Thursday, December 04, 2014
Sony: perhaps it's worse than they know. It looks like Sony will be the model for “Big Data” security breaches for some time to come.
Kevin Roose reports:
Yesterday, I reported on a spreadsheet apparently taken from Sony Pictures Entertainment, one of the largest and most powerful studios in Hollywood, by a group of hackers calling themselves Guardians of Peace. The document, which listed the names, titles, and salaries of more than 6,000 Sony Pictures employees including senior executives (and may have revealed a gender pay discrepancy), appears to be part of an enormous data breach that hit the studio last week, forcing them to shutter computer systems, move employees to paper and pencils, and call in the FBI and private security researchers to investigate the hack.
Here are just a few of the revelations I found in the leaked archives – most in normal, unencrypted Excel and Word files, labeled as plain as day:
A spreadsheet listing the names, birth dates, and social security numbers of 3,803 Sony Pictures employees, including all of the company’s top executives. (Happy birthday, Wendy!)
A spreadsheet listing the division-by-division Sony Pictures payroll, as well as breaking down costs for raises and other pay changes. (The company’s total salaries, as of May, were listed at $454,224,070.)
A spreadsheet listing Sony Pictures employees who were fired or laid off in 2014 as part of the company’s reorganization, along with the reasons for their termination. Also on this spreadsheet: estimates of “TOTAL COST TO SEVER,” or the amount Sony Pictures calculated it had to pay to terminate each person’s employment, including severance pay, COBRA health benefits, and outplacement costs.
Read more on Fusion.
Today, the Hollywood Reporter reports:
Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal have released a memo to staff addressing a recent hack against the company. The memo, which was sent to all of Sony’s approximately 6,600 employees, is an apparent admission that information leaked online this week is accurate.
Acknowledging that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information,” Lynton and Pascal sent a message to the company’s employees reassuring them that “the privacy and security of our employees are of real concern to us” and offering them identity protection services.
Read more on Yahoo!
Once again, it seems, Sony is playing catch-up in communications. Given recent revelations by Brian Krebs and Kevin Roose, it needs to get its PR team in high gear to issue a press release that confirms what it already knows.
(Related) Another peek at the Sony data.
Unprecedented leak of Sony Pictures internal personal data
“After sifting through almost 40GB of leaked internal data, one thing is clear: Sony Pictures appears to have suffered the most embarrassing and all-encompassing hack of internal corporate data ever made public. The data dump, which was reviewed extensively by BuzzFeed News, includes employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence.
… And there is extensive documentation of the company’s operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives. The documents made public this weekend, covering the company’s human resources, sales, and marketing teams, among others, are just a fraction of approximately 100TB of data the hackers claim to have taken from Sony.
(Related) Are we finally getting facts? This is probably the malware. More testing required. Neither the article nor the very detailed blog post blames North Korea.
Researchers Analyze Data-Wiping Malware Used in Sony Attack
Researchers from Trend Micro say they have identified the piece of malware that appears to have been used in the recent cyberattack targeting the corporate network of Sony Pictures.
… Trend Micro detects the threat as BKDR_WIPALL. Researchers have determined that the attack starts with BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named "diskpartmg16.exe."
The threat uses an encrypted set of usernames and passwords to log into the targeted organization's shared network. The goal is to grant full access to everyone that accesses the system root, researchers explained in a blog post.
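Added example (mine, not from the SecurityWeek article or the Trend Micro post): a small Python check an incident responder could run over collected `net share <name>` output to find shares that expose the system root to Everyone with FULL control, which is the effect the excerpt describes. The field layout follows the per-share detail output of the Windows `net share` command; the sample text, the share names and the `C:\Windows` system root value are constructed, not taken from the analysis.

```python
"""Flag SMB shares that expose the Windows system root to Everyone with FULL control.

Added example, not code from the article or from Trend Micro. It parses the
per-share detail output of `net share <name>` (field layout taken from that
command; the sample below is constructed) and reports shares whose path is the
system root and whose permission grants Everyone FULL access.
"""
import re

# Constructed sample: two `net share <name>` detail blocks, as a responder
# might collect them from a host. Share names and paths are made up.
SAMPLE_NET_SHARE_OUTPUT = """\
Share name        shared$
Path              C:\\Windows
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, FULL

The command completed successfully.

Share name        Public
Path              C:\\Users\\Public
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ

The command completed successfully.
"""

SYSTEM_ROOT = r"C:\Windows"  # assumed %SystemRoot%; pass the host's real value

FIELD_RE = re.compile(r"^(Share name|Path|Permission)\s{2,}(.*)$")
# Assumed continuation format for additional principals: an indented
# "<principal>, <FULL|CHANGE|READ>" line following the Permission line.
CONTINUATION_RE = re.compile(r"^\s+([^,]+),\s*(FULL|CHANGE|READ)\s*$")


def parse_net_share(text):
    """Split `net share <name>` output into one dict per share."""
    shares = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Share name":
                if current:
                    shares.append(current)
                current = {"name": value, "path": "", "permissions": []}
            elif current is not None and key == "Path":
                current["path"] = value
            elif current is not None and key == "Permission":
                current["permissions"].append(value)
            continue
        c = CONTINUATION_RE.match(line)
        if c and current is not None and current["permissions"]:
            current["permissions"].append(f"{c.group(1).strip()}, {c.group(2)}")
    if current:
        shares.append(current)
    return shares


def exposes_system_root(share, system_root=SYSTEM_ROOT):
    """True if the share points at the system root and Everyone has FULL."""
    path = share["path"].rstrip("\\").lower()
    if path != system_root.rstrip("\\").lower():
        return False
    for entry in share["permissions"]:
        principal, _, level = entry.rpartition(",")
        if principal.strip().lower() == "everyone" and level.strip().upper() == "FULL":
            return True
    return False


def find_exposed_shares(text, system_root=SYSTEM_ROOT):
    """Names of shares that expose the system root to Everyone with FULL control."""
    return [s["name"] for s in parse_net_share(text) if exposes_system_root(s, system_root)]


if __name__ == "__main__":
    for name in find_exposed_shares(SAMPLE_NET_SHARE_OUTPUT):
        print(f"ALERT: share {name!r} exposes {SYSTEM_ROOT} to Everyone with FULL control")
```

On a live host you would feed it the output of `net share <name>` for each share listed by `net share`, substituting that host's actual `%SystemRoot%`.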
Interesting. I would expect the average customer to agree with the judge.
Missy Baxter reports:
In a much-anticipated court ruling, a Minnesota federal judge said Tuesday that Target Corp. had a duty to protect debit and credit card information from cyberthieves.
U.S. District Judge Paul Magnuson rejected Target’s attempt to dismiss claims filed by a group of financial institutions seeking damages related to the retailer’s data breach in late 2013, court documents said.
The judge ruled that the plaintiffs, which include the $282 million CSE Federal Credit Union of Lake Charles, La., have a plausible case for negligence because Target played a key role in allowing cyberthieves to hack into computer systems and obtain card data and possibly personal information of card holders, the documents said.
Magnuson agreed to allow three of four claims made by plaintiffs to move forward, but dismissed one count that claimed negligent misrepresentation by omission, which was related to Target’s security system, the documents said.
Read more on Credit Union Times.
An interesting collection of guesses? An easy article to write if you call your largest advertisers...
Cybersecurity Threats 2015: More Espionage, More Apple Malware
… Until now, Russia, China and the United States have dominated the cyberespionage scene, but their success will start to attract new players to the practice.
"We can expect some of the developing economies -- countries forecasted for high economic growth -- to engage in these activities to protect their growth status," Carl Leonard, a senior manager at Websense Security Labs, told TechNewsWorld.
… Russian cyberattacks on the West, as a form of retaliation for political actions taken against the Kremlin, will continue, forecast SentinelOne.
A lack of accountability within the Beijing regime will allow China's cyberespionage efforts to continue unabated, the firm also said.
… Pakistan may be in the forefront of a trend SentinelOne predicted for 2015: Attacks as a Service.
Instead of shopping here and there to gather the tools for an attack, SentinelOne explained, an attacker will be able to go to a website, choose malware, choose what to steal -- banking credentials, healthcare records, credit card numbers and such -- request a number of infections, and pay for the package.
While most cyberespionage has been directed at computer systems, cyberspies increasingly will target mobile devices, predicted Michael Shaulov, CEO of Lacoon Mobile Security.
… The Internet of Things also will become an attack surface in 2015.
Printers, smart TVs, appliances, wearable computers -- a whole host of cloud connected devices will be a new source of cyberthreats in the coming year, predicted Willy Leichter, global director of cloud security for CipherCloud.
Interesting to see their calculation of the probability of war.
Slovakia Warns of Danger of Wider Ukraine Conflict
Slovakia’s prime minister Tuesday said that clashes between Ukrainian government forces and pro-Russian separatists may still expand into a broader war involving other nations and that Europe should push forcefully for peace talks.
“There’s a 70% probability of a military conflict in Ukraine and not only there,” Robert Fico told an economic conference in the Slovak capital.
How poorly must you manage a program to attract FBI attention?
LA School District's $1.3B iPad Contract Goes Up In Smoke Following FBI Raid
The ambitious, deeply troubled effort by the Los Angeles, Calif. school district to provide every student with an iPad ended this week with FBI agents seizing documents under a federal subpoena. Federal officials are investigating questions regarding the $1.3 billion contract. Ramon C. Cortines, the superintendent for L.A. schools, put an end to the contract yesterday citing controversy surrounding the failed plan. Agents reportedly removed about 20 boxes of documents during the raid.
… The review’s findings suggested that the deployment of the iPads focused on delivering the tablets to classrooms, with not enough resources being dedicated to providing teachers with training. The report also suggested that some teachers were unhappy with the curriculum.
Genius! This App alone could sell millions of iPhones!
Avoid the coffee line: First look at Starbucks’ order-ahead mobile feature
Starbucks launched a major new initiative today, allowing people to place orders from their iPhone for pick-up at a nearby store.
… For now, the pilot program is running only in 152 Starbucks cafes in Portland...
… Starbucks will continue rolling out the service to more cities in 2015, with the aim of being nationwide by the end of the year.
Free seems to be the way to go.
Nature makes all articles free to view
News release: “All research papers from Nature will be made free to read in a proprietary screen-view format that can be annotated but not copied, printed or downloaded, the journal’s publisher Macmillan announced on 2 December. The content-sharing policy, which also applies to 48 other journals in Macmillan’s Nature Publishing Group (NPG) division, including Nature Genetics, Nature Medicine and Nature Physics, marks an attempt to let scientists freely read and share articles while preserving NPG’s primary source of income — the subscription fees libraries and individuals pay to gain access to articles. ReadCube, a software platform similar to Apple’s iTunes, will be used to host and display read-only versions of the articles’ PDFs. If the initiative becomes popular, it may also boost the prospects of the ReadCube platform, in which Macmillan has a majority investment. Annette Thomas, chief executive of Macmillan Science and Education, says that under the policy, subscribers can share any paper they have access to through a link to a read-only version of the paper’s PDF that can be viewed through a web browser. For institutional subscribers, that means every paper dating back to the journal’s foundation in 1869, while personal subscribers get access from 1997 on. Anyone can subsequently repost and share this link. Around 100 media outlets and blogs will also be able to share links to read-only PDFs. Although the screen-view PDF cannot be printed, it can be annotated — which the publisher says will provide a way for scientists to collaborate by sharing their comments on manuscripts. PDF articles can also be saved to a free desktop version of ReadCube, similarly to how music files can be saved in iTunes.”
It might be fun to tell my students they can't use PowerPoint, but I want slides! This is for younger students.
Many Ways to Create and Share Digital Stories
Earlier today I read Alan Levine's blog post Always Be Attributing. In that post he referenced a resource that anyone with an interest in digital storytelling should bookmark. 50 Web Ways to Tell a Story is a wiki of tools for creating digital stories. On the wiki you will find pages of tools arranged by output type (slides, audio, collage, video) and a page of tools that offer features for teachers (student account management).
Applications for Education
50 Web Ways to Tell a Story is more than just a list of tools. The wiki includes a page about developing story ideas. The Story Ideas page offers excellent story starter suggestions that can be used in almost any classroom setting.