itwbennett writes: Calling regulations a 'knee-jerk reaction' and potential 'innovation killer,' Representative Greg Walden, an Oregon Republican, showed the resistance Bruce Schneier faced when he testified before Congress about internet of things security today. And, completely missing the point about what is at risk, Walden added, 'I don't think I want my refrigerator talking to some food police.'
itwbennett writes: In a blog post published four days after the election, Facebook founder and CEO Mark Zuckerberg defended the social network as a neutral party that doesn't bear the same responsibilities as a media outlet and said that Facebook should be 'extremely cautious about becoming arbiters of truth ourselves.' But the company is walking a fine line, says CIO.com's Matt Kapko:
Politics aside, the contradictions Zuckerberg made about the social network's influence and its potential impact on users could become a glaring problem. If the content, including any misinformation, that Facebook distributes to more than 1.79 billion people every month can't influence the outcome of an election, just how effective are the $6.8 billion in ads it sold during the third quarter of 2016?
itwbennett writes: Over the course of a few weeks, Amihai Neiderman, the head of research at Israeli cybersecurity firm Equus Technologies, made a project of finding a way to compromise a wireless hotspot that he noticed on his way home from work one day. Neiderman presented his findings and reverse-engineering efforts Thursday at the DefCamp security conference in Bucharest, Romania. You can read about it here. The bottom line: a buffer overflow in a single router model could have endangered thousands of Wi-Fi users.
itwbennett writes: Using fake cell towers to track and identify mobile phone users has been rendered passé by research by Piers O'Hanlon and Ravishankar Borgaonkar from the University of Oxford's Department of Computer Science. The pair found that, for the purpose of tracking only, Wi-Fi networks can also be used to trick mobile devices into exposing their IMSI numbers. That's thanks to protocol and configuration weaknesses in mobile data offloading technologies such as automatic Wi-Fi connections and Wi-Fi calling that mobile operators are increasingly adopting to reduce costs and congestion on their cellular networks.
itwbennett writes: In November 2015, two weeks before he retired, an employee at the Office of the Comptroller of the Currency, which is a part of the Department of the Treasury, downloaded a large amount of data to two thumb drives, which he is now unable to locate. The agency reported the case to Congress on Friday, saying the loss represented 'a major information security incident' and described the data as 'controlled unclassified information, including privacy information.' The FDIC has had similar problems with bank records walking out the door on removable media. In those cases, the agency considered the data breaches to be 'inadvertent' copying of personal banking information that happened when departing employees were copying personal information to removable media, according to Lawrence Gross Jr., the FDIC's CIO.
itwbennett writes: The maintainers of Linux distributions are rushing to patch a privilege escalation vulnerability, tracked as CVE-2016-5195, that has existed in the Linux kernel for the past nine years and is already being exploited in the wild. The Red Hat security team describes the flaw as a 'race' condition, 'in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.' This allows an attacker who gains access to a limited user account to obtain root privileges and therefore take complete control over the system. The vulnerability was fixed last week by the Linux kernel developers and patches for Linux distributions, including Red Hat, Debian, Ubuntu, Gentoo and Suse, have been released or are in the process of being released.
itwbennett writes: Photographs of nearly half of all U.S. adults — 117 million people — are collected in police facial recognition databases across the country with little regulation over how the networks are searched and used, according to a new study from the Center on Privacy & Technology at Georgetown Law. About 20 states, including Texas, Florida, Illinois, Ohio, and Pennsylvania, allow police to search driver's license photo databases. Police in a handful of other states and cities, including San Francisco, Los Angeles, San Diego, and Chicago, can search criminal mug shots, the report said. Police agencies don't need a search warrant to search facial recognition databases, the report said. 'We are not aware of any agency that requires warrants for searches or limits them to serious crimes,' the authors wrote. 'This has consequences.'
itwbennett writes: If you needed more proof about the dangers of default passwords, take a minute to browse through this list of passwords that allowed the Mirai botnet to take control of nearly 400,000 IoT devices. (Mirai was one of two botnets behind the largest DDoS attack on record.) The passwords come from the botnet's source code, which was released by the author last week.
itwbennett writes: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into 'Group E,' a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only 'millions' of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks, called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: 'If I want to cover my rear end and make it seem like I have plausible deniability, I would say "nation-state actor" in a heartbeat.'
itwbennett writes: You know that bit in every episode of Inspector Gadget when the Inspector takes credit for Penny's problem-solving suggestions? It's meant for laughs, but the insidious effect is not escaping the notice of young children, says CIO.com's Sharon Florentine, whose son called out the mansplaining, suggesting that the Inspector needs to put on his 'listening ears'. Silencing women in the workplace is so deeply ingrained that the women of the Obama administration developed an elaborate strategy to make sure they got credit for their ideas, wrote Juliet Eilperin in the Washington Post. That strategy worked, but they had to do it purposefully every day in every meeting. Sounds exhausting. Maybe the better approach is to root out the boorish behavior before it takes hold — and that means starting with children's entertainment.
itwbennett writes: 'Yahoo has blamed its massive data breach on a "state-sponsored actor." But the company isn't saying why it arrived at that conclusion. Nor has it provided any evidence,' writes Michael Kan. This despite claiming in a December 2015 blog post that the company has protocols in place that can detect state-sponsored hacking and a policy of warning users 'when we have a high degree of confidence.' It's this reluctance to share details that has security experts suspecting it's a convenient, if trumped up, excuse. 'If I want to cover my rear end and make it seem like I have plausible deniability, I would say "nation-state actor" in a heartbeat,' said Chase Cunningham, director of cyber operations at security provider A10 Networks.