Follow by Email

Sunday, April 26, 2015

Russian Hackers involved in the breach The Military United States Pentagon Discloses

The Pentagon has disclosed that Russian hackers were able to breach one of its secure networks earlier this year, and referred to the attack as a "worrisome" incident. "Earlier this year, the sensors that guard DOD's unclassified networks detected Russian hackers accessing one of our networks," said defense secretary Ash Carter yesterday during a speech at Stanford University. Carter warned Russia that the U.S. Department of Defense would retaliate with cyber campaigns should it see fit. "Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary," said Carter. He added in a prepared statement that the Russian hackers had been able to gain access to an "unclassified network" but had been "quickly identified" by a team of cyberattack experts who managed to block the hackers "within 24 hours." The cybersecurity response team had quickly analyzed the hack patterns and code and identified the intruders as Russian, before "kicking them off the network.

Companies Care About Data Privacy Bad: No Idea How To Protect It

Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters.
IT is grappling with how to protect sensitive data, making the state of data privacy worrisome no matter how big or small the organization is. Smaller companies care about data privacy just as much as big ones do, but they’re ill-equipped to do much about it. Large enterprises take more measures to deal with the issue, but they aren’t that successful, either.
When we talk about topics like IT governance, data privacy, and information security, there’s a tendency to imagine that these issues apply primarily to large companies with household names. As if smaller organizations don’t … well, not exactly don’t care, but they have so much to juggle, and fewer IT staff available to do the juggling, that such matters get little attention.
As it turns out, that’s not precisely so. Small and mid size businesses care about data privacy. They care a lot.
A recent report among IT and business professionals responsible for corporate data, sponsored by by Druva, shows that 93% of respondents across company size are challenged by data privacy. (You can download the report to see the results yourself, or get a broad overview from this infographic.)
However, differences emerge when we drive a little deeper into the data to learn how company size affects organizational behavior regarding privacy safeguards. Nominally the data is less trustworthy – the sample size for each category gets somewhat small – but the trends are clear enough that you and I can draw some useful (if not precisely scientific) conclusions.
Larger organizations put more energy into protecting the privacy of sensitive data; after all, they have to contend with greater risks. A single stumble can result in major corporate embarrassment, such as millions of customer records being stolen. So we see 77% of businesses with more than 5,000 employees investing more effort into this initiative in 2015, as are 100% of companies with 1,000-5,000 employees.
But data privacy urgency affects smaller businesses, too, because you don’t need to be a big organization to have your finger on personally identifiable or other private data. In even the tiniest companies, those with under 100 employees, 83% are investing more in data privacy protection this year; so are 72% of those with 100-1,000 employees.
What’s different is not the perceived urgency of data privacy and other privacy/security matters. It’s what companies are prepared (and funded) to do about it.
Large companies have more resources, such as the opportunity to offer and enforce employee training. And indeed, when it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training.
However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy.
Another example of the difference in organizational behavior is security audits. It’s become commonplace, if not exactly routine, for organizations to conduct regular security audits to ensure compliance with data security standards. These are conventionally done in large organizations (in this study, 91% of the businesses with over 5,000 employees do regular security audits) though they are less frequent in smaller businesses (about half of companies with fewer than 1,000 employees have regular security audits).
On the other hand, data privacy audits are far less common. Just 54% of companies overall do data privacy audits regularly (compared to two thirds who do security audits), most commonly in the largest organizations (among the large enterprises, four in five regularly do data privacy audits… which means about 20% aren’t policing their practices). In contrast, only 28% of businesses with under 100 employees do these kind of audits.
Auditing business practices (in any context) measures how well an organization complies with the way things are supposed to be done.
Obviously, breaches happen even in very large companies with security teams, audits, and privacy controls. More needs to be done before IT has the controls in place to properly protect sensitive data.
So what’s the bottom line? Data privacy is becoming ever more important to businesses of all sizes. While a data breach at a big company may get the headlines, smaller organizations are also at risk; after all, they’re dealing with the same personal data and the same government and industry regulations.
The research suggests that data privacy is being treated as an afterthought to security, an alarming fact considering the rate of cloud adoption and volume of sensitive personal data. Increased attention to the risks and greater investment in employee awareness, audits and technology safeguards can help to address the challenge. That especially important for companies that deal with sensitive data, are moving it to the cloud, and express concern about it. And that’s pretty much everyone.

 For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy.

Saturday, April 11, 2015

Exposing E-mail Tracking by a extension for gmail


Nice idea, but I would like it to work for other browsers and other e-mail programs.

Security Audit Of TrueCrypt

The security audit of the TrueCrypt code has been completed (see here for the first phase of the audit), and the results are good. Some issues were found, but nothing major.
From Matthew Green, who is leading the project:
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
Nothing that would make me not use the program, though.

Like a smart phone smart lock for door controlled by bluetooth

Neat, but I'll bet it can be hacked.

Opsec Phone


Here's an article on making secret phone calls with cell phones.
His step-by-step instructions for making a clandestine phone call are as follows:
  1. Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren't changing locations);
  2. Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone ("burner phone");
  3. After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
  4. Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
  5. Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.­ -- or another pre-arranged "dormant" time­ -- on the following day;
  6. Wipe down and destroy handset.
Note that it actually makes sense to use a one-time pad in this instance. The message is a ten-digit number, and a one-time pad is easier, faster, and cleaner than using any computer encryption program.

Expose Voting Vulnerabilities

Researchers found voting-system flaws in New South Wales, and were attacked by voting officials and the company that made the machines.