Thursday, August 23, 2012

Here's one for my Ethical Hackers to dissect.
"The Windows version of the Crisis Trojan is able to sneak onto VMware implementations, making it possibly the first malware to target such virtual machines. It also has found a way to spread to Windows Mobile devices. Samples of Crisis, also called Morcut, were first discovered about a month ago targeting Mac machines running various versions of OS X. The Trojan spies on users by intercepting e-mail and instant messenger exchanges and eavesdropping on webcam conversations. Launching as a Java archive (JAR) file made to look like an Adobe Flash Installer, Crisis scans an infected machine and drops an OS-specific executable to open a backdoor and monitor activity. This week, researchers also discovered W32.Crisis was capable of infecting VMware virtual machines and Windows Mobile devices."


“Just because all you hackers think it's not secure doesn't mean we won't go ahead as planned!” After all, they have a long tradition of bureaucratic incompetence to live up to.
"The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."


For my Computer Security students. Reminds me of a neighbor who used to leave a note on his door that said, “Your damn rattlesnake has escaped again. Call me when you find it. Call 911 if it finds you first.”
"Softpedia reports that Global Link Security Solutions are offering a product that doesn't actually do anything to alert an owner of a break-in to their home or business, but it displays "one hell of a laser show in an attempt to scare potential crooks into thinking that they have no chance of breaking in without triggering the alarm." According to the security firm, LaserScan has four lines of protection: a number of lasers that move along the walls and floors (video), an LED which indicates that there's a "link" to a satellite, a beeping alert, and a sticker placed on the front door. Although the company claims that none of their current customers has reported break-ins since the system has been installed, security guru Bruce Schneier highlights that the product only works if the product isn't very widely known."


Local. Just because you have a cop in your class?
University of Colorado-Boulder tells faculty no class cancellations over guns
University of Colorado Chancellor Phil DiStefano is telling faculty members they have no right to cancel classes if one of their students is lawfully carrying a gun.
The warning comes a day after Professor Jerry Peterson said he plans to cancel class if he ever learns any of his students are carrying firearms.
According to the Boulder Daily Camera, DiStefano warned Tuesday that any faculty members who do so will be in violation of their contracts and could face disciplinary action.
The Colorado Supreme Court has ruled that students with conceal-carry permits are allowed to bring guns into classrooms and labs.
Peterson said Tuesday he still stands by his classroom policy because a student with a gun would be a classroom distraction.


I'm sure this list covers every conceivable point... Perhaps we could write up a list of things your privacy policy (and practices) should address?
7 reasons the FTC could audit your privacy program
… What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
2. Not regularly assessing and improving data security
3. Not honoring opt-outs
4. Not collecting parental consent
5. Not providing complete and accurate privacy policies
6. Disclosing consumer data without consent
7. Not assessing vendor and client security


Are the state laws cutting edge? If so, what parts should be adopted by the Feds?
State Privacy Laws Evolve While Congress Remains Stalemated
August 22, 2012 by admin
New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.
You can find a nice summary of the three new laws on CyberInquirer.


Does AT&T no longer have a legal department or is this just a strategy I can't understand? (Or, “We can screw with it until we are force to stop. Maybe that will be enough to allow our inferior products to catch up.”)
AT&T’s App-Blocking Defense Is Weak and Anti-Consumer
Amid a wave of backlash about its plans to block FaceTime over mobile, AT&T Senior Vice President for Regulatory Affairs Bob Quinn took to the company’s policy blog on Wednesday to defend its plans to block the popular app on its network unless users pony up extra cash for its new, expensive “Mobile Share” plans.
AT&T’s defense? The carrier asserts that it can block FaceTime all it wants, because the app comes preloaded on the iPhone and is not downloaded by the user.
But the rules adopted by the Federal Communications Commission to prevent carriers from blocking access to applications and websites over mobile connections are crystal clear: Mobile broadband providers cannot “block applications that compete with the provider’s voice or video telephony services.”


Are they using this because many evil doers won't fight back? Where does that leave the innocent sites?
Feds Expand Domain Seizures to Mobile-App Pirate Sites
The U.S. government for the first time has seized internet domains of online sites accused of selling pirated mobile applications, in this instance, Android apps.
Seizing domains is nothing new under the President Barack Obama administration. Usually, however, sites are shuttered for offering gambling, hawking counterfeit goods, or providing links to or streaming unauthorized movies and sporting events, or selling unauthorized copies of software. The government has seized more than 750 domains in the past two years under a program called “Operation in Our Sites.” (.pdf)


“We're moving as fast as we want to...”
Oops! Venture Capital Rebirth Delayed by Third Blown Deadline
The Securities and Exchange Commission now says it needs at least another week before it can detail its proposal to rescind longstanding prohibitions against startups advertising that they are seeking investors.
The SEC had been scheduled to consider the changes at its open meeting today following a delay last week. Prior to missing this week’s deadline and last week’s deadline, both self imposed, the commission missed a July 4 deadline spelled out in the JOBS Act, a recently approved piece of legislation that, among various other securities rules, loosens restrictions on how startups can raise money from venture capital funds and other wealthy “accredited investors.” The commission is now slated to discuss the so-called general solicitation rules at a meeting Aug. 29.


Jobs for my Ethical Hackers?
Darpa Looks to Make Cyberwar Routine With Secret ‘Plan X’
The Pentagon’s top research arm is unveiling a new, classified cyberwarfare project. But it’s not about building the next Stuxnet, Darpa swears. Instead, the just-introduced “Plan X” is designed to make online strikes a more routine part of U.S. military operations. That will make the son of Stuxnet easier to pull off — to, as Darpa puts it, “dominate the cyber battlespace.”
Darpa spent years backing research that could shore up the nation’s cyberdefenses. “Plan X” is part of a growing and fairly recent push into offensive online operations by the Pentagon agency largely responsible for the internet’s creation. In recent months, everyone from the director of Darpa on down has pushed the need to improve — and normalize — America’s ability to unleash cyberattacks against its foes.

(Related) More jobs?
"Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."


Something to amuse my Statistics class? (If this was reliable, we're looking at a landslide.)
Amazon’s Political Heat Map Colors Book-Buying Preferences
Amazon has introduced a heat map of the political books sold in the U.S. An overwhelming lean toward red hues suggests that conservative-themed books are outselling left leaning ones coast to coast.
Amazon is quick to point out that the system isn’t scientific. The map presents a rolling 30-day average of book-buying data and classifies them as red or blue depending on promotional materials and customer classifications. And there’s no sliding scale. A book is either red or blue, so there’s no nuance for centrists. “Just remember, books aren’t votes,” Amazon says on the heat map site. “ So a map of book purchases may reflect curiosity as much as commitment.”


Perspective


Something for my Data Miners?
Google’s Mind-Blowing Big-Data Tool Grows Open Source Twin


Cheap is good, if you can't find free


A nifty online resource for my Excel students...
30 Excel Functions in 30 Days

No comments: