Wednesday, April 13, 2016
Reading for my Computer Security students.
Symantec Speaks on Latest Threat Trends
… According to the report (PDF), the number of exposed identities jumped 23% to 429 million. "But this number hides a bigger story. In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced."
Another court explains “search in the digital era.”
Maryland Court ends Baltimore police use of cellphone tracking devices
Via TechDirt: “The Baltimore Police Department’s warrantless deployment of Stingray devices has come to an end. It may have gotten away with it more than 4,300 times so far, but the Maryland Special Appeals Court has declared these devices operate as searches under the Fourth Amendment. The 74-page opinion — which belatedly follows its two-page order from nearly a month ago, indicating which side it had taken in this dispute — dives into every issue implicated by the warrantless use of Stingray devices and examines them alongside a long list of Fourth Amendment-related Supreme Court decisions and the Fourth Circuit Appeals Court’s precedent-setting US v. Graham opinion on cell site location info…” [Darlene Fichter]
Because of its app, Uber may have much more information about you than an “old-fashioned” taxi company does.
What Private Information Did Uber Give the Government?
Between July and December 2015, Uber provided information on more than 11.6 million users and nearly 600,000 drivers to state and local regulatory agencies, the ride-sharing mobile app said Tuesday.
In its first-ever transparency report, the transportation company said it is required by law to provide certain information to government agencies, and has been asked to hand over information on trip requests, pickup and drop-off locations, and fees. Uber says it was able to negotiate “a narrower scope,” limiting the amount of information provided to less than what regulatory agencies requested, for more than 42 percent of requests.
Finding the next “Unabomber”?
USPS leveraging social media to target employee misconduct
Via NextGov: “Paid consultants are scheduled to teach agents “Internet reconnaissance” during a three-day June workshop at the office’s Arlington, Virginia, headquarters, according to a November 2015 contracting notice. The training will include methods “to identify the target individual/organization’s social media and Internet footprint,” the notice states, referring to government employees, contractors and other companies. “Developing the methods necessary to attack those targets successfully” via social media and other public Internet pathways will be one lesson. A government or contract employee’s online footprint could include, among other things, dating websites, user name searches, phone searches, website downloads, people searches, and public records, according to the contract synopsis. Specific websites mentioned are Facebook, YouTube, Pinterest, Google Image Recognition, CraigsList and Google Advanced Search. The online surveillance performed must be covert “with no attribution back” to Postal Service agents, according to the contract…”
Eventually the FBI will leak everything about this hack. Meanwhile, would Apple buy details of the security flaw they used?
FBI paid professional hackers one-time fee to crack San Bernardino iPhone
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
… The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.
… At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States. These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.
Someone really, really needs to explain technology to this guy. Learning security by watching TV News? Is that the best the FBI can do? (By the way, did you also disable the microphone on your laptop?)
The Director of the FBI Puts a Piece of Tape Over his Laptop Webcam. Should You?
FBI Director James Comey said this week, while speaking about privacy issues at Kenyon College, that he places a piece of tape over his laptop webcam to mitigate the danger of secret surveillance.
“I saw something in the news, so I copied it, I put a piece of tape over the camera,” Comey explained, “because I saw somebody smarter than I am had a piece of tape over their camera.”
Passwords are passé. And they are far from adequately secure!
DoD tests public key infrastructure for DTIC secure website access
SecureIDNews: “The federal government’s use of user IDs and passwords for access to its applications could soon give way to more secure PKI-based credentials if more government entities follow the lead of the U.S. Department of Defense. The Defense Department is leveraging PKI to better protect its information systems, with the intent of making access much more secure than the old login system. The DOD’s Defense Technical Information Center (DTIC) – a DOD entity that serves the information needs of the defense community and maintains a large database of research information – announced that it would no longer enable users to access its secure websites by a user ID and password…”
(Related) “Two factor” is also less than perfect.
Two-Factor Authentication Bypassed in Simple Attacks
… In their paper called “How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication,” researchers Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos demonstrate practical attacks against both Android and iOS devices, showing how a Man-in-the-Browser attack can be elevated to bypass 2FA.
A tool to make Facebook’s job easier? At least it provides the content owner a sense that they can do something.
Facebook Launches Tool to Combat Video ‘Freebooting’
Amid complaints from video creators that their content is being stolen and re-uploaded across Facebook, the company on Tuesday announced the release of a new rights management tool for video producers and companies that aims to combat the “freebooting” piracy issue.
In a blog post, Facebook said that the tool, called Rights Manager, will allow video creators to “easily upload and maintain a reference library of the video content they want to monitor and protect.” Creators can set rules that either permit or report copies of their work based on criteria like how much of the video has been clipped or how many views it has garnered.
… Video creators, many of whom make their living on Google’s YouTube through advertising, had griped for months that pirated clips were running wild across Facebook as the social network pushed more into expanding its video business.
The chatbots are coming — and they want to help you buy stuff
The battle for your online shopping dollars has largely been waged on websites and, more recently, smartphone apps. Now, retailers are looking to another digital tool to win your money and your loyalty: An army of chatbots.
Chatbots — the name for robots that simulate human conversation — have been thrust into the spotlight in recent weeks amid a flurry of new experiments in how they might be used to shape the future of shopping. Retail heavyweights Sephora and H&M recently launched bots on messaging app Kik that help shoppers browse and buy their products. Taco Bell showed off its TacoBot, a way to use the messaging app Slack to place a meal order. And on Tuesday, Facebook announced it has created a platform that allows companies to develop bots that run within its Messenger app, which has some 900 million users worldwide.
… evangelists of the technology say that bots are poised to be at the center of a crucial paradigm shift in how we think about using the Internet. While a Web browser might once have been our front door to the Internet and apps often play that role today, experts say that bots could soon become our primary digital gateway. At a conference last month, Microsoft chief executive Satya Nadella said, “Bots are the new apps.”