Why bother? Perhaps to distract the security folks while they try to infect the computers of anyone who could influence the court's opinion? Just saying.
Jason Healey and Anni Piiparinen report:
Attribution for cyberattacks is said to be notoriously difficult, but sometimes context and timing are damning evidence.
In July, the Permanent Court of Arbitration in The Hague conducted a hearing on the territorial dispute in the South China Sea between the Philippines and China. On the third day of the hearing, the Court’s website was suddenly knocked offline. The attack, made public by Bloomberg last week, reportedly originated from China and infected the page with malware, leaving anyone interested in the landmark legal case at risk of data theft.
Read more on The Diplomat.
Update: “Yes we failed to keep to our (privacy policy) contract with you, but that is a “real” contract. We think of this as 'shooting the rats as they abandon ship.'”
From the if-they-have-a-PR-firm-are-they-even-listening-to-them dept:
TalkTalk is becoming the poster child for poor PR and how NOT to respond after a data breach.
In today’s installment, the BBC reports that the firm will only waive contract termination fees if the customer has had money stolen from them.
“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees,” the company said on its website.
(Related)
From Out-Law.com:
The Information Commissioner’s Office (ICO) in the UK cannot force companies to pay compensation to consumers affected by a data breach, the watchdog has confirmed.
On Monday, the UK’s culture minister Ed Vaizey told MPs in the House of Commons that it would be “a matter for the Information Commissioner’s Office and TalkTalk to decide on any appropriate levels of compensation” due to customers in relation to the data breach experienced by the telecoms provider.
Read more on Out-Law.com.
Perhaps he misunderstands (deliberately?). The idea is, “the best defense is a good offense,” not, “The best defense is an indefensible, attention grabbing rant.” Please excuse me while I go on my own rant.
CIA Chief 'Outraged' by Personal Email Hack
CIA chief John Brennan said Tuesday he was "outraged" that hackers broke into his personal email account, and faulted the media for its coverage of the incident.
[Remember, we're talking one 15-year-old... I'd say he is embarrassed to have been beaten so easily. Bob]
… "I was certainly concerned about what people might try to do with that information," [But not enough to adequately secure it. Bob] he told a conference on national security in Washington, criticizing the media for "giving air to what is criminal activity." [“How dare they tell everyone how incompetent I am!” Bob]
… "Because of some things that were put out, the implication of the reporting was that I was doing something wrong or inappropriate or in violation of my security responsibility, which was not certainly the case," he said. [In actuality, merely stupid. Bob]
To arms, Privacy advocates! Meet me at the skeet range for practice. No doubt Colorado's “make my day” law will cover me too. (Digest Item #1)
Is it Legal to Shoot Down Drones?
It may now be legal to shoot a drone out of the sky. At least in certain cases. This is according to Judge Rebecca Ward of the Bullitt County District Court, who recently dismissed all the charges against the so-called “Drone Slayer”. The question really is whether the drone is invading your privacy, which is where ambiguity over the lawfulness of shooting at drones still exists.
According to Ars Technica, Judge Ward has dismissed all charges against William Meredith, a man from Kentucky who shot a drone down because it was hovering over his property. Meredith was initially charged with firing his gun within city limits, and David Boggs, the owner and pilot of the drone, was none too happy to have it shot down.
The question over whether this drone was invading Meredith’s privacy came down to its proximity to the property. Boggs claims the drone was flying 200 feet above the ground, and claims to have video evidence of this. Meredith claims the drone was flying “below the tree line,” and called three witnesses who testified on his behalf.
Boggs is planning to file a civil lawsuit, but the verdict in this case could be used as a precedent in cases where drones get shot down by gun-toting citizens concerned for their safety. While the shooter won out on this occasion, there is still a huge legal gray area hovering over the issue of drone technology. So please don’t take our headline as a call to arms. [Too late. Bob]
For my Computer Security students. 95% are deliberately less secure?
What's the Disconnect with Strict Transport Security?
Even the average Joe is starting to understand that encryption is important. If Joe doesn’t use HTTPS, an attacker can see or hijack his browser session. Session hijacking isn’t a theoretical threat: Over 5 years ago (an eternity in the #infosec world), Eric Butler released the Firesheep session hijacking tool and used Facebook as a target example. Sitting in a coffee shop, an attacker could use Firesheep to steal Joe’s Facebook session cookie and then “own” Joe’s account. Butler’s Firesheep website makes it clear: “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”
Network administrators and architects certainly got the hint. Facebook went all-HTTPS shortly after. So did Twitter. Netflix is even talking about going all-HTTPS. Yay for encryption! Instagram made the mistake of initially encrypting only their login page. When talk of an “Instasheep” tool surfaced they, too, switched to all-HTTPS.
That’s why it’s so puzzling that adoption rate of HTTP Strict Transport Security (HSTS) remains so low at only 4.7 percent.
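The two controls the excerpt above is really about are the HSTS header (which stops the browser from ever sending a plain-HTTP request to the site) and the Secure flag on the session cookie (which stops the cookie from leaving the browser in the clear, the thing Firesheep relied on). The following is an added example, not code from the article, that audits both from response headers; the sample headers and the one-year minimum are constructed assumptions.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # assumed minimum max-age for a sound policy

def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into its directives.
    RFC 6797 syntax: directives separated by ';', names case-insensitive,
    optional quoted values (e.g. max-age="600")."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def audit_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return findings for an HSTS header; an empty list means it is sound."""
    if header is None:
        return ["no HSTS header: browser keeps accepting plain HTTP for this host"]
    d = parse_hsts(header)
    findings: List[str] = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or non-numeric: browsers ignore the header")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 deletes any cached policy")
    elif int(d["max-age"]) < min_age:
        findings.append(f"max-age={d['max-age']} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomain cookies can still leak over HTTP")
    if "preload" not in d:
        findings.append("preload missing: first visit still starts over plain HTTP")
    return findings

def audit_cookie(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie value that a Firesheep-style sniffer could capture."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("cookie lacks Secure: sent in clear on any http:// request")
    if "httponly" not in attrs:
        findings.append("cookie lacks HttpOnly: readable by page scripts")
    return findings

if __name__ == "__main__":  # constructed sample headers
    print(audit_hsts("max-age=300"))
    print(audit_cookie("session=abc123; Path=/; HttpOnly"))
```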
(Related)
Encryption is everywhere.
Sean Lawless of Robinson & Cole writes:
With the release of Android 6.0, code name Marshmallow, Google has mandated that OEMs (Original Equipment Manufacturers) enable full disk encryption. Google is requiring that the feature be enabled as part of the ‘out of box experience’ for customers setting up new mobile devices. Google previously attempted to do the same for Android 5.0, code name Lollipop, but due to performance issues on some manufacturer’s devices, eased their requirement. Regarding Android 6.0, even if the customer skips setting the secure lockscreen, the device will encrypt using a default PIN.
Apple has mandated partial or full disk encryption since iOS version 8.
Read more on JDSupra.
Also for my Computer Security students. This seems to support my opinion that it may not be smart to look for cheap “breach prevention” jobs, rather look for the “now that you've been breached” jobs. They pay better and you'll never want for work.
The Harsh Truth of the Cybersecurity Talent Gap
Everyone is talking about the shortage in security talent. Literally, everyone. It’s not for naught though, when you look at the sheer volume of open positions out there. We must have a talent shortage, right?
I believe that somewhere beneath the hype and panic the answer is yes. But there is a harsh truth that very few people are willing to talk about. First and foremost, the talent shortage is largely self-created by an IT industry’s desire to find cheap labor by offshoring work. Second, the people in the current labor pool often are mismanaged, are not in the most appropriate roles and/or are not being supported properly. Let me explain.
Something for my Ethical Hacking students to consider. We will need to identify any system that has been hacked (modified from its “off the shelf” configuration) in order to assign liability. If I was a software provider, I would want to build this in as protection. Better: Collect all the hacks and see if they improve my product!
DMCA Ruling Ensures You Can't Be Sued For Hacking Your Car, Your Games Or Your iPhone
There was a big win for the digital rights community today, with a ruling that ensured it was legal for anyone to tinker with their motor, their iPhone or whatever technology they’d purchased. But the freedoms will only last for three years, when the fight between anti-tinkering corporations and activists will resume, absent any major legislative changes.
Prior to today’s decision by the Librarian of Congress, car manufacturers, the most vocal being General Motors, had attempted to block an exemption, the proposed Class 21 in the Digital Millennium Copyright Act (DMCA), that would allow anyone to play with the code that ran on vehicles they’d bought.
… Supporters of Class 21, however, argued that researchers needed access to vehicles’ code to uncover potential vulnerabilities and that anyone who paid for a product should be able to alter it how they wished. Cars have become increasingly connected in recent years, providing more functionality but opening up potential weaknesses that could be exposed by malicious hackers. Tinkerers also see the added connectivity as an avenue for modification.
… And, following months of protest from the Electronic Frontier Foundation (EFF), the security research community, benevolent hackers and scores of other activists, the final decision was to pass the exemption. A separate decision to renew a previous exemption for jailbreaking iPhones and other mobile devices was also granted. Another ruling meant computer game enthusiasts could modify their games to continue playing them even after support was killed off.
What is it about “Things?” Interesting article, worth a read.
Why the Internet of Things is about the Identity of Everything
While Gartner says 4.9 billion connected things are already in use, that actually means that 99.4 percent of things are still not connected. But that doesn’t really matter much because Internet of Things is a buzzword, trend, and hashtag with staying power, and it has “thing” manufacturers rushing to companies like Qipp to use their ALLTHINGS Platform to find ways to connect.
Qipp founder Stefan Zanetti, when speaking at an APIcon (the full video is at the end of the article), says that after more than a decade of research into connected things—years before it even had a name—manufacturers are flocking to him to ask “When can I connect this?” whether it’s a bike or a shoe or a guitar or even chewing gum.
“And that was really the point when we said: OK, guys, what do you really want with a connected product? You make good products but why would you want to connect them to the Internet of Things?”
Zanetti and his team found the same answer across the board: “They’re producing really cool stuff and they lose contact with the data when they ship the products,” as it goes into the hands of the distributor or third-party retailer.
(Related) Why manufacturers might want to communicate with my tires. (A reason not mentioned in the article above.)
NTSB: Tire recalls need overhaul
The National Transportation Safety Board said Tuesday the U.S. system for tire registration is ineffective and called for mandatory tire registration, saying that at least 500 crash deaths a year are linked to tire problems.
Unlike car recalls, tire recalls face many problems. Independent tire dealers are not required to register tires on buyers’ behalf — and tire makers can’t contact those drivers if their tires need to be recalled.
For my Statistics students. Probably not enough to make the subject cool for everyone, but it might get them thinking that statistics does have some value.
Jordan, Cuban, Leonsis Put Millions on Sports Betting's Future
Drawn in large part by the “inevitable” legalization of sports betting in the U.S., NBA owners Michael Jordan, Mark Cuban, and Ted Leonsis are investing millions of dollars into Sportradar AG, a sports data company that counts global bookmakers among its top customers.
… "Overseas, gaming and fraud detection have been perfected. [Really? Bob] So now that they’ve come to the U.S., I just felt they were just so well-positioned," Leonsis said in an interview. Unregulated gambling on the NFL is well over $100 billion, Leonsis estimated, and the amount of money at stake makes it "probably an inevitability" that sports betting will be legalized in the U.S. Sportradar’s "experience is going to translate and augur well here because we’re years behind."
… Unlike the NFL, which takes a hard line against sports betting, the NBA has been warming to the idea of legalized gambling on games. NBA Commissioner Adam Silver has said betting on American professional sports is inevitable and that the league would eventually profit from movements in states like New Jersey to legalize sports betting. Silver said betting makes fans more engaged in the games, similar to the effect of fantasy sports.
Cute idea, but it might make finding that rarely used folder easier. Of course, I could also make my own icon.
How to Individualize Folder Icons in Windows with Custom Images
I read SciFi all the time; technology and business less often; textbooks too often.
The Ultimate 50 Ways to Find New Books to Read