Tuesday, December 01, 2015
Doesn't sound so good now, does it?
Lorenzo Franceschi-Bicchierai has a follow-up to his earlier report on VTech:
Over the weekend, the hacker, who asked to remain anonymous, told me that VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.
Read more on Motherboard.
The VTech hack is getting a lot of mainstream media attention, and understandably so, as it’s a cautionary tale. But keep in mind that so far, it doesn’t sound like this hacker has any intention of misusing the data. If s/he did, it would have been put up for sale and not helpfully disclosed to Motherboard. It sounds like the hacker wants to make a point about security. Yes, it’s still a crime, and everyone – company and parents – needs to be more cautious going forward, but it’s not clear what the real and imminent risk is from this particular hack.
Yet another follow-up. How can you manage what you don't know exists?
OPM Just Now Figured Out How Much Data It Owns
... According to its inspector general, at the time of the breaches, OPM did not have a complete inventory of the servers, databases, and network devices that it owns, maintains, and operates. Not having the inventory “drastically diminishe[d] the effectiveness of its security controls,” wrote Michael Esser, the agency’s assistant inspector general for audits, in an oversight report published this month.
“Failure to maintain an accurate IT inventory undermines all attempts at securing OPM’s information systems,” the report read.
… The high-profile data breaches have kept OPM in the news, but it’s far from the only government agency that has fallen short of basic IT standards.
A recent report compiled by the House Oversight Committee graded federal agencies on their implementation of a key federal IT law. The majority of agencies—including OPM—received a D grade. Three agencies received an F: the Department of Education, the Department of Energy, and NASA. No agency received an A.
This week, my Computer Security students are discussing encryption.
BlackBerry Exits Pakistan Over Backdoor Request
The Canadian smartphone maker revealed that the Pakistani government was looking for means to monitor all BlackBerry Enterprise Service traffic in the country. However, as BlackBerry refused to comply with this demand, the government decided to prohibit BlackBerry’s BES servers from operating in Pakistan starting in December.
Definitely one for my Computer Security students to discuss.
Target Website’s Near Cyber Monday Crash: In Ironic Twist, Customers Forced To Wait On Line
The website for Target, one of the largest retailers in the U.S., almost crashed on Cyber Monday, due to a huge number of bargain hunters attempting to access the site simultaneously. To manage the deluge, the store set up a queue reminiscent of in-store Black Friday lines, in which Web customers were required to wait behind others who were already shopping.
… By just midday, according to the company, traffic on the site had already doubled that of the formerly most busy day in Target website history.
Another article for my Computer Security students.
The attack that broke the Dark Web—and how Tor plans to fix it
Backup. Backup. Backup.
British Man Blames Apple For Erasing His iPhone’s Data, Wins $3,000 In Lawsuit
… it appears that at least one British man didn’t use enough caution when he took his malfunctioning iPhone in to be serviced at a local Apple Store. Deric White claims the Apple Geniuses never asked him if he had backed up his iPhone 5, and took it upon themselves to reset the iPhone, wiping out all of its data in the process, in order to solve his issues.
“It was only after staff fiddled around they asked if I’d backed my things up,” said White, who was obviously distraught over the fact that he lost 15 years’ worth of contacts and countless photos with sentimental value.
… The judge said that Apple had acted negligently in erasing the data from Mr. White’s phone while performing a reset.
… If Mr. White had an iCloud account, he would have been able to easily restore his data (including contact information and photos). But in this case, he hadn’t even set up an iCloud account, stating that he “[didn’t] like the databank in the sky.” Likewise, an iTunes backup would have made for an even quicker way to restore his iPhone 5 to its previous state before he visited the Apple Store. This method of backing up data also eluded Mr. White.
The overreaction to 9/11 continues.
Revealed: FBI can demand web history, phone location data without a warrant
The FBI can compel companies and individuals to turn over vast sums of personal data without a warrant, it has been revealed for the first time.
In a case that's lasted more than a decade, a court filing released Monday showed how the FBI used secret interpretations to determine the scope of national security letters (NSLs).
Nicholas Merrill, founder of internet provider Calyx Internet Access, who brought the 11-year-old case to court after his company was served a national security letter, won the case earlier this year.
National security letters are almost always bundled with a gag order, preventing Merrill from speaking freely about the letter he received.
… In a statement on Monday, Merrill revealed the FBI has used its authority to force companies and individuals to turn over complete web browsing history; the IP addresses of everyone a person has corresponded with; online purchase information, and also cell-site location information, which he said can be used to turn a person's phone into a "location tracking device."
According to a release, the FBI can also force a company to release postal addresses, email addresses, and "any other information which [is] considered to be an electronic communication transactional record."
Merrill said in remarks: "The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs."
… Merrill is the first person who has succeeded in completely lifting a national security letter gag order.
Yes, it's a big deal. Now all they need do is get others to use the yuan.
China needs more users for 'freely usable' yuan after IMF nod
The International Monetary Fund's decision to add China's yuan to its reserves basket is a triumph for Beijing, but the fund's verdict that the currency met its "freely usable" test will have little financial impact unless Beijing recruits more users.
The desire of Chinese reformers to internationalize the currency has a clear economic rationale; a yuan in wide circulation overseas would reduce China's dependence on the dollar system and on policy set in Washington.
It would also make it easier for Chinese firms to invoice and borrow offshore in yuan, reducing the risk of exchange rate fluctuations and prompting China's inefficient state-owned banks to improve their performance or lose business.
Those concerned about a potential global liquidity crisis caused by overdependence on the United States might also welcome the yuan as an alternative to the dollar, as would countries locked out of dollar capital markets by sanctions.
ITU: 3.2B People Now Online Globally, Mobile Broadband Overtakes Home Internet Use
… according to International Telecommunication Union, which today published its annual global survey
Perspective. “Out, out damned driver! Out, I say!” (If Lady Macbeth were a programmer)
The High-Stakes Race to Rid the World of Human Drivers
Perspective. Remember, this is not an Internet First company, like Amazon.
Walmart: Nearly Half Of Orders Since Thanksgiving Placed On Mobile Device
… "Mobile is making up more than 70 percent of traffic to Walmart.com, and now, nearly half of our orders since Thanksgiving have been placed on a mobile device - that's double compared to last year."
Want to Obtain FBI Records a Little Quicker? Try New eFOIA System
by Sabrina I. Pacifici on Nov 30, 2015
“The FBI recently began open beta testing of eFOIA, a system that puts Freedom of Information Act (FOIA) requests into a medium more familiar to an ever-increasing segment of the population. This new system allows the public to make online FOIA requests for FBI records and receive the results from a website where they have immediate access to view and download the released information. Previously, FOIA requests have only been made through regular mail, fax, or e-mail, and all responsive material was sent to the requester through regular mail either in paper or disc format. “The eFOIA system,” says David Hardy, chief of the FBI’s Record/Information Dissemination Section, “is for a new generation that’s not paper-based.” Hardy also notes that the new process should increase FBI efficiency and decrease administrative costs. The eFOIA system continues in an open beta format to optimize the process for requesters. The Bureau encourages requesters to try eFOIA and to e-mail firstname.lastname@example.org with any questions or difficulties encountered while using it. In several months, the FBI plans to move eFOIA into full production mode.”
An article to leave on my wife's chair… Hint, hint babe.
A New Delivery Service Gives Beer Geeks Their Monthly Fix
… Customers reply to the daily e-mails if they want the beers on offer, and Tavour stockpiles the orders for a monthly delivery. Recent prices range from $2.50 to $20 a beer. Regardless of how many it’s sending you, the company charges $15 shipping to any of the seven states it covers so far: Arizona, California, Colorado, New Mexico, Ohio, Oregon, and Washington.
Storage, for my Math students.
Storage Enters the Age of Erasure Coding
Its appeals are obvious: it's a data protection system that's more space efficient than straight replication, and one which tolerates more faults and allows you to recover lost data far more quickly than is possible with traditional RAID systems.
Here are just a few examples of storage offerings that are getting serious about the technology: Intel and Cloudera are developing erasure coding in HDFS for release in Hadoop 3.0, and Nutanix has begun showing off its own proprietary erasure coding called EC-X in the current versions of its Nutanix OS in preparation for its launch in NOS 5. Ceph, the open source software storage platform, introduced erasure coding last year with the Firefly (v0.80) release, and erasure coding is at the heart of Cleversafe's dispersed storage systems. (Earlier this month IBM announced that it had acquired Cleversafe for an undisclosed sum.)
Erasure coding works by splitting a file into a number of equally sized pieces, and then doing some fancy mathematics [Not so fancy… Bob] encoding to produce a larger number of pieces. For example, you could start with a single file, split it into 6 pieces, and then do the encoding to produce 10 pieces.
What's clever about the encoding is that you would only need 6 of the 10 encoded pieces to get back to the original file – you can lose any four without any data loss.
To get an idea of how EC works, let's look at a very simple example where you split a file into 2 pieces, and then encode those into 4 encoded pieces.
So we start with a single file, split it into 2 pieces which we'll call P1 and P2, and then encode those into 4 encoded pieces EP1, EP2, EP3 and EP4.
We are left with EP1 and EP3, and we know that EP1 is identical to P1, and EP3 is simply P1 + P2. So with a little mathematical equation solving it is possible to get the original file back from just these two encoded pieces.
That's the principle. In fact erasure coding is more complex than that. A common form of erasure coding is called Reed-Solomon (RS) erasure coding, invented in 1960 at MIT Lincoln Laboratory by Irving S. Reed and Gustave Solomon. It uses linear algebra operations to generate extra encoded pieces, and can be configured in different ways so that a file is split into k pieces, and then encoded to produce an extra m encoded pieces which are effectively parity pieces.
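For my Math students, here is the "equation solving" the article waves at, carried through in working code. This is an added example of my own, not code from the article or from any of the products it names (HDFS, Nutanix, Ceph, Cleversafe). It generalizes the article's 2-of-4 picture to any k-of-n scheme: the n encoded pieces are linear combinations of the k data pieces given by an n×k generator matrix, and recovery from any k surviving pieces is just inverting the k×k sub-matrix of the rows that survived. The arithmetic is done modulo the prime 257 (so every byte is a field element) purely to keep the code short; real Reed-Solomon implementations use GF(2^8) so that encoded symbols still fit in a byte. The matrix `ARTICLE_2_OF_4` is my transcription of the article's example (EP1 = P1, EP2 = P2, EP3 = P1 + P2, plus a fourth row I chose, EP4 = P1 + 2·P2); `generator_matrix` builds a systematic generator for any k and n from a Vandermonde matrix, which is one standard construction, not necessarily the one any named product uses.

```python
"""Toy k-of-n erasure code over the prime field GF(257).

Added example, not code from the article or from any storage product.
Working mod 257 means every byte 0..255 is a field element, but an encoded
symbol can be 256, so a real system would use GF(2^8) instead.
"""
from itertools import combinations

P = 257  # prime modulus; all arithmetic is in GF(257)

# The article's 2-of-4 example as a generator matrix: row i gives the
# coefficients of data pieces (P1, P2) that form encoded piece EP(i+1).
# Fourth row (P1 + 2*P2) is my choice; any 2 of these 4 rows are invertible.
ARTICLE_2_OF_4 = [[1, 0], [0, 1], [1, 1], [1, 2]]


def mat_inverse(m):
    """Invert a square matrix over GF(P) by Gauss-Jordan elimination."""
    k = len(m)
    a = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if a[r][col] % P), None)
        if pivot is None:
            raise ValueError("singular matrix: these rows cannot recover the data")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, P)          # modular inverse of the pivot
        a[col] = [(x * inv) % P for x in a[col]]
        for r in range(k):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % P for x, y in zip(a[r], a[col])]
    return [row[k:] for row in a]


def mat_mul(a, b):
    """Matrix product over GF(P)."""
    return [[sum(x * y for x, y in zip(row, col)) % P for col in zip(*b)] for row in a]


def generator_matrix(k, n):
    """n x k systematic generator: the top k rows are the identity (so the first
    k encoded pieces equal the data pieces) and the other n-k rows are parity.
    Built as V * inverse(V[:k]) where V is Vandermonde with rows [x^0..x^(k-1)]
    for x = 0..n-1; any k rows of V are invertible (distinct x), so any k rows
    of the product are too."""
    v = [[pow(x, j, P) for j in range(k)] for x in range(n)]
    return mat_mul(v, mat_inverse(v[:k]))


def split(data: bytes, k: int):
    """Split data into k equal-length pieces (zero-padded) as lists of ints."""
    size = -(-len(data) // k)
    padded = data.ljust(size * k, b"\0")
    return [list(padded[i * size:(i + 1) * size]) for i in range(k)]


def encode(pieces, g):
    """Encoded piece i is the combination of the data pieces given by row i of
    g, applied symbol by symbol."""
    width = len(pieces[0])
    return [[sum(c * p[j] for c, p in zip(row, pieces)) % P for j in range(width)]
            for row in g]


def decode(available, g):
    """available: {piece_index: encoded_piece} with at least k entries.
    The survivors satisfy G_sub * data = EP_sub, so data = inverse(G_sub) * EP_sub."""
    k = len(g[0])
    idx = sorted(available)[:k]
    inv = mat_inverse([g[i] for i in idx])
    ep = [available[i] for i in idx]
    return [[sum(c * e[j] for c, e in zip(row, ep)) % P for j in range(len(ep[0]))]
            for row in inv]


def join(pieces, length):
    """Reassemble the data pieces and drop the padding."""
    return bytes(b for p in pieces for b in p)[:length]


def every_k_subset_recovers(data: bytes, g) -> bool:
    """Check the article's claim: with n encoded pieces, ANY k of them suffice."""
    n, k = len(g), len(g[0])
    ep = encode(split(data, k), g)
    for keep in combinations(range(n), k):
        if join(decode({i: ep[i] for i in keep}, g), len(data)) != data:
            return False
    return True


if __name__ == "__main__":
    sample = b"erasure coding demo"            # constructed sample input
    print("2-of-4 (article):", every_k_subset_recovers(sample, ARTICLE_2_OF_4))
    print("6-of-10:", every_k_subset_recovers(sample, generator_matrix(6, 10)))
```

Running it exercises every way of losing pieces: all 6 ways of keeping 2 of the article's 4 pieces, and all 210 ways of keeping 6 of 10. The `ValueError` in `mat_inverse` is the failure mode a practitioner cares about: a generator whose k-row subsets are not all invertible would encode fine and then silently fail to recover for some loss patterns, which is why the Vandermonde construction (or a Cauchy matrix) is used rather than arbitrary coefficients.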
My students will be writing Apps next Quarter.
Microsoft takes wraps off PowerApps mobile-app creation service
… Microsoft's goal in developing PowerApps is to allow business users to harness the power of data scattered throughout their organizations in both software-as-a-service and on-premises apps without having to know how to write a single line of code.
May 'splain y my students don't right gud.
OMG! In Text Messages, Punctuation Conveys Meaning
… A Binghamton University research team has apparently identified one such indicator: Whether or not you put a period at the end of a reply.
In the journal Computers in Human Behavior, researchers led by psychologist Celia Klin report that college students perceive text messages that end with a period to be less sincere than ones that do not.