It is possible to secure this type of service. For example, turning it off until needed works rather well.
Hacked Via RDP: Really Dumb Passwords
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.
Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.
… How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”
The report continues:
“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”
… In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.
… Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges should tell you if any RDP-equipped systems are enabled. Here are a few more tips on locking down RDP installations.
Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.
How do I mislead thee?
Let me count the ways:
I mislead thee to the depth and breadth and height
My vocabulary can distort...
Did someone lie to the Committee, or are they lying to us? (OR: does, “Never attribute to malice that which is adequately explained by stupidity.” apply?) Surely there have been more than 32 attempts. I heard about several at last night's faculty meeting and we're not the only school with an Ethical Hacking class.
Ranking Members Waxman and DeGette Release Memo on Healthcare.gov Security
by Sabrina I. Pacifici on December 13, 2013
“Today Energy and Commerce Committee Ranking Member Henry A. Waxman and Oversight and Investigations Subcommittee Ranking Member Diana DeGette released a memo to Democratic Committee members regarding the security of Healthcare.gov. In a classified briefing two days ago, HHS officials revealed that there have been no successful security attacks on Healthcare.gov and that no person or group has maliciously accessed personally identifiable information from the site. The memo summarizes the non-classified portion of the briefing. HHS officials told members and staff that there have been a total of 32 Healthcare.gov Information Security Incidents.
Eleven incidents are under investigation. [So we don't know if they have been successful or not Bob]
Of the remaining events, three were classified as non-incidents; ['cause we can't identify a breach when we see it... Bob]
one was an attempted (but unsuccessful) scan of the system; [What were they scanning for? Bob]
two were classified as “inappropriate usage” in violation of acceptable computing use policies; [Most organizations would classify this as a breach, e.g. looking at Britney Spears' psych records Bob]
and fifteen were classified as “unauthorized access” where an individual accidentally gained access to unauthorized information. [An accidental breach is still a breach Bob]
None of these events involved a significant breach of personal information. HHS officials indicated that they were conducting ongoing 24-7 system monitoring and ongoing assessments in order to ensure and strengthen system security. The memorandum is available online here.”
Are “cop cams” a good idea or not? Would you be suspicious if police turned off their cameras and later had to take an arrestee for medical treatment?
Andrew Staub reports:
The American Civil Liberties Union of Pennsylvania had hoped lawmakers would craft a statewide policy addressing many of the organization’s privacy concerns should an expanded wiretapping law allow police to use wearable cameras.
It doesn’t look like it will happen, even after the state House this week tweaked proposed legislation that would allow police to use recording devices attached to their uniforms, bike helmets or sunglasses.
Read more on PA Independent.
[From the article:
The amendment, put forward by state Rep. Dom Costa, D-Allegheny, made it abundantly clear that officers are not allowed to record while inside a person’s home — a point that some thought was somewhat ambiguous before. But the proposal still does not address when officers can turn the cameras on or off or how long police can keep footage on file.
Now, it looks like police surely will have broad discretion over the cameras should the legislation pass, said Andy Hoover, the ACLU’s legislative director.
… “It’s not a total lost cause,” Hoover said. “We can still get strong policies at the local level, and I have a feeling that activists at the local level will push hard to get good policies in place for the use of these cameras. [Activists? Because legislatures don't know what to do? Bob]
… the push to amend the state’s wiretapping laws surfaced after the Pittsburgh Bureau of Police spent more than $100,000 on cameras. [I'll bet the money came from a DHS grant. “We can, therefore we must!” Bob]
What are the odds that cable boxes in the bedroom make the news sometime in the next year?
Rather than you watching television, it is they who are watching you!
Verizon has recently patented a cable DVR box that will use audio and video to record and analyze what’s going on in your living room so that they can provide targeted ads in real time on the TV to suit what’s going on. Now, one reason may be advertising and marketing, but since they can listen and watch, just think, smile you may be on candid camera!
Read more on Before It’s News.
Cameras, cameras, cameras. And now one of my favorite “You ain't got no privacy” groups, teachers! If students have encrypted their phones or photos, or even if they have just password protected them, would they be comfortable refusing to give up their passwords? If they felt intimidated, would that taint any evidence gathered? I see the possibility for too many bad scenarios here.
Drew Smith reports:
Avon authorities are investigating after they received reports of several Avon High School students who may have been exchanging nude pictures through cellphones and mobile devices.
Some students have been suspended and police said they are working with the school to determine what happened and if any laws were broken. Officials said the situation could result in criminal charges being filed against some students.
School officials seized more than a dozen mobile devices after a parent informed the administration that some of those devices could contain naked photos of female students. By law, the school had to turn over those electronic devices to law enforcement.
Read more on The Indy Channel.
Talk about blurring the line between home and school, though! Does it matter at all that the pictures may have been taken – or exchanged – while the students were not on school premises? I suspect some of the sharing went on during school hours or on school premises, but suppose it had all been off-campus? The school says that they are required by law to turn over the cellphones. I haven’t read the law, but does Indiana law really require schools to turn over devices that may have evidence of a crime if the crime did not occur at school or on school premises? Just wondering….
Would there be a market for this device? Probably not, who would want to be constantly twitching?
The New Armor That Lets You Sense Surveillance Cameras
We pass under surveillance cameras every day, appearing on perhaps hundreds of minutes of film. We rarely notice them. London-based artist James Bridle would like to remind us.
Bridle has created a wearable device he calls the “surveillance spaulder.” Inspired by the original spaulder—a piece of medieval plate armor that protected “the wearer from unexpected and unseen blows from above”—the surveillance spaulder alerts the wearer to similarly unseen, if electronic, attacks. Whenever its sensor detects the type of infrared lighting commonly used with surveillance cameras, it sends an electric signal to two “transcutaneous electrical nerve stimulation” pads, which causes the wearer to twitch.
That is: Whenever the spaulder detects a security camera, it makes your shoulder jump a little. You can see the spaulder in action in the video above.
So would a Privacy Policy that said, “You have no privacy on our system, and we don't bother securing your data” make FTC enforcement impossible?
Jaikumar Vijayan
Despite growing pushback from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.
The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
Read more on Computerworld.
For my students who don't want to listen to me...
Spotify Launches Free Mobile Service For All Tablets And Smartphones
Spotify just announced that anyone using iOS or Android tablets and smartphones can use their music streaming app for free. Earlier, only desktop and laptop users had access to an ad-supported but free version of Spotify. Tablet users can now also avail themselves of the same listening pleasure as desktop users…but again with ads.
Trust me, this won't confuse the NSA for a second.
– one of the oldest forms of communication in the world is Morse Code, but it is being slowly edged out of existence by the advent of more advanced forms of communication such as the telephone and the Internet. If you are a Morse Code enthusiast, then Morse Node is a site where you can invite someone to your page, and then play Morse Code back to one another.
Timely amusement.
… According to Code.org, the organization that’s spearheaded this week’s push to teach more students computer science, over 13.7 million students have “learned an hour of code” this week.
… Chicago Public Schools says it will add computer science as a core subject, instead of an elective, in the city’s high schools.
… Timed with this week’s “Hour of Code,” Codecademy has launched an iOS app: Codecademy: Hour of Code.
… The Chronicle of Higher Education’s Jennifer Howard examines takedown notices that academics have been receiving from publisher Elsevier for articles – articles they’ve written – that they’ve uploaded to the research-sharing site Academia.edu. (Some scholars are getting takedown notices for posting their articles to their own blogs too.)
… Whose works will enter the public domain in 2014 (in those countries with a “life plus 70 years” copyright term)? Beatrix Potter, Sergei Rachmaninoff, and Fats Waller, among others. (Whose work will enter the public domain in the US? No one’s.)
… Fordham University has released a study on “Privacy and Cloud Computing in Public Schools.” Among the findings: “Districts surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.” The study, it’s probably worth noting, was sponsored by Microsoft.
… “Smartphone Use Linked to Lower Grades,” reads the Inside Higher Ed headline of a study by Kent State University researchers published in the Computers in Human Behavior journal.