Wednesday, January 07, 2015

How would you determine that hackers claiming to be ISIS maniacs are really teenagers playing at hacking?
I can’t remember whether I’ve ever seen parents keep their children home from school as a result of a school web site defacement, but that’s what happened in Yorkshire when the defacement suggested an Islamist group.
Kenny Toal reports:
A local authority has advised all public bodies and organisations to make sure their security software is up to scratch after hackers, claiming to be from an Islamist group, targeted a primary school website.
Some parents at Sowerby Community Primary, in Thirsk, kept their children off school today after the security breach last night.
But police say while they are investigating there is no threat to the school or its pupils. [A bit too far to the “no worries” side. Bob]
Read more on ITV.

For my Ethical Hackers (and my friends in the banking world)
Thieves Jackpot ATMs With ‘Black Box’ Attack
Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.
At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.
… If you liked this story, check out my ongoing series about ATM skimmers.

For my Ethical Hackers. Could work like a “Stingray for Wifi”...
Wi-Fi Password Phishing Attacks Automated With New Tool
Wifiphisher attacks work in three stages. In the first stage, victims are deauthenticated from their access point with the aid of deauthentication packets sent to the broadcast address, from the client to the access point, and from the access point to the client.
In the second phase, the victim access point’s settings are copied and a rogue access point is set up. Because the legitimate access point is jammed, clients will connect to the rogue access point. In this stage, the tool also sets up a NAT/DHCP server and forwards the right ports, the developer explained.
In the final phase, a man-in-the-middle (MitM) attack is launched by using a minimal Web server that responds to HTTP and HTTPS requests, and victims are presented with a fake router configuration page when they try to access a website. This configuration page informs users that a firmware update is available for the device and instructs them to enter their WPA password.
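The first two stages described above leave a signature a wireless monitor can look for: a burst of deauthentication frames to the broadcast address, followed by beacons for a known SSID from a BSSID that is not the real one. The following detector is an added example, not part of the article or the Wifiphisher project; it runs over constructed frame records (an assumed parsed form, not a real capture) and an assumed AP inventory.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumed inventory of legitimate access points: SSID -> BSSID (constructed)
KNOWN_APS = {"HomeNet": "aa:bb:cc:dd:ee:01"}

# Constructed records of parsed 802.11 management frames (not a real capture):
# (timestamp_s, frame_type, source_mac, dest_mac, ssid)
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:dd:ee:01", BROADCAST, "HomeNet"),
    # stage 1: burst of deauth frames to the broadcast address, source spoofed as the AP
    (1.0, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    (1.1, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    (1.2, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    (1.3, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    (1.4, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    (1.5, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, None),
    # stage 2: a rogue AP beaconing the copied SSID from an unknown BSSID
    (3.0, "beacon", "de:ad:be:ef:00:01", BROADCAST, "HomeNet"),
    # an isolated deauth (a client legitimately leaving) must not trip the burst rule
    (5.0, "deauth", "11:22:33:44:55:66", BROADCAST, None),
]

def deauth_bursts(frames, window_s=2.0, threshold=5):
    """Return {source_mac: peak_count} for sources that sent at least `threshold`
    broadcast deauth frames inside any sliding window of `window_s` seconds."""
    by_src = defaultdict(list)
    for ts, ftype, src, dst, _ in frames:
        if ftype == "deauth" and dst == BROADCAST:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

def evil_twins(frames, known_aps):
    """Return {ssid: {bssid, ...}} for beacons that advertise an inventoried SSID
    from a BSSID other than the one on record (the cloned-AP signature)."""
    twins = defaultdict(set)
    for _, ftype, src, _, ssid in frames:
        if ftype == "beacon" and ssid in known_aps and src != known_aps[ssid]:
            twins[ssid].add(src)
    return dict(twins)
```

Because the deauth source is spoofed as the real AP, the burst rule reports the legitimate BSSID; the alert is about the pattern, not about that device misbehaving.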

Why does the education community fail to understand parental concerns? Do they view the entire world as children? reports:
Concern is being expressed about a new Primary Online Database being established by the Department of Education.
Under the plan, all children’s PPS numbers along with details of their religion and ethnic backgrounds will be included on the database, which the Department said will be used to develop education policy into the future.
[From the article:
… Parents of all primary school children are being sent letters outlining how the new POD will work and what information will be stored, the letter states that the information will be kept until the child reaches the age of 30.
… "They themselves say they will be sharing the data with the Department of Social Protection and other agencies," McGarr said.
… The Department of Education's website says the scheme "has been thoroughly piloted with a selection of schools" [So they are already doing this? Bob] and "extensively discussed with the education partners and management bodies." [But not parents. Bob]
… The Department also reports that only information on ethnic and religious background requires the consent of a parent or guardian.
"All other information… was deemed by the Data Protection Commissioner as nonsensitive personal data and therefore does not require written permission from parents for transfer of the information to the Department," the letter to parents says.

Why, exactly? An infographic.
These 50 Apps Will Track Everything. And We Mean Everything
When we say these apps let you track anything, we’re not kidding. If you can think of it, your phone can track it.
One of the coolest (and creepiest) uses of a device that’s always connected is the ability to keep track of things. We can track our sleep, movement, money, and so much more thanks to these incredibly powerful devices that are at our sides 24 hours a day, seven days a week.
Of course, in order to take advantage of all of this tracking, you’ll need the right apps. Here are 50 apps that track everything you could ever imagine.

Why? Does James Bond need sensors disguised as buttons on his tux? Does everyone need a wear-it-on-your-wrist selfie-taking-camera?
Intel CEO shows off wrist-worn drone, pledges to employ more women
Chief Executive Brian Krzanich demonstrated a tiny computer built into the button of his jacket and a wristband that was capable of transforming into a flying camera at the 2015 Consumer Electronics Show in Las Vegas on Tuesday.
Intel, known more for its computer chips, is attempting to expand into the area of smart gadgets that you can wear. Krzanich said during his keynote that Intel was pushing to create computerized apparel and other gadgets equipped with sensors, an area that Intel hopes is rife with growth as the demand for smartphones and tablets begins to taper off, according to a Reuters report.
… The drone on his wrist is called Nixie, and it can be launched into the air equipped with a camera and is capable of navigating around obstacles.

(Related) Better late than never I suppose. Note that Ramirez never suggested that the FTC would do anything.
Top regulator fears 'smart-home hacking'
The head of the Federal Trade Commission (FTC) raised alarms on Tuesday about the potential hazards to people’s privacy that come with the rise of connected bracelets, cars and other devices.
The billions of “smart” devices on the so-called “Internet of Things” pose serious threats to personal privacy, Chairwoman Edith Ramirez said at the Consumer Electronics Show in Las Vegas, even while they may help with daily tasks or improve people’s health.
… To counter the concerns, Ramirez told companies to “build security into their devices from the very outset.”
Device developers should also limit the data they collect to that which is necessary for a specific purpose and then get rid of it when it is no longer needed, she suggested, and make sure that users are fully aware of what it collected and why.

A Big Data tool. Any change should be investigated and explained. (That's my inner auditor speaking.)
Twitter Releases Anomaly Detection Tool
AnomalyDetection is a package for R, the free software environment for statistical computing and graphics. Twitter has been using the tool to detect anomalies such as spikes caused by user engagement on the social media platform during breaking news, major sporting events and holidays.
From a security standpoint, AnomalyDetection can be utilized to detect activities associated with bots and spam, which may cause anomalies in the number of followers and favorites. Anomalies can also be detected in system metrics after the release of new software, Twitter said.
“An anomaly can be positive or negative. An example of a positive anomaly is a point-in-time increase in number of Tweets during the Super Bowl. An example of a negative anomaly is a point-in-time decrease in QPS (queries per second). Robust detection of positive anomalies serves a key role in efficient capacity planning. Detection of negative anomalies helps discover potential hardware and data collection issues,” Twitter software engineer Arun Kejariwal explained in a blog post.
The social media giant has released AnomalyDetection as open source to give the community the chance to contribute to improving the tool. The R package is available on GitHub.
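To make the positive/negative distinction concrete, here is an added example (not Twitter's R package or its algorithm): a deliberately simple detector that subtracts a seasonal median baseline and scores residuals against the median absolute deviation, so a point well above the baseline is reported as positive and one well below as negative. The hourly QPS series is constructed, with one spike and one drop injected.

```python
import statistics

PERIOD = 24  # samples per daily cycle (hourly QPS)

def constructed_series():
    """Three days of synthetic hourly QPS: a fixed daily shape, small
    deterministic jitter, plus one injected spike and one injected drop."""
    series = [100 + (h * 7) % 23 + ((5 * d + 3 * h) % 7) - 3
              for d in range(3) for h in range(PERIOD)]
    series[2 * PERIOD + 10] += 90   # positive anomaly (a Super Bowl-style surge)
    series[2 * PERIOD + 20] -= 60   # negative anomaly (a QPS drop after a bad release)
    return series

def detect_anomalies(series, period, threshold=3.0):
    """Seasonal-median baseline with MAD-scaled residuals.
    Returns [(index, value, 'positive'|'negative'), ...] for points whose
    robust score exceeds `threshold` in either direction."""
    # baseline for each phase of the cycle: the median across all cycles,
    # which a single anomalous day cannot drag very far
    baseline = [statistics.median(series[p::period]) for p in range(period)]
    residuals = [v - baseline[i % period] for i, v in enumerate(series)]
    mad = statistics.median(abs(r) for r in residuals)
    # 1.4826 * MAD estimates the standard deviation for normal data;
    # the floor keeps a perfectly regular series from dividing by zero
    scale = 1.4826 * mad if mad > 0 else 1.0
    found = []
    for i, r in enumerate(residuals):
        score = r / scale
        if score > threshold:
            found.append((i, series[i], "positive"))
        elif score < -threshold:
            found.append((i, series[i], "negative"))
    return found

if __name__ == "__main__":
    for idx, value, kind in detect_anomalies(constructed_series(), PERIOD):
        print(f"hour {idx}: value {value} is a {kind} anomaly")
```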

Dang copyright! Not the diagnostic codes but the parts! Don't you need the part information to order the proper replacements?
Ford Tries to Shut Down Independent Repair Tool with Copyright
EFF – “…The Ford Motor Company…recently sued Autel, a manufacturer of third-party diagnostics for automobiles, for creating a diagnostic tool that includes a list of Ford car parts and their specifications. Ford claims that it owns a copyright on this list of parts, the “FFData file,” and thus can keep competitors from including it in their diagnostic tools. It also claims that Autel violated the anti-circumvention provisions of the Digital Millennium Copyright Act by writing a program to defeat the “encryption technology and obfuscation” that Ford used to make the file difficult to read. We’re pretty skeptical of Ford’s claims. Mere facts and data cannot be copyrighted, but sometimes a “compilation” of data can be—if the selection and arrangement are sufficiently creative. It seems unlikely that Ford broke new creative ground when deciding which parts to include in the database and the order in which they would appear. Ford does allege that it included fictitious part descriptions in the database, but that’s probably not enough to pass muster. After all, similar fictions were included in the phonebook that the Supreme Court found to lack originality in the leading case defining the limits of copyrightability for compilations, Feist v. Rural. In Feist, the Supreme Court explained that compiling the names, towns, and phone numbers of all of a company’s telephone subscribers in alphabetical order was not sufficiently original for the compilation to be copyrighted. It explained that alphabetical ordering was “commonplace,” and that the “selection” of all current subscribers and basic information about them was not a creative decision. Without seeing the FFData compilation, we can’t be sure whether or not it is creative enough for copyright coverage. Of course, even if we had a copy of the file, under Ford’s theory we couldn’t look at it without running afoul of the DMCA. And that points to a deeper problem.
When the Supreme Court recognized the copyrightability of creative data compilations, it noted that people are free to copy the facts out of such a work as long as they don’t copy the creative elements of selection and arrangement. But because the DMCA restricts access to a work in the first place, this important limitation on copyright’s scope does not apply in circumvention cases, according to most courts’ interpretation of the DMCA. If a data compilation is copyrightable, then people are not free to extract non-copyrightable facts from the work, look at the work to figure out whether it is copyrightable, or access the work for other legitimate purposes such as news reporting, scholarship, and remix.”

For my gamer students.
Play Thousands Of MS-DOS Games For Free
You can now play thousands of classic (and not-so-classic) MS-DOS games online and directly in your Web browser for free. This is thanks to the latest release from the Internet Archive, which has compiled the collection and made them available to play within the DOSBox emulator running on a virtual machine.
This is the latest addition to the Internet Archive, which already contains hundreds of classic video games offered through the Internet Arcade. Look out for a longer article exploring the MS-DOS collection later this week.
