Thursday, November 15, 2012
“We are completely incompetent when it comes to Computer Security and we always will be.” NOTE: I searched http://www.mandiant.com/ for information on “the Hand” but found none. Must be new or top secret or imaginary...
Haley: SCDOR hacking may not have been preventable
Gov. Nikki Haley says new layers of security are being added in the wake of a massive security breach, but she said at a news conference Wednesday that even with what is now known, there is "no way to say it could have been prevented."
The massive security breach at the South Carolina Department of Revenue could earn the hackers as much as $360 million by using just 1 percent of the affected taxpayers' returns, the State newspaper is reporting. [Equally fantastic... Bob]
… Investigators believe that a hacker tricked someone at the Department of Revenue into opening a file that gave the hacker access to the system. [the Password file? Bob]
At the news conference, Haley said that she has issued a second executive order that calls for cabinet agencies to be monitored 24-7. The monitoring will require the addition of four fulltime employees, with the cost of their salaries split by five cabinet agencies.
She said another layer of security will be provided by a piece of equipment called The Hand that is being purchased from the computer forensics and security company Mandiant at a cost of $160,300. She said the Hand will detect any movement of large files and will shut any affected machines down immediately and contact the Department of State Information Technology.
… DSIT will also monitor traffic patterns in real time to be sure no data is taken from the network.
This letter certainly comes with an abundance of something, but it doesn't smell like caution.
Delayed breach notification letter from law firm raises more questions than it answers
November 14, 2012 by admin
Here’s another notification letter submitted to the California Attorney General’s Office that left me scratching my head. It’s from the law firm of Sprechman & Associates, P.A. in Miami, a firm that specializes in collections. My comments and questions are inserted in italics:
I am writing to advise you that your personally identifiable information (“Information”) may have been viewed by a former employee of Sprechman & Associates without permission. Specifically, the former employee may have viewed your name, address, date of birth, driver’s license number, and/or social security number.
“May have?” Why don’t you know? Don’t you maintain logs?
Sprechman & Associates learned of this incident in July 2012, but was unable to notify you until now because notification at that time may have interfered with a law enforcement investigation and the best known contact information for potentially affected individuals was not known until October 2012. [Why would that be? Bob]
How did you learn of it? And when did the improper access occur, if it occurred? How long was this problem going on for? Was there any indication of misuse of anyone’s information? Did law enforcement actually ask you not to disclose this sooner or did you just make that decision on your own? If they asked you to delay notification, when did they tell you that you could go ahead and notify?
Although we cannot be sure that your Information was in fact used in an inappropriate manner, in an abundance of caution we are informing you that such viewing of your information may have occurred.
What Information May Have Been Viewed, When and By Whom?
One of our employees may have performed unauthorized searches on you. This information may have included your name, address, date of birth, driver’s license number, and social security number. We are advising you of this matter in an abundance of caution, but we stress that we cannot be sure that your Information was in fact used in an inappropriate manner. In fact, we cannot even be sure that your Information was actually viewed, but we are providing this notice out of an abundance of caution.
You can’t be sure it was viewed and/or misused, but you can’t be sure it wasn’t viewed and/or misused, right? So why aren’t you offering free credit protection and restoration services?
How Have We Responded to This Issue
Nonetheless, we certainly understand that this may be cause for concern. Additional information and support resources are available through the non-profit Identity Theft Resource Center at www.idtheftcenter.org, by calling (858) 693-7935, or via e-mail at firstname.lastname@example.org.
Other Steps You Can Take:
So you haven’t actually done anything to respond to this issue other than notify law enforcement and send out this notification letter? How about hardening your security and access to records? How about improving auditing so you can tell who’s accessed what? How about offering affected individuals some services?
If the law firm would like to provide additional information, I’ll be happy to post it or update this entry, but overall, I find their notification and response inadequate. They do provide a phone number to call if recipients have questions, but the letter isn’t even signed by an individual – only by “Notice Department.”
For the new generation, it's not really war, it's a video game.
Israel Kills Hamas Leader, Instantly Posts It to YouTube
The Israel Defense Forces didn’t just kill Hamas military leader Ahmed al-Jabari on Wednesday as he was driving his car down the street in Gaza. They killed him and then instantly posted the strike to YouTube. Then they tweeted a warning to all of Jabari’s comrades: “We recommend that no Hamas operatives, whether low level or senior leaders, show their faces above ground in the days ahead.”
The Jabari hit is part of the biggest assault the IDF has launched in more than three years on Gaza, with more than 20 targets hit. And it’s being accompanied by one of the most aggressive social media offensives ever launched by any military. Several days before Jabari’s elimination, the IDF began liveblogging the rocket attacks on southern Israel coming from Gaza. Once “Operation Pillar of Defense” began, the IDF put up a Facebook page, a Flickr feed, and, of course, a stream of Twitter taunts — all relying on the same white-on-red English-language graphics. “Ahmed Jabari: Eliminated,” reads a tweet from 2:21 p.m. Eastern time on Wednesday.
(Related) What are the rules here? I can see keeping HOW we will respond secret, but we should be announcing (not leaking) that we WILL respond.
Obama signs secret directive to help thwart cyberattacks
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyber attacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.
… An example of a defensive cyber-operation that once would have been considered an offensive act, for instance, might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer. [That's nonsense, unless the severing is done with explosives on foreign soil. Bob]
“That was seen as something that was aggressive,” said one defense official, “particularly by some at the State Department” who often are wary of actions that might infringe on other countries’ sovereignty and undermine U.S. advocacy of Internet freedom. Intelligence agencies are wary of operations that may inhibit intelligence collection. The Pentagon, meanwhile, has defined cyberspace as another military domain — joining air, land, sea and space — and wants flexibility to operate in that realm.
… But repeated efforts by officials to ensure that the Cyber Command has that flexibility have met with resistance — sometimes from within the Pentagon itself — over concerns that enabling the military to move too freely outside its own networks could pose unacceptable risks. A major concern has always been that an action may have a harmful unintended consequence, such as shutting down a hospital generator.
… Officials say they expect the directive will spur more nuanced debate over how to respond to cyber-incidents. That might include a cyberattack that wipes data from tens of thousands of computers in a major industrial company, disrupting business operations, but doesn’t blow up a plant or kill people.
The new policy makes clear that the government will turn first to law enforcement or traditional network defense techniques before asking military cyberwarfare units for help or pursuing other alternatives, senior administration officials said.
Looks like things are back to normal in New Jersey for at least one group. I wonder what the “It fell off-a da truck” price will be?
Thieves Grab 3,600 iPad Minis Worth $1.5M In JFK Airport Heist
Apple’s iPad mini seems to be a success, and that has attracted the criminal element’s attention. According to the New York Post, a shipment of Apple’s iPad mini, numbering 3,600 devices and with a total value of $1.5 million, was taken from JFK airport from the same location that a group stole $5 million in cash and $900,000 in jewelry in 1978. [Now we can film “i-Goodfellas” the sequel Bob]
Probably not going to happen.
Investigate the FBI
November 15, 2012 by Dissent
Trevor Timm of EFF has a great commentary on the FBI investigation that mushroomed and mushroomed and mushroomed. Here’s a snippet:
Congress is now demanding to know why it wasn’t informed by the Justice Department about the details of the Petraeus affair earlier. Lawmakers should instead be worried about why the public was informed of these details at all, given that no crime was committed. And instead of investigating one man’s personal life, they should investigate how to strengthen our privacy laws so this does not happen to anyone else.
The U.S. government has so far been unable to keep its colossal surveillance state in check. Now that it is so bloated it is eating itself, one hopes more people will finally pay attention.
Read more on ForeignPolicy.com.
Not only does Congress need to investigate what happened, but the DOJ OIG needs to investigate this and issue a report to the public promptly. Did the FBI act lawfully at all times or did they misuse their tools and authority? How does a complaint by someone about a few mean emails – which may be protected speech and not criminal at all – result in an investigation that looks into the communications between a ranking general and others? If it’s not even clear any crime was committed, should our government be able to snoop so extensively without judicial oversight? If a court granted the FBI a warrant, well, to be blunt, what the hell was the judge thinking or what was the judge told to justify the privacy invasion?
Trevor emphasizes the fact that the public never should have been told about this investigation at all. It’s a fair point, but would we really rather not know that our government can do these things to us?
Some of us have been saying for years that ECPA needs to be updated and more privacy protections need to be incorporated. Some of us have also been saying for years that providers need to shorten their data retention periods. If you don’t retain it, the FBI can’t get it from you. NOW will you listen to us? How many more lives or careers will be ruined until Congress and providers take steps to genuinely protect the privacy of our electronic communications?
Reporting on their grasp of the obvious? I remember a Great Aunt telling me about soldiers standing guard at each bridge along a minor spur railroad in central New Jersey. Perhaps this would be a job stimulus if we let the TSA provide similar security for pipelines and the power grid?
November 14, 2012
Terrorism and the Electric Power Delivery System
"The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles, and many key facilities are unguarded. This vulnerability is exacerbated by the fact that the power grid, most of which was originally designed to meet the needs of individual vertically integrated utilities, is being used to move power between regions to support the needs of competitive markets for power generation. Primarily because of ambiguities introduced as a result of recent restructuring of the industry and cost pressures from consumers and regulators, investment to strengthen and upgrade the grid has lagged, with the result that many parts of the bulk high-voltage system are heavily stressed. Electric systems are not designed to withstand or quickly recover from damage inflicted simultaneously on multiple components. [New Jersey found that out recently... Bob] Such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction. Further well-planned and coordinated attacks by terrorists could leave the electric power system in a large region of the country at least partially disabled for a very long time. Although there are many examples of terrorist and military attacks on power systems elsewhere in the world, at the time of this study international terrorists have shown limited interest in attacking the U.S. power grid. However, that should not be a basis for complacency. Because all parts of the economy, as well as human health and welfare, depend on electricity, the results could be devastating.
Terrorism and the Electric Power Delivery System focuses on measures that could make the power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable while the delivery of conventional electric power has been disrupted."
Anyone taking bets? I imagine each discovery request would want “each and every contact” with everyone involved. Should make for lots of jobs for my Data Mining students...
"The Salt Lake Police department will be much more transparent with their law enforcement. A program is being rolled out to require officers wear glasses equipped with a camera to record what they see. Of course, there are several officers opposed to this idea, who will resist the change. One of the biggest shockers to me is that the police chief is in strong support of this measure: 'If Chief Burbank gets his way, these tiny, weightless cameras will soon be on every police officer in the state.' With all the opposition of police officers being recorded by citizens that we are seeing throughout the country, it is quite a surprise that they would make a move like this. The officers would wear them when they are investigating crime scenes, serving warrants, and during patrols. Suddenly Utah isn't looking like such a bad place to be. Now we just need to hope other states and departments would follow suit. It sure will be nice when there is video evidence to show the real story."
It's not only the Air Force that tries to do everything in one “swell foop.” This is much too large a project to control. What do they actually need that could be developed in six months or less?
"The U.S. Air Force has decided to scrap a major ERP (enterprise resource planning) software project after spending $1 billion, concluding that finishing it would cost far too much more money for too little gain. Dubbed the Expeditionary Combat Support System (ECSS), the project has racked up $1.03 billion in costs since 2005, 'and has not yielded any significant military capability,' an Air Force spokesman said in a statement. 'We estimate it would require an additional $1.1B for about a quarter of the original scope to continue and fielding would not be until 2020. The Air Force has concluded the ECSS program is no longer a viable option for meeting the FY17 Financial Improvement and Audit Readiness (FIAR) statutory requirement. Therefore, we are canceling the program and moving forward with other options in order to meet both requirements.'"
… Numbers-wise, in the third quarter of this year, mobile phone owners sent an average of 678 texts per month, which is down from 696 texts a month in the previous quarter. This isn’t a huge decline, but it’s the first ever decline that has been recorded. And it’s not a big concern for users, and it’s also not a big deal for carriers, since the bulk of their revenue comes from data plans.
I use LightShot myself, but each App is slightly different so you have to try them to see which “feel” best...
ScreenSnag is a downloadable desktop application that lets you easily take a photo of your computer screen. You can capture an entire screen, a region of the screen, a window, or an element on the window with a single hotkey or a click.
It has a Timer option to perform screen captures at your defined intervals. It has many configuration settings depending on the situation. Save different combinations of settings into profiles for quicker access later on.
To see all the available features of the app, download it for free from their website.
Pinterest with a focus?
Wednesday, November 14, 2012
Learnist, which I've described in the past as Pinterest for learning, announced today that you no longer have to use Facebook or Twitter to register and use their service. You can now register for and use Learnist with an email account. The service is still available only to people who request a beta invite, but it seems that beta invites come quickly.
… Learnist provides another professional learning community in which you collaborate on the collation of resources that are beneficial to you and your students.
One of my smarter friends (Dr. Michelle Post) just published a couple of eBooks. I expect she'll be writing one a week soon.
Heaven Has Tea Parties, http://www.amazon.com/dp/B00A78LD2E, is about the loss of my mother and God's healing in this loss. All proceeds from the sale of the book will be donated to the American Parkinson Disease Association in memory of my mother, Annie.
Building Your Adjunct Platform, http://www.amazon.com/dp/B00A7HDV6Q, is a "how to" book for anyone looking to become a college/university Adjunct Instructor.