Friday, May 02, 2014
My Ethical Hackers love it! No one would really be dumb enough to use the default settings, would they?
Popular Remote Management Tool Allows Login Without Authentication
A remote management tool used in some enterprises can be exploited by attackers to remotely connect to a host without needing any passwords, according to a Trustwave researcher.
Many organizations use the NetSupport software to remotely manage and connect to PCs and servers from a central location. These systems normally are set up with either Domain or local credentials, and shouldn't be accessible without the person logging in. However, if the system has NetSupport installed for remote desktop support, it most likely has the default configuration, which allows remote users to connect automatically without authentication, David Kirkpatrick, a principal consultant at Trustwave, wrote in a blog post. The software also leaks detailed information about the device, such as the hostname, version number, and the username.
Another Ethical Hacker perk. Stop and go driving wastes gas, so make certain that you have green lights all the way to your destination!
Security Researcher Explains Ease of Hacking Traffic Control Systems
Hacking critical infrastructure looks extremely easy in movies, but up until now, there was some reassurance that it wasn't as simple as just typing a few keys. A security researcher has uncovered issues in devices that communicate with traffic control systems that make them highly vulnerable to attack.
Anyone could exploit the vulnerabilities to take complete control of these controllers and send fake data to connected traffic control systems, Cesar Cerrudo, CTO of research firm IOActive, wrote in a blog post. According to Cerrudo, the controllers lacked basic security features, such as encrypting communications and authentication, which means attackers could potentially monitor and modify what instructions were being sent to the systems.
"Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware," Cerrudo said.
For my Statistics students. This seems to suggest that 70-75% of customers don't care if their data is stolen. Or perhaps the crooks only use 25-30% of customers' credit cards? It makes no difference to the company; they need to replace those customers.
Data Breaches Can Lead to Customer Drop-Off, Survey Finds
Customer churn can be one of the more painful and unpredictable parts of a data breach, and a new study from Javelin Strategy & Research offers some insight into how serious it can be.
According to a survey of people who had their information exposed in a breach, 33 percent of consumers will shop elsewhere if their retailer of choice is breached. In addition, 30 percent of patients will find new healthcare providers if their hospital/doctor's office is breached, and 25 percent of consumers will switch bank/credit card providers in the aftermath of a breach.
How big an “Oops!” could this have been? Will we see drones launching missiles at the wrong targets? (Oh wait, we've already done that haven't we.)
One of the downsides of all of the new gee-whiz identification technology law enforcement is adopting (usually with hefty federal subsidies) is that it never works quite as well as advertised. The FBI touts facial recognition software as the bad guy-tagging tool of the future, but you have to dig through documents to discover that the feds consider a false positive rate of 20 percent to be perfectly acceptable.
We don't really know what the false positive rate for license plate scanners is, but we do know it has one. At least, Mark Molner, a Prairie Village, Kansas, attorney knows it, because a scanner misread his BMW's license plate as that of a stolen Oldsmobile, and the next thing he knew, cops with guns in hand had him surrounded and wanted to know his business.
It seems this posture will force the use of subpoenas. Less formal requests result in notification. Perhaps another example of corporations changing/replacing government?
Craig Timberg reports that tech companies are finally finding their spine to stand up for and notify users when the government seeks users’ information:
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered.
Read more on Washington Post.
“Clearly, my privacy is more important than your privacy.” Unfortunately, this is the wrong way to go about obtaining privacy. (see The Streisand Effect) Prosecutors should wear Headsman's Hoods when practicing their trade. If the prosecutor succeeds in getting his information locked out, should they also remove the information for the judge, jury, witnesses, court clerks, police officers, jailers, etc., etc.?
Matt Reynolds reports:
Three people-search and background-check websites jeopardize the safety of a state prosecutor by listing his home address and telephone number, the prosecutor claims in court.
California Deputy Attorney General John Doe sued Radaris America and its principal Edgar Lopin, Instant Check Mate, and Inome dba Intelius, in Superior Court.
All three websites allow users to pay a fee to download people’s personal information, including criminal background checks, phone numbers, and court judgments.
Read more on Courthouse News.
Is this argument for the sake of an argument? Could Big Data discriminate? No, people discriminate. Perhaps there should be a law against discrimination. (Oh wait, there is!) Perhaps we should continue to analyze Big Data to determine if there is discrimination.
Tom Simonite reports:
When President Obama spoke in January about reforming U.S. surveillance, he also asked a panel of experts to spend 90 days investigating the potential consequences of the use of technology that falls under the umbrella term “big data.” The 68-page report was published today and repeatedly emphasizes that big data techniques can advance the U.S. economy, government, and public life. But it also spends a lot of time warning of the potential downsides, saying in the introduction that:
“A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace.”
Read more on MIT Technology Review.
Over on The Hill, Kate Tummarello reports:
The White House on Thursday released a sweeping review of “big data” practices that calls for an update to privacy laws.
Officials who conducted the review recommended that Congress enact legislation based on the “Consumer Privacy Bill of Rights” that President Obama first introduced in 2012.
The report also calls for a law to create notification requirements for companies that suffer data breaches and urges an update to a decades-old statute that allows warrantless access to emails.
Read more on The Hill.
(Related?) At last! Someone who realizes my students are terrorists!
Unless you're in the business of defense, you may never have heard of ISS. Intelligent Software Solutions' usual customers for data analysis solutions include the Department of Defense, the National Intelligence Community Agencies, NATO, the United States Coast Guard and other military organizations here in the U.S. and abroad. Its areas of expertise include coming up with systems for command and control, special ops, intelligence, counter-terrorism, homeland security and other disciplines straight from the Spy vs. Spy playbook.
Now it's pondering its prospects for a bright future in higher education. The idea: to apply its complex and sophisticated data integration, data analysis and data visualization environment in helping colleges and universities retain students.
The company, based in Colorado, already works with institutions such as Auburn University in a small business and university technology transition partnership program.
What is this about? Is there some secret underground in Australia planning revolution? If so, shouldn't they be importing something more substantial? Is China now in the “annoying weapons” business? (and where can I get one?)
A weaponized iPhone? Aussie customs seizes fakes that deliver a shock
Australia's customs service on Thursday seized more than 6,000 weapons that arrived in the country from China, including a batch of fake iPhones that deliver electric shocks.
… The device looks similar to an older iPhone. Another photo published by customs showed the shocking mechanism on the top of the phone opposite the headphone jack.
The fake iPhones were among other weapons in the shipment, including brass knuckles, extendable batons and other shock devices, according to a press release.
Is a company a monopoly because a majority of users prefer them or do they actually have to do something like “charge monopoly prices?”
Antitrust lawsuit accuses Google of mobile and Internet search monopoly
More legal mud has been slung against Google, and this time it's an antitrust class action lawsuit over in the US which accuses the big G of holding an illegal monopoly over Internet and mobile search in America.
The suit, which was filed in Northern California by consumer and employee rights law outfit Hagens Berman, claims that this search monopoly has been driven by Google's purchase of Android. The law firm contends that by preloading its services and apps (Google Play and YouTube are named as examples) onto the mobile operating system via "secret" Mobile Application Distribution Agreements with smartphone vendors, Google has maintained (and indeed expanded) its search monopoly.
The suit further notes that this move by Google has pushed up prices for Android devices to the detriment of the consumer.
I shouldn't laugh, but I can't help it.
… The big huge major celebrity-filled edu news this week: comedian Louis CK tweeted in frustration about his kids’ math homework. And really that’s all we need to know: a famous parent questioned standardized testing and the Common Core.
… A Florida elementary school will no longer offer Mountain Dew to students pre-test. If their scores suffer, I hope some Dew-sponsored celebrity intervenes on Twitter. For justice’s sake.
[From the article:
The school had been giving students about three tablespoons of soda before the FCAT.
Officials at Brevard Public schools halted the practice after receiving complaints from a grandmother who was shocked at what her granddaughter said about her assessment test.
"She said every morning, they had Mountain Dew," Martha Thorp told News 13. "To me, it's a poor precedent. We're setting for young children that they should be hyped up before a test."]
… The great LAUSD iPad saga continues: this time WiFi issues in the schools are getting in the way of testing. (Because clearly testing is the reason for buying all those expensive devices.)
… An FDA advisory panel has recommended that, yes, we should ban “aversive conditioning devices” – electric shock treatment still used in schools to manage and discipline students with disabilities.