Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports
by Sabrina I. Pacifici on Jan 23, 2017
DHS OIG – Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports, December 30, 2016. OIG-17-14.
“Our previous reports identified numerous deficiencies in security controls for TSA’s IT systems and equipment at airports. These deficiencies included inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs. TSA has undertaken various actions to address the recommendations we made in these reports. Based on our review of the corrective actions taken as of May 2016, we consider most of the recommendations resolved and closed. However, TSA has not yet resolved recommendations we made in two key areas. TSA officials indicate it will take time, money, and contract changes to include security requirements in the Security Technology Integrated Program, a data management system that connects airport screening equipment to servers. TSA also disagrees that closed-circuit televisions, including cameras, at airports constitute IT equipment and that TSA is responsible for maintaining them. Further, as a result of our analysis to compile this report, we are making two new recommendations to improve security controls for TSA’s IT systems at airports. Specifically, TSA needs to assess the risk of not having redundant data communications capability to sustain operations at airports in case of circuit outages. Additionally, while TSA has undertaken reviews of security controls for its IT systems at airports, it would benefit from establishing a plan to conduct the reviews on a recurring basis nationwide.”
In theory, this research should have been done before Pattern Locks were introduced. But, where’s the fun in that?
Researchers Crack Android’s Popular Pattern Lock Security Within 5 Attempts
Researchers from Lancaster University, Northwest University in China, and the University of Bath have demonstrated that attackers could easily unlock a phone in less than five attempts.
First off, what is Pattern Lock? In order to unlock a device’s content or functions, users must draw a pattern on a grid of dots. Users typically have five chances to get it right before they are locked out. 40% of Android users utilize Pattern Lock and prefer it over using a PIN or password.
Researchers took video of owners unlocking their phones with Pattern Lock. The attacks worked regardless of screen size or content on the phone’s screen, and were able to be tracked from roughly eight feet away. Hackers were then able to use software to track the owner's fingertip movements relative to the position of the device. The researchers collected 120 patterns and were able to unlock 95% of them within five attempts.
Ironically, the more complicated passwords were easier to crack. Guixin Ye, the leading student author from Northwest University, remarked, “Contrary to many people's perception that more complex patterns give better protection, this attack actually makes more complex patterns easier to crack and so they may be more secure using shorter, simpler patterns”. Researchers were able to uncover all but one of the “complex” patterns, 87.5% of the “medium” patterns and 60% of “simple” patterns on their first attempt.
For my Computer Security, Ethical Hacking and Forensic students.
FTC Releases New Report on Cross-Device Tracking
by Sabrina I. Pacifici on Jan 23, 2017
“The Federal Trade Commission has released Cross-Device Tracking: An FTC Staff Report that describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges associated with it, and industry efforts to address those challenges. The report concludes by making recommendations to industry about how to apply traditional principles like transparency, choice, and security to this relatively new practice. The report draws upon comments and discussions from a November 2015 Cross-Device Tracking Workshop and explains that cross-device tracking associates multiple devices with the same consumer and links a consumer’s activity across her devices (e.g., smartphones, tablets, personal computers, and other connected devices). It describes how cross-device tracking facilitates seamless experiences, can help to prevent fraud and more effectively target ads, and can increase competition in advertising. However, the report also acknowledges that cross-device tracking often takes place without consumers’ knowledge. It also discusses that consumers have limited choices to control such tracking, and that it can result in caches of more—and more sensitive—data that need to be protected.”
For my Ethical Hacking and Forensic students.
Researchers Link "de-identified" Browsing History to Social Media Accounts
While the use of cookies and other tracking mechanisms used to track computers is widespread and well understood, it is often believed that the data collected is effectively de-identified; that is, the cookies track the computer browser, not the person using the computer.
This is the message often promulgated by the advertising industry: tracking cookies allow targeted advertising without compromising personal privacy. Now new research from academics at Stanford and Princeton universities demonstrates that this need not be so.
In the new study 'De-anonymizing Web Browsing Data with Social Networks' (due to be presented at the 2017 World Wide Web Conference in Perth, Australia, in April) the researchers show that de-identified web browsing histories can be linked to social media profiles using only publicly available data. Once the social media profile associated with a browsing pattern is known, the person is known.
Should you join them?
Messaging App Has Bipartisan Support Amid Hacking Concerns
Aides to Trump, Obama and de Blasio use Signal, a smartphone app that encrypts messages
Signal, a smartphone app that allows users to send encrypted messages, is gaining popularity in the political world amid rising fears about hacking and surveillance in the wake of a tumultuous election year.
When I teach a Data Management class, articles like this really start the conversation going. Yes, people value Data Management.
Collibra nabs $50M led by ICONIQ to fix companies’ data governance
Data governance and management startup Collibra … has raised $50 million in its latest round of funding.
… “Big data” has been the term du jour in the enterprise software space for at least the past two years… the phrase has become so over-used that it’s almost a punch line.
However, behind the jargon is a hard fact that data is important. It’s good for businesses to know where their data comes from, how reliable it is, and how best to use it.
That’s the problem that Collibra purports to solve. Services that it covers include compliance with BCBS 239, CCAR MRAs and GDPR; demonstrating data protection and security; fixing bad data; analytics; and data discovery.
“Data’s day has come. And with that, organizations have recognized that data can only be leveraged as a strategic resource to the extent it can be accessed and, most important, trusted,” said Felix Van de Maele, CEO and co-founder of Collibra, in a statement.
Is Ford, like Tesla, saying, “We don’t need no stinking dealers!”
Ford teams with startup for online car shopping
Ford Motor Credit Co. said Monday that it would use software developed by AutoFi Inc. to let car buyers shop for a Ford or Lincoln car and secure a loan online through its dealers’ websites.
As part of the new deal, Ford Motor Credit also announced an equity investment in AutoFi. It didn’t disclose the amount.
AutoFi doesn’t make any credit decisions or loans itself. The company operates a marketplace where dealers can select which banks, credit unions or other lenders can pitch loans to car buyers. Customers can choose among competing offers. AutoFi gets paid a fee by both the dealer and the lender if its service is used in a purchase.
Perspective. Then ask yourself, ‘Should I care?’
1. In 2014, over 561 billion text messages were sent in one month. That equates to 18.7 billion text messages per day, 779 million text messages per hour, 13 million text messages per minute, or 216,000 text messages per second. Now imagine how much worse it’s gotten in the two years since!
2. In 2016, Millennials prefer texting to calling for all communications. Of those aged between 18–24, when given a choice between only being able to text or only being able to call, about 75 percent chose texting. Not only that, but about 75 percent of Millennials prefer to receive texts for things like appointments, payments, order alerts, etc.
3. Messaging apps are taking over traditional text messages. As of 2015, about 49 percent of smartphone owners between 18–29 years of age preferred to use messaging apps. The older folks are catching on, too: about 37 percent of those aged 30–49 and 24 percent of those aged 50+ use messaging apps.
But do they have the one I need?
CourtListener – free legal research website – millions of legal opinions from federal and state courts
by Sabrina I. Pacifici on Jan 23, 2017
“Search millions of opinions by case name, topic, or citation. 418 Jurisdictions. Sponsored by the Non-Profit Free Law Project. With CourtListener, lawyers, journalists, academics, and the public can research an important case, stay up to date with new opinions as they are filed, or do deep analysis using our raw data.”
(Related) I wonder what Watson could do with this data?
Judge Profiles on CourtListener Now Show Oral Arguments Heard
by Sabrina I. Pacifici on Jan 23, 2017
Free Law Project Blog – “We’re proud to share that we’ve now linked together our database of judges and our database of oral argument recordings. This means that as of now if you look at the profile page for a judge, you may see a list of oral argument recordings for cases that judge heard. Clicking on the button at the bottom takes you back to our database of oral argument recordings where you can further refine your search. If the judge is active, there is an icon in the upper right that lets you subscribe to a podcast of the cases heard by that judge. At this time, these features are only available for the Supreme Court and for jurisdictions where the judges for specific cases are provided by the court website. We hope to expand this in the future. To our knowledge, a linkage like this has never previously existed on any system, and we hope that it will make research and exploration faster and easier for our users. To get started with this addition, you can browse the judges in CourtListener, or explore our APIs and Bulk Data, where files now include this information.” [Awesome!]
Perspective. The world is changing when a retailer can create content that meets or beats the content creators.
Oscars: Amazon Nabs Streaming's First Best Picture Nomination With 'Manchester by the Sea'
With the nomination of Amazon Studios' Manchester by the Sea for best picture on Tuesday morning, the Academy of Motion Picture Arts and Sciences has officially put streaming services in the Oscar features game.
Amazon has not only scored its first Oscar nominations with Manchester, it has also become the first streaming service to earn a best picture nod.
For such a simple (and cheap) device, a lot of big players seem interested in connecting to it. Perhaps they see it as a way to identify geeks they might like to hire?
Google To Enable Its AI And Machine Learning Tech On Raspberry Pi This Year
If you’re a Raspberry Pi developer that is at all interested in artificial intelligence (AI) and machine learning, we’ve got a treat in store for you. Google is looking to bring its AI and machine learning tools to the Raspberry Pi starting this year, but it wants your help and input to make it happen.
Google has launched a survey that includes questions about how much time developers spend working on software and hardware projects, and whether they are interested in fields ranging from wearables to drones to IoT to robotics to 3D printing. It will use input gained from this survey to narrow its focus on the tools that are provided later this year.
(Related)
Cluster HAT, the easiest way to build a Raspberry Pi Zero cluster
I recently compiled a list of Raspberry Pi clusters and reader Alex Hortin wrote in to suggest I looked at a cluster framework for up to four Raspberry Pi Zeros called the Cluster HAT produced by 8086 Consultancy.