You can't rely on those “assurances” released with initial details of a breach. It seems the damage is always worse than initially suspected. Another way to look at it: How can they even hint that they know the extent of the breach if they are still analyzing?
Aliya Sternstein reports:
Compensation files for U.S. Postal Service workers might also have been breached during a recent hack that exposed the Social Security numbers and other personal data on about 800,000 USPS employees, a postal inspector said Wednesday.
[...]
“We’re still conducting forensic analysis of the impacted servers,” said Randy Miskanic, incident commander on the case and the USPS secure digital solutions vice president. “There is the possibility of additional compromise, specifically as it relates to some workers’ compensation files.”
Read more on NextGov.
Big Data must include Big Breaches.
RiskBased Security reports:
We have been so busy here at Risk Based Security recently that we neglected to release our latest Data Breach QuickView report to the public last month! The report already shows that 2014 is the highest year ever for exposed records. The 1,922 incidents reported during the first nine months of 2014 exposed over 904 million records. While 60.2% of breaches exposed only between 1 and 1,000 records, twenty breaches exposed one million or more records with four finding a place on the Top 10 All Time Breach List.
About the Data Breach QuickView Report
The Data Breach QuickView report is intended to be an executive level summary of the key findings from RBS’ analysis of 2014’s data breach incidents. Contact Risk Based Security for your customized analysis of the 2014 data breaches.
You can view the 2014 Data Breach QuickView report here:
https://www.riskbasedsecurity.com/reports/2014-Q3DataBreachQuickView.pdf
Unfortunately, this response also fits the facts exactly: “Of course we can't talk about it. We are doing something so illegal that the case would get thrown out.” Looks like they tossed all of their evidence. Good luck with the prosecution.
Justin Fenton reports:
Baltimore prosecutors withdrew key evidence in a robbery case Monday rather than reveal details of the cellphone tracking technology police used to gather it.
The surprise turn in Baltimore Circuit Court came after a defense attorney pressed a city police detective to reveal how officers had tracked his client.
City police Det. John L. Haley, a member of a specialized phone tracking unit, said officers did not use the controversial device known as a stingray. But when pressed on how phones are tracked, he cited what he called a “nondisclosure agreement” with the FBI.
“You don’t have a nondisclosure agreement with the court,” Baltimore Circuit Judge Barry G. Williams replied. Williams threatened to hold Haley in contempt if he did not respond. Prosecutors decided to withdraw the evidence instead.
Read more on Baltimore Sun.
[From the article:
Law enforcement officials in Maryland and across the country say they are prohibited from discussing the technology at the direction of the federal government, which has argued that knowledge of the devices would jeopardize investigations.
…
Some critics say the use of such technology might be appropriate, with court approval, to help law enforcement locate a suspect. But in the secrecy surrounding its use, they say, it's not always clear that law enforcement officials have secured the necessary approval, or stayed within their bounds.
…
Police say phone records show that the phone that was used to call in the delivery was also used to make and receive hundreds of calls to and from Taylor's phone. [If the defendant had called Mom, would she now be a “co-defendant?” Bob]
…
Finally, Seidel said prosecutors would drop all evidence found during the search of the home — including, authorities have said, a .45-caliber handgun and the cellphone. The prosecutor said the state would continue to pursue the charges.
Wessler, of the ACLU, said Williams was right to ignore the nondisclosure agreement with the FBI.
"You can't contract out of constitutional disclosure obligations," Wessler said. "A secret written agreement does not invalidate the Maryland public records law [and] does not invalidate due process requirements of giving information to a criminal defendant."
A Hypothetical: All it took was a handshake in the middle east and we have something far better than sanctions to put pressure on Russia. (It's easy to out maneuver a country that thinks it does not need to cooperate with anyone.)
Russia has little to offer in oil price war
… Russian wells will freeze if they stop pumping oil, and the country cannot store the output it would otherwise export.
… But despite needing oil prices of $100 a barrel to balance its budget, Russia has changed little since 2008 when the Organization of the Petroleum Exporting Countries urged Moscow to join forces to cut supply to shore up prices.
Then and now, the world's biggest producer lacks the ability to increase or turn down its own production.
… Some experts argue that Russia could even need oil prices as high as $115 to balance the budget, since social and military spending have soared, while Western sanctions over Ukraine have cut off Moscow from funds it borrows in Western financial markets.
“Default is de-stupid way!”
Thousands Of People Worldwide With Home Security Cameras Are Being Spied On By A Russian Website
The UK government has warned that Russian website Insecam is collecting the feeds of thousands of webcams worldwide, allowing any internet user to see into private homes.
The Daily Mail reports that the site works by collecting the feeds of webcams that have either poor or non-existent security.
It's common for people to purchase internet-connected security cameras to monitor their houses and businesses. But what they often don't realise is that the default security settings on those devices can leave them wide open for anyone on the internet to view them.
Might be fun to try. What happens if you hit a false positive?
This New Tool Tells You If The Government Is Spying On Your Computer
…
Amnesty International release the product today in a fight back against "repressive governments" who are misusing spyware against society.
Detekt scans computers for traces of major spyware and sends alerts to users if something is picked up.
Perhaps learning to “govern data” begins at home? But if your house is “smarter” than you are, your house may flash “12:00,” just like your old VCR.
Wink Connects and Simplifies Your Smart Home
The smart home market is currently full of innovative companies, all working to create the best way to make your home more powerful and more efficient, but they don’t always work together well.
…
you can buy the Wink hub, a $50 smart home controller that unifies all of your wireless devices — most of which had no way to communicate with each other before. The hub allows them to “speak the same wireless language,” letting you do some pretty cool things that involve multiple devices (which we’ll get to below). Wink also offers a $300 touchscreen relay controller that replaces a light switch in your home; you can then control all of your connected devices from the single relay point.
…
By using the Wink hub to link all of your devices together, you can create sets of actions – a bit like your own private If This Then That system for your home.
One example that Wink gives on its website is having your lights and air conditioning turn on whenever you unlock your front door. In addition to combining these behaviors, you can also set timers for various activities, so the blinds will go up and the kitchen lights will turn on when you get up in the morning.
(Related)
Battle of the Smart Home Hubs: What’s Out There and What’s Coming?
I've been asking my students and they all say, “Save yourself!” The logic will certainly become an issue in any lawsuit.
A large truck speeding in the opposite direction suddenly veers into your lane.
Jerk the wheel left and smash into a bicyclist?
Swerve right toward a family on foot?
Slam the brakes and brace for head-on impact?
[Force the truck to have 'self-driving' software? Bob]
It's relatively easy to write computer code that directs the car how to respond to a sudden dilemma. The hard part is deciding what that response should be.
Legal arguments – you try explaining them to my students. Think of the poor cellphone user who worries that an ex-wife or the NSA will guess his password, and so sets up security such that the fingerprint confirms that he is the one entering the password. Is the fingerprint protected in that circumstance?
A couple of weeks back, there was a flurry of media coverage of a Virginia state court opinion where the judge granted an order to compel a defendant’s fingerprint to unlock his cellphone while simultaneously denying a request to compel the defendant to turn over his passcode. We requested a copy of the decision from the court, which we’re posting for you today below.
In his opinion, the judge addressed whether a cellphone’s passcode and/or fingerprint authentication are testimonial communication, and thereby covered by the Fifth Amendment’s privilege against self-incrimination. In the end, the judge determined that a defendant “cannot be compelled to ‘divulge through his mental processes’ the passcode for entry” to data on a locked cellphone. Disclosure of the fingerprint, however, “does not require the witness to divulge anything through his mental processes.” As a result, the judge ordered the defendant to provide his fingerprint to unlock his cellphone.
Coming soon to a classroom near me.
How IoT Will Change Big Data Analytics
What do SAS, Cisco, Duke Energy and AT&T have in common? They are all big proponents of the Internet of Things (IoT), also often called the Industrial Internet.
The central idea behind IoT is that sensors and microchips can be placed anywhere and everywhere to create a collective network that connects devices and generates data. Instead of that data sitting in an information silo where it is accessible to only a few specialists, it becomes part of a Big Data "lake" where it can be analyzed in the context of other information.
"The Internet of Things means everything will have an IP address," said Jim Davis, executive vice president and chief marketing officer, SAS.
He laid out the value proposition for oil rigs which generate eight terabytes of data per day. IoT could open the door to greater productivity and more effective predictive maintenance. If something breaks down, it can lead to millions in losses. By placing sensors on rigs and monitoring them, it is possible to better understand what’s happening and keep the equipment running.
Not All IoT Data Is Important
…
A key challenge with IoT, he believes, is data management: determining what type of data is important, what should be transmitted immediately, what should be stored and for how long, and what information should be discarded. Otherwise, you could end up with an almost infinite pile of data to analyze, when only a relatively small portion is of real importance.
"Some data just needs to be read and thrown away," Khan said.
(Related)
...and here's why we analyze!
Finding the Money in the Internet of Things
For the Security toolkit. (I ask my students to look at articles like this and to their horror they discover that they have security and privacy vulnerabilities. Imagine that.)
5 Best Open Source Web Browser Security Apps