Monday, July 13, 2015

I am not a “world class” expert on encryption, but I know of no way to create “3 key” encryption. It may be possible. Ask the NSA. I can't think of any reason why they would employ such a system, but then it's been a while since I worked in that field.
If I thought that the FBI could read my encrypted files, I would no longer encrypt – I would encode. Sending, “Blue baby buggy bumpers” would convey exactly the same message as, “&7GDA PQPQ7 BLX8S GR4OK PWVUC” but would not be decipherable. (Neither would a “one time pad” but that is another story.)
Encryption: if this is the best his opponents can do, maybe Jim Comey has a point
Behind the opponents’ demand for “concrete technical requirements” is the argument that any method of guaranteeing government access to encrypted communications should be treated as a security flaw that inevitably puts everyone’s data at risk. In principle, of course, adding a mechanism for government access introduces a risk that the mechanism will not work as intended.

“We gotta do something!” True, but shuffling the deck does not eliminate marked cards.
Lawmakers look to strip OPM powers after hack
… Reps. Ted Lieu (D-Calif.) and Steve Russell (R-Okla.), who both likely had their security clearance details taken in the breach, are prepping a bill that would move the security clearance database away from the OPM, perhaps back to the Defense Department (DOD), where it was housed until 2004.
“OPM was never designed to deal with national security,” Lieu told The Hill. [So which idiots moved it there? Bob]
But several senators backing a bill to boost oversight of those holding security clearances, told The Hill that it’s more audits, not necessarily a new agency, that the review process needs. [They ignored the audits that pointed out weak security, why would they stop ignoring them now? Bob]

(Related) Again, shuffling isn't the answer.
Chris Strohm, Michael Riley, and Jordan Robertson report:
The vast cyber-attack in Washington began with, of all things, travel reservations.
More than two years ago, troves of personal data were stolen from U.S. travel companies. Hackers subsequently made off with health records at big insurance companies and infiltrated federal computers where they stole personnel records on 21.5 million people — in what apparently is the largest such theft of U.S. government records in history.
Those individual attacks, once believed to be unconnected, now appear to be part of a coordinated campaign by Chinese hackers to collect sensitive details on key people that went on far longer — and burrowed far deeper — than initially thought.
Read more on Bloomberg.
[From the article:
“China is building the Facebook of human intelligence capabilities,” said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. “This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals.”

“Old data never dies” 2008 breach, 2014 discovery of the breach? Organizations say they have improved (suggesting “Fixed”) their security after every breach.
Herald Scotland reports:
Barclays is paying around half a million pounds in compensation to 2,000 customers, including many in Scotland, after their personal data was found on a USB stick at a flat on the south coast of England.
The electronic device was found by police with a copy of information originally lost last year in the latest problem to hit the banking industry.
The bank has written to around the customers offering them £250 compensation each.
Read more on Herald Scotland.
[From the article:
A source said the information on the USB stick would have been encrypted and almost impossible for it to be read without specialist technology.
The letter stated: "The data taken included information you provided in meetings with a Barclays Financial Planning adviser prior to 2009.
"It includes details taken during the meeting...and the subsequent letter Barclays sent you containing our investment recommendations." It added that it may 'take some time' to establish how the theft happened.
In February last year it was revealed that thousands of files containing financial and personal data had been stolen from Barclays' internal databases.
… The files run to 20 pages per person and contain information on customers' investment plans and capabilities and personal information such as health issues and passport number. Barclays say there is no evidence it had been opened.
The information taken was provided by customers to Barclays' now closed Financial Planning service prior to 2009.
Since 2014, the company has drastically increased its cyber security capabilities. [Barn doors and missing horses Bob]
… A Barclays spokesman said: "This is not a new theft of data from Barclays. Every indication is that the data here was part of the same theft of data that was reported last year, relating to data stolen in 2008.

For my Ethical Hacking students. Why protecting your identity is important.
Elhanan Miller reports:
Computer hackers likely working for the Syrian regime and Hezbollah have managed to penetrate the computers of Israeli and American activists working with the Syrian opposition, exposing sensitive contacts between the sides.
Al-Akhbar, a newspaper serving as Hezbollah’s mouthpiece in Lebanon, published a series of articles over the weekend purporting to divulge correspondence between Mendi Safadi, a Druze Israeli and former political adviser to Deputy Regional Cooperation Minister Ayoub Kara, with members of the Syrian opposition around the world, taken from Safadi’s computer.
Though Al-Akhbar’s articles contain dozens of names, nicknames and telephone numbers of Syrians and others who were in touch with Safadi, he maintained they face no real danger of reprisal.
Read more on Times of Israel.

Always surveilling?
EPIC Urges Investigation of “Always On” Consumer Devices
by Sabrina I. Pacifici on Jul 12, 2015
“EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on ‘Always-On’ Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumers’ homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether ‘always on’ devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice.”

Not a new type of intrusion, but one greatly facilitated by the Internet.
AP reports:
Someone else’s sex tape is proving to be costly for 50 Cent: A jury ordered the rapper-actor Friday to pay $5 million to a woman who said he acquired a video she made with her boyfriend, added himself as a crude commentator and posted it online without her permission.
And the Manhattan jurors are set to continue deliberating next week on possible further, punitive damages in Lastonia Leviston’s invasion-of-privacy lawsuit against the multiplatinum-selling “Get Rich or Die Tryin'” artist.
Read more on Fox News.

(Related) See? This one didn't even need the Internet.
Kathryn Schroeder writes:
A medical reality show used footage of a woman’s husband dying without her knowledge or permission and she only found out because she tuned in to watch the program.
Mark Chanko was struck and killed by a New York City sanitation truck. He is survived by his wife, Anita Chanko, who counts “NY Med” as one of her favorite television shows.
About 16 months after Mark’s death, Anita sat down to watch the program and, to her horror, her husband’s final moments in the hospital were being shown, reports PIX 11.
“I actually watched my husband die in front of my eyes and the worst thing is not only did I hear him moan and groan in pain but I heard him say, ‘Does my wife know I’m here?’” Anita said.
Read more on Opposing Views.
Okay, this definitely has a poor taste aspect to it, but have any privacy laws been broken? How was the airing of this not a HIPAA violation of her husband’s privacy? Public curiosity does not make this man’s care newsworthy, in my opinion. I realize that what happens out in public – on the street – may result in reduced privacy expectations, but filming him in the hospital?
How the heck was this found legal?

Might be a few government agencies in the email address list.
32k email addresses from the Hacking Team breach are now in “Have I Been pwned?”
… What I decided to do was just load the email addresses that appear in the PSTs. This may be a sender or a recipient or even a mention of the email in the body or in an address book, but they’re all just from the PSTs. Of the 32k addresses in there, some of them are completely inconsequential; password reset links, support queues, spam etc. But the vast majority are of consequence and the question of establishing context was solved once Wikileaks published the PSTs. They’re all now searchable which means that given a single email address that appears in HIBP against the Hacking Team breach, a Wikileaks search can establish the context.

(Related) Everyone wants to name a “state sponsor” for their hack. It makes it seem like they are less at fault if their “opponent” is an entire country!
Oh ho. Kelly Fiveash reports that Hacking Team claims it was the victim of a state actor:
The boss of Italian spyware vendor Hacking Team has spoken for the first time about the mass hack on the beleaguered company’s data – which has exposed severe software security holes and gifted terrorists with zero-day exploits.
David Vincenzetti, in an interview with La Stampa newspaper, claimed his firm would recover from the attack and alleged that an unnamed government or organisation with “considerable funds” had infiltrated its data servers and leaked the information.
Read more on The Register.

Perspective. You don't have to sell the most phones...
Apple Inc. Clinches 92% Of Overall Smartphone Industry Profits In Q1 2015
… Apple received 92% of the combined operating income of the top eight smartphone manufacturers in the first quarter of 2015, up from 65% last year. This number is even more surprising when you consider the fact that Apple only sells less than 20% of smartphones globally.

Something for my Intro to IT class!
History of the internet – 40 maps and key resources
by Sabrina I. Pacifici on Jul 12, 2015
For all those who do not recollect or may not know how the internet evolved from ARPANET in 1969 to the web of 2015 with its data analytics, e-commerce profiling and of course, global surveillance, I recommend 40 maps that explain the internet by Timothy B. Lee via Vox, posted on June 2, 2014: “The internet increasingly pervades our lives, delivering information to us no matter where we are. It takes a complex system of cables, servers, towers, and other infrastructure, developed over decades, to allow us to stay in touch with our friends and family so effortlessly. Here are 40 maps that will help you better understand the internet — where it came from, how it works, and how it’s used by people around the world.”

I need to try this. We might use it in our Business classes.
Microsoft's Business Intelligence Service Gets a Power Boost
An updated version of Microsoft’s Power BI service will be released July 24, the company announced Friday. The goal of the updated service is to enable business users to benefit from business intelligence and analytics without requiring sophisticated help from analysts, data scientists, or other tech staff.
… "We believe Power BI is, by a very wide margin, the most powerful business analytics SaaS service," said James Phillips, corporate VP for Microsoft's Business Intelligence Products Group. "And yet, even the most non-technical of business users can sign up in five seconds, and gain insights from their business data in less than five minutes with no assistance, from anyone."
Microsoft offers two levels of the upgraded Power BI service: a free version and another that’s $9.99 per month/per user. The differences between the two tiers have mostly to do with data-refresh rates and collaboration capabilities.