Friday, January 12, 2018

Step by step to illustrate a failure. Where else might this work?
Bogus Passwords Can Unlock AppStore Preferences in macOS
A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.
The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.
macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.
Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.
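A small model of the bug class the article describes, added here as an illustration and not Apple's code: a privileged re-authentication prompt that decides by role (is this an admin session?) and never compares the typed secret. The account names, the PBKDF2 password store and both unlock functions are constructed for the demo; the `probe` helper is the kind of regression check a defender would keep, driving the unlock path with a wrong password from both an admin and a standard session, which is exactly the difference the article reports.

```python
"""Illustrative model of an unlock prompt that checks *who* is asking but
not *what* they typed.  Constructed example, not macOS code."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real login store does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, is_admin: bool) -> Account:
    salt = os.urandom(16)
    return Account(name, is_admin, salt, _hash(password, salt))


def password_ok(acct: Account, password: str) -> bool:
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def unlock_vulnerable(acct: Account, password: str) -> bool:
    """Constructed buggy path: an admin session is trusted by role, so the
    typed password is never compared.  Standard users still go through
    the real check, matching the behaviour the article reports."""
    if acct.is_admin:
        return True
    return password_ok(acct, password)


def unlock_fixed(acct: Account, password: str) -> bool:
    """Hardened path: the supplied credential must verify for everyone,
    regardless of the role of the session that asked."""
    return password_ok(acct, password)


def probe(unlock) -> dict:
    """Regression probe: exercise the unlock path with right and wrong
    passwords from both an admin and a standard account (constructed
    sample accounts) and report what it accepted."""
    admin = make_account("alice", "correct horse", is_admin=True)
    user = make_account("bob", "battery staple", is_admin=False)
    return {
        "admin_wrong_pw": unlock(admin, "not-the-password"),
        "admin_right_pw": unlock(admin, "correct horse"),
        "user_wrong_pw": unlock(user, "not-the-password"),
        "user_right_pw": unlock(user, "battery staple"),
    }


if __name__ == "__main__":
    for label, fn in (("vulnerable", unlock_vulnerable), ("fixed", unlock_fixed)):
        print(label, probe(fn))
```

The probe is the useful part: any re-authentication prompt that gates a privileged setting should be exercised with a deliberately wrong secret from the most privileged session available, because that is the case a role-first check silently passes.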

Interesting. Prepare a dossier by stealing data online (or maybe just the Equifax data?) and use it to construct a plausible case for infidelity. Would it seem more real if it came by mail?
Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience
KrebsOnSecurity heard from a reader whose friend recently received a remarkably customized extortion letter via snail mail that threatened to tell the recipient’s wife about his supposed extramarital affairs unless he paid $3,600 in bitcoin. The friend said he had nothing to hide and suspects this is part of a random but well-crafted campaign to prey on men who may have a guilty conscience.
The letter addressed the recipient by his first name and hometown throughout, and claimed to have evidence of the supposed dalliances.
… Of course, sending extortion letters via postal mail is mail fraud, a crime which carries severe penalties (fines of up to $1 million and up to 30 years in jail). However, as the extortionist rightly notes in his letter, the likelihood that authorities would ever be able to catch him is probably low.
The last time I heard of or saw this type of targeted extortion by mail was in the wake of the 2015 breach at online cheating site AshleyMadison. But those attempts made more sense to me since obviously many AshleyMadison users quite clearly did have an affair to hide.
… I opted not to publish a scan of the letter here because it was double-sided and redacting names, etc. gets dicey thanks to photo and image manipulation tools. Here’s a transcription of it instead (PDF).

How (not) to handle a breach?
Federal Appeals Court Slams Data Breach Privilege Claim
In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.
… In an interrogatory response, United Shore said that it retained a forensic firm – through counsel – to investigate the breach that had concluded XMS’s action caused the intrusions. The interrogatory stated that its forensic investigator determined that “certain files stored in XMS’s … system had been accessed without authorization … in plain violation of established security protocols.” United Shore disclosed more than 150 non-privileged documents concerning the investigation, but it withheld additional documents based on the attorney client privilege.
District Court Ruling. XMS moved to compel United Shore to produce the privileged documents, arguing that it implicitly waived the attorney-client privilege by referencing its investigator’s conclusions in its discovery response.
The district court agreed. It concluded that United Shore not only disclosed that its investigator “conducted an investigation ... [but] also provided ... conclusions from that investigation.”

Would we pass a law like this if we were starting from zero today? Probably not.
House Extends Surveillance Law, Rejecting New Privacy Safeguards
The House of Representatives voted on Thursday to extend the National Security Agency’s warrantless surveillance program for six years with minimal changes, rejecting a push by a bipartisan group of lawmakers to impose significant privacy limits when it sweeps up Americans’ emails and other personal communications.
The vote, 256 to 164, centered on an expiring law that permits the government, without a warrant, to collect communications from United States companies like Google and AT&T of foreigners abroad — even when those targets are talking to Americans.

Law is complex. Is there any place to ask about a topic and get answers that point out differences in all 50 states?
This may come as a shock. AP reports:
Connecticut’s highest court ruled Thursday on an issue that most people may think is already settled, saying doctors have a duty to keep patients’ medical records confidential and can be sued if they don’t.
The Supreme Court’s 6-0 decision overturned the ruling of a lower court judge who said Connecticut had yet to recognize doctor-patient confidentiality.
The high court’s ruling reinstated a lawsuit by former New Canaan resident Emily Byrne against the Avery Center for Obstetrics & Gynecology in Westport.
Read more on Boston Herald, while I scratch my head over this one. Connecticut health law never required confidentiality? Seriously? From reading the rest of the article, it sounds like the center had a pretty clear privacy policy that made it clear that they might disclose in response to subpoenas, but even so…
So for all this time, mental health patients in Connecticut had no enforceable right to confidentiality? Or was there an exception for mental health?
How could this be????

Governments do not do IT well. (I may have said that a few hundred times.)
GAO – Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions
Information Technology: Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions GAO-18-42: Published: Jan 10, 2018. Publicly Released: Jan 10, 2018.
“Most of the 22 selected agencies did not identify all of their information technology (IT) contracts. The selected agencies identified 78,249 IT-related contracts, to which they obligated $14.7 billion in fiscal year 2016. However, GAO identified 31,493 additional contracts with $4.5 billion obligated, raising the total amount obligated to IT contracts in fiscal year 2016 to at least $19.2 billion (see figure). The percentage of additional IT contract obligations GAO identified varied among the selected agencies. For example, the Department of State did not identify 1 percent of its IT contract obligations. Conversely, 8 agencies did not identify over 40 percent of their IT-related contract obligations. Many of the selected agencies that did not identify these IT acquisitions did not follow Office of Management and Budget’s (OMB) guidance.
... agencies will likely miss an opportunity to strengthen CIOs’ authority and the oversight of IT acquisitions. As a result, agencies may award IT contracts that are duplicative, wasteful, or poorly conceived.”

Apparently, Ram trucks won’t be able to get over the wall either.
Fiat Chrysler Is Moving a Plant From Mexico to Michigan
Fiat Chrysler Automobiles said on Thursday it will shift production of Ram heavy-duty pickup trucks from Mexico to Michigan in 2020, a move that lowers the risk to the automaker’s profit should President Donald Trump pull the United States out of the North American Free Trade Agreement.

For my International students. Quite a list of languages supported!
Voice Dictation – Type with your Voice
Introducing the all-new Voice Dictation v2.0, a speech recognition app that lets you type with your voice. There’s no software to install, there’s no training required and all you need is Google Chrome on your Windows PC, Mac OS or Linux.
Dictation can recognize spoken words in English, Hindi, Español, Italiano, Deutsch, Français, and all the other popular languages. Another unique feature of Dictation is support for voice commands that let you do more with your voice. For instance, you can say a command like new line or nueva línea for inserting lines. You can add punctuations, special symbols and even smileys using simple commands in most languages.
This YouTube video will walk you through the Dictation app.
Dictation stores everything in your browser locally and not a byte of your data is uploaded anywhere.