Friday, September 12, 2014
For my Ethical Hackers. Twice the potential for attacks, but one solution works for both?
Chinese Attack Groups Operate in Parallel in Cyber Espionage Campaigns: FireEye
Researchers at FireEye have discovered two attack campaigns being orchestrated by different groups in separate regions of China that appear to be operating in parallel.
The attack campaigns are focused on different targets. According to a team of FireEye researchers, the first group - which has been named Moafee - appears to operate from the Guangdong Province and is targeting military and government organizations in countries with interests in the South China Sea. This includes targets within the defense industry in the United States.
The second group, known as DragonOK, is focused on high-tech and manufacturing companies in Japan and Taiwan with the likely goal of economic espionage, according to the researchers.
Retailers: you should be paranoid; they are out to get you.
Report Puts PoS Malware Under the Microscope
If you think there has been a rise in point-of-sale malware lately, you are not imagining things.
In a new paper released today, Trend Micro examines the continued growth of point-of-sale (PoS) malware.
… Businesses in the United States have been the biggest targets of PoS malware. According to Trend Micro, roughly 74 percent of PoS malware detections between April and June have been in the U.S.
… The report recommends PoS system operators follow best practices for security, including the use of multitier firewalls to protect networks and restricting access to the Internet on PoS systems.
(Related) Where does “Best Practice” stop and “Excessive” begin?
Alden Abbott writes:
Over the past decade, the Federal Trade Commission, the federal government’s primary consumer protection agency, has pursued over 50 enforcement actions against companies that it deemed had “inadequate” data security practices. However, data security costs due to FTC actions will be passed on at least in part to consumers [Cost per consumer should be negligible. Bob] and should be weighed against the benefits in reduced data breaches. The FTC should carefully consider whether its current policies in this area are cost-beneficial and whether specific reforms would advance the public interest in enhancing data protection in a less burdensome, more welfare-enhancing fashion. The focus should be on punishing data thieves, not on imposing excessive regulatory burdens on legitimate businesses—burdens that could weaken the private sector and impose unwarranted [??? Bob] costs on consumers.
Read more on Heritage Foundation.
A Privacy lesson for my Computer Security class.
Metadata – The Information About Your Information
… What if someone could tell that you were going to have credit problems before you knew? Could they deny your loan or quote you higher interest rates? What if someone knew that you were having medical problems even before you knew? Could they use that to deny you insurance? What if you’ve been talking with someone who DOES have something to hide? Could you get lumped in with them if they get arrested?
… You know the answers to those questions. It’s yes. Now you’re wondering, “How could anyone possibly know that about me without searching through my mail, e-mail, or phone calls? They need a warrant for that!”
You are correct, they do need a warrant. But they don’t need a warrant to get information, or metadata, about your mail, e-mail, or phone calls. You WILL be surprised what someone can tell you about you just from something as seemingly insignificant as who sent you an e-mail, to whom you sent an e-mail, when the e-mails were sent and how many e-mails there are between you and your contact. All that information is available without a warrant.
… If you don’t believe that someone can tell intimate details about you from simple metadata, test it out for yourself. MIT has developed a program called Immersion that, only with your permission, gathers metadata about your e-mail account. The metadata is pretty limited too; there’s more that could be collected.
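An added example, not code from the original post or from MIT's Immersion, of what a profiler can infer from e-mail headers alone. It reads only From/To/Cc/Date lines of a constructed mailbox (the addresses and times are made up) and never touches a subject or body:

```python
# Added example: a contact profile built from e-mail metadata only (no bodies).
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample headers for an imaginary mailbox owned by "me@example.com".
SAMPLE_HEADERS = [
    "From: alice@example.com\nTo: me@example.com\nDate: Mon, 01 Sep 2014 02:14:00 +0000\n",
    "From: me@example.com\nTo: alice@example.com\nDate: Mon, 01 Sep 2014 02:30:00 +0000\n",
    "From: clinic@clinic.example\nTo: me@example.com\nDate: Tue, 02 Sep 2014 09:05:00 +0000\n",
    "From: me@example.com\nTo: clinic@clinic.example\nCc: alice@example.com\n"
    "Date: Tue, 02 Sep 2014 09:40:00 +0000\n",
    "From: alice@example.com\nTo: me@example.com\nDate: Wed, 03 Sep 2014 01:55:00 +0000\n",
    "From: lender@bank.example\nTo: me@example.com\nDate: Thu, 04 Sep 2014 15:00:00 +0000\n",
]

def profile(raw_messages, owner):
    """Count who, with whom, when and how often, using header fields only."""
    contacts = Counter()          # messages exchanged per correspondent
    links = defaultdict(set)      # correspondents that appear on the same message
    hours = defaultdict(Counter)  # hour-of-day histogram per correspondent
    for raw in raw_messages:
        msg = message_from_string(raw)
        fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
        people = {addr.lower() for _, addr in getaddresses(fields)}
        others = people - {owner}
        hour = parsedate_to_datetime(msg["Date"]).hour
        for person in others:
            contacts[person] += 1
            hours[person][hour] += 1
            links[person].update(others - {person})
    return contacts, links, hours

def inferences(contacts, links, hours):
    """Turn the raw counts into the statements a data broker would draw from them."""
    top, _ = contacts.most_common(1)[0]
    return {
        "closest_contact": top,
        # late-night traffic (before 06:00) with the closest contact
        "night_messages_with_closest": sum(n for h, n in hours[top].items() if h < 6),
        # a clinic and a lender in the list already hint at health and credit
        "domains_contacted": sorted({p.split("@")[1] for p in contacts}),
        # Cc lines reveal which of your contacts know each other
        "knows_each_other": {p: sorted(l) for p, l in links.items() if l},
    }

if __name__ == "__main__":
    print(inferences(*profile(SAMPLE_HEADERS, "me@example.com")))
```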
I don't think these are related, other than by an “everyone is doing it” meme. What can Mom & Dad do to prevent it?
Jim Holt reports:
Two Saugus High School students were arrested for posting “inappropriate photos” on social media, a spokeswoman for the William S. Hart Union School District said Thursday.
The ages and identities of the suspects arrested Wednesday were not disclosed, said district spokeswoman Gail Pinsker, citing student privacy laws.
Sheriff’s Special Victims Bureau detectives have investigated reports about Santa Clarita Valley teens posting nude photographs of each other on social media since July.
In mid-July, Hudson said some Santa Clarita Valley teens were identified in nude photographs posted on a Twitter account. The investigation centered around a Twitter account called SCV Purge.
Read more on SIGNALscv.com.
[From the article:
“Anytime we have pictures of children that are nude, it’s child porn,” Hudson said. [Really? Bob]
Evan Lambert reports:
Two teens were cited for sexting after police said they shared a nude photo of a girl while in class at West Port High School in Marion County.
The boys, 14 and 15, were cited under Florida’s sexting statute, which makes a first-time offense a civil infraction and not a crime for minors.
Read more on ClickOrlando.
The girl whose picture was involved reportedly told police that it had been edited via Photoshop. So what are the police doing about the fact that a minor’s nude photo was on Instagram, edited? Is this harassment or “revenge porn?” Is this child porn?
And is 8 hours of community service really a deterrent compared to teenage curiosity and hormones?
I’m glad that children’s lives won’t be ruined by criminal charges on their records for somewhat normal teen curiosity/behavior, but is this approach likely to be effective? I tend to doubt it.
[From the article:
The boys, 14 and 15, were cited under Florida's sexting statute, which makes a first-time offense a civil infraction and not a crime for minors.
… The first teen was cited for possessing and distributing the nude photo, while the second was cited for distributing it. Police said since the photo was sent to his mother's phone he wasn't charged with possession.
I can't wait for the government to take over health care records and make it absolutely impossible for this to happen. (Yes, that was sarcasm.) I should have my Computer Security students read this.
If you read only one thing today, read this.
Shannon Pettypiece and Jordan Robertson report:
Dan Abate doesn’t have diabetes nor is he aware of any obvious link to the disease. Try telling that to data miners.
The 42-year-old information technology worker’s name recently showed up in a database of millions of people with “diabetes interest” sold by Acxiom Corp. (ACXM), one of the world’s biggest data brokers. One buyer, data reseller Exact Data, posted Abate’s name and address online, along with 100 others, under the header Sample Diabetes Mailing List. It’s just one of hundreds of medical databases up for sale to marketers.
Read more on Bloomberg.
Should be interesting. My first reaction was that the answer would be along the lines of: “Hey, I'm not in buying mode.” That may be a bit simplistic. I hope they release the results.
Facebook wants your feedback about ads it delivers. So that it can deliver more ads
Facebook wants users to weigh in on the ads shown on their news feeds, which is why the social network has rolled out a new tool that lets users provide specific feedback on why they hide ads.
The tool builds upon an earlier feature that allows Facebook users to hide specific ads on their news feeds. But with more than 1.5 million advertisers on Facebook's advertising network, it is important for the social network to come up with more ways to let them deliver more relevant ads to users. Thus, it came up with a new feedback-generating tool that prompts users to choose from a list of reasons why they opted to hide a certain ad.
(Related) Interesting question? Could be viewed as a “psych profile.” Would that make it a medical record?
Éloïse Gratton writes:
The Economist published a great piece on behavioral advertising today: “Getting to know you: Everything people do online is avidly followed by advertisers and third-party trackers”. The article discusses the fact that gathering information about users and grouping them into sellable “segments” has become important for the $120 billion online advertising economy.
The article raises an interesting point: industry players often take the position that since they do not know the users’ names, what they are collecting is not in fact “personal information”. They identify users by numbers, and build up detailed profiles about them. In Canada, the Office of the Privacy Commissioner has closed the door on the issue in its 2012 Policy Position on Online Behavioural Advertising and usually considers profiles created for behavioral marketing as “personal information”:
Read more on Éloïse Gratton.
1500 pages doesn't sound like much in a world of billions of searches per day...
Yahoo Faced Big U.S. Fines Over User Data
A secret legal battle between the U.S. government and Yahoo Inc. over requests for customer data became so acrimonious in 2008 that the government wanted to charge the Internet company $250,000 a day if it didn't comply.
Yahoo made the threat public Thursday after a special federal court unsealed 1,500 pages of legal documents from a once-classified court battle over the scope of National Security Agency surveillance programs. The documents shed new light on tensions between American technology companies and the intelligence community long before former NSA contractor Edward Snowden began leaking in 2013.
… Court documents don't reveal exactly what the government wanted from Yahoo. In one brief, Yahoo states the main issue of the case is whether the Constitution protects the communications of U.S. citizens or legal residents believed to be outside the U.S.
I always ask, “What strategy would you adopt for intelligence?” If the response is a variation of “Gentlemen do not read another gentleman's mail,” I label them idiots and stop listening.
Glyn Moody writes:
Although the scale of the surveillance being carried out by the NSA and GCHQ is daunting, digital rights groups are starting to fight back using the various legal options available to them. That’s particularly the case for the UK, where activists are trying to penetrate the obsessive secrecy that surrounds GCHQ’s spying activities. Back in December, we wrote about three groups bringing an action against GCHQ in the European Court of Human Rights (ECHR), and how Amnesty International is using the UK’s Investigatory Powers Tribunal (IPT) to challenge the spying.
Another organization that filed a complaint against the UK government at the IPT is Privacy International. But not content with that, it has now taken further legal action, this time in order to obtain information about GCHQ’s role in the “Five Eyes” system, the global surveillance club made up of the US, UK, Canada, Australia and New Zealand:
Read more on TechDirt.
For my students. New features create a need for new Apps.
The Next Great Gold Rush: Apps and Accessories for the Apple Watch
Every time Apple modifies a connector, changes a form factor, or launches a new gadget, it impacts countless companies. There’s a robust third-party market for anything and everything that attaches to or wraps around the iPhone, one that’s constantly adapting to the evolving shapes, sizes, and specs of new handsets.
Now that the Apple Watch is official, we’re going to see an entirely new frontier of accessories and apps.
It’s fitting that even as Apple announced the Watch, it killed the iPod Classic. The iPod was the device that created the initial wave of third-party iAccessories, from alarm clocks to speaker docks and, of course, protective cases.
… Sure, it has Siri and heart rate and motion sensors. And a really cool UI. But it doesn’t have a camera, it doesn’t have a headphone jack and there aren’t any connectivity options. In fact, beyond its magnetic induction-charging surface, it doesn’t appear to have any physical I/O ports at all.
… But the main appeal of the Apple Watch likely will come through its built-in accelerometer and bite-sized third-party apps. Though the watch will have its own suite of fitness apps, Apple will share workout data with other apps. The accelerometer will be used to do more than track fitness, too: Apple hinted you’ll be able to control the Apple TV with it. Down the line, that kind of wrist-mounted motion sensor might be used for everything from Leap Motion-like iPad or Mac navigation to a means of moving through Oculus Rift games.
(Related) How popular is the new iPhone?
Hit for 6: iPhone 6 pre-order demand crashes networks
… At the time of writing, Vodafone's is the only network with a working pre-order page. O2's online shop is down under the demand for the new phone, while EE's entire website is offline. EE has yet to confirm whether that's a result of increased traffic from customers interested in buying the iPhone from the network with the widest 4G coverage.
Meanwhile Three will open pre-orders this afternoon. Virgin Mobile is also selling the new phones, but pre-orders aren't open yet and no expected time has been given.
(Related) If you can only make “millions,” lots of companies won't be interested.
Jasper Hamill reports:
Tech firms are set to experience a biometric bonanza – as long as they can persuade ordinary folk to give up worrying about their privacy.
That’s the claim in a briefing note from “growth consulting firm” Frost & Sullivan, which suggested the number of smartphones equipped with biometric gubbins will soar from 43 million to 471 million by 2017.
This, according to the beancounters, means the biometric revenue from smart phones will soar from $53.6m in 2313 to $396.2m in 2019, amounting to an annual growth rate of 39.6 per cent.
Read more on The Register.
Another great talk for my Statistics class.
Hans and Ola Rosling: How not to be ignorant about the world
If the iPad can do this, imagine what the iPhone6 can do! (Yes, I am easily amused.)
iPad Magician Blows Kids’ Minds With LEGO
Also amusing, but much geekier.
Bach’s Music on a Moebius Strip