Once upon a time, we would roll tanks to the
border to express our annoyance. What is the Cyberspace equivalent?
Cyberspace Becomes Second Front in Russia’s Clash With NATO
… Along with reported computer breaches of a
French TV network and the White House, a number of attacks now being
attributed to Russian hackers and some not previously disclosed have
riveted intelligence officials as relations with Russia have
deteriorated. These targets include the Polish stock market, the
U.S. House of Representatives, a German steel plant that suffered
severe damage and The New York Times.
U.S. officials worry that any attempt by the
Russian government to use vulnerabilities in critical infrastructure
like global stock exchanges, power grids and airports as pressure
points against the West could lead to a broader conflict...
I think we need to create a Best Practices guide
for organizations (and their lawyers).
Andrew Sadauskas reports:
In the immediate aftermath of a security breach, companies should ensure they don’t use weasel words and have in place strong internal communications and clearly-defined staff guidelines, according to Atlassian head of security intelligence Daniel Grzelak.
Read more at ITNews.
Why? Because I actually agree with pretty much everything he
advises, and if more companies took his advice, there’d be a lot
less snark on my blog. [and
on mine! Bob]
(Related) But this is not always possible.
Consider hiding it in other news like Target did by announcing their
breach on the day President Obama was inaugurated. It almost worked!
Christopher Escobedo Hart writes that a
well-handled breach can actually improve a company’s bottom line.
A recent study goes a step further, suggesting that if handled well a data breach can actually help the bottom line. This counter-intuitive conclusion, conducted by Sebastian Gay at the University of Chicago, is based on data from breaches occurring between 2005-2014. The paper finds that “firms manage to avoid the full negative effect of a privacy breach event disclosure by releasing on the same day an abnormal amount of positive news to the market.” In other words, sometimes companies have maintained a store of “good news” that they bundle together and release at around the same time that they disclose a data breach, which not only offsets the negative effect of the bad news of a data breach, but actually increases the bottom line.
Read more on Foley, Hoag Security,
Privacy and the Law.
See? It's not just Hillary, it's anyone who is
computer illiterate.
From the
yeah-this-probably-needs-to-be-investigated
dept.:
Hillary Rodham Clinton’s e-mail scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a stoner high-school student who claims to have hacked into them.
CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.
Other e-mails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.
Read more of this report by Philip Messing, Jamie
Schram and Bruce Golding on NY
Post.
The twitter accounts being used to disclose the
hack, @phphax (“Cracka”) and @_CWA_ are still online this
morning, as are files purporting to be Brennan’s email contact list
and call logs of Avril Haines, the White House Deputy National
Security Advisor.
Assuming, for now, that these reports are
accurate, I’m not sure what this will do to the brouhaha over
Clinton’s private email server.
[From
the Post article:
… The FBI and other federal agencies are now
investigating the hacker, with one source saying criminal charges are
possible, law enforcement sources said.
“I think they’ll want to make an example out
of him to deter people from doing this in the future,” said a
source who described the situation as “just wild” and “crazy.”
“I can’t believe he did this to the head of
the CIA,’’ the source added. “[The]
problem with these older-generation guys is that they don’t know
anything about cybersecurity, and as you can see, it can be
problematic.”
Confusing. How will they differentiate between
“nation-state” and “teenager working for a nation-state?” Is
this a small/medium/huge problem?
Facebook to Warn Users of State Sponsored Attacks
According
to the social network, users will be informed on any suspected
compromise from an attacker believed to be working on behalf of a
nation-state. The company is already monitoring accounts for
potentially malicious activity while offering users the possibility
to proactively secure their accounts, and the new security measure is
building on this foundation.
In addition to a warning on the possible malicious activity, Facebook
will provide users with the possibility to turn on Login Approvals,
which would ensure that third parties cannot log in to a user’s
account. As soon as the account is accessed from a new device or
browser, the user receives a security code on the phone, so that only
they can log in.
Alex Stamos, Chief Security Officer at Facebook, explains in a blog
post that the warnings are not being sent out because Facebook's
platform or systems have been compromised, but because the user’s computer
or mobile device might have been infected with malware.
Interesting. I can neither confirm nor deny...
Mathematically, this might not be as difficult as you might think.
How is NSA breaking so much crypto?
There have been rumors for years that the NSA can
decrypt a significant fraction of encrypted Internet traffic. In
2012, James Bamford published an
article quoting anonymous former NSA officials stating that the
agency had achieved a “computing breakthrough” that gave them
“the ability to crack current public encryption.” The Snowden
documents also hint at some extraordinary capabilities: they show
that NSA has built extensive infrastructure to intercept and decrypt
VPN traffic and suggest that the agency can decrypt at least some
HTTPS and SSH connections on demand.
However, the documents do not explain how
these breakthroughs work, and speculation about possible backdoors or
broken algorithms has been rampant in the technical community.
Yesterday at ACM CCS, one of the leading security research venues, we
and twelve coauthors presented a
paper that we think solves this technical mystery.
… For the nerds in the audience, here’s
what’s wrong: If a client and server are speaking Diffie-Hellman,
they first need to agree on a large prime number with a particular
form. There seemed to be no reason why everyone couldn’t just use
the same prime, and, in fact, many applications tend to use
standardized or hard-coded primes. But
there was a very important detail that got lost in translation
between the mathematicians and the practitioners: an adversary can
perform a single enormous computation to “crack” a particular
prime, then easily break any individual connection that uses that
prime.
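To make the "single enormous computation, then cheap per-connection breaks" structure concrete, here is an added toy example (my code, not the paper's or its authors'). The real attack uses the number field sieve against 512- and 1024-bit primes; this stand-in uses baby-step giant-step on a deliberately tiny prime, 2^31 - 1 with generator 7, both chosen here as assumptions so it runs in about a second. The shape is the same: the expensive table depends only on (p, g), and every Diffie-Hellman exchange that reuses that prime is then broken by a passive observer with a fraction of the work.

```python
import math
import secrets

# Toy "standardized" group. 2**31 - 1 is prime and 7 is a primitive root of it;
# real deployments use 1024-bit or larger primes. These constants are an
# assumption made for this example, not values from the paper.
P = 2**31 - 1
G = 7


def precompute(p, g):
    """The one-time, per-prime work (the role NFS precomputation plays in the paper).

    Builds the baby-step table g^0, g^1, ..., g^(m-1) mod p with m ~ sqrt(p).
    Nothing here depends on any particular connection, only on (p, g).
    """
    m = math.isqrt(p - 2) + 1            # m*m >= p-1, so any x = i*m + j is covered
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(pow(g, m, p), p - 2, p)  # g^(-m) mod p via Fermat (p is prime)
    return {"p": p, "g": g, "m": m, "baby": baby, "giant": giant}


def discrete_log(pre, h):
    """Per-connection work: recover x with g^x = h (mod p) using the table."""
    p, m, baby, giant = pre["p"], pre["m"], pre["baby"], pre["giant"]
    gamma = h % p
    for i in range(m):
        j = baby.get(gamma)              # is h * g^(-i*m) one of the baby steps?
        if j is not None:
            return (i * m + j) % (p - 1)
        gamma = gamma * giant % p
    raise ValueError("h is not a power of g")


def dh_keypair(p, g):
    """One side of a Diffie-Hellman exchange: (private exponent, public value)."""
    x = secrets.randbelow(p - 2) + 1     # 1 <= x <= p-2
    return x, pow(g, x, p)


def passive_attack(pre, A, B):
    """What an eavesdropper computes from the two public values alone."""
    a = discrete_log(pre, A)             # cheap once the table exists
    return pow(B, a, pre["p"])


def break_many(pre, n):
    """Attack n independent exchanges that all share (p, g); returns how many broke."""
    p, g = pre["p"], pre["g"]
    broken = 0
    for _ in range(n):
        a, A = dh_keypair(p, g)
        b, B = dh_keypair(p, g)
        shared = pow(B, a, p)            # what the two honest parties derive
        if passive_attack(pre, A, B) == shared:
            broken += 1
    return broken


if __name__ == "__main__":
    table = precompute(P, G)             # done once per prime
    print("connections broken:", break_many(table, 5), "of 5")
```

The defence the paper's authors recommend follows directly from the shape of this code: a prime that is unique to your deployment (or, better, elliptic-curve groups) forces the attacker to repeat the `precompute` step for you alone, which is exactly the cost a shared, hard-coded prime lets them amortise across everyone.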
“As long as you are volunteering that data, you
won't mind if we copy it into our criminal database, right?” Have
we paid for DNA testing or have we agreed to add our DNA to their
database forever?
When companies like Ancestry.com and 23andMe first
invited people to send in their DNA for genealogy tracing and medical
diagnostic tests, privacy advocates warned
about the creation of giant genetic databases that might one day be
used against participants by law enforcement. DNA, after all, can be
a key to solving crimes. It “has serious information about you and
your family,” genetic privacy advocate Jeremy Gruber told me back
in
2010 when such services were just getting popular.
Now, five years later, when 23andMe
and Ancestry
both have over a million customers, those warnings are looking
prescient. “Your relative’s DNA could turn you into a suspect,”
warns Wired,
writing about a case from earlier this year, in which New Orleans
filmmaker Michael Usry became a suspect in an
unsolved murder case after cops did a familial genetic search
using semen collected in 1996. The cops searched an Ancestry.com
database and got a familial match to a saliva sample Usry’s father
had given years earlier. Usry was ultimately determined to be
innocent and the Electronic Frontier Foundation called it a “wild
goose chase” that demonstrated “the very real threats to
privacy and civil liberties posed by law enforcement access to
private genetic databases.”
… As NYU law professor Erin Murphy told the
New
Orleans Advocate regarding the Usry case, gathering DNA
information is “a series of totally reasonable steps by law
enforcement.” If you’re a cop trying to solve a crime, and you
have DNA at your disposal, you’re going to want to use it to
further your investigation. But the fact that your signing up for
23andMe or Ancestry.com means that you and all of your current and
future family members could become genetic criminal suspects is not
something most users probably have in mind when trying to find out
where their ancestors came from.
“It has this really Orwellian state feeling to
it,” Murphy said to the Advocate.
If the idea of investigators poking through your
DNA freaks you out, both Ancestry.com
and 23andMe have options to delete your information with the sites.
23andMe says it will delete information within 30 days upon request.
This could cause a few problems. Imagine schools
introducing technology that does a good job teaching students but
fails to meet the state's standards. They buy the technology and
then most of their students won't use it.
Rich Lord reports:
The homework assignments, essays, musings and instant messages today’s students are entering into educational websites and applications would be subject to new data privacy standards under legislation introduced today in Harrisburg.
State Rep. Dan Miller, D-Mt. Lebanon, and Tedd Nesbit, R-Grove City, have introduced two bills that would stop short of outlawing controversial data practices, but would require that districts inform parents if they use technology that doesn’t meet the standards, and allow students to opt out.
Read more on Government
Technology.
[From
the article:
Nearly two-thirds of the districts could show no
process for vetting the privacy policies of education technology
vendors. Only
eight systems could show that they were training teachers to protect
student data.
Most of the vendors had no provision for deleting
unneeded student data or protecting it in a corporate acquisition or
bankruptcy sale, and only a tiny minority pledged to notify schools
in the event of a data breach.
I don't see this as a problem for quite some time.
(Except for TV game shows)
The End of Expertise
… Talk to people in such professional service
industries as private banking, auditing, consulting, even
engineering, and you begin to hear concerns about the commoditization
of professional knowledge.
… Increasingly, tax preparation is being
automated, and even auditing is going the way of algorithmic review
and big data “sweeps” instead of sampling. Artificial
intelligence is writing much of the content that you’re reading
(although not this!), and Jancis Robinson, the wine expert and
writer, recently wrote that she has “gone
from being a unique provider of information to having to fight for
attention.”
Interesting blog post. I've been looking for a follow-up to Paul David's “The
Dynamo and the Computer.” I think this might be it. Interesting
read anyway.
The Deployment Age
A couple of weeks ago James Gross, co-founder of
Percolate, had me speak at their
Transition conference.
I talked about Carlota Perez, her theories, and the transition to
the deployment period that we are currently undergoing. The talk, as
I remember it, (plus some stuff I had to cut for time) is below.
I’ve also added some additional material as sidenotes.
Perez’
theory describes the path a technological revolution, like the
Industrial Revolution, takes and the social, economic and
institutional changes that go along with it. The jury is
still out on the theory, and there are plenty of reasons to doubt it.
But if it successfully predicts what happens over the next ten years
it will have in good part proved its power.
[Paul
David's paper:
http://www.researchgate.net/publication/4724731_The_Dynamo_and_the_Computer_An_Historical_Perspective_on_Modern_Productivity_Paradox
Do you think this will upset my Computer Security
students?
Google is recording your voice and questions
by Sabrina
I. Pacifici on Oct 18, 2015
“Google searches are like a stream of
consciousness. We plug every idle curiosity, every thought, and
every question into the search engine. Google has always kept
careful record of these searches, which helps sell ads. But Google
also keeps an audio log of the questions you ask its voice search
function, OK Google, and now you can listen to those recordings
online. Back in June, Google launched a new portal for all Google
account-related activities. It’s where you can manage your privacy
settings, see what you’ve searched for, and where Google has logged
your location. The Guardian pointed
out Oct. 12 that these archives include a section for voice
searches, and it’s a little unnerving to listen to every silly
thing you’ve asked since the service launched…”
- Note to self and others – everything you say and do via digital devices is collected – by various organizations for reasons ranging from marketing to surveillance. We have automatically been opted-out of “privacy.” And it is always a good idea to seek the assistance of a Librarian – in person is a bonus – we listen to and respond to questions on a mind boggling range of issues, with expertise, and without an agenda.
For my Math students.
The 20 Websites You Need to Learn Math Step by Step