Stonewalling is not a security technique. It does suggest that the problem is greater than we know. When this occurred, I suggested that the information the hacker obtained could help someone place agents in secure positions. Is that what they are hiding?
Elise Viebeck reports:
The number of individuals victimized in a cyberattack on a major background investigation service is higher than previously reported, the House Oversight Committee’s top Democrat said Wednesday.
Rep. Elijah Cummings (D-Md.) reported that the initial estimate of 27,000 federal employees compromised in the breach of government contractor USIS is now believed to be a “floor, not a ceiling.”
Read more on The Hill.
Why are companies still allowed to get away with not being more transparent?
“Unfortunately, investigating the USIS data breach has been particularly challenging because neither USIS nor its parent company, Altegrity, have fully complied with this committee’s requests for answers,” Cummings said.
I agree. Now, how do we educate judges (because clearly the plaintiff’s lawyers didn’t)?
Giora Engel of LightCyber writes:
The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.
Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.
In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.
Read more on Dark Reading.
For my IT students. Do you know what software you use? All of it?
Compliance and Server 2003
For many organizations, compliance might be the most compelling reason to move from Windows Server 2003 to Windows Server 2012 R2.
In a nutshell, depending on the jurisdiction that your organization falls under, there is likely to be one or more bits of legislation that dictate that you must be running a supported operating system on certain systems. Depending on the legislation, it could be just computers that host financial data, or in some jurisdictions it could be every computer that is used in the process of conducting business.
The key is that the wording of the legislation usually says that the OS or the application needs to be supported. This is why the name End of Extended Support is quite important. It’s not just a technical term, it has legal meaning.
Social media as an asset of the company.
Martha Neil reports:
Jeremy Alcede personally maintained the Facebook and Twitter accounts for his former Texas gun store and shooting range.
He thought of them as his own, and didn’t hesitate to inject his political views as he publicized Tactical Firearms in Katy.
But a federal bankruptcy judge disagreed, and ordered Alcede to turn over the passwords to the new operator of the gun store, finding the social media accounts to be business assets even though Alcede has removed the Tactical Firearms moniker and substituted his own, according to the Houston Chronicle.
Read more on ABA Journal.
For my Ethical Hacking students.
Apple iOS 8 Has Serious Bug, Makes Public WiFi Dangerous
iOS 8 has had a tough time. Despite Apple’s relentless release schedule that has seen no less than 8 updates in just 6 months, concerns over major bugs has resulted in the slowest adoption rate in iOS history. And now here’s another big one…
As reported by The Register, professional hackers at SkyCure have unearthed a major WiFi vulnerability in iOS 8 which makes iPads, iPhones and iPod touches crash repeatedly and there’s almost nothing you can do about it.
The Science
Dubbed ‘No iOS Zone’ it allows a malicious WiFi hotspot to launch a DDoS (Distributed Denial-of-Service) attack which renders devices unusable. It works by exploiting a flaw in the SSL security certificate of iOS 8 which leaves the device wide open:
“This is not a denial-of-service where you can’t use your Wi-Fi – this is a denial-of-service so you can’t use your device even in offline mode,” explained SkyCure CEO Adi Sharabani in an address to the RSA security conference in San Francisco.
Beyond Oops! (The name of my next blog?)
Marisa Kendall reports:
In a suit filed Monday against Intuit Inc., plaintiffs lawyers claim lax security protections in the company’s TurboTax software are to blame for a recent spike in fraudulent tax returns.
Intuit didn’t take adequate steps to stop criminals from using TurboTax to steal customers’ personal information, file false returns on their behalf and cash in their refunds, according to the complaint. The suit, filed less than a week after this year’s tax filing deadline, comes after an uptick in fraudulent state returns briefly shut down TurboTax’s service and reportedly prompted an FBI investigation.
Read more on The Recorder.
With two former employees filing whistleblower statements with the SEC, Intuit may have its work cut out for it defending against this suit. Although it may be difficult to prove that Intuit was the cause of the tax refund fraud the two named plaintiffs experienced, I think there’s enough alleged to make any motion to dismiss for lack of standing a real uphill battle – particularly when there have been so many cases of tax refund fraud that states have linked to Intuit.
(Related) I wanted to know about those whistleblowers...
TurboTax’s Anti-Fraud Efforts Under Scrutiny
… Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
… “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
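The two policies Lee describes (capping how many accounts may file the same Social Security number, and how many returns one account may file) are plain velocity checks. The following is an added example, not Intuit's or the article's code, run over a constructed batch of filings; the thresholds, the account IDs and the `ssn_token` helper are assumptions made for the example:

```python
from collections import defaultdict
from hashlib import sha256

# Thresholds are assumptions for this example, not Intuit policy values.
MAX_ACCOUNTS_PER_SSN = 2     # a family may legitimately file one SSN from two accounts
MAX_RETURNS_PER_ACCOUNT = 5  # a household account files a handful of returns at most


def ssn_token(ssn: str) -> str:
    """Non-reversible token so the raw SSN never lands in a fraud log.
    Production would use a keyed hash (HMAC); plain SHA-256 keeps the example secret-free."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return sha256(digits.encode()).hexdigest()[:12]


def velocity_flags(filings: list[tuple[str, str]]) -> dict[str, list[str]]:
    """filings: one (account_id, ssn) pair per submitted return.
    Returns {account_id: [reasons]} for accounts that trip either check."""
    accounts_per_ssn: dict[str, set[str]] = defaultdict(set)
    returns_per_account: dict[str, int] = defaultdict(int)
    for account, ssn in filings:
        accounts_per_ssn[ssn_token(ssn)].add(account)
        returns_per_account[account] += 1

    flags: dict[str, list[str]] = defaultdict(list)
    # Check 1: the same SSN filed from too many distinct accounts.
    for token, accounts in accounts_per_ssn.items():
        if len(accounts) > MAX_ACCOUNTS_PER_SSN:
            for account in sorted(accounts):
                flags[account].append(f"ssn {token} reused across {len(accounts)} accounts")
    # Check 2: one account filing an implausible number of returns.
    for account, n in returns_per_account.items():
        if n > MAX_RETURNS_PER_ACCOUNT:
            flags[account].append(f"account filed {n} returns")
    return dict(flags)


# Constructed sample: acct-1 is an ordinary household; acct-7/8/9 all file the
# same SSN (one stolen identity tried from several accounts); acct-42 bulk-files
# returns for seven different SSNs.
SAMPLE = (
    [("acct-1", "123-45-6789"), ("acct-1", "987-65-4321")]
    + [(f"acct-{i}", "111-22-3333") for i in (7, 8, 9)]
    + [("acct-42", f"222-33-{i:04d}") for i in range(7)]
)

if __name__ == "__main__":
    for account, reasons in sorted(velocity_flags(SAMPLE).items()):
        print(account, reasons)
```

Neither check needs a fraud model; both are per-SSN and per-account counters that can run before a return is accepted.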
I think this was inevitable. Still, only someone with real Internet clout (Google, Apple, Facebook) could start the ball rolling.
Google Is About to Make Your Wireless Carrier a Lot Less Relevant
Google’s new wireless phone service, Project Fi, offers a long list of modern day perks. It automatically moves phones between traditional cellular networks and the WiFi wireless networks inside homes and businesses. Once on WiFi, you can still make calls and send texts. And you can pay for all this in small, flat, monthly fees—avoiding the sort of inflated, strings-attached pricing that so often accompanies our cell services.
… “The unique thing is that you’re no longer tied to a network. You can go from a Sprint tower to a T-Mobile tower and back to a Sprint tower. That’s groundbreaking.”
… At the moment, Google’s service is only available on the Nexus 6, the company’s flagship Android phone. But it points to a new world where the big wireless carriers—Sprint, T-Mobile, Verizon, AT&T, and the rest—are pushed even further into the background of our daily lives.
(Related) Convergence: Your phone and one of the most intrusive surveillance systems on the planet.
Facebook’s quest to conquer your phone continues with Hello, a new dialer app that replaces the one that comes natively installed on your Android phone.
… But the new Facebook dialer app introduces something you won’t get from any other: Even if you don’t have a number saved on your phone, Facebook can go look at its databases and see if it’s got a number match. If it does, it’ll tell you who is calling and show you their photo, even if you’re not friends. It also makes blocking numbers as easy as a tap.
For my Data Management students.
This Free Tool Can Determine Your Most Valuable Followers on Instagram and Twitter
Brands that focus exclusively on amassing huge social followings may be overlooking the intrinsic value of their existing audiences, according to social media analytics firm SocialRank.
The company, which launched early last year, began as a free web app for Twitter, enabling users to determine their “most valuable” followers (the accounts with the most reach and importance); their “most engaged” followers (based on retweets, favorites and mentions); their “best” followers (a mix of reach and engagement); and their most followed followers.
A brainchild of entrepreneurs Alexander Taub and Michael Schonfeld, SocialRank also allows users to filter their Twitter followings based on keyword, location, interests, activity and verification.
Now, the company is launching a comparable tool for Instagram. Available today for free, the product lets users sort their followers based on engagement, bio keywords, location, follower count and even hashtag use, according to SocialRank.
Something to amuse my geeky students.
Lawmakers ask programmers: Hack for Congress
Sen. John Thune (R-S.D.), Rep. Jared Polis (D-Colo.) and other congressional offices have submitted challenges to an upcoming “hackathon” encouraging talented programmers to put their talents to good use.
… Thune, for instance, would love to see someone come up with a better way to share photos, charts and slides with the world during a congressional hearing. While members can easily pass out printed copies of those materials to hand out to reporters at a hearing, it can be difficult to quickly distribute them digitally.
… Polis, meanwhile, wanted to see an online approval system to streamline the process of co-sponsoring a bill. He also challenged computer wizards to come up with a way to more easily build a list to distribute information to people depending on which issues they are interested in, such as the environment.
An interesting question. The majority of my IT students are female. The majority of my Computer Science and Computer Security students are male.
When Women Code
Code builds things: websites, games, this story you're reading. But what code hasn't built, as the tech industry proves again and again, is gender parity among the coders themselves.
That's the central issue in CODE: Debugging the Gender Gap, a documentary that premiered this week at the Tribeca Film Festival. The film dives into why deep-seated cultural stereotypes have permeated an industry that's supposed to think different, to move fast and break things.
[Also see the resources listed at: http://shescoding.org/ ]
Perspective. Yes, I remember the days (nights really) when all we had were shadow puppets. (Good collection of viral videos)
YouTube is 10 years old today, let’s celebrate by… watching some videos
… In celebration of the billions of hours the world has wasted on YouTube in the past 10 years, here are some of Metro.co.uk‘s favourite viral vids.