Thursday, April 23, 2015

Stonewalling is not a security technique. It does suggest that the problem is greater than we know. When this occurred, I suggested that the information the hacker obtained could help someone place agents in secure positions. Is that what they are hiding?
Elise Viebeck reports:
The number of individuals victimized in a cyberattack on a major background investigation service is higher than previously reported, the House Oversight Committee’s top Democrat said Wednesday.
Rep. Elijah Cummings (D-Md.) reported that the initial estimate of 27,000 federal employees compromised in the breach of government contractor USIS is now believed to be a “floor, not a ceiling.”
Read more on The Hill.
Why are companies still allowed to get away with not being more transparent?
“Unfortunately, investigating the USIS data breach has been particularly challenging because neither USIS nor its parent company, Altegrity, have fully complied with this committee’s requests for answers,” Cummings said.

I agree. Now, how do we educate judges (because clearly the plaintiff’s lawyers didn't)?
Giora Engel of LightCyber writes:
The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.
Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.
In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.
Read more on Dark Reading.

For my IT students. Do you know what software you use? All of it?
Compliance and Server 2003
For many organizations, compliance might be the most compelling reason to move from Windows Server 2003 to Windows Server 2012 R2.
In a nutshell, depending on the jurisdiction that your organization falls under, there is likely to be one or more bits of legislation that dictate that you must be running a supported operating system on certain systems. Depending on the legislation, it could be just computers that host financial data, or in some jurisdictions it could be every computer that is used in the process of conducting business.
The key is that the wording of the legislation usually says that the OS or the application needs to be supported. This is why the name End of Extended Support is quite important. It’s not just a technical term, it has legal meaning.

Social media as an asset of the company.
Martha Neil reports:
Jeremy Alcede personally maintained the Facebook and Twitter accounts for his former Texas gun store and shooting range.
He thought of them as his own, and didn’t hesitate to inject his political views as he publicized Tactical Firearms in Katy.
But a federal bankruptcy judge disagreed, and ordered Alcede to turn over the passwords to the new operator of the gun store, finding the social media accounts to be business assets even though Alcede has removed the Tactical Firearms moniker and substituted his own, according to the Houston Chronicle.
Read more on ABA Journal.

For my Ethical Hacking students.
Apple iOS 8 Has Serious Bug, Makes Public WiFi Dangerous
iOS 8 has had a tough time. Despite Apple’s relentless release schedule that has seen no less than 8 updates in just 6 months, concerns over major bugs has resulted in the slowest adoption rate in iOS history. And now here’s another big one…
As reported by The Register, professional hackers at SkyCure have unearthed a major WiFi vulnerability in iOS 8 which makes iPads, iPhones and iPod touches crash repeatedly and there’s almost nothing you can do about it.
The Science
Dubbed ‘No iOS Zone’ it allows a malicious WiFi hotspot to launch a DDoS (Distributed Denial-of-Service) attack which renders devices unusable. It works by exploiting a flaw in the SSL security certificate of iOS 8 which leaves the device wide open:
“This is not a denial-of-service where you can’t use your Wi-Fi – this is a denial-of-service so you can’t use your device even in offline mode,” explained SkyCure CEO Adi Sharabani in an address to the RSA security conference in San Francisco.

Beyond Oops! (The name of my next blog?)
Marisa Kendall reports:
In a suit filed Monday against Intuit Inc., plaintiffs lawyers claim lax security protections in the company’s TurboTax software are to blame for a recent spike in fraudulent tax returns.
Intuit didn’t take adequate steps to stop criminals from using TurboTax to steal customers’ personal information, file false returns on their behalf and cash in their refunds, according to the complaint. The suit, filed less than a week after this year’s tax filing deadline, comes after an uptick in fraudulent state returns briefly shut down TurboTax’s service and reportedly prompted an FBI investigation.
Read more on The Recorder.
With two former employees filing whistleblower statements with the SEC, Intuit may have its work cut out for it defending against this suit. Although it may be difficult to prove that Intuit was the cause of the tax refund fraud the two named plaintiffs experienced, I think there’s enough alleged to make any motion to dismiss for lack of standing a real uphill battle – particularly when there have been so many cases of tax refund fraud that states have linked to Intuit.

(Related) I wanted to know about those whistle blowers...
TurboTax’s Anti-Fraud Efforts Under Scrutiny
Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
… “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
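As an added illustration (not Intuit's code or the article's own), here are the two controls Lee describes, written as a batch check over constructed filing records; the thresholds, field names and sample data are assumptions:

```python
from collections import defaultdict

# Constructed sample filings: (account_id, ssn, return_id). Not real data.
SAMPLE_FILINGS = [
    ("acct-1", "SSN-A", "r1"),   # SSN-A is reused across four accounts
    ("acct-2", "SSN-A", "r2"),
    ("acct-3", "SSN-A", "r3"),
    ("acct-4", "SSN-A", "r4"),
    ("acct-5", "SSN-B", "r5"),   # ordinary account, one return
    ("acct-6", "SSN-C", "r6"),   # acct-6 files six returns for six SSNs
    ("acct-6", "SSN-D", "r7"),
    ("acct-6", "SSN-E", "r8"),
    ("acct-6", "SSN-F", "r9"),
    ("acct-6", "SSN-G", "r10"),
    ("acct-6", "SSN-H", "r11"),
]


def flag_abusive_accounts(filings, max_accounts_per_ssn=3, max_returns_per_account=5):
    """Return {account_id: [reasons]} for accounts breaching either policy.

    Thresholds are assumed values; the article only says "a certain number"
    and "a small number".
    """
    accounts_by_ssn = defaultdict(set)
    returns_by_account = defaultdict(set)
    for account, ssn, return_id in filings:
        accounts_by_ssn[ssn].add(account)
        returns_by_account[account].add(return_id)

    flagged = defaultdict(list)
    # Policy 1: one SSN appearing in more than N distinct accounts taints all of them.
    for ssn, accounts in accounts_by_ssn.items():
        if len(accounts) > max_accounts_per_ssn:
            for account in sorted(accounts):
                flagged[account].append(f"ssn_reuse:{ssn}:{len(accounts)}")
    # Policy 2: one account filing more than a small number of returns.
    for account, returns in returns_by_account.items():
        if len(returns) > max_returns_per_account:
            flagged[account].append(f"too_many_returns:{len(returns)}")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in sorted(flag_abusive_accounts(SAMPLE_FILINGS).items()):
        print(account, reasons)
```

Running the check on the sample flags acct-1 through acct-4 for SSN reuse and acct-6 for filing volume, while acct-5 passes both policies.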

I think this was inevitable. Still, only someone with real Internet clout (Google, Apple, Facebook) could start the ball rolling.
Google Is About to Make Your Wireless Carrier a Lot Less Relevant
Google’s new wireless phone service, Project Fi, offers a long list of modern day perks. It automatically moves phones between traditional cellular networks and the WiFi wireless networks inside homes and businesses. Once on WiFi, you can still make calls and send texts. And you can pay for all this in small, flat, monthly fees—avoiding the sort of inflated, strings-attached pricing that so often accompanies our cell services.
… “The unique thing is that you’re no longer tied to a network. You can go from a Sprint tower to a T-Mobile tower and back to a Sprint tower. That’s groundbreaking.
… At the moment, Google’s service is only available on the Nexus 6, the company’s flagship Android phone. But it points to a new world where the big wireless carriers—Sprint, T-Mobile, Verizon, AT&T, and the rest—are pushed even further into the background of our daily lives.

(Related) Convergence: Your phone and one of the most intrusive surveillance systems on the planet.
Facebook’s quest to conquer your phone continues with Hello, a new dialer app that replaces the one that comes natively installed on your Android phone.
… But the new Facebook dialer app introduces something you won’t get from any other: Even if you don’t have a number saved on your phone, Facebook can go look at its databases and see if its got a number match. If it does, it’ll tell you who is calling and show you their photo, even if you’re not friends. It also makes blocking numbers as easy as a tap.

For my Data Management students.
This Free Tool Can Determine Your Most Valuable Followers on Instagram and Twitter
Brands that focus exclusively on amassing huge social followings may be overlooking the intrinsic value of their existing audiences, according to social media analytics firm SocialRank.
The company, which launched early last year, began as a free web app for Twitter, enabling users to determine their “most valuable” followers (the accounts with the most reach and importance); their “most engaged” followers (based on retweets, favorites and mentions); their “best” followers (a mix of reach and engagement); and their most followed followers.
A brainchild of entrepreneurs Alexander Taub and Michael Schonfeld, SocialRank also allows users to filter their Twitter followings based on keyword, location, interests, activity and verification.
Now, the company is launching a comparable tool for Instagram. Available today for free, the product lets users sort their followers based on engagement, bio keywords, location, follower count and even hashtag use, according to SocialRank.

Something to amuse my geeky students.
Lawmakers ask programmers: Hack for Congress
Sen. John Thune (R-S.D.), Rep. Jared Polis (D-Colo.) and other congressional offices have submitted challenges to an upcoming “hackathon” encouraging talented programmers to put their talents to good use.
… Thune, for instance, would love to see someone come up with a better way to share photos, charts and slides with the world during a congressional hearing. While members can easily pass out printed copies of those materials to hand out to reporters at a hearing, it can be difficult to quickly distribute them digitally.
… Polis, meanwhile, wanted to see an online approval system to streamline the process of co-sponsoring a bill. He also challenged computer wizards to come up with a way to more easily build a list to distribute information to people depending on which issues they are interested in, such as the environment.

An interesting question. The majority of my IT students are female. The majority of my Computer Science and Computer Security students are male.
When Women Code
Code builds things: websites, games, this story you're reading. But what code hasn't built, as the tech industry proves again and again, is gender parity among the coders themselves.
That's the central issue in CODE: Debugging the Gender Gap, a documentary that premiered this week at the Tribeca Film Festival. The film dives into why deep-seated cultural stereotypes have permeated an industry that's supposed to think different, to move fast and break things.
[Also see the resources listed at:

Perspective. Yes, I remember the days (nights really) when all we had were shadow puppets. (Good collection of viral videos)
YouTube is 10 years old today, let’s celebrate by… watching some videos
… In celebration of the billions of hours the world has wasted on YouTube in the past 10 years, here are some of‘s favourite viral vids.
