Honeypots

In the cyber world, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked.

Of course, nothing prevents nefarious persons or entities from using honeypots to draw in honest folks for nefarious purposes.  Purposes like the following.

The trove of leaked Democratic National Committee emails posted to Wikileaks on July 22 has sparked concerns about malware as users access the vast trove of documents.

On the day of the leak, Google’s Transparency Report warned users of dangerous downloads from Wikileaks.org. Google has not revealed specifically what was detected….

The Feds Want to be in your Child’s School Bathroom

…right along with anyone else confused about who should or should not be there.

The Obama administration will send a letter to every public school district in the country telling them to allow transgender students to use bathrooms and locker rooms that match their chosen gender identity, as opposed to their birth certificate.

President Barack Obama (D) threatened in his letter to withhold Federal funding for those school districts impertinent enough to not comply with his decree.  South Dakota v Dole might have an impact on his threat, but Obama has never let legitimacy get in the way of his edicts, and this is another lame duck/what’re-you-gonna-do-about-it-in-my-last-8-months example.

Encryption and Safety

Senators Richard Burr (R, NC) and Dianne Feinstein (D, CA), in their op-ed in The Wall Street Journal, demonstrated their lack of understanding of the relationship between security and safety.  Their piece’s title, Encryption Without Tears, illustrates their basic misunderstanding of the inherent tension between the two, here encryption and safety.

In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data.  But technological innovation must not mean placing individuals or companies above the law.

Neither can technological backdoors be allowed to place government above the law.

Cyberthreat Information Sharing

The public and private sectors need to increasingly declassify and divulge critical information if the U.S. is to set up effective cyberthreat organizations, according to a report released Wednesday by PwC that sets out a blueprint for how those groups could be set up.

That would certainly lead to faster responses to hack attempts—committed by anyone, whether governments foreign or domestic or criminals—and to more efficient hardening against present and future hack attempts.

Unfortunately, FBI Director James Comey has already written off the concept of public sector—at the Federal government level, anyway—cyberthreat sharing.

Government Arrogance Should Disqualify It

…in its case trying to force Apple to disable encryption on its iPhones.

Rather than assist the effort to fully investigate a deadly terrorist attack by obeying this Court’s Order of February 16, 2016, Apple has responded by publicly repudiating that Order…Apple has attempted to design and market its products to allow technology, rather than the law, to control access to data which has been found by this Court to be warranted for an important investigation.

Security Tradeoffs

Here’s one.

A federal judge has ordered Apple Inc to provide software to the Justice Department to help it unlock a phone used by one of the suspects in the San Bernardino, CA, terror attack because investigators suspect the device may hold critical details of the plotting behind the mass murder.

The government’s justification is this:

Law-enforcement agencies say companies such as Apple make it harder to solve crimes including terrorist attacks, child abuse and murder by putting security measures on phones that make it difficult or impossible for investigators to open them and examine data inside.

Gross Incompetence?

As if we didn’t need another reason to disband the Department of Education (see its Dear Colleague letter for an example of its gross dishonesty), here’s another, of utter failure to perform. DoE isn’t taking care of its digital data.

The Education Department doesn’t hold nuclear launch codes. But its vast data trove on student-loan borrowers and their parents—and the nearly $100 billion it disburses in new loans every year—are reason enough to want the bureaucrats to prevent digital intrusions. ….

The stakes go well beyond personal privacy. Federal student loans outstanding exceed $1 trillion, and Team Obama is trying to forgive those debts. It would add injury to injury if cyber-fraudsters were able to pile on for a taxpayer plundering.

Personal Secrecy vs National Security

The latest batch of 3,105 emails includes 275 documents upgraded to “classified” since they landed in the former Secretary’s personal inbox. That brings the total number of classified docs found in the emails to 1,274. A State Department official told Fox News on Thursday that two of those emails were upgraded to “secret,” while most of the others were upgraded to “confidential.”

Because Democratic Party Presidential candidate and then-Secretary of State Hillary Clinton’s desire to keep secret her doings in our name as a Cabinet Secretary was more important than our national security.

We don’t need four more years of this from within the White House.

Another Thought on Encryption

Apple’s Tim Cook had one [emphasis added].

On your iPhone, there’s likely health information, there’s financial information. There are intimate conversations with your family or your co-workers. There’s probably business secrets, and you should have the ability to protect it. And the only way we know how to do that is to encrypt it. Why is that? It’s because, if there’s a way to get in, then somebody will find the way in. There have been people that suggest that we should have a back door. But the reality is, if you put a back door in, that back door’s for everybody, for good guys and bad guys.

Maybe It’s Time

Banks fear a growing number of employees are unwittingly exposing valuable information to hackers or in some cases leaving digital clues that make a breach possible.

And

Several banks are also increasingly testing whether their employees unintentionally leave them susceptible to hackers by falling prey to “spear-phishing” attempts, in which criminals lure recipients to click on links.

And

Weeks after JP Morgan Chase & Co was hit with a massive data breach that exposed information from 76 million households, the country’s biggest bank by assets sent a fake phishing email as a test to its more than 250,000 employees. Roughly 20% of them clicked on it, according to people familiar with the email.