Saturday, November 01, 2014
Sometimes it's a challenge to explain how companies detect a breach. For example, this seems to suggest the hackers took advantage of employees using the same passwords on both secure business and insecure non-business websites.
J.P. Morgan Found Hackers Through Breach of Road-Race Website
J.P. Morgan Chase & Co. discovered one of the biggest known cyber attacks to hit a U.S. bank in part due to a foot race the bank sponsors.
… because the intruders had used some of the same offshore servers to hack both the bank and the website of the J.P. Morgan Corporate Challenge, according to people familiar with the matter.
… But the new material also raises fresh concerns about the ability of companies and law-enforcement officials to fend off hackers driven to steal the personal financial details of consumers. Hackers were in the bank’s network for about two months undetected, only revealing themselves because of an apparent slip-up by the hackers and a report by a security vendor in early August.
… J.P. Morgan and its security vendors discovered the cache included information from the Corporate Challenge website, which is managed by an outside company and isn’t connected to the bank’s network. The bank says it doesn’t believe that the corporate challenge website was an entry point for hackers into the bank’s servers.
In August, bank executives led by Chief Operating Officer Matt Zames and Chief Information Security Officer Greg Rattray linked the race website breach back to several overseas I.P. addresses. Then they queried J.P. Morgan’s own network logs to see if there had been any communication with those addresses.
There were. The bank discovered that hackers had been in its system since at least June.
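The log query described in the two paragraphs above, as an added example that is not the bank's, the vendor's or the WSJ's code: given the indicator addresses recovered from the race-website investigation, search the organisation's own outbound connection logs for any contact with them and report the earliest hit, which is what tells a responder how long the intruders had already been inside. The log format, the internal hosts and the indicator addresses (RFC 5737 documentation ranges) are all constructed for this example; the real overseas addresses were never published.

```python
import re
from datetime import datetime

# Constructed firewall log lines, not real bank data.
SAMPLE_LOGS = "\n".join([
    "2014-06-14T02:11:09Z fw01 src=10.20.3.7 dst=198.51.100.23 dport=443 action=ALLOW bytes_out=48211",
    "2014-06-14T02:11:15Z fw01 src=10.20.3.7 dst=93.184.216.34 dport=443 action=ALLOW bytes_out=1200",
    "2014-07-02T23:40:51Z fw02 src=10.20.9.41 dst=203.0.113.88 dport=8443 action=ALLOW bytes_out=1933874",
    "2014-07-03T00:05:12Z fw02 src=10.20.9.41 dst=203.0.113.88 dport=8443 action=ALLOW bytes_out=2087710",
    "2014-08-01T11:02:44Z fw01 src=10.20.3.7 dst=198.51.100.23 dport=443 action=DENY bytes_out=0",
])

# Placeholder indicators standing in for the overseas addresses tied to the race-site breach.
INDICATORS = {"198.51.100.23", "203.0.113.88"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+) bytes_out=(?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_indicator_hits(log_text, indicators):
    """Return every record whose destination is a known indicator (ALLOW and DENY alike:
    a blocked attempt still proves an internal host tried to reach the address)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in indicators:
            hits.append(rec)
    return hits

def summarize(hits):
    """Earliest contact (dwell-time lower bound), internal hosts involved, bytes per indicator."""
    if not hits:
        return None
    bytes_by_dst = {}
    for h in hits:
        bytes_by_dst[h["dst"]] = bytes_by_dst.get(h["dst"], 0) + h["bytes"]
    return {"first_seen": min(h["ts"] for h in hits),
            "internal_hosts": sorted({h["src"] for h in hits}),
            "bytes_by_dst": bytes_by_dst}
```

Run against real logs, the `first_seen` value is the "since at least June" finding: it bounds how far back the investigation must look, not when the intrusion began.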
Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions
… the intrusion at the nation’s largest bank could have gone on for longer if not for a critical discovery by a Milwaukee security consulting firm that helped JPMorgan uncover the full extent of its breach. That firm, Hold Security, uncovered a repository of a billion stolen passwords and usernames that it said had been pilfered by a loose-knit gang of Russian hackers. The hackers, according to the consulting firm, had infiltrated more than 420,000 websites.
… The criminal database also included the certificate for the website of the Corporate Challenge site’s vendor, Simmco Data Systems, indicating a serious breach that allowed hackers to pose as the race website operator and intercept traffic, such as race participants’ login credentials, said a person briefed on the data the security firm collected.
… More disturbing, the stolen Simmco Data certificate was first compromised in April, suggesting that the hackers could have begun their attack on the bank at least four months before the bank noticed any unusual activity within its own network.
… The bank spends $250 million annually on security defense. But after the attack, Jamie Dimon, JPMorgan’s chief executive, said he was considering doubling that amount — an indication of the increasing threat from the attacks. [Spending vast amounts for half-vast security? Bob]
(Related) Could the same technique be used here? (Yes Bob, it could.) Definitely worth a read.
Feedback Friday: Hackers Infiltrate White House Network - Industry Reactions
… An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.
… Experts have pointed out that while the attackers breached an unclassified network, it doesn't necessarily mean that they haven't gained access to some useful data, even if it's not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.
And I just finished explaining to my Computer Security students that there are three ways you can securely identify people trying to access your systems. 1) by what they know, like a password. 2) by what they have, like a key or dongle. 3) by what they are, like fingerprints, facial recognition, etc. Looks like this ruling wipes out number 3.
Judge Rules Suspect Can Be Required To Unlock Phone With Fingerprint
… A Virginia Circuit Court judge ruled Tuesday that police officers cannot force criminal suspects to divulge cellphone passwords, but they can force them to unlock the phone with a fingerprint scanner.
If applied by other courts, the ruling could become important as more device makers incorporate fingerprint readers that can be used as alternatives to passwords.
… The Fifth Amendment to the U.S. Constitution gives people the right to avoid self-incrimination. That includes divulging secret passwords, Judge Steven C. Frucci ruled. But providing fingerprints and other biometric information is considered outside the protection of the Fifth Amendment, the judge said.
If Google says it, it must be true! I may want to add this to my Statistics class.
Google thinks it’s found a way to gather data on people using its products while also protecting their privacy.
… The project, called the “Randomized Aggregatable Privacy-Preserving Ordinal Response” or RAPPOR, “enables learning statistics about the behavior of users’ software while guaranteeing client privacy,” said Google security researcher Úlfar Erlingsson in a blog post.
RAPPOR uses a trick that randomly sends incorrect data from some users. The false data makes it difficult for Google to identify individual users, while still gathering general information.
Essentially, Google will be able to look at “the forest of client data … without permitting the possibility of looking at individual trees,” according to a paper Google will present on the project at a conference next week.
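The "trick" in the two paragraphs above is randomized response. As an added illustration, not Google's code and not the RAPPOR implementation, here is its one-bit core with RAPPOR's Bloom-filter encoding and second randomization stage left out: each client replaces its true bit with a fair coin flip with probability f (a parameter assumed here), the server recovers the population rate by inverting the known bias, and its posterior about any single client stays close to the prior. The population is constructed with a seeded random generator.

```python
import random

def randomize_bit(true_bit, f, rng):
    """Client side: with probability f replace the true bit with a fair coin flip,
    otherwise report it honestly. f is the fraction of responses randomized."""
    if not 0 <= f < 1:
        raise ValueError("f must be in [0, 1)")  # f == 1 would carry no signal at all
    if rng.random() < f:
        return rng.randint(0, 1)
    return true_bit

def estimate_true_fraction(reports, f):
    """Server side: a report is 1 with probability (1-f)*t + f/2 when the true
    population rate is t, so invert that bias to get an unbiased estimate of t."""
    observed = sum(reports) / len(reports)
    return (observed - f / 2) / (1 - f)

def individual_posterior(f, prior_rate, reported_bit=1):
    """What the server can infer about ONE client: P(true bit = 1 | its report)."""
    p_report1_given_1 = (1 - f) + f / 2   # honest, or randomized and coin showed 1
    p_report1_given_0 = f / 2             # randomized and coin showed 1
    if reported_bit == 1:
        like1, like0 = p_report1_given_1, p_report1_given_0
    else:
        like1, like0 = 1 - p_report1_given_1, 1 - p_report1_given_0
    num = prior_rate * like1
    return num / (num + (1 - prior_rate) * like0)

def simulate(n_clients, true_rate, f, seed=7):
    """Constructed population: n_clients whose sensitive bit is set at true_rate.
    Returns (actual fraction, fraction estimated from the randomized reports)."""
    rng = random.Random(seed)
    truth = [1 if rng.random() < true_rate else 0 for _ in range(n_clients)]
    reports = [randomize_bit(b, f, rng) for b in truth]
    return sum(truth) / n_clients, estimate_true_fraction(reports, f)

if __name__ == "__main__":
    actual, est = simulate(20000, 0.10, f=0.5)
    print(f"actual {actual:.3f}  estimated {est:.3f}")           # forest: close
    print(f"P(true=1 | reported 1) = {individual_posterior(0.5, 0.10):.2f}")  # tree: 0.25
```

With f = 0.5 a single "1" report only moves the server's belief about that client from 10% to 25%, while the aggregate estimate over twenty thousand clients lands within a percentage point of the truth.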
(Related) The Google Blog...
… We believe that RAPPOR has the potential to be applied for a number of different purposes, so we're making it freely available for all to use. We'll continue development of RAPPOR as a standalone open-source project so that anybody can inspect and test its reporting and analysis mechanisms, and help develop the technology. We’ve written up the technical details of RAPPOR in a report that will be published next week at the ACM Conference on Computer and Communications Security.
“It's not a bug, it's a feature!” Just ask any salesman.
Craig Timberg reports:
After security researcher Jeffrey Paul upgraded the operating system on his MacBook Pro last week, he discovered that several of his personal files had found a new home – on the cloud. The computer had saved the files, which Paul thought resided only on his own encrypted hard drive, to a remote server Apple controlled.
“This is unacceptable,” thundered Paul, an American based in Berlin, on his personal blog a few days later. “Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers – across all applications, Apple and otherwise.”
He was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.
Read more on Washington Post.
If Orin Kerr is right, there is a lot we don't know about new types of warrants.
Orin Kerr writes:
The Electronic Frontier Foundation published a report earlier this week alleging an astonishing increase in the use of sneak-and-peek search warrants. Sneak-and-peek searches are sometimes known as “covert searches” or “black bag jobs.” The government breaks into a home, conducts a covert search, and leaves no sign of entry until days or weeks later. According to the EFF report, such searches have become routine in the last few years:
First, the numbers: Law enforcement made 47 sneak-and-peek searches nationwide from September 2001 to April 2003. The 2010 report reveals 3,970 total requests were processed. Within three years that number jumped to 11,129. That’s an increase of over 7,000 requests. Exactly what privacy advocates argued in 2001 is happening: sneak-and-peek warrants are not just being used in exceptional circumstances—which was their original intent—but as an everyday investigative tool.
Sounds pretty bad, right? Well, not so fast. I fear EFF’s report may just misunderstand the significance of the annual “delayed notice warrant” report published by the Administrative Office of the U.S. Courts (AO). I suspect the numbers don’t mean what EFF thinks they mean.
Read more on WaPo The Volokh Conspiracy.
When does free speech become propaganda? If I give you a forum, is that “material support?”
Over the past several months, there has been increasing focus on terrorist use of social media. In the immediate aftermath of the execution of reporter James Foley by ISIL in July, the State Department acknowledged that, along with the Department of Defense, it reached out to social media sites, specifically Twitter and YouTube, to alert them to accounts posting the execution video and related images in violation of the sites’ “own usage polic[ies].”
… 18 U.S.C. § 2339B, however, could provide the requisite legal authority, assuming the inquiry is limited only to accounts that purport to be or are clearly linked to FTOs (i.e. HSM Press, which is al-Shabaab’s media wing, or Andalus Media, the media wing of al-Qaeda in the Islamic Maghreb). Section 2339B outlaws “knowingly provid[ing] material support or resources to a foreign terrorist organization.”
(Related) Connecting a post to terrorists isn't going to be easy.
… The social media giant on Friday announced that it was launching a way for people on Tor, an online network that allows users to navigate the Web anonymously, to check their Facebook accounts. Facebook created a website with a “.onion” domain to allow anonymous Web servers to connect to the social network.
… “It’s important to us at Facebook to provide methods for people to use our site securely,” Muffett wrote in a Facebook post.
These will look like the sky-darkening swarms of passenger pigeons, but they will be much harder to drive to extinction.
Here Come the Swarming Drones
… Vijay Kumar, and the researchers in his General Robotics, Automation, Sensing, and Perception Lab (GRASP) are developing "swarms" of unmanned aerial vehicles (UAVs) that work in concert. These devices take hundreds of measurements each second, calculating their position in relation to each other, working cooperatively toward particular missions, and just as important, avoiding each other despite moving quickly and in tight formations. Kumar and his colleagues are using intel from Pratt's lab, particularly around how ants communicate and cooperate without any central commander, to make swarming UAVs even more autonomous.
I suspect there will be an entire industry built to mentor and support small businesses. Integration of tools like this will be fundamental as everyone with a mobile device asks, “What should I know about these guys before I do business with them?”
Respond to Reviews Instantly with 'Google My Business' App
Too busy to respond to customer reviews? Google wants to help. For busy business owners who use Google+ Local, there's now an easier way to connect with customers on the go.
Google announced this week new updates to the Google My Business app, which now lets businesses better engage with customers by allowing owners to respond to reviews anytime, anywhere from their mobile devices.
(Related) Do they all have similar Apps?
5 Influential Review Sites That Matter to Your Reputation
Are we that lonely? That desperate for companionship? That unable to put down the mobile device and talk to a real person?
The Typical Tinder User Spends 77 Minutes Tinding Every Day
… The average Tinder user spends an astonishing 77 minutes a day on the app, a spokesperson for the company told The Huffington Post. That's a lot of time, especially considering the app moves fast. Users are presented with dating profile after profile, and they swipe left if they're not interested and right if they are. If two people swipe right on each other, they match and connect via the app's chat function.
… By comparison Instagram users spend an average of 21 minutes a day on the photo-editing and sharing app.
Humor for me.
… The US Department of Education released the latest version of its “gainful employment” rules this week, pleasing nobody. No longer will career training programs be held accountable for their student loan default rates. They’ll just be judged on graduates’ debt-to-earnings ratios. About 1400 programs, mostly at for-profit schools, will be affected, meaning that if they don't meet these new guidelines, their students will not be eligible for federal financial aid. (More on this over on Educating Modern Learners. Free subscription required.)
… Stanford University and Dartmouth College issued an apology to Montana voters after a mailer they sent out about candidates on the state’s ballot.
… The upcoming E-learning and Digital Cultures MOOC has a “teacher bot” that “is programmed to automatically respond to tweets sent to the course hashtag, and designed to offer help and advice, or engage in conversation.” [Automating teachers? Bob]
… The ACLU and EFF are accusing a Tennessee school district of violating students’ rights with its new policy that “allows school officials to search any electronic devices students bring to campus and to monitor and control what students post on social media sites.”
… Francis Schmidt, who teaches at Bergen Community College, will not lose his job because of a photo he took of his daughter wearing a Game of Thrones t-shirt saying “I will take what is mine with fire & blood.” The school apparently interpreted this as a threat and in turn put him on leave, made him see a mental health counselor, then threatened him with suspension or termination.
… MIT’s Les Perelman, one of the leading critics of automated essay graders, writes that “The Educational Test Service (ETS) won’t let me continue to test a product that they are trying to sell to schools and colleges across America. Specifically, the company will not allow me access to the Automated Scoring Engine (AES) unless I agree to let them censor my findings.”
For all my students. (Includes a guide to TOR) Not yet(?) available for download as a PDF or eBook.
Journey Into the Hidden Web: A Guide For New Researchers
Amazing! Scott Adams has been in one of my classes! Must have been!