Friday, October 31, 2014
It's not just the breachee that pays the price. (Is “breachee” a word or should I call the Oxford dictionary people?)
Nicholas Ballasy reports:
The Home Depot data breach cost credit unions almost $60 million, nearly twice as much as the Target breach, according to survey results released by CUNA Thursday.
In the survey conducted from Oct. 1 to Oct. 24, 835 credit unions reported that 7.2 million credit union debit and credit cards were affected by the breach.
CUNA said the average cost for each violation was $8.02 per card due to fraud, reissuing cards and related costs.
Read more on CreditUnion Times.
It's not strange that drones are flying over their reactors; it's strange that they can't locate the pilots!
France Investigates Mystery Drones
France is currently investigating who has been flying drones over its nuclear power plants. Unmanned aerial vehicles (UAVs) have been spotted buzzing seven of France’s state-owned power plants in recent weeks, and the authorities don’t currently have a clue who is responsible.
The drones are commercial models, meaning this could literally be anyone. Greenpeace was accused of being involved, but has vehemently denied it’s behind the stunt. This raises security concerns for obvious reasons, but unless these drones are shot on sight it seems there is very little that can be done to stop them.
Tools for my Ethical Hackers. Of course this is easily prevented, but most organizations won't take that extra step.
"AirHopper" Malware Uses Radio Signals to Steal Data from Isolated Computers
A proof-of-concept malware developed by researchers at the Ben Gurion University in Israel shows that an attacker can transmit sensitive information from isolated computers to nearby mobile phones by using radio signals.
Numerous organizations have resorted to what is known as "air gapping" to secure their most sensitive information. This security method can be efficient because the protected devices are isolated from the Internet, which makes them difficult to compromise.
… The researchers have demonstrated that data exfiltration from an isolated device is possible via radio signals captured by a mobile device. The proof-of-concept malware they have created, dubbed "AirHopper," uses the infected computer's graphics card to emit electromagnetic signals to a nearby mobile phone that's set up to capture the data.
… The attack has four main steps: getting the piece of malware onto the isolated computer, installing malicious code on one or more mobile phones, setting up a command and control (C&C) channel with the infected mobile device, and transmitting signals emanated by the isolated computer back to the attacker.
For my Computer Forensics students. Won't work on all encryption (not at all on Codes) but might prove useful.
Cora Currier and Morgan Marquis-Boire report:
When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.
We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”
Read more on The Intercept.
(Related) How big a problem is encryption? Encryption was encountered in 1.15% of the wiretaps (41/3576), and it kept the messages secure in about 22% of those cases (9/41). So encryption was a real concern 0.25% of the time (9/3576). One quarter of 1 percent!
Wiretap Report 2013
… The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges.
… The number of state wiretaps in which encryption was encountered increased from 15 in 2012 to 41 in 2013. In nine of these wiretaps, officials were unable to decipher the plain text of the messages. Encryption was also reported for 52 state wiretaps that were conducted during previous years, but reported to the AO for the first time in 2013. Officials were able to decipher the plain text of the communications in all 52 intercepts.
This could impact several areas of Computer Security.
NIST Releases Guide for Threat Intelligence Sharing Efforts
The National Institute of Standards and Technology (NIST) is seeking public comment on a draft paper outlining ways to help organizations improve threat intelligence sharing.
The paper, titled 'Guide to Threat Information Sharing', is aimed at providing guidance for improving the effectiveness of cyber-security efforts through strong information sharing practices.
… "When deciding what incident-related information to share with other organizations, the following factors should be considered: risk of disclosure; operational urgency and need for sharing; benefits gained by sharing; sensitivity of the information; trustworthiness of the recipients; [and the] methods and ability to safeguard the information," the report notes.
One to watch...
200 Organizations Take Part in Largest European Cybersecurity Exercise to Date
Today, the European Union Agency for Network and Information Security (ENISA) is conducting the biggest and most complex European cybersecurity exercise to date.
According to the agency, more than 200 organizations and 400 experts from a total of 29 European Union and EFTA countries will participate in Cyber Europe 2014, a large-scale event that's organized every two years. The exercise takes place at several centers all over Europe and is coordinated from a central control center.
… Participants will be presented with over 2,000 incidents, including defacements, data theft, denial-of-service (DoS), intelligence and media reports on malicious cyber operations, and attacks on critical infrastructure. The goal is to test not only the procedures and capabilities of each participant, but also the effectiveness of cooperation in the European Union.
Here's another example Scott Peppet (CU Law Professor) can add to his list.
Jennifer Baker reports:
In response to public outcry via Twitter and personal blogs on Wednesday, the Samaritans have announced an opt-out function for their stalker-friendly app Samaritans Radar.
Samaritans Radar automatically scans the tweets of anyone the user follows and alerts subscribers to potentially suicidal tweets based on “trigger phrases”. However well-meaning the intention, many Twitter users were quick to point out that there were huge privacy implications, not to mention the creepy effect: “The people you follow won’t know you’ve signed up to it and all alerts will be sent directly to your email address,” according to the Samaritans website.
Read more on The Register.
Perspective. (and a business opportunity!)
The False Promise of Anonymity – CDT
Sarah St.Vincent and Alex Bradshaw: “In recent weeks, multiple apps promising “secret” messaging have had sensitive data exposed by breaches and the apps’ not-so-secret data-sharing practices. This news makes one thing clear: the term “anonymity,” as used by apps that ostensibly enable individuals to post updates anonymously, often promises too much. Many applications promising anonymity collect highly specific user data despite representations to the contrary. Often, this data is monetized through sharing with third-parties and it is almost always susceptible to unauthorized access. The Whisper incident is an example of this misrepresentation of anonymity. After the Guardian reported that popular messaging app Whisper shares users’ IP addresses with government entities, Whisper conceded that this was true. However the app maintains that the service “does not collect nor store any personally identifiable information (PII) from users and is anonymous.” This position is puzzling for two reasons: first, Whisper’s exclusion of IP addresses from its definition of PII directly contradicts federal authorities’ interpretation of the term – NIST includes IP address in its definition of PII – and secondly, despite how “PII” is defined, simply refraining from collecting PII does not guarantee anonymity.”
Ethical problems or merely bad public relations? I read this as “Cool it! You're making it difficult for us to give you the 'Big Brother' powers you've been asking for.”
The head of the Senate Judiciary Committee is “increasingly concerned” with the way that federal agents are carrying out investigations, he told Attorney General Eric Holder on Thursday.
Sen. Patrick Leahy (D-Vt.) wrote to Holder in response to news that the Drug Enforcement Administration (DEA) used a woman’s identity to create a Facebook profile without her knowledge and that the FBI planted a fake Associated Press article on a phony Seattle Times website.
“Such tactics carry ethical and legal risks,” the longtime senator told Holder.
“Tactics such as these may ultimately prove counter-productive if they erode the public’s trust in the judgment and integrity of law enforcement officers.”
… On Thursday, he also said that officials should commit not to impersonate news organizations, days after news emerged that the FBI used a fake AP story to insert a bug into the computer of a teenager suspected of calling in bomb threats at their school.
… In his letter, Leahy noted that news about the controversial investigations come as the FBI is seeking to expand its ability to hack into people’s computers.
… The recent stories are not helping the FBI’s case in that matter, Leahy indicated.
Amusing. Does not seem to work exactly as advertised.
WSJ Database for constituents to explore composition of Congressional representation
“The U.S. House of Representatives was envisioned as a house of the people, directly elected by voters and reflecting their will. But what if Congress also reflected its constituents’ demographics? Explore how members of the House compare with residents of each of the 435 congressional districts, based on the predominant characteristics within each. Then see how your district stacks up.”
The United States lags behind other nations when it comes to Internet speeds and prices, according to a Thursday report.
The Open Technology Institute's report evaluated prices and speeds of home broadband Internet from 24 cities around the world, including eight in the United States.
The study, which tracks with past studies and other recent data, found similar gaps for mobile broadband service as well.
… The report found that U.S. cities with publicly owned networks, like Chattanooga or Lafayette, have speeds far exceeding cities with only traditional Internet service providers like Verizon, AT&T or Comcast. [I've advocated public networks for years! Bob]
Was this their strategy all along? With a Starbucks on every corner, delivery will be no big deal. (Think of the British “Tea lady”)
Starbucks to deliver food and coffee in 2015: Howard Schultz calls it ‘e-commerce on steroids’
… Starbucks CEO Howard Schultz announced that the company plans to begin delivering food and beverages in select cities in the second half of next year, part of a larger effort by the Seattle coffee company to conquer the mobile payments arena.
“Imagine the ability to create a standing order of Starbucks delivered hot or iced to your desk daily,” Schultz said in a conference call with analysts.
Might be fun for our Design students. (I doubt Obama as the Grinch would win)
The White House is hosting a 3D printing contest to see who can design the best holiday ornament.
The contest will run through Nov. 10 and only requires contestants to submit a design rather than create and print out their entry, the White House Office of Science and Technology Policy said Thursday, announcing the contest.