- Are we secure? If so, just how secure are we?
- Could what happened to company xyz happen to us? Are we getting better over time?
- JP Morgan Chase just announced they will deploy $250 million in security. Are we spending enough? Should we spend more?
Wednesday, November 30, 2016
I assume that anyone signing up for a porn site uses a phony name, or perhaps the name of some randomly selected lawyer at the local law school. (I propose “phack” rather than “fhack”)
Hackers Are Trading Hundreds of Thousands of xHamster Porn Account Details
… Although xHamster is a free porn site, users can sign up to create personal favorite collections, post comments, or upload their own videos. According to the xHamster site, over 12 million people have signed up for an account.
… Update: After the publication of this article, Alex Hawkins, xHamster spokesperson, told Motherboard in an email, "The only way to respond to this news is to coin a new term: 'Fhack.' A fhack is best defined as a fake hack. There was a failed attempt to hack our database which occurred 4 years ago. The integrity of our user data is secure. Passwords are encrypted and impossible to hack. In short, this was a successful fhack; and a failed hack."
When pressed on how data traders then obtained a list of xHamster user email addresses, the company said, "We cannot validate that the emails are real and we don't believe that this is a genuine database." This is despite Motherboard's independent verification of the email addresses and usernames.
For my Ethical Hacking students.
How Machine Learning Will Help Attackers
Inside McAfee Labs' predictions (PDF) for 2017 is this: criminals will use machine learning to analyze massive quantities of stolen records to identify potential victims and build contextually detailed emails that very effectively target these individuals. In short, just as defenders use machine learning to detect attacks, attackers will use machine learning to automate attacks and evade detection.
(Related) From the same report.
'Dronejacking' May be the Next Big Cyber Threat
A report by Intel's McAfee Labs said hackers are expected to start targeting drones used for deliveries, law enforcement or camera crews, in addition to hobbyists.
"Drones are well on the way to becoming a major tool for shippers, law enforcement agencies, photographers, farmers, the news media, and more," said Intel Security's Bruce Snell, in the company's annual threat report.
I didn’t know that Hillary Clinton worked for Europol.
Toby Sterling reports:
Information on numerous international investigations into terrorism groups compiled by Europol was accidentally left online, unguarded by any password, a Dutch television program reported on Wednesday.
Europol, which helps European Union national police organizations cooperate, could not immediately be reached for comment. The television program Zembla cited Europol’s adjunct director Wil van Gemert as acknowledging the incident.
According to the program, the leak was caused by a former employee who took dossiers home, against Europol policy, and put them on a hard drive connected to the Internet without realizing it was accessible to anyone.
Read more on Reuters.
Gathering stuff for my Computer Security class. Might also work this into my Statistics class.
Measuring what matters in cybersecurity
The cybersecurity risk metrics market has exploded, and at least half a dozen companies are offering real-time risk metrics for enterprises. Insurance carriers will collect upwards of $3 billion in premiums this year. In my recent analysis of this $20 billion market, it was evident that the rise of adversaries, boardroom pressures and financial losses are driving a whole new world of underwriters, brokers and consultants. CISOs are now expected to answer somewhat challenging questions from the C level and the boardroom, like:
… Richard Seiersen, vice president of Trust and CISO at Twilio, wants to simplify this debate. A soft-spoken, classically trained guitarist and co-author of the recently published book “How to Measure Anything in Cybersecurity”, Seiersen advocates risk management using probabilistic thinking and probabilistic programming.
Is this the kind of backlash we should expect whenever robots start “taking the jobs of the common man?”
New York Bars Scalpers From Using Bots To Snap Up Tickets Before Everyone Else
… New York’s Governor Andrew Cuomo signed a law that makes using so-called “ticket bots” — software designed to manipulate systems that are designed to limit the numbers of tickets sold to an individual — illegal.
Previously, NY law barred the use of ticket bots, but only imposed civil sanctions for brokers who violate that law. Now, using ticket bots, maintaining an interest in or control of bots, and reselling tickets knowingly obtained with bots constitutes a class A misdemeanor. As such, violators could face substantial fines and imprisonment.
(Related) Perspective. Would this be possible without automation?
… This week TorrentFreak crunched the numbers in Google’s Transparency Report and found that over the past 12 months Google has been asked to remove over a billion links to allegedly infringing pages, 1,007,741,143 to be precise.
More than 90 percent of the links, 908,237,861 were in fact removed. The rest of the reported links were rejected because they were invalid, not infringing, or duplicates of earlier requests.
Now this is automation to be worried about. I wonder who can override the score?
China Turns Big Data into Big Brother
… The Wall Street Journal reports that the Chinese government is now testing systems that will be used to create digital records of citizens’ social and financial behavior. In turn, these will be used to create a so-called social credit score, which will determine whether individuals have access to services, from travel and education to loans and insurance cover. Some citizens—such as lawyers and journalists—will be more closely monitored.
The French still think the world revolves around them.
We Won’t Let You Forget It: Why We Oppose French Attempts to Export the Right To Be Forgotten Worldwide
… The brief, filed Nov. 23, 2016, argues that extending European delisting requirements to the global Internet inherently clashes with other countries’ laws and fundamental rights, including the First Amendment in the U.S.
… For an in depth analysis, read our legal background document.
Last chance before Trump trumps their urge?
Ed Pilkington reports:
The campaign to persuade Barack Obama to allow the NSA whistleblower Edward Snowden to return home to the US without facing prolonged prison time has received powerful new backing from some of the most experienced intelligence experts in the country.
Fifteen former staff members of the Church committee, the 1970s congressional investigation into illegal activity by the CIA and other intelligence agencies, have written jointly to Obama calling on him to end Snowden’s “untenable exile in Russia, which benefits nobody”. Over eight pages of tightly worded argument, they remind the president of the positive debate that Snowden’s disclosures sparked – prompting one of the few examples of truly bipartisan legislative change in recent years.
Read more on The Guardian.
For my Governance and Architecture classes. Politicians don’t seem to get the concept of global companies.
Sanders launches new attack on offshore outsourcing
Former presidential candidate and U.S. Sen. Bernie Sanders will introduce legislation to discourage companies from relocating jobs offshore. The legislation would punish offshore decisions with loss of tax breaks and government contracts and impose an "outsourcing tax" on firms that proceed nonetheless.
Something to play with?
UK's GCHQ Spy Agency Launches Open Source Data Analysis Tool
The U.K. Government Communications Headquarters (GCHQ) on Monday announced the launch of a new open source web tool designed for analyzing and decoding data.
Named CyberChef, the tool is advertised by the intelligence agency as a “Cyber Swiss Army Knife.” It uses a simple interface with a drag-and-drop feature to allow both technical and non-technical people to analyze encryption, compression and decompression, and data formats.
… Users can, for example, convert data from a hexdump, display timestamps as a full date, decode Base64 strings, parse Teredo IPv6 addresses, and manipulate different types of data.
… The source code and a demo have been made available on GitHub. The agency pointed out that the tool is not complete and has encouraged developers to contribute as much as possible.
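To show what a CyberChef-style "recipe" actually does under the hood, here is an added example (my own code, not part of CyberChef or the article) that chains three of the operations named above: From Hexdump, From Base64, and Parse Teredo IPv6 address. The xxd-style listing is a constructed sample; the Teredo field layout follows RFC 4380.

```python
import base64
import ipaddress
import re

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from an xxd / hexdump -C style listing.
    Each line is: <offset>: <hex pairs>  <ascii column>; the offset and
    the ASCII column are discarded, the hex pairs are decoded."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        line = re.sub(r"^\s*[0-9a-fA-F]{4,}:?\s+", "", line)  # drop offset column
        hex_part = re.split(r"\s{2,}|\|", line, maxsplit=1)[0]  # drop ASCII column
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def parse_teredo(addr_text: str) -> dict:
    """Unpack the fields of a Teredo (RFC 4380) IPv6 address.
    Layout, MSB first: 32-bit prefix 2001:0000 | 32-bit Teredo server IPv4 |
    16-bit flags | 16-bit client UDP port XOR 0xFFFF | 32-bit client IPv4
    XOR 0xFFFFFFFF. The XOR hides the NAT-mapped address and port."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address (expected 2001::/32)")
    raw = int(addr)
    flags = (raw >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone_flag": bool(flags & 0x8000),
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def recipe(dump: str) -> dict:
    """CyberChef-style chain: From Hexdump -> From Base64 -> Parse Teredo."""
    return parse_teredo(base64.b64decode(hexdump_to_bytes(dump)).decode("ascii"))

# Constructed sample: an xxd listing of a Base64-encoded Teredo address.
SAMPLE_HEXDUMP = """\
00000000: 4d6a 4177 4d54 6f77 4f6a 5178 4d7a 5936  MjAwMTowOjQxMzY6
00000010: 5a54 4d33 4f44 6f34 4d44 4177 4f6a 597a  ZTM3ODo4MDAwOjYz
00000020: 596d 5936 4d32 5a6d 5a6a 706d 5a47 5179  YmY6M2ZmZjpmZGQy
"""

if __name__ == "__main__":
    print(recipe(SAMPLE_HEXDUMP))
```

The decoded Teredo address reveals the relay server, the client's public (NAT-mapped) IPv4 and UDP port, which is why such addresses in logs are worth unpacking during an investigation.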
What we could do if we chose to…
Altice Plans Fiber Upgrade That Could Leave Rivals in the Dust
Altice USA, the fourth largest U.S. cable operator, said it plans to convert its entire network into an ultrafast fiber-to-the-home network capable of 10 gigabits-per-second speeds within the next five years, a bold plan that takes aim at the company’s fierce rival, Verizon Communications Inc.’s Fios.
Is this really how my students react to my research projects?