Where is science taking cybersecurity? Dan Geer, a long-time technologist in the field, takes his shot at capturing where the field is going — and tells a lot about where we are now along the way.
Quoting Bloomberg Press:
Penn State University, which develops sensitive technology for the U.S. Navy, disclosed Friday that Chinese hackers have been sifting through the computers of its engineering school for more than two years.
Over five hundred partners in government and industry have been notified of the breach, and thousands of students are being notified that personal information (including social security numbers) has been carried off.
College Park officials should take this kind of news to heart when reflecting on the fact that we still haven’t fully repaired systems here following the prominent data breach over a year ago. Of course, for as close as we are with the Confucius Institute we’ve probably left things open to save them the bother of breaking in.
LinkedIn turns out to be a bonanza of information about US intelligence officers, as recently revealed in the linked article. A tool called Transparency Toolkit simply mines the available resumes and analyzes them to discover the ‘interesting’ codes, likely jobs and a lot more.
A very accessible case study of identity theft … and real theft, based on the unintended consequences of little technical decisions.
Ohio taxpayers who thought they were getting refunds from the state instead got a quiz that they had to pass in order to have tax overpayments returned to them. Part of an ill-conceived program to verify identity in the face of a rising tide of identity theft and scams, the quiz asked questions based on – and this is the good part – “information taken from national databases and other sources.” If you choose to participate (you know, like you actually want your property to be returned to you), then giving answers different from what the ‘national resources’ believe are true about you will result in denial of funds, and probably a requirement to bring identity papers into an office personally.
Of course, this kind of request looks indistinguishable from a host of other scams out there, which is why the linked article reports tens of thousands of calls came in to the tax offices and police. In truth, police probably should investigate, since we are unaware of any Ohio regulation that authorizes officials to burden citizens with such obligations as a condition of exercising their rights. What next? Maybe that they can require citizens to demonstrate they can play a musical instrument?
Once people have been assured that these kinds of requests are somehow okay, then the next wave of phishing from scam artists is likely to take a real toll.
That’s what is apparently under consideration. What could go wrong with that?
This is a nice overview of legal cases which might be taken up by the Supreme Court in the new year. Will any surveillance cases involving NSA practices go the distance and win cert? Only time will tell, but the issues presently poised for consideration are laid out in the linked article.
Congrats to the cyber security students at the other campus in College Park. Some fine press for some fine work.
So much for Loh’s assertion that we hired the best staff, used the best technologies and took the most responsible measures to protect the campus. Obviously our leadership didn’t know what those steps ought to have been before, and they still don’t know those steps today. (But watch how fast the massive sports complex goes up in the Big Ten arms race.)
In the latest example, they created a fake Associated Press article in order to send a private link to the target of an investigation who up to that point had been anonymous to them. The target took the bait, and by accessing the link gave up his IP address. It was all downhill from there.