Lorenzo Franceschi-Bicchierai reports:
There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.
MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.
Read more on Motherboard.
There has been a significant increase in ATM thefts recently. Here’s how to do it.
3 Danger Signs to Look for Each Time You Use an ATM
Encrypt everything. Use TOR. Pretend to be someone else (like a law professor or Secretary of State, for example)
A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.
If passed, the change would expand the reach of the FBI’s already highly controversial national security letters.
… In February, FBI Director James Comey testified during a Senate Intelligence Committee hearing on worldwide threats that the FBI’s inability to get email records with NSLs was a “typo” — and that fixing it was one of the FBI’s top legislative priorities.
Greene warned at the time: “Unless we push back against Comey now, before you know it, the long slow push for an [electronic communication transactional records] fix may just be unstoppable.”
The FBI used to think that it was, in fact, allowed to get email records with NSLs, and did so routinely until the Justice Department under George W. Bush told the bureau that it had interpreted its powers overly broadly. Ever since, the FBI has tried to get that power and has been rejected, including during negotiations over the USA Freedom Act.
[If at first you don’t succeed, try over and over and over and over, until you do. Bob]
Perhaps we should call politicians and claim they owe a ‘Federal Stupid Tax’? I wonder how many would bite?
IRS Warns Taxpayers About New Scam Involving Bogus 'Federal Student Tax'
… the Internal Revenue Service (IRS) issued a warning about a new scam making the rounds. The latest IRS impersonation scheme involves bogus phone calls demanding payment for a non-existent tax, the “Federal Student Tax.”
The lack of such a tax hasn’t kept scammers from targeting students, and threatening to report them to the police if they do not immediately wire money via MoneyGram or other untraceable method. According to the FTC, the callers generally have some piece of information that makes the call seem legit. That information might be the name of the student’s school or info that is designed to make the student feel like the caller is a real authoritative figure. Sometimes, if the student hangs up on the caller, the caller follows up with spoofed caller-ID information advising that 911 or the U.S. Government is calling.
Something my Computer Security students agreed should be built into every password system.
Microsoft bans ‘12345’ and other common passwords to boost security
Microsoft wants you to stop using “password” as your account password, and the company knows just how to do that — ban it outright. The company wrote in a technical blog, noticed by online news site Mashable, that it will ban users from setting up some of the most commonly used passwords. Microsoft hopes the practice will increase security for user accounts, as those with passwords such as “football” and “12345” are some of the most susceptible to hackers.
If users try to set up an account with many of the passwords found on the annual Worst Passwords List put together by SplashData, Microsoft will show a red warning that says, “Choose a password that’s harder for people to guess.”
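What a banned-password check of the kind described above looks like in practice, as an added illustration (not Microsoft’s code): it folds case, strips the digits and symbols people tack onto the ends, undoes common letter-for-symbol substitutions, and then looks for a banned word, so that “P@ssw0rd2016!” is rejected just like “password”. The banned list and the substitution table are constructed samples, not a published list.

```python
"""Banned-password check in the spirit of the Microsoft policy above.

Added example, not Microsoft's implementation. The banned set is a small
constructed sample; a real deployment would load a published list such as
SplashData's Worst Passwords List and keep it current.
"""
import re

# Constructed sample of commonly used passwords (illustrative, not exhaustive).
BANNED = {"password", "123456", "12345", "football", "qwerty", "letmein", "abc123"}

# Letter-for-symbol substitutions that guessing wordlists already undo,
# so they add no real strength to a banned word.
_SUBS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})

# Minimum length for a banned word to count when it is only a substring
# ("mypassword1"); very short entries would match too much.
_MIN_SUBSTRING = 5


def strip_decoration(pw: str) -> str:
    """Drop leading/trailing non-letters: "football99!" -> "football"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)


def candidate_forms(pw: str) -> set:
    """All normalised spellings a guessing tool would try for this password."""
    folded = pw.casefold()
    stripped = strip_decoration(folded)
    forms = {folded, stripped, folded.translate(_SUBS), stripped.translate(_SUBS)}
    return {f for f in forms if f}


def is_banned(pw: str, banned=BANNED) -> bool:
    """True if any normalised form is, or contains, a banned password."""
    for form in candidate_forms(pw):
        if form in banned:
            return True
        if any(b in form for b in banned if len(b) >= _MIN_SUBSTRING):
            return True
    return False


def check_password(pw: str):
    """Return the warning text for a banned choice, or None if it is allowed."""
    if is_banned(pw):
        return "Choose a password that's harder for people to guess."
    return None
```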
Something my Ethical Hacking class should consider. When we find holes in FBI systems, should we tell anyone?
From the stop-me-if-you’ve-heard-this-one-before dept:
Over on Daily Dot this morning, I reported that the FBI executed a search warrant at the home of researcher Justin Shafer. Shafer’s name will be familiar to regular readers of DataBreaches.net because he exposed a long-standing security vulnerability in Dentrix software and challenged Henry Schein’s claims that their product provided “encryption.” Our combined efforts resulted in the recent consent order announced by the FTC.
… If Shafer did nothing wrong, how did a prosecutor convince a magistrate judge to issue a search warrant based on probable cause when there was no code bypassed, no login required, no evidence that any data downloaded had been used in furtherance of a crime, and no personal data disclosed publicly in Shafer’s reporting on the incident or this site’s reporting on it? Unfortunately, the probable cause affidavit is under seal, but this blogger wonders if the magistrate judge really understood the nature of an anonymous FTP server.
For my next talk on encryption…
The Downside of the FCC’s New Internet Privacy Rules
There may soon be a new cop on the privacy beat — the Federal Communications Commission. Last month, the FCC issued a 150-page document proposing sweeping new rules and regulations for broadband Internet Service Providers (ISPs). But in my analysis, this is not good news for those who genuinely care about promoting consumer privacy.
To understand why the FCC’s involvement would create more problems than it would solve, it helps to understand a massive shift in web security over the last few years: the overwhelmingly successful campaign to encrypt data flowing to and from consumers over the Internet.
My government in action! Should we say government is slow and poorly managed, or that no matter how much money it tosses at a problem, it still manages to be slow?
OPM IG Report on Information Infrastructure Improvement Project
by Sabrina I. Pacifici on May 27, 2016
“OPM has still not performed many of the critical capital project planning practices required by the Office of Management and Budget (OMB). Of primary concern, prior to initiating the Infrastructure Improvement Project (Project), OPM did not perform the mandatory Analysis of Alternatives to evaluate whether moving all infrastructure and systems to a new environment (initially known as Shell, but now referred to as IaaS [Infrastructure as a Service]) was the best solution to address the stated objective of this initiative: to provide a secure operating environment for OPM systems at a lower cost. In light of recent developments involving the creation of the National Background Investigations Bureau within OPM to replace the Federal Investigative Services, the current Federal background investigations program, and the shifting of the responsibility for developing and maintaining the associated information technology systems to the Department of the Defense, this analysis is even more important. In addition, most, if not all, of the supporting project management activities required by OMB have still not been completed…”
See also related posting, CRS Insights – OPM Data Breach
I sense a business opportunity here. Skype into our classes?
FT Business Education – Executive education rankings 2016
by Sabrina I. Pacifici on May 27, 2016
FT Business Education Report, May 23, 2016: “For the dream of lifelong learning to be realised fully, those in the 35-60 age group must also be given the opportunity to refine and revise their skills throughout their careers, which could well stretch into their seventies. This is not happening enough. Executive education has traditionally been one niche in which the middle aged have been able to polish their skills. But the super charged intensity of the modern office makes it hard to get away from daily duties. Glenn Hubbard, dean of Columbia Business School, ruefully observes that its MBA graduates have a lifetime entitlement to come back and sit in on any class—but they almost never find the time. “People don’t take me up on it because they are busy,” he says.”
Might be fun to try.
Amazon Alexa Hits The Browser With Echo Simulator Skill Testing Tool: Here's How It Works
Amazon recently unveiled Echosim.io, a site that emulates the functionality of an Amazon Echo speaker, bringing the Alexa voice assistant technology to desktops.
… It's really easy to tap into Alexa's potential on desktop systems. Simply go to Echosim.io and sign in with your Amazon username and password, then hold your mouse over the microphone button and start interacting with the voice assistant. Obviously, you will need a working microphone to throw more or less serious questions at the AI.
For anyone who likes to look up.
5 Tools to Watch the Night Sky and Track Events in Astronomy
[And one of my favorites: http://iss.astroviewer.net/observation.php?lon=-104.990251&lat=39.7392358&name=Denver