Posts

Showing posts from January, 2018

The problem with deepfakes

It might surprise you to know that you don't own your own image.  How you look is not legally protected.  The way the paparazzi make their money is by taking photos of others, often without their consent.  Legally, there is little people can do to stop this, and there are only very narrowly defined laws against it.  In general, in the United States at least, the highest law (the US Constitution) says that a person's right to free speech should be preserved at almost any cost.  That brings us to new technology.  A reddit user named DeepFake started uploading hyper-realistic porn with famous faces on different bodies.  The technology used was modified into an app that now lets anyone with even a moderately powerful system create images and movies with the face of one person on the body of another.  The implications outside of creating fake porn are enormous.  First, what if the fake porn was not some famous actor or actress but rather your daughter who is just one of the girls on

From bad to worse

What is worse than finding an application that can take down your industrial control systems?  Releasing it on the web (not even the dark web) for anyone to get and use... Trisis (a military-grade cyber warfare package aimed at SCADA devices) was put onto a virus tracking site for all the world to download.  Since this was developed by state actors, it probably was not already on the dark web.  Cyberscoop has more info... https://www.cyberscoop.com/trisis-virus-total-schneider-electric/

We are stronger together?

We have known that criminal cyber organizations have been banding together to share resources.  According to some assessments, there are whole cyber crime service companies that share employees, have profit sharing, offer days off, etc.  It might be time that the white hats do the same... https://www.cyberscoop.com/new-global-cybersecurity-center-announced-davos/

Do you own you?

One of my consistent rants is that we no longer own our image.  When I first started going to college in the '80s, one of my legal-type classes discussed the fact that people who enter certain professions (actors, artists, politicians, reporters, etc.) give up the right to have a private life.  Their every move is watched and analyzed.  People make judgements on them based solely on data and not on who they are.  These days this goes for all of us.  We are now traced from prenatal to well after death.  We have lost our individuality and are now part of a vast sea of data owned by companies.  People fear the government getting too much information, but what happens when the one who owns your data is a private organization?  If they lose it, what legal recourse do you have?  And, as I have pointed out before, what happens if the government gains access to it?  The Hill has an article about both the pros and cons of this new world we find ourselves in... http://thehill.com/opinion/te

Password security

One of the constant challenges for those of us who create, teach, or enforce passwords and their usage policies is protecting the password itself.  I have given talks that try to dissuade organizations from making users change passwords all the time, because the tendency is then to write them down.  Here is a classic example of what I see every day.  Now, thanks to AP photographer Jennifer Sinco Kelleher ( https://twitter.com/JenHapa?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor ), everyone else in the world also gets to see it:

Amazon data collection policy

One of my chief concerns is that a lot of data that people would be uncomfortable having the government collect (and in some cases it would be illegal) is routinely collected by private entities.  If these private companies then resell this data, would it be legal for the government to contract for it like any other group?  Would it be ethical?  An article today talks about Amazon Dot data and whether Amazon shares this info with the government.  It talks about court orders, but the chain of reasoning is the same.  Just some food for thought... From ZDNet: Amazon won't say if it hands your Echo data to the government "Three years ago, the retail giant became the last major tech company to reveal how many subpoenas, search warrants, and court orders it received for customer data in a half-year period. While every other tech giant had regularly published its government request figures for years, spurred on by accusations of participation in government surveillance, Am

Hospital pays despite having backups

Image from the Greenfield Reporter: http://www.greenfieldreporter.com/2018/01/16/01162018dr_hancock_health_pays_ransom/

I try never to second-guess an organization's decision when faced with a security or disaster challenge.  That being said, I believe the less these bad actors get paid, the less likely they are to carry out ransom attacks.  Here is a story about a hospital that paid even with backups.  The reason given is a valid concern for many organizations: if you get large enough, restoring from backups can take days to complete.  That is something that needs to be taken into consideration when creating a threat profile and response matrix.  While they don't say how it happened, the SamSam ransomware that was used normally spreads via RDP.  Bleeping has a write-up on the issue here: https://www.bleepingcomputer.com/news/security/hospital-pays-55k-ransomware-demand-despite-having-backups/

HTTPS gets a big boost

It is somewhat surprising how many web sites are still not performing the simple step of securing the server with HTTPS.  Firefox is taking a major step toward forcing the hands of those web sites by only exposing new features to HTTPS sites.  "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards.  Check out BleepingComputer for more information: https://www.bleepingcomputer.com/news/software/mozilla-restricts-all-new-firefox-features-to-https-only/