Friday, December 14, 2012

A truly great “Bad Example.” See if you can find even more “Worst Practices” in the article.
FBI Memo: Hackers Breached Heating System via Backdoor
… The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it.
Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.
The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.”


Preparing for a “false flag” attack? Or just trying to find information on how to stabilize satellites?
"A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."
[From the DarkReading article:
Researchers didn't specify whether it's either North or South Korea, but say that around 80 percent of the victims in the attacks are Russian organizations.
Ali Islam, security researcher for FireEye, says it's possible that Korea is being used as a proxy for the attack.]


The other meaning of “swipe”
New 'Dexter' malware strikes point-of-sale systems
Retailer point-of-sale systems may be at risk of malware that steals credit card data.
Israel-based security firm Seculert has identified a strain of malware, dubbed Dexter, which it asserts has infected hundreds of point-of-sale (POS) systems across 40 countries in the past two to three months. English-speaking countries appear to be a prime target, with 30 percent of infections in the U.S., 19 percent in the U.K., and 9 percent in Canada.


Perhaps now I can develop that “Electronic Bounty Hunter” course I've been talking about.
"Japanese police are looking for an individual who can code in C#, uses a 'Syberian Post Office' to make anonymous posts online, and knows how to surf the web without leaving any digital tracks — and they're willing to pay. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker, or put so much technical detail into one of its wanted postings. The NPA will pay up to $36,000, the maximum allowed under its reward system. The case is an embarrassing one for the police, in which earlier this year 4 individuals were wrongly arrested after their PCs were hacked and used to post messages on public bulletin boards. The messages included warnings of plans for mass killings at an elementary school posted to a city website."

(Related) A new toolset...
SpyPhone: Pentagon Spooks Want New Tools for Mobile ‘Exploitation’
… The DIA wants “technical exploitation” tools that can efficiently access the data of people the military believes to be dangerous once their spies collect it.
That’s according to a request for information the DIA sent to industry on Wednesday. The agency wants better gear for “triage and automation, advanced technical exploitation of digital media, advanced areas of mobile forensics, software reverse engineering, and hardware exploitation, reverse engineering, and mobile applications development & engineering.” [Reads like a list of Ethical Hacker classes Bob] If the DIA runs across digitized information, in other words, it wants to make rapid use of it.


In the tradition of “Double Secret Probation” citizens are now members of the Animal House.
Attorney General Secretly Granted Gov Ability to Develop and Store Dossiers on Innocent Americans
December 13, 2012 by Dissent
Kim Zetter reports:
In a secret government agreement granted without approval or debate from lawmakers, the U.S. attorney general recently gave the National Counterterrorism Center sweeping new powers to store dossiers on U.S. citizens, even if they are not suspected of a crime, according to a news report.
Earlier this year, Attorney General Eric Holder granted the center the ability to copy entire government databases holding information on flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and other data, and to store it for up to five years, [and then start a “new” dossier? Bob] even without suspicion that someone in the database has committed a crime, according to the Wall Street Journal, which broke the story.
Read more on Threat Level.

(Related) Is this simply a coincidence or a “massive government conspiracy?”
"Hotmail and Yahoo Mail are apparently sharing [or have been given... Bob] a secret blacklist of domain names such that any mention of these domains will cause a message to be bounced back to the sender as spam. I found out about this because — surprise! — some of my new proxy site domains ended up on the blacklist. Hotmail and Yahoo are stonewalling, but here's what I've dug up so far — and why you should care."
Read on for much more on how Bennett figured out what's going on, and why it's a hard problem to solve.

(Related) Apparently, Harvard Law lets you skip the “How a Law is Made” class in favor of the “Expanding Executive Powers” class.
Obama Administration Rushes “Creepy Black Box” Mandate on All New Car Buyers
December 14, 2012 by Dissent
National Center Adjunct Fellow Horace Cooper is condemning the decision by the Obama Administration to bypass Congress and implement its automobile “black box” mandate administratively.
The Department of Transportation has announced a proposed rule to require Event Data Recorders (EDRs) in 100% of all light vehicles sold in the United States. EDRs are more commonly known as “black boxes,” such as those carried by aircraft.
Last year a similar proposal was killed by the House of Representatives when it was included in a Senate-passed bill to fund the nation’s transportation needs.
“Not only will this new requirement give new resources and data to the DOT to support more economically-damaging regulations in the future; this mandate itself represents an unprecedented breach of privacy for Americans. Operating more like a surveillance camera than a tool for accident investigation, this DOT rule-making is the embodiment of Orwellian monitoring,” Cooper explained.
“Contrary to what is now being claimed, EDRs can and will track the comings and goings of car owners and even their passengers,” Cooper said. “EDRs not only provide details necessary for accident investigation, they also track travel records, passenger usage, cell phone use and other private data. Who you visit, what you weigh, how often you call your mother and more is captured by these devices. Mandating that they be installed and accessible by the DOT is a terrible idea.”
“This decision to bypass Congress and adopt this change administratively demonstrates a reckless disregard for the privacy rights of the American people,” Cooper argued. “Claiming that the data collected will only be for the time period immediately surrounding the crash is no protection when the system itself will be running whenever the engine is on. In the digital era, we know that even if the programs were simply overwriting after each start, the underlying data remains there to be accessed. In this case, we don’t even have that assurance.”
“It is axiomatic that before the government can surreptitiously search a citizen or his car, it needs approval from a judge. Pretending that that protection goes away when the search is carried out electronically not only threatens the liberties of all Americans, it rejects our founders’ clear understanding of the limitations on the government,” Cooper concluded.


New Jersey, a leader in Privacy? Things had been going downhill since Uncle Foster was Governor; are we seeing a reversal?...
New Jersey Restricts Colleges’ Access to Students’ Personal Accounts, Considers Similar Protections for Employees
December 13, 2012 by Dissent
Michael Beder writes:
New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts. Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.
Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account.
Read more on Inside Privacy.


Interesting. Even though they use the financial area for their example, doesn't this suggest that Congress is ignorant? (Yes, Bob, it sure does.)
Effective Regulation Requires Information Richness
… We appreciate the efforts of thousands of good, well-meaning people who are dedicating large portions of their careers to resolving the issues, especially in light of conflicting political demands.
But as investors, citizens, and taxpayers, we find the lack of progress troubling, to say the least.
We suggest a new way of thinking about regulatory effectiveness to help inform honest debate, crystallize the issues, and break the stalemate. Actually, this new thinking is not so new. It stems directly from cybernetics, quality control, and information theory, all with roots at least 60 years old.
The most important principle (with some restatement on our part) comes from Stafford Beer in The Heart of Enterprise: "The complexity of the regulator must match the complexity of the regulated."


At last, someone is listening to me!
"Enthusiasm about Google's Kansas City fiber project is overwhelming. But in the Emerald City, the government doesn't want to wait. They have been stringing fiber throughout the city for years, and today announced a deal with company Gigabit Squared and the University of Washington to serve fiber to 55,000 Seattle homes and businesses with speeds up to a gigabit. The city will lease out the unused fiber, but will not have ownership in the provider nor a relationship with the end customers. [Exactly the model I suggested 20 years ago! Bob] The service rollout is planned to complete in 2014. It is the first of 6 planned university area network projects currently planned by Gigabit Squared."


The education model has changed – keep up or become obsolete?
UK Universities Forge Open Online Courses Alliance: FutureLearn Consortium Will Offer Uni-Branded MOOCs Starting Next Year
… Today’s news means even more MOOCs will be offered next year, as 12 UK universities are getting together to form a new company that will offer the online courses — under the brand name of FutureLearn Ltd. The universities are: Birmingham, Bristol, Cardiff, East Anglia, Exeter, King’s College London, Lancaster, Leeds, Southampton, St Andrews and Warwick, along with UK distance-learning organization The Open University (OU).


For my Data Analytics class
Mixpanel Launches A Site For Analytics Education, With Video Lectures From YouTube, BranchOut, And Others
Analytics startup Mixpanel has launched a new page on its website that co-founder Suhail Doshi described as “TED for analytics.”
The goal, he said, is to help companies get a better understanding of what kind of data to collect and how to use it. To that end, Mixpanel invites experts to its office for six weeks or so for an “office hours” event where they deliver lectures to customers and other friends of the company. Now Mixpanel is sharing those videos with a larger audience.
… You can browse the videos here.
