Wednesday, October 28, 2015

Why bother? Perhaps to distract the security folks while they try to infect the computers of anyone who could influence the court's opinion? Just saying.
Jason Healey and Anni Piiparinen report:
Attribution for cyberattacks is said to be notoriously difficult, but sometimes context and timing are damning evidence.
In July, the Permanent Court of Arbitration in The Hague conducted a hearing on the territorial dispute in the South China Sea between the Philippines and China. On the third day of the hearing, the Court’s website was suddenly knocked offline. The attack, made public by Bloomberg last week, reportedly originated from China and infected the page with malware, leaving anyone interested in the landmark legal case at risk of data theft.
Read more on The Diplomat.




Update: “Yes we failed to keep to our (privacy policy) contract with you, but that is a “real” contract. We think of this as 'shooting the rats as they abandon ship.'”
From the if-they-have-a-PR-firm-are-they-even-listening-to-them dept:
TalkTalk is becoming the poster child for poor PR and how NOT to respond after a data breach.
In today’s installment, the BBC reports that the firm will only waive contract termination fees if the customer has had money stolen from them.
“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees,” the company said on its website.


(Related)
From Out-Law.com:
The Information Commissioner’s Office (ICO) in the UK cannot force companies to pay compensation to consumers affected by a data breach, the watchdog has confirmed.
On Monday, the UK’s culture minister Ed Vaizey told MPs in the House of Commons that it would be “a matter for the Information Commissioner’s Office and TalkTalk to decide on any appropriate levels of compensation” due to customers in relation to the data breach experienced by the telecoms provider.
Read more on Out-Law.com.




Perhaps he misunderstands (deliberately?). The idea is, “the best defense is a good offense,” not, “The best defense is an indefensible, attention-grabbing rant.” Please excuse me while I go on my own rant.
CIA Chief 'Outraged' by Personal Email Hack
CIA chief John Brennan said Tuesday he was "outraged" that hackers broke into his personal email account, and faulted the media for its coverage of the incident. [Remember, we're talking one 15 year old... I'd say he is embarrassed to have been beaten so easily. Bob]
"I was certainly concerned about what people might try to do with that information," [But not enough to adequately secure it. Bob] he told a conference on national security in Washington, criticizing the media for "giving air to what is criminal activity." [“How dare they tell everyone how incompetent I am!” Bob]
"Because of some things that were put out, the implication of the reporting was that I was doing something wrong or inappropriate or in violation of my security responsibility, which was not certainly the case," he said. [In actuality, merely stupid. Bob]




To arms, Privacy advocates! Meet me at the skeet range for practice. No doubt Colorado's “make my day” law will cover me too. (Digest Item #1)
Is it Legal to Shoot Down Drones?
It may now be legal to shoot a drone out of the sky. At least in certain cases. This is according to Judge Rebecca Ward of the Bullitt County District Court, who recently dismissed all the charges against the so-called “Drone Slayer”. The question really is whether the drone is invading your privacy, which is where ambiguity over the lawfulness of shooting at drones still exists.
According to Ars Technica, Judge Ward has dismissed all charges against William Meredith, a man from Kentucky who shot a drone down because it was hovering over his property. Meredith was initially charged with firing his gun within city limits, and David Boggs, the owner and pilot of the drone was none too happy to have it shot down.
The question over whether this drone was invading Meredith’s privacy came down to its proximity to the property. Boggs claims the drone was flying 200 feet above the ground, and claims to have video evidence of this. Meredith claims the drone was flying “below the tree line,” and called three witnesses who testified on his behalf.
Boggs is planning to file a civil lawsuit, but the verdict in this case could be used as a precedent in cases where drones get shot down by gun-toting citizens concerned for their safety. While the shooter won out on this occasion, there is still a huge legal gray area hovering over the issue of drone technology. So please don’t take our headline as a call to arms. [Too late. Bob]




For my Computer Security students. 95% are deliberately less secure?
What's the Disconnect with Strict Transport Security?
Even the average Joe is starting to understand that encryption is important. If Joe doesn’t use HTTPS, an attacker can see or hijack his browser session. Session hijacking isn’t a theoretical threat: Over 5 years ago (an eternity in the #infosec world), Eric Butler released the Firesheep session hijacking tool and used Facebook as a target example. Sitting in a coffee shop, an attacker could use Firesheep to steal Joe’s Facebook session cookie and then “own” Joe’s account. Butler’s Firesheep website makes it clear: “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”
Network administrators and architects certainly got the hint. Facebook went all-HTTPS shortly after. So did Twitter. Netflix is even talking about going all-HTTPS. Yay for encryption! Instagram made the mistake of initially encrypting only their login page. When talk of an “Instasheep” tool surfaced they, too, switched to all-HTTPS.
That’s why it’s so puzzling that adoption rate of HTTP Strict Transport Security (HSTS) remains so low at only 4.7 percent.
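The gap the article describes is between a site that serves HTTPS and a site that tells browsers to insist on HTTPS (HSTS) and marks its session cookie so it is never sent in the clear. Both are visible in a site's own response headers, so the check is cheap to automate. The following Python is an added example, not code from the article or from Firesheep's author; the two sample responses are constructed, and the "at least one year" threshold for max-age is a common recommendation (and the hstspreload.org minimum) rather than part of RFC 6797 itself.

```python
"""Check response headers for HSTS and cookie transport hygiene.

Added illustration (not part of the original post). Sample responses are
constructed; the ONE_YEAR threshold is an assumed recommended value.
"""

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this for preload


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive per RFC 6797; values stay strings.
    Valueless directives such as includeSubDomains map to "".
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_headers(headers):
    """Return a list of findings for a mapping of header name -> list of values.

    A list is used because Set-Cookie may legitimately repeat. Header names
    are matched case-insensitively. An empty list means no finding.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts_values = lower.get("strict-transport-security", [])
    if not hsts_values:
        findings.append("no HSTS header: the browser will still follow plain-http links to this host")
    else:
        d = parse_hsts(hsts_values[0])
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = None
        if max_age is None:
            findings.append("HSTS max-age missing or invalid: browsers ignore the header")
        elif max_age == 0:
            findings.append("HSTS max-age=0: this clears the policy instead of enforcing it")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age}s is short; a year or more is the usual recommendation")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains can still be reached over http")

    for cookie in lower.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it is sent over plain http, which is what session-sniffing tools collect")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by script on the page")
    return findings


# Constructed sample responses: an "encrypted but not strict" site and a hardened one.
WEAK_RESPONSE = {
    "Content-Type": ["text/html"],
    "Set-Cookie": ["session=abc123; Path=/"],
}
HARDENED_RESPONSE = {
    "Content-Type": ["text/html"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains; preload"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, evaluate_headers(resp) or ["ok"])
```

Run against live headers (for example the dict produced by `requests.get(url).headers` after converting each value to a one-item list, or `raw.getlist("Set-Cookie")` when cookies repeat), the function turns the article's 4.7 percent figure into a per-site yes/no. The weak sample produces three findings; the hardened one produces none.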


(Related) Encryption is everywhere.
Sean Lawless of Robinson & Cole writes:
With the release of Android 6.0, code name Marshmallow, Google has mandated that OEMs (Original Equipment Manufacturers) enable full disk encryption. Google is requiring that the feature be enabled as part of the ‘out of box experience’ for customers setting up new mobile devices. Google previously attempted to do the same for Android 5.0, code name Lollipop, but due to performance issues on some manufacturers’ devices, eased their requirement. Regarding Android 6.0, even if the customer skips setting the secure lockscreen, the device will encrypt using a default PIN.
Apple has mandated partial or full disk encryption since iOS version 8.
Read more on JDSupra.




Also for my Computer Security students. This seems to support my opinion that it may not be smart to look for cheap “breach prevention” jobs, but rather to look for the “now that you've been breached” jobs. They pay better and you'll never want for work.
The Harsh Truth of the Cybersecurity Talent Gap
Everyone is talking about the shortage in security talent. Literally, everyone. It’s not for naught though, when you look at the sheer volume of open positions out there. We must have a talent shortage, right?
I believe that somewhere beneath the hype and panic the answer is yes. But there is a harsh truth that very few people are willing to talk about. First and foremost, the talent shortage is largely self-created by an IT industry’s desire to find cheap labor by offshoring work. Second, the people in the current labor pool often are mismanaged, are not in the most appropriate roles and/or are not being supported properly. Let me explain.




Something for my Ethical Hacking students to consider. We will need to identify any system that has been hacked (modified from its “off the shelf” configuration) in order to assign liability. If I was a software provider, I would want to build this in as protection. Better: Collect all the hacks and see if they improve my product!
DMCA Ruling Ensures You Can't Be Sued For Hacking Your Car, Your Games Or Your iPhone
There was a big win for the digital rights community today, with a ruling that ensured it was legal for anyone to tinker with their motor, their iPhone or whatever technology they’d purchased. But the freedoms will only last for three years, when the fight between anti-tinkering corporations and activists will resume, absent any major legislative changes.
Prior to today’s decision by the Librarian of Congress, car manufacturers, the most vocal being General Motors, had attempted to block an exemption, the proposed Class 21 in the Digital Millennium Copyright Act (DMCA), that would allow anyone to play with the code that ran on vehicles they’d bought.
… Supporters of Class 21, however, argued that researchers needed access to vehicles’ code to uncover potential vulnerabilities and that anyone who paid for a product should be able to alter it how they wished. Cars have become increasingly connected in recent years, providing more functionality but opening up potential weaknesses that could be exposed by malicious hackers. Tinkerers also see the added connectivity as an avenue for modification.
… And, following months of protest from the Electronic Frontier Foundation (EFF), the security research community, benevolent hackers and scores of other activists, the final decision was to pass the exemption. A separate decision to renew a previous exemption for jailbreaking iPhones and other mobile devices was also granted. Another ruling meant computer game enthusiasts could modify their games to continue playing them even after support was killed off.




What is it about “Things?” Interesting article, worth a read.
Why the Internet of Things is about the Identity of Everything
While Gartner says 4.9 billion connected things are already in use, that actually means that 99.4 percent of things are still not connected. But that doesn’t really matter much because Internet of Things is a buzzword, trend, and hashtag with staying power, and it has “thing” manufacturers rushing to companies like Qipp to use their ALLTHINGS Platform to find ways to connect.
Qipp founder Stefan Zanetti, when speaking at an APIcon (the full video is at the end of the article), says that after more than a decade of research into connected things—years before it even had a name—manufacturers are flocking to him to ask “When can I connect this?” whether it’s a bike or a shoe or a guitar or even chewing gum.
“And that was really the point when we said: OK, guys, what do you really want with a connected product? You make good products but why would you want to connect them to the Internet of Things?
Zanetti and his team found the same answer across the board: “They’re producing really cool stuff and they lose contact with the data when they ship the products,” as it goes into the hands of the distributer or third-party retailer.


(Related) Why manufacturers might want to communicate with my tires. (A reason not mentioned in the article above.)
NTSB: Tire recalls need overhaul
The National Transportation Safety Board said Tuesday the U.S. system for tire registration is ineffective and called for mandatory tire registration, saying that at least 500 crash deaths a year are linked to tire problems.
Unlike car recalls, tire recalls face many problems. Independent tire dealers are not required to register tires on buyers’ behalf — and tire makers can’t contact those drivers if their tires need to be recalled.




For my Statistics students. Probably not enough to make the subject cool for everyone, but it might get them thinking that statistics does have some value.
Jordan, Cuban, Leonsis Put Millions on Sports Betting's Future
Drawn in large part by the “inevitable” legalization of sports betting in the U.S., NBA owners Michael Jordan, Mark Cuban, and Ted Leonsis are investing millions of dollars into Sportradar AG, a sports data company that counts global bookmakers among its top customers.
… "Overseas, gaming and fraud detection have been perfected. [Really? Bob] So now that they’ve come to the U.S., I just felt they were just so well-positioned," Leonsis said in an interview. Unregulated gambling on the NFL is well over $100 billion, Leonsis estimated, and the amount of money at stake makes it "probably an inevitability" that sports betting will be legalized in the U.S. Sportradar’s "experience is going to translate and augur well here because we’re years behind."
… Unlike the NFL, which takes a hard line against sports betting, the NBA has been warming to the idea of legalized gambling on games. NBA Commissioner Adam Silver has said betting on American professional sports is inevitable and that the league would eventually profit from movements in states like New Jersey to legalize sports betting. Silver said betting makes fans more engaged in the games, similar to the effect of fantasy sports.




Cute idea, but it might make finding that rarely used folder easier. Of course, I could also make my own icon.
How to Individualize Folder Icons in Windows with Custom Images




I read SciFi all the time; technology and business less often; textbooks too often.
The Ultimate 50 Ways to Find New Books to Read

