So hackers now have an “off the shelf” Advanced Persistent Threat tool? We're all doomed! (We can't even agree on an APT definition.)

Target's Data Breach: The Commercialization of APT

Target's breach should mark the watershed line of the enterprise's security. Not just because of the immense volumes of stolen data (40M credit card details), or the financial damage that Target may be subject to (Target reported 61M in costs related to the breach until February 1st), but because of the APT techniques used in that process by non-state backed hackers on a strictly commercial target (pardon the pun). The attack should serve as a wakeup call for enterprises: enterprises should consider themselves targets of APT-like campaigns and prepare their defense accordingly.
Warning! (And I get lots of student links)

New Phishing Scam Uses Scarily Accurate Google Login Page

… Here’s how it worked: victims got emails with the subject line “Documents.” The email itself contained what looked to be a link to a Google Doc – complete with an actual “Google.com” domain – and pointed users to what looks like a legitimate Google login screen.

It’s not uncommon for users to need to sign in before seeing a Google Doc, so many dutifully typed their passwords. They were re-directed to an actual Google Doc, but their username and password weren’t used by Google: criminals recorded them instead.

Google claims all such pages have since been taken down, but it’s still worth being vigilant. Don’t click links to Google Docs if you’re not sure of the sender. If you must, check that you’re logged into Google Docs before clicking through the link.
Could the NSA use this technology to silence critics? (Yes, that's an attempt at humor.)

Google won't face email privacy class action

Google Inc won a significant legal victory as a U.S. judge decided not to combine several lawsuits that accused the Internet search company of violating the privacy rights of hundreds of millions of email users into a single class action.

In a Tuesday evening decision, U.S. District Judge Lucy Koh in San Jose, California, said the claims, including those on behalf of users of Google's popular Gmail service, were too dissimilar to be grouped together. She also said the plaintiffs cannot pursue their broad-based class action again.

… Gmail users accused Google of violating federal and state privacy and wiretapping laws by scanning their messages so it could compile secret account profiles and target advertising.

Claims were also raised on behalf of students at schools that use Gmail, and people who do not use Gmail but communicate by email with people who do.

Google has said its software simply looks for keywords that can lead to the tailored advertisements.
(Related) Perhaps more laws?

From the ACLU of Northern California:

Imagine the government is constantly monitoring you: keeping track of every person you email or meet, every place you go, every item you buy, and more. And when you challenge them, they claim you have no right to expect this kind of information to be private, so they can collect as much of it as they want, even without a search warrant. Besides, they’re not actually listening to your calls or reading your email, so what’s the big deal anyhow?

Unfortunately, this scenario is more real than imaginary. The NSA, local police, and others have taken advantage of uncertain legal protections for metadata (descriptive information about our communications and activities) to sweep up vast amounts of data about innocent Americans without a warrant. And new technology is demonstrating just how sensitive metadata can be: how friend lists can reveal a person’s sexual orientation, purchase histories can identify a pregnancy before any visible signs, and location information can expose individuals to harassment for unpopular political views or even theft and physical harm.

Our new policy paper, Metadata: Piecing Together a Privacy Solution, examines how outdated laws and new technologies combine to put personal privacy at risk—and highlights efforts to change that. Lawmakers and the Supreme Court both have begun to recognize the sensitivity of metadata and the need to upgrade its privacy protections. This paper proposes a way forward to ensure that sensitive data of any type gets the protection it deserves.

Download a pdf of Metadata: Piecing Together a Privacy Solution.
One of those “Best Practices” that become quite obvious after the breach.

Improving Security via Proper Network Segmentation

Recent headlines around data breaches have highlighted a common security mishap – improper network segmentation.

Let’s face it, there is no such thing as being 100% secure. If an attacker really wants to get into your network, they will find a way. So you don’t want a single point of failure. Once unauthorized access is gained, network segmentation or “zoning” can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.

… Standards such as PCI-DSS provide guidance on creating clear separation of data within the network – in the case of PCI, cardholder data should be isolated from the rest of the network, which contains less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. [Hear that, Target? Bob]
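As an added example (not from the article above), here is a small Python audit that applies the PCI-style zoning rule just quoted to a constructed firewall rule set: the zone names, the policy table and the sample rules are all assumptions, and the check flags any allow rule that lets the third-party zone reach the cardholder-data zone, as well as a rule set that lacks a closing default deny.

```python
from collections import namedtuple

# Constructed sample network. "cde" is the cardholder-data environment (PoS
# systems, card databases); "vendor" is where third parties have access.
ZONES = ("cde", "jump", "corp", "vendor", "internet")

# Constructed policy: destination zone -> source zones allowed to initiate
# traffic into it. The CDE is reachable only from itself and the admin jump zone.
POLICY = {
    "cde": {"cde", "jump"},
    "jump": {"corp"},
    "corp": {"corp", "jump"},
    "vendor": {"vendor", "corp"},
    "internet": {"corp", "vendor"},
}

# A firewall rule: zones may be a name from ZONES or "any"; port is reported only.
Rule = namedtuple("Rule", "src dst port action")

def expand(zone):
    if zone == "any":
        return ZONES
    if zone not in ZONES:
        raise ValueError(f"unknown zone: {zone}")
    return (zone,)

def audit(rules):
    """Return findings for allow rules crossing a forbidden boundary; [] is clean."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        for s in expand(r.src):
            for d in expand(r.dst):
                if s not in POLICY[d]:
                    findings.append(f"rule {n} ({r.src}->{r.dst} {r.port}): "
                                    f"{s}->{d} not permitted")
    if not rules or (rules[-1].src, rules[-1].dst, rules[-1].action) != ("any", "any", "deny"):
        findings.append("no trailing default-deny rule")
    return findings

# Constructed sample rule set; rule 3 lets the third-party zone reach the CDE.
SAMPLE_RULES = [
    Rule("corp", "jump", "22", "allow"),
    Rule("jump", "cde", "22", "allow"),
    Rule("vendor", "cde", "3389", "allow"),
    Rule("corp", "internet", "443", "allow"),
    Rule("any", "any", "any", "deny"),
]
```

Running `audit(SAMPLE_RULES)` reports only rule 3; a wildcard source into the CDE is expanded zone by zone, so every non-permitted origin is listed separately.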
It gets back to this question: “Do we buy or rent our phones?”

Is It Illegal To Root Your Android or Jailbreak Your iPhone?
Probably a wise move. We're still in the “expand the user base” phase. However, “In Country” storage may become a premium service.

Brazil to drop requirement that Internet firms store data locally

Brazil’s lawmakers have agreed to withdraw a provision in a proposed Internet law, which would have required foreign Internet companies to host data of Brazilians in the country.

The provision was backed by the government in the wake of reports last year of spying by the U.S. National Security Agency, including on communications by the country’s President Dilma Rousseff.

The legislation, known as the “Marco Civil da Internet,” will be modified to remove the requirement for foreign companies to hold data in data centers in Brazil, according to a report on a website of the Brazilian parliament.
What does Google get out of this? Will their logo be on every search? Probably. Best reward may be increasing influence in all areas of government. (They already have ears in the White House.)

White House Launches Climate Data Initiative
by Sabrina I. Pacifici on March 19, 2014

News release: “…we are launching the Climate Data Initiative, an ambitious new effort bringing together extensive open government data and design competitions with commitments from the private and philanthropic sectors to develop data-driven planning and resilience tools for local communities. This effort will help give communities across America the information and tools they need to plan for current and future climate impacts… For example, Esri, the company that produces the ArcGIS software used by thousands of city and regional planning experts, will be partnering with 12 cities across the country to create free and open “maps and apps” to help state and local governments plan for climate change impacts. Google will donate one petabyte—that’s 1,000 terabytes—of cloud storage for climate data, as well as 50 million hours of high-performance computing with the Google Earth Engine platform. The company is challenging the global innovation community to build a high-resolution global terrain model to help communities build resilience to anticipated climate impacts in decades to come. And the World Bank will release a new field guide for the Open Data for Resilience Initiative, which is working in more than 20 countries to map millions of buildings and urban infrastructure.”
Cable is out, Internet TV is in?

Fewer viewers paying for wider menu of cable channels

The number of Americans who pay for TV through cable, satellite or fiber services fell by more than 250,000 in 2013, the first full-year decline, according to research firm SNL Kagan.

… The decline is small so far. Video subscribers across the entire pay-TV industry, which includes Comcast, DirecTV and Verizon, dropped by 251,000 last year to about 100 million,
A Blog can be about anything that interests you. Perhaps my Criminal Justice students would like to cover Denver?

I have one spiritual ritual in my life: every morning I check the Los Angeles Times' Homicide Report blog to learn who was killed in Los Angeles County while I slept.

The Homicide Report addresses two questions every newspaper covering a major metropolis should answer: who was killed last night, and why?

… The Homicide Report is anchored by a single reporter, Nicole Santa Cruz, an Arizona-born Latina, with glasses, pretty Etsy jewelry and a sweet voice. Nicole makes a round of phone calls every morning to the coroner, the LAPD, and sheriff’s department to find out who died last night. In the weeks and months that follow she attempts to answer the question ‘why?’
Mainly for my Computer Security students, but it is the first Virtual Job Fair that looked like more than a gimmick.

… Coming up this June 18 and 19, 2014, Cyber Aces is presenting the first National Cybersecurity Career Fair (NCCF). NCCF is an innovative virtual meeting place for the top cybersecurity employers and cybersecurity jobseekers in the United States.

… The virtual job fair takes place June 18 and 19. Job seekers can register to participate for free at http://www.nationalcybersecuritycareerfair.com/. Once they register, they can fill out a personal profile and upload a resume.

Companies looking to recruit entry or mid level workers also can visit http://www.nationalcybersecuritycareerfair.com/ to reserve “booth” space.

Though the career fair spans two days, people can come and go for the activities they prefer to attend. The main page of the website will direct participants into a networking lounge. From there they can look at a national job board, apply for jobs, and check the schedule for employer web and video chats. Employer participants have their own booth where they can meet virtually with candidates for employment, show videos about the company, and post materials specific to the organization or their available jobs.

As a special incentive to get people to participate in the NCCF, SANS Institute is giving each job candidate the opportunity to stand out by taking the SANS Cyber Talent exam for free. This exam usually costs $2500 and is a way to measure a person’s aptitude for work as a cybersecurity professional. People who take the exam prior to the career fair can post their scores to their online profile.

To get more information, to register as a participant, or to reserve an employer booth, visit http://www.nationalcybersecuritycareerfair.com/.
Perhaps this will help me interpret student papers.

What’s Your Acronym IQ?

Answers: http://main.makeuseoflimited.netdna-cdn.com/wp-content/uploads/2014/03/acronym-iq-answers.jpg