Wednesday, May 06, 2015

For my Ethical Hacking students. Another “Thing” that probably should not be connected to the Internet of Things.
Serious Security Flaws Found in Hospira LifeCare Drug Pumps
Researchers have identified several critical vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems, which can be exploited by a remote attacker to take complete control of affected devices.
According to the manufacturer’s website, the LifeCare PCA drug pump is designed to prevent medication errors that commonly arise in PCA. The device is advertised as including features that enhance safe and secure delivery.
Canada-based researcher Jeremy Richards (@dyngnosis) published a blog post on Tuesday detailing multiple security issues identified in Hospira LifeCare PCA3 drug infusion pumps.
“I would personally be very concerned if this device was being attached to me. It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo,” the researcher said.
Such an attack is possible due to several flaws. One of the vulnerabilities is that the Wi-Fi Protected Access (WPA) keys for a hospital’s wireless network are stored in plain text on the device and they can be accessed over FTP and Telnet.
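As an added example (not from the researcher's post and not Hospira's code), here is the check a reviewer would run over a configuration dump pulled off such a device, together with the reason "just hash the key" would not be a fix. The file below is a constructed wpa_supplicant-style sample with made-up SSIDs and passphrases; the pump's real storage format is not known from the article.

```python
import hashlib
import re

# Constructed sample of a wpa_supplicant-style configuration file. This is NOT the
# pump's real storage format or real credentials; it stands in for "the file an
# attacker retrieves over FTP or Telnet".
SAMPLE_CONFIG = """
network={
    ssid="HOSPITAL-CLINICAL"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
}
network={
    ssid="HOSPITAL-GUEST"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    key_mgmt=WPA-PSK
}
"""

SSID_RE = re.compile(r'^\s*ssid="(.*)"\s*$')
PSK_PASSPHRASE_RE = re.compile(r'^\s*psk="(.*)"\s*$')      # human passphrase, 8..63 chars
PSK_HEX_RE = re.compile(r'^\s*psk=([0-9a-fA-F]{64})\s*$')  # already-derived 256-bit PMK


def find_psks(config_text):
    """Return [(ssid, kind)] for every WPA-PSK credential in the text.

    kind is 'passphrase' for a quoted plaintext passphrase and 'pmk' for a
    64-hex-digit pre-shared key. Both are complete credentials for joining
    the network; neither form is "safe" to leave world-readable.
    """
    findings = []
    ssid = None
    for line in config_text.splitlines():
        m = SSID_RE.match(line)
        if m:
            ssid = m.group(1)
            continue
        if PSK_PASSPHRASE_RE.match(line):
            findings.append((ssid, "passphrase"))
        elif PSK_HEX_RE.match(line):
            findings.append((ssid, "pmk"))
    return findings


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK pairwise master key per IEEE 802.11:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes), hex-encoded.

    The output is exactly what a client needs to authenticate, so a device that
    stores this "hashed" value instead of the passphrase is no better off if the
    file can still be read.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    ).hex()


if __name__ == "__main__":
    for ssid, kind in find_psks(SAMPLE_CONFIG):
        print("%-20s %s recovered" % (ssid, kind))
    # The passphrase entry is trivially convertible to the hex form.
    print(derive_pmk("correct horse battery staple", "HOSPITAL-CLINICAL"))
```

The point of the second function is the caveat: with WPA2-PSK every station must hold a secret that is sufficient to join, so the mitigation is to keep that file unreadable (no unauthenticated FTP or Telnet, filesystem permissions, a per-device credential such as WPA2-Enterprise with client certificates), not to change how the key is encoded.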

For my Computer Security students. Things just keep getting more interesting.
Cisco Unearths ‘Rombertik’ Virus That Self-Destructs When Poked By Security Researchers
… Take Rombertik, for example. This is a piece of malware that was deeply analyzed by Cisco's Talos Security Intelligence and Research Group that, at a high level, hooks into a user's Web browser to read sensitive information that is then passed along to a remote attack server.
… Once executed, Rombertik will run through a couple of checks to make sure it's not running in a sandbox, and if not, it will fully install itself on the victim's PC. It then copies itself and overwrites the copy with a copy that bundles the malware's core functionality.
… Here's where things get interesting: if the final check fails, which is to see if it's being analyzed in memory, Rombertik will purge the hard disk's MBR and reboot, so that the PC becomes unbootable. If the MBR is somehow unaffected by its attempts, Rombertik will instead render the user's home folder useless by encrypting each file with a random key, and then reboot. Neither of these routes is ideal, but the former could be fixed - the latter cannot.
If you want to dig deep into how Rombertik works, you'll want to check out the article below, as it's very in-depth, and even a bit enlightening. For the enterprise and home alike, this is yet another example of why staff need to be well-aware of the dangers of opening unsolicited attachments.
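As an added example (not Talos's code and not part of the article), the following Python parses the 512-byte MBR that Rombertik targets and compares it against a recorded baseline, which is the kind of integrity check an endpoint agent or forensic script would run. The sample sector is constructed inside the code rather than read from a real disk; on a live system you would read sector 0 of the boot device (for example /dev/sda or \\.\PhysicalDrive0) with administrative rights and feed those bytes to the same functions.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a minimal, well-formed MBR (constructed data, not a real disk image).

    One bootable partition of type 0x07 (NTFS/exFAT) starting at LBA 2048,
    1,048,576 sectors long.
    """
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"        # typical short jump at the start of boot code
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Parse one 512-byte sector as an MBR.

    Returns {'signature_ok': bool, 'partitions': [...]}; each partition is a dict with
    index, bootable flag, type byte, LBA start and sector count. Empty entries
    (type 0x00) are skipped.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16]
        )
        if ptype == 0x00:
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def looks_unbootable(sector):
    """True if the 0x55AA signature is missing or the partition table is empty.

    Without the signature BIOS-style firmware refuses to boot the disk; without
    any partition entry conventional MBR boot code has nothing to chain-load.
    This catches a crude wipe, not a replacement with working boot code.
    """
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or not info["partitions"]


def fingerprint(sector):
    """SHA-256 of the whole sector; record this while the system is known good."""
    return hashlib.sha256(sector).hexdigest()


def check_against_baseline(sector, baseline_hex):
    """Compare the live sector to the stored fingerprint. Returns (unchanged, detail)."""
    if fingerprint(sector) == baseline_hex:
        return True, "MBR matches baseline"
    info = parse_mbr(sector)
    return False, "MBR changed: signature_ok=%s, partitions=%d" % (
        info["signature_ok"], len(info["partitions"]))


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)
    print(parse_mbr(good))
    print(check_against_baseline(good, baseline))
    # Simulate a destructive overwrite: the sector is replaced with zeros.
    wiped = b"\x00" * MBR_SIZE
    print(check_against_baseline(wiped, baseline), looks_unbootable(wiped))
```

The structural heuristic is deliberately weak: a payload that writes its own boot code can leave a valid signature and a plausible table, so the hash comparison against a baseline taken at provisioning time is the check to rely on, with the structural parse used only to describe what changed. The same baseline is also what lets you restore the first sector (the "could be fixed" case in the excerpt) without guessing at the partition layout.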

(Related) Phishing emails you want to open?
Attackers Used CareerBuilder to Send Malicious Resumes to Victims: Proofpoint
Researchers at Proofpoint recently identified a clever attack campaign involving
"When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware," Proofpoint explained. "While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher."
"Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient," the researchers added.

Unfortunately, this language is not unique.
David Allison reports:
Consumers hurt in the giant Home Depot data breach have filed a consolidated lawsuit that accuses the company’s management of “overarching complacency when it came to data security.”
In a 187-page complaint filed in federal court in Atlanta on May 1, consumers state their case that by allowing the data breach to occur, Home Depot (NYSE: HD) breached its obligation to protect customers’ personal and financial information and violated its own internal policies and standards.

The pendulum of “Do! Don't! Do! Don't!” Interesting because you don't have to make a phone call for your phone to “connect” to a cellphone tower.
Curt Anderson reports:
Investigators do not need a search warrant to obtain cellphone tower location records in criminal prosecutions, a federal appeals court ruled Tuesday in a closely-watched case involving the rules for changing technology.
The Atlanta-based 11th U.S. Circuit Court of Appeals, overturning a three-judge panel of the same court, concluded that authorities properly got 67 days’ worth of records from MetroPCS for Miami robbery suspect Quartavious Davis using a court order with a lower burden of proof.
In its 9-2 decision, the 11th Circuit decided Davis had no expectation of privacy regarding historical records establishing his location near certain cellphone towers.
Read more on PhysOrg.
Related: Here’s the published opinion (pdf) from the court.
Thanks to Joe Cadillic for this link.
Update: Orin Kerr comments on the opinion, here.
[From the opinion:
The court reasoned: (1) the cell user has knowledge that his cell phone must send a signal to a nearby cell tower in order to wirelessly connect his call; (2) the signal only happens when a user makes or receives a call;

A new word! At least a new definition of DWI.
Driving While ‘Intexticated': Texting, Driving, and Punishment
by Sabrina I. Pacifici on May 5, 2015
Weaver, Russell L. and Friedland, Steven, Driving While ‘Intexticated': Texting, Driving, and Punishment (May 4, 2015). 47 Tex. Tech L. Rev. 101 2014-2015; University of Louisville School of Law Legal Studies Research Paper Series No. 2015-09. Available for download at SSRN:
“In this short article, we argue that texting while driving presents a special danger to society for which preventive solutions are needed. Although a variety of societal responses might be possible, and some other (softer) approaches should generally be preferred (e.g., education), since this is a symposium on homicide, it is appropriate to note that there will be situations when a prosecutor might justifiably (and probably should) bring murder or manslaughter charges against a driver whose texting causes a fatal accident. This article outlines the problems associated with texting, explains the legal basis on which homicide charges might be brought, and suggests some less drastic alternatives for dealing with the problem.”

A Privacy Law database?
EPIC Launches State Policy Project
by Sabrina I. Pacifici on May 5, 2015
“EPIC has launched the EPIC State Policy Project to track legislation across the county concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC’s extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.”

I think this was inevitable. After all, it's what the police cameras should be doing. (Upload to department servers I mean, not the ACLU)
Film the Police
… A new app tries to answer this question by offering, in effect, a different kind of backup. Called Mobile Justice CA, the app uploads all video footage as it’s being captured to servers owned by the American Civil Liberties Union (ACLU). Even if the phone is destroyed, the video will survive.
The app was co-released Friday by the ACLU of Southern California and the Oakland-based Ella Baker Center for Human Rights, and it’s available now for iOS and Android devices.
Mobile Justice CA does more than automatically upload video. It includes a “witness” button, which a user can press to notify other app users within a three-mile radius that they are observing a police interaction. It also lets users file written reports with a local ACLU office and includes versions of the ACLU’s “Know Your Rights” guides for photographers, protesters, and citizens.

As Mobile Grabs Over Half Of All Searches, Google Hits Refresh Button On Its Ads
More than half of all Google searches now happen on mobile devices. Since you’re probably reading this on your smartphone, that may not surprise you.
But it’s still a milestone that Google has just reached in the U.S., Japan, and eight other unnamed countries. And today the search giant is using it as a hook to release a slew of new types of mobile ads and tools to measure their impact all the way to sales in stores.

Interesting. It used to be that millionaires hated Democrats. Then they realized that lots of Democratic politicians were millionaires. Who needs the little people?
Hillary is the favorite among millionaire voters: Survey
Hillary Clinton is the favorite U.S. presidential candidate among millionaire voters and would win a head-to-head contest with former Florida Governor Jeb Bush, according to the third CNBC Millionaire Survey conducted in March that was released today.

Perspective. I haven't subscribed to a newspaper for years. They keep tossing the free local paper in my driveway every week. Is free the way of the future?
Murdoch's News Corp profits slashed by half
Rupert Murdoch's News Corp, which publishes The Sun, The Times and the Wall Street Journal, saw net profits more than halve in the three months to March 31, due to declining advertising revenues and falling newspaper circulations.
Net income attributable to shareholders dropped by 52% to $23 million (£15.1 million) for the quarter to the end of March. Total revenues for the global group slipped 1% to $2.06 billion.

State of the News Media 2015
Call it a mobile majority. At the start of 2015, 39 of the top 50 digital news websites have more traffic to their sites and associated applications coming from mobile devices than from desktop computers, according to Pew Research Center’s analysis of comScore data.

For my spreadsheet students.
Need Help with Excel Formulas? 7 Resources to Consult
… A few Internet instructors understand that Excel is a sore spot for many, and these people have created free resources that start with the basics of Excel and eventually move onto the harder stuff, all in a clear and concise manner.

For my Data Management and Business Intelligence students. Not really new, but increasingly useful. Podcasts, local TV and Radio news, etc. Search for any mention of your company.
Docs reveal how NSA turns phone calls into searchable text
The National Security Agency (NSA) has for years used sophisticated technology that can turn audio content from phone calls or news broadcasts into rough transcripts that can be easily searched and stored.
The spy agency’s ability — revealed in documents from former contractor Edward Snowden posted by the Intercept on Tuesday — resembles commercial services that turn speech into text, but it was developed in secret with the assistance of massive data archives and ultra high-speed computing power.
… The first version of the technology was rolled out in 2004, under the code name "Rhinehart," designed to search real-time audio as well as months-old archives.
