Friday, February 14, 2014
Start grabbing control of military computers by infecting individual users as they drop by public websites, then let them carry the infection back to their secure computers.
New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military
Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.
… FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.
According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.
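The injection FireEye describes is an iframe added to the compromised site's own HTML so that the attacker's page loads invisibly. A site owner can look for exactly that artifact in the pages they publish. The following scanner is an added example, not code from FireEye or from the original post: it parses HTML with the standard library, collects every iframe, and flags frames that point at a host outside an assumed allow-list or are sized/styled so the visitor never sees them. The trusted hostnames, the sample page and the attacker hostname in it are all constructed for the example.

```python
"""Added example (not from FireEye or the original post): flag iframes of
the kind watering-hole attackers inject into a compromised site, i.e.
frames that load an off-site page and/or are hidden from the visitor.
All hostnames and the sample page below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site owner knows which hosts legitimately serve framed
# content on their pages. These names are made up for the example.
TRUSTED_HOSTS = {"www.example-vfw.test", "cdn.example-vfw.test"}

# Inline styles commonly used to keep a frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:^|;)\s*(?:width|height)\s*:\s*0(?:px)?\b",
    re.IGNORECASE,
)


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the frame is sized or styled so the visitor never sees it."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    if width in {"0", "1"} or height in {"0", "1"}:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def is_offsite(src, trusted_hosts):
    """True if src names a host that is not on the allow-list."""
    host = urlparse(src).hostname
    # Relative URLs (no host) stay on the site; anything else must be trusted.
    return host is not None and host.lower() not in trusted_hosts


def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (src, reasons) for iframes that deserve a human look."""
    parser = IframeFinder()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_offsite(src, trusted_hosts):
            reasons.append("off-site src")
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: two legitimate frames and one injected, hidden,
# off-site frame of the kind described in the report.
SAMPLE_PAGE = """<html><body>
<h1>Post news</h1>
<iframe src="/members/calendar.html" width="600" height="400"></iframe>
<iframe src="https://cdn.example-vfw.test/embed/video" width="640" height="360"></iframe>
<iframe src="http://attacker.example.test/land.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a crawl of your own published pages (or a diff between the deployed HTML and what is in source control), any frame that trips either rule is worth tracing back to the deploy or edit that introduced it; a legitimate embed will have an owner who can vouch for it.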
“If we had to tell you about every surveillance tool, we'd never have time for donuts!”
Erica Meltzer reports:
Boulder has installed three cameras on the municipal campus and has been continuously videotaping the area between the municipal building and the Main Public Library and the area to the east of the municipal building since the beginning of the year.
Boulder Police Chief Mark Beckner agreed to discuss the cameras after the Camera filed a public records request in response to an accidental mention of them at a City Council meeting Tuesday.
Read more on Daily Camera.
This should be easy to implement, after all it's just “vehicle metadata,” it doesn't reveal anything about the “contents” of the car. (It could be a terrorist or a soccer mom.) Besides, we absolutely need this data because it could be a terrorist or a soccer mom!
Paul Joseph Watson writes:
The Department of Homeland Security is set to activate a national license plate tracking system that will be shared with law enforcement, allowing DHS officers to take photos of any license plate using their smartphone and upload it to a database which will include a “hot list” of “target vehicles”.
The details are included in a PDF attachment uploaded yesterday to the Federal Business Opportunities website under a solicitation entitled “National License Plate Recognition Database.”
Read more on Infowars.com.
(Related) Clearly there is big money in license plate readers. Perhaps their lobbyists convinced the DHS they need them? Perhaps lobbyists write DHS policy! (No one else seems to.)
Jack Gillum of Associated Press reports:
The surveillance industry is fighting back. A company that makes automated license plate readers sued Utah’s government Thursday over a new law there intended to protect drivers’ privacy.
Digital Recognition Network Inc. of Fort Worth, which makes license-plate readers that rapidly scan the tags of passing vehicles, argues that a new state ban on license-plate scanning by private companies infringes on its free-speech rights to collect and disseminate the information it captures, and has effectively put it out of business there.
Read more on Telegram.com.
(Related) If the same ratio holds, DHS could have 3.8 Billion records in 18 months! Some might even be useful!
As of the 2013 census, Vermont has a population of approximately 626,000.
And yet the Vermont State Police have a database of almost 8 million location records they collected during the period July 2012 – December 2013. The records were compiled from the 61 Automated License Plate Readers (ALPR) in the state, and the data can be requested by state, local, and federal agencies. Federal requests were mostly from the Border Patrol. [Keeping us safe from Canadians! Bob]
You can read more about Vermont’s law, its data retention provisions, and details of data requests and the reasons for them in this report filed by the State Police with the state legislature.
Perhaps the bill for discussing this with your lawyer would constitute “Harm”?
idRADAR reports that (no surprise) Neiman Marcus has moved to dismiss a potential class action lawsuit stemming from its recently disclosed data breach.
Unlike other lawsuits where lead plaintiffs haven’t even experienced any fraudulent use of their data, the plaintiff in this case had incurred fraudulent charges on her card – which she attributes to the Neiman Marcus breach. But because of the card issuer’s zero liability assurances, Neiman Marcus was able to argue in its motion to dismiss that she has not experienced any unreimbursed harm, and therefore has no standing.
There must be some sites/resources that already do this, right? Someone must be collecting “Best Practices” for lawyers.
One of the recurring themes by commenters on this blog is that they got a breach notification that offered them free credit monitoring services, but:
1. They can’t access the site they’re directed to;
2. They are alarmed that the site asks them for their personal information; and/or
3. They have no reason to trust that site or company because there’s nothing on the site that inspires that trust or confidence.
By now, I’d have hoped businesses would have addressed this in their planning and notification letters, but that doesn’t appear to have happened. So in the interest of getting the word out to law firms that help their clients write breach notification letters or entities who are otherwise involved in breach responses:
Try to see this process through the letter recipient’s eyes. Assume they have never heard of the credit monitoring service or company you have made arrangements with and tell the recipients why they should trust them.
Tell them that they will be required to provide that company with personal information such as date of birth and Social Security number – and explain that it really is necessary, and why.
Explain that you are not being lazy and would love to do this for them, but you cannot sign people up for the free service because [insert explanation here].
Ensure that the firm you have contracted with can handle the load on their site and server so that it doesn’t crash repeatedly and frustrate your customers or employees even more.
Ensure that the firm you have contracted with has a web site that explains who the firm is and their background in providing credit monitoring services. Is their contact information prominently posted so that nervous customers can call them easily? Even if it is, do include their phone number in your notification letter for inquiries.
Gee, I would have thought much of the above should be pretty obvious, but apparently it needs to be said – and repeated – until everyone gets the message.
(Related) Does “Notification” need to include “All” the details, or just “You may be impacted, stay alert”?
Craig Hoffman and Charlie Shih write:
One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there is not a bright-line, objective answer. Most state breach notification laws require notification to occur as soon as reasonably possible and without undue delay subject to some qualifications.
Read more on Data Privacy Monitor.
For my Computer Security students. If you don't bother to measure, you may be asked in court why your security rated 18 on a scale of 0-100...
Introduction and Welcome - Security Metrics
This is the beginning of a series of postings I'll be doing on security metrics. It's a topic that I don't think we, as a community, have a particularly good grasp of – probably because security, as a field, is only just beginning to professionalize to the point where (in some markets) it's getting more than a nod as a necessary evil.
… During the course of this series I'm going to hit on a range of topics from why metrics are important and what they are, to bottom-up analysis of your business process, and top-down analysis of your mission, then the problems of normalization and data-sharing, as well as suggestions on how to present data.
For the Tools & Techniques folder...
Turn Windows Into A WiFi Hotspot & Share Your Internet Connection
The key component in this process is making sure that your Windows computer has a wireless network card. If you have that installed properly, then you can turn your Windows computer into a WiFi hotspot and share your Internet connection.
For my students.
Slidebean is an easy way to create beautiful presentations. Focus on your content. Slidebean handles the rest. Take your presentation ideas and structure your keynote. Select one of our beautiful presentation templates tailored to the needs of each audience. Present from any web browser on your computer, tablet or smartphone. Slidebean works seamlessly on desktop, tablet and mobile devices.
For some of my students (they know who they are). Also useful for prank calls at 2AM?
– is a service where you can schedule a wake-up call. This is useful if you don’t have an alarm clock, or if you need a guarantee that you will wake up on time for an important appointment. Just enter your phone number, the date and time you want the call, and even specify if you want a man or a woman’s voice! You can even be told the weather.
For my students
Hemingway Helps You Analyze Your Writing
Hemingway is a free tool designed to help you analyze your writing. Hemingway offers a bunch of information about the passage you've written or copied and pasted into the site. Hemingway highlights the parts of your writing that use passive voice, adverbs, and overly complex sentences. All of those factors are accounted for in generating a general readability score for your passage.
Hemingway is the kind of tool that I like to have students use before exchanging papers with classmates for peer editing. Hemingway acts as a kind of "virtual peer" before the peer editing process. I would also have students use Hemingway before turning in their final drafts for a grade.
StoryToolz offers a tool similar to Hemingway that you may also want to check out.
For teachers trying to “flip the classroom” and for my students who find that I don't know everything – that's pretty much all of them after the first week of class...
OpenEd Releases an iPad App for Finding and Sharing Educational Videos and Games
OpenEd.io is a free service that launched in October of 2013 for the purpose of offering a huge catalog of educational videos, games, and assessments. One of the services OpenEd.io offers is the option for teachers to create courses and collections of resources to share with their students. This week OpenEd released a free iPad app for teachers and students.
Teachers can use the free iPad app to locate videos, games, and assessments. Teachers can search for materials according to standard, content area, grade level, and material type.
Students can use the free OpenEd iPad app to log into the courses that they are members of and view the materials that their teachers have shared with them.
The OpenEd iPad app is a great complement to everything else that OpenEd offers. As a registered OpenEd user (registration is free and takes less than thirty seconds to complete) you can create courses and playlists of videos and other materials that you find in the OpenEd directory. You can align your courses and playlists to standards. Adding assessments to your courses could be a good way to provide your students with some self-study / self-quiz materials to review before coming into your classroom.
For my Math geeks: I make that enough to power 400,000 DeLorean time machines, since they use a mere 1.21 gigawatts! (Enter “1.21 gigawatts” into WolframAlpha.com)
High-Powered Lasers Deliver Fusion Energy Breakthrough
The power of the sun has edged a little closer to Earth. Under x-ray assault, the rapid implosion of a plastic shell onto icy isotopes of hydrogen has produced fusion and, for the first time, 170 micrograms of this superheated fusion fuel released more energy than it absorbed.
… Employing 1.9 megajoules in slightly more than a nanosecond, the lasers deliver 500 terawatts of power inside the hohlraum (a terawatt is a trillion watts).