Friday, August 12, 2016
Is this another “shortcut” some VW engineer tried to get away with?
A New Wireless Hack Can Unlock 100 Million Volkswagens
https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.
… The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and access the car.
The author is talking of many things, but these “rules” stand out! It’s another way of saying that we have to re-learn basic security practices every time something new comes along.
The Internet of (insecure) Things and other inside observations from the Black Hat hackers conference
If there are common threads in our adoption of any new technology, they would most likely be:
- We often adopt it before we fully understand the security implications.
- Our bad habits from legacy technologies are highly portable.
- We don’t avail ourselves of the new and/or improved security capabilities that are part and parcel of new technology.
Clever. Possibly true. So what? So my Computer Security students should have evidence to refute this claim?
Hold On, You Didn’t Overpay for That: Courts Address New “Overpayment” Theory from Plaintiffs in Data Breach Cases
Andrew C. Glass, David D. Christensen and Matthew N. Lowe of K&L Gates write:
With the ever-increasing amount of personal information stored online, it is unsurprising that data breach litigation has become increasingly common. A critical issue in nearly all data breach litigation is whether a plaintiff has standing to pursue claims—especially where there is no evidence of actual fraud or identity theft resulting from the purported data breach. The plaintiffs’ bar has pursued a litany of legal theories in the attempt to clear the standing hurdle, including the recent theory of “overpayment” (a/k/a “benefit of the bargain” theory). Under this theory, the plaintiff alleges that the price for the purchased product or service—whether sneakers, restaurant meals, or health insurance—included some indeterminate amount allocated to data security. Depending on how the theory is framed, the purported “injury” is either that the plaintiff “overpaid” for the product or service, or that the plaintiff did not receive the “benefit of the bargain,” because the defendant did not appropriately use the indeterminate amount to provide adequate data security. Despite plaintiffs’ attempts to establish standing through this novel theory, courts have limited its applicability in a variety of ways discussed below.
Read more on Lexology.
Important enough to take 9 years investigating, but not important enough to do anything about? Something a little fishy here?
I have been following this case from the beginning and wondering why the heck HHS didn’t come down on Walgreens like they did on their competitors CVS and RiteAid. And now we learn that OCR just closed the case with no penalty? Seriously? So CVS and RiteAid get clobbered by both the FTC and HHS/OCR, and Walgreens… nothing other than throwing the issue into a larger environmental case?
WTHR, who first made the public aware of the problem with Walgreens’ privacy and data security, reports:
A decade after WTHR exposed the country’s largest pharmacy chains failed to protect their customers’ sensitive healthcare information, 13 Investigates has learned government regulators have quietly closed their investigation into improper trash disposal practices by Walgreens.
The government’s decision – announced in an e-mail to WTHR – means Walgreens will not face any federal penalty despite repeatedly violating federal law and jeopardizing customer privacy in the same manner that resulted in record-setting fines against its largest competitors.
Read more on WTHR, who did a tremendous public service via their original investigative reporting in 2006, and their follow-ups on this issue. It’s a damned shame that OCR did not impose a monetary penalty as a reminder to entities that disposal of paper records matters.
Does the government like covering agencies whenever possible or is there something really embarrassing this time? (One system for employees & contractors, one for vendors, one for the environments they “protect.” That leaves me 27 systems short?)
EPA conducts, will not release, cyber audit
Citing privacy concerns, the Environmental Protection Agency will not be releasing an Inspector General’s report discussing cybersecurity.
An “At A Glance” summary of the report says an audit of the agency’s computers found 30 systems with personally identifiable information.
So now we can can’t can can’t can block ads!
Adblock Plus has already defeated Facebook's new ad blocking restrictions
Disintermediation? What a concept!
This Company Wants to Disrupt Ticketmaster's Tight Grip on Your Favorite Events
… SeatGeek, founded in 2009, carved a niche as a search engine to help customers find the best deals among tickets being sold and resold online, as well as a place for electronic tickets to safely change hands (or mobile devices, rather) without fraud worries. Today, the company has announced SeatGeek Open, its official entry into primary sales that aims to eventually compete with the ticketing industry’s biggest players.
Overall, SeatGeek’s goal is to open up the marketplace (despite the fact that Ticketmaster is trying to keep it as closed as possible). Its key differentiator lies in its open-source technology, which will allow artists, teams, venues and the like to present and sell available tickets directly via social media and ecommerce.
A response to those slow chipped credit cards? Will every (large?) company want its own payment App?
CVS Pharmacy launches its own mobile payments and loyalty solution, CVS Pay
… Currently, customers have to either present their physical CVS rewards card at the register, or they have to say their name and birthday in order for the store associate to look up their account information. Then, after their purchases and prescriptions are rung up, they have to pay. (And thanks to the slow-to-process chip cards, this, too, takes time.)
Perspective. HPE is becoming a player in the supercomputer market?
Hewlett Packard Enterprise acquires SGI for $275 million
For my students who get outdoors?
Printable USGS PDF Quads: A Quick, Easy, Free way to Download any Quad in the Country
by Sabrina I. Pacifici on Aug 11, 2016
“National Geographic has built an easy to use web interface that allows anyone to quickly find any quad in the country for downloading and printing. Each quad has been pre-processed to print on a standard home, letter size printer. These are the same quads that were printed by USGS for decades on giant bus-sized presses but are now available in multi-page PDFs that can be printed just about anywhere.”