Another Year End list.
Verizon
DBIR Researchers’ Predictions for 2013 Threats
December 20, 2012 by admin
BASKING RIDGE, N.J. – Although many security experts predict that the most likely data breach threats organizations will face in 2013 include cloud exploits, mobile device attacks and all-out cyber war, “Verizon Data Breach Investigations Report” (DBIR) researchers have reached a far different conclusion: The most likely threats involve authentication attacks and failures, continued espionage and “hacktivism” attacks, Web application exploits and social engineering.
The findings of the researchers – members of the company’s RISK (Research Intelligence Solutions Knowledge) Team – are based on data that spans eight years and thousands of cases and is contained in the 2012 data breach report, released earlier this year.
“Many security experts are using anecdote and opinion for their predictions, whereas Verizon’s researchers are applying empirical evidence to help enterprises focus on what will be truly important in the coming year — and also what isn’t,” said Wade Baker, principal author of the DBIR.
“First and foremost, we don’t believe there will be an all-out cyber war, although it’s possible,” he said. “Rather, an enterprise’s 2013 data breach is much more likely to result from low-and-slow attacks.”
Verizon’s RISK team has identified the following most likely data threats:
- Topping the list – with a 90 percent chance of probability – are attacks and failures related to authentication, including vulnerable or stolen usernames and passwords, which often represent the initial events in a breach scenario. “Nine out of 10 intrusions involved compromised identities or authentication systems, so enterprises need to make sure they have a sound process for creating, managing and monitoring user accounts and credentials for all of their systems, devices and networks,” Baker said.
- Web application exploits, which are most likely to affect larger organizations and especially governments, rather than small to medium-sized businesses. The chances of such attacks occurring are three in four, according to the data compiled by the RISK Team. “Given these odds, organizations that choose to take their chances and ignore secure application development and assessment practices in 2013 are asking for trouble,” said Baker.
- Social engineering, which targets people rather than machines and relies on clever — and sometimes clumsy — deceptions to be successful. “The use of social tactics like phishing increases by a factor of three for larger enterprises and governments,” said Baker. “It’s impossible to eliminate all human error or weaknesses from an organization, but vigilance and education across the employee population help to control and contain such schemes.”
Baker also said that targeted attacks from adversaries motivated by espionage and hacktivism — breaking into a computer system for a politically or socially motivated purpose — will continue to occur, so “it’s critical to be watchful on this front.”
In addition, the RISK team does not foresee the failure of an organization’s cloud technology or configuration as being the root cause of a breach. However, an organization’s service provider could inadvertently increase the likelihood of a breach by failing to take appropriate actions or taking inappropriate ones.
As for mobile devices, the Verizon researchers believe that lost and stolen – and unencrypted – mobile devices will continue to far exceed hacks and malware.
The RISK Team also projects that attacks on mobile devices by the criminal world will follow closely the push to mobile payments in the business and consumer world. “There’s a good chance we’ll see this shift in 2013, but our researchers think mobile devices as a breach vector in larger enterprises will lag beyond 2013,” Baker said.
Large organizations tend to pride themselves on their security strategy and accompanying plans, but the reality is that a large business is less likely to discover a breach itself than to be notified by law enforcement. “And, if you do discover it yourself,” Baker said, “chances are it will be by accident.” He concluded:
“Keep in mind that all of these breaches can still be an issue for enterprises. However, what we’re saying is that they’re over-hyped according to our historical data and are far less likely to factor into an organization’s next breach than is commonly thought.”
Grab them quick, before they are declared state secrets. After all, any discussion of secrets reveals what we think secrets should be, which is a topic that should remain secret.
Introducing the ‘State Secrets’ Drinking Game
We reported Friday on a three-hour hearing in San Francisco federal court in which the Justice Department repeatedly invoked the state secrets privilege and demanded U.S. District Judge Jeffrey White dismiss a lawsuit accusing the government of siphoning Americans’ electronic communications from willing telecoms and funneling them to the National Security Agency without warrants.
As it turns out, the San Francisco federal court produced two roughly 90-minute videos of the hearing as part of a pilot project and just published them on its website. Normally, cameras in the court are not allowed.
Very familiar language to someone who got their MBA in the 80s: “Hey, we have lots of data but it isn't consistent and no one is in charge...”
"President Obama on Wednesday released a national strategy designed to balance the sharing of information with those who need it to keep the country safe, while protecting the same data from those who would use it to cause harm. 'The National Strategy for Information Sharing and Safeguarding' outlines how the government will attempt to responsibly share and protect data that enhances national security and protects the American people. The national strategy will define how the federal government and its assorted departments and agencies share their data. Agencies can also share services and work towards data and network interoperability to be more efficient, the President said. The President aimed to address concerns over privacy by noting, 'This strategy makes it clear that the individual privacy, civil rights and civil liberties of United States persons must be — and will be — protected.' The full document is available here in PDF format from the White House website."
Is this true of all retention laws that exceed operational requirements?
An anonymous reader writes in with a story about the Constitutional Court of Austria objecting to the EU's data retention law.
"The European Union's data retention law could breach fundamental E.U. law because its requirements result in an invasion of citizens' privacy, according to the Constitutional Court of Austria, which has asked the European Court of Justice (ECJ) to determine the directive's validity. The primary problem with the data retention law is that it almost exclusively affects people in whom government or law enforcement have no prior interest. But authorities use the data for investigations and are informed about people's personal lives, the court said, and there is a risk that the data can be abused. 'We doubt that the E.U. Data Retention Directive is really compatible with the rights that are guaranteed by the E.U. Charter of Fundamental Rights,' Gerhart Holzinger, president of the Constitutional Court of Austria, said in a statement."
Two years of thoughtful preparation or two years to get a majority to agree?
FTC Strengthens Kids’ Privacy, Gives Parents Greater Control Over Their Information By Amending Children’s Online Privacy Protection Rule
December 19, 2012 by Dissent
From the FTC:
The Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule that strengthen kids’ privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13.
… The final amendments:
- modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
- extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
… The Commission vote to issue the amended Final Rule was 3-1-1, with Commissioner J. Thomas Rosch abstaining. Commissioner Maureen Ohlhausen voted no and issued a dissenting statement on the ground that she believes a core provision of the amendments exceeds the scope of the authority granted by Congress in COPPA.
… The final amended Rule will be published in a notice in the Federal Register. The amendments to the Final Rule will go into effect on July 1, 2013.
(Related) Sometimes a cigar is just a cigar, but not in New York.
It’s no small feat taking on the entire internet when you’re making sure the world is safe for children – that’s why New York attorney general Eric Schneiderman has removed approximately 2,100 registered sex offenders from online gaming communities instead. Targeting groups like Gaia Online, NCSoft, and THQ, Schneiderman has made it clear that if it’s possible that a child is playing a video game online, he doesn’t want sex offenders anywhere on the digital premises.
… “The Internet is the crime scene of the 21st century, and we must ensure that online video game platforms do not become a digital playground for dangerous predators. That means doing everything possible to block sex offenders from using gaming systems as a vehicle to prey on underage victims.”
Where are we going? Toward Privacy or just droning on...
Markey Introduces Legislation to Ensure Privacy, Transparency in Domestic Drone Operations
December 19, 2012 by Dissent
Press release from Rep. Ed Markey:
Congressman Edward J. Markey (D-Mass.), co-Chair of the Bi-Partisan Congressional Privacy Caucus, today introduced legislation to ensure standards for informing the public and establish safeguards to protect the privacy of individuals as the federal government develops a comprehensive plan for the use of drones in U.S. Airspace. H.R. 6676, the Drone Aircraft Privacy and Transparency Act (DAPTA), amends the Federal Aviation Administration (FAA) Modernization and Reform Act to include privacy protection provisions relating to data collection and minimization, disclosure, warrant requirements for law enforcement, and enforcement measures in the licensing and operation of “unmanned aircraft systems”, commonly known as drones.
… The FAA has already begun issuing limited drone certifications for government entities and educational institutions.
… A copy of the Drone Aircraft Privacy and Transparency Act can be found HERE.
… In April, Reps. Markey and Joe Barton (R-Texas) sent a letter querying the FAA about the potential privacy implications of non-military drone use. The FAA response can be found HERE.
(Related) If anyone can build and fly a drone, how will the FAA cope with this new freedom?
"People have made UAVs out of wood, aluminum, even 3D-printed plastic. But now comes the tale of C#/C++ developer Ed Scott who, after damaging his Gaui 330x, got the idea of designing and building a Lego quadcopter. And it worked! 'Most people go to their favourite hobby store to get parts for their UAV, I go to my kids’ playroom.'"
So many questions, so little time. If I own an asteroid one mile in diameter, can I park it in orbit above Colorado?
"A number of companies have announced plans in the last couple of years to undertake private development of space. There are asteroid-mining proposals backed by Larry Page and Eric Schmidt, various moon-mining proposals, and, announced just this month, a proposed moon-tourism venture. But all of these — especially the efforts to mine resources in space — are hampered by the fact that existing treaties, like the Outer Space Treaty, seem to prohibit private ownership of space resources. A new essay in The New Atlantis revisits the debates about property rights in space and examines a proposal that could resolve the stickiest treaty problems and make it possible to stake claims in space."
The evidence that you are a twit grows larger... Tools for e-Discovery? Certainly a target for hackers.
December 19, 2012
Your Twitter archive is now downloadable
"Today, we’re introducing the ability to download your Twitter archive, so you’ll get all your Tweets (including Retweets) going back to the beginning. Once you have your Twitter archive, you can view your Tweets by month, or search your archive to find Tweets with certain words, phrases, hashtags or @usernames. You can even engage with your old Tweets just as you would with current ones. Go to Settings and scroll down to the bottom to check for the option to request your Twitter archive. If you do see it, go ahead and click the button. You’ll receive an email with instructions on how to access your archive when it’s ready for you to download."
For my students...
… Introduction to Statistics from Ani Adhikari, the UC Berkeley lecturer in statistics and recipient of UC Berkeley’s Distinguished Teaching Award.
… Copyright from William Fisher III, WilmerHale Professor of Intellectual Property Law, Harvard Law School, and Director, Berkman Center for Internet & Society, will explore the current law of copyright and the ongoing debates concerning how that law should be reformed.
… All of the courses will be hosted on edX’s innovative platform at www.edx.org and are open for registration as of today. EdX expects to announce a second set of spring 2013 courses in the future.
Geeky, but cool!
If you are a web programmer, you know that every programming language has its own syntax, including weird characters and spacing. Now, thanks to Typing.io, you can practice typing based on the programming language(s) you use. It includes typing lessons for the 14 most popular web programming languages.
… Simply log in with your Google account, choose your programming language and start typing. If you mistype a character or miss a space you will get a red arrow pointing to the location where you mistyped.
A good idea (and a track record) makes funding easy.
Record-Breaking Kickstarter Turns Hamlet Into a Choose-Your-Adventure Epic
On Friday, an unlikely book will break the all-time record for Kickstarter’s most successful publishing project: a comedic choose-your-own-adventure-style novel by popular webcartoonist Ryan North that transforms Shakespeare’s Hamlet into an interactive story where readers can actually choose whether to be — or not to be. It’s a quirky idea that couldn’t get any traction at book publishing houses, but as a crowdsourced, collaborative online project, To Be or Not to Be: That Is the Adventure has earned over $425,000 in less than a month.