Friday, July 08, 2016
For my Computer Security students.
Study: More than 50% of SMBs were breached in the past year
A new study conducted by the Ponemon Institute and sponsored by password management provider Keeper Security analyzed the state of cybersecurity in small and medium-sized businesses (SMBs) and found that confidence in SMB security is shockingly low (just 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective).
- 50 percent of respondents reported that they had data breaches involving customer and employee information in the last 12 months.
- Three out of four survey respondents reported that exploits have evaded their anti-virus solutions.
- 59% of respondents say they have no visibility into employees' password practices and hygiene.
- 65% do not strictly enforce their documented password policies.
The scale of a breach is very difficult to measure quickly, as articles like this consistently illustrate.
Remember when Wendy’s updated its breach disclosure in May to report that it was 300 stores impacted? They subsequently revealed that they had found two types of malware and the number of impacted stores could be “considerably higher.”
… Wendy’s first reported unusual payment card activity affecting some restaurants in February 2016. In May, we confirmed that we had found evidence of malware being installed on some restaurants’ point-of-sale systems, and had worked with our investigator to disable it. On June 9th, we reported that we had discovered additional malicious cyber activity involving other restaurants. That malware has also been disabled in all franchisee restaurants where it has been discovered. We believe that both criminal cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.
[Apparently only the Wendy’s in Thornton, Colorado was hit. Bob]
Ah, the joys of having the latest technology!
Megan Scudellari reports:
“It knows too much,” says Wang, an assistant professor of computer science at Binghamton University in Upstate New York. “If you are using a smart watch, you need to be cautious.”
He would know. Wearable devices can give away your PIN number, according to research he and colleagues presented in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China. By combining smart watch sensor data with an algorithm to infer key entry sequences from even the smallest of hand movements, the team was able to crack private ATM PINs with 80 percent accuracy on the first try and more than 90 percent accuracy after three tries.
Read more on IEEE Spectrum.
Computer Security, Data Management and Data Architecture!
Buyers Beware: The Latest Wave of Retail Cyber Scams
… “Retailers have been caught out by bad data architecture. You should never store sensitive information on a network that third-party vendors have access to. Create a systematic classification categorizing what’s sensitive and what’s not,” suggests Yoo.
Daniel Garrie, CEO of consulting firm Law & Forensics and senior advisor at Risk Assistance Network and Exchange (RANE), suggests to his retail clients to go as far as providing cybersecurity to the vendors themselves. “I tell my clients you need to secure them. Spending any amount of money is worth it if these are vendors you can’t live without.”
Will this reignite the encryption debate? Stay tuned.
‘Secret Conversations:’ End-to-End Encryption Comes to Facebook Messenger
Just a few years ago, end-to-end encryption was a nerdy niche: a tiny collection of obscure software let you encrypt communication so only your recipient could read it, but the vast majority left you no option to hide your words from hackers or eavesdroppers. This year, that balance shifted. And now, roughly 900 million more people are about to be invited into the crypto club.
On Friday, Facebook plans to roll out a beta version of a new feature it calls “secret conversations.” It’s encrypted messages, end-to-end, so that in theory no one—not a snoop on your local network, not an FBI agent with a warrant, not even Facebook itself—can intercept them. For now, the feature will be available only to a small percentage of users for testing; everyone with Facebook Messenger gets it later this summer or in early fall.
I’ll use this the next time I teach Statistics. Isn’t the question wrong? Did insurance rates change for these drivers?
Three years ago, the insurance industry set up ten covert speed cameras across Northern Virginia to photograph and access the personal information of 65,000 drivers. A motorist rights group is crying foul. The Insurance Institute for Highway Safety (IIHS) gathered all of this data to make a political point.
“The association between higher speed limits and faster vehicle speeds is well-established, but not as much is known about how horsepower affects travel speeds,” wrote in a May 24 report.
The report was made possible by the 2014 decision of Virginia Department of Motor Vehicle Commissioner Richard D. Holcomb to release vehicle identification number (VIN), age and sex information from the records of 65,000 vehicle owners. IIHS compared this personal information against the facial photograph captured by the industry’s speed cameras to conclude that vehicles “packing more horsepower” drive faster than the posted speed limit.
“Why precisely the insurance industry advocates felt the need to capture facial images of drivers and compare that to personal data in DMV records is a mystery,” NMA president Gary Biller told TheNewspaper. “Identifying drivers isn’t germane to the horsepower versus speed question.”
Indeed. And they could have let me know so that I could comb my hair before blowing off their speed limits in my little sports car.
Read more on TheNewspaper.com.
Well, if no one in Congress cares…
EFF – FBI Must Not Sidestep Privacy Protections For Massive Collection of Biometric Data
by Sabrina I. Pacifici on Jul 7, 2016
Iris Scans, Palm Prints, Face Recognition Data, and More Collected From Millions of Innocent Citizens – “The FBI, which has created a massive database of biometric information on millions of Americans never involved in a crime, mustn’t be allowed to shield this trove of personal information from Privacy Act rules that let people learn what data the government has on them and restrict how it can be used. The Electronic Frontier Foundation (EFF) filed comments today with the FBI, on behalf of itself and six civil liberties groups, objecting to the agency’s request to exempt the Next Generation Identification (NGI) database from key provisions of federal privacy regulations that protect personal data from misuse and abuse. The FBI has amassed this database with little congressional and public oversight, failed for years to provide basic information about NGI as required by law, and dragged its feet to disclose—again, as required by law—a detailed description of the records and its policies for maintaining them. Now it wants to be exempt from even the most basic notice and data correction requirements…”
(Related) “We’re going to do it, but we don’t know what we’re going to do yet.”
Ilan Lior and Or Kashti report:
Interior Minister Arye Dery announced on Thursday that starting next year, joining the biometric database will be obligatory.
“From now on anyone obtaining a document from the Interior Ministry, whether an ID card or a passport, will receive a biometric one. We’ve decided on having this database and we’ll soon decide what will be included in it,” Dery said at a ceremony marking the millionth person to join the biometric database, which was held at the new Population and Immigration Authority office in south Tel Aviv.
Read more on Haaretz.
So, with the U.S. banking sector also embracing biometrics, and with everyone’s Social Security number already having been leaked or compromised in numerous breaches, can the U.S. be far behind in switching to biometrics for identity authentication?
And if so, isn’t it even more important, then, that the FBI not be able to exempt the biometrics database from Privacy Act protections? Have you signed EFF’s petition on this? If not, go do so right now.
Perspective. At least, something to think about.
Deciphering Facebook's Software Philosophy
Last week, Facebook offered a peek into the philosophy governing its News Feed algorithm, the piece of software that decides which posts are shown to people when they log into the platform’s app or homepage. The announcement was more than just academic. One in five adults worldwide use Facebook, and 44 percent of Americans get their news from the platform. If traditional agenda-setting news barons like Rupert Murdoch count as powerful, then surely the News Feed algorithm wields influence, too. In fact, its algorithm may be one of the most powerful pieces of software in the world.
Which makes the ideas governing such a piece of software extra-important. These particular ideas came in a blog post entitled “News Feed Values,” written by Adam Mosseri, a Facebook vice president and the product manager of the News Feed. The post is a list of broad principles and vague promises that users should expect from their News Feed. It was at once a piece of marketing and—more interestingly—a set of operational ethics, a kind of guide to what Facebook values when it decides to alter the feed.
Pew – The Modern News Consumer
by Sabrina I. Pacifici on Jul 7, 2016
“Wave after wave of digital innovation has introduced a new set of influences on the public’s news habits. Social media, messaging apps, texts and email provide a constant stream of news from people we’re close to as well as total strangers. News stories can now come piecemeal, as links or shares, putting less emphasis on the publisher. And, hyper levels of immediacy and mobility can create an expectation that the news will come to us whether we look for it or not. How have these influences shaped Americans’ appetite for and attitudes toward the news? What, in other words, are the defining traits of the modern news consumer? A new, two-part survey by Pew Research Center, conducted in early 2016 in association with the John S. and James L. Knight Foundation, reveals a public that is cautious as it moves into this more complex news environment and discerning in its evaluation of available news sources…”
The difference is important!
Augmented vs. Virtual Reality: What’s the Difference?
… Augmented reality (AR) refers to devices that combine elements of the real world with virtual aspects laid over it. This often manifests itself in using your phone’s camera to display the “real world” with a virtual overlay, though not always.
… VR essentially boils down to: creating an entire world within virtual space. Whereas augmented reality relies on input from the “real world”, virtual reality aims to create its own distinct and separate world.
For the Movie club?
Watch 100+ Free Public Domain Movies on YouTube Now
… The list of films on the aptly named Public Domain Full Movies channel is truly staggering, ranging from some in the 60s and 70s, and going all the way back to the silent film era of the early 1900s.