Wednesday, September 07, 2016

“It’s not hacking if we just pay hackers for hacking.” 
DPA reports:
Denmark will pay an anonymous source for information about hundreds of Danish nationals mentioned in a data leak from a Panama-based law firm linked to tax-dodging schemes, the Danish minister of taxation said Wednesday.
Karsten Lauritzen welcomed the fact that parliament’s tax committee broadly supported the scheme, but noted “there is a risk when doing deals with an anonymous seller.”
Read more on About Croatia.
[From the article: 
Jim Sorensen, a division head at the authority, told broadcaster DR that a sample received earlier this year proved to be credible.
"We feel the data is good and we can use it for tax cases and to get an overview of tax evasion in general," he said.


There’s hacking and then there’s counter-hacking.  You might even say it’s Ethical Hacking. 
Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops
   The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.
Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations.  Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.
It works.  The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year.  Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
   "Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says.
"We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."
"We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."
Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper.
The information Lukavsky passed on to police from that attack late last year lead to the arrest of the scammers located in Africa.


I agree with Dissent.  Also, this is a very rare mention of Change Control as a security tool.  Knowing that a someone has modified your software might give you clue that you have been hacked!
I occasionally come across breach notifications that impress me quite favorably.
This notification by Nourse Farms is a good example of a strong incident response described in a strong letter that will be more likely to reassure customers than infuriate them.


Wasn’t this already obvious?
Dustin Volz reports:
The U.S. Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, a congressional investigation being released on Wednesday has found.
Two breaches at the federal agency detected in 2014 and 2015 were made worse by lax security culture and ineffective leadership, which failed to harness available tools that could have stopped or limited the intrusions, according to the report from the Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform, a copy of which was seen by Reuters.
Read more on Reuters, keeping in mind that this was not a panel of our most respected security experts but a politically charged process.  Not surprisingly, the Democrats did not concur with the Republicans.  As Volz reports:
Representative Elijah Cummings, the top Democrat on the oversight panel, rejected the report’s findings in a memo to other Democrats. He claimed the report had factual deficiencies and did not account for mistakes made by federal contractors.
Infosecurity is hard enough without politicians who can’t even manage to fund urgently needed public health initiatives trying to score political points after a data breach.
All that said, do read Brian Krebs’ coverage of the report, as he pulls out the kind of findings that you may find interesting about what went amiss.

(Related)  Learn from the failure of others, what a concept!
The Denver Channel reports that Noodles & Company has been sued by financial institutions who allege that they suffered injury as a result of a databreach first reported in May – a breach they claim could have been avoided had Noodles & Company learned from all the hacks of other major retailers and deployed adequate security.


What should Congress know?
Classifieds website asks Supreme Court to block congressional subpoena
The classified advertising website Backpage.com is asking the Supreme Court to block a congressional subpoena for documents into the website’s process of screening for sex trafficking ads.
Backpage.com claims the court order violates CEO Carl Ferrer’s First Amendment rights.
“This case highlights a disturbing — and growing — trend of government actors issuing blunderbuss demands for documents to online publishers of content created by third parties (such as classified ads) in a manner that chills First Amendment rights,” the company claims in its petition to chief Justice John Roberts for immediate stay on Tuesday.
   The October 2015 subpoena seeks any documents concerning the website's editing of ads, relating to its policies, manuals, memoranda, and guidelines, as well as any material involving “reviewing, blocking, deleting or modifying” ads, according to court documents.
“The record suggests Backpage would not have been the target of PSI’s fishing expedition if did not host ads that some find distasteful.


The Balkanization of data?  Take that, government subpoena! 
Azure, Office 365: Microsoft's two new cloud regions tackle data privacy issues
Microsoft has officially opened two new cloud regions, offering Azure and Office 365 from multiple datacenter locations in the UK for the first time.
The new UK regions take to 28 the number of Microsoft generally-available regions for its cloud infrastructure and platform services.
For UK enterprise customers, the regional services are also designed to provide a better option for meeting requirements to store certain data locally.
   However, Microsoft is also taking a different approach to providing its services in Europe.  Two of Microsoft's six new regions include two new datacenters in Germany slated for launch by the end of the year.
These two German regions be operated by 'data trustee' Deutsche Telekom subsidiary T-Systems.  Under this arrangement, Microsoft won't have access to customer data and any government request for such data will need to go through T-Systems.


Would you call the ACLU “activists?” 
Activists to FBI: Show Us Your Warrant for Mass Hack of TorMail Users
Mass hacking is now one of the FBI's established tactics for fighting crime on the dark web.  In February 2015, the agency hit at least 4,000 computers all over the world in an attempt to identify visitors of a child pornography site.
But questions remain about another FBI operation from 2013, in which the agency may have hacked users of a dark web email service called TorMail even if they weren’t suspects of a crime.  Now, the American Civil Liberties Union (ACLU) is trying to unseal the court docket sheet containing the search warrant used to deploy malware against users of the service.  If the ACLU were then to get access to the warrant itself, it may reveal the true scale of the FBI’s controversial hacking campaign.

(Related)  King George didn’t need no stinking warrant!
Lindsay Whitehurst reports:
The Drug Enforcement Administration wants to block the American Civil Liberties Union of Utah from stepping into a court case over whether investigators can do warrantless searches of a database of all prescription drug records in the state.
More than 40 states keep similar databases, but Utah recently passed a law requiring investigators to get a warrant before they search it.
DEA lawyers argue they’re exempt from that law because they’re a federal agency, but state officials contend they have to follow it like other investigators.
Read more of AP’s report on the Salt Lake Tribune.


Some teens hide their text, parents of some of them find ways to hack into their texts.  Are we talking a significant number?
So kids take steps to protect their privacy, and rather than respect that, some parents take countermeasures to invade their privacy in the name of protecting them?
CBS reports:
Parents are using spyware in an effort to monitor their children’s social media interactions.
CBS2’s Emily Smith reported different types of spyware can combat against free apps that hide texts and phone calls children don’t want their parents to see.  One app looks like a calculator with a percentage sign next to it. 
[…]
Marlowe said once a child starts paying for their cellphone it’s time for parents to take a step back, but until that day, parenting experts said it’s all fair game.
Experts added that at the very least parents should have their children’s passwords and know what to look for in the ever-changing digital world.
Read more on CBS.
“At the very least, parents should have the passwords?”  I never once asked my kids for their passwords.  What a terrible parent I was…


A model for selling used textbooks?  Garage sales R us? 
Japan’s Mercari Brings Its Bazaar App to the U.S.
TOKYO—In an increasingly competitive global e-commerce market, it is rare for an Asian startup to challenge American giants such as Amazon.com Inc. and eBay Inc. on their own turf.
That is what Tokyo-based Mercari Inc. is trying to do with its app for people buying and selling used goods like $35 purses and $15 videogames—and it is making some inroads.
Downloads of Mercari’s flea-market app reached 19 million in the U.S. at the end of August, up from 12 million a month earlier, the company said Tuesday.  Downloads in Japan have climbed to 35 million.  At one point recently, Mercari’s app rose as high as No. 3 in rankings for U.S. downloads, according to analytics firm App Annie.
   Significantly, Mercari focuses almost exclusively on smartphone users—a big difference from other used-goods sites like eBay and Craigslist that date back to the desktop computer era.  The app is designed so sellers can upload photos quickly and buyers can make one-click purchases.  It also handles the payment process.
Once a buyer purchases a listed item, the money goes first to Mercari, which informs the seller that payment has been received, greenlighting shipment.  The seller is paid only after the buyer confirms receipt—preventing instances where sellers pocket payments without shipping anything.


It is certainly making my grading of papers a real pain in the butt.
Bad Writing Is Destroying Your Company’s Productivity
   I surveyed 547 businesspeople in the first three months of this year.  I looked specifically at people who write at least two hours per week in addition to email.  They told me that they spend an average of 25.5 hours per week reading for work.  (About a third of that is email.)
And 81% of them agree that poorly written material wastes a lot of their time.  A majority say that what they read is frequently ineffective because it’s too long, poorly organized, unclear, filled with jargon, and imprecise.
Entry-level employees get little training in how to write in a brief, clear, and incisive way.  Instead, they’re immersed in first-draft emails from their managers, poorly edited reports, and jargon-filled employee manuals.  Their own flabby writing habits fit right in.  And the whole organization drowns in productivity-draining blather.


Just because…

No comments: