Tuesday, August 02, 2016
For my Computer Security students. See why I stress Best Practices?
Defending Our Data: The Need for Information We Do Not Have
by Sabrina I. Pacifici on Aug 1, 2016
Warner, Richard and Sloan, Robert H., Defending Our Data: The Need for Information We Do Not Have (July 29, 2016). Available for download at SSRN: http://ssrn.com/abstract=2816010
“Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.”
For my Ethical Hacking students and the Pen-Testing Club.
Researcher Earns $5,000 for Hacking Imgur
Researcher Nathan Malcolm started analyzing Imgur’s systems in the summer of 2015 and quickly discovered several types of vulnerabilities, including clickjacking, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues.
While it had been accepting vulnerability reports, Imgur only launched a bug bounty program in September 2015, shortly after hackers discovered a flaw that allowed them to attach malicious code to image files. Attackers exploited the security hole to launch a distributed denial-of-service (DDoS) attack against the imageboard website 8chan.
Yeah, we were looking for him but we were not searching for him.
Pinging a cellphone is justified by exigent circumstances, court holds
In a decision issued today in United States v. Caraballo, the U.S. Court of Appeals for the Second Circuit (per Judge Guido Calabresi) held that police did not violate the Fourth Amendment when they “pinged” a suspect’s cellphone because exigent circumstances existed. I find the outcome plausible on its facts, but the analysis strikes me as pretty unusual.
… The second part of the exigent circumstances analysis is more doctrinally novel. Judge Calabresi quotes a passage from a prior case saying that the amount of force and the degree of privacy invasion used in carrying out a search and seizure are relevant to reasonableness. From that, he deduces a somewhat different principle:
Maybe cheating a little on emissions tests was not such a good idea?
Bavaria to sue VW over state pension fund losses
As of September 2015, when the emissions manipulation scandal became public, Bavaria held some 58,000 preferred shares in Lower-Saxony-based Volkswagen. They've lost some 40 percent of their value, and dpa reports that Bavaria is seeking 700,000 euros ($781,480) in damages.
Now this could be amusing!
Washington state suing Comcast over repair fees, credit checks
Washington state has lodged a $100 million consumer-protection lawsuit against cable-television giant Comcast.
Comcast engaged “in a pattern of deceptive practices,” the state claimed Monday, saying it believes Comcast committed more than 1.8 million individual violations of the state Consumer Protection Act, affecting 500,000 state residents.
Attorney General Bob Ferguson briefed the media about the lawsuit Monday, saying that Comcast’s “deceptive” practices came in three areas involving repair charges and credit checks.
… The case revolves in part around a Comcast service plan that customers can subscribe to for a monthly $4.99 fee. The company says the plan covers repairs to customer-owned wiring related to Xfinity TV, voice and internet. Comcast marketing material says the plan is “comprehensive.”
But in many cases, the state claims, Comcast charged for or would not repair customer issues, despite the online description of the plan.
“It simply covers the technician visiting the customer’s house and declaring that the customer’s equipment is broken,” the lawsuit says.
So the distribution isn’t random? Will we see an investigation? Do we need Pokecops? (I hereby copyright the word Pokecops so I can sue when they make a movie or TV show about them! I will also register a trademark, apply for a patent, and ask my old friend Guido to break the kneecaps of any infringers.)
PokemonNo for sex offenders, New York governor says
At the request of New York Governor Andrew Cuomo, the state’s Department of Corrections and Community Supervision will ban nearly 3,000 paroled sex offenders from playing PokemonGo.
… Cuomo said in a news release. “These actions will provide safeguards for the players of these augmented reality games and help take one more tool away from those seeking to do harm to our children.”
The governor’s decision came days after two New York state senators released a report that found that Pokemon and game items often appeared next to sex offenders’ houses. Investigators visited 100 homes of offenders convicted of sexual abuse of children or the possession of child pornography and found that Pokemon appeared in front of 57 percent of them. Overall, the investigation found that 73 of the 100 addresses belonging to sex offenders that were surveyed were within half a block of a Pokemon, PokeStop or a gym — all key locations for the game’s players that could draw children near.
… The governor was concerned that “lures,” a feature in the game that allows a player to attract Pokemon to a specific location, could also be used by predators to attract children hunting the critters.
Cuomo also sent a letter to the game’s creator, Niantic Inc., to ask for its help to prevent offenders from downloading the game. He asked the state’s Division of Criminal Justice Services to share an updated registry of sex offenders with the company.
In 2008, Cuomo introduced legislation that required state agencies to give information about sex offenders to dozens of social media companies. The companies then use that list to keep the offenders off their platforms.
It’s there in plain English, but not everyone reads it like I do.
Federal Agencies Seek Cyberdefenders
The U.S. government is in the process of hiring a small army of information technology specialists to bolster its efforts to protect data held at federal agencies from cybersecurity threats. The federal government hired 3,000 new cybersecurity and IT professionals in the first six months of the current fiscal year.
In addition, the government is "committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017," said Shaun Donovan, director of the Office of Management and Budget.
The hiring spree is just one component of a "first ever" Federal Cybersecurity Workforce Strategy revealed by the White House last month. [Why is this a separate strategy? Perhaps there is no “Federal (everything else) Workforce Strategy?” Bob]
… "However, the supply of cybersecurity talent to meet the increasing demand of the federal government is simply not sufficient," the officials added. [So it is impossible to meet our goals? Bob]
The workforce strategy includes four major components:
Education and Training
Recruit Federal Talent
Identify Requirements [Shouldn’t this be first? Bob]
IT Architecture is changing every day.
Four U.S. companies rule the world's cloud infrastructure
There are plenty of companies vying for a piece of the worldwide cloud infrastructure market, but the top four -- all in the U.S. -- dominate by such a wide margin as to effectively leave their competitors in the dust.
That's the overriding conclusion of a study released Monday by Synergy Research Group.
Amazon Web Services, Microsoft, IBM and Google collectively control more than half of the worldwide cloud infrastructure service market, Synergy found, with an overwhelming lead by AWS, which held a 31 percent share in the second quarter. Microsoft came next with 11 percent, while IBM weighed in at 8 percent, and Google came in with 5 percent.
Why? Are they falling short on recruiting? Yes, they are.
Air Force raises enlistee age limit from 27 to 39
… The new policy comes at a time of a declining defense budget, a shrinking military and falling recruiting goals, however. From 2009 to 2013, the number of recruits dropped from nearly 32,000 to just over 26,000. While recruiting goals for 2014 are still being finalized, they’re likely to fall again.
They really want everyone on Windows 10.
Missed the Free Windows 10 Upgrade? Psst, Here’s a Backdoor!
… Microsoft has left open a small backdoor that you can exploit to get the Windows 10 upgrade after the deadline. While the offer is closed for the general public, Microsoft invites customers who use assistive technologies on Windows 7, 8, or 8.1 to upgrade for free anytime.
So how do you benefit? Well, Microsoft isn’t actually checking if you use assistive technologies or not.
Something for my students? What do they already use and what should I be recommending?
3 Easy Ways to Learn Anything on Social Media for Free
… According to a 2014 research study by Ofcom, 66% of all adults aged 16+ have at least 1 social networking profile. That is a staggering number. Also, each person on average spends 31 hours on the Internet every month.
… In this article, I will show you how to extract knowledge from the same online communities that we spend the majority of our online time on.
… have you tried joining one of Facebook’s many free and educational groups?
· BBC English – To learn or just better your English.
· The Next Web – On technology and related news.
… You can create your own closed group on Facebook and use it as a platform to connect, collaborate, and learn with your friends.