Thursday, March 20, 2014
So hackers now have an “off the shelf” Advanced Persistent Threat tool? We're all doomed! (We can't even agree on an APT definition.)
Target's Data Breach: The Commercialization of APT
Target's breach should mark the watershed line of the enterprise's security. Not just because of the immense volumes of stolen data (40M credit card details), or the financial damage that Target may be subject to (Target reported 61M in costs related to the breach through February 1st), but because of the APT techniques used in that process by non-state-backed hackers on a strictly commercial target (pardon the pun). The attack should serve as a wakeup call for enterprises: enterprises should consider themselves targets of APT-like campaigns and prepare their defense accordingly.
Warning! (And I get lots of student links)
New Phishing Scam Uses Scarily Accurate Google Login Page
… Here’s how it worked: victims got emails with the subject line “Documents.” The email itself contained what looked to be a link to a Google Doc – complete with an actual “Google.com” domain – and pointed users to what looked like a legitimate Google login screen.
It’s not uncommon for users to need to sign in before seeing a Google Doc, so many dutifully typed their passwords. They were re-directed to an actual Google Doc, but their username and password weren’t used by Google: criminals recorded them instead.
Google claims all such pages have since been taken down, but it’s still worth being vigilant. Don’t click links to Google Docs if you’re not sure of the sender. If you must, check that you’re logged into Google Docs before clicking through the link.
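The scam above defeats the usual "check the domain in the address bar" advice, because the page really was served from a Google.com host. A check that still works is to look at where a login form sends the credentials: the real Google sign-in posts to accounts.google.com, while a harvesting page posts (or redirects) somewhere else. The following script is an added example written for this post, not code from the article or from Google; the allowlist of legitimate sign-in hosts and the two sample pages are constructed for illustration.

```python
"""Flag password forms whose submit destination is not an expected sign-in host.

Added example, not from the original article. ALLOWED_LOGIN_HOSTS and the two
sample pages are assumptions made for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts legitimately allowed to receive Google account credentials.
# (Assumption for this example; a real deployment keeps its own list.)
ALLOWED_LOGIN_HOSTS = {"accounts.google.com"}


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host_allowed(host, allowed):
    """True if host is an allowed host or a subdomain of one.

    A lookalike such as accounts.google.com.evil.example does not match,
    because the comparison is anchored at the end of the name.
    """
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_suspicious_login_forms(page_url, html, allowed=ALLOWED_LOGIN_HOSTS):
    """Return absolute submit URLs of password forms in `html` (served from
    `page_url`) whose destination host is outside `allowed`."""
    parser = _FormCollector()
    parser.feed(html)
    suspicious = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits to the page's own URL and a relative or
        # scheme-relative one is resolved against it, exactly as a browser does.
        target = urljoin(page_url, form["action"])
        host = urlsplit(target).hostname or ""
        if not _host_allowed(host, allowed):
            suspicious.append(target)
    return suspicious


# Constructed sample pages (not real phishing content).
LEGIT_PAGE = """
<html><body>
<form method="post" action="https://accounts.google.com/signin/challenge">
  <input name="Email"><input name="Passwd" type="password">
</form></body></html>
"""

# Looks like a Google login page and may even be served from a google.com
# host, but the credentials go to a third-party collector.
PHISH_PAGE = """
<html><body>
<form method="post" action="//collector.example.net/log.php">
  <input name="Email"><input name="Passwd" type="password">
</form></body></html>
"""

if __name__ == "__main__":
    print(find_suspicious_login_forms("https://accounts.google.com/ServiceLogin", LEGIT_PAGE))
    print(find_suspicious_login_forms("https://docs.google.com/some/shared/page", PHISH_PAGE))
```

Note that a password form with an empty action on a docs.google.com or drive.google.com page is also flagged, since those hosts are not where Google collects passwords; that is the case the article describes. The check says nothing about JavaScript that exfiltrates keystrokes before submission, so it is a triage filter, not proof that a page is safe.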
Could the NSA use this technology to silence critics? (Yes, that's an attempt at humor.)
Google won't face email privacy class action
Google Inc won a significant legal victory as a U.S. judge decided not to combine several lawsuits that accused the Internet search company of violating the privacy rights of hundreds of millions of email users into a single class action.
In a Tuesday evening decision, U.S. District Judge Lucy Koh in San Jose, California, said the claims, including those on behalf of users of Google's popular Gmail service, were too dissimilar to be grouped together. She also said the plaintiffs cannot pursue their broad-based class action again.
… Gmail users accused Google of violating federal and state privacy and wiretapping laws by scanning their messages so it could compile secret account profiles and target advertising.
Claims were also raised on behalf of students at schools that use Gmail, and people who do not use Gmail but communicate by email with people who do.
Google has said its software simply looks for keywords that can lead to the tailored advertisements.
(Related) Perhaps more laws?
From the ACLU of Northern California:
Imagine the government is constantly monitoring you: keeping track of every person you email or meet, every place you go, every item you buy, and more. And when you challenge them, they claim you have no right to expect this kind of information to be private, so they can collect as much of it as they want, even without a search warrant. Besides, they’re not actually listening to your calls or reading your email, so what’s the big deal anyhow?
Unfortunately, this scenario is more real than imaginary. The NSA, local police, and others have taken advantage of uncertain legal protections for metadata (descriptive information about our communications and activities) to sweep up vast amounts of data about innocent Americans without a warrant. And new technology is demonstrating just how sensitive metadata can be: how friend lists can reveal a person’s sexual orientation, purchase histories can identify a pregnancy before any visible signs, and location information can expose individuals to harassment for unpopular political views or even theft and physical harm.
Our new policy paper, Metadata: Piecing Together a Privacy Solution, examines how outdated laws and new technologies combine to put personal privacy at risk—and highlights efforts to change that. Lawmakers and the Supreme Court both have begun to recognize the sensitivity of metadata and the need to upgrade its privacy protections. This paper proposes a way forward to ensure that sensitive data of any type gets the protection it deserves.
Download a pdf of Metadata: Piecing Together a Privacy Solution.
One of those “Best Practices” that become quite obvious after the breach.
Improving Security via Proper Network Segmentation
Recent headlines around data breaches have highlighted a common security mishap – improper network segmentation.
Let’s face it, there is no such thing as being 100% secure. If an attacker really wants to get into your network, they will find a way. So you don’t want a single point of failure. Once unauthorized access is gained, network segmentation or “zoning” can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.
… Standards such as PCI-DSS provide guidance on creating clear separation of data within the network – in the case of PCI, cardholder data should be isolated from the rest of the network, which contains less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. [Hear that, Target? Bob]
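The guidance above is easy to state and hard to keep true as firewall rules accumulate. One way to make it checkable is to write the zoning policy down as data (which zone-to-zone flows may ever exist) and audit every allow rule against it, so that a rule letting a third-party subnet reach the PoS network, or an "any" source reach the cardholder database, is reported before an auditor or an attacker finds it. The following is an added example written for this post, not code from the article or from any PCI standard; the zone ranges, the permitted flows and the sample rules are constructed for illustration.

```python
"""Audit firewall allow rules against a network zoning policy.

Added example, not from the original article. The zones, permitted flows and
sample rules below are constructed for illustration.
"""
import ipaddress

# Zones (assumption: disjoint RFC 1918 ranges chosen for the example).
ZONES = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "third_party": ipaddress.ip_network("10.20.0.0/16"),   # vendor / contractor access
    "pos":         ipaddress.ip_network("10.30.0.0/16"),   # point-of-sale terminals
    "pos_db":      ipaddress.ip_network("10.31.0.0/24"),   # cardholder database
}

# Policy: the only zone-to-zone flows that may ever be allowed. Traffic inside a
# single zone is not the firewall's concern here; everything else is forbidden
# no matter what the rule base says.
PERMITTED_FLOWS = {
    ("corporate", "pos"),
    ("pos", "pos_db"),
}


def zones_touched(cidr):
    """Names of every zone that overlaps `cidr`.

    A rule written as 'any' (0.0.0.0/0) overlaps all zones, which is how
    over-broad rules surface. Address space outside every zone is reported
    as 'unzoned' so that flows from unmanaged ranges are not silently ignored.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    names = sorted(name for name, zone in ZONES.items() if net.overlaps(zone))
    return names or ["unzoned"]


def audit_rules(rules, permitted=PERMITTED_FLOWS):
    """Return (rule id, source zone, destination zone) for every allow rule
    that permits a cross-zone flow the policy does not list.

    Each allow rule is judged on its own, ignoring earlier deny rules; that is
    deliberately conservative, since a deny that happens to shadow a bad allow
    today may be reordered tomorrow.
    """
    findings = []
    for rule in rules:
        if rule.get("action", "allow") != "allow":
            continue
        for src in zones_touched(rule["src"]):
            for dst in zones_touched(rule["dst"]):
                if src != dst and (src, dst) not in permitted:
                    findings.append((rule["id"], src, dst))
    return findings


# Constructed sample rule base: each entry is one 'allow' rule.
SAMPLE_RULES = [
    {"id": "r1", "src": "10.10.0.0/16",  "dst": "10.30.0.0/16", "dport": 443},   # corporate -> pos, permitted
    {"id": "r2", "src": "10.20.5.0/24",  "dst": "10.30.0.0/16", "dport": 3389},  # vendor subnet -> pos: violation
    {"id": "r3", "src": "0.0.0.0/0",     "dst": "10.31.0.0/24", "dport": 1433},  # any -> cardholder DB: over-broad
    {"id": "r4", "src": "10.30.0.0/16",  "dst": "10.31.0.0/24", "dport": 1433},  # pos -> pos_db, permitted
    {"id": "r5", "src": "192.168.1.0/24", "dst": "10.31.0.0/24", "dport": 22},   # unzoned range -> cardholder DB
]

if __name__ == "__main__":
    for rule_id, src, dst in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {src} -> {dst} is not a permitted flow")
```

Run as-is, the audit reports r2 (third_party to pos), r3 twice (corporate and third_party to pos_db, because "any" overlaps every zone) and r5 (unzoned to pos_db); r1 and r4 are clean. Feeding it an export of a real rule base is a matter of mapping that export onto the `src`/`dst`/`dport` fields.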
It gets back to this question: “Do we buy or rent our phones?”
Is It Illegal To Root Your Android or Jailbreak Your iPhone?
Probably a wise move. We're still in the “expand the user base” phase. However, “In Country” storage may become a premium service.
Brazil to drop requirement that Internet firms store data locally
Brazil’s lawmakers have agreed to withdraw a provision in a proposed Internet law, which would have required foreign Internet companies to host data of Brazilians in the country.
The provision was backed by the government in the wake of reports last year of spying by the U.S. National Security Agency, including on communications by the country’s President Dilma Rousseff.
The legislation, known as the “Marco Civil da Internet,” will be modified to remove the requirement for foreign companies to hold data in data centers in Brazil, according to a report on a website of the Brazilian parliament.
What does Google get out of this? Will their logo be on every search? Probably. Best reward may be increasing influence in all areas of government. (They already have ears in the White House.)
White House Launches Climate Data Initiative
by Sabrina I. Pacifici on March 19, 2014
News release: “…we are launching the Climate Data Initiative, an ambitious new effort bringing together extensive open government data and design competitions with commitments from the private and philanthropic sectors to develop data-driven planning and resilience tools for local communities. This effort will help give communities across America the information and tools they need to plan for current and future climate impacts… For example, Esri, the company that produces the ArcGIS software used by thousands of city and regional planning experts, will be partnering with 12 cities across the country to create free and open “maps and apps” to help state and local governments plan for climate change impacts. Google will donate one petabyte—that’s 1,000 terabytes—of cloud storage for climate data, as well as 50 million hours of high-performance computing with the Google Earth Engine platform. The company is challenging the global innovation community to build a high-resolution global terrain model to help communities build resilience to anticipated climate impacts in decades to come. And the World Bank will release a new field guide for the Open Data for Resilience Initiative, which is working in more than 20 countries to map millions of buildings and urban infrastructure.”
Cable is out, Internet TV is in?
Fewer viewers paying for wider menu of cable channels
The number of Americans who pay for TV through cable, satellite or fiber services fell by more than 250,000 in 2013, the first full-year decline, according to research firm SNL Kagan.
… The decline is small so far. Video subscribers across the entire pay-TV industry, which includes Comcast, DirecTV and Verizon, dropped by 251,000 last year to about 100 million,
A Blog can be about anything that interests you. Perhaps my Criminal Justice students would like to cover Denver?
I have one spiritual ritual in my life: every morning I check the Los Angeles Times' Homicide Report blog to learn who was killed in Los Angeles County while I slept.
The Homicide Report addresses two questions every newspaper covering a major metropolis should answer: who was killed last night, and why?
… The Homicide Report is anchored by a single reporter, Nicole Santa Cruz, an Arizona-born Latina, with glasses, pretty Etsy jewelry and a sweet voice. Nicole makes a round of phone calls every morning to the coroner, the LAPD, and the sheriff’s department to find out who died last night. In the weeks and months that follow she attempts to answer the question ‘why?’
Mainly for my Computer Security students, but it is the first Virtual Job Fair that looked like more than a gimmick.
National Cybersecurity Career Fair in June Will Connect Employers to Entry Level Cybersecurity Workers
… Coming up this June 18 and 19, 2014, Cyber Aces is presenting the first National Cybersecurity Career Fair (NCCF). NCCF is an innovative virtual meeting place for the top cybersecurity employers and cybersecurity jobseekers in the United States.
… The virtual job fair takes place June 18 and 19. Job seekers can register to participate for free at http://www.nationalcybersecuritycareerfair.com/. Once they register, they can fill out a personal profile and upload a resume.
Companies looking to recruit entry- or mid-level workers also can visit http://www.nationalcybersecuritycareerfair.com/ to reserve “booth” space.
Though the career fair spans two days, people can come and go for the activities they prefer to attend. The main page of the website will direct participants into a networking lounge. From there they can look at a national job board, apply for jobs, and check the schedule for employer web and video chats. Employer participants have their own booth where they can meet virtually with candidates for employment, show videos about the company, and post materials specific to the organization or their available jobs.
As a special incentive to get people to participate in the NCCF, SANS Institute is giving each job candidate the opportunity to stand out by taking the SANS Cyber Talent exam for free. This exam usually costs $2500 and is a way to measure a person’s aptitude for work as a cybersecurity professional. People who take the exam prior to the career fair can post their scores to their online profile.
To get more information, to register as a participant, or to reserve an employer booth, visit http://www.nationalcybersecuritycareerfair.com/.
Perhaps this will help me interpret student papers.
What’s Your Acronym IQ?