A very interesting version of the Sony hack. Consider: It is much
harder to hide your penetration activity in a low volume of target
data. Most of your “penetration” has to be via devices (and
their logs) that the target does not have access to. Still, I find
it difficult to believe the North Koreans are both “incredibly
careful” and “sloppy” at the same time.
The
trail that led American officials to blame North
Korea for the destructive cyberattack on Sony Pictures
Entertainment in November winds back to 2010, when the National
Security Agency scrambled to break into the computer systems of a
country considered one of the most impenetrable targets on earth.
Spurred
by growing concern about North Korea’s maturing capabilities, the
American spy agency drilled into the Chinese networks that connect
North Korea to the outside world, picked through connections in
Malaysia favored by North Korean hackers and penetrated directly into
the North with the help of South Korea and other American allies,
according to former United States and foreign officials, computer
experts later briefed on the operations and a
newly disclosed N.S.A. document.
…
The extensive American penetration of the North Korean system also
raises questions about why the United States was not able to alert
Sony as the attacks took shape last fall, even though the North had
warned, as early as June, that the release of the movie “The
Interview,” a crude comedy about a C.I.A. plot to assassinate the
North’s leader, would be “an act of war.”
…
Only in retrospect did investigators determine that the North had
stolen the “credentials” of a Sony systems administrator, which
allowed the hackers to roam freely inside Sony’s systems.
In
recent weeks, investigators have concluded that the hackers spent
more than two months, from mid-September to mid-November, mapping
Sony’s computer systems, identifying critical files and planning
how to destroy computers and servers.
“They
were incredibly careful, and patient,” said one person
briefed on the investigation.
…
Mr. Comey told the same Fordham conference that the
North Koreans got “sloppy” in hiding their tracks, and
that hackers periodically “connected directly and we could see
them.”
…
The skeptics say, however, that it would not be that difficult for
hackers who wanted to appear to be North Korean to fake their
whereabouts. Mr. Comey said there was other evidence he could not
discuss.
(Related)
This isn't (or at least should not be) news, but I'll toss it in as
a reminder.
The Digital Arms Race: NSA Preps America for Future Battle
Spiegel Online – The NSA’s mass surveillance is just the beginning. Documents from
Edward Snowden show that the intelligence agency is arming America
for future digital wars — a struggle for control of the Internet
that is already well underway, by Jacob Appelbaum, Aaron Gibson,
Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel
Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer, January
17, 2015.
“According
to top secret documents from the archive of NSA whistleblower Edward
Snowden seen exclusively by SPIEGEL, they are planning for wars of
the future in which the Internet will play a critical role, with the
aim of being able to use the net to paralyze computer networks and,
by doing so, potentially all the infrastructure they control,
including power and water supplies, factories, airports or the flow
of money… The US Army, Navy, Marines and Air Force have already
established their own cyber forces, but it is the NSA, also
officially a military agency, that is taking the lead. It’s no
coincidence that the director of the NSA also serves as the head of
the US Cyber Command. The country’s leading data spy, Admiral
Michael Rogers, is also its chief cyber warrior and his close to
40,000 employees are responsible for both digital spying and
destructive network attack. One NSA presentation proclaims that “the
next major conflict will start in cyberspace.” To that end, the US
government is currently undertaking a massive effort to digitally arm
itself for network warfare. For the 2013 secret intelligence budget,
the NSA projected it would need around $1 billion in order to
increase the strength of its computer network attack operations. The
budget included an increase of some $32 million for “unconventional
solutions” alone.”
I
have my own “war stories” along this line. My solution was to
call internal audit departments rather than the top brass. These are
the guys who will have to investigate the claim in any case, might as
well start them with all the data.
I
haven’t kept strict statistics, but in general, most entities that
I try to notify of a breach fail to respond at all. Others may
respond that they’re looking into claimed hacks, but then fail to
get back to me with a definitive answer or statement.
Here’s
another case in point:
On
January 10, I emailed the Commissioner
of Insurance for Kansas, as well as the ks.gov contact, webmaster
for their site, and one other.
In
my email, I pointed them to a claimed hack that had been posted on
#TeamCarbonic’s web site at
http://yourattorney.nl/dumps/kansins.txt
The
data that had been dumped included residents complaining about auto
insurance rate hikes due to credit score rating and how unfair that
seemed. Some of the residents complaining included personal
information as well as their contact details, such as the individual
who noted his wife had been in a coma for two years.
As
breaches go, this was not a huge one. There were no SSN in the data
dump and no financial account information. But there was personal
information such as names, postal and email addresses, phone numbers,
and their experience with insurance rate hikes. There was also other
kinds of financial information in another database.
Did
the Commissioner of Insurance’s office respond to the notification
from this site? Did any of those cc’d on the notification respond
to the notification?
No,
they did not.
Did
they investigate and do anything?
We
have no clue.
This
does not inspire confidence, does it?
Perspective.
How will this change the world?
http://www.cnbc.com/id/102348346?__source=google|editorspicks|&par=google&google_editors_picks=true#.
Janjuah on 2015: Oil at $30; bonds to go crazy
If
you thought 2014 was volatile, hold on to your hats this year as the
price of oil could hit $30 a barrel and the bond markets will
outperform, according to Bob Janjuah, a closely-watched strategist
from Nomura Securities.
…
On Monday morning, benchmark Brent crude futures were trading at
$50.06 per barrel and U.S. crude was trading at $48.47 a barrel.
Last week, oil prices dropped to around $45 a barrel – near
six-year lows – but prices rebounded Friday after the International
Energy Agency said that there were signs "the tide will turn"
in the oil market.
…
Janjuah believed that Saudi Arabia – the leading member of OPEC --
would be content to maintain that pressure on the U.S. along with
other major oil producers such as Russia.
For
my Students. Both the Data Management and the Business Intelligence
classes should find a way to use this infographic in their projects.
(Very strong hint here students)
Will This New Internet of Things Platform Justify Intel Corporation's $8.6 Billion Security Tech Buyout Binge?
Intel
spent $880 million on embedded
systems specialist Wind River in 2009. Two years later, the chip
giant picked up security software veteran McAfee for another $7.7
billion.
This
multibillion-dollar buyout binge didn't
make much sense at the time. But behind the scenes, Intel had a
plan. The company recently presented a brand-new Internet
of Things platform that might justify those princely buyout sums
-- and then some.
http://www.intel.com/content/www/us/en/internet-of-things/infographics/iot-platform-infographic.html
As
Intel's handy infographic above shows, the Internet of Things
consists of several connected parts. There are devices collecting
data in the field, systems that store and manage the information
flow, and number-crunching servers or workstations where you extract
business decisions or personal benefits from the whole process. In
many cases, the information flows both ways, and everything is
networked together into a larger system.
At
least two of these process blocks -- data collection and
management/storage -- are often exposed to the wide-open Internet.
That crucial ability to
gather data from anywhere and analyze it with tools that would never
fit in a wristwatch is what gives the Internet of Things much of its
power.
Perspective.
Sears is using tablets to scan bar codes and allow customers to sign
with a finger. This is the same idea but uses smartphones which
every small business should have.
PayPal Here EMV Reader Coming to Small Business
PayPal
announced this week that its mobile credit card processing system,
PayPal
Here, will soon include support for EMV (chip-and-pin) credit and
debit cards. PayPal also announced that it will make the PayPal Here
SDK available on Windows mobile devices.
Here's
what we know so far about PayPal Here's upcoming changes and how they
will affect your business. [27
Ways to Accept Mobile Payments]
For
my Math students.
Top 10 Mathematics Websites
An
updated version – always a work in progress – but these are sites
I use for my teaching to help my students learn. A new format, so
the presentation is more complete in itself. If you would like a
copy of the presentation: Top
10 Mathematics Websites 2015
[Also available on:
http://www.slideshare.net/ColleenYoung/top-10-mathematics-wesites?ref=https://colleenyoung.wordpress.com/2015/01/18/top-10-mathematics-websites-3/]
Dilbert
perfectly illustrates our perception of managers.