Tuesday, February 25, 2014
For my Ethical Hackers. Anyone can get hacked. Make sure you can blame someone else!
Rich McCormick reports:
The EC-Council, a US professional organization that offers a respected certification in ethical hacking, was itself hacked this weekend. Passport and photo ID details of more than 60,000 security professionals who have obtained or applied for the EC-Council’s Certified Ethical Hacker certification, many of whom work in sensitive political and military positions, are at risk after the breach. They include members of the US military, FBI, United Nations, and National Security Agency.
Among their number is Edward Snowden, whose passport and application email for the certification were used to deface the EC-Council’s homepage, alongside the message “Defaced again? Yep, good job reusing your passwords morons.”
From The Verge article:
The US Department of Defense has the EC-Council's Certified Ethical Hacker qualification as a mandatory standard for its Computer Network Defense Service Providers. According to Steve Ragan of CSO, the EC-Council's website — which is currently inaccessible — was found to have vulnerabilities to various methods of attack last year. This specific defacement is reportedly a DNS redirect, controlled by an IP that was implicated in an attack on Flash-based co-operative shooter Realm of the Mad God earlier this month.
“If you like something, we do that. If you don't like something, we don't do that.” Marketing 101. “We don't even do lots of stuff you didn't know you didn't like.” Marketing 201.
Jack Clark reports:
A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA.
“NSA and any other world-class intelligence agency can hack into databases even if they are not in the US,” said former White House security advisor Richard Clarke in a speech at the Cloud Security Alliance summit in San Francisco on Monday. “Non-US companies are using NSA revelations as a marketing tool.”
But the takeaway quote of his talk has to be this:
“The United States government has to get out of the business – if it were ever in the business – has to get out of the business of fucking with encryption standards,” Clarke said.
Read more on The Register.
We have the precedent of mandatory health insurance for healthy people to lower the cost to sick people, why not make secure companies pay to lower the cost to incompetents? (Note: This does not “spread the risk” – I'm still less likely to get hacked than the average company.)
David Navetta writes:
The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach (2007; 45 million cards exposed) dominated the news cycle. The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed. This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade: has anything really changed?
Read more on InfoLawGroup, where David argues that just as states require automobile insurance, they could similarly require cyberinsurance for breaches. Alternatively, and as David seems to prefer, the card brands at the top of the pyramid could make it a contractual requirement for businesses that want to accept their cards.
As a side note, I need to point out that David mentions the reports of Michaels Stores being breached. As of a few days ago, when I reached out to them, Michaels Stores had not confirmed that they have had any breach. That’s not to say that they may not have had a breach, but just to point out that it’s possible that we will hear that there’s been no breach in that case.
(Related) and some Perspective.
Dutch ISP XS4ALL and the law firm Brinkhof have awarded their annual Internet Thesis prize to a masters student researching required disclosure of data breaches. The research found that any such legal requirement would likely not meet its objectives. The thesis was based on the number of disclosures in the US before and after implementation of legal requirements. While the number increased after the requirement was imposed, the impact was minimal: over the research period of eight years, only 0.05 percent of businesses in the US reported a data leak, while British research had already shown that around 80 percent of security managers have dealt with data breaches.
(Related) There ought to be a law!
AG Holder Urges Congress to Create National Standard for Reporting Cyberattacks
by Sabrina I. Pacifici on February 24, 2014
“In a video message released today, Attorney General Eric Holder called on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks. This legislation would strengthen the Justice Department’s ability to combat crime, ensure individual privacy, and prevent identity theft, while also helping to bring cybercriminals to justice. [Not sure I completely agree Bob]
“Late last year, Target – the second-largest discount retailer in the United States – suffered a massive data breach that may have compromised the personal information of as many as 70 million people, in addition to credit and debit card information of up to 40 million customers. The Department of Justice is currently investigating this breach, in close coordination with the U.S. Secret Service. And we are moving aggressively to respond to hacking, cyberattacks, and other crimes that harm American consumers – and expose personal or financial information to those who would take advantage of their fellow citizens.” As we’ve seen – especially in recent years – these crimes are becoming all too common. And they have the potential to impact millions of Americans every year. Just days after the Target breach was made public, another major retailer – Neiman Marcus – reported that it also suffered a suspected cyberattack during the holiday season. And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cyber criminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant [A truly flexible term... Bob] data breaches.
“Today, I’m calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised. This would empower [? Bob] the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable [Is this new? Do any existing laws go after breached entities like Target? Bob] when they fail to keep sensitive information safe. And it would provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.
That's not funny.
Google's Schmidt: We don't (yet) have a connection inside your brain
When I heard that Google's Eric Schmidt had sat down to chat with a curiously trendy-looking Glenn Beck, I was hoping for questions like: "C'mon, Eric. Are you a commie?"
Instead, what ensued was a conversation about man and machine achieving perfect harmony, something that Lenin spectacularly failed to master.
Some might suspect that, in Google's eyes, such harmony would involve Google being able to control your arm as it reaches to scratch your head.
Schmidt, though, was at pains to put that concept to rest.
He said: "Google does not have a connection inside of your brain."
… Indeed, Schmidt then offered this follow-up: "We're not that good. Maybe yet. Maybe never."
For my students (not many use WhatsApp because of security concerns – should fit right into Facebook.)
4 Slick WhatsApp Alternatives that Guard Your Privacy
… Facebook isn’t exactly known for its information privacy successes — in fact, its security gaffes have been some of the biggest tech news over the past few years, and its arcane security settings are infamous. We had to write a guide to help you figure them out.
Fortunately, if you no longer feel comfortable sending data through WhatsApp, you have some secure alternatives.