Saturday, May 28, 2016
If this claim is true, does it suggest hacking is even easier than we thought?
Lorenzo Franceschi-Bicchierai reports:
There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.
MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.
Read more on Motherboard.
There has been a significant increase in ATM thefts recently. Here’s how to do it.
3 Danger Signs to Look for Each Time You Use an ATM
Encrypt everything. Use TOR. Pretend to be someone else (like a law professor or Secretary of State, for example).
A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.
If passed, the change would expand the reach of the FBI’s already highly controversial national security letters.
… In February, FBI Director James Comey testified during a Senate Intelligence Committee hearing on worldwide threats that the FBI’s inability to get email records with NSLs was a “typo” — and that fixing it was one of the FBI’s top legislative priorities.
Greene warned at the time: “Unless we push back against Comey now, before you know it, the long slow push for an [electronic communication transactional records] fix may just be unstoppable.”
The FBI used to think that it was, in fact, allowed to get email records with NSLs, and did so routinely until the Justice Department under George W. Bush told the bureau that it had interpreted its powers overly broadly.
Ever since, the FBI has tried to get that power and has been rejected, including during negotiations over the USA Freedom Act. [If at first you don’t succeed, try over and over and over and over, until you do. Bob]
Perhaps we should call politicians and claim they owe a ‘Federal Stupid Tax’? I wonder how many would bite?
IRS Warns Taxpayers About New Scam Involving Bogus 'Federal Student Tax'
… the Internal Revenue Service (IRS) issued a warning about a new scam making the rounds. The latest IRS impersonation scheme involves bogus phone calls demanding payment for a non-existent tax, the “Federal Student Tax.”
The lack of such a tax hasn’t kept scammers from targeting students, and threatening to report them to the police if they do not immediately wire money via MoneyGram or other untraceable method. According to the FTC, the callers generally have some piece of information that makes the call seem legit. That information might be the name of the student’s school or info that is designed to make the student feel like the caller is a real authoritative figure. Sometimes, if the student hangs up on the caller, the caller follows up with spoofed caller-ID information advising that 911 or the U.S. Government is calling.
Something my Computer Security students agreed should be built into every password system.
Microsoft bans ‘12345’ and other common passwords to boost security
Microsoft wants you to stop using “password” as your account password, and the company knows just how to do that — ban it outright.
The company wrote in a technical blog, noticed by online news site Mashable, that it will ban users from setting up some of the most commonly used passwords.
Microsoft hopes the practice will increase security for user accounts, as those with passwords such as “football” and “12345” are some of the most susceptible to hackers.
If users try to set up an account with many of the passwords found on the annual Worst Passwords List put together by SplashData, Microsoft will show a red warning that says, “Choose a password that’s harder for people to guess.”
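A minimal version of such a check, written here as an added example (this is not Microsoft's code, and the normalisation steps are my own assumption, not Microsoft's published matching method). The blocklist entries and the character-substitution table are constructed for illustration; a real deployment would load a much larger list. The check rejects not only exact matches like "12345" but also trivial variants such as "Football2016" or "P@ssw0rd!", and returns the same warning text the article quotes.

```python
import re
from typing import Optional, Set

# Constructed sample blocklist: a handful of entries of the kind found on
# "worst passwords" lists. Placeholder for a real, much larger list.
BANNED_PASSWORDS = frozenset({
    "password", "12345", "123456", "football", "qwerty", "letmein",
})

# Assumed leetspeak substitutions (my assumption, used to catch variants
# such as "P@ssw0rd"; not Microsoft's algorithm).
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Warning text quoted in the article.
WARNING = "Choose a password that's harder for people to guess."


def candidate_forms(candidate: str) -> Set[str]:
    """Return the normalised forms of a password that are compared to the list.

    Forms: lower-cased input; the same with a trailing run of digits/symbols
    removed ("football2016" -> "football"); and each of those with common
    character substitutions undone ("p@ssw0rd" -> "password").
    """
    base = candidate.strip().lower()
    forms = {base}
    stripped = re.sub(r"[^a-z]+$", "", base)
    if stripped:  # "12345" strips to nothing; keep only the raw form then
        forms.add(stripped)
    forms |= {form.translate(_SUBSTITUTIONS) for form in list(forms)}
    return forms


def is_banned(candidate: str) -> bool:
    """True if any normalised form of the candidate is on the blocklist."""
    return any(form in BANNED_PASSWORDS for form in candidate_forms(candidate))


def check_password(candidate: str) -> Optional[str]:
    """Return the warning to show the user, or None if the password is allowed."""
    return WARNING if is_banned(candidate) else None


if __name__ == "__main__":
    # Constructed sample inputs
    for pw in ["12345", "Football2016", "P@ssw0rd!", "correct horse battery staple"]:
        verdict = check_password(pw)
        print(f"{pw!r:35} -> {verdict or 'accepted'}")
```

Because the blocklist comparison runs on normalised forms, appending a year or swapping "a" for "@" does not get a banned word past the check; anything not on the list is still left to the usual length and breach-corpus checks, which this example does not attempt.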
Something my Ethical Hacking class should consider. When we find holes in FBI systems, should we tell anyone?
Over on Daily Dot this morning, I reported that the FBI executed a search warrant at the home of researcher Justin Shafer. Shafer’s name will be familiar to regular readers of DataBreaches.net because he exposed a long-standing security vulnerability in Dentrix software and challenged Henry Schein’s claims that their product provided “encryption.” Our combined efforts resulted in the recent consent order announced by the FTC.
… If Shafer did nothing wrong, how did a prosecutor convince a magistrate judge to issue a search warrant based on probable cause when there was no code bypassed, no login required, no evidence that any data downloaded had been used in furtherance of a crime, and no personal data disclosed publicly in Shafer’s reporting on the incident or this site’s reporting on it? Unfortunately, the probable cause affidavit is under seal, but this blogger wonders if the magistrate judge really understood the nature of an anonymous FTP server.
For my next talk on encryption…
The Downside of the FCC’s New Internet Privacy Rules
There may soon be a new cop on the privacy beat — the Federal Communications Commission. Last month, the FCC issued a 150-page document proposing sweeping new rules and regulations for broadband Internet Service Providers (ISPs). But in my analysis, this is not good news for those who genuinely care about promoting consumer privacy.
To understand why the FCC’s involvement would create more problems than it would solve, it helps to understand a massive shift in web security over the last few years: the overwhelmingly successful campaign to encrypt data flowing to and from consumers over the Internet.
My government in action! Should we say government is slow and poorly managed, or that no matter how much money they toss at a problem, it still manages to be slow?
OPM IG Report on Information Infrastructure Improvement Project
by Sabrina I. Pacifici on May 27, 2016
Second Interim Status Report on the U.S. Office of Personnel Management’s (OPM) Infrastructure Improvement Project – Major IT Business Case (Report No. 4A-CI-00-16-037). May 18, 2016.
“OPM has still not performed many of the critical capital project planning practices required by the Office of Management and Budget (OMB). Of primary concern, prior to initiating the Infrastructure Improvement Project (Project), OPM did not perform the mandatory Analysis of Alternatives to evaluate whether moving all infrastructure and systems to a new environment (initially known as Shell, but now referred to as IaaS [Infrastructure as a Service]) was the best solution to address the stated objective of this initiative: to provide a secure operating environment for OPM systems at a lower cost. In light of recent developments involving the creation of the National Background Investigations Bureau within OPM to replace the Federal Investigative Services, the current Federal background investigations program, and the shifting of the responsibility for developing and maintaining the associated information technology systems to the Department of the Defense, this analysis is even more important. In addition, most, if not all, of the supporting project management activities required by OMB have still not been completed…”
See also related posting, CRS Insights – OPM Data Breach
I sense a business opportunity here. Skype into our classes?
FT Business Education – Executive education rankings 2016
by Sabrina I. Pacifici on May 27, 2016
FT Business Education Report, May 23, 2016: “For the dream of lifelong learning to be realised fully, those in the 35-60 age group must also be given the opportunity to refine and revise their skills throughout their careers, which could well stretch into their seventies. This is not happening enough. Executive education has traditionally been one niche in which the middle aged have been able to polish their skills. But the supercharged intensity of the modern office makes it hard to get away from daily duties. Glenn Hubbard, dean of Columbia Business School, ruefully observes that its MBA graduates have a lifetime entitlement to come back and sit in on any class—but they almost never find the time. “People don’t take me up on it because they are busy,” he says.”
Might be fun to try.
Amazon Alexa Hits The Browser With Echo Simulator Skill Testing Tool: Here's How It Works
Amazon recently unveiled Echosim.io, a site that emulates the functionality of an Amazon Echo speaker, bringing the Alexa voice assistant technology to desktops.
… It's really easy to tap into Alexa's potential on desktop systems. Simply go to Echosim.io and sign in with your Amazon username and password, then hold your mouse over the microphone button and start interacting with the voice assistant. Obviously, you will need a working microphone to throw more or less serious questions at the AI.
For anyone who likes to look up.
5 Tools to Watch the Night Sky and Track Events in Astronomy
[And one of my favorites: http://iss.astroviewer.net/observation.php?lon=-104.990251&lat=39.7392358&name=Denver Bob]