So which vendor was responsible for this one? The archdiocese wouldn’t answer that question when I put it to them….
Tom McGhee reports:
Authorities are investigating a data breach at the Catholic Archdiocese of Denver that put current and terminated employees, their dependents, spouses, and beneficiaries at risk of ID theft.
A third-party software provider that administers the data reported that someone had gotten into an Archdiocese payroll system and looked at W-2 information for about 80 individuals in October, said Keith Parsons, Archdiocese CFO, on Tuesday.
It wasn’t clear at that time if the information was used to steal identities from the database, which also includes information about employee spouses, dependents and insurance beneficiaries, Parsons said.
Read more on Denver Post.
What does this tell us about the “security mindset?” I think I’ll ask my students.
Google warns 760,000 websites: 'You've been hijacked' - but many are infected again in days
Google is urging website operators to sign up for its security notifications after a study of 760,935 hijacked websites revealed the difficulties in cleaning up infections that expose visitors to malware.
Google details its findings in a study it conducted with the University of California, Berkeley, which looked at the hijacked websites it found in an 11-month period to June 2014.
The sites were identified through Google Safe Browsing, which notifies browser users of a potentially harmful site, and Search Quality, which flags risky sites in search results.
The study looked at the most effective way to communicate the issue to website operators, and whether operators had the technical know-how to resolve it.
(Related) I’m not the only one concerned.
Security Awareness Training: Poor in UK, Better in US
AXELOS, a UK firm with strong ties to the UK government Cabinet Office, yesterday published a stinging criticism of business security awareness training in the UK. "The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviors look like," it reported.
This happens to be part of my Computer Security lecture this week.
The Emergence of Identity as an Enterprise Attack Surface
In spite of heroic efforts, many companies today offer attackers no shortage of vulnerable points for entry into their networks. Whether it’s cloud services unknown to the corporate security team, or a web server that is 10 patch revisions behind, or an application that never underwent proper security or code review – the options are plentiful.
Once an attacker gets in, they have to achieve their objectives. They need to move around, understand your organization’s layout and find exploitable weaknesses to accomplish their mission. Or they could completely bypass all that by assuming the identity of one of your administrators and (likely) have free rein of everything. Complicating this further, attackers don’t just come at you from the ‘outside.’ Sometimes, they’re existing employees seeking to exploit your organization’s weaknesses to steal information without anyone noticing and leave for a competitor.
… If you doubt the danger that identities pose to your organization, you should conduct a simple test. Pick any given user in your organization—an administrator or generic user—and investigate the power their identity has on your network, systems and applications. In most companies, when a new user is on-boarded they are given rights to the network, systems and applications they need to do the job they’re assigned. Over time, that scope creeps and spins out of control.
Over the course of a few months to a few years many of these identities never lose the old access requirements they had when they were hired. They move from role to role and acquire new access requirements. Before you know it, individuals have got access to servers, shared folders, applications and loads of other things to which they don’t need access. Processes for clean-up and audit are becoming more pervasive, but still not commonplace, even as identity stores grow over time. It’s an effort that requires deliberate focus and attention.
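The "simple test" the article proposes (pick an identity, measure what it can reach, and find what it no longer needs) is easy to script once entitlements are recorded with the role under which they were granted. The Python below is an added illustration for the lecture, not code from the article or from any IAM product; the data model, the role baseline and the sample employee who moved from helpdesk to sysadmin to accountant without losing earlier grants are all constructed assumptions.

```python
"""Access-creep review over a constructed identity snapshot.

Hypothetical data model (an assumption, not any real IAM schema): each user
has a current role and a list of entitlements; each entitlement records the
system it grants access to, the privilege level, and the role the user held
when it was granted. A role baseline says which entitlements a role is
expected to need. Anything outside the baseline for the *current* role is
flagged for re-certification, which is the audit step the article describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Entitlement:
    system: str           # e.g. "payroll-db"
    privilege: str        # e.g. "read", "admin"
    granted_in_role: str  # role the user held when this was granted

@dataclass
class User:
    name: str
    current_role: str
    entitlements: List[Entitlement] = field(default_factory=list)

# Constructed baseline: what each role is expected to need (assumption).
ROLE_BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "helpdesk":   {("ticketing", "write"), ("ad", "password-reset")},
    "sysadmin":   {("ad", "admin"), ("vcenter", "admin"), ("ticketing", "write")},
    "accountant": {("payroll-db", "read"), ("erp", "write")},
}

def stale_entitlements(user: User) -> List[Entitlement]:
    """Entitlements not justified by the baseline of the user's current role."""
    allowed = ROLE_BASELINE.get(user.current_role, set())
    return [e for e in user.entitlements if (e.system, e.privilege) not in allowed]

def identity_reach(user: User) -> Set[str]:
    """Every system this identity can touch today, regardless of how it got there."""
    return {e.system for e in user.entitlements}

def review_report(users: List[User]) -> Dict[str, dict]:
    """Per-user summary: current reach, and which grants a manager must re-certify."""
    report = {}
    for u in users:
        report[u.name] = {
            "reach": sorted(identity_reach(u)),
            "stale": sorted(f"{e.system}:{e.privilege} (from {e.granted_in_role})"
                            for e in stale_entitlements(u)),
        }
    return report

# Constructed sample: alice moved helpdesk -> sysadmin -> accountant and kept
# every earlier grant; bob is a new helpdesk hire with only baseline access.
SAMPLE_USERS = [
    User("alice", "accountant", [
        Entitlement("ticketing", "write", "helpdesk"),
        Entitlement("ad", "password-reset", "helpdesk"),
        Entitlement("ad", "admin", "sysadmin"),
        Entitlement("vcenter", "admin", "sysadmin"),
        Entitlement("payroll-db", "read", "accountant"),
        Entitlement("erp", "write", "accountant"),
    ]),
    User("bob", "helpdesk", [
        Entitlement("ticketing", "write", "helpdesk"),
    ]),
]

if __name__ == "__main__":
    for name, row in review_report(SAMPLE_USERS).items():
        print(name, row)
```

The point the report makes visible is the one the article makes in prose: alice's job today needs two systems, but her identity still reaches five, including domain and hypervisor admin from a role she left. Running this against a real entitlement export is the "deliberate focus" the article says most organizations lack.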
Outsmarting Jeff Bezos?
How amazing! This is from a victim.
KU Scammers on Amazon – What’s Going On?
… For those who don’t know, to be in KU, a book can’t be available at any other vendor. Amazon exclusive. The bonus is that it gets slightly better visibility simply because it can be a “recommendation” to KU browsers. Books not in KU are often not shown to them unless they are bigger names.
On to the issue of the scammers and what’s really going on…
… KU 2.0 (which is what we’re in now) pays by the page. Not pages in books, but pages the reader reads.
So, let’s say a reader checks out a book from KU, reads to page 100, decides they don’t like the book and returns it. The author gets paid for the 100 pages read. If it’s a page turner that the reader reads through to the end, the authors get paid for all 500 pages of wonderful and quality prose.
The pay per page is a small number and varies by a few thousandths of a penny each month, but it seems to be settling in at around $00.0045 per page. That equates to about $1.575 for a 350 page book.
One thing we were all assured by Amazon…many times…in writing…was that Amazon knew how much a reader was reading in each book and they would pay us for those pages.
Scammers being scammers, they realized Amazon was lying very early on. Amazon couldn’t tell what pages were read. They only knew the last place you were at in the book. And that’s what they were paying authors, the last place that the reader synced in the book.
So, a KU borrow on a device that didn’t sync until after the book was read and the reader flipped back to the front to check out what else you’d written? Yeah, no pages read.
But likewise, a reader who clicked a link on Page 1 offering them the opportunity to win a Kindle Fire HDX 8.9 and a $100 Amazon Gift Card … which then sent them to the back of a 3000 page book? Yep, you guessed it. They got paid for 3000 unread pages. (And no, there was no winner for those contests that anyone knows of.)
… One of the scammers has YouTube tutorials on how to pull the scam. He showed a screen shot of a 15 year old kid’s KDP Dashboard who made over $70,000 in one month pulling this scam. And there are HUNDREDS of them.
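The post describes a classic business-logic flaw: the metric that drives payment (last synced position) is not the quantity it claims to measure (pages read), so it fails in both directions, under-paying the honest reader who flips back to the front and over-paying for a single jump to the last page. The Python below is an added illustration of that point, not anything from the post or from Amazon: the sync-event format, the "plausible reading rate" threshold and both sample sessions are constructed assumptions. It puts the position-based metric beside a progress-validated one that credits only advances a human could have read in the elapsed time.

```python
"""A position-based read metric beside a progress-validated one.

Constructed model (an assumption, not real reader telemetry): a device
reports (time, page) sync events during a borrow. The naive metric pays for
the page reported in the last sync, as the post describes. The validated
metric walks the syncs in order and credits a forward move only if it could
plausibly have been read at or below max_pages_per_min; larger jumps are
recorded as anomalies for review instead of being paid.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class SyncEvent:
    t: float       # seconds since the borrow began (constructed)
    position: int  # page the device reports the reader is on

def credit_by_last_position(events: List[SyncEvent]) -> int:
    """The metric the post describes: pay for wherever the reader last synced."""
    if not events:
        return 0
    return sorted(events, key=lambda e: e.t)[-1].position

def credit_by_plausible_progress(events: List[SyncEvent],
                                 max_pages_per_min: float = 3.0) -> Tuple[int, List[str]]:
    """Credit only page advances consistent with a human reading rate.

    Backward moves (flipping to the front) never reduce credit, which removes
    the 'no pages read' failure; a forward jump faster than max_pages_per_min
    is withheld and reported, which removes the 'jump to page 3000' failure.
    """
    credited = 0
    anomalies: List[str] = []
    prev = None
    for e in sorted(events, key=lambda x: x.t):
        if prev is not None and e.position > prev.position:
            elapsed_min = (e.t - prev.t) / 60.0
            advance = e.position - prev.position
            if advance <= max_pages_per_min * elapsed_min:
                credited += advance
            else:
                anomalies.append(
                    f"t={e.t:.0f}s: jumped {advance} pages in {e.t - prev.t:.0f}s")
        prev = e
    return credited, anomalies

# Constructed session 1: honest reader, 20 pages every 10 minutes to page 101,
# then flips back to page 1 to look at the author's other titles.
LEGIT_SESSION = [SyncEvent(0, 1), SyncEvent(600, 21), SyncEvent(1200, 41),
                 SyncEvent(1800, 61), SyncEvent(2400, 81), SyncEvent(3000, 101),
                 SyncEvent(3060, 1)]

# Constructed session 2: a link on page 1 lands the reader at the back of a
# 3000-page file ten seconds after opening it.
GAMED_SESSION = [SyncEvent(0, 1), SyncEvent(10, 3000)]

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION), ("gamed", GAMED_SESSION)):
        print(name, "last-position:", credit_by_last_position(session),
              "validated:", credit_by_plausible_progress(session))
```

With these inputs the last-position metric pays the honest reader for 1 page and the gamed session for 3000; the validated metric pays 100 and 0 respectively and flags the jump. The threshold is the design decision a platform would have to tune and measure, but any rate-based check already removes the cheapest version of the trick the post describes.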
All talk and no listening?
App Store Censorship and FBI Hacking Proposed at Congressional Crypto Hearing
Tech experts and industry representatives squared off against law enforcement officials in two sessions of lively testimony today in front of the House Energy and Commerce committee. Today's hearing is the latest in the ongoing battle in the courts and legislature commonly called the second “Crypto Wars,” after a similar national debate in the 1990s.
Two witnesses on the law enforcement panel offered a chilling proposal to deal with the well-documented weakness that any domestic encryption ban would do little against the hundreds of encryption products developed and sold internationally. Thomas Galati of the NYPD and Charles Cohen of the Indiana State Police argued that software could be kept off American computing devices by exerting legal pressure on the Android, Apple, and Blackberry app stores.
… At another point in the hearing, lawmakers pressed the FBI's Amy Hess on the role of third-party “grey hat” hackers in accessing the data on the iPhone at the heart of the hotly contested “Apple v. FBI” case. Representative Diana DeGette of Colorado suggested those capabilities might be cultivated internally instead.
Hess disagreed, saying the FBI will always need to seek the cooperation of industry and academic experts. That might have been an opportunity to discuss the duty FBI and other agencies have in disclosing vulnerabilities to those same tech industry companies—an area EFF has worked to shine light on through Freedom of Information Act requests and lawsuits concerning the Vulnerabilities Equities Process (VEP). Unfortunately, no lawmakers pushed Hess on the question.
It’s not just one phone…
Apple Gets Thousands of Requests From Law Enforcement, Transparency Report Shows
… U.S. law enforcement sought information from Apple 4,000 times, covering 16,112 devices, in the second half of 2015, according to Apple’s biannual transparency report, released late Monday. The numbers increased from the first half of 2015, but fell compared with the second half of 2014.
Apple said it handed over some data in 80% of the cases in the second half of 2015, compared with 81% in the first half of 2015 and 79% in the second half of 2014.
Do they offer a “solution?”
Google Charged With Breaking Europe’s Antitrust Rules
European officials charged Google on Wednesday with breaking the region’s competition rules by favoring some of its services on the popular Android mobile software over those of its rivals.
The charges are the latest chapter in Europe’s continuing battle with technology companies that have come to dominate how the region’s 500 million people use digital services including social media, like Facebook, and e-commerce, like Amazon. Google has already been the subject of a series of antitrust and privacy investigations across the 28-member bloc.
As part of the latest charges — officially known as a statement of objections — Margrethe Vestager, Europe’s competition chief, said on Wednesday that Google had unfairly promoted [Is that an EU legal term? Bob] its own services, like mobile search and its Chrome web browser, with cellphone manufacturers, limiting how rival companies could operate in the fast-growing smartphone software market.
Interesting volume of data. Withhold information to avoid embarrassing questions? How bureaucratic.
Justice Department to VW: Don’t Release Results of Pollution Probe
The Justice Department has told Volkswagen AG to refrain from publicly releasing results of an independent investigation into cheating on diesel-emissions tests to keep confidential names and events key to the U.S. government’s probes.
The request to keep investigative details under wraps could complicate the car maker’s efforts to provide answers to shareholders, dealers and car buyers. The Justice Department has told lawyers for the firm that making any interim findings public would hamstring efforts to pursue potential criminal charges and a multibillion-dollar fine, according to people familiar with the matter.
… “The Jones Day investigators are sifting through enormous amounts of data,” Europe’s largest car maker said on March 2. “Volkswagen will report preliminary results of the investigation in the second half of April.”
At the time, Volkswagen said 102 terabytes of data had been secured by its investigators, the equivalent of about 50 million books.
… The Justice Department is concerned that if certain names or facts are made public, it could make it more difficult for civil and criminal authorities to determine what happened, according to people familiar with the conversations. Employees or witnesses identified by the company might become reluctant to talk, for example, the people said.
… The withholding of additional details could help the government avoid the criticisms it faced following an earlier auto industry investigation. When General Motors Co. released a report in 2014 amid a federal probe into how it handled problems with its ignition switches, it led to tough questions about why the government decided against charging any of the individuals identified by investigators as knowing about the problem.
Perspective.
Homes are increasingly relying on mobile internet only
… Statistics from a huge survey conducted by the National Telecommunication and Information Administration show that 20 percent of people with home internet rely on mobile only, with no wired connection. That number has doubled since 2013.
… Twenty-seven percent of homes still do not have any form of home internet.
I swear I’m going to make my students do this. Prove you know “how to do that” in whatever technology I’m teaching.
Record Your Desktop with These 12 Great Screencasting Apps
Need to record your desktop? Perhaps you’re demonstrating how to use an app so you can upload the clip to YouTube, or you just need to show a friend or colleague how to do something relatively simple, but can only do that by recording and sharing the clip.
Whatever the reason, you’ll find that screencasting apps are more common than you might think. In fact, half the problem is choosing one that actually works as you want it to. Use our roundup of screencasting apps to find the best tool for the job you’re doing.