Thursday, November 20, 2014

You can't rely on those “assurances” released with initial details of a breach. It seems the damage is always worse than initially suspected. Another way to look at it: How can they even hint that they know the extent of the breach if they are still analyzing?
Aliya Sternstein reports:
Compensation files for U.S. Postal Service workers might also have been breached during a recent hack that exposed the Social Security numbers and other personal data on about 800,000 USPS employees, a postal inspector said Wednesday.
[...]
“We’re still conducting forensic analysis of the impacted servers,” said Randy Miskanic, incident commander on the case and the USPS secure digital solutions vice president. “There is the possibility of additional compromise, specifically as it relates to some workers’ compensation files.”
Read more on NextGov.


Big Data must include Big Breaches.
RiskBased Security reports:
We have been so busy here at Risk Based Security recently that we neglected to release our latest Data Breach QuickView report to the public last month! The report already shows that 2014 is the highest year ever for exposed records. The 1,922 incidents reported during the first nine months of 2014 exposed over 904 million records. While 60.2% of breaches exposed only between 1 and 1,000 records, twenty breaches exposed one million or more records with four finding a place on the Top 10 All Time Breach List.
About the Data Breach QuickView Report
The Data Breach QuickView report is intended to be an executive level summary of the key findings from RBS’ analysis of 2014’s data breach incidents. Contact Risk Based Security for your customized analysis of the 2014 data breaches.
You can view the 2014 Data Breach QuickView report here: https://www.riskbasedsecurity.com/reports/2014-Q3DataBreachQuickView.pdf


Unfortunately, this response also fits the facts exactly: “Of course we can't talk about it. We are doing something so illegal that the case would get thrown out.” Looks like they tossed all of their evidence. Good luck with the prosecution.
Justin Fenton reports:
Baltimore prosecutors withdrew key evidence in a robbery case Monday rather than reveal details of the cellphone tracking technology police used to gather it.
The surprise turn in Baltimore Circuit Court came after a defense attorney pressed a city police detective to reveal how officers had tracked his client.
City police Det. John L. Haley, a member of a specialized phone tracking unit, said officers did not use the controversial device known as a stingray. But when pressed on how phones are tracked, he cited what he called a “nondisclosure agreement” with the FBI.
“You don’t have a nondisclosure agreement with the court,” Baltimore Circuit Judge Barry G. Williams replied. Williams threatened to hold Haley in contempt if he did not respond. Prosecutors decided to withdraw the evidence instead.
Read more on Baltimore Sun.
[From the article:
Law enforcement officials in Maryland and across the country say they are prohibited from discussing the technology at the direction of the federal government, which has argued that knowledge of the devices would jeopardize investigations.
… Some critics say the use of such technology might be appropriate, with court approval, to help law enforcement locate a suspect. But in the secrecy surrounding its use, they say, it's not always clear that law enforcement officials have secured the necessary approval, or stayed within their bounds.
… Police say phone records show that the phone that was used to call in the delivery was also used to make and receive hundreds of calls to and from Taylor's phone. [If the defendant had called Mom, would she now be a “co-defendant?” Bob]
… Finally, Seidel said prosecutors would drop all evidence found during the search of the home — including, authorities have said, a .45-caliber handgun and the cellphone. The prosecutor said the state would continue to pursue the charges.
Wessler, of the ACLU, said Williams was right to ignore the nondisclosure agreement with the FBI.
"You can't contract out of constitutional disclosure obligations," Wessler said. "A secret written agreement does not invalidate the Maryland public records law [and] does not invalidate due process requirements of giving information to a criminal defendant."


A Hypothetical: All it took was a handshake in the Middle East and we have something far better than sanctions to put pressure on Russia. (It's easy to outmaneuver a country that thinks it does not need to cooperate with anyone.)
Russia has little to offer in oil price war
… Russian wells will freeze if they stop pumping oil, and the country cannot store the output it would otherwise export.
… But despite needing oil prices of $100 a barrel to balance its budget, Russia has changed little since 2008 when the Organization of the Petroleum Exporting Countries urged Moscow to join forces to cut supply to shore up prices.
Then and now, the world's biggest producer lacks the ability to increase or turn down its own production.
… Some experts argue that Russia could even need oil prices as high as $115 to balance the budget, since social and military spending have soared, while Western sanctions over Ukraine have cut off Moscow from funds it borrows in Western financial markets.


“Default is de-stupid way!”
Thousands Of People Worldwide With Home Security Cameras Are Being Spied On By A Russian Website
The UK government has warned that Russian website Insecam is collecting the feeds of thousands of webcams worldwide, allowing any internet user to see into private homes.
The Daily Mail reports that the site works by collecting the feeds of webcams that have either poor or non-existent security.
It's common for people to purchase internet-connected security cameras to monitor their houses and businesses. But what they often don't realise is that the default security settings on those devices can leave them wide open for anyone on the internet to view.


Might be fun to try. What happens if you hit a false positive?
This New Tool Tells You If The Government Is Spying On Your Computer
… Amnesty International released the product today in a fight back against "repressive governments" who are misusing spyware against society.
Detekt scans computers for traces of major spyware and sends alerts to users if something is picked up.


Perhaps learning to “govern data” begins at home? But if your house is “smarter” than you are, your house may flash “12:00,” just like your old VCR.
Wink Connects and Simplifies Your Smart Home
The smart home market is currently full of innovative companies, all working to create the best way to make your home more powerful and more efficient, but they don’t always work together well.
… you can buy the Wink hub, a $50 smart home controller that unifies all of your wireless devices — most of which had no way to communicate with each other before. The hub allows them to “speak the same wireless language,” letting you do some pretty cool things that involve multiple devices (which we’ll get to below). Wink also offers a $300 touchscreen relay controller that replaces a light switch in your home; you can then control all of your connected devices from the single relay point.
… By using the Wink hub to link all of your devices together, you can create sets of actions – a bit like your own private If This Then That system for your home.
One example that Wink gives on its website is having your lights and air conditioning turn on whenever you unlock your front door. In addition to combining these behaviors, you can also set timers for various activities, so the blinds will go up and the kitchen lights will turn on when you get up in the morning.

(Related)
Battle of the Smart Home Hubs: What’s Out There and What’s Coming?


I've been asking my students and they all say, “Save yourself!” The logic will certainly become an issue in any lawsuit.
Google teaches ethics to driverless cars. Can they react better than humans?
A large truck speeding in the opposite direction suddenly veers into your lane.
Jerk the wheel left and smash into a bicyclist?
Swerve right toward a family on foot?
Slam the brakes and brace for head-on impact?
[Force the truck to have 'self-driving' software? Bob]
It's relatively easy to write computer code that directs the car how to respond to a sudden dilemma. The hard part is deciding what that response should be.


Legal arguments – you try explaining them to my students. Think of the poor cellphone user who worries that an ex-wife or the NSA will guess his password, and so sets up security such that the fingerprint confirms that he is the one entering the password. Is the fingerprint protected in that circumstance?
A couple of weeks back, there was a flurry of media coverage of a Virginia state court opinion where the judge granted an order to compel a defendant’s fingerprint to unlock his cellphone while simultaneously denying a request to compel the defendant to turn over his passcode. We requested a copy of the decision from the court, which we’re posting for you today below.
In his opinion, the judge addressed whether a cellphone’s passcode and/or fingerprint authentication are testimonial communication, and thereby covered by the Fifth Amendment’s privilege against self-incrimination. In the end, the judge determined that a defendant “cannot be compelled to ‘divulge through his mental processes’ the passcode for entry” to data on a locked cellphone. Disclosure of the fingerprint, however, “does not require the witness to divulge anything through his mental processes.” As a result, the judge ordered the defendant to provide his fingerprint to unlock his cellphone.


Coming soon to a classroom near me.
How IoT Will Change Big Data Analytics
What do SAS, Cisco, Duke Energy and AT&T have in common? They are all big proponents of the Internet of Things (IoT), also often called the Industrial Internet.
The central idea behind IoT is that sensors and microchips can be placed anywhere and everywhere to create a collective network that connects devices and generates data. Instead of that data sitting in an information silo where it is accessible to only a few specialists, it becomes part of a Big Data "lake" where it can be analyzed in the context of other information.
"The Internet of Things means everything will have an IP address," said Jim Davis, executive vice president and chief marketing officer, SAS.
He laid out the value proposition for oil rigs which generate eight terabytes of data per day. IoT could open the door to greater productivity and more effective predictive maintenance. If something breaks down, it can lead to millions in losses. By placing sensors on rigs and monitoring them, it is possible to better understand what’s happening and keep the equipment running.
Not All IoT Data Is Important
A key challenge with IoT, he believes, is data management: determining what type of data is important, what should be transmitted immediately, what should be stored and for how long, and what information should be discarded. Otherwise, you could end up with an almost infinite pile of data to analyze, when only a relatively small portion is of real importance.
"Some data just needs to be read and thrown away," Khan said.

(Related) ...and here's why we analyze!
Finding the Money in the Internet of Things


For the Security toolkit. (I ask my students to look at articles like this and to their horror they discover that they have security and privacy vulnerabilities. Imagine that.)
5 Best Open Source Web Browser Security Apps
