Wednesday, July 16, 2014
Local: Another “we don't need no stinking encryption” breach. Also note that one of the first things we teach our Computer Security students is how to bypass “password protection.” (Who writes these headlines? Did the laptop really cause the breach?)
Stolen laptop causes security breach for DougCo schools
… The district sent a letter to all of its employees recently stating the stolen computer contained some workers' Social Security numbers and bank account information.
The district said the computer was password protected but were notifying employees out of an "abundance of caution."
(Related) One of many, many encryption options.
Bring-Your-Own-Encryption: Is It the Right Choice for Your Enterprise?
Following the recent issues surrounding encryption and encryption tools, some organizations are turning to Bring-Your-Own-Encryption (BYOE), but experts warn that there are some aspects that need to be taken into consideration before making the move.
To learn more about the advantages, disadvantages and the challenges posed by BYOE, SecurityWeek reached out to several experts in the field.
BYOE is a cloud computing security model that enables organizations [NOT individuals. Bob] to use their own encryption software and manage their own encryption keys. This is done by deploying a virtualized instance of the encryption software alongside applications hosted in the cloud to securely encrypt data.
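What "manage their own encryption keys" looks like in practice is envelope encryption: the organization encrypts each object under a fresh data key and wraps that data key under a key-encryption key (KEK) it alone holds, so the cloud provider stores only opaque envelopes. It is also the property the DougCo laptop above lacked: an OS password gates the login screen, while data encrypted under a key the owner holds stays unreadable wherever the drive ends up. The following Go program is an added illustration written for this post, not code from SecurityWeek or any BYOE vendor; the `CloudStore` map, the object ID `hr/payroll.csv` and the fixed 32-byte KEK are constructed stand-ins (a real deployment would draw the KEK from the tenant's HSM or key manager).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the cloud provider ever stores: the object encrypted under a
// per-object data key (DEK), plus that DEK wrapped under the tenant's own
// key-encryption key (KEK). The KEK itself never leaves the tenant.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with AES-GCM under the KEK
	DEKNonce   []byte
	Ciphertext []byte // object sealed with AES-GCM under the DEK
	DataNonce  []byte
}

// CloudStore stands in for the provider's object storage: envelopes only,
// no key material. (Constructed stand-in, not a real cloud API.)
type CloudStore map[string]Envelope

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted, so the ciphertext is bound to it.
func sealAEAD(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openAEAD(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the tenant side (the "virtualized instance of the
// encryption software"). objectID is used as associated data so an envelope
// cannot be silently moved onto a different object name.
func Encrypt(kek, plaintext []byte, objectID string) (Envelope, error) {
	dek := make([]byte, 32) // AES-256 data key, unique per object
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	dataNonce, ct, err := sealAEAD(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	dekNonce, wrapped, err := sealAEAD(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt also runs on the tenant side; without the KEK the envelope is
// useless to the provider or to anyone who copies the bucket.
func Decrypt(kek []byte, env Envelope, objectID string) ([]byte, error) {
	dek, err := openAEAD(kek, env.DEKNonce, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong object ID, or tampered envelope")
	}
	return openAEAD(dek, env.DataNonce, env.Ciphertext, []byte(objectID))
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed demo KEK; in practice from the tenant's HSM/KMS
	store := CloudStore{}
	env, err := Encrypt(kek, []byte("employee=jdoe;ssn=000-00-0000"), "hr/payroll.csv")
	if err != nil {
		panic(err)
	}
	store["hr/payroll.csv"] = env

	// What the provider holds is opaque: the SSN is not visible in the envelope.
	fmt.Println("plaintext visible in stored object:", bytes.Contains(env.Ciphertext, []byte("000-00")))

	pt, err := Decrypt(kek, store["hr/payroll.csv"], "hr/payroll.csv")
	fmt.Printf("tenant with KEK: %q err=%v\n", pt, err)

	_, err = Decrypt(bytes.Repeat([]byte{0x99}, 32), store["hr/payroll.csv"], "hr/payroll.csv")
	fmt.Println("anyone without the KEK:", err)
}
```

Two design points carry the BYOE argument: the provider's copy contains neither plaintext nor a usable key, and revoking the tenant's KEK (or simply never handing it over) renders every stored envelope unreadable without touching the objects themselves. Binding the object ID as associated data is the cheap extra check that stops a stored envelope from being replayed under another name.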
Did you think you were immune?
1 in 6 Say Their Organization Had At Least 5 Significant Security Incidents in Past Year: Survey
A new report from ForeScout Technologies described a challenging world for IT security - one where one in six IT pros say their organization has had five or more significant security incidents in the past year.
The research, titled the '2014 Cyber Defense Maturity Report', was conducted by IDG Connect and features responses from 1,600 IT information security decision makers in organizations with more than 500 employees across five industries in the U.S. and Europe.
… Ninety-six percent of the 1,600 respondents said their organizations had at least one significant security event in the last 12 months, while 39 percent said there had been two or more. Though the majority of those surveyed said they were aware that some of their security measures were immature or ineffective, just 33 percent had high confidence their organizations would improve those controls.
"The top five sources of compromise recorded by survey respondents were phishing attacks, compliance policy violations, unsanctioned device use, unsanctioned application use and [unauthorized] data access, with as much as 25 percent of organizations across all vertical sectors experiencing five or more instances of phishing specifically in the past 12 months," according to the report (PDF).
This should be obvious. Apparently, it isn't.
Why Prompt Breach Notification Is Important
… According to a 2014 Identity Fraud Report by Javelin, nearly 1 out of 3 data breach victims in 2013 suffered identity fraud, compared with 1 in 9 in 2010. Obviously the connection between data breaches and fraud is growing. But the good news is that consumer awareness of breaches – and the potential for fraud on their accounts – is on the rise, too. This is probably because so many people have been notified one or more times about their personal data being compromised.
But notification is a good thing because it often prompts consumers to sign up for email or mobile alerts about their credit or checking accounts or to put fraud alerts on their credit reports. This makes data breach victims 15% less likely to suffer multiple fraud events compared with all fraud victims (i.e., the fraud doesn’t necessarily stem from a breach).
Tools & Techniques. Security for every small business. Something like this might work for lawyer-client communication... Just thinking...
Wireless Live CD Alternative: ZeusGard
I’ve long recommended that small business owners and others concerned about malware-driven bank account takeovers consider adopting a “Live CD” solution, which is a free and relatively easy way of temporarily converting your Windows PC into a Linux operating system. The trouble with many of these Live CD solutions is that they require a CD player (something many laptops no longer have) — but more importantly – they don’t play well with wireless access. Today’s post looks at an alternative that addresses both of these issues.
… The device I’ll be looking at today is not free, nor is the tiny dongle that enables its ability to be used on a wireless network.
… The device, called ZeusGard, is a small, silver USB flash drive that boots into a usable browser within about 30 seconds after starting the machine. The non-writeable drive boots directly into the browser (on top of Debian Linux), and if your system is hard-wired to your router with an Ethernet connection, you should be good to go.
… At $24.95 for the basic ZeusGard and $14.95 for the wireless adapter, this device is likely to be more appealing to small businesses than the average Internet user.
Self-surveillance – 'cause you don't know where you've been?
– automatically records any walking, cycling, and running you do. You can view the distance, duration, steps, and calories burned for each activity. The app is always on, so there’s no need to start and stop it. Just keep your phone in your pocket or your bag. The app consumes battery power, so nightly charging is recommended.
– With visits you can browse your location histories and explore your trips and travels. The unique map timeline visualization shows the places you have visited and how long you have stayed there. Add photos from Flickr to your visits and share your journey with your family and friends. Visits works with geo-tagged Flickr albums, data from Openpaths and Google Location Histories.
The “Right to be Forgotten” falls on hard times. I told you there would be a market for this service.
What Has Been Hidden From Google?
Hidden From Google is a new effort to track search results being hidden from Google as a result of the “right to be forgotten.” There are currently only a handful of examples of articles that have disappeared from Google search results, but Afaq Tariq, who created Hidden From Google, is asking for more tip-offs from eagle-eyed users.
As a rather fitting irony, the original articles are once again appearing in search results as a consequence of appearing on Hidden From Google. And people’s attentions are more likely to be drawn to them now than they were previously. The Streisand Effect strikes yet again.
One of those, “what's going on here” moments. Strangely, it looks like Western Union (and other “currency exchanges?”) sell the city stickers.
Clerk’s Office Extends Deadline For City Stickers After Outages
… Major outages with the city’s computer system led to long delays at currency exchanges throughout the city as Chicagoans raced to meet the original deadline of midnight Tuesday.
Another reason to move my students into the Cloud. (Does this mean Amazon gets to arm their drones?)
The partnership between the CIA and Amazon will revolutionize intelligence
The intelligence community is about to get the equivalent of an adrenaline shot to the chest. This summer, a $600 million computing cloud developed by Amazon Web Services for the Central Intelligence Agency over the past year will begin servicing all 17 agencies that make up the intelligence community. If the technology plays out as officials envision, it will usher in a new era of cooperation and coordination, allowing agencies to share information and services much more easily and avoid the kind of intelligence gaps that preceded the Sept. 11, 2001, terrorist attacks.
… For the risk-averse intelligence community, the decision to go with a commercial cloud vendor is a radical departure from business as usual.
Another opportunity for my Ethical Hackers.
Google On Quest To Hire Elite Zero-Day Hackers
… On Tuesday Google said it would create a new, “well-staffed” security team called Project Zero with the objective to significantly reduce the number of people harmed by targeted attacks.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Chris Evans, Researcher Herder at Google wrote in a blog post Tuesday. “Yet in sophisticated attacks, we see the use of “zero-day” vulnerabilities to target, for example, human rights activists or to conduct industrial espionage.”
This needs to stop, Evans said.
… Under Project Zero, Google says it will be committed to transparency, explaining that every bug they find will be entered in an external database.
– is described as a “browser for the HTML5 era”. Everything in the browser is a module, a web-app running in its own process. Construct your own browsing experience by selecting the right modules for you. The entire technological stack is open-source. Modify existing modules and create your own to extend the behavior of Breach.
Al may be Weird, but he's also a genius.
Weird Al Details ‘Word Crimes’
Weird Al’s latest song, Word Crimes, tackles the tricky subject of bad grammar, particularly on the Internet. Word Crimes is a cover of Blurred Lines by Robin Thicke, but the original misogynistic lyrics have been replaced by examples of common grammatical errors.
As a grammar Nazi who has previously argued that typos need to be eradicated, I love Weird Al for writing this song. Let’s just hope people take notice of Word Crimes and stop making the ridiculous mistakes he rallies against.