Sometimes it's a challenge to explain how companies detect a breach. For example, this seems to suggest the hackers took advantage of employees using the same passwords on both secure business and insecure non-business websites.

J.P. Morgan Found Hackers Through Breach of Road-Race Website

J.P. Morgan Chase & Co. discovered one of the biggest known cyber attacks to hit a U.S. bank in part due to a foot race the bank sponsors.

…

because the intruders had used some of the same offshore servers to hack both the bank and the website of the J.P. Morgan Corporate Challenge, according to people familiar with the matter.

…

But the new material also raises fresh concerns about the ability of companies and law-enforcement officials to fend off hackers driven to steal the personal financial details of consumers. Hackers were in the bank’s network for about two months undetected, only revealing themselves because of an apparent slip-up by the hackers and a report by a security vendor in early August.

…

J.P. Morgan and its security vendors discovered the cache included information from the Corporate Challenge website, which is managed by an outside company and isn’t connected to the bank’s network.

The bank says it doesn’t believe that the corporate challenge website was an entry point for hackers into the bank’s servers.

In August, bank executives led by Chief Operating Officer Matt Zames and Chief Information Security Officer Greg Rattray linked the race website breach back to several overseas I.P. addresses. Then they queried J.P. Morgan’s own network logs to see if there had been any communication with those addresses.

There were. The bank discovered that hackers had been in its system since at least June.
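The detection step the article describes, taking indicator addresses learned from one breach and checking them retrospectively against your own connection logs, is worth seeing in code. This is an added example, not code from the article, the bank or its vendors. The log format, the internal addresses and the indicator list are all constructed for the example; 203.0.113.x and 198.51.100.x are documentation address blocks standing in for the "overseas I.P. addresses".

```python
"""Retrospective search of connection logs for known-bad addresses.

Added example (not from the article): indicator IPs recovered from one breach
are checked against a sample of an organisation's own network logs to find
earlier, unnoticed contact and the earliest date it occurred. Log format,
field names and all addresses are constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for the "overseas IPs".
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall/proxy connection records (key=value style).
# Denied connections are kept on purpose: an attempted contact is still a lead.
SAMPLE_LOG = """\
2014-05-30T22:10:04Z src=10.20.30.40 dst=93.184.216.34 dport=443 action=ALLOW
2014-06-03T01:47:52Z src=10.20.30.41 dst=203.0.113.17 dport=443 action=ALLOW
2014-06-03T01:48:10Z src=203.0.113.17 dst=10.20.30.41 dport=22 action=DENY
2014-06-19T04:02:31Z src=10.20.31.7 dst=198.51.100.200 dport=8443 action=ALLOW
2014-07-02T13:55:00Z src=10.20.30.41 dst=203.0.113.17 dport=443 action=ALLOW
2014-07-15T09:00:12Z src=10.20.30.99 dst=8.8.8.8 dport=53 action=ALLOW
this line is malformed and must not crash the parser
"""

# Indicators may be single hosts or whole ranges (constructed, not the bank's).
INDICATORS = ["203.0.113.17", "198.51.100.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_contacts(log_text, indicators):
    """Yield (record, matched_indicator) for every record touching an indicator."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for net in nets:
            if rec["src"] in net or rec["dst"] in net:
                yield rec, str(net)
                break


def summarize(log_text, indicators):
    """Per indicator: hit count and earliest timestamp (the 'since at least' date)."""
    summary = defaultdict(lambda: {"hits": 0, "first_seen": None})
    for rec, ind in find_contacts(log_text, indicators):
        entry = summary[ind]
        entry["hits"] += 1
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return dict(summary)


def earliest_contact(log_text, indicators):
    """Overall earliest contact with any indicator, or None if there was none."""
    firsts = [v["first_seen"] for v in summarize(log_text, indicators).values()]
    return min(firsts) if firsts else None


if __name__ == "__main__":
    for ind, info in sorted(summarize(SAMPLE_LOG, INDICATORS).items()):
        print(f"{ind}: {info['hits']} contacts, first seen {info['first_seen']:%Y-%m-%d}")
    print("intrusion present since at least", earliest_contact(SAMPLE_LOG, INDICATORS))
```

On the sample data the single host shows three contacts starting 2014-06-03 and the /24 one contact on 2014-06-19, so the earliest date is what a bank would report as "in the system since at least June". Checking both the source and destination fields matters: the inbound SSH attempt that was denied is still evidence of the indicator touching the network.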
(Related)

Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions

…

the intrusion at the nation’s largest bank could have gone on for longer if not for a critical discovery by a Milwaukee security consulting firm that helped JPMorgan uncover the full extent of its breach. That firm, Hold Security, uncovered a repository of a billion stolen passwords and usernames that it said had been pilfered by a loose-knit gang of Russian hackers. The hackers, according to the consulting firm, had infiltrated more than 420,000 websites.

…

The criminal database also included the certificate for the website of the Corporate Challenge site’s vendor, Simmco Data Systems, indicating a serious breach that allowed hackers to pose as the race website operator and intercept traffic, such as race participants’ login credentials, said a person briefed on the data the security firm collected.

…

More disturbing, the stolen Simmco Data certificate was first compromised in April, suggesting that the hackers could have begun their attack on the bank at least four months before the bank noticed any unusual activity within its own network.

…

The bank spends $250 million annually on security defense. But after the attack, Jamie Dimon, JPMorgan’s chief executive, said he was considering doubling that amount — an indication of the increasing threat from the attacks. [Spending vast amounts for half-vast security? Bob]
(Related)

Could the same technique be used here? (Yes Bob, it could.) Definitely worth a read.
Feedback Friday: Hackers Infiltrate White House Network - Industry Reactions

…

An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

… Experts have pointed out that while the attackers breached an unclassified network, it doesn't necessarily mean that they haven't gained access to some useful data, even if it's not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.
And I just finished explaining to my Computer Security students that there are three ways you can securely identify people trying to access your systems. 1) by what they know, like a password. 2) by what they have, like a key or dongle. 3) by what they are, like fingerprints, facial recognition, etc. Looks like this ruling wipes out number 3.
Judge Rules Suspect Can Be Required To Unlock Phone With Fingerprint

…

A Virginia Circuit Court judge ruled Tuesday that police officers cannot force criminal suspects to divulge cellphone passwords, but they can force them to unlock the phone with a fingerprint scanner.

If applied by other courts, the ruling could become important as more device makers incorporate fingerprint readers that can be used as alternatives to passwords.

…

The Fifth Amendment to the U.S. Constitution gives people the right to avoid self-incrimination. That includes divulging secret passwords, Judge Steven C. Frucci ruled. But providing fingerprints and other biometric information is considered outside the protection of the Fifth Amendment, the judge said.
If Google says it, it must be true! I may want to add this to my Statistics class.

Google thinks it’s found a way to gather data on people using its products while also protecting their privacy.

…

The project, called the “Randomized Aggregatable Privacy-Preserving Ordinal Response” or RAPPOR, “enables learning statistics about the behavior of users’ software while guaranteeing client privacy,” said Google security researcher Úlfar Erlingsson in a blog post.

RAPPOR uses a trick that randomly sends incorrect data from some users. The false data makes it difficult for Google to identify individual users, while still gathering general information.

Essentially, Google will be able to look at “the forest of client data … without permitting the possibility of looking at individual trees,” according to a paper Google will present on the project at a conference next week.
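The "trick" in the paragraph above is randomized response, and its single-bit form is short enough to show the whole idea: each client flips its answer with known probability before reporting, so one report can be honestly denied, while the aggregator subtracts the known noise to recover the population total. This is an added example, not Google's RAPPOR code. The probabilities p and q, the simulated population and the random seed are constructed values, and the Bloom-filter encoding and second ("permanent") randomization round of the full RAPPOR design are left out.

```python
"""Single-bit randomized response: the mechanism behind RAPPOR's "trick".

Added example, not Google's RAPPOR code. A client whose true bit is 1 reports 1
with probability q; a client whose true bit is 0 reports 1 with probability p.
Any single report is deniable, yet the aggregator can invert the known noise to
estimate how many clients really had a 1. Full RAPPOR also Bloom-filter-encodes
strings and adds a "permanent" randomization round; both are omitted here.
p, q, the population and the seed are constructed values.
"""
import math
import random


def _check(p, q):
    """The estimator divides by (q - p); keep the parameters in a sane range."""
    if not 0.0 < p < q < 1.0:
        raise ValueError("need 0 < p < q < 1")


def randomize_bit(true_bit, p, q, rng):
    """Report 1 with probability q when true_bit is 1, with probability p when 0."""
    _check(p, q)
    return 1 if rng.random() < (q if true_bit else p) else 0


def estimate_true_count(ones_reported, n, p, q):
    """Invert E[ones] = q*t + p*(n - t) to estimate t, the number of true 1s."""
    _check(p, q)
    return (ones_reported - p * n) / (q - p)


def epsilon(p, q):
    """Differential-privacy budget of one report: worst-case log likelihood ratio."""
    _check(p, q)
    return max(math.log(q / p), math.log((1 - p) / (1 - q)))


def posterior_true_given_report(report, prior, p, q):
    """Bayes' rule: how much a single report reveals about that user's true bit."""
    _check(p, q)
    like_1 = q if report else 1 - q  # P(report | true bit = 1)
    like_0 = p if report else 1 - p  # P(report | true bit = 0)
    return prior * like_1 / (prior * like_1 + (1 - prior) * like_0)


def simulate(n, true_fraction, p=0.25, q=0.75, seed=0):
    """Simulate n clients; return (true count, reported ones, estimated count)."""
    rng = random.Random(seed)
    k = int(n * true_fraction)
    true_bits = [1] * k + [0] * (n - k)
    ones = sum(randomize_bit(b, p, q, rng) for b in true_bits)
    return sum(true_bits), ones, estimate_true_count(ones, n, p, q)


if __name__ == "__main__":
    t, ones, est = simulate(10000, 0.3)
    print(f"true 1s: {t}, reported 1s: {ones}, estimate: {est:.0f}")
    print(f"per-report epsilon: {epsilon(0.25, 0.75):.3f}")
    one_report = posterior_true_given_report(1, 0.5, 0.25, 0.75)
    print(f"P(true=1 | one report of 1), prior 0.5: {one_report:.2f}")
```

With p = 0.25 and q = 0.75 a single report of "1" only moves an observer's belief about that user from 50% to 75% (epsilon = ln 3), which is the "individual trees" guarantee, while the estimate over 10,000 simulated clients lands within a few hundred of the true 3,000, which is the "forest". Pushing p and q closer together buys more privacy per report at the cost of a noisier aggregate; that trade-off is the whole design space.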
(Related)

The Google Blog...

…

We believe that RAPPOR has the potential to be applied for a number of different purposes, so we're making it freely available for all to use. We'll continue development of RAPPOR as a standalone open-source project so that anybody can inspect and test its reporting and analysis mechanisms, and help develop the technology. We’ve written up the technical details of RAPPOR in a report that will be published next week at the ACM Conference on Computer and Communications Security.
“It's not a bug, it's a feature!” Just ask any salesman.

Craig Timberg reports:

After security researcher Jeffrey Paul upgraded the operating system on his MacBook Pro last week, he discovered that several of his personal files had found a new home – on the cloud. The computer had saved the files, which Paul thought resided only on his own encrypted hard drive, to a remote server Apple controlled.

“This is unacceptable,” thundered Paul, an American based in Berlin, on his personal blog a few days later. “Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers – across all applications, Apple and otherwise.”

He was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.

Read more on Washington Post.
If Orin Kerr is right, there is a lot we don't know about new types of warrants.

Orin Kerr writes:

The Electronic Frontier Foundation published a report earlier this week alleging an astonishing increase in the use of sneak-and-peek search warrants. Sneak-and-peek searches are sometimes known as “covert searches” or “black bag jobs.” The government breaks into a home, conducts a covert search, and leaves no sign of entry until days or weeks later. According to the EFF report, such searches have become routine in the last few years:

First, the numbers: Law enforcement made 47 sneak-and-peek searches nationwide from September 2001 to April 2003. The 2010 report reveals 3,970 total requests were processed. Within three years that number jumped to 11,129. That’s an increase of over 7,000 requests. Exactly what privacy advocates argued in 2001 is happening: sneak-and-peek warrants are not just being used in exceptional circumstances—which was their original intent—but as an everyday investigative tool.

[...]

Sounds pretty bad, right? Well, not so fast. I fear EFF’s report may just misunderstand the significance of the annual “delayed notice warrant” report published by the Administrative Office of the U.S. Courts (AO). I suspect the numbers don’t mean what EFF thinks they mean.

Read more on WaPo The Volokh Conspiracy.
When does free speech become propaganda? If I give you a forum, is that “material support?”

Over the past several months, there has been increasing focus on terrorist use of social media. In the immediate aftermath of the execution of reporter James Foley by ISIL in July, the State Department acknowledged that, along with the Department of Defense, it reached out to social media sites, specifically Twitter and YouTube, to alert them to accounts posting the execution video and related images in violation of the sites’ “own usage polic[ies].”

…

18 U.S.C. § 2339B, however, could provide the requisite legal authority, assuming the inquiry is limited only to accounts that purport to be or are clearly linked to FTOs (i.e. HSM Press, which is al-Shabaab’s media wing, or Andalus Media, the media wing of al-Qaeda in the Islamic Maghreb). Section 2339B outlaws “knowingly provid[ing] material support or resources to a foreign terrorist organization.”

(Related)

Connecting a post to terrorists isn't going to be easy.

…

The social media giant on Friday announced that it was launching a way for people on Tor, an online network that allows users to navigate the Web anonymously, to check their Facebook accounts. Facebook created a website with a “.onion” domain to allow anonymous Web servers to connect to the social network.

…

“It’s important to us at Facebook to provide methods for people to use our site securely,” Muffett wrote in a Facebook post.
These will look like the sky darkening swarms of passenger pigeons, but they will be much harder to drive to extinction.

Here Come the Swarming Drones

…

Vijay Kumar, and the researchers in his General Robotics, Automation, Sensing, and Perception Lab (GRASP) are developing "swarms" of unmanned aerial vehicles (UAVs) that work in concert. These devices take hundreds of measurements each second, calculating their position in relation to each other, working cooperatively toward particular missions, and just as important, avoiding each other despite moving quickly and in tight formations. Kumar and his colleagues are using intel from Pratt's lab, particularly around how ants communicate and cooperate without any central commander, to make swarming UAVs even more autonomous.
I suspect there will be an entire industry built to mentor and support small businesses. Integration of tools like this will be fundamental as everyone with a mobile device asks, “What should I know about these guys before I do business with them?”

Respond to Reviews Instantly with 'Google My Business' App

Too busy to respond to customer reviews? Google wants to help. For busy business owners who use Google+ Local, there's now an easier way to connect with customers on the go.

Google announced this week new updates to the Google My Business app, which now lets businesses better engage with customers by allowing owners to respond to reviews anytime, anywhere from their mobile devices.

(Related)

Do they all have similar Apps?

5 Influential Review Sites That Matter to Your Reputation
Are we that lonely? That desperate for companionship? That unable to put down the mobile device and talk to a real person?

The Typical Tinder User Spends 77 Minutes Tinding Every Day

…

The average Tinder user spends an astonishing 77 minutes a day on the app, a spokesperson for the company told The Huffington Post. That's a lot of time, especially considering the app moves fast. Users are presented with dating profile after profile, and they swipe left if they're not interested and right if they are. If two people swipe right on each other, they match and connect via the app's chat function.

…

By comparison Instagram users spend an average of 21 minutes a day on the photo-editing and sharing app.

Humor for me.
…

The US Department of Education released the latest version of its “gainful employment” rules this week, pleasing nobody. No longer will career training programs be held accountable for their student loan default rates. They’ll just be judged on graduates’ debt-to-earnings ratios. About 1400 programs, mostly at for-profit schools, will be affected, meaning that if they don't meet these new guidelines, their students will not be eligible for federal financial aid. (More on this over on Educating Modern Learners. Free subscription required.)
…

Stanford University and Dartmouth College issued an apology to Montana voters after a mailer they sent out about candidates on the state’s ballot.

…

The upcoming E-learning and Digital Cultures MOOC has a “teacher bot” that “is programmed to automatically respond to tweets sent to the course hashtag, and designed to offer help and advice, or engage in conversation.” [Automating teachers? Bob]

…

The ACLU and EFF are accusing a Tennessee school district of violating students’ rights with its new policy that “allows school officials to search any electronic devices students bring to campus and to monitor and control what students post on social media sites.”

…

Francis Schmidt, who teaches at Bergen Community College, will not lose his job because of a photo he took of his daughter wearing a Game of Thrones t-shirt saying “I will take what is mine with fire & blood.” The school apparently interpreted this as a threat and in turn put him on leave, made him see a mental health counselor, then threatened him with suspension or termination.
…

MIT’s Les Perelman, one of the leading critics of automated essay graders, writes that “The Educational Test Service (ETS) won’t let me continue to test a product that they are trying to sell to schools and colleges across America. Specifically, the company will not allow me access to the Automated Scoring Engine (AES) unless I agree to let them censor my findings.”

For all my students. (Includes a guide to TOR) Not yet(?) available for download as a PDF or eBook.

Journey Into the Hidden Web: A Guide For New Researchers

Amazing! Scott Adams has been in one of my classes! Must have been!