For my Ethical Hackers.
Anyone can get hacked. Make sure you can blame someone else!
Rich McCormick reports:
The EC-Council, a US professional organization that offers a respected certification in ethical hacking, was itself hacked this weekend. Passport and photo ID details of more than 60,000 security professionals who have obtained or applied for the EC-Council’s Certified Ethical Hacker certification are at risk after the breach, many of whom work in sensitive political and military positions. They include members of the US military, FBI, United Nations, and National Security Agency.
Among their number is Edward Snowden, whose passport and application email for the certification were used to deface the EC-Council’s homepage, alongside the message “Defaced again? Yep, good job reusing your passwords morons.”
Read more on The Verge. See also Ars Technica coverage.
[From The Verge article:
The US Department of Defense has the EC-Council's Certified Ethical Hacker qualification as a mandatory standard for its Computer Network Defense Service Providers.
According to Steve Ragan of CSO, the EC-Council's website — which is currently inaccessible — was found to have vulnerabilities to various methods of attack last year. This specific defacement is reportedly a DNS redirect, controlled by an IP that was implicated in an attack on Flash-based co-operative shooter Realm of the Mad God earlier this month.]
“If you like something, we do that. If you don't like something, we don't do that.” Marketing 101
“We even don't do lots of stuff you didn't know you didn't like.” Marketing 201
Jack Clark reports:
A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA.
“NSA and any other world-class intelligence agency can hack into databases even if they not in the US,” said former White House security advisor Richard Clarke in a speech at the Cloud Security Alliance summit in San Francisco on Monday. “Non-US companies are using NSA revelations as a marketing tool.”
But the takeaway quote of his talk has to be this:
“The United States government has to get out of the business – if it were ever in the business – has to get out of the business of fucking with encryption standards,” Clarke said.
Read more on The Register.
We have the precedent of mandatory health insurance for healthy people to lower the cost to sick people, why not make secure companies pay to lower the cost to incompetents? (Note: This does not “spread the risk” – I'm still less likely to get hacked than the average company.)
David Navetta writes:
The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach (2007; 45 million cards exposed) dominated the news cycle. The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed. This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade: has anything really changed?
Read more on InfoLawGroup, where David argues that just as states require automobile insurance, they could similarly require cyberinsurance for breaches. Alternatively, and as David seems to prefer, the card brands at the top of the pyramid could make it a contractual requirement for businesses that want to accept their cards.
As a side note, I need to point out that David mentions the reports of Michaels Stores being breached. As of a few days ago, when I reached out to them, Michaels Stores had not confirmed that they have had any breach. That’s not to say that they may not have had a breach, but just to point out that it’s possible that we will hear that there’s been no breach in that case.
(Related) and some Perspective.
Telecompaper reports:
Dutch ISP XS4ALL and the law firm Brinkhof have awarded their annual Internet Thesis prize to a masters student researching required disclosure of data breaches. The research found that any such legal requirement would likely not meet its objectives. The thesis was based on the number of disclosures in the US before and after implementation of legal requirements. While the number increased after the requirement was imposed, the impact was minimal: over the research period of eight years, only 0.05 percent of businesses in the US reported a data leak, while British research had already shown that around 80 percent of security managers have dealt with data breaches.
(Related) There ought to be a law!
AG Holder Urges Congress to Create National Standard for Reporting Cyberattacks
by Sabrina I. Pacifici on February 24, 2014
“In a video message released today, Attorney General Eric Holder called on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks. This legislation would strengthen the Justice Department’s ability to combat crime, ensure individual privacy, and prevent identity theft, while also helping to bring cybercriminals to justice. [Not sure I completely agree Bob]
“Late last year, Target – the second-largest discount retailer in the United States – suffered a massive data breach that may have compromised the personal information of as many as 70 million people, in addition to credit and debit card information of up to 40 million customers. The Department of Justice is currently investigating this breach, in close coordination with the U.S. Secret Service. And we are moving aggressively to respond to hacking, cyberattacks, and other crimes that harm American consumers – and expose personal or financial information to those who would take advantage of their fellow citizens.”
As we’ve seen – especially in recent years – these crimes are becoming all too common. And they have the potential to impact millions of Americans every year. Just days after the Target breach was made public, another major retailer – Neiman Marcus – reported that it also suffered a suspected cyberattack during the holiday season. And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cyber criminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant [A truly flexible term... Bob] data breaches.
“Today, I’m calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised. This would empower [? Bob] the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable [Is this new? Do any existing laws go after breached entities like Target? Bob] when they fail to keep sensitive information safe. And it would provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.”
That's not funny.
Google's Schmidt: We don't (yet) have a connection inside your brain
When I heard that Google's Eric Schmidt had sat down to chat with a curiously trendy-looking Glenn Beck, I was hoping for questions like: "C'mon, Eric. Are you a commie?"
Instead, what ensued was a conversation about man and machine achieving perfect harmony, something that Lenin spectacularly failed to master.
Some might suspect that, in Google's eyes, such harmony would involve Google being able to control your arm as it reaches to scratch your head.
Schmidt, though, was at pains to put that concept to rest.
He said: "Google does not have a connection inside of your brain."
… Indeed, Schmidt then offered this follow-up: "We're not that good. Maybe yet. Maybe never."
For my students (not many use WhatsApp because of security concerns – should fit right in to Facebook.)
4 Slick WhatsApp Alternatives that Guard Your Privacy
… Facebook isn’t exactly known for its information privacy successes — in fact, its security gaffes have been some of the biggest tech news over the past few years, and its arcane security settings are infamous. We had to write a guide to help you figure them out.
Fortunately, if you no longer feel comfortable sending data through WhatsApp, you have some secure alternatives.
Wickr for iOS / Android (Free)
Threema for iOS / Android ($1.99)
Telegram for iOS / Android (Free)
surespot for iOS / Android (Free)