Posted by Kevin on October 10, 2014.
The ITsecurity daily security briefing: Friday, October 10, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Selfies to replace passwords?
The White House Cybersecurity Coordinator Michael Daniel spoke at an event hosted by the Christian Science Monitor and The Center for National Policy. Two notable comments:
“‘Frankly, I would really love to kill the password dead as a primary security method — because it’s terrible. But when we think about replacing it, it has to be replaced with something that’s actually easy for people to use.’ Biometric technology, such as fingerprint scanners, could play a role — and even cameras on cell phones could be used to take an identity-verifying selfie, Daniel said.
“Encryption itself is a best practice, Daniel said, but the issue for the government is: ‘We don’t want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances.’”
Christian Science Monitor:
Dutch court confirms there is no ‘right to be forgotten’
Last month the Dutch Court of Amsterdam rejected an appeal that sought to force Google to fully remove links to an individual’s earlier criminal convictions. Google had only partially complied with a direct request.
“The [Google Spain] judgment does not intend to protect individuals against all negative communications on the Internet, but only against ‘being pursued’ for a long time by ‘irrelevant’, ‘excessive’ or ‘unnecessarily defamatory’ expressions.”
“All in all,” write Joran Spauwen and Jens van den Brink of Kennedy Van der Laan Attorneys-at-law, “this ruling is good news, because it provides a more workable interpretation of the Google Spain judgment and the right to be forgotten under Dutch law, justifiably leaving a lot more room for the freedom of speech.”
Dairy Queen Customer Data Compromised by Backoff Malware
“International Dairy Queen, the ice cream chain owned by Warren Buffett’s Berkshire Hathaway Inc. (BRK/A), said customer data were compromised by hackers.
“The breach with the so-called Backoff malware affected 395 of more than 4,500 U.S. locations, the unit of Omaha, Nebraska-based Berkshire said today in a statement. The systems contained customer names, and the numbers and expiration dates of their payment cards. Less than 600,000 cards were affected, said Dean Peters, a spokesman for Dairy Queen.
“The Backoff software has been used to target more than 1,000 businesses, according to the U.S. Secret Service.”
Nadella, women in tech, and karma
“‘It’s not really about asking for a raise, but knowing and having faith that the system will give you the right raise,’ Nadella told a confounded (and predominantly female) audience at the Grace Hopper Celebration of Women in Computing on Thursday…
“Audience murmurs suggested confusion and displeasure with career advice that both goes against everything women are told in the “Lean In” era, and seems woefully out of touch.”
Selfies posted online are being mass-scanned for marketing insights
“Those who publicly post selfies on sites including Instagram, Flickr, Pinterest, Tumblr and Twitter may be sharing more than they realize.
“Mass-scanning of the photos allows marketers to identify brand and product preferences of those depicted. Companies can then use the information to develop more effective advertising campaigns, by linking products that customers like to use at the same time, or even target advertising at specific individuals, the Wall Street Journal (sub. req.) reports…
“‘This is an area that could be ripe for commercial exploitation and predatory marketing,’ Joni Lupovitz of the child advocacy group Common Sense Media told the newspaper.”
Signed Malware = Expensive “Oops” for HP
“Computer and software industry maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products.
“Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.”
New variant of Rovnix
“Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers.
“Rovnix is a malware variant that often has been distributed by other kinds of malware. Last year Microsoft warned users about a campaign that involved the Upatre malware, which typically is delivered through spam messages. Once installed on a new machine, Upatre sometimes will reach out to its C2 server and download Rovnix. That malware then will try to inject itself into the explorer.exe process.
“The newer version of Rovnix, analyzed by researchers at CSIS in Denmark, has some differences from the older variants. Peter Kruse of CSIS said that the Rovnix creators have made changes to help evade detection by various security products.”
All your identities are ours
“In response to Paragraph 11 of the Complaint, Defendants [government and a DEA agent] admit that Plaintiff [Sondra Arquiett] did not give express permission for the creation of the Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigation.”
In other words, if you do your civic duty and cooperate with law enforcement like a good citizen, you are giving permission for law enforcement to steal your identity and impersonate you online without any further reference.
Sondra Arquiett v. US Government and Timothy Sinnigen:
Domain seized using what seems to be a ‘technicality’
“One of the most-used Popcorn Time forks has lost control of its domain name. Time4popcorn.eu was suspended by the EURid registry this afternoon and as a result millions of users can no longer use the application. The developers have already relocated to a new domain and hope to resolve the issue quickly.”
It appears that EURid seized the domain name because the owners’ registration details were wrong: “Upon verification of the contact data for your .eu domain name, we have reason to believe that your contact data is inaccurate.”
“One of the questions that remains is why EURid believes that the contact information is inaccurate. Is this the result of a routine check, or were they tipped off by an entertainment industry group? The latter doesn’t seem unlikely.”
Maybe your privates aren’t as private as you thought
“A D.C. judge dismissed charges Thursday against a Virginia man accused of taking photos up women’s skirts at the Lincoln Memorial, ruling that the women had no ‘reasonable expectation of privacy’…
“‘This Court finds that no individual clothed and positioned in such a manner in a public area in broad daylight in the presence of countless other individuals could have a reasonable expectation of privacy,’ the judge wrote in her ruling to suppress evidence.”
The Washington Times: