NFC embedded in Google’s Nexus S

Google is the first, it seems, to embed a chip for NFC in a cell phone for the American market. The Official Google Blog says NFC comes with the Nexus S.

It also features…NFC (near field communication) hardware that lets you read information from NFC tags. NFC is a fast, versatile short-range wireless technology that can be embedded in all kinds of everyday objects like movie posters, stickers and t-shirts.

Actually, it will also come in handy as a payment system to replace or improve on payment cards, as I have mentioned before.

FBI Barbie Doll Warning

Barbie is now a surveillance tool. “Video Girl” has a video camera embedded.

I am a real working video camera

The FBI Memo About Newest Barbie Doll, which you might have seen coming, appears to be directed only at the risk of abuse of children by adults.

An internal cyber crime alert from the Sacramento office obtained by CBS13 warns:

“Law enforcement is encouraged to be aware of unconventional avenues for the possible production and possession of child pornography, such as Barbie Video Girl.”

The memo goes on to warn that the toy’s technology can capture 30 minutes of video that can be played back on the tiny LCD screen, or downloaded and shared.

The Barbie also could be used by a child to expose adult behavior or secrets. The FBI is unlikely to warn about this “unconventional avenue” of exposure by a $50 spy camera in a doll, but I am sure it also crossed their minds.

The camera has a USB interface and runs on two AAA batteries. Enterprising children may find it easy to modify and use with other decoys or toys. That is why I also suspect this doll could give many children an early sense that they are being watched and recorded; anything anywhere now might be a spy camera. It could lead to adaptive behavior (anti-Barbie Doll measures?) and end up making a new generation far more aware than their parents of surveillance risks.

Wire Leak: Chinese Nationally-Funded Hackers

Although the leaked 2009 State Department wire message will bring scrutiny to Chinese hackers, three things stood out.

First, language in the wire looks familiar:

CNITSEC enterprises were said to have recruited Chinese hackers in support of nationally-funded “network attack scientific research projects.”

China is not the only country to recruit hackers. Remember when the press release announced “Hacker ‘Mudge’ gets DARPA job”? He was quoted as saying “I want to be at the sharp pointy end of the stick.” Imagine if a Chinese hacker had said that to the press…actually, imagine if anyone going into a military role said that in any country.

The point here, no pun intended, is that countries frequently recruit experts from industry, and have done so for quite a while (as LinkedIn members often boast).

Even more to the point, the US military has only just announced cybersecurity as part of basic training, as explained in “US Air Force Recruits Train to Become Cyber Warriors”. With the Air Force only just starting to train from within, it likely will be years before they can avoid hiring from outside.

The Chinese hiring outside hackers is probably taken by many to be a sign of intent or motive, but to me it signals more that they lack talent within.

Second, the timing is interesting:

From June 2002 to March 2003, TOPSEC employed a known Chinese hacker, Lin Yong (a.k.a. Lion and owner of the Honker Union of China), as senior security service engineer to manage security service and training. Venus Tech, another CNITSEC enterprise privy to the GSP, is also known to affiliate with XFocus, one of the few Chinese hacker groups known to develop exploits to new vulnerabilities in a short period of time, as evidenced in the 2003 release of Blaster Worm (See CTAD Daily Read File (DRF) April 4, 2008).

March 2003 was only a month after Bill Gates signed major trade agreements with China. It also was about half a year before Microsoft gave the Chinese access to its source code for “security” purposes.

Chinese hacker and company “affiliations” with Microsoft could sound ominous in some ways, but in 2003 the company openly traded and gave access to Chinese security experts. That gives a different spin to the wire and again emphasizes that China lacked talent within. They relied on experts in the field with unusually close ties to Microsoft.

Third, although this is a wire leak and not a press release, I am reminded of when the Japanese media were said to be using reports of Honker (a hacking group said to be nationally affiliated with China) activity and threats to “make China look bad”.

Broadway Grill Hack, into the 1,000s

I often emphasize in my security breaches presentations that retailers get a lot of attention yet they represent a small percentage of the overall number of breaches.

A story by Oregon’s KCBY about a Secret Service investigation in Seattle is a good example of this. They call it “cyber attack larger than first thought”:

…the U.S. Secret Service tells KOMO News we’re dealing with a much bigger crime than first expected. Agency spokesman Bob Kierstead says the total number of accounts compromised could be in the high hundreds.

“It could go over a thousand,” said Kierstead. “We are very close to pinpointing the actual person or persons who perpetrated this crime.”

The fraud is real and the harm should not be discounted. This story does a good job emphasizing the importance of a breach of hundreds or thousands out of the community that has eaten at or lives near the Broadway Grill.

However, it does not pull in any industry data, financial services names, or even a national view to put this breach in perspective.

News sources, taken together, suggest that back-end servers were storing card data after authorization. They also suggest sniffers were used to pull data processed in the clear from other retail locations. I hardly see either of these as a new attack vector for retailers. It has been a known problem, and the subject of breach reports, since the beginning of the PCI DSS compliance standard over six years ago.
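The post-authorization storage problem described above is exactly what a PCI assessor or a retailer’s own operations team looks for first: full card numbers sitting in logs or transaction tables after the authorization response has come back. As an added example (not code from the original post, the restaurant, or the software vendor), the script below scans a few constructed transaction records in a hypothetical `key=value` log format, picks out anything that looks like a primary account number, drops false positives with a Luhn check, and reports each record that still holds an unmasked PAN. The sample values are well-known public test card numbers and a deliberately invalid 16-digit order number, all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a hypothetical POS log format (not real data).
# Record 2 is already masked (first six, last four) and should pass.
# Record 4 carries a 16-digit value that fails Luhn, so it is not a card number.
SAMPLE_RECORDS = [
    "2010-12-05T18:02:11 txn=1001 status=AUTHORIZED pan=4111111111111111 amount=42.10",
    "2010-12-05T18:03:45 txn=1002 status=AUTHORIZED pan=411111******1111 amount=18.75",
    "2010-12-05T18:04:02 txn=1003 status=AUTHORIZED pan=5500000000000004 amount=9.99",
    "2010-12-05T18:05:30 txn=1004 status=AUTHORIZED ref=1234567890123456 amount=3.00",
]

# Candidate PANs: 13 to 19 contiguous digits bounded by non-digit characters.
PAN_RE = re.compile(r"\b\d{13,19}\b")
TXN_RE = re.compile(r"txn=(\S+)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs that look like card numbers and pass Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the PCI DSS display format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    txn: str
    masked_pan: str  # never carry the full PAN into a report


def scan_records(records: list) -> list:
    """Flag every record that still contains a full, unmasked PAN."""
    findings = []
    for line_no, record in enumerate(records, start=1):
        txn_match = TXN_RE.search(record)
        txn = txn_match.group(1) if txn_match else "?"
        for pan in find_pans(record):
            findings.append(Finding(line_no, txn, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"line {f.line_no}: txn {f.txn} retains full PAN ({f.masked_pan})")
```

The report itself only ever carries the masked form, so the scan does not become one more place where card data is stored. On a real system the same logic would run over the transaction database and application logs on the back-end servers, which is where the news sources say the data was being retained.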

Capitol Hill news points out that the restaurant used Action Systems’ Restaurant Manager software and may have been on a version at least four years old.

Restaurants using Restaurant Manager v15.0 or earlier have been notified repeatedly that they must upgrade to a more current version of the software before they will be able to operate as a PCI Compliant business.

It is the restaurant’s responsibility to act on these repeated warnings.

Although this points readers back into the retail operation, the reality of the hack is that the restaurant was an entry-point but not the true target. The attackers moved from the restaurant system into the transaction processing system where they hoped to collect a large stream of card data. Even though they hit a sensitive area their breach achieved far less than the exposures we have seen in the past few years. The numbers indicate the risk and impact of retail breaches have declined. Compare it with what other industries experience now — ones that lack a compliance standard like PCI DSS — and “into the 1,000” could be seen as part of an overall downward trend in risk.