Tuesday, December 16, 2014
Apparently, “thinking” has been banned at Sony. Follows “managing” into the dumpster.
Sony May Have Succumbed to DDoS Temptation
Sony has used Amazon Web Services to launch Distributed Denial of Service attacks on sites carrying files stolen from its network, according to Re/code.
… Amazon reportedly issued a statement to Re/code denying the claim, but the language it used was vague: "The activity being reported is not currently happening on AWS."
… NSA director Admiral Michael Rogers earlier this year warned against revenge hacking at a cybersecurity event hosted by the United States Chamber of Commerce.
The abundance of cloud infrastructure for hire makes it easier to launch DDoS attacks, Incapsula's Gaffan said, adding that it "wouldn't be hard for Sony to hire some serious power to initiate these attacks."
(Related) Dribs and drabs. It's how you keep the hack on the front page.
Steve Ragan reports:
In a breach notification letter sent to employees this week, Sony Pictures outlines the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday.
“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”
So HIPAA protections were supposed to be in place for some data, and this breach should be reported to HHS.
Read more on CSO. Sony’s notification to SPE employees is available on the web site of the California Attorney General’s Office (pdf).
[From the CSO article:
The group claims to have spent more than a year accessing Sony's network, and has been leaking batches of internal documents and communications since November 26. To date, the group has leaked more than 200GB of data, including pre-release movies, executive emails, sales and marketing data, and nearly everything from human resources.
… While not mentioned in the letter directly, the leaked data also included criminal background checks, offer letters (salary and job details), and records related to personnel reviews and opinions within HR.
A copy of the breach notification letter is here.]
(Related) Covering up more than just emails trading snarky comments about “stars.”
Thomas Fox-Brewster reports yet another Sony breach that was disclosed in the hackers’ email dump. Prior to the Brazil breach in February 2014 (also revealed in corporate emails and also not disclosed publicly by Sony at the time), there was apparently an incident involving their German web site in January:
… An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birthdates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker.
On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly.
Read more about this incident and Sony’s response to it on Forbes.
And this is exactly the kind of newsworthy reporting that this blogger thinks is justified, despite Sony’s semi-threatening warning to media outlets about using or disseminating the hacked material.
For my Computer Security students. “Told ya!”
Small Business Leaders Turn a Blind Eye to Data Risks
Most small and midsized businesses (SMBs) are swimming in financial data, but not all of them take steps to safeguard it, according to the 2014 State of Risk report (registration required) from Chicago-based IT security services provider Trustwave.
The company surveyed 476 IT and security professionals, three-quarters of which work at SMBs (up to 1,000 employees).
… Forty-five percent of businesses reported that their board or senior management plays only a partial role in data security. Nine percent said there was no involvement from higher-ups at all.
Small businesses struggle to track and control sensitive data, with 63 percent of respondents reporting they lack effective tools and procedures. Nineteen percent don't even bother.
… Seventy-one percent of respondents said they store and process intellectual property, while 58 percent revealed that they handle sensitive business-to-business data, all of which make tempting targets. "Theft of non-payment data has skyrocketed," said Rosenberg. "The market for these types of information has grown," giving hackers an incentive to grab information that has little, if anything, to do with cash.
What would it take to move beyond “Best Practices” to “So obvious, even really bad managers insist on it?” This paper seems to suggest that anything disclosed about a breach would be entirely new. My guess is that 99% of breaches could have been prevented, detected almost immediately, or drastically reduced in scope if adequate risk analysis followed by implementation of “generally accepted” security practices had occurred. (Where would the owners of the T. J. Hooper have been able to find that a “Marine Radio” could save them a barge full of money?)
Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis
CRS – Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis. N. Eric Weiss, Specialist in Financial Economics. December 11, 2014.
“Data breaches, such as those at Target, Home Depot, Neiman Marcus, and JPMorgan Chase, affecting financial records of tens of millions of households seem to occur regularly. Companies typically respond by trying to increase their cybersecurity by hiring consultants and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information. Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving useful information to their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called “free riding” by economists, may discourage firms from sharing. In addition, the information shared may not be applicable to those receiving it, or it might be difficult to apply. Because firms are reluctant to share information, other firms suffer from vulnerabilities that could be corrected. Further, by not sharing information about effective cybersecurity products and techniques, the size and quality of the market for cybersecurity products suffer. Some industry leaders call for mandatory sharing of information concerning attacks. Other experts advocate a strictly voluntary approach, because they believe it could impose fewer regulatory costs on businesses and cost less for taxpayers. Several bills have been introduced in the 113th Congress to encourage information sharing. H.R. 624, the Cyber Intelligence Sharing and Protection Act, and S. 2588, the Cybersecurity Information Sharing Act of 2014, aim to increase information sharing by directing the Department of Homeland Security and the Department of Justice to develop procedures for receiving and sharing information and by providing liability protection for private entities acting in good faith for a cybersecurity purpose. H.R. 624 passed the House, and S. 2588 was reported out of the Senate Select Committee on Intelligence.”
This is in Canada. It would never, ever happen here. Would it?
Dan Dicks reports:
Merging medical information with your driver’s license information. It’s all about increased concentration in this North American Union. Dan Dicks of Press For Truth talks to Kelly Scott Kolodiazny, a medical cannabis user who renewed his driver’s license only to find his medical marihuana ID planted on the driver’s license card. He can’t get answers as to why his driver’s abstract now has his medical information.
Read more on Press for Truth.
If the Internet was a country, could we extradite data? Because if a company is constantly moving data from data center to data center (country to country) to balance the workload of its “Cloud servers,” we will need a way to grab it when necessary. (Or we could just ask the NSA to send us a copy.)
Hanni Fakhoury writes:
Microsoft has been battling with the federal government over the Department of Justice’s high profile attempt to get access to emails stored abroad in Ireland for the better part of 2014. The US government has claimed a US warrant is sufficient to get emails even when stored in another country, while Microsoft has resisted, arguing the US warrant power does not reach that far. The case has made business rivals into temporary allies and forced Ireland’s Minister for Foreign Affairs and Data Protection to ask the European Commission to formally support Microsoft.
Today we joined the Brennan Center for Justice, the ACLU, and The Constitution Project in a new amicus brief filed in the Second Circuit Court of Appeals supporting Microsoft. We warn the appeals court that two pieces of faulty logic in the lower court’s reasoning could have dangerous implications for digital privacy.
Read more on EFF.
Too big to fail? Perhaps Putin's ego is...
Russia has more problems than low oil prices
The ruble plunged by about 12% Monday, meaning it's lost nearly 50% against the dollar this year. Early Tuesday in Russia, the central bank hiked its key interest rate for a sixth time this year to 17% from 10.5%.
A double-whammy of collapsing oil prices and Western sanctions is driving up inflation. Cash is flooding out of the country and the risk that some Russian companies may default is increasing.
… President Vladimir Putin has already ordered government departments to cut their budgets by 5%, and more cuts could follow. Defense and national security has so far been spared the ax -- Russia is pumping trillions of rubles into modernizing its military.
Visit museums without leaving your recliner... Or at least avoiding Washington.
Freer and Sackler Galleries to Release Complete Digitized Collection Jan. 1, 2015
News release: “The Freer Gallery of Art and Arthur M. Sackler Gallery, the Smithsonian’s museums of Asian art, will release their entire collections online Jan. 1, 2015, providing unprecedented access to one of the world’s most important holdings of Asian and American art. The vast majority of the 40,000 artworks have never before been seen by the public, and more than 90 percent of the images will be in high resolution and without copyright restrictions for noncommercial use. The Freer and Sackler galleries are the first Smithsonian and the only Asian art museums to digitize and release their entire collections, and in so doing join just a handful of museums in the U.S. “We’re poised at a digital tipping point, and the nature of what it means to be a museum is changing,” said Julian Raby, the Dame Jillian Sackler Director of the Arthur M. Sackler Gallery and Freer Gallery of Art.
… In addition, some of the most popular images will also be available for download as free computer, smartphone and social media backgrounds.
5 Sources To View Digitized Historical Collections
For my students to find that “perfect image.”
Seven Alternatives to Google Image Search - Comparison Chart
On a fairly regular basis I am asked for recommendations for alternatives to Google Image search. I've published lists of alternatives in the past. This chart is designed to provide a quick overview and comparison of good sources of images for students' slideshows and other multimedia projects. You can download the chart through the Box.com widget below or grab a Google Docs copy here.
Actually may be more than I really wanted to know about Wikipedia. But it does remind me that I wanted to create/claim a few pages. When they look up “(it's a secret)” my face will be there looking back at them. Dovetails with my plan to have students write their own textbook.
Everything You Need To Know About Wikipedia And More
… Wikipedia is an online encyclopedia in which anybody can start a page, or edit one, on any subject. The page is then examined by an editor who decides whether or not the page stays.
For my students who are learning to program.
The new interim guidelines made available on Monday attempt to clarify when the office will grant patents on software ideas and when those patent applications will be denied for simply translating an abstract idea onto a computer.
For my students practicing their English.
Duolingo - The Most Downloaded Educational Android App of 2014
Last week Google revealed the most downloaded apps, games, movies, albums, and books of the year on Google Play. Duolingo was at the top of the education category for apps.
Duolingo is a free service designed to help students learn Spanish, English, French, Italian, Irish, Dutch, Danish, German, and Portuguese. The service can be used in your web browser, as an iOS app, and obviously as an Android app.
To learn a new language on Duolingo you read, listen to, and translate words and phrases. For example, if I want to learn Spanish I'll be shown Spanish words with translations. I can hear the words pronounced too. Then to practice I type and/or speak translations. The activities start out with simple words and phrases. As I become more proficient, Duolingo gives me more challenging phrases.