How Big a Hurdle Is Encryption Really?
December 12, 2016
At first blush, the recent Wiretap Report 2015 from United States Courts would seem to contradict law enforcement’s constant refrain that encryption is making their jobs difficult. Motherboard declares, “Feds and Cops Encountered Encryption in Only 13 Wiretaps in 2015.” This small number is down from 2014. Isn’t this evidence that law enforcement agencies are exaggerating their troubles? The picture is not quite so simple. Reporter Lorenzo Franceschi-Bicchierai writes:
Both FBI director James Comey, as well as Deputy Attorney General Sally Yates, argued last year that the Wiretap Report is not a good indicator. Yates said that the Wiretap Report only reflects number of interception requests ‘that are sought’ and not those where an investigator doesn’t even bother asking for a wiretap ‘because the provider has asserted that an intercept solution does not exist.
Obtaining a wiretap order in criminal investigations is extremely resource-intensive as it requires a huge investment in agent and attorney time,’ Yates wrote, answering questions from the chairman of the Senate’s Judiciary Committee, Sen. Chuck Grassley (R-IA). ‘It is not prudent for agents and prosecutors to devote resources to this task if they know in advance that the targeted communications cannot be intercepted.
That’s why Comey promised the agency is working on improving data collection ‘to better explain’ the problem with encryption when data is in motion. It’s unclear then these new, improved numbers will come out.
Of course, to what degree encryption actually hampers law enforcement is only one piece of a complex issue—whether we should mandate that law enforcement be granted “back doors” to every device they’d like to examine. There are the crucial civil rights concerns, and the very real possibility that where law enforcement can get in, so too can hackers. It is a factor, though, that we must examine objectively. Perhaps when we get that “better” data from the FBI, the picture will be more clear.
Cynthia Murrell, December 12, 2016
Interview with an Ethical Hacker
July 20, 2016
We’ve checked out a write-up on one of the white-hats working for IBM at Business Insider— “Here’s What It’s Really Like to Be a Hacker at One of the World’s Biggest Tech Companies.” We wonder, does this wizard use Watson? The article profiles Charles Henderson. After summarizing the “ethical hacker’s” background, the article describes some of his process:
“The first thing I do every morning is catch up on what happened when I was sleeping. The cool thing is, since I run a global team, when I’m sleeping there are teams conducting research and working engagements with customers. So in the morning I start by asking, ‘Did we find any critical flaws?’ ‘Do I need to tell a client we found a vulnerability and begin working to fix it?’ From there, I am working with my team to plan penetration tests and make sure we have the resources we need to address the issues we have found. There isn’t an hour that goes by that I don’t find a cool, new way of doing something, which means my days are both unpredictable and exciting.
“I also do a lot of research myself. I like to look at consumer electronic devices, anything from planes to trains to automobiles to mobile devices. I try to find ways to break into or break apart these devices, to find new flaws and vulnerabilities.”
Henderson also mentions meeting with clients around the world to consult on security issues, and lists some projects his team has tackled. For example, a “physical penetration test” which involved stealing a corporate vehicle, and sending “tiger teams” to burgle client buildings. His favorite moments, though, are those when he is able to fix a vulnerability before it is exploited. Henderson closes with this bit of advice for aspiring hackers: “Always be curious. Never take anything at face value.”
Cynthia Murrell, July 20, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
There is a Louisville, Kentucky Hidden Web/Dark
Web meet up on July 26, 2016.
Information is at this link: http://bit.ly/29tVKpx.
IBM Continued to Brag About Watson, with Decreasing Transparency
February 29, 2016
A totally objective article sponsored by IBM on Your Story is titled How Cognitive Systems Like IBM Watson Are Changing the Way We Solve Problems. The article basically functions to promote all of the cognitive computing capabilities that most of us are already keenly aware that Watson possesses, and to raise awareness for the Hackathon event taking place in Bengaluru, India. The “article” endorses the event,
“Participants will have an unprecedented opportunity to collaborate, co-create and exchange ideas with one another and the world’s most forward-thinking cognitive experts. This half-day event will focus on sharing real-world applications of cognitive technologies, and allow attendees access to the next wave of innovations and applications through an interactive experience. The program will also include panel discussions and fireside chats between senior IBM executives and businesses that are already working with Watson.”
Since 2015, the “Watson for Oncology” program has involved Manipal Hospitals in Bengaluru, India. The program is the result of a partnership between IBM and Memorial Sloan Kettering Cancer Center in New York. Watson has now consumed almost 15 million pages of medical content from textbooks and journals in the hopes of providing rapid-fire support to hospital staffers when it comes to patient records and diagnosis. Perhaps if IBM put all of their efforts into Watson’s projects instead of creating inane web content to promote him as some sort of missionary, he could have already cured cancer. Or not.
Chelsea Kerwin, February 29, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Hackers Opt for Netflix and Uber over Credit Card Theft on Dark Web
January 25, 2016
It is no surprise that credit cards and other account information is sold on the Dark Web but which accounts are most valuable might surprise. Baiting us to click, the article It turns out THIS is more valuable to hackers than your stolen credit card details on the United Kingdom’s Express offers the scoop on the going rate of various logins cybercriminals are currently chasing. Hacked Uber, Paypal and Netflix logins are the most valuable. The article explains,
“Uber rolled-out multi-factor authentication in some markets last year which decreased the value of stolen account details on the Dark Web, the International Business Times reported. According to the Trend Micro study, the price for credit cards is so comparatively low because banks have advanced techniques to detect fraudulent activity.”
The sales of these accounts are under $10 each, and according to the article, they seem to actually be used by the thief. Products and experiences, as consumable commodities, are easier to steal than cash when organizations fail to properly protect against fraudulent activity. The takeaway seems to be obvious.
Megan Feil, January 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
New and Improved Hacker Methods in China
December 30, 2015
We learn from an article at Yahoo News that, “On China’s Fringes, Cyber Spies Raise Their Game.” Reporters Clare Baldwin, James Pomfret, and Jeremy Wagstaff report that hackers backed by China are using some unique methods, according to Western security experts. Search is but a tiny part of this approach but, perhaps not surprisingly, cloud storage is a factor. The article relates:
“Hackers have expanded their attacks to parking malware on popular file-sharing services including Dropbox and Google Drive to trap victims into downloading infected files and compromising sensitive information. They also use more sophisticated tactics, honing in on specific targets through so-called ‘white lists’ that only infect certain visitors to compromised websites. Security experts say such techniques are only used by sophisticated hackers from China and Russia, usually for surveillance and information extraction. The level of hacking is a sign, they say, of how important China views Hong Kong, where 79 days of protests late last year brought parts of the territory, a major regional financial hub, to a standstill. The scale of the protests raised concerns in Beijing about political unrest on China’s periphery. ‘We’re the most co-ordinated opposition group on Chinese soil, (and) have a reasonable assumption that Beijing is behind the hacking,’ said Lam Cheuk-ting, chief executive of Hong Kong’s Democratic Party, which says it has been a victim of cyber attacks on its website and some members’ email accounts.”
Officially, China’s Defense Ministry denies any connection to the attacks, but that is nothing new. The adaptation of new hacking techniques is part of a continuing cycle; as journalists, scholars, and activists improve their security, hackers adapt. See the article for specifics on some attacks attributed to China-backed hackers, as well as some ways activists are trying to stay ahead.
Cynthia Murrell, December 30, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Cyber Threat Intelligence Across the Enterprise
December 28, 2015
A blog series from iSightPartners aims to help organizations make the most of Cyber Threat Intelligence. The series is introduced in, “How CTI Helps Six Groups Do Their Jobs Better: A New Blog Series!” Writer Christina Jasinski explains:
“The importance of Cyber Threat Intelligence (CTI) has become more widely recognized in the past year. But not many people realize how many different ways threat intelligence can be utilized across an enterprise. That’s why now is a good time to drill down and describe the wide range of use cases for employing threat intelligence for many different functions within an IT organization.
“Are you a CISO, SOC Analyst or an Incident Responder? Stay tuned….
“This is the first post in an iSIGHT Partners blog series that will delve into how IT security professionals in each of six distinct roles within an organization’s information security program can (and should) apply threat intelligence to their function. Each post will include 3-4 use cases, how CTI can be used by professionals in that role, and the type of threat intelligence that is required to achieve their objectives.”
Jasinski goes on to describe what her series has to offer professionals in each of those roles, and concludes by promising to reveal practical solutions to CTI quandaries. Follow her blog posts to learn those answers.
Cynthia Murrell, December 28, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
The Ins and Outs of Hacking Software
December 23, 2015
Hacking software is and could be a potential problem. While some government agencies, hacktivist organizations, and software companies are trying to use it for good, terrorist groups, digital thieves, and even law enforcement agencies can use it to spy and steal data from individuals. The Technology Review shares some interesting stories about how software is being used for benign and harmful purposes in “The Growth Industry Helping Governments Hack Terrorists, Criminals, And Political Opponents.”
The company Hacking Team is discussed at length and its Remote Control System software, which can worm its way through security holes in a device and steal valuable information. Governments from around the globe have used the software for crime deterrence and to keep tabs on enemies, but other entities used the software for harmful acts including spying and hacking into political opponents computers.
Within the United States, it is illegal to use a Remote Control System without proper authority, but often this happens:
“When police get access to new surveillance technologies, they are often quickly deployed before any sort of oversight is in place to regulate their use. In the United States, the abuse of Stingrays—devices that sweep up information from cell phones in given area—has become common. For example, the sheriff of San Bernardino County, near Los Angeles, deployed them over 300 times without a warrant in the space of less than two years. That problem is only being addressed now, years after it emerged, with the FBI now requiring a warrant to use Stingrays, and efforts underway to force local law enforcement to do the same. It’s easy to imagine a similar pattern of abuse with hacking tools, which are far more powerful and invasive than other surveillance technologies that police currently use.”
It is scary how the software is being used and how governments are skirting around its own laws to use it. It reminds me of how gun control is always controversial topic. Whenever there is a mass shooting, debates rage about how the shooting would never had happened if there was stricter gun control to keep weapons out of the hands of psychopaths. While the shooter was blamed for the incident, people also place a lot of blame on the gun, as if it was more responsible. As spying, control, and other software becomes more powerful and ingrained in our lives, I imagine there will be debates about “software control” and determining who has the right to use certain programs.
Whitney Grace, December 23, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
New Years Resolutions in Personal Data Security
December 22, 2015
The article on ITProPortal titled What Did We Learn in Records Management in 2016 and What Lies Ahead for 2016? delves into the unlearnt lessons in data security. The article begins with a look back over major data breaches, including Ashley Madison, JP Morgan et al, and Vtech and gathers from them the trend of personal information being targeted by hackers. The article reports,
“A Crown Records Management Survey earlier in 2015 revealed two-thirds of people interviewed – all of them IT decision makers at UK companies with more than 200 employees – admitted losing important data… human error is continuing to put that information at risk as businesses fail to protect it properly…but there is legislation on the horizon that could prompt change – and a greater public awareness of data protection issues could also drive the agenda.”
The article also makes a few predictions about the upcoming developments in our approach to data protection. Among them includes the passage of the European Union General Data Protection Regulation (EU GDPR) and the resulting affect on businesses. In terms of apps, the article suggests that more people might start asking questions about the information required to use certain apps (especially when the data they request is completely irrelevant to the functions of the app.) Generally optimistic, these developments will only occur of people and businesses and governments take data breaches and privacy more seriously.
Chelsea Kerwin, December 22, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Internet Sovereignty, Apathy, and the Cloud
December 21, 2015
The OS News post titled Dark Clouds Over the Internet presents an argument that boils down to a choice between international accord and data sharing agreement, or the risk of the Internet being broken up into national networks. Some very worked up commenters engaged in an interesting discussion that spanned government overreaching, democracy, data security, privacy, and for some reason, climate change. One person summarized their opinion thusly:
“Best policy: don’t store data with someone else. There is no cloud. It’s just someone else’s computer.”
In response, a user named Alfman replied that companies are to blame for the current lack of data security, or more precisely, people are generally to blame for allowing this state of affairs to exist,
The privacy issues we’re now seeing are a direct consequence of corporate business models pushing our data into their central silos. None of this is surprising except perhaps how willing users have been to forgo their own privacy. Collectively, it seems that we are very willing to give up our rights for very little in exchange… makes it difficult to achieve critical mass around technologies promoting data independence.”
It is hard to argue with the apathy factor, with data breaches occurring regularly and so little being done by individuals to protect themselves. Good thing these commenters have figured it all out. Next up, solving climate change.
Chelsea Kerwin, December 21, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Its Hacker Season
August 21, 2015
One of the quintessential cartoon feuds exists between Bugs Bunny and Daffy Duck as they argue whether or not it is duck or rabbit hunting season. Whoever wins gets the lovely prize of having their face blown off, thankfully cartoon violence does not obey the rules of life and death. The ensuing argument ends with hilarious consequences, but everyday another type of big game is always in season: your personal information. Hackers are constantly searching for ways to break into vulnerable systems and steal valuable information.
One a personal level it is frightening to be hacked, but corporations stand risk millions of dollars, customer information, trade secrets, and their reputations if their systems get hacked. There are many companies that specialize in software to prevent potential hackings, but Cybereason offers unique selling points in the article, “Introducing Cybereason: Real-Time Automated Cyber Hunting.”
“This is why Cybereason exists, to bring the fight against hackers off of the frontlines and into the depths of your environment, where they lurk after gaining unnoticed access. Security needs to be about having an ever-watchful eye over your endpoints, servers, and network, and the Cybereason platform will allow you to perform real-time, automated hunting across your entire environment.”
On their Web site they posted a product video that feeds on the US’s culture of fear and they present an Armageddon like situation complete with a female voice over artist with a British accent, a Guy Fawkes mask, and Matrix-like graphics. My favorite bit is when Cybereason is made to resemble a secret intelligence agency of superheroes.
Despite the clichéd video, it does give a thorough visualization of what Cybereason’s software and services can do. The fear factor might be a selling point for some clients, but I’d rather hear hard facts and direct solutions. It takes out the dramatic elements and actually tells me what the product can do for me. You have to love Cybereason’s ending phrase, “Let the hunt begin.” It makes me want to respond with, “May the odds ever be in your favor.”
Whitney Grace, August 21, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
-
- Subscribe to Beyond Search
Feature archive
News archive
-
