Wednesday, September 12, 2018

This could be very useful for future Computer Security classes. Since this is Finals week, it’s a bit late this quarter.
Clare Ward writes:
Once again, Verizon has opened the doors on the reality of a data breach with the launch of the Verizon 2018 Data Breach Digest (DBD) series, enabling businesses to read undisclosed stories from the company’s cyber-investigative vault.
The Data Breach Digest series puts cybercrime in context, outlining the (anonymized) specifics of data breaches and cybersecurity incidents for cyber defenders across all businesses to benefit from Verizon’s insights.
Cybercrime victims often believe they are the victim of an isolated attack; however, in reality this is not the case – thousands of companies experience data breaches or cybersecurity incidents every month. Unfortunately, most breaches are never publicly disclosed, preventing others from learning from the facts. This plays to the advantage of cybercriminals, enabling them to reuse successful breach tactics time and time again on new, unsuspecting organizations.
By opening up Verizon’s cybercrime files via the Data Breach Digest scenarios, we are offering a panoramic insider’s view of the cyber threat activities in an effort to share what we have seen with other organizations around the global. Our hope is that we can learn together – and in doing so, better equip ourselves in the fight against cybercrime.
Read more on Verizon. As of today, here are the stories available, as described by Verizon:
  • Credential Theft – the Monster Cache: Credential theft is an increasingly common target for cybercriminals, but is actually relatively easy to prevent. This story outlines how the development of cyberattack models, which outline threat actor goals, capabilities, and methods were combined with organization profiling to help organizations protect themselves against attack. This case demonstrates how an awareness of an attack vector common to the target’s specific industry could have prevented a major data breach.
  • Insider Threat – the Card Shark: For this case, Verizon experts conducted a Payment Card Industry (PCI) forensic investigation on unauthorized ATM withdrawals. What they found was a network and physical security structure flawed from start to finish. This case walks readers through the investigation to see the many process and policy challenges that enabled this attack.
  • Crypto-Jacking Malware – the Peeled Onion: Sometimes attackers care less about proprietary information and more about processing power. This incident demonstrated how a strong firewall can be undone with missed security patches, turning a client’s system into a stealthy cryptocurrency miner.
  • Third-Party Palooza – the Minus Touch: Digital forensics starts with the data – but what if there’s no data to be found? A blank hard drive and an uncooperative co-location data center starts the Verizon team on a hunt for the what/where – and what was done with it!




Much easier than the con in the movie.
Phishing Is the Internet’s Most Successful Con
… In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.




For my students.
The Ethics of Artificial Intelligence: An Interview of Kurt Long
… I am delighted to be interviewing Kurt Long about the topic of AI. Long is the creator and CEO of FairWarning, a cloud-based security provider that provides data protection and governance for electronic health records, Salesforce, Office 365, and many other cloud applications. Long has extensive experience with AI and has thought a lot about its ethical ramifications.




The pendulum swings again.
EU approves controversial Copyright Directive, including internet ‘link tax’ and ‘upload filter’
The European Parliament has voted in favor of the Copyright Directive, a controversial piece of legislation intended to update online copyright laws for the internet age.
The directive was originally rejected by MEPs in July following criticism of two key provisions: Articles 11 and 13, dubbed the “link tax” and “upload filter” by critics. However, in parliament this morning, an updated version of the directive was approved, along with amended versions of Articles 11 and 13. The final vote was 438 in favor and 226 against.
… The directive itself still faces a final vote in January 2019 (although experts say it’s unlikely it will be rejected). After that it will need to be implemented by individual EU member states, who could very well vary significantly in how they choose to interpret the directive’s text.
The most important parts of this are Articles 11 and 13. Article 11 is intended to give publishers and papers a way to make money when companies like Google link to their stories, allowing them to demand paid licenses. Article 13 requires certain platforms like YouTube and Facebook stop users sharing unlicensed copyrighted material.
Critics of the Copyright Directive say these provisions are disastrous. In the case of Article 11, they note that attempts to “tax” platforms like Google News for sharing articles have repeatedly failed, and that the system would be ripe to abuse by copyright trolls.
Article 13, they say, is even worse. The legislation requires that platforms proactively work with rightsholders to stop users uploading copyrighted content. The only way to do so would be to scan all data being uploaded to sites like YouTube and Facebook. This would create an incredible burden for small platforms, and could be used as a mechanism for widespread censorship. This is why figures like Wikipedia founder Jimmy Wales and World Wide Web inventor Tim Berners-Lee came out so strongly against the directive.




Clever yes, but computer wizards?
Street gangs turn to high-tech cybercrime to make a living
Street gangs are growing more sophisticated and moving into cyberspace. Following an extensive three-year investigation, the State of California Department of Justice arrested and indicted 32 suspects on 240 counts, including identity theft, fraud and hacking. The individuals are linked to criminal street gangs the BullyBoys and the CoCo Boys, California Attorney General Xavier Becerra announced this week.
In total, the suspects are charged with “63 counts of conspiracy to commit grand theft; 54 counts of hacking, computer access and fraud; 56 counts of grand theft; 59 counts of burglary; and eight counts of identity theft,” according to the press release.


No comments: