Friday, April 17, 2015

Won't Sony be pleased. It's not bad enough that the hackers have your data, now consider the risk if everyone has your data.
Wikileaks has published the complete Sony leaks in a searchable database
Today, Wikileaks published a database of all of the data leaked from Sony Pictures in last year's hack, comprising 173,132 emails and 30,287 separate documents. The documents contain private legal opinions as well as sensitive conversations between executives, many of which were the subject of reports in the wake of the hack. "This archive shows the inner workings of an influential multinational corporation," WikiLeaks founder Julian Assange said in a statement. "It is newsworthy and at the centre of a geo-political conflict. [Did I miss something? I'd categorize the North Korea kerfuffle as business as usual. Bob] It belongs in the public domain. WikiLeaks will ensure it stays there."




For my Computer Security students. Plan, to avoid being caught in this trap!
The Rise of Cyber Extortion
Cyber extortions have taken on multiple forms, all focused on data – encrypting data and holding it hostage, stealing data and threatening exposure, and denying access to data:
Ransomware
Denial-of-service attacks
Holding sensitive data hostage
Holding AWS accounts hostage
As long as companies continue to pay ransoms when attacked, we should expect cyber extortion to continue in 2015.




Any country could pose a threat. The trick is knowing if you can handle it.
Iran Poses Growing Cyber Threat to US: Study
Iran poses a growing threat to America's computer networks and has launched increasingly sophisticated digital attacks and spying on US targets, according to a new report released Thursday.
Iran's far-reaching hacking efforts indicate the regime is searching for vulnerable infrastructure that could be hit in future cyber assaults, said the study by private cyber security company Norse and the American Enterprise Institute think tank.
The study cited data from a network of millions of sensors set up by Norse. The sensors are designed to look like real websites or other computer systems -- for banks or power plants -- that might attract the interest of a hacker.
The data showed Iran was staging cyber assaults and probes from inside Iran as well as outside the country.




For my Ethical Hacking students. A downside of the Internet of Things You Don't Actually Own Yet.
Troy Wilde reports:
Nevada lawmakers are considering legislation that would allow lenders to remotely shut off a person’s vehicle if he or she is a borrower late with their loan payment.
Assembly Bill 228 authorizes a person who finances the sale or lease of a motor vehicle to install a device which can be used to remotely locate or disable it.
Read more on Public News Service. The bill already passed committee and will likely be voted on by the full Assembly in the next few days.
And yeah, what could possibly go wrong?




Another example of “Think before you Tweet!” Not everyone shares your sense of humor.
Really, FBI, I know you’re under heavy criticism and all, but you need to lighten up sometimes.
Within 5 minutes of security expert Chris Roberts (@sidragon1) lightheartedly tweeting on a plane:
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ?
Rafał Łoś (@RafalLos) jokingly responded:
…aaaaaand you’re in jail.
Nine hours later, we learned that Rafal Los’s prediction was amazingly close to what happened, as Chris tweeted:
and you are right….. 4 hours of discussions and I now no longer have any electronics
Not surprisingly, Chris declined to provide his decryption keys. As of this morning, he is still without his electronics and the feds have yet to provide a warrant.
Fox News has a write-up on the incident, here.
[From the article:
Chris Roberts of the Colorado-based One World Labs, a security intelligence firm that identifies risks before they're exploited, said two FBI agents and two uniformed police officers pulled him off a United Airlines Boeing 737-800 commercial flight Wednesday night just after it landed in Syracuse, and spent the next four hours questioning him about cyberhacking of planes.
… Wednesday night, FBI agents confiscated Roberts’ numerous electronic devices and computer files including his laptop and thumb drives and demanded he give them access to his data. They wanted to forensically image his laptop, but it is a company-owned asset with client information, research and intellectual property, some of which is sensitive in nature and encrypted.
So after consulting with his CEO, Roberts told the agents they would need a warrant, something they still have not presented.
… “You have one element in the FBI reaching out to people like me for help, but another element doing a hell of a job burning those bridges,” Roberts said.




For my Ethical Hacking students.
Andy Greenberg reports:
Hackers have for years bought and sold their secrets in a de facto gray market for zero-day exploits—intrusion techniques for which no software patch exists. Now a new marketplace hopes to formalize that digital arms trade in a setting where it could flourish: under the cover of the Dark Web’s anonymity protections.
Over the last month, a darknet marketplace calling itself TheRealDeal Market has emerged; it focuses on brokering hackers’ zero-day attack methods. Like the Silk Road and its online black market successors, TheRealDeal uses the anonymity software Tor and the digital currency bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal’s creators say they’re looking to broker premium hacker data like highly sought-after zero-days, source code, and hacking services. In some cases, these are offered on an exclusive, one-time sale basis.
Read more on Wired.




The debate continues. So, when should a smartphone search be allowed?
Johanna Miller, the advocacy director for the New York Civil Liberties Union, writes:
A student’s cell phone isn’t a wallet or hairbrush. Its contents can be as personal as a diary.
In a Texas school district, for example, a teacher seized a student’s phone and searched her text-message history, discovering a private nude photograph she had sent to a friend. The teacher then shared the phone with the school district police officer.
And to make matters worse, the student got in trouble — she was suspended for 30 days because of “incorrigible behavior.”
In New York City, it’s a relief that the Michael Bloomberg-era ban on cell phones in city schools is over. For nearly a decade, the ban imposed needless burdens on kids and parents and served as an unnecessary flashpoint for confrontation between students and school staff.
But now that Mayor de Blasio is finally allowing city schools to catch up to the reality of the digital age, horror stories like the one in Texas show privacy protections for students must catch up in tandem.
Read more on the NY Daily News. Miller outlines some good suggests for setting standards and policies. Significantly, she rightly points out that constitutional rights do not vary from school to school and it should not be up to individual schools to decide under what conditions they can search a student’s cellphone.


(Related) A change of tune... (“It is wrong” would be sufficient.)
Dave Madsen reports:
WILBRAHAM, Mass (WGGB) — Protecting a student’s right to privacy. The Hampden Wilbraham Regional School Committee saying no to giving the company that oversees PARCC testing access to student’s (sic) social media accounts.
School committee members taking a stand for student’s rights to privacy. In a letter to the Massachusetts department of elementary and secondary education, Marc Ducey, chair of the regional school committee says, “It violated their privacy and is a slap in the face to our test proctors who are diligent in ensuring the test environment is protected. It is wrong.”
Read more on WGGB.




For my Disaster Recovery students.
RUMOUR: the Bloomberg outage was caused by a spilled can of Coke
Bloomberg terminals went down for nearly two and half hours on Friday and the cause is yet to be officially confirmed.
However, a source that works in the markets told Business Insider that the current rumour circulating around Bloomberg's London newsroom and television studio is that it was caused by "someone spilling a can of coke on a server somewhere."




A little light reading for my Data Management students. You know haw to gather data, how do you push it back out?
10 Tactics for Launching a Product Using Social Media




Should I be using this? I think it would just be redundant but it might be a fun way to spring “Pop Homework” on my students: “Read this article and write a short paper describing how their security failed. See you tomorrow!”
WhatsDue - Schedule and Send Reminders to Students
WhatsDue is a free service (available for Android and iOS) that enables teachers to create and send due date reminders to their students. Students receive the reminders as push notifications on their iOS and or Android devices.
Here's how WhatsDue works. First, the teacher registers for a free account on the WhatsDue website and creates a class or classes. Each class is assigned its own unique join code. Teachers then invite students and parents to join the class through the join code. Once students have joined the class they will begin receiving due date reminders on their mobile devices.
Teachers can create multiple classes and schedule multiple reminders for each class from one dashboard on the WhatsDue website. Students opening WhatsDue on their iPhones or Android phones will see reminders of approaching due dates and past due dates.
If you have been leery of using other reminder systems because of privacy concerns with phone numbers or two-way communication, WhatsDue might be for you. It doesn't require phone numbers and it doesn't have two-way communication. It also allows students to be reminded of assignments on a schedule that works for them. For example, they can set the app to remind them of assignments a day before or a couple of hours before an assignment is due.


No comments: