To Manage or not to Manage…
Equifax identity-theft hackers exploited flaw experts flagged in March
Security workers discovered, and created a fix for, the vulnerability that allowed attackers into the Equifax network two months before the company was hit by hackers.
Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638. The fix for that flaw was first released March 10, though it was later modified, according to the National Vulnerability Database.
Equifax said that the unauthorized access began in mid-May. That's a period of two months in which the company could have, and should have, say experts, dealt with the problem.
… "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company said late Wednesday.
The company also indicated that it had not yet determined the full impact of the breach.
(Related). Poor management everywhere.
Ayuda! (Help!) Equifax Has My Data!
… Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
(Related).
Thank You for Calling Equifax. Your Business Is Not Important to Us
Our government, always watching out for our security, has noticed (after only 20 years!) that Kaspersky Lab is a Russian Company! (Perhaps they read it on their website.) They also noticed that like all the US anti-virus vendors, they work with the government.
Kaspersky Lab Has Been Working With Russian Intelligence
Russian cybersecurity company Kaspersky Lab boasts 400 million users worldwide. As many as 200 million may not know it. The huge reach of Kaspersky’s technology is partly the result of licensing agreements that allow customers to quietly embed the software in everything from firewalls to sensitive telecommunications equipment—none of which carry the Kaspersky name.
That success is starting to worry U.S. national security officials concerned about the company’s links to the Russian government. In early May six U.S. intelligence and law enforcement agency chiefs were asked in an open Senate hearing whether they’d let their networks use Kaspersky software, often found on Best Buy shelves. The answer was a unanimous and resounding no.
… Most major cybersecurity companies maintain close ties to home governments, but the emails are at odds with Kaspersky Lab’s carefully controlled image of being free from Moscow’s influence.
(Related). Note that they never say Kaspersky is doing anything other than what they say they do (protect against viruses, etc.). Also note that this is the first Directive of 2017 – I find that curious.
DHS Statement on the Issuance of Binding Operational Directive 17-01
Social Media as a weapon?
NYT – How the Kremlin built one of the most powerful information weapons of the 21st century
by Sabrina I. Pacifici on Sep 13, 2017
RT, Sputnik and Russia’s New Theory of War. How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop. Jim Rutenberg. September 13, 2017.
“…After RT [Russia’s state-financed international cable network] and Sputnik gave platforms to politicians behind the British vote to leave the European Union, like Nigel Farage, a committee of the British Parliament released a report warning that foreign governments may have tried to interfere with the referendum. Russia and China, the report argued, had an “understanding of mass psychology and of how to exploit individuals” and practiced a kind of cyberwarfare “reaching beyond the digital to influence public opinion.” When President Vladimir V. Putin of Russia visited the new French president, Emmanuel Macron, at the palace of Versailles in May, Macron spoke out about such influence campaigns at a news conference. Having prevailed weeks earlier in the election over Marine Le Pen — a far-right politician who had backed Putin’s annexation of Crimea and met with him in the Kremlin a month before the election — Macron complained that “Russia Today and Sputnik were agents of influence which on several occasions spread fake news about me personally and my campaign…. RT might not have amassed an audience that remotely rivals CNN’s in conventional terms, but in the new, “democratized” media landscape, it doesn’t need to. Over the past several years, the network has come to form the hub of a new kind of state media operation: one that travels through the same diffuse online channels, chasing the same viral hits and memes, as the rest of the Twitter-and-Facebook-age media. In the process, Russia has built the most effective propaganda operation of the 21st century so far, one that thrives in the feverish political climates that have descended on many Western publics…”
(Related). We broke up the USSR, Russia wants to break up the US?
… One other arena these actors may have targeted: secession movements within the U.S. At this point, it’s little secret that a number of American secession movements — including Puerto Rico, Hawaii, and both white and black nationalists — have constructed links with Russian actors, including those funded by the Kremlin. Tracing these links has become an unexpected hobby of mine, and I’ve written on the topic a handful of times, from The Diplomat to Slate to The Daily Beast.
Perhaps they will issue another Directive?
Homeland Security hit with lawsuit over phone, laptop searches
The American Civil Liberties Union and the Electronic Frontier Foundation sued the Department of Homeland Security on Wednesday for searching the phones and laptops of 11 plaintiffs at the US border without a warrant.
The group of plaintiffs includes 10 US citizens and one lawful permanent resident, several of whom are Muslims or people of color. Among the group are journalists, a veteran and a NASA engineer. All were reentering the US following business or personal travel. Some plaintiffs had their devices confiscated for weeks or months. None were accused of wrongdoing following the searches.
… CBP, which is a Department of Homeland Security agency, states on its website that "no court has concluded that the border search of electronic devices requires a warrant." But many travelers, including the plaintiffs in this case, have cited concerns about officers reading private emails and messages on their phones and laptops.
Something strange here? What kind of “progress” would make secrecy no longer useful?
The Government Has Dropped Its Demand That Facebook Not Tell Users About Search Warrants
… According to court papers filed jointly by Facebook and the US attorney's office in Washington on Wednesday, prosecutors determined that the underlying investigation that prompted the search warrants — the details of which are under seal — had "progressed ... to the point where the [nondisclosure orders] are no longer needed."
The announcement came less than 24 hours before an appeals court in Washington, DC, was set to hear arguments in the case. According to the joint filing, a lower court judge vacated the nondisclosure orders at the government's request, making Facebook's appeal of those orders moot.
How many people should have access to your social media accounts and what training should they receive? I’m going to suggest my Computer Security class for starters. (If no one on the staff was required/asked to take the blame, I’m guessing it was not a staffer who hit like.)
Sen. Ted Cruz’s (R-Texas) Twitter mishap late Monday night involving a pornographic account is nightmare fuel for congressional staffers who are increasingly tasked with managing social media for their bosses.
Twitter and Facebook have become crucial communication tools for members of Congress, helping them stake out their positions, interact with constituents and attract media attention. As a result, staffers spend many of their work hours managing and cultivating lawmakers’ social media presences.
But in an era where an inadvertent retweet or insensitive Facebook comment can balloon into controversy, the task can be perilous. And smartphone apps have only further blurred the line between work and personal accounts.
… Cruz this week began trending on social media after his official political Twitter account “liked” a two-minute pornographic video. The Texas Republican blamed the incident on a “staffing issue,” with many speculating the failure to switch from an official account to a personal one could be responsible for the action.
“There are a number of people on the team that have access to the account, and it appears that someone inadvertently hit the like button,” Cruz told reporters on Tuesday.
Ooh! All kinds of nifty science-fictiony kinds of scenarios leap to mind. If I can make one of those ‘Mission Impossible’ face masks, I could drain your bank account, steal your car, drive to your house and unlock the front door, etc. Thanks Apple!
What happens if a cop forces you to unlock your iPhone X with your face?
Imagine you've been detained at customs, waiting to cross the border. Or maybe you've been pulled over for a traffic violation. An officer waves your cellphone at you.
“Look at this. Is this yours?” he asks.
Before you can respond, a tiny infrared sensor in the phone has scanned your face. Matching those readings against the copy of your face that is stored in its archive, the phone concludes that its owner is trying to unlock it. The device lowers its defenses, surrendering its contents in moments to the law enforcement officer holding your phone. [Would that then be considered “in plain sight?” Bob]
Tips for my Computer Security students.
Online translation applications may pose security risk
by Sabrina I. Pacifici on Sep 13, 2017
Quartz: “…On Sept. 3, the Norwegian news agency NRK reported that sensitive Statoil information—contracts, workforce reduction plans, dismissal letters, and more—were available online because employees had used the free translation service Translate.com, which stored the data in the cloud. The news traveled fast in Scandinavian countries. In response, the Oslo Stock Exchange even blocked employee access to Translate.com and Google Translate…”
For my Computer Security students.
If you don’t already use Keybase, you will have to go through a few initial steps to get the app up and running for use on Facebook, Twitter, Reddit, Github, and HackerNews.
Something for continuing education?
Google’s Inside Search offers two training modules: Power Searching with Google and Advanced Power Searching.