Thursday, December 03, 2015

Every technology that believes it is “new” thinks first about “selling features.” Why no one considers security a selling feature is beyond me. “Always bet on ignorance and intellectual laziness!”
Why VTech Breach is So Bad - and So Avoidable
The data breach involving Hong Kong toymaker VTech highlights a growing concern over manufacturers selling many more devices that are Internet-connected, yet apparently failing to safeguard those devices – and related information that gets collected and stored – against even the most rudimentary types of online attacks
… The apparent severity of the breach at VTech, which reported an annual revenue of $1.9 billion earlier this year, has continued to increase since the company first confirmed Nov. 27 that it had been breached, with the latest count of breach victims hitting 11.2 million people. In its most recent breach notification, released Dec. 2, the company says that on Nov. 14, "an unauthorized party accessed VTech customer data" connected with the databases and servers behind these services:
… Hong Kong's privacy commissioner, as well as attorneys general in multiple U.S. states, have said they are probing the breach.

(Related) Those who do not study history security best practices are doomed to repeat it.
More Trouble For VTech -- Kids Tablet Is 'Easy' To Hack
VTech is having a quite abysmal week following a hack that exposed data on 6.4 million children and 4.8 million adults. Not only has its stock price dipped to a year low, security researchers have found two glaring vulnerabilities in its InnoTab Max tablet for kids, and it is refusing to answer questions on whether it even has a security team.
Ken Munro, who heads up consultancy Pen Test Partners, discovered the issues with the InnoTab within a day. It was simple to find the flaw because it’s been known for more than two years.
… There have been numerous signs VTech hasn’t paid enough attention to security. First, the hack itself, according to a Vice Motherboard report, was perpetrated with an age-old techniqueSQL injection – that firms should be prepared for. It was storing most data, including children’s images and chat messages with parents, in unencrypted fashion. Its website was not protected with SSL web encryption. And its Android application used by parents to chat with their children was said to be vulnerable.

The continuing joy of data breaches.
Target in $39.4 million settlement with banks over data breach
Target Corp has agreed to pay $39.4 million to resolve claims by banks and credit unions that said they lost money because of the retailer's late 2013 data breach.
The settlement filed on Wednesday resolves class-action claims by lenders seeking to hold Target responsible for their costs to reimburse fraudulent charges and issue new credit and debit cards.
… Target reached a similar accord with MasterCard in April, but it was rejected the next month when card issuers deemed the sum too low.
… Earlier this year, Target agreed to pay Visa Inc card issuers as much as $67 million over the breach and reached a $10 million settlement with shoppers. The latter accord won court approval last month.
Last week, Target said it had spent $290 million related to the breach, and expected insurers to reimburse $90 million. It still faces shareholder lawsuits, as well as probes by the Federal Trade Commission and state attorneys general, over the breach.

Almost exactly what my Computer Security students concluded would happen. Perhaps this is easier than giving their hackers a bad performance review?
If I knew emojis, I’d include one for “highly skeptical” to accompany this story. Ellen Nakashima reports:
The Chinese government recently arrested a handful of hackers it says were connected to the breach of Office of Personnel Management’s database earlier this year, a mammoth break-in that exposed the records of more than 22 million current and former federal employees.
The arrests took place shortly before a state visit in late September by President Xi Jinping, and U.S. officials say they appear to have been carried out in an effort to lessen tensions with Washington.
The identities of the suspects — and whether they have any connection to the Chinese government — remain unclear.
Read more on Washington Post.

For my Forensics students.
Orin Kerr writes:
On Tuesday, the 11th Circuit handed down a new computer search decision, United States v. Johnson, that both sharpens and deepens the circuit split on how the private search doctrine of the Fourth Amendment applies to computers. Johnson isn’t a likely candidate for Supreme Court review. But it does leave the private search doctrine in computer searches ripe for Supreme Court review in other cases working their way through the courts.
Read more on The Volokh Conspiracy.
[From the article:
Because the Fourth Amendment applies only to the government and its agents, the Fourth Amendment is not triggered when private parties not associated with the government conduct searches. When a private party conducts a search and finds evidence of crime, the private party often goes to the police and voluntarily shows the police what she has found. The Supreme Court uses what I have called the “private-search reconstruction” doctrine to regulate what the police are allowed to see without a warrant. The police can reconstruct the private party search, seeing what the private party saw, but they can’t exceed the search the private party conducted.
On to the important legal question: When a private party searches a computer, sees a suspicious file and reports the finding to the police, what kind of government search of the computer counts as merely reconstructing the private search and what kind of search counts as exceeding the private search?
… In 2005, the 5th Circuit ruled that the entire computer was searched. In 2012, the 7th Circuit agreed with the 5th Circuit that the entire computer was searched. In May, the 6th Circuit handed down a ruling concluding that the unit should be data or the file, so that government observation of anything not actually viewed by the private party exceeds the scope of the private search.
The new case, Johnson, also adopts the data or file approach — thus deepening the 2-1 split into a 2-2 split.

I doubt this is what Belgium had in mind.
Facebook will block Belgians without accounts from access to its content
Facebook has outlined its plans to follow a court ruling in Belgium requiring it not to track people who do not have accounts on the social networking website.
The company said it was giving the details ahead of the order being served on it by the Belgian Privacy Commission, which is expected later this week.
Among the steps Facebook plans to take is to require people without Facebook accounts in Belgium to create accounts and log in to the social networking website before they can see its publicly available pages and other content, the company said.
"Today, anyone can see Facebook pages for small businesses, sports teams, celebrities and tourist attractions without logging into Facebook—typically found using a search engine," a Facebook spokesman said in an email.
… The dispute largely hinges around Facebook's use of a special cookie called 'datr' that it claims helps it distinguish between legitimate and illegitimate visits to its website, and identifies browsers and not individuals. Facebook claims that by using the security cookie it protected Belgian people from more than 33,000 takeover attempts in the past month.

I think they have a point! (Do we need a division of marketers?)
The ‘Soft Power’ War ISIS Doesn’t Want
For too long, ISIS’ digital influence in social media has gone largely unchecked. We have failed to match their commitment to content, imagery, emotion and reach. (President Obama describes them as “killers with good social media” who recruit in “far flung” places.) In the wake of the Paris attacks and our response, ISIS has “upped” their online game of intimidation and terror.
… In the first 24 hours following the attacks on Paris, there were hundreds of thousands of celebratory tweets from supporters of ISIS. An estimated 50,000 Twitter accounts — each having thousands of followers — streamed photo essays, audio, video, news bulletins and theological writings.
Remarkably, there was no organized response from the West or majority of Muslim countries.

If you don't want to do something, don't say you will!
… Internet provider Cox Communications is facing a lawsuit from BMG Rights Management which accuses the ISP of failing to terminate the accounts of subscribers who frequently pirate content.
BMG claimed that Cox gave up its DMCA safe harbor protections due to this inaction, something District Court Judge Liam O’Grady agreed on last week in a summary judgment.
… “The record conclusively establishes that before the fall of 2012 Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA’s requirements,” the memorandum (pdf) reads.

Let the debate begin!
Google Calls Out EFF Over Bogus Claims That It Snoops On Students With Its Chromebooks
… "EFF bases this petition on evidence that Google is engaged in collecting, maintaining, using, and sharing student personal information in violation of the 'K-12 School Service Provider Pledge to Safeguard Student Privacy' (Student Privacy Pledge), of which it is a signatory,” alleged the EFF in its initial FTC complaint.
Google takes such allegations very seriously, and has thus responded to every claim brought forth by the EFF. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year,” said Jonathan Rochelle, the Director of Google Apps for Education.
With respect to Google Apps for Education Core Services (GAFE), Rochelle asserts that all student data stored is “only used to provide the services themselves” and that student data isn’t used for advertising purposes, nor are ads served to students.

For my students. See, It's not just the big guys. Use it just to annoy the FBI director?
Encrypted messaging app Signal now available for desktops
The much-lauded encryption app Signal has launched a beta program for a desktop version of the app, which will run through Google's Chrome browser.
Signal Desktop is Chrome app that will sync messages transmitted between it and an Android device, wrote Moxie Marlinspike, a cryptography expert who had helped develop Signal, in a blog post on Wednesday.
… Signal Desktop won't be able to sync messages with iPhone just yet, although there are plans for iOS compatibility, Marlinspike wrote. It also won't support voice initially.
Signal, which is free, has stood out in a crowded field of encrypted messaging applications, which are notoriously difficult to engineer, and has been endorsed by none other than former U.S. National Security Agency contractor Edward Snowden. [Paid endorsement? Bob]
… Open Whisper Systems itself can't see the plain text of messages or get access to phone calls since it doesn't store the encryption keys.
Signal is open source, which allows developers to closely inspect its code.

Local news.
Uber is partnering with Enterprise Rent-A-Car, and—as the slogan goes—they’ll pick you up! By “they” I mean the poor schmucks who sign up to pay around $1000 a month to work for Uber.
The pilot program, which launched in Denver, gives people access to a discounted rental car at $210 a week, plus taxes and fees.
… In addition to the base payments, drivers will have to pay a $500 refundable deposit and a $40 sign-up fee. If they go over 2800 miles a month (90 miles a day) there’s also an additional $0.25 per mile fee tacked on.

Amazon Dominated 36% of Online Black Friday Sales, Says Slice
Slice Intelligence, which gathers e-commerce data from receipts linked to its Slice package tracking app, tells TechCrunch that Amazon dominated online Black Friday sales, accounting for 35.7 percent in e-commerce spending on November 27. A distant second, Best Buy brought in 8.23 percent of total online revenue, followed by Macy’s at 3.38 percent, Walmart at 3.35 percent and Nordstrom at 3.11 percent.

For my students… Please.
Quickly Improve Your Handwriting with These Fantastic Resources

No comments: