Geeks at war! At least we have shifted to the offense. (The first acknowledgment anyway)
W. J. Hennigan reports:
Military commanders have mounted a cyberoffensive against Islamic State in Iraq and Syria in recent weeks by deploying hackers to penetrate the extremist group’s computer and cellphone networks, according to the Pentagon.
The cyberassault, which Defense Secretary Ashton Carter authorized last month, marks the first time teams from U.S. Cyber Command have been integrated into an active battlefield since the command was established in 2009.
Read more on The Columbian.
Reasonably large, poorly secured.
Joseph Cox reports:
A hacker on the dark web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
“Their server was compromised and the MySQL database was dumped,” the hacker, who asked to remain anonymous, told Motherboard. “I had shell/command access to their server.”
Read more on Motherboard.
There doesn’t seem to be any statement on Mate1.com’s web site as of the time of this posting.
[From the article:
On Monday, this reporter clicked the "forgotten password" feature on Mate1's login page. The full, plaintext password was then emailed, further corroborating that the site does indeed store passwords without any hashing.
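As an added example (not code from the article, Motherboard or Mate1), the snippet below contrasts the storage pattern the reporter's test exposes with a salted, slow-hash store, and re-runs that test from both sides: does a dumped database record contain the password, and can a "forgotten password" flow mail it back? The user record, the password, the PBKDF2 iteration count and the in-memory tables are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count for PBKDF2-HMAC-SHA256. An assumption for this example;
# tune it to the hardware the site actually runs on.
PBKDF2_ITERATIONS = 200_000


class PlaintextStore:
    """The pattern the article describes: the password itself is the stored value."""

    def __init__(self):
        self.users = {}                      # email -> password

    def register(self, email, password):
        self.users[email] = password

    def verify(self, email, password):
        return self.users.get(email) == password

    def forgotten_password(self, email):
        # A store like this can answer the way the article says Mate1's did:
        # by mailing the password itself.
        return f"Your password is: {self.users[email]}"


class HashedStore:
    """Salted PBKDF2 store: only a slow one-way derivation of the password is kept."""

    def __init__(self):
        self.users = {}                      # email -> (salt, derived_key)
        self.reset_tokens = {}               # email -> single-use reset token

    def register(self, email, password):
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[email] = (salt, dk)

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, dk = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, dk)   # constant-time comparison

    def forgotten_password(self, email):
        # The stored value cannot be turned back into the password, so the only
        # thing the site can send is a fresh single-use reset token.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[email] = token
        return f"Reset token: {token}"


def dump_contains_password(store, email, password):
    """The reporter's test seen from the dumped-database side: does the stored
    record for this user contain the password itself?"""
    record = store.users[email]
    if isinstance(record, str):
        return password in record
    salt, dk = record
    return password.encode() in salt + dk


def reset_mail_contains_password(store, email, password):
    """The reporter's test from the outside: does the 'forgotten password'
    message reveal the password?"""
    return password in store.forgotten_password(email)


def demo():
    # Constructed user; nothing here comes from the Mate1 dump.
    email, password = "alice@example.net", "correct horse battery staple"
    results = {}
    for name, store in (("plaintext", PlaintextStore()), ("hashed", HashedStore())):
        store.register(email, password)
        results[name] = {
            "verify_ok": store.verify(email, password),
            "verify_wrong": store.verify(email, "wrong"),
            "dump_reveals": dump_contains_password(store, email, password),
            "reset_reveals": reset_mail_contains_password(store, email, password),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Both stores accept the correct password and reject a wrong one, so the login page looks identical from outside; the reporter's reset-flow check is what separates them, and it is a test anyone can run against their own site without a database dump.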
Need some insider/personal data? Just ask!
Snapchat Admits Getting Scammed and Leaking Employee Data
On Sunday, the ephemeral messaging app revealed on its blog that the data of some of its employees, current and past, has been compromised. On Friday, a scammer impersonated the company’s CEO, Evan Spiegel, and sent a phishing email asking for payroll information to an employee in that department. Unfortunately, neither Snapchat’s security system, nor the employee realized it was a scam, and the data was “disclosed externally,” the company explains.
Snapchat says it took action within four hours, confirming it was an isolated phishing incident and reporting it to the FBI.
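As an added example, not Snapchat's own tooling, here is a small mail-gateway check for the pattern described above: an executive's display name on a message that comes from, or replies to, an address outside the company, combined with a request for payroll data. The company domain (example.com), the message samples and the keyword list are constructed assumptions; the protected name is the one the post mentions.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: the company's real mail domain and the
# display names a scammer would borrow (the article names the CEO).
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"evan spiegel"}
PAYROLL_WORDS = ("payroll", "w-2", "salary", "direct deposit")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message):
    """Return (verdict, reasons) for one RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To") or from_addr)
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace").lower()

    reasons = []
    # The scammer only needs the name: the mailbox is the part they cannot fake.
    if from_name.strip().lower() in PROTECTED_NAMES and _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    # A legitimate internal From with replies steered elsewhere is the other variant.
    if _domain(reply_addr) != _domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    asks_for_data = any(w in body for w in PAYROLL_WORDS)
    if asks_for_data:
        reasons.append("message asks for payroll data")

    header_spoof = len(reasons) - int(asks_for_data) > 0
    if header_spoof and asks_for_data:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, reasons


# Constructed messages; none of these are the actual Snapchat email.
SAMPLES = {
    "ceo_spoof": (
        "From: Evan Spiegel <evan.spiegel@evil-mail.example.net>\n"
        "To: payroll@example.com\n"
        "Subject: Urgent request\n\n"
        "Can you send me the payroll information for all current employees today?\n"
    ),
    "reply_to_redirect": (
        "From: Evan Spiegel <evan@example.com>\n"
        "Reply-To: Evan Spiegel <evan.spiegel@evil-mail.example.net>\n"
        "To: payroll@example.com\n"
        "Subject: W-2s\n\n"
        "Please reply with the W-2 forms for everyone in the company.\n"
    ),
    "real_ceo": (
        "From: Evan Spiegel <evan@example.com>\n"
        "To: all@example.com\n"
        "Subject: Thanks\n\n"
        "Great quarter, team. See you at the all-hands.\n"
    ),
    "hr_reminder": (
        "From: HR Team <hr@example.com>\n"
        "To: all@example.com\n"
        "Subject: Reminder\n\n"
        "Reminder: update your direct deposit details in the HR portal before Friday.\n"
    ),
}


def run_samples():
    """Verdict for each constructed sample."""
    return {name: analyse(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

The two spoof variants are quarantined, the CEO's real message is delivered, and the HR reminder lands in "review" because it mentions direct deposit with no header anomaly at all. That last case is the usual tradeoff: keyword matching alone produces noise, while the header checks carry the weight because they look at what the scammer cannot borrow.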
Want to own the police computers? Someone on the inside will fall for your phishing email.
Aaron Leibowitz reports:
Hackers stole the encryption key to a software system at the Melrose Police Station on Thursday evening, compelling the department to pay the hackers one Bitcoin to regain control, Chief Michael Lyle told the Free Press on Monday.
The attack came in the form of an email sent to the entire department around 7 p.m. Thursday, Lyle said. One person opened the email, [I'll bet there was more than one. Bob] setting off a virus that voided the department’s control of a program it uses to log incident reports, known as TriTech.
Read more on Wicked Local – Melrose.
[From the article:
The Melrose Police did not lose any data, but officers were forced to put all log entries and incident reports in Microsoft Word documents until the problem was addressed, according to Lt. Mark DeCroteau.
They also had to book arrested parties on paper – “the old fashioned way,” DeCroteau said.
Are critical switches (circuit breakers, valves, etc.) available over the Internet?
Utilities Cautioned About Potential for a Cyberattack After Ukraine’s
The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyberattack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.
After an extensive inquiry, American investigators concluded that the attack in Ukraine on Dec. 23 may well have been the first power blackout triggered by a cyberattack — a circumstance many have long predicted. Working remotely, the attackers conducted “extensive reconnaissance” of the power system’s networks, stole the credentials of system operators and learned how to switch off the breakers, plunging more than 225,000 Ukrainians into darkness.
For my Computer Security students. Re-program to remove that “assume” when the other vehicle is controlled by a mere human?
Google Self-Driving Car Hits A Bus In Los Angeles And It's At Fault: Here's What Happened
… The Google AV was driving in the far right side of the three-lane boulevard, preparing to take a right turn onto Castro Street. However, it couldn't smoothly do so because of sandbags that surrounded a storm drain, and it had to move to the center to make the turn.
The Lexus did let a couple of cars pass before it proceeded to maneuver around the obstruction, but a bus approaching at 15 mph was right behind it. According to the accident report, the bus was visible in the left mirror. It then collided with the bus, incurring damage on its front-left fender, wheel and sensor.
"A public transit bus was approaching from behind. The Google AV test driver saw the bus approaching in the left side mirror, but believed the bus would stop or slow to allow the Google AV to continue. Approximately three seconds later, as the Google AV was reentering the center of the lane, it made contact with the side of the bus," the report says (PDF).
… Placed in the same situation that drivers face every day, the Google AV predicted that the bus would allow it to pass first, as it's positioned ahead of the incoming vehicle. The occupant also thought the same. Apparently, they were both wrong.
Google says the company itself and the AV in question are at fault to a certain degree, making this the first case under that condition.
The (probably) never-ending story continues. Might be interesting to see what Apple argued in this case. (I assume their lawyers were there?)
N.Y. judge backs Apple in encryption fight with government
The U.S. government cannot force Apple Inc (AAPL.O) to unlock an iPhone in a New York drug case, a federal judge in Brooklyn said on Monday, a ruling that bolsters the company's arguments in its landmark legal showdown with the Justice Department over encryption and privacy.
The government sought access to the phone in the Brooklyn case in October, months before a judge in California ordered Apple to take special measures to give the government access to the phone used by one of the shooters in the San Bernardino, California, attacks.
U.S. Magistrate Judge James Orenstein in Brooklyn ruled that he did not have the legal authority to order Apple to disable the security of an iPhone that was seized during a drug investigation.
His ruling echoed many of the arguments that Apple has made in the San Bernardino case, particularly his finding that a 1789 law called the All Writs Act cannot be used to force Apple to open the phone. Orenstein also found that Apple was largely exempt from complying with such requests by a 1994 law that updated wiretapping laws.
… Orenstein said his ruling in Apple’s favor was not a decision on "whether the government should be able to force Apple to help it unlock a specific device; it is instead whether the All Writs Act (AWA) resolves that issue and many others like it yet to come."
Orenstein concluded that "the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA's constitutionality if adopted."
He also wrote: "The implications of the government's position are so far-reaching – both in terms of what it would allow today and what it implies about Congressional intent in 1789 – as to produce impermissibly absurd results."
Orenstein also found that the Communications Assistance for Law Enforcement Act, passed in 1994, exempted Apple from this sort of request.
[The ruling:
(Related) A peek ahead.
Here's what Apple’s top lawyer will tell Congress tomorrow
(Related) Note that this is largely built into sites like Google. It is not individuals encrypting their communications.
Study finds about half of Web traffic is encrypted
About 49 percent of Internet traffic is encrypted, according to a new study released Monday.
That is a 36 percentage point jump from April 2014, when only about 13 percent of traffic was being encrypted. The results Monday confirm other studies that have seen a large uptick in encryption, with the increase predicted to continue.
The study found that 24 of the top 50 sites encrypt their traffic by default, usually signaled on a user’s browser by a lock and the letters “https” ahead of the web address. The study also found 42 of the top 50 sites either encrypt by default or shift to encryption after log in.
(Related) ...and if you don't encrypt, it's your own fault! (Would lawyers expect the same “exemption?”)
Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance:
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Read more on Lexology.
My guess is he enjoyed the way Scalia asked the questions.
Justice Clarence Thomas breaks 10-year streak, asks question in court
Another look into the future of the Internet of Things. Perhaps my bottle will send a “Bring me another Fat Tire Dear” to my wife as I near the end of my beer?
With 'Smart' Brita Pitcher, Amazon Aims To Change How Consumers Buy Everyday Essentials
This is not your mother’s water pitcher. [I expect to see this in many ads. Bob]
Amazon is testing the waters for ways to render brick-and-mortar shopping virtually obsolete — at least when it comes to everyday necessities.
The online giant has launched the new Wi-Fi-enabled Brita Infinity pitcher, which is designed to automatically order a new filter through its Amazon Dash Replenishment reordering program when the existing filter nears its capacity.
Coca Cola tried this last week with their 12-packs. Perhaps more kids have smartphones in Sweden?
Kids will soon be able to turn their Happy Meals into VR goggles in Sweden
Fast food juggernaut McDonald's is rolling out a pilot program in Sweden that turns Happy Meal boxes into virtual reality goggles. With a few flips and folds, kids can transform the box into a smartphone holder, which provides a kinda-sorta VR experience similar to Google Cardboard.
Because my students should at least talk like they understand this stuff!
Are You Confused by the Windows App Terminology?