,000), according to Brian Krebs. An analysis has been done of the zip codes of the stolen cards that are available for sale, and it looks like every Sally Beauty (SB) store in the USA was compromised, just like Target.

A similar analysis was done on the cards from the Target breach. Matching the zip codes of the stores with the zip codes on the site selling the cards, they found that the selling site had the zip code of the card, with a 99%+ correlation between store zip and customer zip. The reason for also including the zip code information is that the banks didn't want to inconvenience their customers so close to Christmas, so they geo-fenced the cards, meaning that the stolen card info could be used within the customer's home zip code area.

http://krebsonsecurity.com/2014/03/zip-codes-show-extent-of-sally-beauty-breach/
thewayne: (Cyranose)
There are only six days left to purchase it. The current bundle includes eleven books: Tithe: A Modern Fairy Tale (Holly Black), Mogworld (Yahtzee Croshaw), Jumper (Steven Gould), Arcanum 101 (Mercedes Lackey and Rosemary Edghill), To Be or Not To Be (Ryan North), Bleeding Violet (Dia Reeves), The God Engine (John Scalzi), Uglies (Scott Westerfeld), The Happiest Days of Our Lives (Wil Wheaton) and Zombies vs Unicorns, an Anthology (various authors). These books are available in multiple eBook formats, including Mobi and Epub; they have no DRM on the files, and you can pay whatever you want for them. If you pay $15 or more, you also get the audio book of Cory Doctorow's Homeland, read by Wil Wheaton.

The money that you pay is distributed, at the rate that you decide, between the authors, a charity to help authors with medical crises, or a tip to Humble Bundle.

https://www.humblebundle.com/?ebookbundle3
thewayne: (Cyranose)
When you indulge any president who willfully repudiates his bounden oath to country and constitution, you no longer get a deserving person -- you get the person you deserve.

http://www.gocomics.com/pibgorn/2014/03/23

I think Obama has violated the Constitution by perpetuating the domestic spying programs that Bush put in place; aside from that, I think Bush again violated it by his unfounded invasion of Iraq.
thewayne: (Cyranose)
RTF was a standardized document format almost before Word existed. It was developed by the U.S. Navy as a way to give vendors a standard to code for, to ensure that documents could move between computers. It has the advantage of the document being pure text with internal formatting codes.

Well, trust Microsoft to screw it up. Their implementation allowed malicious code to be embedded so that attackers could gain system access equal to that of the poor sap who opened the document. If said poor sap was a system administrator, guess what.... Even if they aren't an admin, the malware could phone home and pull down exploit packages that might let them escalate privileges to gain admin access.

One technique would be to ban all RTF file extensions, but it is a valid extension and Word knows to look at the header codes rather than rely on the file extension to determine how to read the doc, so that wouldn't work.
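The gap between an extension rule and a content check, as an added example that is not part of the original post: a mail or file gateway that sniffs the leading bytes catches RTF bodies that have been renamed to another extension. The function names, the sample attachments and the lenient `{\rt` prefix match are assumptions made for this illustration.

```python
import os

# RTF files start with "{\rtf1"; matching the shorter "{\rt" is a deliberately
# lenient choice for this example so near-miss headers are still flagged.
RTF_PREFIX = b"{\\rt"
UTF8_BOM = b"\xef\xbb\xbf"

def looks_like_rtf(data: bytes) -> bool:
    """Sniff the leading bytes, ignoring a BOM and leading whitespace."""
    head = data[:64]
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    return head.lstrip(b" \t\r\n").startswith(RTF_PREFIX)

def blocked_by_extension(name: str) -> bool:
    """The weak control: trust the file name."""
    return os.path.splitext(name)[1].lower() == ".rtf"

def triage(attachments):
    """Return {name: (extension_verdict, content_verdict)} for each attachment."""
    return {name: (blocked_by_extension(name), looks_like_rtf(data))
            for name, data in attachments}

# Constructed sample attachments (not taken from any real message).
SAMPLES = [
    ("memo.rtf", b"{\\rtf1\\ansi Quarterly memo}"),
    ("invoice.doc", b"{\\rtf1\\ansi Renamed RTF body}"),
    ("padded.doc", b"\r\n  {\\rtf1\\ansi leading whitespace}"),
    ("legacy.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, (by_ext, by_content) in triage(SAMPLES).items():
        missed = by_content and not by_ext
        print(f"{name:12} ext={by_ext!s:5} content={by_content!s:5}"
              + ("  <-- extension rule misses this" if missed else ""))
```
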

Fortunately the problem doesn't seem to affect any other word processing programs except Microsoft Word.

http://it.slashdot.org/story/14/03/25/0156203/microsoft-word-zero-day-used-in-targeted-attacks


In an ideal environment in the Real World, those who have the need to be system administrators should not run the workstation that they use for day-to-day work at their admin account level. The best way, IMO, is to give them dual big monitors and a virtual machine that they can start up and sign on to with their admin account; said machine does not have Microsoft Office or anything else not directly related to administering the network. If they can pull it off, the admin account should not even have internet access.
