Wednesday, April 20, 2016
A small, local breach.
So which vendor was responsible for this one? The archdiocese wouldn’t answer that question when I put it to them….
Tom McGhee reports:
Authorities are investigating a data breach at the Catholic Archdiocese of Denver that put current and terminated employees, their dependents, spouses, and beneficiaries at risk of ID theft.
A third-party software provider that administers the data reported that someone had gotten into an Archdiocese payroll system and looked at W-2 information for about 80 individuals in October, said Keith Parsons, Archdiocese CFO on Tuesday.
It wasn’t clear at that time if the information was used to steal identities from the database, which also includes information about employee spouses, dependents and insurance beneficiaries, Parsons said.
Read more on Denver Post.
What does this tell us about the “security mindset?” I think I’ll ask my students.
Google warns 760,000 websites: 'You've been hijacked' - but many are infected again in days
Google is urging website operators to sign up for its security notifications after a study of 760,935 hijacked websites revealed the difficulties in cleaning up infections that expose visitors to malware.
Google details its findings in a study it conducted with the University of California, Berkeley, which looked at the hijacked websites it found in an 11-month period to June 2014.
The sites were identified through Google Safe Browsing, which notifies browser users of a potentially harmful site, and Search Quality, which flags risky sites in search results.
The study looked at the most effective way to communicate the issue to website operators, and whether operators had the technical knowhow to resolve it.
(Related) I’m not the only one concerned.
Security Awareness Training: Poor in UK, Better in US
AXELOS, a UK firm with strong ties to the UK government Cabinet Office, yesterday published a stinging criticism on business security awareness training in the UK. "The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviors look like," it reported.
This happens to be part of my Computer Security lecture this week.
The Emergence of Identity as an Enterprise Attack Surface
In spite of heroic efforts, many companies today offer attackers no shortage of vulnerable points for entry into their networks. Whether it’s cloud services unknown to the corporate security team, or a web server that is 10 patch revisions behind, or an application that never underwent proper security or code review – the options are plentiful.
Once an attacker gets in, they have to achieve their objectives. They need to move around, understand your organization’s layout and find exploitable weaknesses to accomplish their mission. Or they could completely bypass all that by assuming the identity of one of your administrators and (likely) have free rein of everything. Complicating this further, attackers don’t just come at you from the ‘outside.’ Sometimes, they’re existing employees seeking to exploit your organization’s weaknesses to steal information without anyone noticing and leave for a competitor.
… If you doubt the danger that identities pose to your organization, you should conduct a simple test. Pick any given user in your organization—an administrator or generic user—and investigate the power their identity has on your network, systems and applications. In most companies, when a new user is on-boarded they are given rights to the network, systems and applications they need to do the job they’re assigned. Over time, that scope creeps and spins out of control.
Over the course of a few months to a few years many of these identities never lose the old access requirements they had when they were hired. They move from role to role and acquire new access requirements. Before you know it, individuals have got access to servers, shared folders, applications and loads of other things to which they don’t need access. Processes for clean-up and audit are becoming more pervasive, but still not commonplace, even as identity stores grow over time. It’s an effort that requires deliberate focus and attention.
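The "simple test" the article proposes, as an added example that is not part of the original article: compare what a user's current role justifies against every entitlement they have accumulated across earlier roles. The role model, users and grants are constructed; a real review would pull them from the identity store.

```python
"""
Added access-review example for the role-to-role scope creep described above.
ROLE_ENTITLEMENTS, the users and their grants are constructed sample data, not
any real organization's configuration.
"""
from dataclasses import dataclass, field

# Assumed role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticket-system", "password-reset"},
    "sysadmin": {"ticket-system", "server-ssh", "backup-console"},
    "finance":  {"erp-read", "payroll-share"},
}

@dataclass
class Grant:
    entitlement: str
    granted_under: str   # role the user held when the grant was made
    granted_on: str      # ISO date; used only to order findings

@dataclass
class User:
    name: str
    current_role: str
    grants: list = field(default_factory=list)

def stale_grants(user):
    """Grants the user's current role does not justify, oldest first.
    An entitlement granted under an old role but still needed now is not stale."""
    needed = ROLE_ENTITLEMENTS.get(user.current_role, set())
    stale = [g for g in user.grants if g.entitlement not in needed]
    return sorted(stale, key=lambda g: g.granted_on)

def review(users):
    """Map each user with findings to the stale entitlement names; clean users are omitted."""
    return {u.name: [g.entitlement for g in stale_grants(u)]
            for u in users if stale_grants(u)}

# Constructed sample: Dana moved helpdesk -> sysadmin -> finance and kept everything.
USERS = [
    User("dana", "finance", [
        Grant("password-reset", "helpdesk", "2013-02-01"),
        Grant("server-ssh", "sysadmin", "2014-09-15"),
        Grant("erp-read", "finance", "2016-01-10"),
        Grant("payroll-share", "finance", "2016-01-10"),
    ]),
    User("eli", "helpdesk", [Grant("ticket-system", "helpdesk", "2015-06-01")]),
]

if __name__ == "__main__":
    for name, stale in review(USERS).items():
        print(f"{name}: remove {', '.join(stale)}")
```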
Outsmarting Jeff Bezos? How amazing! This is from a victim.
KU Scammers on Amazon – What’s Going On?
… For those who don’t know, to be in KU, a book can’t be available at any other vendor. Amazon exclusive. The bonus is that it gets slightly better visibility simply because it can be a “recommendation” to KU browsers. Books not in KU are often not shown to them unless they are bigger names.
On to the issue of the scammers and what’s really going on…
… KU 2.0 (which is what we’re in now) pays by the page. Not pages in books, but pages reader reads.
So, let’s say a reader checks out a book from KU, reads to page 100, decides they don’t like the book and returns it. The author gets paid for the 100 pages read. If it’s a page turner that the reader reads through to the end, the authors get paid for all 500 pages of wonderful and quality prose.
The pay per page is a small number and varies by a few thousandths of a penny each month, but it seems to be settling in at around $00.0045 per page. That equates to about $1.575 for a 350 page book.
One thing we were all assured by Amazon…many times…in writing…was that Amazon knew how much a reader was reading in each book and they would pay us for those pages.
Scammers being scammers, they realized Amazon was lying very early on. Amazon couldn’t tell what pages were read. They only knew the last place you were at in the book. And that’s what they were paying authors, the last place that the reader synced in the book.
So, a KU borrow on a device that didn’t sync until after the book was read and the reader flipped back to the front to check out what else you’d written? Yeah, no pages read.
But likewise, a reader who clicked a link on Page 1 offering them the opportunity to win a Kindle Fire HDX 8.9 and a $100 Amazon Gift Card … which then sent them to the back of a 3000 page book? Yep, you guessed it. They got paid for 3000 unread pages. (And no, there was no winner for those contests that anyone knows of.)
… One of the scammers has YouTube tutorials on how to pull the scam. He showed a screen shot of a 15 year old kid’s KDP Dashboard who made over $70,000 in one month pulling this scam. And there are HUNDREDS of them.
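The accounting flaw the post describes, as an added example that is not part of the original post and not Amazon's code: crediting everything up to the last synced position versus crediting only pages that were actually displayed. The event format, dwell-time threshold and reading sessions are constructed assumptions; the per-page rate is the figure quoted in the post.

```python
"""
Added model of the KU 2.0 pay-per-page flaw described above. Amazon's real
implementation is not public; PageView, the 2-second threshold and both
sessions are constructed for illustration.
"""
from dataclasses import dataclass

RATE_PER_PAGE = 0.0045  # USD per page, as quoted in the post above

@dataclass(frozen=True)
class PageView:
    page: int       # page number shown on the device
    seconds: float  # how long it stayed on screen before the next event

def credited_pages_last_sync(views):
    """Flawed accounting: credit every page up to the furthest synced position.
    One jump from page 1 to page 3000 credits 3000 pages, none of them read."""
    return max((v.page for v in views), default=0)

def credited_pages_rendered(views, min_seconds=2.0):
    """Hardened accounting: credit each distinct page once, and only if it stayed
    on screen long enough to plausibly have been read (assumed threshold)."""
    return len({v.page for v in views if v.seconds >= min_seconds})

def payout(pages, rate=RATE_PER_PAGE):
    return round(pages * rate, 4)

def compare(views):
    """Pages credited by each method, so the gap between them is visible."""
    return {"last_sync": credited_pages_last_sync(views),
            "rendered": credited_pages_rendered(views)}

# Constructed sessions
HONEST_READER = [PageView(p, 45.0) for p in range(1, 101)]  # reads 100 pages, returns the book
JUMP_TO_END = [PageView(1, 3.0), PageView(3000, 1.0)]       # page-1 link lands on page 3000

if __name__ == "__main__":
    for label, session in (("honest", HONEST_READER), ("jump", JUMP_TO_END)):
        c = compare(session)
        print(f"{label}: last-sync ${payout(c['last_sync'])} vs rendered ${payout(c['rendered'])}")
```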
All talk and no listening?
App Store Censorship and FBI Hacking Proposed at Congressional Crypto Hearing
Tech experts and industry representatives squared off against law enforcement officials in two sessions of lively testimony today in front of the House Energy and Commerce committee. Today's hearing is the latest in the ongoing battle in the courts and legislature commonly called the second “Crypto Wars,” after a similar national debate in the 1990s.
Two witnesses on the law enforcement panel offered a chilling proposal to deal with the well-documented weakness that any domestic encryption ban would do little against the hundreds of encryption products developed and sold internationally. Thomas Galati of the NYPD and Charles Cohen of the Indiana State Police argued that software could be kept off American computing devices by exerting legal pressure on the Android, Apple, and Blackberry app stores.
… At another point in the hearing, lawmakers pressed the FBI's Amy Hess on the role of third-party “grey hat” hackers in accessing the data on the iPhone at the heart of the hotly contested “Apple v. FBI” case. Representative Diana DeGette of Colorado suggested those capabilities might be cultivated internally instead.
Hess disagreed, saying the FBI will always need to seek the cooperation of industry and academic experts. That might have been an opportunity to discuss the duty FBI and other agencies have in disclosing vulnerabilities to those same tech industry companies—an area EFF has worked to shine light on through Freedom of Information Act requests and lawsuits concerning the Vulnerabilities Equities Process (VEP). Unfortunately, no lawmakers pushed Hess on the question.
It’s not just one phone…
Apple Gets Thousands of Requests From Law Enforcement, Transparency Report Shows
… U.S. law enforcement sought information from Apple 4,000 times, covering 16,112 devices, in the second half of 2015, according to Apple’s biannual transparency report, released late Monday. The numbers increased from the first half of 2015, but fell compared with the second half of 2014.
Apple said it handed over some data in 80% of the cases in the second half of 2015, compared with 81% in the first half of 2015 and 79% in the second half of 2014.
Do they offer a “solution?”
Google Charged With Breaking Europe’s Antitrust Rules
European officials charged Google on Wednesday with breaking the region’s competition rules by favoring some of its services on the popular Android mobile software over those of its rivals.
The charges are the latest chapter in Europe’s continuing battle with technology companies that have come to dominate how the region’s 500 million people use digital services including social media, like Facebook, and e-commerce, like Amazon. Google has already been the subject of a series of antitrust and privacy investigations across the 28-member bloc.
As part of the latest charges — officially known as a statement of objections — Margrethe Vestager, Europe’s competition chief, said on Wednesday that Google had unfairly promoted [Is that an EU legal term? Bob] its own services, like mobile search and its Chrome web browser, with cellphone manufacturers, limiting how rival companies could operate in the fast-growing smartphone software market.
Interesting volume of data. Withhold information to avoid embarrassing questions? How bureaucratic.
Justice Department to VW: Don’t Release Results of Pollution Probe
The Justice Department has told Volkswagen AG to refrain from publicly releasing results of an independent investigation into cheating on diesel-emissions tests to keep confidential names and events key to the U.S. government’s probes.
The request to keep investigative details under wraps could complicate the car maker’s efforts to provide answers to shareholders, dealers and car buyers. The Justice Department has told lawyers for the firm that making any interim findings public would hamstring efforts to pursue potential criminal charges and a multibillion-dollar fine, according to people familiar with the matter.
… “The Jones Day investigators are sifting through enormous amounts of data,” Europe’s largest car maker said on March 2. “Volkswagen will report preliminary results of the investigation in the second half of April.”
At the time, Volkswagen said 102 terabytes of data had been secured by its investigators, the equivalent of about 50 million books.
… The Justice Department is concerned that if certain names or facts are made public, it could make it more difficult for civil and criminal authorities to determine what happened, according to people familiar with the conversations. Employees or witnesses identified by the company might become reluctant to talk, for example, the people said.
… The withholding of additional details could help the government avoid the criticisms it faced following an earlier auto industry investigation. When General Motors Co. released a report in 2014 amid a federal probe into how it handled problems with its ignition switches, it led to tough questions about why the government decided against charging any of the individuals identified by investigators as knowing about the problem.
Homes are increasingly relying on mobile internet only
… Statistics from a huge survey conducted by the National Telecommunication and Information Administration show that 20 percent of people with home internet rely on mobile only, with no wired connection. That number has doubled since 2013.
… Twenty-seven percent of homes still do not have any form of home internet.
I swear I’m going to make my students do this. Prove you know “how to do that” in whatever technology I’m teaching.
Record Your Desktop with These 12 Great Screencasting Apps
Need to record your desktop? Perhaps you’re demonstrating how to use an app so you can upload the clip to YouTube, or you just need to show a friend or colleague how to do something relatively simple, but can only do that by recording and sharing the clip.
Whatever the reason, you’ll find that screencasting apps are more common than you might think. In fact, half the problem is choosing one that actually works as you want it to. Use our roundup of screencasting apps to find the best tool for the job you’re doing.