"As the Internet of Things continues to expand, so too will the sources of potentially material evidence. Xively, a part of LogMeIn, claims to connect 400 million devices, from usual suspects like computers down to individual light switches. The usefulness of that information those devices collect will continue to increase as IoT manufacturers improve their ability to connect device interaction with individuals. Just last Thursday, LogMeIn announced Xively Identity Manager which seeks to link device usage to individuals.
Take a nap? Turn off a light? Turn down the A/C? The Internet of Things knows and it's keeping a record."
This will be interesting to watch. Lawyers are already struggling with eDiscovery from mobile devices and things we've already had for years. As the Internet of Things starts tracking lots of information about us, how will that data play out, and how will we verify that the data is correct? How many people really think about whether the reporting can be hacked, making it appear that our car was in a specific area, when it really wasn't, for example?
Never a dull moment!
This article reminded me of a statistic I saw during a presentation on insider threats last week. In a recent survey, over one third of employees would willingly sell their passwords/access to anyone, some for as little as $150.
See the problem here is that while so many people are starting to wake up to the data security problem that we have, and some are even starting to realize that the people who have access to that data are the most important link to that data when it comes to keeping it secure, I don't know that many are correlating that fact with just how disengaged some of their employees are.
An employee who would sell their access credentials for cash is an employee who doesn't care at all about the organization they work in, and in many cases, why should they? Yes, it's unprofessional, and illegal, and I can give you a host of other reasons why anyone should at least care enough not to do this, but I also understand it. I've worked at jobs I've hated, for organizational "leaders" I had no respect for, for managers who showed no respect for the people doing the actual work, and so on. It's a miserable existence, and after I left, I felt zero sympathy for the company when bad things happened.
Given that sort of working conditions, is it any wonder your employee would sell you out?
"Fingerprints are another type of data entirely. They're used to identify people at crime scenes, but increasingly they're used as an authentication credential. If you have an iPhone, for example, you probably use your fingerprint to unlock your phone. This type of authentication is increasingly common, replacing a password -- something you know -- with a biometric: something you are. The problem with biometrics is that they can't be replaced. So while it's easy to update your password or get a new credit card number, you can't get a new finger.
And now, for the rest of their lives, 5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. And we really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies."
This is bad, and really we have to question the government for storing all that fingerprint data in one central location. This is the main problem for those of you who think you have nothing to hide and the government can collect whatever data they want. When they don't protect it properly, now some bad actor has a copy of personal information and potentially a fingerprint to go along with it. That opens the doors to a lot of things we normally assume are secure. It also opens the door to that data being planted in various places as well. Who wants to have to worry about that?
"For several years, TrueCrypt was the gold standard in PC disk decryption suites. That changed nearly 18 months ago, when the individuals who developed the software abruptly quit. The developers declared that the existing software was “not secure as it may contain unfixed security issues,” provided a final version of the software to decrypt data, and shut the project down. This was all the more puzzling when two extensive security audits found no bugs of significance. As of today, that’s changed."
Welp, there goes that. In the time since TrueCrypt shut down, what have you been using for encryption?
I don't really know why this isn't a job requirement for people with a security clearance already. Shouldn't the ability to understand and use technology appropriately be part of most job performance evaluations? Shouldn't the inability to do that result in not getting a good evaluation?
If so, shouldn't someone granted a security clearance lose that clearance if they perform poorly at actually keeping things secure?
"Financial data has a finite lifespan because it becomes worthless the second the customer detects the fraud and cancels the card or account. Most forums for such data have a high enough surplus of stolen payment cards that they have fire sales.
But information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can't easily be cancelled, and medical and prescription records are permanent. There's also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums."
Some great resources to learn more about cybersecurity and ethical hacking at your own pace. Definitely going to be bookmarking this myself!
I didn't manage to get to sessions where data security was the main topic, but I know it was a large topic of conversation all around the conference. Law firms are being held responsible by clients for keeping data that belongs to those clients secure, but it's a tough thing to do when you don't even know what data you have or where it's been stored. Trying to do that is the first challenge many firms are facing.
Not surprising at all is it? If you want to target sensitive data, a third party who doesn't have the same strong sense of protecting it, and an industry that has a reputation for somewhat lax security measures, would be a pretty tempting place to start.
The exposure to being hacked raises a lot of questions about the so-called Internet of Things. If everything is connected to the Net, then everything is tracking you. That information is valuable in and of itself to hackers looking to embarrass or blackmail people.
But, as bad as that is, what is worse is the ability of hackers to actually take control of those devices, especially when talking about medical devices, or transportation. Given the number of hacks that have already been reported, and the severity of them, I have little faith that anyone can truly protect our information or devices.
Maybe I'm just a pessimist. What do you think?
Can we really be surprised? This is why I've written before that while using mobile technology to replace banks for many people impossible, the security has to get better!
Keep those Android devices safe, people!
This seems scary. If you don't think cyber security concerns you, you should probably be aware of how many things currently, or shortly will be, connected to the internet. Yes, it's cool to be able to control your house from your smartphone, or start your car from inside using it on a cold day, but if the communication is going across the internet insecurely, that means anyone else can too! We're not just talking about a defaced website, or even credit card information, we're talking about things that can kill you.
Frankly, until this is secured as much as possible, the self-driving car is a non-starter. I kind of like the idea of the self-driving car, but not so much if it can be hacked and actually controlled by someone else.
Malwarebytes has been one of my go-to resources for years when helping people clean up infected machines. Interesting to see them dip into a tool for Macs, which obviously can, and do, get malware as well!
Stop what you are doing and grab this patch. This security flaw is already out in the wild, attached to some of the nastiest malware out there. Get the update if you have Flash installed. (And you probably do!)
What's interesting about this is the timing. Obviously with Deflategate there was an inability to get texts from Tom Brady's phone, but having a mobile forensics expert wouldn't have changed that. You need access to the phone. Is the NFL planning on making that part of the CBA, that players have to turn over their phones to provide information to the league in an investigation? Would they actually agree to that? I don't think I would. It's not a matter of having something to hide either, we all have data that just shouldn't be public, or in anyone else's hands, on our devices. Just because I work for a company doesn't give them access to my personal phone. Putting that clause in a player's contract is overreaching, IMHO.
I've always been bothered by the idea of QR codes. I felt that they undermined everything we tried to teach users about online security. Don't open email attachments that you weren't expecting, don't blindly follow links without checking where they go, or just go to the website and login without clicking a link in an email, but then the marketing people got into the QR game and realized they could get people to "play" with their smartphones and scan a code, and that code could take them anywhere the marketer wanted to take them, and suddenly that seemed like something we should encourage? No, no and no. As this story points out, as a user, you have no idea where that QR code is taking you, are you really ok with that?
The facts about how shabby the security procedures at the OPM are appalling. The US government is constantly asking us to trust them to know what's best and protect us, but how can we when facts like these come out? No security staff until 2013 and not using encryption? WTH?