Apparently, “thinking” has been banned at Sony. Follows “managing” into the dumpster.
Sony May Have Succumbed to DDoS Temptation
Sony has used Amazon Web Services to launch Distributed Denial of Service attacks on sites carrying files stolen from its network, according to Re/code.
…
Amazon reportedly issued a statement to Re/code denying the claim, but the language it used was vague: "The activity being reported is not currently happening on AWS."
…
NSA director Admiral Michael Rogers earlier this year warned against revenge hacking at a cybersecurity event hosted by the United States Chamber of Commerce.
The abundance of cloud infrastructure for hire makes it easier to launch DDoS attacks, Incapsula's Gaffan said, adding that it "wouldn't be hard for Sony to hire some serious power to initiate these attacks."
(Related)
Dribs and drabs. It's how you keep the hack on the front page.
Steve Ragan reports:
In a breach notification letter sent to employees this week, Sony Pictures outlines the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday.
[…]
“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”
So HIPAA protections were supposed to be in place for some data, and this breach should be reported to HHS.
Read more on CSO.
Sony’s notification to SPE employees is available on the web site of the California Attorney General’s Office (pdf).
[From the CSO article:
The group claims to have spent more than a year accessing Sony's network, and has been leaking batches of internal documents and communications since November 26. To date, the group has leaked more than 200GB of data, including pre-release movies, executive emails, sales and marketing data, and nearly everything from human resources.
…
While not mentioned in the letter directly, the leaked data also included criminal background checks, offer letters (salary and job details), and records related to personnel reviews and opinions within HR.
A copy of the breach notification letter is here.]
(Related)
Covering up more than just emails trading snarky comments about “stars.”
Thomas Fox-Brewster reports yet another Sony breach that was disclosed in the hackers’ email dump. Prior to the Brazil breach in February 2014 (also revealed in corporate emails and also not disclosed publicly by Sony at the time), there was apparently an incident involving their German web site in January:
… An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site.
The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birthdates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker.
On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly.
Read more about this incident and Sony’s response to it on Forbes.
And this is exactly the kind of newsworthy reporting that this blogger thinks is justified, despite Sony’s semi-threatening warning to media outlets about using or disseminating the hacked material.
For my Computer Security students. “Told ya!”
Small Business Leaders Turn a Blind Eye to Data Risks
Most small and midsized businesses (SMBs) are swimming in financial data, but not all of them take steps to safeguard it, according to the 2014 State of Risk report (registration required) from Chicago-based IT security services provider Trustwave.
The company surveyed 476 IT and security professionals, three-quarters of which work at SMBs (up to 1,000 employees).
…
Forty-five percent of businesses reported that their board or senior management plays only a partial role in data security. Nine percent said there was no involvement from higher-ups at all.
Small businesses struggle to track and control sensitive data, with 63 percent of respondents reporting they lack effective tools and procedures. Nineteen percent don't even bother.
…
Seventy-one percent of respondents said they store and process intellectual property, while 58 percent revealed that they handle sensitive business-to-business data, all of which make tempting targets. "Theft of non-payment data has skyrocketed," said Rosenberg. "The market for these types of information has grown," giving hackers an incentive to grab information that has little, if anything, to do with cash.
What would it take to move beyond “Best Practices” to “So obvious, even really bad managers insist on it?” This paper seems to suggest that anything disclosed about a breach would be entirely new. My guess is that 99% of breaches could have been prevented, detected almost immediately, or drastically reduced in scope if adequate risk analysis followed by implementation of “generally accepted” security practices had occurred. (Where would the owners of the T. J. Hooper have been able to find that a “Marine Radio” could save them a barge full of money?)
Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis
CRS – Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis. N. Eric Weiss, Specialist in Financial Economics. December 11, 2014.
“Data breaches, such as those at Target, Home Depot, Neiman Marcus, and JPMorgan Chase, affecting financial records of tens of millions of households seem to occur regularly. Companies typically respond by trying to increase their cybersecurity by hiring consultants and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information. Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving useful information to their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called “free riding” by economists, may discourage firms from sharing. In addition, the information shared may not be applicable to those receiving it, or it might be difficult to apply. Because firms are reluctant to share information, other firms suffer from vulnerabilities that could be corrected. Further, by not sharing information about effective cybersecurity products and techniques, the size and quality of the market for cybersecurity products suffer. Some industry leaders call for mandatory sharing of information concerning attacks. Other experts advocate a strictly voluntary approach, because they believe it could impose fewer regulatory costs on businesses and cost less for taxpayers. Several bills have been introduced in the 113th Congress to encourage information sharing. H.R. 624, the Cyber Intelligence Sharing and Protection Act, and S. 2588, the Cybersecurity Information Sharing Act of 2014, aim to increase information sharing by directing the Department of Homeland Security and the Department of Justice to develop procedures for receiving and sharing information and by providing liability protection for private entities acting in good faith for a cybersecurity purpose. H.R. 624 passed the House, and S. 2588 was reported out of the Senate Select Committee on Intelligence.”
This is in Canada. It would never, ever happen here. Would it?
Dan Dicks reports:
Merging medical information with your drivers license information. It’s all about increased concentration in this North American Union. Dan Dicks of Press For Truth talks to Kelly Scott Kolodiazny, a medical cannabis user who renewed his drivers license only to find his medical marihuana ID planted on the drivers’ license card. He can’t get answers as to why his drivers abstract now has his medical information.
Read more on Press for Truth.
If the Internet were a country, could we extradite data? Because if a company is constantly moving data from data center to data center (country to country) to balance the workload of its “Cloud servers,” we will need a way to grab it when necessary. (Or we could just ask the NSA to send us a copy.)
Hanni Fakhoury writes:
Microsoft has been battling with the federal government over the Department of Justice’s high profile attempt to get access to emails stored abroad in Ireland for the better part of 2014. The US government has claimed a US warrant is sufficient to get emails even when stored in another country, while Microsoft has resisted, arguing the US warrant power does not reach that far. The case has made business rivals into temporary allies and forced Ireland’s Minister for Foreign Affairs and Data Protection to ask the European Commission to formally support Microsoft.
Today we joined the Brennan Center for Justice, the ACLU, and The Constitution Project in a new amicus brief filed in the Second Circuit Court of Appeals supporting Microsoft. We warn the appeals court that two pieces of faulty logic in the lower court’s reasoning could have dangerous implications for digital privacy.
Read more on EFF.
Too big to fail? Perhaps Putin's ego is...
Russia has more problems than low oil prices
The ruble plunged by about 12% Monday, meaning it's lost nearly 50% against the dollar this year. Early Tuesday in Russia, the central bank hiked its key interest rate for a sixth time this year to 17% from 10.5%.
A double-whammy of collapsing oil prices and Western sanctions is driving up inflation. Cash is flooding out of the country and the risk that some Russian companies may default is increasing.
…
President Vladimir Putin has already ordered government departments to cut their budgets by 5%, and more cuts could follow. Defense and national security has so far been spared the ax -- Russia is pumping trillions of rubles into modernizing its military.
Visit museums without leaving your recliner... Or at least avoiding Washington.
Freer and Sackler Galleries to Release Complete Digitized Collection Jan. 1, 2015
News release: “The Freer Gallery of Art and Arthur M. Sackler Gallery, the Smithsonian’s museums of Asian art, will release their entire collections online Jan. 1, 2015, providing unprecedented access to one of the world’s most important holdings of Asian and American art. The vast majority of the 40,000 artworks have never before been seen by the public, and more than 90 percent of the images will be in high resolution and without copyright restrictions for noncommercial use. The Freer and Sackler galleries are the first Smithsonian and the only Asian art museums to digitize and release their entire collections, and in so doing join just a handful of museums in the U.S. “We’re poised at a digital tipping point, and the nature of what it means to be a museum is changing,” said Julian Raby, the Dame Jillian Sackler Director of the Arthur M. Sackler Gallery and Freer Gallery of Art.
…
In addition, some of the most popular images will also be available for download as free computer, smartphone and social media backgrounds.
(Related)
5 Sources To View Digitized Historical Collections
For my students to find that “perfect image.”
Seven Alternatives to Google Image Search - Comparison Chart
On a fairly regular basis I am asked for recommendations for alternatives to Google Image search. I've published lists of alternatives in the past. This chart is designed to provide a quick overview and comparison of good sources of images for students' slideshows and other multimedia projects. You can download the chart through the Box.com widget below or grab a Google Docs copy here.
Actually may be more than I really wanted to know about Wikipedia. But it does remind me that I wanted to create/claim a few pages. When they look up “(it's a secret)” my face will be there looking back at them. Dovetails with my plan to have students write their own textbook.
Everything You Need To Know About Wikipedia And More
…
Wikipedia is an online encyclopedia in which anybody can start a page, or edit one, on any subject. The page is then examined by an editor who decides whether or not the page stays.
For my students who are learning to program.
The new interim guidelines made available on Monday attempt to clarify when the office will grant patents on software ideas and when those patent applications will be denied for simply translating an abstract idea onto a computer.
For my students practicing their English.
Duolingo - The Most Downloaded Educational Android App of 2014
Last week Google revealed the most downloaded apps, games, movies, albums, and books of the year on Google Play. Duolingo was at the top of the education category for apps.
Duolingo is a free service designed to help students learn Spanish, English, French, Italian, Irish, Dutch, Danish, German, and Portuguese. The service can be used in your web browser, as an iOS app, and obviously as an Android app.
To learn a new language on Duolingo you read, listen to, and translate words and phrases. For example if I want to learn Spanish I'll be shown Spanish words with translations. I can hear the words pronounced too. Then to practice I type and/or speak translations. The activities start out with simple words and phrases. As I become more proficient, Duolingo gives me more challenging phrases.