It's not just the breachee that pays the price. (Is “breachee” a word or should I call the Oxford dictionary people?)

Nicholas Ballasy reports:

The Home Depot data breach cost credit unions almost $60 million, nearly twice as much as the Target breach, according to survey results released by CUNA Thursday.

In the survey conducted from Oct. 1 to Oct. 24, 835 credit unions reported that 7.2 million credit union debit and credit cards were affected by the breach.

CUNA said the average cost for each violation was $8.02 per card due to fraud, reissuing cards and related costs.

Read more on Credit Union Times.
It's not strange that drones are flying over their reactors, it's strange that they can't locate the pilots!

France Investigates Mystery Drones

France is currently investigating who has been flying drones over its nuclear power plants. Unmanned aerial vehicles (UAVs) have been spotted buzzing seven of France’s state-owned power plants in recent weeks, and the authorities don’t currently have a clue who is responsible.

The drones are commercial models, meaning this could literally be anyone. Greenpeace was accused of being involved, but has vehemently denied it’s behind the stunt. This raises security concerns for obvious reasons, but unless these drones are shot on sight it seems there is very little that can be done to stop them.
Tools for my Ethical Hackers. Of course this is easily prevented, but most organizations won't take that extra step.

"AirHopper" Malware Uses Radio Signals to Steal Data from Isolated Computers

A proof-of-concept malware developed by researchers at Ben-Gurion University in Israel shows that an attacker can transmit sensitive information from isolated computers to nearby mobile phones by using radio signals.

Numerous organizations have resorted to what is known as "air gapping" to secure their most sensitive information. This security method can be efficient because the protected devices are isolated from the Internet, which makes them difficult to compromise.

…

The researchers have demonstrated that data exfiltration from an isolated device is possible via radio signals captured by a mobile device. The proof-of-concept malware they have created, dubbed "AirHopper," uses the infected computer's graphics card to emit electromagnetic signals to a nearby mobile phone that's set up to capture the data.

…

The attack has four main steps: getting the piece of malware onto the isolated computer, installing malicious code on one or more mobile phones, setting up a command and control (C&C) channel with the infected mobile device, and transmitting signals emanated by the isolated computer back to the attacker.
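Stripped of the radio part, the channel described above is a modem: software on the isolated machine drives the graphics output so that the cable radiates at frequencies of its choosing, the phone's radio receiver turns that into audio, and the payload is recovered from tones in the audio. The simulation below is an added illustration of that modem layer only; it is not the researchers' code, it emits no radio signal, and the sample rate, tone frequencies, symbol length, noise level and the sample payload are assumptions chosen for the example. It encodes each bit as one of two audio tones (binary FSK), passes the tone stream through a noisy channel, and decodes it with a Goertzel energy detector, which is the kind of decision a receiving phone would have to make per symbol.

```python
import math
import random

# Parameters of the simulated receiver, chosen so that each tone completes a
# whole number of cycles per symbol window (10 cycles for FREQ_ZERO, 20 for
# FREQ_ONE) and lands exactly on a DFT bin.  All values are assumptions for
# this example, not parameters taken from the AirHopper research.
SAMPLE_RATE = 8000       # Hz, audio-rate sampling of the demodulated radio signal
SYMBOL_SAMPLES = 80      # 80 samples = 10 ms per bit = 100 bit/s
FREQ_ZERO = 1000.0       # Hz tone that carries a 0 bit
FREQ_ONE = 2000.0        # Hz tone that carries a 1 bit


def bytes_to_bits(data):
    """Most-significant-bit-first bit list for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def fsk_modulate(data):
    """Transmitter side: one unit-amplitude tone per bit (binary FSK)."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = FREQ_ONE if bit else FREQ_ZERO
        for n in range(SYMBOL_SAMPLES):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def add_noise(samples, snr_db, seed=1):
    """Channel model: additive white Gaussian noise at the given SNR in dB."""
    rng = random.Random(seed)       # seeded so the run is reproducible
    signal_power = 0.5              # mean power of a unit-amplitude sine
    noise_power = signal_power / (10 ** (snr_db / 10))
    sigma = math.sqrt(noise_power)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def goertzel_power(window, freq):
    """Energy of `window` at `freq`: the Goertzel algorithm for one DFT bin."""
    n = len(window)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def fsk_demodulate(samples):
    """Receiver side: decide each symbol by comparing energy at the two tones.

    Symbol timing is assumed known (decoding starts at sample 0); a real
    receiver would first lock on to a preamble.
    """
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        window = samples[start:start + SYMBOL_SAMPLES]
        one = goertzel_power(window, FREQ_ONE)
        zero = goertzel_power(window, FREQ_ZERO)
        bits.append(1 if one > zero else 0)
    return bits_to_bytes(bits)


def round_trip(message, snr_db=0.0):
    """Modulate, push through the noisy channel, demodulate; returns the recovered bytes."""
    return fsk_demodulate(add_noise(fsk_modulate(message), snr_db))


if __name__ == "__main__":
    secret = b"exfil: db password = hunter2"   # constructed sample payload
    recovered = round_trip(secret, snr_db=0.0)
    print("sent:     ", secret)
    print("recovered:", recovered)
    print("match:", recovered == secret)
```

At 0 dB SNR the two tones are still separated by a wide margin because the detector integrates over a whole symbol; lowering `snr_db` in `round_trip` shows where the channel starts to drop bits, which is the same bit-rate-versus-robustness trade-off any such covert channel has to make. What the example does not do is the hard part the researchers solved: making the graphics hardware radiate those tones in the first place.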
For my Computer Forensics students. Won't work on all encryption (not at all on Codes) but might prove useful.

Cora Currier and Morgan Marquis-Boire report:

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

Read more on The Intercept.
(Related) How big a problem is encryption? Encryption was used in (41/3576) 1.15% of the wiretaps, and kept the message secure in (9/41) about 22% of the time. So encryption was a real concern (9/3576) 0.25% of the time. One quarter of 1 percent!

Wiretap Report 2013

…

The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges.

…

The number of state wiretaps in which encryption was encountered increased from 15 in 2012 to 41 in 2013. In nine of these wiretaps, officials were unable to decipher the plain text of the messages. Encryption was also reported for 52 state wiretaps that were conducted during previous years, but reported to the AO for the first time in 2013. Officials were able to decipher the plain text of the communications in all 52 intercepts.
This could impact several areas of Computer Security.

NIST Releases Guide for Threat Intelligence Sharing Efforts

The National Institute of Standards and Technology (NIST) is seeking public comment on a draft paper outlining ways to help organizations improve threat intelligence sharing.

The paper, titled 'Guide to Threat Information Sharing', is aimed at providing guidance for improving the effectiveness of cyber-security efforts through strong information sharing practices.

…

"When deciding what incident-related information to share with other organizations, the following factors should be considered: risk of disclosure; operational urgency and need for sharing; benefits gained by sharing; sensitivity of the information; trustworthiness of the recipients; [and the] methods and ability to safeguard the information," the report notes.
One to watch...

http://www.securityweek.com/200-organizations-take-part-largest-european-cybersecurity-exercise-date

200 Organizations Take Part in Largest European Cybersecurity Exercise to Date

Today, the European Union Agency for Network and Information Security (ENISA) is conducting the biggest and most complex European cybersecurity exercise to date.

According to the agency, more than 200 organizations and 400 experts from a total of 29 European Union and EFTA countries will participate in Cyber Europe 2014, a large-scale event that's organized every two years. The exercise takes place at several centers all over Europe and is coordinated from a central control center.

…

Participants will be presented with over 2,000 incidents, including defacements, data theft, denial-of-service (DoS), intelligence and media reports on malicious cyber operations, and attacks on critical infrastructure. The goal is to test not only the procedures and capabilities of each participant, but also the effectiveness of cooperation in the European Union.
Here's another example Scott Peppet (CU Law Professor) can add to his list.

Jennifer Baker reports:

In response to public outcry via Twitter and personal blogs on Wednesday, the Samaritans have announced an opt-out function for their stalker-friendly app Samaritans Radar.

Samaritans Radar automatically scans the tweets of anyone the user follows and alerts subscribers to potentially suicidal tweets based on “trigger phrases”. However well-meaning the intention, many Twitter users were quick to point out that there were huge privacy implications, not to mention the creepy effect: “The people you follow won’t know you’ve signed up to it and all alerts will be sent directly to your email address,” according to the Samaritans website.

Read more on The Register.
Perspective. (and a business opportunity!)

The False Promise of Anonymity – CDT

Sarah St.Vincent and Alex Bradshaw: “In recent weeks, multiple apps promising “secret” messaging have had sensitive data exposed by breaches and the apps’ not-so-secret data-sharing practices. This news makes one thing clear: the term “anonymity,” as used by apps that ostensibly enable individuals to post updates anonymously, often promises too much. Many applications promising anonymity collect highly specific user data despite representations to the contrary. Often, this data is monetized through sharing with third-parties and it is almost always susceptible to unauthorized access. The Whisper incident is an example of this misrepresentation of anonymity. After the Guardian reported that popular messaging app Whisper shares users’ IP addresses with government entities, Whisper conceded that this was true. However the app maintains that the service “does not collect nor store any personally identifiable information (PII) from users and is anonymous.”

This position is puzzling for two reasons: first, Whisper’s exclusion of IP addresses from its definition of PII directly contradicts federal authorities’ interpretation of the term – NIST includes IP address in its definition of PII – and secondly, despite how “PII” is defined, simply refraining from collecting PII does not guarantee anonymity.”
Ethical problems or merely bad public relations? I read this as “Cool it! You're making it difficult for us to give you the 'Big Brother' powers you've been asking for.”

The head of the Senate Judiciary Committee is “increasingly concerned” with the way that federal agents are carrying out investigations, he told Attorney General Eric Holder on Thursday.

Sen. Patrick Leahy (D-Vt.) wrote to Holder in response to news that the Drug Enforcement Administration (DEA) used a woman’s identity to create a Facebook profile without her knowledge and that the FBI planted a fake Associated Press article on a phony Seattle Times website.

“Such tactics carry ethical and legal risks,” the longtime senator told Holder.

“Tactics such as these may ultimately prove counter-productive if they erode the public’s trust in the judgment and integrity of law enforcement officers.”

…

On Thursday, he also said that officials should commit not to impersonate news organizations, days after news emerged that the FBI used a fake AP story to insert a bug into the computer of a teenager suspected of calling in bomb threats at their school.

…

In his letter, Leahy noted that news about the controversial investigations comes as the FBI is seeking to expand its ability to hack into people’s computers.

…

The recent stories are not helping the FBI’s case in that matter, Leahy indicated.
Amusing. Does not seem to work exactly as advertised.

WSJ Database for constituents to explore composition of Congressional representation

“The U.S. House of Representatives was envisioned as a house of the people, directly elected by voters and reflecting their will. But what if Congress also reflected its constituents’ demographics? Explore how members of the House compare with residents of each of the 435 congressional districts, based on the predominant characteristics within each. Then see how your district stacks up.”
Perspective.

The United States lags behind other nations when it comes to Internet speeds and prices, according to a Thursday report.

The Open Technology Institute's report evaluated prices and speeds of home broadband Internet from 24 cities around the world, including eight in the United States.

The study, which tracks with past studies and other recent data, found similar gaps for mobile broadband service as well.

…

The report found that U.S. cities with publicly owned networks, like Chattanooga or Lafayette, have speeds far exceeding cities with only traditional Internet service providers like Verizon, AT&T or Comcast. [I've advocated public networks for years! Bob]
Was this their strategy all along? With a Starbucks on every corner, delivery will be no big deal. (Think of the British “Tea lady”)

Starbucks to deliver food and coffee in 2015: Howard Schultz calls it ‘e-commerce on steroids’

…

Starbucks CEO Howard Schultz announced that the company plans to begin delivering food and beverages in select cities in the second half of next year, part of a larger effort by the Seattle coffee company to conquer the mobile payments arena.

“Imagine the ability to create a standing order of Starbucks delivered hot or iced to your desk daily,” Schultz said in a conference call with analysts.
Might be fun for our Design students. (I doubt Obama as the Grinch would win)

The White House is hosting a 3D printing contest to see who can design the best holiday ornament.

The contest will run through Nov. 10 and only requires contestants to submit a design rather than create and print out their entry, the White House Office of Science and Technology Policy said Thursday, announcing the contest.