"As the situation between the DPRK and the US has become more tense, we've definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK," an official at an aerospace and defense firm told Security Ledger. The so-called "probes" were targeting the company's administrative network and included spear phishing attacks via email and other channels. The goal was to compromise computers on the corporate network... So far, the attacks have targeted "weakest links" within the firms, such as Human Resources personnel and general inquiry mailboxes, rather than targeting technical staff directly. However, experts who follow the DPRK's fast evolving cyber capabilities say that the country may have more up their sleeve.
CNBC also reports that America's congressional defense committees have authorized a last-minute request for $4 billion in extra spending for "urgent missile defeat and defense enhancements to counter the threat of North Korea."
Other countries newly interested in purchasing missile defense systems include Japan, Sweden, Poland, and Saudi Arabia.
Even though it's facing more than 240 class-action lawsuits, Equifax's revenue actually increased 3.8% from July to September, to a whopping $834.8 million, while their net income for that period was $96.3 million -- which is still more than the $87.5 million that the breach cost them, according to a new article shared by chicksdaddy: The disclosure, made as part of the company's quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company's stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders. Around $55.5m of the $87.5m in breach-related costs stems from product costs â" mostly credit monitoring services that it is offering to affected individuals. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said. Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax's internal network as well as legal and other professional expenses.
But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in "contingent liability" in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September. So, while the upper bound of those contingent liability costs is high, there's good reason to believe that they will never be reached.
The Post reports that some business customers "have delayed new contracts until Equifax proves that they've done enough to shore up their cybersecurity."
But in their regulatory filing Thursday, Equifax admitted that "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again."
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."
A law professor at the Georgia Institute of Technology argues there's other sources of information besides a phone, and police officers might recognize this with better training. As just one example, Apple says the FBI could've simply just used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
"We're entering a new era," said Emily Neumann, an immigration lawyer in Houston who has been practicing for 12 years. "There's a lot more questioning, it's very burdensome." She said in past years she's counted on 90 percent of her petitions being approved by Oct. 1 in years past. This year, only 20 percent of the applications have been processed. Neumann predicts she'll still have many unresolved cases by the time next year's lottery happens in April 2018.
Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."
Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.
In the interview, Rosenstein also said he "favors strong encryption." "I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption." "This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here." He later added that the claim that the "absolutist position" that strong encryption should be by definition, unbreakable, is "unreasonable." "And I think it's necessary to weigh law enforcement equities in appropriate cases against the interest in security," he said.
schwit1 adds: "Well, this is a two-edged sword, isn't it? Government spends too much and takes too long to buy its simple office needs, but streamlining that process and cutting costs puts more money in the pocket of Jeff Bezos."
Some cities prefer to build their own broadband network, which delivers internet like a utility to residents, and is maintained through subscription costs. But ever since SB 152 was enacted, Colorado communities have to first bring forward a ballot measure asking voters to exempt the area from the state law before they can even consider starting a municipal broadband service. So that's what many of them have done. In addition to the 31 counties that have voted to overrule the state restrictions, dozens of municipalities in the state have also passed similar ballot measures. Including cities, towns, and counties, more than 100 communities in Colorado have pushed back against the 12-year-old prohibition, according to the Institute for Local Self Reliance.
On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.
"Ordered that any person or entity in active concert or participation with Defendant Sci-Hub and with notice of the injunction, including any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, cease facilitating access to any or all domain names and websites through which Sci-Hub engages in unlawful access to, use, reproduction, and distribution of ACS's trademarks or copyrighted works," the injunction reads.
Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, ha said.
It's the same group responsible for the Panama Papers, and the Guardian reports that in these 13.4 million new files, journalists have discovered:
- "How Twitter and Facebook received hundreds of millions of dollars in investments that can be traced back to Russian state financial institutions."
- "Aggressive tax avoidance by multinational corporations, including Nike and Apple."
- "Extensive offshore dealings by Donald Trump's cabinet members, advisers and donors, including substantial payments from a firm co-owned by Vladimir Putin's son-in-law to the shipping group of the US commerce secretary, Wilbur Ross."
- "The tax-avoiding Cayman Islands trust managed by the Canadian prime minister Justin Trudeau's chief moneyman."
"The publication of this investigation, for which more than 380 journalists have spent a year combing through data that stretches back 70 years, comes at a time of growing global income inequality," reports the Guardian. "Meanwhile, multinational companies are shifting a growing share of profits offshore -- €600 billion in the last year alone -- the leading economist Gabriel Zucman will reveal in a study to be published later this week. "Tax havens are one of the key engines of the rise in global inequality," he said."
One of the security hounds discussing the case on Reddit pointed out that this was not an isolated incident, even for WhatsApp. A search for "WhatsApp" on Google Play currently shows no fewer than seven spoof apps using slight variations on the developer name "WhatsApp Inc.", including versions with extra spaces, asterisks, or commas. All of them have four-star review averages, presumably thanks to industrial-scale subversion of Play's review system.
Ekeland points out that just $5,000 worth of damage could carry a 10-year prison sentence.
Friday the New York Times also reported that the worker responsible wasn't even a Twitter employee, but a hired contractor, adding that "nearly every" major tech company uses contractors for non-technical positions, including Google, Apple, and Facebook.
Last year, U.S. District Judge David Nuffer had ruled against SCO (whose original name was Santa Cruz Operation) in two summary judgment orders, and the court refused to allow SCO to amend its initial complaint against IBM. SCO soon appealed. On Monday, the 10th US Circuit Court of Appeals found that SCO's claims of misappropriation could go forward while also upholding Judge Nuffer's other two orders.
Here's Slashdot's first story about the trial more than 14 years ago, and a nice timeline from 2012 of the next nine years of legal drama.
So, do SaaS, IaaS, and PaaS providers make it their business to go through your data? If you read their privacy policies (as I have), the good news is that most don't seem to. But have you actually read through them to know who, like Google, does have the right to scan and act on your data? Most enterprises do a good legal review for enterprise-level agreements, but much of the use of cloud services is by individuals or departments who don't get such IT or legal review. Enterprises need to be proactive about reading the terms of service for cloud services used in their company, including those set up directly by individuals and departments. It's still your data, after all, and you should know how it is being used and could be used...
The article argues that "Chances are you or your employees have signed similar terms in the many agreements that people accept without reading."
Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused feature from the Tor Browser into Firefox.
What makes this bizzare is that SFLC started SFC, SFLC was SFC's law firm and filed for the very same trademark on their behalf, and both organizations were funded by Linux Foundation at the start.
There are a few other wild things that have happened related to this. Eben Moglen, president of SFLC and for decades the General Counsel of the Free Software Foundation, is no longer associated with FSF. Linux Foundation has on its executive board a company that is being sued in Germany for violating the GPL, with the case presently under appeal, and the lawsuit is funded by SFC. And remember when Linux Foundation removed the community representative from its executive board, when Karen Sandler, executive director of SFC, said she'd run?
If you need a clue, the SFC are the good guys in this. There's a lot to look into.
The report, prepared by a board-appointed special committee, concludes that "none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading." The committee says it reviewed 55,000 documents to reach its conclusions, including emails and text messages, and conducted 62 in-person interviews. "The review was designed to pinpoint the date on which each of the four senior officers first learned of the security investigation that uncovered the breach and to determine whether any of those officers was informed of or otherwise learned of the security investigation before his trades were executed," the report states.
"One might think that my voice would be welcomed at Aaron Swartz Day given all that the late internet/freedom of information activist and I share in common," writes Gottesfeld. "For starters, we were both indicted under the same controversial federal law, the CFAA, by the same Boston U.S. Attorney's Office and indeed under the tenure of the same notorious U.S. Attorney, Carmen Ortiz. Both of us have been persecuted for doing the moral thing; Aaron for trying to make taxpayer-funded research available to the general public and me for stopping the torture of an innocent child."
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.