Tuesday, June 04, 2013

I wish I could say this was the first “shocking lack” I had ever reported. This relates to the ATM cash withdrawal incident. (Note that if this had been a CyberWar exercise by a state actor, passing some information to a criminal gang along with instructions on how to withdraw cash from ATMs would shift blame to them. Just saying...)
More fascinating reporting by Brian Krebs:
A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.
Read about it on KrebsonSecurity.com.
[From the article:
“FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”
Indeed, the FDIC’s examiners found that there was scarcely a portion of the FIS network that the hackers did not touch.]


For my Ethical Hackers: Using the other guy's program means you don't leave any “programming fingerprints” during your attack. (Also see: False Flag)
American Gets Targeted by Digital Spy Tool Sold to Foreign Governments
The email appeared to come from a trusted colleague at a renowned academic institution and referenced a subject that was a hot-button issue for the recipient, including a link to a website where she could obtain more information about it.
But when the recipient looked closely at the sender’s email address, a tell-tale misspelling gave the phishing attempt away — the email purported to come from a professor at Harvard University, but instead of harvard.edu, the email address read “hardward.edu”. [Always use your spell checker! Bob]
Not exactly a professional con-job from nation-state hackers, but that’s exactly who may have sent the email to an American woman, who believes she was targeted by forces in Turkey connected to or sympathetic to the powerful Gülen Movement, which has infiltrated parts of the Turkish government.
The email contained a link to a web site in Turkey, where a malicious downloader file was waiting to install on her computer — a downloader that has been connected in the past to a spy tool purportedly sold exclusively to law enforcement and intelligence agencies around the world.
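The misspelled sender domain above is the kind of thing a mail gateway can check mechanically rather than relying on a sharp-eyed recipient. The following is an added example, not code from the Wired article or from any product it mentions: it scores a sender's domain against a small allow-list of trusted domains with an edit-distance measure and flags anything that is close but not equal. The allow-list, the sample addresses and the distance threshold are all constructed for the example. It goes a little beyond the page's single case by also catching transposed letters and two-character look-alikes such as "rn" for "m".

```python
"""Flag sender domains that are near-misses of trusted domains (added example).

The phishing mail described above was caught because "hardward.edu" is a
near-miss of "harvard.edu". A gateway filter can do that comparison for
every inbound message: exact matches (and subdomains) of an allow-listed
domain are trusted, domains within a small edit distance of one are flagged
as look-alikes, and everything else is simply unknown.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list for the example; a real deployment would load
# the organisation's own list of correspondent domains.
TRUSTED_DOMAINS = ["harvard.edu", "mit.edu", "example.com"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so "havrard" is one step from "harvard" rather than two.
    """
    prev2 = None                      # row for a[:i-2]
    prev = list(range(len(b) + 1))    # row for a[:i-1]; a[:0] vs b[:j] costs j
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)      # a[:i] vs b[:0] costs i deletions
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev[j - 1] + cost)   # substitute (or match)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transpose
        prev2, prev = prev, cur
    return prev[len(b)]


def sender_domain(address: str) -> str:
    """Return the lowercase domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().strip(".")


@dataclass
class Verdict:
    address: str
    domain: str
    nearest: Optional[str]     # closest trusted domain, if any
    distance: Optional[int]    # edit distance to it
    status: str                # "trusted", "lookalike" or "unknown"


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Classify one sender address against the allow-list."""
    domain = sender_domain(address)
    # An exact match or a subdomain (mail.harvard.edu) of a trusted domain is trusted.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(address, domain, t, 0, "trusted")
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    d = edit_distance(domain, best)
    if d <= max_distance:
        return Verdict(address, domain, best, d, "lookalike")
    return Verdict(address, domain, None, None, "unknown")


def scan(addresses):
    """Classify a batch of addresses; look-alikes are the ones worth quarantining."""
    return [classify(a) for a in addresses]


if __name__ == "__main__":
    # Constructed sample senders: the page's misspelling, a transposition,
    # an rn/m look-alike, a legitimate subdomain and an unrelated domain.
    for v in scan(["prof@hardward.edu", "prof@havrard.edu", "bursar@rnit.edu",
                   "prof@mail.harvard.edu", "someone@gmail.com"]):
        print(f"{v.status:9} {v.address:26} nearest={v.nearest} distance={v.distance}")
```

The threshold of two edits is a tuning choice: it catches single-letter slips, swaps and the rn/m trick without flagging genuinely unrelated domains, but on a long allow-list of short domains it will produce some false positives, so a flagged message should be quarantined for review rather than silently dropped.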


For my Ethical Hackers. Think we could borrow Denver's machines?
Bruce66423 submits a report from The Independent, writing that "a French primary election is made the stuff of farce after journalists defeat the 'secure' election system." From the article:
"An 'online-primary,' claimed as 'fraud-proof' and 'ultra secure,' has turned out to be vulnerable to multiple and fake voting. The four-day election has also exposed the poisonous divisions created within the centre-right Union Pour un Mouvement Populaire (UMP) by the law permitting gay marriage which took effect last week. ... What was already shaping up as a tense and close election was thrown into utter confusion at the weekend. Journalists from the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names."


So this does not sound like his squad mates packing things up. Who searched his computer?
FourthAmendment.com writes:
Defendant was injured by an IED while serving in the Army in Iraq, and he was medically evacuated from Iraq. His property was inventoried pursuant to Army regulation. His computer was subject to inventory for things “gore, inappropriate, or porn” and for classified material before the computer was returned to him, and child pornography was found. The Court of Appeals for the Armed Forces held that the inventory of the computer violated the Fourth Amendment and M.R.E. 313(c). United States v. Kelly, 2013 CAAF LEXIS 569 (C.A.A.F. May 23, 2013)
Read more on FourthAmendment.com.
[From the article:
It appears that the initial inventory of Kelly's belongings in Iraq by the SCMO was a proper inventory. The SCMO secured Kelly's PE and properly made an accounting of Kelly's belongings. The SCMO's sworn statement indicates that he inventoried Kelly's belongings and "personally ensured" that they were dropped at the Mortuary and he was given a memo that served as a "hand receipt" which was eventually provided to CID.]


The first step on that slippery slope? Like fingerprints, a DNA profile will never be deleted.
Mark Memmott reports:
By a 5-4 vote, the U.S. Supreme Court has upheld a Maryland law that allows police to collect DNA, without first getting a warrant, from persons who are arrested.
“When officers make an arrest supported by probable cause to hold for a serious offense and bring the suspect to the station to be detained in custody, taking and analyzing a cheek swab of the arrestee’s DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment,” writes Justice Anthony Kennedy in an opinion joined by Chief Justice John Roberts and associate justices Clarence Thomas, Stephen Breyer and Samuel Alito.
Read more on NPR.


I don't get it...
Pete Williams and Andrew Rafferty report:
Lawyers for Jill Kelley — the Florida woman whose complaint to federal authorities about harassing emails last year led to the resignation of former CIA Director David Petraeus — on Monday filed a lawsuit claiming the FBI and Department of Defense officials violated her privacy by failing to keep information about her role in the investigation confidential.
Read more on NBC.


Perhaps I could write up some guidelines for a “Facebook for Employers” page? Include some “Likes” from President Obama and the Pope? Or just some discussions about 'searching for the perfect circumstances for a privacy lawsuit?'
Daniel Solove writes:
In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.
I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.
But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud.
Read more on Concurring Opinions.


What should the FDA be doing?
FDA Can’t Hold Back Stream of Mobile Health Apps
It was bound to happen. As smartphones, tablets and all those wearable computer gizmos get more and more powerful — and just as important — become ever more constant in our lives, they will enable apps that no one anticipated. Not even the fine people of the Food and Drug Administration.
We wrote about one such app called uChek, after witnessing its founder Myshkin Ingawale at this year’s TED conference perform a urinalysis check on stage with nothing more than a very full plastic cup, test strips, and an iPhone. The app, recently made available in Apple’s iTunes store, uses the iPhone’s powerful camera to analyze standard medical supply chemical strips by first taking photos with your phone at predetermined times, and then comparing the colors that emerge on the urine-soaked strip to a color-coded key. Depending on how the colors match up (and what is being measured), users get a simple positive or negative result, a number, or the descriptors “trace” or “large” corresponding to the levels of such things as glucose, bilirubin, proteins, specific gravity, ketones, leukocytes, nitrites, urobilinogen, and hematuria present in your urine.
When the app launched stateside, Ingawale sent Wired an excited email. What James Woods, the FDA’s Deputy Director of Patient Safety And Product Quality in the Office of In Vitro Diagnostics and Radiological Health, sent him recently was an “It Has Come to Our Attention Letter.”
Woods, in the very politely worded missive, informs Ingawale that: “Though the types of urinalysis dipsticks you reference for use with your application are cleared, they are only cleared when interpreted by direct visual reading. Since your app allows a mobile phone to analyze the dipsticks, the phone and device as a whole functions as an automated strip reader. When these dipsticks are read by an automated strip reader, the dipsticks require new clearance as part of the test system.”

(Related) Another “What is government's proper role” that highlights how poorly we deal with technology. The 'rules of the road' are unlikely to change, so are we merely looking to affix blame?
The Feds Have No Clue How to Legislate Autonomous Cars
With everyone from Audi to Google to Volvo developing autonomous vehicles, the federal government is cautiously getting behind the wheel to regulate how self-driving cars should be operated and legislated. But its recommendations are far from clear-cut, underscoring just how far behind the times Washington is with regard to emerging technology.
Still, by stepping into the fray and attempting to codify when, where and how autonomous vehicles are developed and deployed, the National Highway Traffic Safety Administration is all but admitting that the day is coming when we’ll all let the robot drive.


Perspective: “We don't need no stinking cameras!”
"The reporters of the Chicago Sun-Times are being given training in iPhone photography, to make up for the firing of the photography staff. From the CoM story: 'The move is part of a growing trend towards publications using the iPhone as a replacement for fancy, expensive DSLRs. It's also a sign of how traditional journalism is being changed by technology like the iPhone and the advent of digital publishing.'"

(Related) “We need more stinking cameras!”
"The Montreal Policemen's Brotherhood is proposing that officers be equipped with uniform-mounted cameras that can be used to record various interactions. The union says in other jurisdictions where police officers are equipped with point-of-view cameras, the use of force by officers and assaults on officers drops by as much as 60%. One system is currently being tested in Edmonton, Alberta."


How to expand “summary” RSS feeds into full text feeds. (Personally, I like the summaries)
[MakeUseOf just changed from full text to a summary feed Bob]
… The reason is that too many unethical sites were “scraping our feed” and passing off MakeUseOf’s stories as their own. This meant that these low quality sites were duplicating our content and ranking for it on Google and other search engines. We don’t have a problem with sites using our articles but in return, we insist on a clear linkback, as well as author attribution. These content thieves were not doing this, and they are not the kind of people to honor any takedown requests. Therefore, we began a fiendishly clever plan and moved to summary feeds.
If you absolutely cannot live without your full text RSS feeds, you can still have them and at the same time help us defeat the scrapers. Simply plug the RSS feed into Full Text RSS Feed. Then put the RSS feed address it gives you into your RSS reader, and hey presto, you have your full MakeUseOf feed back.


For my Computer Security students. Risk analysis does not stop with a determination that an event is “low probability.” You must also consider the cost of recovery.
Presentation: Survey of Government IT Professionals – Disaster Unpreparedness
“So, how confident are Fed IT professionals in their agencies’ DR2 capabilities? How ready and resilient are the systems, and do agencies verify by testing? To find out, MeriTalk surveyed 150 Federal DoD and civilian IT professionals in December 2012. The Disaster Unpreparedness report reveals that few agencies are actually prepared to recover their data in the event of a natural or man-made incident… The amount of data agencies must back up and recover is growing, yet only 8% of Feds are confident they can recover their data today.”


For my Math students. The problem is that many of these websites are targeted to K-12 students and unless I can point to individual videos, my students feel the sites are too juvenile for them. This one at least has a “College” section.
ULearniversity - Online Math Lessons and Practice
ULearniversity is a free site featuring arithmetic and algebra lessons. On ULearniversity you can watch tutorial videos and practice the concepts taught in the videos. ULearniversity provides instant feedback on your practice problems. As a registered ULearniversity user you can track your progress.


For all my students...
… this is the digital age and there’s a substantial demographic that is working from home. That’s nearly 10% in the U.S. alone and rising. [And all of my students. Bob]
