By now we're all well aware of what makes a bad password … it's us.
A glance at SplashData's annual reporting on the world's worst passwords shows just how laughably bad at creating passwords we humans really are. But what's worse, as Steve Ragan's analysis of leaked passwords shows, is that many passwords on the naughty list adhere to the carefully crafted password policies in use in companies today.
How can security leaders do better? For one thing, we can stop blaming users, says Michael Santarcangelo. Instead, we can focus on providing them with technology that makes the job easier.
That's where this guide comes in. more
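The point above is easy to demonstrate. The following is an added example, not code from the guide or from SplashData; the password list and the two policies are constructed for illustration. It shows a typical "8 characters, 3 of 4 character classes" complexity rule happily accepting "P@ssw0rd" and "Welcome1!", while a length-plus-denylist check that strips the trailing digit and undoes leet substitutions catches them, and passes a long passphrase that the complexity rule rejects.

```python
import re

# Constructed sample of the kind of base words that appear on "worst passwords"
# lists (illustrative; not SplashData's actual list). Stored lowercase.
COMMON = {"123456", "password", "qwerty", "football", "welcome",
          "summer", "letmein", "monkey"}

# Common leet substitutions users apply to sneak a dictionary word past a policy.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "4": "a"})


def complexity_policy(pw):
    """Typical corporate rule: at least 8 characters and 3 of 4 character classes.
    It only inspects character classes, so 'P@ssw0rd' satisfies it."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def normalize(pw):
    """Strip the trailing digits/punctuation users append to satisfy a policy,
    then undo leet substitutions: 'P@ssw0rd1!' -> 'password'."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.translate(_LEET).lower()


def denylist_policy(pw, min_len=8):
    """Length plus a check against known-bad passwords (raw and normalized).
    Returns 'ok' or the reason for rejection so the user can be told why."""
    if len(pw) < min_len:
        return "too short"
    if pw.lower() in COMMON or normalize(pw) in COMMON:
        return "common password"
    return "ok"


def compare(candidates):
    """Run both policies over the same inputs.
    Returns {password: (complexity_accepts, denylist_verdict)}."""
    return {pw: (complexity_policy(pw), denylist_policy(pw)) for pw in candidates}


if __name__ == "__main__":
    samples = ["P@ssw0rd", "Welcome1!", "Summer2016", "123456",
               "correct horse battery staple"]
    for pw, (cx, dl) in compare(samples).items():
        print(f"{pw!r:32} complexity={'pass' if cx else 'fail':4} denylist={dl}")
```

A real deployment would back `COMMON` with a full breached-password corpus (hundreds of millions of entries, queried by hash prefix) rather than a handful of words, but the shape of the check is the same: length and "is this already known to attackers" beat character-class arithmetic.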
Tuesday, May 10, 2016
US Government Study of Spyware - Possible Precursor to New Laws
Why GAO Did This Study
Smartphone tracking apps exist that allow a person to not only surreptitiously track another person’s smartphone location information, but also surreptitiously intercept the smartphone’s communications—such as texts, e-mails, and phone calls. This type of monitoring—without a person’s knowledge or consent—can present serious safety and privacy risks...
The federal government has undertaken educational, enforcement, and legislative efforts to protect individuals from the use of surreptitious tracking apps, but stakeholders differed over whether current federal laws need to be strengthened to combat stalking. Educational efforts by the Department of Justice (DOJ) have included funding for the Stalking Resource Center, which trains law enforcement officers, victim service professionals, policymakers, and researchers on the use of technology in stalking. With regard to enforcement, DOJ has prosecuted a manufacturer and an individual under the federal wiretap statute for the manufacture or use of a surreptitious tracking app.
Some stakeholders believed the federal wiretap statute should be amended to explicitly include the interception of location data and DOJ has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering. Stakeholders differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action. Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps. However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections. more full study
Wednesday, April 27, 2016
CBRE Made the Forbes Best Employers List - Partly with Good Infosec
via Forbes, April 19, 2016...
Cone of Silence chairs + a Clear Desk Policy = Security, and a competitive advantage in the eyes of their customers. Smart.
CBRE Group, Inc. is an American commercial real estate company with headquarters in Los Angeles, California. As of its successful 2011 bid to acquire part of ING, CBRE was the world's largest real estate investment manager. Wikipedia
Monday, April 25, 2016
Please tell us that You Didn't Sign a "Monitoring Consent Form"
via mobipicker.com...
"We will look at an app called xnspy that is used for spying on Android phones. Since a lot of businesses are starting to focus on employee productivity during office hours, more and more companies have implemented signing of monitoring consent forms as a part of their hiring process. They then give their employees company-owned smartphones/tablets with a pre-installed monitoring app.
When it comes to tracking and monitoring for use by businesses and for spying on Android phones, we found xnspy to be the torch bearer. It has all the fundamental features that such an app should have; it has a small footprint, it's discreet, and it does not use up resources. All these factors count a lot when it comes to monitoring and tracking; it would be a nightmare for the device user if the app slowed down the device and drained the battery.
Xnspy works in the background providing the app user with data such as call records and recordings, text messages from SMS, IM chats and emails, a complete list of contacts stored on the device along with a list of all installed apps. Besides these functions the app provides the browsing history and bookmarks of the device user; it also gives the location history of where the device has been.
All of this is made accessible through a web-based dashboard that can be virtually accessed from anywhere in the world. The app user can use a single dashboard to control multiple devices. Xnspy offers two packages, a Basic Edition and a Premium Edition." more
Edward Snowden Will Sue Norway
Edward Snowden will sue Norway in an attempt to secure free travel to the country, a Norwegian law firm representing him told Reuters Thursday.
The ex-contractor at the U.S. National Security Agency (NSA) has been invited to Norway to receive an award for his work defending free speech, but his attorneys said he is worried that traveling there would allow the Norwegian government to extradite him to the U.S., where he is wanted on charges of espionage.
The Norwegian branch of the global organization of writers PEN International, which hopes to give Snowden the free speech award, said in a statement that “we will do our utmost to ensure that Snowden may receive the prize in person.” more
Finally, an American Spy is Honored – Show Us the Money
It took nearly a century to get a woman on the front of the $20 bill, but only about a year for a small New Jersey company to contribute a vital two cents to the effort.
Since April 2015, Montclair-based Mosaic Strategies Group has helped manage a website for Women on 20s to make the country's currency co-ed — one that finally paid off big last week when the U.S. Treasury announced Harriet Tubman would replace Andrew Jackson on the $20 bill.
Gov. Chris Christie...
"As long as the $20 bill still works when I hand it to somebody, I quite frankly don't really care who's on it," Christie said Friday. more
True to its nature, Comedy Central’s Drunk History, shed some light on a lesser-known chapter of Tubman’s life in a September 2015 episode entitled “Spies.”
In one segment, ... a slightly inebriated Crissle West relates Tubman’s less-heralded exploits. “Harriet Tubman does not get her just due,” West explains. “You hear her name and think she led the slaves to freedom. But you most certainly do not know that she was a spy for the Union.” more
Did Edison Also Invent Corporate Spying?
He's known for the light bulb, recordings, motion pictures and discoveries too numerous to mention. But did Thomas Edison also condone corporate spying on his enemies? Did he help create corporate espionage?
While he may not have invented it ... information from one of his employees can certainly be interpreted that way.
That employee was Joseph F. McCoy, who was hired at 20 years of age to work for the Edison Company. Not much is known about him except some basic details, but as Sloat-Olsen told the story of his jobs over the years, McCoy emerges as a shadowy figure, but influential in numerous ways...
In electric light dealings, companies like American Electric, U.S. Electric Company and Westinghouse were all on Edison's radar, so Sloat-Olsen says McCoy was sent to work at each of those companies, without their knowing he was an Edison employee, to find out about their plans or if they could be bought out. more
DIY - Tiny FM Spy Bug for Under $20.
from the creator...
"I wanted to know how small an FM spy bug could be built when manually assembled.
This is what I came up with. It measures about 0.05 square inches and is powered by a single 1.55V silver oxide battery.
Frankly, this is just a fun object; I don't have a practical use for it.
I'm sure professionally made spy bugs could be even smaller and work at higher frequencies, which allows the antenna to be made smaller." more
The complete instructions and Gerber files (for PCB manufacturing) for this FM spy bug are available on Gumroad and Payhip:
https://gum.co/GRouL
https://payhip.com/b/YXVd
Thursday, April 21, 2016
Every Government Has These Spy Warnings... but love is blind.
via boingboing...
In this Chinese government comic book, women are warned that mysterious foreign strangers who pitch woo at them are secretly Western spies trying to get at their government secrets.
The reader is warned that they could go to jail for 10 years if they are foolish enough to let these Lotharios trick them into revealing state secrets.
It's a charmingly sexist and xenophobic piece of work, with shades of Jack Chick. More interesting is the parallels to the materials that the US Government has produced for their own employees to warn them about the spies who might use breached data from the Office of Personnel Management to chat them up at conferences and trick them out of America's state secrets. more
You can see the full comic here. ~Kevin
Information Security and Cryptography Seminar - Zurich, Switzerland
Time to make your travel plans...
As a friendly reminder, we are pleased to announce our seminar in Information Security and Cryptography. A full description of the seminar, including a detailed listing of topics covered, is available at www.infsec.ch.
INFORMATION SECURITY AND CRYPTOGRAPHY, FUNDAMENTALS AND APPLICATIONS (June 13-15, 2016)
This seminar provides an in-depth coverage of Information Security and Cryptography. Concepts are explained in a way understandable to a wide audience, as well as mathematical, algorithmic, protocol-specific, and system-oriented aspects.
The topics covered include cryptography and its foundations, system and network security, PKIs and key management, authentication and access control, privacy and data protection, and advanced topics in cryptography.
The seminar takes place in Zurich, Switzerland. The lectures and all course material are in English.
With kind regards,
Ueli Maurer and David Basin
Advanced Technology Group
FutureWatch: Your Brain Will Replace Your Fingerprints for ID
Psychologists and engineers at Binghamton University in New York have hit a milestone in the quest to use the unassailable inner workings of your brain as a form of biometric identification. They came up with an electroencephalograph system that proved 100 percent accurate at identifying individuals by the way their brains responded to a series of images.
“It's a big deal going from 97 to 100 percent because we imagine the applications for this technology being for high-security situations,” says Sarah Lazlo, assistant professor of psychology at Binghamton who led the research with electrical engineering professor Zhanpeng Jin.
Perhaps only one other such experiment in the long quest for this ultimate biometric has hit the 100 percent mark, and the Binghamton system has some advantages over even that one. For one it proved itself with less complex equipment and in a larger group, identifying 50 people. But perhaps more importantly this new form of ID can do something fingerprints and retinal scans can’t: It can be “cancelled.” That’s important because hackers have shown that fingerprints can be stolen and faked. more
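What "cancelled" means in practice is worth spelling out. The following is an added example, not the Binghamton system's code or anything from the article: it uses a BioHash-style cancelable template (a secret random projection followed by sign binarization), which is an assumption chosen for illustration, not the researchers' method. The feature vectors standing in for per-person brain responses are constructed. A stored template is useless without its enrollment key, and revoking the key and re-enrolling leaves a stolen template unable to verify, which is the property a fingerprint can never have.

```python
import random

DIM = 32      # constructed feature-vector length (stand-in for EEG response features)
BITS = 256    # length of the protected template


def feature_vector(seed, dim=DIM):
    """Constructed stand-in for one person's stable response features."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]


def noisy_probe(features, seed, sigma=0.02):
    """Simulate a fresh capture from the same person: small measurement noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def make_key(seed, dim=DIM, bits=BITS):
    """Enrollment key: a secret random projection matrix. Revoking an enrollment
    means discarding this key and issuing a new one."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def protect(features, key):
    """Cancelable template: project with the secret key and keep only the sign
    of each projection, so the raw features cannot be recovered from it."""
    out = []
    for row in key:
        dot = sum(r * f for r, f in zip(row, features))
        out.append("1" if dot >= 0 else "0")
    return "".join(out)


def hamming(a, b):
    """Fraction of differing bits between two templates of equal length."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(probe_features, key, stored_template, threshold=0.2):
    """Accept when the probe, protected under the same key, is close to the
    stored template. Unrelated templates differ in about half their bits."""
    return hamming(protect(probe_features, key), stored_template) <= threshold


def scenario():
    """Enroll Alice, verify a noisy probe, then revoke after a template leak.
    Returns (genuine_ok, impostor_ok, stolen_template_after_revocation_ok)."""
    alice = feature_vector(1)
    bob = feature_vector(2)
    key_v1 = make_key(100)
    template_v1 = protect(alice, key_v1)

    genuine = verify(noisy_probe(alice, 7), key_v1, template_v1)
    impostor = verify(noisy_probe(bob, 8), key_v1, template_v1)

    # template_v1 leaks: cancel it by issuing a new key and re-enrolling Alice.
    key_v2 = make_key(200)
    template_v2 = protect(alice, key_v2)
    stolen_replay = verify(noisy_probe(alice, 9), key_v2, template_v1)
    genuine_v2 = verify(noisy_probe(alice, 9), key_v2, template_v2)
    return genuine, impostor, stolen_replay, genuine_v2


if __name__ == "__main__":
    print("genuine, impostor, stolen-after-revoke, genuine-after-revoke:", scenario())
```

The key must be kept apart from the template (in the authenticator's protected storage, or derived from a user secret); if both leak together the transform buys nothing, which is the caveat that usually goes unstated when "cancelable biometrics" are pitched.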
Tuesday, April 19, 2016
"I've got your number," The Telephone Wiretap Hack
A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.
The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real time as the California congressman traveled to various points in the southern part of the state. At one point, 60 Minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.
The representative said he had two reactions: "First it's really creepy," he said. "And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank." more
Why Blackberry is No Apple
BlackBerry appeared Monday, April 18, to acknowledge it helped Canadian federal police crack a Montreal crime syndicate that had been using its messaging system, while insisting its smartphone security remains impenetrable.
In a blog post, BlackBerry chief executive John Chen reiterated the company's long-held stance "that tech companies as good corporate citizens should comply with reasonable lawful access requests." more
Chinese Spy Sentenced to Death... by China
A Chinese man has been sentenced to death for leaking more than 150,000 classified documents to an unidentified foreign power, state television said on Tuesday, offering unusual details of a kind of case rarely mentioned in public.
The man, a computer technician from Sichuan named as Huang Yu, worked for a government department which handled state secrets, but he was a bad employee and was sacked, the report said. more
Monday, April 18, 2016
Spycam Lawsuit: Employee Known Video Voyeur - Store Manager Did Nothing
A Colorado Springs woman is suing Reebok International, a Reebok Outlet Store, and a teenage store employee over a Peeping Tom incident... Christina Selvig said she caught a glimpse of Austin Kyle Baker looking over the top of the wall into her changing room...
She immediately informed the store manager who did nothing more than take her name and number and promised to get back with her the next day, which didn’t happen.
Selvig wasn’t sitting around waiting for action on the store’s part, she had already informed the police, who also didn’t take her complaint that seriously initially, chalking the incident up to an accident.
...three days later, Baker confessed to spying on Christina, in addition to several more women. An investigation revealed that at least one other employee was aware that Baker was a video voyeur, and continued to allow the behavior.
Law enforcement told her that he had turned over his phone... Forensics came back with footage of her, as well as deleted videos of other women. more
Here comes another deep-pockets settlement. If your company offers employees, visitors and/or customers "expectation of privacy" areas, you had better begin doing your due diligence. Start here.