Monday, May 14, 2018

Oh wow, this could be bad! And I just recommended PGP to my students. I wonder if it’s the plug-in and not the actual encryption packages? Either way, I’m glad I taught my students to build their own encryption system.
Stop Using Common Email Encryption Tools Immediately, Researchers Warn
Throughout the many arguments over encrypted communications, there has been at least one constant: the venerable tools for strong email encryption are trustworthy. That may no longer be true.
On Tuesday, well-credentialed cybersecurity researchers will detail what they call critical vulnerabilities in widely-used tools for applying PGP/GPG and S/MIME encryption. According to Sebastian Schinzel, a professor at the Münster University of Applied Sciences in Germany, the flaws could reveal the “plaintext” that email encryption is supposed to cover up—in both current and old emails.
The researchers are advising everyone to temporarily stop using plugins for mail clients like Microsoft Outlook and Apple Mail that automatically encrypt and decrypt emails—at least until someone figures out how to remedy the situation. Instead, experts say, people should switch to tools like Signal, the encrypted messaging app that’s bankrolled by WhatsApp co-founder Brian Acton.
When contacted by Fortune, Schinzel declined to divulge further details ahead of Tuesday’s announcement, but he pointed to a blog post from the world’s biggest digital rights group, the Electronic Frontier Foundation (EFF,) for further advice.

The downside of trusting crooks to be honest.
Catalin Cimpanu reports:
Ransomware has infected the servers of the Riverside Fire and Police department for the second time in a month.
The first ransomware infection took place on April 23, last month and encrypted ten months worth of work data related to active investigations.
Officials said they didn’t pay the ransom and were able to recover some of the data from previous backups. Other data they recovered from public court records, but to this day, the Riverside Fire and Police department have not fully recovered from the first attack.
Read more on Bleeping Computer
[From the article:
The second infection took place last week, May 4, but only came to light today when US Secret Service agents arrived in the Ohio town to help with the investigation.
This time around officials appear to have learned their lesson and were actively making backups on a daily basis. Officials said the second ransomware infection only locked up data for the last eight hours of work, and the department fully recovered after the second attack.
"Everything was backed-up, but we lost about eight hours worth of information we have to re-enter," City Manager Mark Carpenter told local media. "It was our police and fire records, so we just re-enter the reports."
This is not the first ransomware infection that hit a police department and has wiped data on investigations. Police in Cockrell Hill, Texas suffered a similar incident in January 2017 when they lost nearly eight years worth of evidence.
Police and fire departments are regularly hit with ransomware, but usually, they manage to recover either by restoring backups or by paying the ransom. Past victims include the police departments in the Mad River Township, Ohio; Roxana, Illinois; Tewksbury, Massachusetts; Rockport, Oregon; Mount Pleasant, South Carolina; just to name a few.

A new(ish) term that defines a category of Identity Theft.
Sizing Up the Impact of Synthetic Identity Fraud
With recent data breaches and the associated flood of PII onto the dark web, synthetic identity fraud is easier to commit than ever. Credit card losses due to this fraud exceeded $800 million in the U.S. last year, says Julie Conroy, a research director at Aite Group. Perhaps more shocking is just how much of the fraud is going undetected, flying under the radar as credit write-offs.
"One of the challenging aspects of this is often it doesn't get recognized as fraud and gets written off as a credit loss; so understanding the scope of the problem has been a challenge," Conroy says in an interview with Information Security Media Group about Aite's latest research. "A number of institutions are starting to see fundamental shifts to things like their credit delinquency curves that are only explainable by synthetic identity fraud."

Synthetic Identity Theft
A type of fraud in which a criminal combines real (usually stolen) and fake information to create a new identity, which is used to open fraudulent accounts and make fraudulent purchases. Synthetic identity theft allows the criminal to steal money from any credit card companies or lenders who extend credit based on the fake identity.

Cambridge again? Don’t they have Computer Security managers there?
Phee Waterfield and Timothy Revell report:
Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.
Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.
The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously, however such poor precautions were taken that deanonymising would not be hard.
Read more on New Scientist

The flip side of blocking Russian Facebook ads?
When governments censor websites and block messaging apps like Telegram, here's where to turn for proof
In Iran, use of the messaging app Telegram has officially been banned.
For some 40 million Iranians, Telegram has been an integral part of daily life, a place to talk with friends and family beyond the reach of government censors. Which is why, after anti-government protests broke out in the final days of 2017, the government instructed the country's internet service providers to implement temporary controls that would make Telegram harder to use — before outright banning its use this month.
Anecdotal reports are one thing. But to understand how, exactly, Telegram was being blocked — and to what extent in different parts of the country — researcher Mahsa Alimardani turned to technical data gathered by a watchdog group called the Open Observatory of Network Interference, or OONI.
… All of the data collected by OONI's measurement software — called probes — is stored in a publicly accessible database, where anyone can go to understand what's being blocked, filtered, or throttled in a particular country, and how. That data can be used to track the evolution of information controls over time or link censorship with political events like elections and protests.

For my Computer Security and Software Architecture students.
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
“This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. There are seven major objectives for this update:
  • Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • Institutionalize critical organization-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • Demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • Integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53 Revision 5;
  • Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
  • Integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • Provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach…”

You need the latest tools to match competition.
Platform business models are booming—becoming bigger and more powerful than ever. Just consider that a few tweets from the president caused Amazon’s market capitalization to fall by about $40 billion, or that Russian influencers were able to reach 126 million people through Facebook. At OpenMatters, we spend a lot of time studying network orchestration—business models where companies facilitate relationships and interactions, rather than serving up all the products, services, and pieces of content themselves. Think Facebook, Uber, Pinterest, Alibaba, Airbnb, and the myriad “unicorns” that are being showered in investor dollars. These companies are groundbreaking, leveraging networks effects and near-zero scaling cost to trounce competition or define new markets. However, not all platform plays work—the business model alone isn’t sufficient for success. There are lots of things that can make a platform succeed or fail, of course, but an increasingly central aspect of a successful platform strategy is machine learning.
… What happened is pretty clear: people got tired of sorting through hundreds of unqualified applicants for every job opening. The pile of resumes was too large, and the simple algorithms attempting to serve up relevant content were insufficient for the size and varied needs of the user base. Then, better solutions emerged. Companies like LinkedIn and Glassdoor began filling the gap—standing out by better curating professional networks. Craigslist is another great example of an early platform company that failed to innovate and curate, and is quickly losing market share to added-value platforms like OfferUp or even Facebook Marketplace.
… In addition to using machine learning to parse and understand data generated by a network, platform companies are now seeing the importance of AI for detecting and preventing misuse. Fraudulent, criminal, and abusive behaviors are a problem for many networks and companies are realizing that they can no longer wash their hands of the actions of their users. Twitter has had to take steps to curb abuse, Yelp and LinkedIn are working on filtering out fake content, and Facebook is likely at the beginning of a long journey to prevent misuse following the Russian influencing scandal. These platforms are simply too big and too complicated for manual or human-led solutions to uncover and thwart misuse. Machine learning and artificial intelligence are the only way to manage the content at scale and as it evolves.

More than a Roomba, less than a Terminator?
Russia Just Showed Off Its New Robot Tank — And Confirmed It Was On The Ground In Syria
Russia has been on the forefront of building unmanned ground vehicles and last week the Russian Defense Ministry confirmed that their armed drone tank Uran-9 was tested in Syria.
The Uran-9 is powerfully armed with anti-tank missiles, an automatic cannon, and a machine gun. It can also be reconfigured to carry different weapons like surface-to-air missiles. Additionally, the unmanned vehicle is equipped with advanced optics and targeting systems including a laser warning system and thermal imaging.
… Since its Syrian intervention in 2015, the resurgent Russian military has battle tested an arsenal of new weapons including the Su-57 stealth fighter jet, the T-90 battle tank, ship-launched cruise missiles and air defense systems.
… In the case of the Uran-9, it is remotely controlled by an individual from a mobile vehicle that must remain within 1.8 miles. The automatic turret is able to detect and acquire targets, but the ultimate decision to fire rests with the controller.

No comments: