A new field of study for my Computer Security
students? I'm sure there must be a way to “set up” car
manufacturers for the Class Action lawsuits that will surely follow.
Perhaps a letter asking them to confirm rumors of dangerously weak
security?
What To Do if Your Car Tries to Kill You
The scary news last week was that a couple of guys
demonstrated they could hack
into a Jeep and take control of it. Later, more
details came out that suggested you might want to avoid Chrysler
cars altogether.
The industry appears to be waiting for the first
major catastrophic accident before putting resources into fixing this
problem at the proper level. They are slowly forming
industry groups to look at it -- but at the current rate, their
fix will come long after a lot of us are dead.
Not really related, but my veteran students might
find this amusing.
… Law of cyber warfare practitioners surely
breathed a sigh of relief when they found that only 15 of the 1,176
pages in DOD’s new Law of War Manual addressed cyber warfare. DOD
appears to have concluded that the law in this area is still
developing (or, perhaps, not developing), and that trying to capture
it precisely would lead to the creation of a chapter that would soon
be irrelevant. As a result, the cyber warfare chapter sticks broadly
to the application of the principles of the law of armed conflict to
cyber warfare – although it “inconveniently” introduces
a new legal concept that seems inconsistent with other sections of
the manual.
… The DOD manual discusses the meaning of
cyber attack during armed conflict (in bello), as well. The
definition of attack is important within on-going armed conflicts
because it determines when the principles of the law of armed
conflict apply. The DOD manual notes the term doesn’t encompass
defacing government webpages; briefly disrupting Internet service in
a minor way; briefly disrupting, disabling, or interfering with
communications; or disseminating propaganda. However, the DOD manual
modifies its stance by introducing a unique principle of cyber
warfare – Avoidance of
Unnecessary Inconvenience. “[E]ven if a cyber operation
is not an ‘attack’ or does not cause any injury or damage that
would need to be considered under the proportionality rule, that
cyber operation still should not be conducted in a way that
unnecessarily causes inconvenience to civilians or neutral persons.”
Perhaps the language is just a specific articulation of the
principle of humanity, for example, and is also applicable to kinetic
warfare, but it appears to be new. It’s
not clear that inconvenience has ever been a consideration in
warfare, as emphasized in chapter 5, footnote 306 of the
DOD manual.
Definitely something for my IT Governance students
to analyze. How poor must your security be to take over 6 months to
bring systems back up?
TV5Monde in chaos as data breach costs roll into the millions
TV5Monde was very visibly hacked back
in April when the French news channel, which broadcasts ten
channels in over 200 countries, was downed by hackers who also gained
control of its social media channels.
… At the time, the hack was believed to be the
work of Islamic State sympathisers although later reports from Trend
Micro and others suggest this was a ‘false flag’ operation, conducted
by the APT28/Pawn Storm group, which
is believed to be closely associated with the Russian government.
The attack has been traced back to January 2015
when phishing emails were sent to TV5 Monde journalists. Leaked
documents
suggest German secret services knew about the attack two months
before discovery, while experts, speaking anonymously to
SCMagazineUK.com recently, suggested GCHQ knew about it too.
… “Following the 8 April attack, we are not
allowed to reconnect our services to the Internet network until we
have rebuilt a safer system under ANSSI's [the French agency –
Ed] orders,” he told SC.
… “The attack will cost TV5Monde about €4.5
million in 2015, plus lost commercial revenues which are as yet not
fully known. And the new system will cost us about €2.5million
more each following year.”
The nature of the new
infrastructure was naturally a “very sensitive subject”, said
Bigot only adding that it would build “a much more sophisticated
system which will include an all-round watch to ensure any attack
will be known and dealt with in due time.”
… He added that Sony Pictures Entertainment
took eight weeks to have email, with finance systems so damaged that
financial results had to be postponed.
For my Ethical Hacking and Computer Forensics
students.
Embedded Tweets can be Easily Faked
Another tool for my Ethical Hacking students and a
new “problem” for my Computer Security students. Not easily
implemented, but doable.
And another security bubble or delusion bursts.
Kim Zetter reports:
The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.
But researchers in Israel have devised a new method for stealing data that bypasses all of these protections—using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a “breakthrough” in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.
Read more on Wired.
[From the article:
“[U]nlike some other recent work in this field,
[this attack] exploits components that are virtually guaranteed to be
present on any desktop/server computer and cellular phone,” they
note in their paper.
You should probably get this update.
Android flaw lets hackers break in with a text message
… "Attackers only need your mobile
number, using which they can remotely execute code via a specially
crafted media file delivered via MMS (text message)," Zimperium
Mobile Security said in a blog post.
"A fully weaponized successful attack could
even delete the message before you see it. You will only see the
notification."
Android code dubbed "Stagefright" was at
the heart of the problem, according to Zimperium.
Stagefright automatically pre-loads video snippets
attached to text messages to spare recipients from the annoyance of
waiting to view clips.
Hackers can hide malicious code in video files and
it will be unleashed even if the smartphone user never opens it or
reads the message, according to research by Zimperium's Joshua Drake.
… Stagefright imperils some 95 percent, or an
estimated 950 million, of Android phones, according to the security
firm.
Zimperium said that it reported the problem to
Google and provided the California Internet firm with patches to
prevent breaches.
"Google acted promptly and applied the
patches to internal code branches within 48 hours, but unfortunately
that's only the beginning of what will be a very lengthy process of
update deployment," Zimperium said.
Local. Privacy in Jefferson
County is about making an effort? Succeeding is no longer
important? I read this as taking six months to create a Best
Practices guide, then awarding yourself a “Seal” that protects
nothing.
Doug Hrdlicka reports:
A new partnership between Jeffco Public Schools and 26 other districts
nationwide could lead to more rigid security measures for student data.
For the next six months 27 school districts, working with The Consortium for School Networking, will work toward establishing a nationwide set of standards around student privacy. The end result will be known as the Trusted Learning Environment Seal that public schools can adopt to assure the community that their student’s data is protected.
Read more on Chalkbeat.
Back in 2013, Jeffco caught
flak from parents over joining up with inBloom. The board
eventually cut
ties with inBloom, leading the state education department to end
its contract with the provider.
[From the article:
The TLE Seal is not a cloud option for districts
to securely store their data, but rather, a stamp of approval for
taking precautions to protect student data.
Currently, Jeffco officials spend
up to four weeks [Strange
wording. Surely it does not take that long to read a contract.
Perhaps they try working through a backlog within four weeks? Bob]
screening any software, free or paid for, for language that allows
teachers and officials to share student information. The district
has created a list of approved programs and cloud services.
“The TLE Seal is one more step in our process to
ensure that Jeffco Public Schools is implementing best practices for
protecting student and staff data,” said McMinimee.
At the end of the six months schools will be able
to implement the TLE Seal to ensure the protection of their students’
data.
This is going to be amusing. Like granting a
Power of Attorney without the paperwork. Might be a fun hack though.
Facebook's 'legacy contact' feature goes live in the UK allowing users to appoint digital heirs
Earlier this year, Facebook announced it
would be creating a feature called "legacy contacts".
This meant that any of the 35
million UK Facebook users would be able to appoint a friend or
loved one to maintain their social media account after they die.
As of today, the feature is now live in the UK -
meaning you can appoint your social media heir today. If you want
your account to be deleted upon your death, you can flick that switch
too - although someone will still need to inform Facebook that you've
moved on.
… Anyone nominated as a legacy contact will be
able to write a post that's displayed at the top of the profile and
change profile images on the page.
They will even be allowed to accept or refuse new
friend requests on behalf of the deceased.
The online executor will however not be able to
edit what the deceased already posted, what friends continue to post
on the page, or remove tagged images. Nor will they be able to
delete the account.
This is big.
Google AdSense Publishers Must Now Obtain EU Visitors’ Consent Before Collecting Data
Google has announced
a change to its user
consent policy which will affect website publishers using Google
products and services, including Google AdSense, DoubleClick for
Publishers and DoubleClick Ad Exchange, as well as those whose sites or
apps have visitors arriving from the European Union. Under the new
policy, publishers will have to obtain EU end users’ consent before
storing or accessing their data, says Google.
The change, which is in direct response to the
EU’s cookie compliance regulations, follows the arrival of the
Google-published website called CookieChoices,
spotted
earlier this month. That site was launched with the intention of
helping digital publishers obtain tools and access other resources
that will aid in their obligations to obtain user consent, Google
noted at the time.
These tools include code that website publishers
can use to inform visitors about their cookies, as well as those that
can be used to directly obtain consent, like splash screens,
notification bars, or one-time, pop-up alerts that can be used on
mobile apps.
… Google is applying this to its own services,
while also challenging publishers to comply with the updated policy
by a September 30th, 2015 deadline, according to an email sent out
about the change. In addition, this policy will also affect those
with
iOS or Android applications who will have to show a message to
app users upon first launch.
Microsoft is shifting to a nickel & dime
business plan?
Want to remove the ads from Solitaire in Windows 10? That'll be $1.49 a month
Microsoft is once again bundling Solitaire with
Windows, but if you want an ad-free experience then that's going to
cost you.
Amazon wants to be the “everything store.”
Amazon launches music streaming service in the UK
Amazon has entered the UK streaming market with
the launch of Prime Music, a new service available to Amazon Prime
customers as part of their annual £79 subscription.
Prime Music will provide access to more than one
million songs and about 500 specially created playlists.
Amazon's answer to Spotify, Deezer and Google Play
follows the launch of Apple Music and Jay-Z's Tidal this year.
However, there are some big holes in the Amazon
Prime catalogue.
The likes of Amy Winehouse, Abba, Katy Perry,
Kanye West and Eminem - all part of the Universal Music Group - are
unavailable at launch.
Huh. And I thought it went back before Attila the
Hun.
The Evolution of Modern Terrorism
… One hundred years before 9/11, terrorism was
present in America. Given this history with terrorism, I will discuss
the roots of modern terrorism, the scholarly perspective on the
evolution of terrorism, and the importance of understanding the
motivations and strategies of terrorists.
… UCLA political science professor, David
Rapoport, writes that the French Revolution “introduced terror to
our vocabulary.” Rapoport writes extensively about how modern
terrorism has evolved through four waves.
The Four Waves of Modern Terrorism
Rapoport’s writing, The
Four Waves of Modern Terrorism (PDF), looks at
specific time periods that can be categorized into specific phases
precipitated by events. These waves are:
- Anarchist Wave
- Anticolonial Wave
- New Left Wave
- Religious Wave
Perspective. The report is yours for a mere
£3970.
38 billion IoT devices will be deployed by 2020
According to recent research data by Juniper
Research, the world will see a 285 per cent increase in the Internet
of Things (IoT) devices by the end of 2020, which will mean 38
billion more devices.
The surprising fact about this increment is that
most of the growth in these devices will be coming from business
sectors such as smart grids, smart buildings, etc. and not the usual
headline grabbing ‘smart home’ devices.
… According to V3,
the Juniper analyst told them that all the businesses that are
embracing this new change of IoT must make sure that they have the
right systems in place to use the reams of additional data that they
will be gathering.
[The Juniper report: The Internet of Things: Consumer, Industrial & Public Services 2015-2020 report.
Perspective. What would Walter Cronkite say?
Evolving Role of News on Twitter and Facebook
by Sabrina I. Pacifici on Jul 27, 2015
Pew Research Center: “The share of Americans for
whom Twitter and Facebook serve as a source of news is continuing to
rise. This rise comes primarily from more current users encountering
news there rather than large increases in the user base overall,
according to findings from a new survey. The report also finds that
users turn to each of these prominent social networks to fulfill
different types of information needs. The new
study, conducted by Pew Research Center in association with the
John S. and James L. Knight Foundation, finds that clear majorities
of Twitter (63%) and Facebook users (63%) now say each platform
serves as a source for news about events and issues outside the realm
of friends and family. That share has increased substantially from
2013, when about half of users (52% of Twitter users, 47% of
Facebook users) said they got news from the social platforms.
Although both social networks have the same portion of users getting
news on these sites, there are significant differences in their
potential news distribution strengths. The proportion of users who
say they follow breaking news on Twitter, for example, is nearly
twice as high as those who say they do so on Facebook (59% vs. 31%) –
lending support, perhaps, to the
view that Twitter’s great strength is providing as-it-happens
coverage and commentary on live events.”
A handout for our CS & IT students?
Learn with Coding Projects: 9 Udemy Courses for The Beginner Programmer
Includes some LinkedIn tips.
Hidden Features For Your Favorite Social Networks
Check out the infographic below for a look at some
features for Facebook, Twitter, Google+, and LinkedIn that you
probably aren’t using.
Via Salesforce.com
A little suggestion based on Big Data? Take every
advantage you can.
The Science of the Perfect LinkedIn Photo
… As TIME put it recently:
“Choosing an exemplary photo just got more involved: new research suggests looking at least a ‘little’ happy in your picture will make you appear more trustworthy to prospective employers.”