Tuesday, December 24, 2013

Something my Ethical Hackers should consider. Will we look back at Syria as the first true “Digital Battlefield,” even though it is very one sided (that we can prove) and targeted at non-combatants as well as the “rebels.” No violation of the “laws of war” (Is it?) but how do you counter?
Social Engineering and Malware in Syria: EFF and Citizen Lab’s Latest Report on the Digital Battlefield
by Sabrina I. Pacifici on December 23, 2013
“More than two years into the Syrian conflict, the violence continues both on the ground and in the digital realm. Just as human rights investigators and weapons inspectors search for evidence of chemical weapons, EFF, and the University of Toronto’s Citizen Lab have been collecting, dissecting, and documenting malicious software deployed against the Syrian opposition. Citizen Lab security researchers Morgan Marquis-Boire and John Scott-Railton and EFF Global Policy Analyst Eva Galperin today published their latest technical paper, Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns. The report outlines how pro-government attackers have targeted the opposition, as well as NGO workers and journalists, with social engineering and “Remote Access Tools” (RAT).”

Very nice summary.
Really really helpful post over on 451 Security. Here’s the intro:
I’ve written this post for two reasons. First, the recent Target breach has led to some confusion, which I will try to clear up here. Second, I wanted to create an easily referenced educational resource on how credit cards are designed to work. I’m hoping this will help people understand the intricacies of credit card fraud and how some credit card features attempt to limit it.
Here is the TL;DR version: CVV codes were compromised and should not be stored post-authorization, but the CVV codes compromised are not the codes printed on the card that we get asked for when making online purchases. There are actually two separate security codes: one to prove possession of the card when it is swiped (stored on the magnetic strip) and another printed on the card, to prove possession of the card when it is used in card-not-present transactions, like e-commerce or over the phone. The same value is not used for both codes.
Read more on 451 Security.
[From the article:
Based on what we know about the breach, it sounds like track data was either potentially stored by Target (against PCI DSS rules), was captured in transit or was captured pre-authorization (PCI says you can’t store track data after authorization). If full track data was compromised, the primary threat of consumer fraud from this breach will be for stolen data to be copied to fake credit cards and used in-person.

Just up the road, but also available globally via Live Stream.
This sounds like a not-to-be-missed event. Wish I could get there to attend, but I’ll have to console myself with watching the live stream.
Friday, January 17, 2014; 9:00 AM – 5:30 PM
@ University of Colorado Law School, Room 101
Live Stream: to view, click here
What harms are privacy laws designed to prevent? How are people injured when corporations, governments, or other individuals collect, disclose, or use information about them in ways that defy expectations, prior agreements, formal rules, or settled norms? How has technology changed the nature of privacy harm?
These questions loom large in debates over privacy law. Often, they are answered skeptically. The President of the United States justifies massive NSA surveillance programs by arguing that non-content surveillance is not very harmful. Advertisers resist calls for aggressive forms of Do Not Track by arguing that the way they track online behavior creates little risk of harm. Judges dismiss lawsuits brought by users suing services that suffer massive data breaches, for lack of harm.
Meanwhile, many privacy law scholars and advocates do not speak consistently, if they speak at all, about privacy harm. Some prefer to talk about “problems” or “conflicts” not harms. Others point primarily to abstract, societal harms such as chilling effects or harms to dignity or individual autonomy. Many of these people have tried to move the conversation away from harm and what they see as crabbed, tort-centric approaches to privacy protection.
It is time to revisit old conversations about harm. New practices and technologies raise new threats of harm. [Or automate existing ones? Bob] The fear of Big Data techniques (for example in the public debate over the pregnancy prediction program of the retailer Target) have inspired new theories of harm. Economists and computer scientists have developed new ways of measuring privacy harm. Regulators have adopted new ways of talking about harm.
Join the Silicon Flatirons Center for Law, Technology, and Entrepreneurship on Friday, January 17, 2014, from 9:00 AM – 4:15 PM as we venture into the New Frontiers of Privacy Harm. We will assemble thought leaders and top practitioners and regulators for a diverse and rich set of conversations about privacy harm.
You can see the great line-up of presenters and discussants, and access the day’s schedule here.

(Related) Interesting article!
From a recent article by Woodrow Hartzog in Ohio State Law Journal, Vol. 74, p. 995, 2013:
As online social media grow, it is increasingly important to distinguish between the different threats to privacy that arise from the conversion of our social interactions into data. One well-recognized threat is from the robust concentrations of electronic information aggregated into colossal databases. Yet much of this same information is also consumed socially and dispersed through a user interface to hundreds, if not thousands, of peer users.
In order to distinguish relationally shared information from the threat of the electronic database, this essay identifies the massive amounts of personal information shared via the user interface of social technologies as “social data.” The main thesis of this essay is that, unlike electronic databases, which are the focus of the Fair Information Practice Principles (FIPPs), there are no commonly accepted principles to guide the recent explosion of voluntarily adopted practices, industry codes, and laws that address social data.
This essay aims to remedy that by proposing three social data principles — a sort of FIPPs for the front-end of social media: the Boundary Regulation Principle, the Identity Integrity Principle, and the Network Integrity Principle. These principles can help courts, policymakers, and organizations create more consistent and effective rules regarding the use of social data.
You can download the full article from SSRN. You may also wish to see the other articles in the same issue of the Ohio State Law Journal

I doubt most people even think about why privacy is of concern to magazines like Forbes.
Over on Forbes, Kashmir Hill writes:
Forget “twerking” and “selfies.” Dictionary.com dubbed “privacy” the word of the year in 2013. Here at The Not-So Private Parts, it feels a little like the unknown indie band we’ve been obsessed with for years just won best album at the Grammys. So why did the plight of our personal data achieve Arcade Fire-level fame this year?
Read more on Forbes.

(Related) Illogical or merely ignorant?
Liz Gannes reports:
When asked to choose which is more important to them, protecting their personal information online or protecting their online behavior, respondents to a recent survey said hacking is a bigger concern than tracking.
Some 75 percent of those surveyed said they are worried about hackers stealing their personal information, while 54 percent are worried about their browsing history being tracked by advertisers.
Read more on AllThingsD.

These are common failings in all industries. Managers do not like to spend money or resources on things like logs that are only useful in the unlikely event they are breached. Rational or irrational?
From the Executive Summary of a newly released report:
Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.
We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.
You can access the full report here (pdf, 30 pp.)

Sign up an you can be among the first to know you've been had. Possibly even before the breachee.
Have you been pwned? Now you can be automatically told when you are!
Just under three weeks ago now, I launched Have I been pwned? which could tell you if you owned one of 154 million email addresses that had been caught up in recent data breaches. Subsequently, the site turned out to be wildly popular and as with such things, a lot of good ideas came up in terms of features people would like to see.
Without doubt, the number one request was for notifications. Searching for accounts that may have been pwned up to the current date is one thing, but the real value is in being automatically notified when you get pwned in the future. So I built it – oh and I’ve made it a free service.
Signing up for notifications
Let me talk you through it: First of all, jump over to haveibeenpwned.com and search for your email address. You can always just hit the “Notify me” link in the nav but I suspect most people will want to kick off by looking at whether they’ve already been compromised.
This is pretty much business as usual, except now you’ve got a “Notify me if my address gets pwned in the future” hyperlink just above the social media icons. Click that guy and you’ll get a little window:

I like lists like this, because I always try to steal learn from the best! Many more blogs listed at the site.
Announcing the 2013 Blawggie Awards – Tenth Edition
2013 Blawggie Award Categories and Winners.
1. Best Overall Law-Related Blog – 3 Geeks and a Law Blog
2. The “Marty Schwimmer” Best Practice-Specific Legal Blog – Sharon Nelson’s Ride the Lightning
3. Best Law Practice Management Blog – Adam Smith, Esq.
4. Best Law-related Blog Category – Law Librarian Blogs BeSpacific Blog
5. The “Kennedy-Mighell Report” Best Legal Podcast – The Return of the Legal Talk Network
6. The “Sherry Fowler” Best Writing on a Blawg Award – Sharon Nelson’s Ride the Lightning
7. Best Law Professor Blog – Legal Skills Prof Blog
8. The “DennisKennedy.Blog” Best Legal Technology Blog – V. Mary Abraham’s Above and Beyond KM
9. Best New Blawg – Jerry Lawson’s NetLawTools

For my Apple toting students...
Year in Review: 5 Most Notable New iOS Apps of 2013

For my Ethical Hackers
… why not steal away by yourself for a few hours and work on the SANS Institute’s 10th annual Holiday Hacking Challenge?
… The learning opportunity comes into play when you don’t already understand something you encounter in the packet capture file. You are expected to do your own research to understand the artifact well enough to explain it in your response. Given that this year’s scenario is based on a virtual city’s critical infrastructure, Skoudis says there will be some protocols that network professionals probably aren’t familiar with. It’s a chance to stretch your knowledge a bit and build some in-demand skills in a fun way.
Since this is the 10th year for the competition, some of the previous years’ challenges and answers are posted online.
… For a look at the 2012 Holiday Hacking Challenge and the winning and honorable mention responses, click here.
Details about the Holiday Hacking Challenge, which is now live, can be found here. You have until January 6, 2014 to send your results to HolidayChallenge@counterhackchallenges.com. Good luck!

No comments: