Trump signs order on cybersecurity that holds agency heads
accountable for network attacks
President Trump on Thursday signed an executive order on cybersecurity that makes clear that agency
heads will be held accountable for protecting their networks, and calls on
government and industry to reduce the threat from automated attacks on the
Internet.
Picking up on themes advanced by the Obama administration,
Trump’s order also requires agency heads to use Commerce Department guidelines
to manage risk to their systems. It
commissions reports to assess the country’s ability to withstand an attack on
the electric grid and to spell out the strategic options for deterring
adversaries in cyberspace.
A government recommendation.
Vendors approve of NIST password draft security
recommendations – emojis welcome
by Sabrina I. Pacifici on May 11, 2017
Via CSO – “Standards group recommends
removing periodic password change requirements – A recently released draft of
the National Institute of Standards and Technology’s (NIST’s) digital identity
guidelines has met with approval by vendors.
The draft guidelines revise password security recommendations and alter many
of the standards and best practices security professionals use when forming
policies for their companies. The new
framework recommends, among other things:
- Remove periodic password change requirements
There have been multiple studies that have shown requiring
frequent password changes to
actually be counterproductive to good password security, said
Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because
passwords should be changed when a user wants to change it or if there is
indication of breach.
- Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements needing
mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been
shown repeatedly that these types of restrictions often result in worse
passwords, Wilson adds. NIST
said if a user wants a password that is just emojis, they should be allowed.
It’s important to note the storage
requirements: salting, hashing and a MAC, such
that if a password file is obtained by an adversary an offline attack is very
difficult to complete.
- Require screening of new passwords against lists of commonly used or compromised passwords
One of the best ways to ratchet up the strength of users’
passwords is to screen them against lists of dictionary passwords and known
compromised passwords, he said. NIST
adds that dictionary words, user names, repetitive or sequential patterns all
should be rejected…”
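As an added example (not part of the CSO article or NIST's own text), the three recommendations above together with the storage note can be turned into a password-acceptance check: a constructed blocklist standing in for a breached-password list, rejection of user names and repetitive or sequential runs, no composition rules (emoji welcome), and salted hashing followed by a keyed MAC. The 8-character minimum, the blocklist contents and the PBKDF2/HMAC choices are my assumptions, not values from the draft as quoted here.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a real list of commonly used / breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
MIN_LENGTH = 8  # assumption: minimum length, counted in code points so one emoji counts as one
PEPPER = os.urandom(32)  # demo only; a real MAC key is kept outside the password database

def is_sequential(run, step):
    # True when every neighbour differs by exactly `step` code points ('1234', 'dcba')
    return all(ord(b) - ord(a) == step for a, b in zip(run, run[1:]))

def has_repetitive_or_sequential(secret, run_len=4):
    """Reject runs such as 'aaaa', '1234' or 'zyxw' anywhere in the secret."""
    for i in range(len(secret) - run_len + 1):
        run = secret[i:i + run_len]
        if len(set(run)) == 1 or is_sequential(run, 1) or is_sequential(run, -1):
            return True
    return False

def screen_password(secret, username, blocklist=BLOCKLIST):
    """Return None when the password is acceptable, otherwise the reason for rejection.
    No composition rules: any Unicode, including emoji, is accepted."""
    secret = unicodedata.normalize("NFKC", secret)
    if len(secret) < MIN_LENGTH:
        return "too short"
    low = secret.lower()
    if low in blocklist:
        return "commonly used or compromised"
    if username and username.lower() in low:
        return "contains user name"
    if has_repetitive_or_sequential(low):
        return "repetitive or sequential pattern"
    return None

def hash_password(secret, salt=None):
    """Salted slow hash, then a keyed MAC: a stolen table alone is not enough for an offline attack."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)
    return salt, hmac.new(PEPPER, digest, "sha256").digest()

def verify_password(secret, salt, stored):
    _, candidate = hash_password(secret, salt)
    return hmac.compare_digest(candidate, stored)
```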
A risk to digital evidence.
Forensics Tool Flaw Allows Hackers to Manipulate Evidence
A vulnerability in Guidance
Software’s EnCase Forensic Imager forensics tool can be exploited by hackers to
take over an investigator’s computer and manipulate evidence, researchers
warned. The vendor has classified the
attack as an “edge case” and it does not plan on patching the flaw any time
soon.
Guidance Software’s forensics products are used by governments, law
enforcement agencies and private companies worldwide, including the U.S.
Department of Justice, the Department of Homeland Security, the London
Metropolitan Police Service, Microsoft, IBM, Apple and Facebook.
The company’s EnCase Forensic Imager is a standalone tool
designed for acquiring forensic images of local drives, and for viewing and
browsing potential evidence files.
Management is not aware?
Sounds familiar.
A third of virtual servers are zombies
New research finds that 25% of all physical servers -- and
30% of all virtual servers -- are comatose. These are systems that have no activity in the
last six months.
… this latest
research looked at virtual servers as well, and they may represent a
significant cost to IT departments.
That's because users may be paying licensing fees on their
virtual servers, as well as on the software they support, said the researchers.
Comatose servers, both virtual and physical, may also
represent "an unappreciated security risk" because they aren't
patched and maintained, according to the research paper by Jonathan Koomey, a research fellow at
Stanford University, and Jon Taylor, a partner at the Athensis Group, a
consulting firm.
… The problem may
be one of motivation: IT managers
aren't necessarily measured on how well they control costs.
Does this make local law enforcement more “Federal?” Will all states eventually have access?
Joe Cadillic writes:
According to an article
in Texas Public Radio, law enforcement will now have access to DHS’s massive
biometric database.
“Texas law enforcement are now getting a big assist from the federal government. Texas is the first and only state to get access to a massive Department of Homeland Security biometric database…”
Letting police have access to
everyone’s biometrics is asinine and the potential for abuse is astronomical.
Read more on MassPrivateI.
Facial recognition instead of door locks? Open the doggie door for Fido, but not for
raccoons?
Lighthouse is an Andy Rubin-backed smart security camera that
identifies people and pets
The team at Lighthouse,
a startup out of Android
co-founder Andy Rubin’s Playground accelerator, doesn’t see its new
hardware product as a home security camera. Instead, they see it as an “interactive
assistant.” But Lighthouse, at least at
first, will definitely be perceived as another new entrant in the smart camera
market.
The device, unveiled for the first time today,
sits in the home just like a Nest Cam to monitor what’s going on indoors. That’s where the overlap with Nest ends,
however. Lighthouse incorporates deep learning and 3D-sensing technology to
determine who is in the home, where they are inside, and if that’s a normal
occurrence or not. The camera pairs with
a companion iOS / Android app over Wi-Fi, so users can determine remotely
whether an intruder is in their house. More
innocuously, Lighthouse can also determine whether a dog’s been walked and send
alerts when kids get home.
So much for Privacy.
If you own an HP laptop or tablet you may have had every
single thing you’ve typed on it logged and stored on your hard drive. This is because, according to a report by
security researchers, a keylogger has inadvertently been installed on a number
of HP devices. And it’s still there now.
Keystroke
logging is a generally nefarious activity whereby someone monitors
everything being typed onto a keyboard. Keyloggers can be hardware- or software-based,
and are difficult to detect. Which is
why it’s so unsettling to discover that one is installed on a number of HP
devices.
(Related). HP says,
“Oops!” Oh I feel so much more secure
now!
HP says it has a fix for flaw that caused some PCs to log
every keystroke
… A fix for 2016
models was released today via Windows Update, while a fix for 2015 models will
be released tomorrow on both Windows Update and HP's Web site, HP Vice
President Mike Nash told Axios.
Why it matters: Although HP never
accessed the data and the logs weren't sent anywhere, just having them created
a security threat. The fix not only
deletes the key-logging code but also the files that stored keystrokes. (However, in theory customers using PC backup
software might have copies elsewhere.)
Just a thought: Will insurance companies require heart
sensors like this (and others in future) for everyone they insure?
Study uses Apple Watch heart rate sensor to detect serious
heart condition with 97% accuracy
… As part of
ongoing research, a deep neural network was trained and paired with Apple
Watch's heart rate sensor to automatically distinguish atrial fibrillation from
normal heart rhythm in a pool of test patients. Findings were presented at the Heart Rhythm
Society's Heart Rhythm 2017 conference on Thursday.
To train the DNN, researchers collected data — 139 million
heart rate measurements and 6,338 mobile ECGs — from 6,158 Cardiogram app users enrolled with the UCSF Health eHeart Study.
… "Our
results show that common wearable trackers like smartwatches present a novel
opportunity to monitor, capture and prompt medical therapy for atrial
fibrillation without any active effort
from patients," said the report's senior author Gregory M.
Marcus, MD, MAS Endowed Professor of Atrial Fibrillation Research and Director
of Clinical Research for the Division of Cardiology at UCSF.
(Related).
Sobering Thoughts When a Connected Medical Device Is
Connected to You
An IoT application.
Nectar Labs brings smart liquor tracking to the bar business
When a bartender pours too much liquor in a drink, or
someone slips away with a bottle, it can take a toll on a drinking
establishment’s bottom line. So Nectar Labs has come up with a solution: the
connected pourer and stopper.
It uses ultrasound technology and a software platform to
precisely measure how much alcohol is left in a given bottle for automating
inventory, managing shrinkage (theft or loss) and self-replenishing.
… The Distilled Spirits Council trade
group estimates that the bar business is worth $200 billion a year worldwide,
and shrinkage is as much as $50 billion a year.
… The Nectar cap
transfers data wirelessly to an app via Bluetooth. Nectar’s caps and associated platform are
designed to seamlessly fit a bar’s current operation. The pourer and stopper continuously
communicates with the app, keeping track of inventory in real time. When a bottle is finished and replaced, Nectar
automatically depletes it from inventory, and when inventory is running low,
orders can be placed directly with distributors.
Perspective.
From Silicon Valley to Davos, pundits have been warning
that millions of individuals will be thrown out of work by the rapid advance of
automation and artificial intelligence. As
economic forecasts go, this idea of a robot apocalypse is certainly chilling. It’s also baffling and misguided.
Baffling because it’s starkly at odds with the evidence,
and misguided because it completely misses the problem: robots aren’t
destroying enough...
Executive decisions:
Trump Wants ‘Goddamned Steam,’ Not Digital Catapults on
Aircraft Carriers
Navy officials were “blindsided” on Thursday, a spokesman
told me, by President Donald Trump’s suggestion that he has convinced the Navy
to abandon a long-planned digital launching system in favor of steam on its
newest aircraft carrier.
Oh my!
North Korea Angered With New Sanctions
In rare move, North
Korea sends letter to U.S. House of Representatives about the latest round of
sanctions as tensions between the countries continue to rise.
No doubt my students will be using this to waste the time
they should be using to study!
… the newest
application of ML from Google, worldwide leaders in machine learning, isn’t to
build a new Mars rover or a chatbot that can replace your doctor. Rather, it’s a tool that anyone can use to
generate custom emoji stickers of themselves.
… Starting today,
when you pull up the list of stickers you can use to respond to someone, there’s
a simple little option: “Turn a selfie into stickers.” Tap, and it prompts you to take a selfie. Then, Google’s image-recognition algorithms
analyze your face, mapping each of your features to those in a kit illustrated
by Lamar Abrams, a storyboard artist,
writer, and designer for the critically acclaimed Cartoon Network series Steven Universe.