Wednesday, October 15, 2014
For my Ethical Hackers. I repeat, technically sophisticated hacks are fun, but the real money is in the huge volume of simple, low skill hacks that are available. (Note that management should be a bit concerned with their Security manager if they hear things like this.)
Byron Acohido reports:
Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.
Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.
Seely has been on a one-man campaign to notify organizations, and a few have listened to him.
Read more on Credit.com
[From the article:
“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”]
(Related) Not hearing about security weaknesses is even worse. (Not to mention, pretending to not hear)
Did MCCCD leadership shut their eyes to a database security assessment for plausible deniability in litigation?
A former Maricopa County Community College District employee alleges executive leadership closed their eyes to a report on their database security conducted after their massive data breach in 2013 so they would have plausible deniability in any litigation. As a result, the employee alleges, the findings were never shared with those tasked with securing MCCCD’s data assets.
In November 2013, Maricopa County Community College District (MCCCD) disclosed that they had been informed by the FBI that 14 databases with personal information had been found up for sale on the Internet. The potential compromise of 2.5 million students’, employees’ and vendors’ personal and financial information currently stands as the largest breach ever in the education sector.
As part of its continuing investigation into that breach, DataBreaches.net recently disclosed parts of a report issued by Stach & Liu in 2011 after an earlier hacking incident. Failure to properly remediate that breach had been cited as a factor in the 2013 breach. Of special relevance now, MCCCD’s external counsel had asserted that MCCCD administration at the highest levels never even knew of the report’s existence until after the 2013 breach. [Apparently they don't read the local newspaper or watch local TV news. Bob] Their claim was disputed by former employee Earl Monsour, who stated he had delivered the report to the Vice Chancellor for ITS.
[I suggest you read the full article! Bob]
Is this because they have crazy people just across the border?
Cho Mu-hyun reports:
The shocking figure of over 106 million privacy breaches was unveiled by a report of data leaks between 2010 to 2014 filed by the Korea Communication Commission (KCC) to the National Assembly during the yearly government audit of ministries.
The figure means that each person has, on average, had his or her personal information leaked 2.1 times during the past four years in a country with a population of 50 million.
Read more on ZDNet.
For my Computer Security students. Should I add this to my “Stalker's Toolbox?”
How Anyone Can Find Your Personal Details Via Twitter With Tinfoleak
… There’s a free script called Tinfoleak which can pull an alarming amount of information about any Twitter user based simply on their profile and their tweets. Let me show you how it works.
Take that, Steve Jobs! (Could I follow this business model here in the US?)
… Xiaomi, the four-year-old Chinese smartphone manufacturer, has found just such a sweet spot, and as a result is taking the smartphone industry by a storm. Pundits claim that Xiaomi is just a Chinese copycat of Apple, and not without some reason. Some point to Xiaomi’s product introductions, which are eerily just like Apple’s. Others point out the strong similarities between Xiaomi’s operating system (named MIUI) and Apple’s iOS. What’s more, Xiaomi’s products rank among the best in the industry in terms of performance. All these cues might lead us to believe that it is competing head to head with the leading smartphone manufacturers.
However, looking at the full extent of Xiaomi’s business model reveals just how different – and how disruptive – it is. For starters, unlike Apple, Xiaomi is not targeting premium customers; it’s mostly teens buying those high-quality phones, and hardly at a premium, since Xiaomi’s prices are at least 60% lower. A neat trick. How does Xiaomi pull that off?
For my Ethical Hackers. Think of the fun possible by driving through a neighborhood, unlocking doors as you go!
August Smart Lock Gets Key Exposure in Apple Stores
The August Smart Lock will become available for purchase at Apple retail stores in the United States starting this week, the company announced on Tuesday.
Priced at US$249.99, the smart device uses Bluetooth and a mobile app to create a virtual key.
The August Smart Lock replaces the interior portion of users' existing deadbolt locks but does not require users to change their exterior door hardware; their physical, metal keys will work with the deadbolt as well.
The device is powered by four AA batteries [Why you need to keep the key Bob] and can be installed in about 10 minutes, August said.
Once in place, the smart lock allows users to control access to their home via smartphone. They can provide temporary or ongoing access to select others at will, including creating invited guest lists from their contacts for a party or event, for example.
Log records show who has entered and exited.
It's sad to think we need to buy hardware, install special software, or go to any extra effort at all to secure our communications. The amount of “over-subscription” ($7,500 asked, $500,000+ pledged) suggests we do want security and recognize the need to pay for it.
Cassandra Khaw reports:
On the internet, everyone is susceptible to invasions of privacy. But, a group of developers is hoping to change this by kickstarting a one-stop solution for anyone looking to peruse the internet without having their personal information harvested.
Anonabox hinges on open source software known as Tor, which encrypts user activities on the World Wide Web. While some amount of technical knowledge is usually needed to implement Tor, Anonabox will purportedly offer plug-and-play usability.
Read more on The Verge.
Clearly I'm pleased to see that Harvard clearly wants to clearly clarify the clutter surrounding the Internet of Things. Definitely worth a read!
The Internet of Things is definitely becoming a Thing, in the same way that big data’s a Thing or the sharing economy’s a Thing. And the thing about a thing that becomes a Thing is, it’s easy to lose sight of the things that made it a thing before everyone declared it the Next Big Thing that will change everything.
Got it? Good. We’ll start there. With the hype over the Internet of Things behind us. Because whether or not it’s a Thing, the internet of things is already a lot of things.
… But before you read anything else, I suggest you check out Michael Porter’s new opus of an article on the Internet of Things and strategy.
It’s quite a thing.
(Related) Also mentioned in the previous article.
Search engine for the Internet of Things
“Thingful® is a search engine for the Internet of Things, providing a unique geographical index of connected objects around the world, including energy, radiation, weather, and air quality devices as well as seismographs, iBeacons, ships, aircraft and even animal trackers. Thingful’s powerful search capabilities enable people to find devices, datasets and realtime data sources by geolocation across many popular Internet of Things networks, and presents them using a proprietary patent-pending geospatial device data search ranking methodology, ThingRank®. If you are concerned about asthma, find out about any air quality monitors in your neighbourhood; somebody working with a Raspberry Pi can find others round the corner using the same computing platform; if you notice a ship moored nearby, discover more about it by tracking it on Thingful, or get notified of its movements; a citizen concerned about flooding in a new neighbourhood can look up nearby flood monitors or find others that have been measuring radiation. You might even watch the weekly movements of a shark as it explores the oceans. The possibilities are unbounded! Thingful also enables people and companies to claim and verify ownership of their things using a provenance mechanism, thereby giving them a single web page that aggregates information from all their connected devices no matter what network they’re on, in categories that include health, environment, home, transport, energy and flora & fauna. Users can also add objects to a Watchlist in order to keep track of them, monitor their realtime status and get notifications when they change.”
They talk statistics; I'm looking for immediate (hardware or software) feedback.
Training Students to Extract Value from Big Data
“As the availability of high-throughput data-collection technologies, such as information-sensing mobile devices, remote sensing, internet log records, and wireless sensor networks has grown, science, engineering, and business have rapidly transitioned from striving to develop information from scant data to a situation in which the challenge is now that the amount of information exceeds a human’s ability to examine, let alone absorb, it. Data sets are increasingly complex, and this potentially increases the problems associated with such concerns as missing information and other quality concerns, data heterogeneity, and differing data formats. The nation’s ability to make use of data depends heavily on the availability of a workforce that is properly trained and ready to tackle high-need areas. Training students to be capable in exploiting big data requires experience with statistical analysis, machine learning, and computational infrastructure that permits the real problems associated with massive data to be revealed and, ultimately, [I'm gunning for “immediately” Bob] addressed. Analysis of big data requires cross-disciplinary skills, including the ability to make modeling decisions while balancing trade-offs between optimization and approximation, all while being attentive to useful metrics and system robustness. To develop those skills in students, it is important to identify whom to teach, that is, the educational background, experience, and characteristics of a prospective data-science student; what to teach, that is, the technical and practical content that should be taught to the student; and how to teach, that is, the structure and organization of a data-science program. Training Students to Extract Value from Big Data summarizes a workshop convened in April 2014 by the National Research Council’s Committee on Applied and Theoretical Statistics to explore how best to train students to use big data. 
The workshop explored the need for training and curricula and coursework that should be included. One impetus for the workshop was the current fragmented view of what is meant by analysis of big data, data analytics, or data science. New graduate programs are introduced regularly, and they have their own notions of what is meant by those terms and, most important, of what students need to know to be proficient in data-intensive work. This report provides a variety of perspectives about those elements and about their integration into courses and curricula.”
Demographics and Big Data. Summarizing by Zip Code.
Big Data Can Guess Who You Are Based on Your Zip Code
In the era of Big Data, your zip code is a window into what you can afford to buy, but it also reveals how you spend time—and, in essence, who you are.
That's according to software company Esri, which mapped zip codes across the United States and linked them to one of 67 profiles of American market segments.
… The level of detail is striking and—from what I could tell based on cross-referencing some of my own last several zip codes of residence—pretty accurate, too. Anyone can plug a zip code into Esri's database, which makes for an addicting game of "guess my identity."
… In the United States, where there are virtually no regulations on data collection, someone trying to profile you can fairly easily learn how much money you make, your education level, whether you own a home, who you voted for, how many kids you have, how much credit card debt you're carrying, even what you thought of the series finale of How I Met Your Mother.
Dilbert nails it again. This is exactly what happens when I assign Group Projects.