Thursday, December 20, 2012

Another Year End list.
Verizon DBIR Researchers’ Predictions for 2013 Threats
December 20, 2012 by admin
BASKING RIDGE, N.J. – Although many security experts predict that the most likely data breach threats organizations will face in 2013 include cloud exploits, mobile device attacks and all-out cyber war, “Verizon Data Breach Investigations Report” (DBIR) researchers have reached a far different conclusion: The most likely threats involve authentication attacks and failures, continued espionage and “hacktivism” attacks, Web application exploits and social engineering.
The findings of the researchers — members of the company’s RISK (Research Intelligence Solutions Knowledge) Team – are based on data that spans eight years and thousands of cases and is contained in the 2012 data breach report, released earlier this year.
“Many security experts are using anecdote and opinion for their predictions, whereas Verizon’s researchers are applying empirical evidence to help enterprises focus on what will be truly important in the coming year — and also what isn’t,” said Wade Baker, principal author of the DBIR.
“First and foremost, we don’t believe there will be an all-out cyber war, although it’s possible,” he said. “Rather, an enterprise’s 2013 data breach is much more likely to result from low-and-slow attacks.”
Verizon’s RISK team has identified the following most likely data threats:
  • Topping the list – with a 90 percent chance of probability — are attacks and failures related to authentication, including vulnerable or stolen usernames and passwords, which often represent the initial events in a breach scenario. “Nine out of 10 intrusions involved compromised identities or authentication systems, so enterprises need to make sure they have a sound process for creating, managing and monitoring user accounts and credentials for all of their systems, devices and networks,” Baker said.
  • Web application exploits, which are most likely to affect larger organizations and especially governments, rather than small to medium-sized businesses. The chances of such attacks occurring are three in four, according to the data compiled by the RISK Team. “Given these odds, organizations that choose to take their chances and ignore secure application development and assessment practices in 2013 are asking for trouble,” said Baker.
  • Social engineering, which targets people rather than machines and relies on clever — and sometimes clumsy — deceptions to be successful. “The use of social tactics like phishing increases by a factor of three for larger enterprises and governments,” said Baker. “It’s impossible to eliminate all human error or weaknesses from an organization, but vigilance and education across the employee population help to control and contain such schemes.”
Baker also said that targeted attacks from adversaries motivated by espionage and hacktivism — breaking into a computer system, for a politically or socially motivated purpose — will continue to occur, so “it’s critical to be watchful on this front.”
In addition, the RISK team does not foresee the failure of an organization’s cloud technology or configuration as being the root cause of a breach. However, an organization’s service provider could inadvertently increase the likelihood of a breach by failing to take appropriate actions or taking inappropriate ones.
As for mobile devices, the Verizon researchers believe that lost and stolen – and unencrypted — mobile devices will continue to far exceed hacks and malware.
The RISK Team also projects that attacks on mobile devices by the criminal world will follow closely the push to mobile payments in the business and consumer world. “There’s a good chance we’ll see this shift in 2013, but our researchers think mobile devices as a breach vector in larger enterprises will lag beyond 2013,” Baker said.
Large organizations tend to pride themselves on their security strategy and accompanying plans, but the reality is that a large business is less likely to discover a breach itself than to be notified of it by law enforcement. “And, if you do discover it yourself,” Baker said, “chances are it will be by accident.” He concluded:
“Keep in mind that all of these breaches can still be an issue for enterprises. However, what we’re saying is that they’re over-hyped according to our historical data and are far less likely to factor into an organization’s next breach than is commonly thought.”


Grab them quick, before they are declared state secrets. After all, any discussion of secrets reveals what we think secrets should be, which is a topic that should remain secret.
Introducing the ‘State Secrets’ Drinking Game
We reported Friday on a three-hour hearing in San Francisco federal court in which the Justice Department repeatedly invoked the state secrets privilege and demanded U.S. District Judge Jeffrey White dismiss a lawsuit accusing the government of siphoning Americans’ electronic communications from willing telecoms and funneling them to the National Security Agency without warrants.
As it turns out, the San Francisco federal court produced two roughly 90-minute videos of the hearing as part of a pilot project and just published them on its website. Normally, cameras in the court are not allowed.


Very familiar language to someone who got their MBA in the 80s: “Hey, we have lots of data but it isn't consistent and no one is in charge...”
"President Obama on Wednesday released a national strategy designed to balance the sharing of information with those who need it to keep the country safe, while protecting the same data from those who would use it to cause harm. 'The National Strategy for Information Sharing and Safeguarding' outlines how the government will attempt to responsibly share and protect data that enhances national security and protects the American people. The national strategy will define how the federal government and its assorted departments and agencies share their data. Agencies can also share services and work towards data and network interoperability to be more efficient, the President said. The President aimed to address concerns over Privacy by noting, 'This strategy makes it clear that the individual privacy, civil rights and civil liberties of United States persons must be — and will be — protected.' The full document is available here in PDF format from the White House website."


Is this true of all retention laws that exceed operational requirements?
An anonymous reader writes in with a story about the Constitutional Court of Austria objecting to the EU's data retention law.
"The European Union's data retention law could breach fundamental E.U. law because its requirements result in an invasion of citizens' privacy, according to the Constitutional Court of Austria, which has asked the European Court of Justice (ECJ) to determine the directive's validity. The primary problem with the data retention law is that it almost exclusively affects people in whom government or law enforcement have no prior interest. But authorities use the data for investigations and are informed about people's personal lives, the court said, and there is a risk that the data can be abused. 'We doubt that the E.U. Data Retention Directive is really compatible with the rights that are guaranteed by the E.U. Charter of Fundamental Rights,' Gerhart Holzinger, president of the Constitutional Court of Austria said in a statement."


Two years of thoughtful preparation or two years to get a majority to agree?
FTC Strengthens Kids’ Privacy, Gives Parents Greater Control Over Their Information By Amending Children’s Online Privacy Protection Rule
December 19, 2012 by Dissent
From the FTC:
The Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule that strengthen kids’ privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13.
… The final amendments:
  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
The Commission vote to issue the amended Final Rule was 3-1-1, with Commissioner J. Thomas Rosch abstaining. Commissioner Maureen Ohlhausen voted no and issued a dissenting statement on the ground that she believes a core provision of the amendments exceeds the scope of the authority granted by Congress in COPPA.
The final amended Rule will be published in a notice in the Federal Register. The amendments to the Final Rule will go into effect on July 1, 2013.

(Related) Sometimes a cigar is just a cigar, but not in New York.
It’s no small feat taking on the entire internet when you’re making sure the world is safe for children – that’s why New York attorney general Eric Schneiderman has removed approximately 2,100 registered sex offenders from online gaming communities instead. Targeting groups like Gaia Online, NCSoft, and THQ, Schneiderman has made it clear that if it’s possible that a child is playing a video game online, he doesn’t want sex offenders anywhere on the digital premises.
… “The Internet is the crime scene of the 21st century, and we must ensure that online video game platforms do not become a digital playground for dangerous predators. That means doing everything possible to block sex offenders from using gaming systems as a vehicle to prey on underage victims.”


Where are we going? Toward Privacy or just droning on...
Markey Introduces Legislation to Ensure Privacy, Transparency in Domestic Drone Operations
December 19, 2012 by Dissent
Press release from Rep. Ed Markey:
Congressman Edward J. Markey (D-Mass.), co-Chair of the Bi-Partisan Congressional Privacy Caucus, today introduced legislation to ensure standards for informing the public and establish safeguards to protect the privacy of individuals as the federal government develops a comprehensive plan for the use of drones in U.S. Airspace. H.R. 6676, the Drone Aircraft Privacy and Transparency Act (DAPTA) amends the Federal Aviation Administration (FAA) Modernization and Reform Act to include privacy protection provisions relating to data collection and minimization, disclosure, warrant requirements for law enforcement, and enforcement measures in the licensing and operation of “unmanned aircraft systems”, commonly known as drones.
… The FAA has already begun issuing limited drone certifications for government entities and educational institutions.
A copy of the Drone Aircraft Privacy and Transparency Act can be found HERE.
… In April, Reps. Markey and Joe Barton (R-Texas) sent a letter querying the FAA about the potential privacy implications of non-military drone use. The FAA response can be found HERE.

(Related) If anyone can build and fly a drone, how will the FAA cope with this new freedom?
"People have made UAVs out of wood, aluminum, even 3D-printed plastic. But now comes the tale of C#/C++ developer Ed Scott who, after damaging his Gaui 330x, got the idea of designing and building a Lego quadcopter. And it worked! 'Most people go to their favourite hobby store to get parts for their UAV, I go to my kids playroom.'"


So many questions, so little time. If I own an asteroid one mile in diameter, can I park it in orbit above Colorado?
"A number of companies have announced plans in the last couple of years to undertake private development of space. There are asteroid-mining proposals backed by Larry Page and Eric Schmidt, various moon-mining proposals, and, announced just this month, a proposed moon-tourism venture. But all of these — especially the efforts to mine resources in space — are hampered by the fact that existing treaties, like the Outer Space Treaty, seem to prohibit private ownership of space resources. A new essay in The New Atlantis revisits the debates about property rights in space and examines a proposal that could resolve the stickiest treaty problems and make it possible to stake claims in space."


The evidence that you are a twit grows larger... Tools for e-Discovery? Certainly a target for hackers.
December 19, 2012
Your Twitter archive is now downloadable
"Today, we’re introducing the ability to download your Twitter archive, so you’ll get all your Tweets (including Retweets) going back to the beginning. Once you have your Twitter archive, you can view your Tweets by month, or search your archive to find Tweets with certain words, phrases, hashtags or @usernames. You can even engage with your old Tweets just as you would with current ones. Go to Settings and scroll down to the bottom to check for the option to request your Twitter archive. If you do see it, go ahead and click the button. You’ll receive an email with instructions on how to access your archive when it’s ready for you to download."


For my students...
Introduction to Statistics from Ani Adhikari, the UC Berkeley lecturer in statistics and recipient of UC Berkeley’s Distinguished Teaching Award.
Copyright from William Fisher III, WilmerHale Professor of Intellectual Property Law, Harvard Law School, and Director, Berkman Center for Internet & Society, will explore the current law of copyright and the ongoing debates concerning how that law should be reformed.
… All of the courses will be hosted on edX’s innovative platform at www.edx.org and are open for registration as of today. EdX expects to announce a second set of spring 2013 courses in the future.


Geeky, but cool!
If you are a web programmer, you know that every programming language has its own syntax, including weird characters and spacing. Now, thanks to Typing.io, you can practice typing based on the programming language(s) you use. It includes typing lessons for the 14 most popular web programming languages.
… Simply log in with your Google account, choose your programming language and start typing. If you mistype a character or miss a space you will get a red arrow pointing to the location where you mistyped.


A good idea (and a track record) makes funding easy.
Record-Breaking Kickstarter Turns Hamlet Into a Choose-Your-Adventure Epic
On Friday, an unlikely book will break the all-time record for Kickstarter’s most successful publishing project: a comedic choose-your-own-adventure-style novel by popular webcartoonist Ryan North that transforms Shakespeare’s Hamlet into an interactive story where readers can actually choose whether to be — or not to be. It’s a quirky idea that couldn’t get any traction at book publishing houses, but as a crowdsourced, collaborative online project, To Be or Not to Be: That Is the Adventure has earned over $425,000 in less than a month.
