Something my Ethical
Hackers should consider. Will we look back at Syria as the first
true “Digital Battlefield,” even though it is very one sided
(that we can prove) and targeted at non-combatants as well as the
“rebels.” No violation of the “laws of war” (Is it?) but how
do you counter?
Social
Engineering and Malware in Syria: EFF and Citizen Lab’s Latest
Report on the Digital Battlefield
“More than two years
into the Syrian conflict, the violence continues both on the ground
and in the digital realm. Just as human rights investigators and
weapons inspectors search for evidence of chemical weapons, EFF, and
the University of Toronto’s
Citizen
Lab have been collecting, dissecting, and documenting malicious
software deployed against the Syrian opposition. Citizen Lab
security researchers Morgan Marquis-Boire and John Scott-Railton and
EFF Global Policy Analyst Eva Galperin today published their latest
technical paper,
Quantum
of Surveillance: Familiar Actors and Possible False Flags in Syrian
Malware Campaigns. The report outlines how pro-government
attackers have
targeted the opposition, as well as
NGO workers and journalists, with social engineering and
“Remote Access Tools” (RAT).”
Very nice summary.
Really really helpful
post over on 451 Security. Here’s the intro:
I’ve
written this post for two reasons. First, the recent Target breach
has led to some confusion, which I will try to clear up here.
Second, I wanted to create an easily referenced educational
resource on how credit cards are designed to work. I’m hoping
this will help people understand the intricacies of credit card fraud
and how some credit card features attempt to limit it.
Here
is the TL;DR version: CVV codes were compromised and should not be
stored post-authorization, but the CVV codes compromised are not
the codes printed on the card that we get asked for when making
online purchases. There are actually two separate security
codes: one to prove possession of the card when it is swiped
(stored on the magnetic strip) and another printed on the card, to
prove possession of the card when it is used in card-not-present
transactions, like e-commerce or over the phone. The same value is
not used for both codes.
[From
the article:
Based on what we know
about the breach, it sounds like track data was either potentially
stored by Target (against PCI DSS rules), was captured in transit or
was captured pre-authorization (PCI says you can’t store track data
after authorization). If full track data was
compromised, the primary threat of consumer fraud from this breach
will be for stolen data to be copied to fake credit cards and used
in-person.
Just up the road, but
also available globally via Live Stream.
This sounds like a
not-to-be-missed event. Wish I could get there to attend, but I’ll
have to console myself with watching the live stream.
Friday,
January 17, 2014; 9:00 AM – 5:30 PM
@
University of Colorado Law School, Room 101
What
harms are privacy laws designed to prevent? How are people injured
when corporations, governments, or other individuals collect,
disclose, or use information about them in ways that defy
expectations, prior agreements, formal rules, or settled norms? How
has technology changed the nature of privacy harm?
These
questions loom large in debates over privacy law. Often, they are
answered skeptically. The President of the United States justifies
massive NSA surveillance programs by arguing that non-content
surveillance is not very harmful. Advertisers resist calls for
aggressive forms of Do Not Track by arguing that the way they track
online behavior creates little risk of harm. Judges dismiss lawsuits
brought by users suing services that suffer massive data breaches,
for lack of harm.
Meanwhile,
many privacy law scholars and advocates do not speak consistently, if
they speak at all, about privacy harm. Some prefer to talk about
“problems” or “conflicts” not harms. Others point primarily
to abstract, societal harms such as chilling effects or harms to
dignity or individual autonomy. Many of these people have tried to
move the conversation away from harm and what they see as crabbed,
tort-centric approaches to privacy protection.
It
is time to revisit old conversations about harm. New
practices and technologies raise new threats of harm. [Or
automate existing ones? Bob] The fear of Big Data
techniques (for example in the public debate over the pregnancy
prediction program of the retailer Target) have inspired new theories
of harm. Economists and computer scientists have developed new ways
of measuring privacy harm. Regulators have adopted new ways of
talking about harm.
Join
the Silicon Flatirons Center for Law, Technology, and
Entrepreneurship on Friday, January 17, 2014, from 9:00 AM – 4:15
PM as we venture into the New Frontiers of Privacy Harm. We will
assemble thought leaders and top practitioners and regulators for a
diverse and rich set of conversations about privacy harm.
You can see the great
line-up of presenters and discussants, and access the day’s
schedule
here.
(Related) Interesting
article!
Abstract:
As
online social media grow, it is increasingly important to distinguish
between the different threats to privacy that arise from the
conversion of our social interactions into data. One
well-recognized threat is from the robust concentrations of
electronic information aggregated into colossal databases. Yet
much of this same information is also consumed socially and dispersed
through a user interface to hundreds, if not thousands, of peer
users.
In
order to distinguish relationally shared information from the threat
of the electronic database, this essay identifies the massive amounts
of personal information shared via the user interface of social
technologies as “social data.” The main thesis of this essay
is that, unlike electronic databases, which are the focus of the Fair
Information Practice Principles (FIPPs), there are no commonly
accepted principles to guide the recent explosion of voluntarily
adopted practices, industry codes, and laws that address social data.
This
essay aims to remedy that by proposing three social data principles —
a sort of FIPPs for the front-end of social media: the Boundary
Regulation Principle, the Identity Integrity Principle, and the
Network Integrity Principle. These principles can help courts,
policymakers, and organizations create more consistent and effective
rules regarding the use of social data.
You can download the
full article from
SSRN.
You may also wish to see the other articles in the
same
issue of the Ohio State Law Journal
I doubt most people
even think about why privacy is of concern to magazines like Forbes.
Over on Forbes, Kashmir
Hill writes:
Forget
“twerking” and “selfies.” Dictionary.com dubbed “privacy”
the
word of the year in 2013. Here at
The Not-So Private Parts,
it feels a little like the unknown indie band we’ve been obsessed
with for years just won best album at the Grammys. So why did the
plight of our personal data achieve Arcade Fire-level fame this year?
(Related) Illogical or
merely ignorant?
Liz Gannes reports:
When
asked to choose which is more important to them, protecting their
personal information online or protecting their online behavior,
respondents to a recent survey said hacking is a bigger concern than
tracking.
Some
75 percent of those surveyed said they are worried about hackers
stealing their personal information, while 54 percent are worried
about their browsing history being tracked by advertisers.
These are common
failings in all industries. Managers do not like to spend money or
resources on things like logs that are only useful in the unlikely
event they are breached. Rational or irrational?
From the Executive
Summary of a newly released report:
WHAT
WE FOUND
Nearly
all hospitals with EHR technology had RTI-recommended audit functions
in place, but they may not be using them to their full extent.
In addition, all hospitals employed a variety of RTI-recommended
user authorization and access controls. Nearly all hospitals were
using RTI-recommended data transfer safeguards. Almost half of
hospitals had begun implementing RTI-recommended tools to include
patient involvement in anti-fraud efforts. Finally, only about one
quarter of hospitals had policies regarding the use of the copy-paste
feature in EHR technology, which, if used improperly, could pose a
fraud vulnerability.
WHAT
WE RECOMMEND
We
recommend that audit logs be operational whenever EHR technology
is available for updates or viewing. We also recommend that ONC and
CMS strengthen their collaborative efforts to develop a comprehensive
plan to address fraud vulnerabilities in EHRs. Finally, we recommend
that CMS develop guidance on the use of the copy-paste feature in EHR
technology. CMS and ONC concurred with all of our recommendations.
You can access the full
report
here
(pdf, 30 pp.)
Sign up an you can be
among the first to know you've been had. Possibly even before the
breachee.
Have
you been pwned? Now you can be automatically told when you are!
Just under three weeks
ago now,
I
launched Have I been pwned? which could tell you if you owned one
of
154 million email addresses that had been caught up in recent
data breaches. Subsequently, the site
turned
out to be wildly popular and as with such things, a lot of good
ideas came up in terms of features people would like to see.
Without doubt, the
number one request was for notifications. Searching for accounts
that may have been pwned up to the current date is one thing, but the
real value is in being automatically notified when you get
pwned in the future. So I built it – oh and I’ve
made it a free service.
Signing up for
notifications
Let me talk you through
it: First of all, jump over to
haveibeenpwned.com
and search for your email address. You can always just hit the
“Notify me” link in the nav but I suspect most people will want
to kick off by looking at whether they’ve already been compromised.
This is pretty much
business as usual, except now you’ve got a “Notify me if my
address gets pwned in the future” hyperlink just above the social
media icons. Click that guy and you’ll get a little window:
I like lists like this,
because I always try to steal learn from the best!
Many more blogs listed at the site.
Announcing
the 2013 Blawggie Awards – Tenth Edition
2013
Blawggie Award Categories and Winners.
For
my Apple toting students...
Year
in Review: 5 Most Notable New iOS Apps of 2013
For my Ethical Hackers
… The learning
opportunity comes into play when you don’t already understand
something you encounter in the packet capture file. You are expected
to do your own research to understand the artifact well enough to
explain it in your response. Given that this year’s scenario is
based on a virtual city’s critical infrastructure, Skoudis says
there will be some protocols that network professionals probably
aren’t familiar with. It’s a chance to stretch your knowledge a
bit and build some in-demand skills in a fun way.
Since this is the 10th
year for the competition, some of the previous years’ challenges
and answers are posted online.
… For a look at the
2012 Holiday Hacking Challenge and the winning and honorable mention
responses,
click
here.