So it appears that 71 million Twitter login credentials
(email addresses and passwords, all cleartext) are up for sale on the dark net.
No
indication where they came from or how fresh they are (I’ve inquired
and will update this post if I get any info).
Might this be a good time to change your password?
And if the Twitter offering doesn’t concern you, how about
80,000 Amazon
Kindle users’ details? TechMic
reports:
@0x2Taylor — said in a Twitter
direct message that he and a friend “breached a server” owned by Amazon that
contained database files with more than 80,000 Kindle users’ information.
“When they first got Kindles and
set them up, all their stuff was being logged and put into a database,”
@0x2Taylor said. He added that the
database includes a user’s email, password, city, state, phone number, zip
code, user-agent, LastLoginIP, Proxy IP and street. He sent us several emails and passwords in an
effort to legitimize the breach.
“If I don’t receive a payment
from them the data will be posted online along with an older dump,” he said.
As of the time of this posting, there’s a 569 MB dump with
83k records that the hacker has uploaded. The file is dated May 25.
(Related) When do
you report an incident? (DLP = Data Loss Prevention)
OIG Audit of FDIC Info System Security Issues
by Sabrina
I. Pacifici on Jul 8, 2016
“Our audit focused on the FDIC’s processes for addressing
one particular type of information security incident—a breach of sensitive
information—because the incident we selected for detailed review (i.e., the
Florida Incident) was a breach. The
Florida Incident involved a former FDIC employee who copied a large quantity of
sensitive FDIC information, including personally identifiable information, to
removable media and took this information when the employee departed the FDIC’s
employment in October 2015. The FDIC
detected the incident through its DLP tool.
Audit Results
Although the FDIC had
established various incident response policies, procedures, guidelines, and
processes, these controls did not provide reasonable assurance that major
incidents were identified and reported in a timely manner. Specifically, we found that:
- The FDIC’s incident response policies, procedures, and guidelines did not address major incidents.
- The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC’s ability to identify all security incidents, including major incidents.
- Further, based on our analysis of the Florida Incident, we concluded that the FDIC had not properly applied the criteria in OMB Memorandum M-16-03 when it determined that the incident was not major. Specifically, the FDIC based its determination on various mitigation factors related to the “risk of harm” posed by the incident. Although such factors have relevance in determining the mitigation actions to be taken in addressing incidents, the factors are not among those listed in OMB Memorandum M-16-03 for agencies to consider when determining whether incidents are major and, therefore, are not relevant. We notified the CIO on February 19, 2016 that our analysis of the Florida Incident found that reasonable grounds existed to designate the incident as major as of December 2, 2015, and, as such, the incident warranted immediate reporting to the Congress. The FDIC subsequently reported the Florida Incident to the Congress as major on February 26, 2016…”
A question for my Computer Security class? Is censorship their job?
Facebook explains censorship policy for Live video
Facebook only removes content if it celebrates or
glorifies violence, not if it’s only graphic or disturbing, according to a
spokesperson.
Facebook also insists that the video of Philando Castile’s
death was temporarily unavailable due to a technical glitch that was Facebook’s
fault. That contradicts theories that
the video disappeared due to Facebook waffling on whether it should stay up, a
high volume of reports of it containing violent content, a deletion by police
who’d taken possession of Castile’s girlfriend’s phone and Facebook account or
a request from police to remove it.
However, Facebook refused to detail exactly what caused
the glitch, such as a traffic spike. It
did release this statement, however.
… The company
suspiciously refused to detail the cause of the glitch, though a spike in
traffic is a possibility. Still, that
ambiguity stokes concerns that Facebook purposefully brought down the clip.
Even if it was a technical glitch, it’s one Facebook must
prevent from happening in the future. Live
is its chance to become a hub for real-time news that has historically ended up
on Twitter first. And with the
acquisition of Periscope, Twitter wants to control live video broadcasting,
too. Users may reach for whichever they
think is most likely to make their voice heard and not censor them.
Jobs for my Computer Security students?
Criminal Capability Outpacing Ability to Defend Attacks in
UK: Report
The UK's National Crime Agency (NCA) released its Cyber
Crime Assessment 2016 this week. Designed to outline the "real and
immediate threat to UK businesses" from cyber crime, the report tells us little that is new. It argues that criminal capability is
outpacing industry's ability to defend against attacks, and suggests that
"only by working together across law enforcement and the private sector
can we successfully reduce the threat to the UK from cyber crime."
Something for my lawyer friends? (and my Computer Security students)
The law firm of Bryan Cave lists nine factors
entities should look at when considering the risk that litigation poses
following a breach. They note:
Specifically, unless a
plaintiff has been the victim of identity theft or has suffered some other type
of concrete injury, most courts have refused to let them proceed based solely
on the allegation that they are subject to an increased risk of harm as a
result of the breach.
They then go on to list factors to consider in assessing
risk:
- Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
- Were the records lost encrypted, obscured, or de-identified?
- Could the type of information lost be used to commit identity theft?
- Did patients suffer any direct monetary harm?
- Has there been any evidence of actual identity theft?
- Could the data loss hurt the reputation of a patient or cause emotional distress?
- Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
- If so, what percentage of impacted consumers availed themselves of your offer?
- If filed as a class action, is the class representative’s claim of identity theft premised on unique facts?
Unfortunately, the article doesn’t indicate whether their
list of factors is ranked in order of importance/predictive value or is
just in random order. Looking at their
list, I think 3, 4, 5, and 6 may be the most predictive of whether standing
would be conferred, but I’ve written to them to ask their opinion, and will
update this post if I get a response.
Their article also lists allegations plaintiffs have
made that courts have not found sufficient to confer standing and
allegations which some courts have found sufficient to confer
standing.
Read the article here.
For another perspective on the risks of litigation with
reference to specific court opinions, read No
harm, no foul? Private and public litigation in cybersecurity law.
Is this the future of IT?
At minimum the architecture is changing.
Exclusive: Why Microsoft is betting its future on AI
… No matter where we
work in the future, Nadella says, Microsoft will have a place in it. The company’s "conversation as a
platform" offering, which it unveiled in March, represents a bet that
chat-based interfaces will overtake apps as our primary way of using the
internet: for finding information, for shopping, and for accessing a range of
services. And apps will become smarter
thanks to "cognitive APIs," made available by Microsoft, that let
them understand faces, emotions, and other information contained in photos and
videos.
… In January, The
Verge described the tech industry's search
for the killer bot. In the months
that followed, companies big and small have accelerated their development
efforts. Facebook opened
up a bot development platform of its own, running on its popular Messenger
chat app. Google announced a new
intelligent assistant running inside Allo, a
forthcoming messenger app, and Home,
its Amazon Echo competitor. Meanwhile
the Echo, whose voice-based inputs have captivated developers, is reportedly in
3 million homes, and has added 1,200 "skills" through its API.
… But to win, Lu
says, a company needs five "key assets." The first is a "conversation canvas"
— a place where people are doing lots of talking and texting. Microsoft has Office, Outlook, Skype, and
Cortana. The second is that AI
"brain" — a sophisticated mental model of the world. Microsoft says its own AI efforts date back
nearly 20 years. The third is access to
a social graph — people’s activity on the internet often involves their friends
and coworkers. Not coincidentally, a few
days after I met Lu, Microsoft announced
it would spend $26.2 billion to acquire LinkedIn, and its 433 million
registered users.
The fourth piece is a platform for the artificial
intelligence to operate on. Microsoft
has Windows and a family of devices, notably the Xbox. The final piece is a network of developers
eager to build on your platform, and to pay you for the privilege. Stoking that interest had been the primary
goal of the Microsoft Build developer conference in March.
Is this the future of law enforcement? Do remotely controlled robots allow cooler
heads to determine how much force is required?
The Dallas Shooting and the Advent of Killer Police Robots
… “I’m not aware
of officers using a remote-controlled device as a delivery mechanism for lethal
force,” said Seth Stoughton, an
assistant professor of law at the University of South
Carolina who is a former police officer and expert on police methods. “This is sort of a new horizon for police
technology. Robots have been around for
a while, but using them to deliver lethal force raises some new issues.”
Thoughtful analysis.
The WSJ does this well. (even
guest writers)
Roads That Work for Self-Driving Cars
In May, a Tesla “autopilot” enthusiast in Florida became
the first known fatality in a self-driving car. But
this was no ordinary accident. The car performed exactly as designed, and
the (non)driver’s failure to take any corrective action could reasonably have
been foreseen by the manufacturer. This
unwelcome yet widely anticipated milestone may set back progress on what
promises to be one of the most valuable technologies of the 21st century.
… The National
Highway Traffic Safety Administration is soon expected to issue rules that will mandate transponders for all new cars
and most trucks. This
will permit vehicles to broadcast their speed, heading and braking status to
anyone or anything within 300 meters, which is well beyond the range of current
onboard sensors. These devices, called
“V2V” (vehicle-to-vehicle) communicators, can see around corners and convey a
driver’s intent (such as, say, an impending left turn), along with other
relevant information.
… The potential
economic and social benefits of self-driving technology are difficult to
overstate. When the taxi you summon
arrives within seconds and doesn’t require a driver, personal transportation
will be far more convenient and much cheaper. You won’t want to own (or insure) your own
car. Garages will go the way of
outhouses, and the 14% of Los Angeles real estate devoted to parking can be
repurposed for higher uses.
… In the fatal
self-driving accident in Florida, the car failed to recognize that a truck
traveling in the other direction was about to make a left turn in front of it. Tesla pointed out that the driver also failed
to take corrective action. As the
company said in a statement, “When
drivers activate Autopilot, the acknowledgment box explains, among other
things, that Autopilot is an assist feature that requires you to keep your
hands on the steering wheel at all times.”
This disclaimer may mitigate Tesla’s liability, but it’s
simply not practical to ask passengers in a self-driving vehicle to remain
alert and engaged. Reports from the
accident scene in Florida suggest that the driver may have been watching a
“Harry Potter” movie on a portable DVD player at the time.
The risk now is that politicians and government agencies,
reacting to such unfortunate incidents, will enact a hodgepodge of new
regulations that will hamper the development and adoption of the technology.
For all my students, not just the Computer Security
students.
Should You Accept LinkedIn Invites from Strangers?
A recent survey, reported in SC Magazine, found
that 24% of surveyed LinkedIn users have connected with people they didn’t know
on the professional social network, despite
LinkedIn’s repeated warnings not to do so. Why is this an issue?
Because LinkedIn can be a vector for spear-phishing and other types of attacks.
Tips for my students.
My students already snap pictures of my math problems from the
whiteboards.
Get Mad Detective Research Skills with PDF Tricks & a
Smartphone
The smartphone is an invaluable tool for
capturing data wherever you are.
No matter what you’re researching or what real-world
information you need to save,
Maybe you are a university student who needs to
archive newspaper clippings on microfiche, an archivist who wants to save a
page or two from an antique book, or a web researcher who needs to archive
emails and web pages.
The PDF format — and the smartphone apps that help you create and organize PDF documents — is one of the
fastest ways to collect lots of information easily.
Humor in education.
Hack Education Weekly News
… Via
ProPublica: “New Jersey‘s Student Loan Program is ’State-Sanctioned Loan-Sharking’.”
[Hey! It’s New Jersey, what else did you
expect? Bob]
… Via
the Texas Tribune: “Three University of Texas at Austin
professors sued their university and the state on Wednesday, claiming Texas’
new campus
carry law is forcing the school to impose ‘overly-solicitous,
dangerously-experimental gun policies’ that violate the First and Second
Amendments.”
[From the article:
"Compelling professors at a
public university to allow, without any limitation or restriction, students to
carry concealed guns in their classrooms chills their First Amendment rights to
academic freedom," the lawsuit says.
… Michigan State University
has dropped
its general ed requirement that students take college-level algebra.
… From the Berkman Klein Center:
“Privacy and Student Data – An Overview of Federal Laws
Impacting Student Information Collected Through Networked Technologies.”
… Via
the Milwaukee Wisconsin Journal Sentinel: “Over the past three decades,
state and local expenditures on prisons and jails have
increased more than three times as fast as spending on elementary and secondary
education, according to a new brief released Thursday by the U.S. Department of
Education.”