March 30, 2015

Probing the Whole Internet for Weak Spots
The scan showed that more than five million sites were affected, including those operated by the FBI, Apple, and Google. Facebook’s like button, a fixture on many popular sites, was also vulnerable. The results prompted an urgent, careful effort to inform key companies and organizations before the problem was announced publicly. The FREAK flaw allows an attacker to break a secure connection between a Web browser and a vulnerable site, gaining access to encrypted data sent between the two. The attack works by forcing a site to fall back to a weak form of encryption mandated by the U.S. government in the 1990s.


Big data collection makes it hard for you to remain anonymous
The fault for the spread of this “myth,” they say, is not with findings presented by researchers in the primary literature, but with “a tendency on the part of commentators on that literature to overstate the findings.” They contend that de-identification, done correctly, is close to bulletproof, reducing the chance of a person being identified to less than 1%, far less than the risk of simply taking out trash containing documents that might have PII in them. They also argue that unwarranted fear of a loss of anonymity may undermine “advancements in data analytics (that) are unlocking opportunities to use de-identified datasets in ways never before possible …” They add that “creating anonymized datasets requires statistical rigor, and should not be done in a perfunctory manner.”


New threat intelligence report skewers industry confusion, charlatans
Today, there are large numbers of TI vendors and advisory papers (often issued through vendors' marketing departments) that describe extremely different products and services, all under the banner of threat intelligence. The research explains, "For example, at a high level, some products come in the form of prose that explains developments in a particular area, while at a lower level, others might be a stream of XML-formatted indicators of compromise, such as IP addresses or binary hashes." What's worse, "Even within similarly placed sources, such as feeds of indicators of compromise, there is very little overlap between competing products. Recent research suggests that in three popular feeds of flagged IP addresses, containing more than 20,000 IP addresses in total, there was as little as a 1% overlap."


Oracle HCM Cloud Adds Social, Mobile Learning Option
Using smartphones or tablets, salespeople are sharing video product demos, retailers are creating how-to-merchandize videos, and field-service staff are capturing maintenance-and-repair videos, for example. Oracle Learning Cloud is designed to enable employees at any level to create such videos, and HR or business leaders can then curate these and other assets, such as images, infographics, documents, or even massively open online courses (MOOCs) into learning tracks geared to specific departments and roles. "A manager can point to these tracks and say, 'I would like people in my organization to learn the following, so please follow this track,'" said Alarcon.


Eliminating Passwords in the Enterprise
While issuing an enterprise credential with a strong password is fairly easy to accomplish, managing that password over the credential's lifetime is more difficult. User password resets, compromised passwords and a lack of synchronized passwords across enterprise systems all cause problems for users, IT departments and security professionals. And users truly hate passwords. There are too many to remember, each system has different rules, and there is a lack of standards for reset processes. A positive associated with passwords is that they are well understood by both providers and end-users. ... But, usability and security of password-backed credentials are in decline and a passwordless future is something that keeps coming up in the IAM conversation. So what will it take?


Leverage Big Data Cross-Industry Panel: Video Now Available
Big data represents a challenge to Kerry Hughes, the advanced computing leader at Dow Chemical, who was also on the panel. For Hughes, connecting big data and high performance computing (HPC) technology with the person with the requisite domain expertise is the tough part to crack. Helping clients to act on fast-moving data is important for panelist Asif Alam, the head of enterprise capabilities at Thomson Reuters. The advent of machine readable financial data generated by more than 400 different exchanges, in combination with outside data such as weather and news, allows Thomson Reuters to help its clients make decisions quickly in our fast-changing world.


What happens with data from mobile health apps?
Mobile health applications as a class are becoming more sophisticated, and vacuuming up information like glucose levels, heart rate and fertility, all while operating unchecked by the statutory restrictions that apply to information collected in a medical setting. Pooled together, those data points could provide potential indicators for conditions such as obesity or Alzheimer's. But the market for that data is fairly opaque, and Bedoya fears that health information in the hands of data brokers could be sold to businesses for dubious purposes, such as insurance companies that might deny applicants coverage or charge steeper premiums based on information collected through health apps.


GitHub recovering from massive DDoS attacks
Anthr@X wrote that advertising and tracking code used by many Chinese websites appeared to have been modified in order to attack the GitHub pages of the two software projects. The tracking code was written by Baidu, but it did not appear that the search engine, the largest in China, had anything to do with it. Instead, Anthr@X wrote that some device on the border of China’s inner network was hijacking HTTP connections to websites within the country. The Baidu tracking code had been replaced with malicious JavaScript that would load the two GitHub pages every two seconds. In essence, it means the attackers had roped regular Internet users into their attacks without them knowing.


Cyber what? (part 2 of 2)
All the different “cyber” terms sure are confusing, and it’s no help that many of the terms used to describe the threat actor behind a cyber attack are often used interchangeably. In part I, we established what constitutes a “cyber attack” within “cyberspace”. Now the real fun begins: we’ll dissect the four most commonly confused terms, “cyber war,” “cyber terrorism,” “cyber vandalism” and “cyber espionage,” and provide a common lexicon. The objective is to dispel myths and, by establishing common understanding, provide a way for managers to cut to the chase and understand risk without all the FUD. The graph below shows the four terms and their attributes at a glance.


Crossing the Cybersecurity Trust Chasm
It is a rare case where the perpetrators of cyber-theft crossed the line into threatening violence in real life. Cyber attacks are now a top national issue. People are outraged that cyber terrorism could lead to physical terrorism. They want to know how the government and private sector can safeguard them against such scenarios. Everyone’s interests are seemingly aligned. Let us all seize the moment before it is lost and build trust. A critical piece for rebuilding trust is having the right talent focused on it. Box recognized that trust is a competitive advantage and appointed a Chief Trust Officer a few years ago to build trust with their customer base on their security practices.



Quote for the day:

"Always and never are two words you should always remember never to use." -- Wendell Johnson