“We are completely incompetent when
it comes to Computer Security and we always will be.” NOTE: I
searched http://www.mandiant.com/
for information on “the Hand” but found none. Must be new or top
secret or imaginary...
Haley:
SCDOR hacking may not have been preventable
Gov. Nikki Haley says new layers of
security are being added in the wake of a massive security breach,
but she said at a news conference Wednesday that even
with what is now known, there is "no way to say it could have
been prevented."
The massive security breach at the
South Carolina Department of Revenue could earn the hackers as much as
$360 million by using just 1 percent of the affected taxpayers'
returns, the State newspaper is reporting. [Equally
fantastic... Bob]
… Investigators believe that a
hacker tricked someone at the Department of Revenue into opening
a file that gave the hacker access to the system. [the Password
file? Bob]
At the news conference, Haley said that
she has issued a second executive order that calls for cabinet
agencies to be monitored 24-7. The monitoring will require the
addition of four fulltime employees, with the cost of their salaries
split by five cabinet agencies.
She said another layer of security will
be provided by a piece of equipment called The Hand that is being
purchased from the computer forensics and security company Mandiant
at a cost of $160,300. She said the Hand will detect
any movement of large files and will shut any affected machines down
immediately and contact the Department of
State Information Technology.
… DSIT will also monitor traffic
patterns in real time to be sure no data is taken from the network.
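The article only says what the Hand is meant to do, not how. The following is an added example, not code from the article, from Mandiant or from the State of South Carolina, showing the minimum logic behind "detect any movement of large files": keep a sliding window of outbound bytes per host, flag a host the first time its window total crosses a threshold, and hand the flagged hosts to a response step. The flow records, the 500 MiB threshold and the 10-minute window are constructed assumptions.

```python
"""Flag hosts moving unusually large volumes off the network.

Added example (not from the article or from Mandiant): a minimal
version of the behaviour the article attributes to "The Hand":
watch outbound transfers, flag any host that moves more than a
threshold of data within a short window, and pass the flagged hosts
to a response step. Flow records here are constructed sample data;
in practice they would come from a flow collector or proxy log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound flow records:
# (timestamp, source host, destination ip, bytes sent)
SAMPLE_FLOWS = [
    ("2012-11-14T09:00:00", "ws-17", "203.0.113.5", 20_000),
    ("2012-11-14T09:01:10", "ws-17", "203.0.113.5", 35_000),
    ("2012-11-14T09:02:00", "db-01", "198.51.100.9", 300_000_000),
    ("2012-11-14T09:03:30", "db-01", "198.51.100.9", 250_000_000),
    ("2012-11-14T09:05:00", "ws-04", "203.0.113.7", 1_000_000),
    ("2012-11-14T10:30:00", "db-01", "198.51.100.9", 100_000_000),
]

THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per window; assumed policy value
WINDOW = timedelta(minutes=10)        # assumed window length


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_large_transfers(flows, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return {host: (window_start, window_end, bytes)} for the first
    window in which each host's outbound volume exceeds the threshold.
    Flows are sorted by timestamp so the sliding window is well defined."""
    flagged = {}
    recent = defaultdict(deque)   # host -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)     # host -> bytes currently inside the window
    for ts_s, host, _dst, nbytes in sorted(flows, key=lambda f: f[0]):
        ts = parse_ts(ts_s)
        q = recent[host]
        q.append((ts, nbytes))
        totals[host] += nbytes
        # Drop records that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[host] -= old
        if host not in flagged and totals[host] > threshold:
            flagged[host] = (q[0][0], ts, totals[host])
    return flagged


def response_actions(flagged):
    """Map each flagged host to the two actions the article describes:
    isolate the machine and notify the monitoring team (DSIT)."""
    return [
        {"host": h, "action": "isolate", "notify": "DSIT", "bytes_out": b,
         "window": (start.isoformat(), end.isoformat())}
        for h, (start, end, b) in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for action in response_actions(find_large_transfers(SAMPLE_FLOWS)):
        print(action)
```

On the constructed data only db-01 is flagged, at 09:03:30, after 550 MB left within two minutes. Two caveats a practitioner would add before trusting a control like this: a volume threshold alone fires on legitimate backups and software updates, so it needs a baseline per host or a whitelist of known destinations; and powering a machine off immediately destroys the volatile evidence (memory, open connections) that the subsequent forensic work needs, so network isolation is usually preferred over a shutdown.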
This letter certainly comes with an
abundance of something, but it doesn't smell like caution.
Delayed
breach notification letter from law firm raises more questions than
it answers
November 14, 2012 by admin
Here’s another notification
letter submitted to the California Attorney General’s Office
that left me scratching my head. It’s from the law firm of
Sprechman & Associates, P.A. in Miami, a firm
that specializes in collections. My comments and questions are
inserted in italics:
Dear XXXXXX:
I am writing to
advise you that your personally identifiable information
(“Information”) may have been viewed by a former
employee of Sprechman & Associates without permission.
Specifically, the former employee may have viewed your name, address,
date of birth, driver’s license number, and/or social security
number.
“May have?” Why don’t you
know? Don’t you maintain logs?
Sprechman &
Associates learned of this incident in July 2012, but was unable to
notify you until now because notification at that time may have
interfered with a law enforcement investigation and the
best known contact information for potentially affected individuals
was not known until October 2012. [Why would that be? Bob]
How did you learn
of it? And when did the improper access
occur, if it occurred? How long was this problem going on for? Was
there any indication of misuse of anyone’s information? Did law
enforcement actually ask you not to disclose this sooner or did you
just make that decision on your own? If they asked you to delay
notification, when did they tell you that you could go ahead and
notify?
Although we cannot
be sure that your Information was in fact used in an inappropriate
manner, in an abundance of caution we are informing you that such
viewing of your information may have occurred.
What Information
May Have Been Viewed, When and By Whom?
One of our
employees may have performed unauthorized searches on you. This
information may have included your name, address, date of birth,
driver’s license number, and social security number. We are
advising you of this matter in an abundance of caution, but we stress
that we cannot be sure that your Information was in fact used in an
inappropriate manner. In fact, we cannot even be sure that your
Information was actually viewed, but we are providing this notice out
of an abundance of caution.
You can’t be sure it was viewed
and/or misused, but you can’t be sure it wasn’t viewed and/or
misused, right? So why aren’t you offering free credit protection
and restoration services?
How Have We
Responded to This Issue
Nonetheless, we
certainly understand that this may be cause for concern. Additional
information and support resources are available through the
non-profit Identity Theft Resource Center at www.idtheftcenter.org,
by calling (858) 693-7935, or via e-mail at itrc@idtheftcenter.org.
Other Steps You
Can Take:
[...]
So you haven’t actually done
anything to respond to this issue other than notify law enforcement
and send out this notification letter? How about hardening your
security and access to records? How about improving auditing so you
can tell who’s accessed what? How about offering affected
individuals some services?
If the law firm would like to provide
additional information, I’ll be happy to post it or update this
entry, but overall, I find their notification and response
inadequate. They do provide a phone number to call if recipients
have questions, but the letter isn’t even signed by an individual –
only by “Notice Department.”
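The post's repeated question is whether the firm kept logs that could say who viewed which record. As an added example, not code from the law firm or from the post above, the following sketches the minimum an application needs to answer that: an append-only, hash-chained log of every record lookup keyed by the acting user, plus the three queries a notification letter should be able to draw on (who viewed a given record, what a given user touched in a date range, and which users' lookup volume is out of line with their peers). All user names, record ids and timestamps are constructed.

```python
"""Per-record access auditing that can answer "who viewed whom, and when".

Added example, not code from the law firm or from the post above.
The letter says the firm cannot tell whether a record was viewed; this
shows the minimum an application needs to answer that: an append-only,
hash-chained log of every record lookup keyed by the acting user.
Names, record ids and timestamps below are constructed.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


class AccessAuditLog:
    def __init__(self):
        self.entries = []      # append-only list of dict entries
        self._prev = GENESIS   # hash of the last entry written

    def record(self, ts, user, record_id, action="view", reason=""):
        """Append one lookup; each entry commits to the previous entry's hash."""
        entry = {"ts": ts, "user": user, "record": record_id,
                 "action": action, "reason": reason, "prev": self._prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self):
        """True if no entry was altered or removed since it was written."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_by(self, user, start=None, end=None):
        """Everything one user looked at, optionally within an ISO timestamp range."""
        return [e for e in self.entries if e["user"] == user
                and (start is None or e["ts"] >= start)
                and (end is None or e["ts"] <= end)]

    def viewers_of(self, record_id):
        """The question the letter could not answer: who viewed this record?"""
        return [(e["ts"], e["user"]) for e in self.entries if e["record"] == record_id]

    def unusual_lookup_volume(self, factor=3):
        """Users whose lookup count exceeds `factor` times the median user's."""
        counts = Counter(e["user"] for e in self.entries)
        if not counts:
            return {}
        vals = sorted(counts.values())
        median = vals[len(vals) // 2]
        return {u: c for u, c in counts.items() if c > factor * max(median, 1)}


def build_sample_log():
    """Constructed data: two clerks doing case work, one account doing bulk lookups."""
    log = AccessAuditLog()
    normal = [("clerk_a", "R1001"), ("clerk_b", "R1002"),
              ("clerk_a", "R1003"), ("clerk_b", "R1004")]
    for i, (user, rec) in enumerate(normal, start=1):
        log.record(f"2012-07-0{i}T10:00:00", user, rec, reason=f"case {i}")
    for n in range(9):   # nine lookups in nine minutes, late at night, no case reason
        log.record(f"2012-07-09T22:{n:02d}:00", "former_emp", f"R20{n:02d}")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain())
    print("who viewed R2003:", log.viewers_of("R2003"))
    print("outliers:", log.unusual_lookup_volume())
```

With such a log the firm could have said precisely which recipients' records were opened rather than "may have been viewed", and the outlier query is the kind of check that surfaces "unauthorized searches" while the employee is still on staff. The hash chain only helps if the log is written to a store the application's own users cannot edit; if the person being audited can also administer the database that holds the log, the chain must be anchored elsewhere (a write-once store or a periodic signed checkpoint).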
For the new generation, it's not really
war, it's a video game.
Israel
Kills Hamas Leader, Instantly Posts It to YouTube
The Israel Defense Forces didn’t just
kill Hamas military leader Ahmed al-Jabari on Wednesday as he was
driving his car down the street in Gaza. They killed him and then
instantly posted the strike to YouTube. Then they tweeted a warning
to all of Jabari’s comrades: “We recommend that no Hamas
operatives, whether low level or senior leaders, show their faces
above ground in the days ahead.”
The Jabari hit is part of the biggest
assault the IDF has launched in more than three years on Gaza, with
more
than 20 targets hit. And it’s being accompanied
by one of the most aggressive social media offensives ever launched
by any military. Several
days before Jabari’s elimination, the IDF began liveblogging
the rocket attacks on southern Israel coming from Gaza. Once
“Operation Pillar of Defense” began, the IDF put up a Facebook
page, a Flickr feed, and, of course, a stream of Twitter taunts —
all relying on the same white-on-red English-language graphics.
“Ahmed
Jabari: Eliminated,” reads a tweet from 2:21 p.m. Eastern time
on Wednesday.
(Related) What are the rules here? I
can see keeping HOW we will respond secret, but we should be
announcing (not leaking) that we WILL respond.
Obama
signs secret directive to help thwart cyberattacks
President Obama has signed a secret
directive that effectively enables the military to act more
aggressively to thwart cyber attacks on the nation’s web of
government and private computer networks.
Presidential Policy Directive 20
establishes a broad and strict set of standards to guide the
operations of federal agencies in confronting threats in cyberspace,
according to several U.S. officials who have seen the classified
document and are not authorized to speak on the record. The
president signed it in mid-October.
… An example of a defensive
cyber-operation that once would have been considered an offensive
act, for instance, might include stopping a computer attack by
severing the link between an overseas server and a targeted domestic
computer. [That's nonsense, unless the severing is
done with explosives on foreign soil. Bob]
“That was seen as something that was
aggressive,” said one defense official, “particularly by some at
the State Department” who often are wary of actions that might
infringe on other countries’ sovereignty and undermine U.S.
advocacy of Internet freedom. Intelligence agencies are wary of
operations that may inhibit intelligence collection. The Pentagon,
meanwhile, has defined cyberspace as another military domain —
joining air, land, sea and space — and wants flexibility to operate
in that realm.
… But repeated efforts by officials
to ensure that the Cyber Command has that flexibility have met with
resistance — sometimes from within the Pentagon itself — over
concerns that enabling the military to move too freely outside its
own networks could pose unacceptable risks. A major concern has
always been that an
action may have a harmful unintended consequence, such as shutting
down a hospital generator.
… Officials say they expect the
directive will spur more nuanced debate over how to respond to
cyber-incidents. That might include a cyberattack that wipes data
from tens of thousands of computers in a major industrial company,
disrupting business operations, but doesn’t blow up a plant or kill
people.
The new policy makes clear that the
government will turn first to law enforcement or traditional network
defense techniques before asking military cyberwarfare units for help
or pursuing other alternatives, senior administration officials said.
Looks like things are back to normal in
New Jersey for at least one group. I wonder what the “It fell
off-a da truck” price will be?
Thieves
Grab 3,600 iPad Minis Worth $1.5M In JFK Airport Heist
Apple’s iPad
mini seems to be a success, and that has attracted the criminal
element’s attention. According to the New
York Post, a shipment of Apple’s iPad mini, numbering 3,600
devices and with a total value of $1.5 million, was taken from JFK
airport from the same location that a group stole $5 million in cash
and $900,000 in jewelry in 1978. [Now we can film
“i-Goodfellas” the sequel Bob]
Probably not going to happen.
Investigate
the FBI
November 15, 2012 by Dissent
Trevor Timm of EFF has a great
commentary on the FBI investigation that mushroomed and mushroomed
and mushroomed. Here’s a snippet:
Congress is now
demanding to know why it wasn’t informed by the Justice
Department about the details of the Petraeus affair earlier.
Lawmakers should instead be worried about why the public was informed
of these details at all, given that no crime was committed. And
instead of investigating one man’s personal life, they should
investigate how to strengthen our privacy laws so this does not
happen to anyone else.
The U.S.
government has so far been unable to keep its colossal surveillance
state in check. Now that it is so bloated it is eating itself, one
hopes more people will finally pay attention.
Read more on ForeignPolicy.com.
Not only does Congress need to
investigate what happened, but the DOJ OIG needs to investigate this
and issue a report to the public promptly. Did the FBI act lawfully
at all times or did they misuse their tools and authority? How does
a complaint by someone about a few mean emails – which may be
protected speech and not criminal at all – result in an
investigation that looks into the communications between a ranking
general and others? If it’s not even clear any crime was
committed, should our government be able to snoop so extensively
without judicial oversight? If a court granted the FBI a warrant,
well, to be blunt, what the hell was the judge thinking or what was
the judge told to justify the privacy invasion?
Trevor emphasizes the fact that the
public never should have been told about this investigation at all.
It’s a fair point, but would we really rather not know that our
government can do these things to us?
Some of us have been saying for years
that ECPA needs to be updated and more privacy protections need to be
incorporated. Some of us have also been saying for years that
providers need to shorten their data retention periods. If you don’t
retain it, the FBI can’t get it from you. NOW will you
listen to us? How many more lives or careers will be ruined until
Congress and providers take steps to genuinely protect the privacy of
our electronic communications?
Reporting on their grasp of the
obvious? I remember a Great Aunt telling me about soldiers guarding
at each bridge along a minor spur railroad in central New Jersey.
Perhaps this would be a job stimulus if we let the TSA provide
similar security for pipelines and the power grid?
November 14, 2012
Terrorism
and the Electric Power Delivery System
"The electric power delivery
system that carries electricity from large central generators to
customers could be severely damaged by a small number of
well-informed attackers. The system is inherently
vulnerable because transmission lines may span hundreds of
miles, and many key facilities are unguarded. This vulnerability is
exacerbated by the fact that the power grid, most of which was
originally designed to meet the needs of individual vertically
integrated utilities, is being used to move power between regions to
support the needs of competitive markets for power generation.
Primarily because of ambiguities introduced as a result of recent
restructuring of the industry and cost pressures from consumers and
regulators, investment to strengthen and upgrade the grid has lagged,
with the result that many parts of the bulk high-voltage system are
heavily stressed. Electric systems are not designed to withstand or
quickly recover from damage inflicted simultaneously on multiple
components. [New Jersey found that out recently...
Bob] Such an attack could be carried out by knowledgeable
attackers with little risk of detection or interdiction. Further,
well-planned and coordinated attacks by terrorists could leave the
electric power system in a large region of the country at least
partially disabled for a very long time. Although there are many
examples of terrorist and military attacks on power systems elsewhere
in the world, at the time of this study international terrorists have
shown limited interest in attacking the U.S. power grid. However,
that should not be a basis for complacency. Because all parts of the
economy, as well as human health and welfare, depend on electricity,
the results could be devastating. Terrorism
and the Electric Power Delivery System focuses on measures that
could make the power delivery system less vulnerable to attacks,
restore power faster after an attack, and make critical services less
vulnerable while the delivery of conventional electric power has been
disrupted."
Anyone taking bets? I imagine each
discovery request would want “each and every contact” with
everyone involved. Should make for lots of jobs for my Data Mining
students...
"The Salt Lake Police
department will be much more transparent with their law enforcement.
A program is being rolled out to require officers wear glasses
equipped
with a camera to record what they see. Of course, there are
several officers opposed to this idea, who will resist the change.
One of the biggest shockers to me is that the police chief is in
strong support of this measure: 'If Chief Burbank gets his way, these
tiny, weightless cameras will soon be on every
police officer in the state.' With all the
opposition of police officers being recorded by citizens that we are
seeing
throughout
the country,
it is quite a surprise that they would make a move like this. The
officers would wear them when they are investigating crime scenes,
serving warrants, and during patrols. Suddenly Utah isn't looking
like such a bad place to be. Now we just need to hope other states
and departments would follow suit. It sure will be nice when there
is video evidence to show the real story."
It's not only the Air Force that tries
to do everything in one “swell foop.” This is much too large a
project to control. What do they actually need that could be
developed in six months or less?
"The U.S. Air Force has decided
to scrap a major ERP (enterprise resource planning) software project
after
spending $1 billion, concluding that finishing it would cost far
too much more money for too little gain. Dubbed the Expeditionary
Combat Support System (ECSS), the project has racked up $1.03 billion
in costs since 2005, 'and has not yielded any significant military
capability,' an Air Force spokesman said in a statement. 'We
estimate it would require an additional $1.1B for about a quarter of
the original scope to continue and fielding would not be until 2020.
The Air Force has concluded the ECSS program is no longer a viable
option for meeting the FY17 Financial Improvement and Audit Readiness
(FIAR) statutory requirement. Therefore, we are canceling the
program and moving forward with other options in order to meet both
requirements.'"
Perspective
… Numbers wise, in the third
quarter of this year, mobile phone owners sent an average of 678
texts per month, which is down from 696 texts a month in the previous
quarter. This isn’t a huge decline, but it’s the first ever
decline that has been recorded. And it’s not a big concern for
users, and it’s also not a big deal for carriers, since a bulk of
their revenue comes from data plans.
I use LightShot myself, but each App is
slightly different so you have to try them to see which “feel”
best...
ScreenSnag is a downloadable desktop
application that lets you easily take a photo of your computer
screen. You can capture an entire screen, a region of the screen, a
window, or an element on the window with a single hotkey or a click.
It has a Timer option
to perform screen captures at your defined intervals. It
has many configuration settings depending on the situation. Save
different settings’ combinations into profiles for quicker access
later on.
To see all the available features of
the app, download it for free from their
website.
Pinterest with a focus?
Wednesday, November 14, 2012
Learnist,
which I've described in the past as Pinterest
for learning, announced today that you no longer have to use
Facebook or Twitter to register and use their service. You can now
register for and use Learnist with an email account. The service is
still available only to people who request a beta invite, but it
seems that beta invites come quickly.
… Learnist provides another
professional learning community in which you collaborate on the
collation of resources that are beneficial to you and your students.
One of my smarter friends (Dr. Michelle
Post) just published a couple of eBooks. I expect she'll be writing
one a week soon.
Heaven Has Tea
Parties,
http://www.amazon.com/dp/B00A78LD2E,
is about the loss of my mother and God's healing in this loss. All
proceeds from the sale of the book will be donated to the American
Parkinson Disease Association in memory of my mother, Annie.
Building Your
Adjunct Platform,
http://www.amazon.com/dp/B00A7HDV6Q,
is a "how to" book for anyone looking to become a
college/university Adjunct Instructor.