Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

Germany passes strict cyber-security law to protect ‘critical infrastructure’

From the post:

In the wake of ever-increasing cyber-security threats, Germany has passed legislation ordering that over 2,000 essential service providers implement new minimum information security standards or face penalties if they fail to do so within two years.

The law passed its final hurdle in the upper house of the German parliament, the Bundesrat, on Friday after having passed the lower house in June.

The law will affect institutions listed as “critical infrastructure,” such as transportation, health, water utilities, telecommunications providers, as well as finance and insurance firms. It gives companies two years to introduce cyber security measures or face fines of up to €100,000 ($111,000).

The Bundesrat-approved IT security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. The companies must also notify the Office of suspected cyber-attacks on their systems.
…

This is where Dogbert would say: “There are times when no snide comment seems adequate.”

I ask because Teri Robinson in Cyber attack on U.S. power grid could rack up $1 trillion in losses, study says, cites:

“Business Blackout: the insurance implications of a cyber attack on the U.S. power grid,” a study (PDF) from the Centre for Risk Studies at Cambridge University and insurer Lloyd’s of London, found that such an attack would have an impact on multiple types of insurance.

A very stylish report, complete with black pages trimmed in red rather than blank pages. It evaluates a fanciful scenario against the US powergrid, with no basis for evaluating the feasibility of the attack as described.

I asked about how you define “cyber attack” because Appendix A lists the obligatory “Cyber attacks against Industrial Control Systems since 1999.” (starts on page 45)

If you review that list carefully, out of an alleged fourteen (14) “cyber attacks,” four (4) of them were physical attacks on infrastructure, eight (8) of them, including insiders, were true cyber attacks and the other two (2) were misc.

Eight (8) cyber attacks against control systems shouldn’t be peg the threat meters for anyone.

But to return to Teri’s article for a moment, she closes with these observations:

And a risk that has American voters worried. A Morning Consult poll found that 32 percent of voters consider cyber attacks a major threat, putting them just behind terrorism, which, at 36 percent, was the top threat.

Among GOP voters, terrorism garnered 45 percent of the vote with cyber attacks getting just 25 percent. Democrats believe cyber attacks (38 percent) to be the bigger threat, while terrorism claimed 31 percent of the vote.

The FBI, DHS, along with the national news media have certainly done well at selling cyber and terrorist attacks as clear and present dangers.

All the more amazing due to the lack of any terrorist attacks worthy of mention since 9/11 and the complete lack of cyber attacks against control systems in public utilities.

Remember, no electricity means no Bevis and Butthead. Be careful what you wish for.

PS: Don’t waste time and money on cyber nightmare scenarios against the U.S. power grid. Yes, they need good cyber security like everyone else, but they have far worse issues of physical security. Congress has published maps of the critical infrastructures and details on non-cybersecurity issues. Check with your local government documents librarian.

Although most of my readers probably have the original torrent, I thought a list of mirrors for the #HackingTeam data dump could be useful:

• http://ht.musalbas.com
• ht.transparencytoolkit.org/
• http://ht.swr.sx
• http://bit.ly/1LTcEuc

I have personally verified all the mirrors to exist and that they list what appears to be the hacked content. The accuracy of these mirrors and your safety in examining the contents remains solely your affair.

Full mirror of torrent

https://aedv23ynnl27e7vt.onion.cab/ || http://aedv23ynnl27e7vt.onion/

One site, http://ht.musalbas.com, has already received a DMCA complaint (reported on Twitter by Zach Whittaker.

As a public service to the broader community, please mirror these archives in whole or in part. If you can’t host a mirror, reach out to the mirroring sites to express your interest and support for their efforts.

Do you think this hack may be an effort to push the OPM hack to the back pages of the news? 😉 No, I’m not that paranoid nor do I think the US government is that well organized.

Enjoy!

PS: If you do index/analyze part of the data dump, be sure to post the results and munged data to public repositories.

Silkie Carlo posted this image on Twitter as useful for a “how to make a password” discussion:

You only have two (2) options to avoid password embarrassment:

1. Never get hacked. (the worst strategy)
2. Use strong passwords along with a routine of changing them.

If you need advice on what strong passwords, see the FAQ for cryptsetup.

If your own cybersecurity isn’t enough of a motivation for using strong passwords, do you want your name, along with a weak password to come up for years in discussions of weak passwords?

It is a form of fame but I would prefer to avoid the honor.

You?

PS: Embarrassment is perhaps the only known downside to having a weak password, for a user. “Privileged users” had weak passwords at OPM. Ditto for Sony. Now at Hacking Team. Have I missed reports of punitive dismissals?

The theory seems to be that everyone is stupid and therefore individuals should not be penalized for being stupid in particular instances. It may be true that everyone is stupid about somethings but the parameters for strong passwords are known. Stupidity should not be tolerated for problems with known solutions.

Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday by Graham Cluley.

Graham passes on the news that a security fix for a “high” severity bug will be patched in OpenSSL this coming Thursday (9 July 2015).

He also supports the lack of information about the nature of the bug. To avoid giving hackers a chance to exploit it.

When the patch is released, assuming the reaction is similar to Heartbleed, there will still be sites three weeks later that are not patched.

Speculations on the latest “high” severity bug in OpenSSL?

Google Study: Most Security Questions Easy To Hack by Shirley Siluk.

From the post:

There’s a big problem with the security questions often used to help people log into Web sites, or remember or access lost passwords — questions with answers that are easy to remember are also easy for hackers to guess. That’s the key finding of a study that Google recently presented at the International World Wide Web Conference in Florence, Italy.

Google said it analyzed hundreds of millions of secret questions and answers that users had employed to recover access to their accounts. It then calculated how easily hackers could guess the answers to those questions.

In many cases, the answers were relatively easy to hit upon because of unique cultural factors, according to the study. For English speakers, for example, hackers had a 19.7 percent chance of guessing — in just one guess — the right answer to the question, “What is your favorite food?” (Answer: pizza.)

‘Neither Secure nor Reliable’

Google undertook the study because, “despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth,” noted Anti-Abuse Research Lead Elie Bursztein and Software Engineer Ilan Caron. The conclusion reached after looking at all those millions of questions and answers? “(S)ecret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” Bursztein and Caron said Thursday in a post on Google’s Online Security Blog.
…

Shirley goes on to give examples of how the answers to some security questions are culturally determined but also quotes suggestions for making your answers to secret questions more secure.

What is the one insight into Google security can you draw from this article?

Google stored the answers to secret questions as clear text.

Yes?

Otherwise, how did they develop the statistics about secret answer usage?

Another answer isn’t clear from: Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google by Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson.

Abstract:

We examine the first large real-world data set on personal knowledge question’s security and memorability from their deployment at Google. Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate. Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.

On the usability side, we show that secret answers have surprisingly poor memorability despite the assumption that reliability motivates their continued deployment. From millions of account recovery attempts we observed a significant fraction of users (e.g 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).

Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability. We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.

Google has moved on to more secure methods for account recovery but the existence of the secret answer data, even from 2013, remains a danger for some users on the Internet.

The recent Hacking Team hack generated a rash of self-righteous tweets about the company’s sales to “repressive” governments.

Before you get overly excited about the sins of the Hacking Team, consider this graphic of arms sales by the United States and Russia:

From US/Russia Arms Sales Race by Allan Smith and Skye Gould.

Buying arms is a good indication of the intent to repress someone so I don’t see many places that don’t have repressive governments.

Speaking of repression, this is the best visualization I have seen to date of the Greek debt crisis:

http://demonocracy.info/infographics/eu/debt_greek/debt_greek.html

Its a very large visualization so I won’t attempt to replicate it here.

The German government is trying to repress the Greek people for the foreseeable future in order to collect on its debt. Think of it as international loan sharking. If you don’t pay, we will break your legs. Or in this particular case, austerity measures that will blight the lives of millions. Sounds repressive to me.

We can debate repression one way or the other but the important resource for US citizens is: Office of Foreign Assets Control – Sanctions Programs and Information. Sanctions programs, well, carry sanctions for violating their terms. On you.

I have serious questions about the sanctions list both in terms of who is included and who is not. However, unless you have a large appetite for risk, you had best follow its guidance (or your government’s similar list).

More than 440K new Android malware strains found in Q1, study finds by Terri Robinson.

From the post:

More than 440,000 new strains of Android malware were discovered by security experts at G DATA analyzing data for the first quarter of 2015.

That the company’s Q1 2015 Mobile Malware Report found so many strains of malware, representing a 6.4 percent jump from the quarter before, is not surprising, considering half of U.S. consumers use a smartphone or tablet to do their banking and 78 percent of those on the Internet make purchases online, giving cybercriminals a large pool of potential victims as well as the opportunity for significant financial gain.

“Mobile banking has become a very profitable target of opportunity,” Andy Hayter, security evangelist at G DATA, told SCMagazine.com in an email correspondence. “With mobile banking applications being new, bad guys are taking advantage, and targeting these apps since the majority of those using them are unaware that you should protect your mobile device from malware.”

The uptick represents 4,900 new Android malware files each day of the quarter, up 400 files daily from those recorded in the second half of 2014. About 200 new malware samples were identified daily, meaning that a new malware sample was discovered every 18 seconds.
…

You know the problem. Apps want to work across multiple versions of Android and with third-party sites (like banks), which multiplies the number of security steps that have to be done right with each targeted interaction.

What are the odds of all those security steps being done right? With a new malware sample every 18 seconds, I would say the odds are heavily stacked against encountering a secure app. Could happen but on the order of the moon becoming a black hole, spontaneously.

Take the same security precautions with your smart phone as you would with any other network connected device. Keep your OS/apps updated on a regular basis. Off-load data not needed for immediate access. Data not on your phone can’t be stolen if your phone is compromised.