Start grabbing control of military computers by infecting individual users as they drop by public websites, let them carry the infection back to their secure computers.
New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military
Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

… FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.

According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.
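The injection described above, an iframe added to a compromised site's HTML that loads an attacker's page in the background, is something a site owner can check for in the pages the server actually hands out. What follows is an added example, not code from the page, from FireEye or from the VFW site: a small Python checker that lists every iframe and script tag whose source origin is not on an allowlist of origins the site is known to use, and flags the ones sized or styled to be invisible. The page origin, the allowed origins, the sample HTML and the attacker.invalid host are all constructed for the example.

```python
"""Added example (not from the page or FireEye): flag iframes and scripts
injected into a site's HTML that pull content from unexpected origins."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collects every <iframe> and <script> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.tags.append((tag, dict(attrs)))


def _origin(url, page_origin):
    """Return scheme://host for url, resolving relative and protocol-relative
    references against the page's own origin."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    if not parsed.netloc:  # relative path: same origin as the page itself
        return page_origin
    return (parsed.scheme or "https") + "://" + parsed.netloc.lower()


def _looks_hidden(attrs):
    """True when the element is sized to 0/1 pixels or styled invisible, the
    usual way to load a third-party page "in the background" unnoticed."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_unexpected_frames(html, page_origin, allowed_origins):
    """Return findings for iframe/script tags whose src origin is neither the
    page's own origin nor in allowed_origins.
    Each finding is (tag, src, origin, hidden)."""
    parser = _TagCollector()
    parser.feed(html)
    allowed = {o.lower() for o in allowed_origins} | {page_origin.lower()}
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline script or frame without src: nothing to resolve
        origin = _origin(src, page_origin)
        if origin not in allowed:
            findings.append((tag, src, origin, _looks_hidden(attrs)))
    return findings


# Constructed sample page: a same-origin login frame, an analytics script from
# an origin the site owner expects, and an injected invisible iframe pointing at
# a placeholder host (attacker.invalid is a reserved, non-resolving name).
PAGE_ORIGIN = "https://www.example.org"
ALLOWED_ORIGINS = ["https://cdn.example.net"]
SAMPLE_HTML = """<html><body>
<iframe src="/members/login.html" width="400" height="300"></iframe>
<script src="https://cdn.example.net/analytics.js"></script>
<iframe src="http://attacker.invalid/landing.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, origin, hidden in find_unexpected_frames(
        SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS
    ):
        flag = "HIDDEN " if hidden else ""
        print(f"{flag}{tag} from unexpected origin {origin}: {src}")
```

Run against the served HTML (for example, fetched periodically from outside the network) rather than against the files on disk, since an attacker who modifies the site may touch templates, plugins or server configuration rather than the static page, and only the output the browser receives shows the result.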
“If we had to tell you about every surveillance tool, we'd never have time for donuts!”

Erica Meltzer reports:
Boulder has installed three cameras on the municipal campus and has been continuously videotaping the area between the municipal building and the Main Public Library and the area to the east of the municipal building since the beginning of the year.

Boulder Police Chief Mark Beckner agreed to discuss the cameras after the Camera filed a public records request in response to an accidental mention of them at a City Council meeting Tuesday.

Read more on Daily Camera.
This should be easy to implement, after all it's just “vehicle metadata,” it doesn't reveal anything about the “contents” of the car. (It could be a terrorist or a soccer mom.) Besides, we absolutely need this data because it could be a terrorist or a soccer mom!

Paul Joseph Watson writes:
The Department of Homeland Security is set to activate a national license plate tracking system that will be shared with law enforcement, allowing DHS officers to take photos of any license plate using their smartphone and upload it to a database which will include a “hot list” of “target vehicles”.

The details are included in a PDF attachment uploaded yesterday to the Federal Business Opportunities website under a solicitation entitled “National License Plate Recognition Database.”

Read more on Infowars.com.
(Related) Clearly there is big money in license plate readers. Perhaps their lobbyists convinced the DHS they need them? Perhaps lobbyists write DHS policy! (No one else seems to)

Jack Gillum of Associated Press reports:
The surveillance industry is fighting back. A company that makes automated license plate readers sued Utah’s government Thursday over a new law there intended to protect drivers’ privacy.

Digital Recognition Network Inc. of Fort Worth, which makes license-plate readers that rapidly scan the tags of passing vehicles, argues that a new state ban on license-plate scanning by private companies infringes on its free-speech rights to collect and disseminate the information it captures, and has effectively put it out of business there.

Read more on Telegram.com.
(Related) If the same ratio holds, DHS could have 3.8 Billion records in 18 months! Some might even be useful!

As of the 2013 census, Vermont has a population of approximately 626,000.

And yet the Vermont State Police have a database of almost 8 million location records they collected during the period July 2012 – December 2013. The records were compiled from the 61 Automated License Plate Readers (ALPR) in the state, and the data can be requested by state, local, and federal agencies. Federal requests were mostly from the Border Patrol. [Keeping us safe from Canadians! Bob]

You can read more about Vermont’s law, its data retention provisions, and details of data requests and the reasons for them in this report filed by the State Police with the state legislature.
Perhaps the bill for discussing this with your lawyer would constitute “Harm?”

idRADAR reports that (no surprise) Neiman Marcus has moved to dismiss a potential class action lawsuit stemming from its recently disclosed data breach.

Unlike other lawsuits where lead plaintiffs haven’t even experienced any fraudulent use of their data, the plaintiff in this case had incurred fraudulent charges on her card – which she attributes to the Neiman Marcus breach. But because of the card issuer’s zero liability assurances, Neiman Marcus was able to argue in its motion to dismiss that she has not experienced any unreimbursed harm, and therefore has no standing.
There must be some sites/resources that already do this, right? Someone must be collecting “Best Practices” for lawyers.

One of the recurring themes by commenters on this blog is that they got a breach notification that offered them free credit monitoring services, but:

1. They can’t access the site they’re directed to;
2. They are alarmed that the site asks them for their personal information; and/or
3. They have no reason to trust that site or company because there’s nothing on the site that inspires that trust or confidence.

By now, I’d have hoped businesses would have addressed this in their planning and notification letters, but that doesn’t appear to have happened. So in the interest of getting the word out to law firms that help their clients write breach notification letters or entities who are otherwise involved in breach responses:
Try to see this process through the letter recipient’s eyes. Assume they have never heard of the credit monitoring service or company you have made arrangements with and tell the recipients why they should trust them.

Tell them that they will be required to provide that company with personal information such as date of birth and Social Security number – and explain that it really is necessary, and why.

Explain that you are not being lazy and would love to do this for them, but you cannot sign people up for the free service because [insert explanation here].

Ensure that the firm you have contracted with can handle the load on their site and server so that it doesn’t crash repeatedly and frustrate your customers or employees even more.

Ensure that the firm you have contracted with has a web site that explains who the firm is and their background in providing credit monitoring services. Is their contact information prominently posted so that nervous customers can call them easily? Even if it is, do include their phone number in your notification letter for inquiries.

Gee, I would have thought much of the above should be pretty obvious, but apparently it needs to be said – and repeated – until everyone gets the message.
(Related) Does “Notification” need to include “All” the details or just “You may be impacted, stay alert.”

Craig Hoffman and Charlie Shih write:

One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there is not a bright-line, objective answer. Most state breach notification laws require notification to occur as soon as reasonably possible and without undue delay subject to some qualifications.

Read more on Data Privacy Monitor.
For my Computer Security students. If you don't bother to measure, you may be asked in court why your security rated 18 on a scale of 0-100...

Introduction and Welcome - Security Metrics

This is the beginning of a series of postings I'll be doing on security metrics. It's a topic that I don't think we, as a community, have a particularly good grasp of – probably because security, as a field, is only just beginning to professionalize to the point where (in some markets) it's getting more than a nod as a necessary evil.

… During the course of this series I'm going to hit on a range of topics from why metrics are important and what they are, to bottom-up analysis of your business process, and top-down analysis of your mission, then the problems of normalization and data-sharing, as well as suggestions on how to present data.
For the Tools & Techniques folder...

Turn Windows Into A WiFi Hotspot & Share Your Internet Connection

The key component in this process is making sure that your Windows computer has a wireless network card. If you have that installed properly, then you can turn your Windows computer into a WiFi hotspot and share your Internet connection.
For my students.

Slidebean – is an easy way to create beautiful presentations. Focus on your content. Slidebean handles the rest. Take your presentation ideas and structure your keynote. Select one of our beautiful presentation templates tailored to the needs of each audience. Present from any web browser on your computer, tablet or smartphone. Slidebean works seamlessly on desktop, tablet and mobile devices.
For some of my students (they know who they are) Also useful for prank calls at 2AM?

– is a service where you can schedule a wake-up call. This is useful if you don’t have an alarm clock, or if you need a guarantee that you will wake up on time for an important appointment. Just enter your phone number, the date and time you want the call, and even specify if you want a man or a woman’s voice! You can even be told the weather.
For my students

Hemingway Helps You Analyze Your Writing

Hemingway is a free tool designed to help you analyze your writing. Hemingway offers a bunch of information about the passage you've written or copied and pasted into the site. Hemingway highlights the parts of your writing that use passive voice, adverbs, and overly complex sentences. All of those factors are accounted for in generating a general readability score for your passage.

Hemingway is the kind of tool that I like to have students use before exchanging papers with classmates for peer editing. Hemingway acts as a kind of "virtual peer" before the peer editing process. I would also have students use Hemingway before turning in their final drafts for a grade.

StoryToolz offers a tool similar to Hemingway that you may also want to check out.
For teachers trying to “flip the classroom” and for my students who find that I don't know everything – that's pretty much all of them after the first week of class...

OpenEd Releases an iPad App for Finding and Sharing Educational Videos and Games

OpenEd.io is a free service that launched in October of 2013 for the purpose of offering a huge catalog of educational videos, games, and assessments. One of the services OpenEd.io offers is the option for teachers to create courses and collections of resources to share with their students. This week OpenEd released a free iPad app for teachers and students.

Teachers can use the free iPad app to locate videos, games, and assessments. Teachers can search for materials according to standard, content area, grade level, and material type.

Students can use the free OpenEd iPad app to log into the courses that they are members of and view the materials that their teachers have shared with them.

The OpenEd iPad app is a great complement to everything else that OpenEd offers. As a registered OpenEd user (registration is free and takes less than thirty seconds to complete) you can create courses and playlists of videos and other materials that you find in the OpenEd directory. You can align your courses and playlists to standards. Adding assessments to your courses could be a good way to provide your students with some self-study / self-quiz materials to review before coming into your classroom.
For my Math geeks: I make that enough to power 400,000 DeLorean time machines, since they use a mere 1.21 gigawatts! (Enter “1.21 gigawatts” into WolframAlpha.com)

High-Powered Lasers Deliver Fusion Energy Breakthrough

The power of the sun has edged a little closer to Earth. Under x-ray assault, the rapid implosion of a plastic shell onto icy isotopes of hydrogen has produced fusion and, for the first time, 170 micrograms of this superheated fusion fuel released more energy than it absorbed.

… Employing 1.9 megajoules in slightly more than a nanosecond, the lasers deliver 500 terawatts of power inside the hohlraum (a terawatt is a trillion watts).