Posts tagged ‘wiley’

SANS Internet Storm Center, InfoCON: green: Threat modeling in the name of security, (Wed, Feb 19th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I'm sure hoping you've read headlines recently; there's so much to work with here. :-)
As indicated in ISC Diary coverage of the Linksys worm referred to as The Moon, as well as a KrebsonSecurity discussion of a plethora of other vulnerable hardware, threats are everywhere. And as the Internet of Things leads us to pwned refrigerators and home automation gone amok, its time to revisit one of my favorite topics: threat modeling.
Further, Adam Shostack's Threat Modeling: Designing For Security is now available via Wiley and online book sellers. If you plan to be at RSA, Adam will be speaking at RSA on New Foundations for Threat modeling (Wednesday, 26 FEB, at 9:20)
Why should you consider threat modeling for your computing and technology-centric environments? Threats abound, and there are no more important reasons than the viability and reputations of your organizations. The consequences of a successful cyberattack would almost certainly affect your organization's ability to conduct its day-to-day business operations. Ask the Navy how it feels about the four months and $10 million dollars it took to get the Iranians off the Navy Marine Corps Intranet. If such attacks lead to exposure of confidential information, your organization is likely to be perceived as one that failed to do what was necessary to protect itself, which in turn can affect the ability to conduct business in the future. Failure to protect customer information could subject your organization to legal liabilities and potentially significant fines. Imagine the possible cost to Target if you use the approximate $200 cost per exposed customer record x 110 million (40 million, then 70 million) records alleged to be in play in some for or fashion as a result of the Target compromise.
Threat modeling allows you to determine what threats exist that could affect your organization's computing infrastructure, helps you identify threat mitigations to protect resources and sensitive information, and helps you prioritize the identified threats so that you can manage your security efforts in a proactive manner.
Sound like a good plan right? I'm now leading an entire team dedicated to this cause at Microsoft; after having written the IT Infrastructure Threat Modeling Guide in 2009 (revision pending in the March/April timeline) it's finally been agreed that threat modeling and assessment is a natural fit for the practice of Threat Intelligence (data science) & Engineering (build mitigations).
The fortuitous timing of Adam's book release is not lost on me as I engage this recent new work assignment, Threat Modeling: Designing For Security is, in essence, the bible for our practice. I was honored to be the Technical Proofreader for this book which gives me the opportunity to provide you with a few insights with the hope of inspiring you to read it and embrace threat modeling broadly.
Quoting Adam directly, "This book is written for those who create or operate complex technology. That’s primarily software engineers and systems administrators, but it also includes a variety of related roles, including analysts or architects. There’s also a lot of information in here for security professionals, so this book should be useful to them and those who work with them. You will gain a rich knowledge of threat modeling techniques. You’ll learn to apply those techniques to your projects so you can build software that’s more secure from the get-go, and deploy it more securely. You’ll learn to how to make security tradeoffs in ways that are considered, measured, and appropriate and you will learn a set of tools and when to bring them to bear."
Adam asks you to consider a set of related questions that are essential to threat modeling:
1. What are you building?
2. What can go wrong with it once it’s built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?

If you embrace these as you mature your threat modeling practice you will maintain perspective throughout. Thinks about those questions as you ponder the interconnectedness of so much of modern technology. Do you need to threat model your brand new refrigerator or Internet connected lighting controller? Yeah, prpbably a good idea. What could possibly go wrong?
The well known STRIDE mnemonic (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) remains entirely viable, integral, and omnipresent but other modeling tactics are described in the book too. We've also incorporated Allegro Octave, as well as DREAD, OWASP, CVSS, and others risk assessment methods as part of threat assessment tactics, techniques, and procedures (thank you SimpleRisk).

Your action items are simple: read up on threat modeling, begin to threat model as part of your regular information security focuses, apply mitigations to the findings, and admire your handiwork as threat vectors are diminished. If you have any questions on this front please reach out directly or drop comments here.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Major Book Publishers Sue Hotfile For Copyright Infringement

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

hfpLast month Hotfile and the MPAA ended their legal dispute with an $80 million settlement.

While the agreement left room for the file-hosting service to continue its operations by implementing a filtering mechanism, the company decided to throw in the towel and shut down.

However, that doesn’t mean the trouble is over for the defunct file-sharing site. Encouraged by Hollywood’s multi-million dollar victory, several of the world’s largest book publishers have now filed a lawsuit of their own against the site and its owner.

Pearson Education, Cengage Learning, John Wiley and Sons, Elsevier and McGraw-Hill lodged a complaint with the U.S. District Court for the Southern District of Florida, accusing Hotfile of vicarious copyright infringement.

“Hotfile built a business off of infringement. The book publishers’ rights were massively infringed by the site and its operators. They should not be allowed to simply pocket their profits and walk away from the harm they caused,” a representative of the book publishers tells TorrentFreak.

The publishers have submitted 50 books as evidence, including ‘Office 2007 for Dummies’ and ‘C++ How to Program,’ for which they demand compensation. This means that Hotfile is facing up to $7.5 million in damages, if they are found guilty.

The complaint itself offers little new and repeats several arguments that were previously made in the MPAA vs. Hotfile case. Among other things, the publishers note that Hotfile knew that their service was widely used for copyright infringement.

“Hotfile was aware that the vast majority of the files on its service were copyrighted. It received millions of takedown notices under the Digital Millennium Copyright Act, received correspondence from users and affiliates identifying copyrighted works and recognized that users were migrating to Hotfile for copyrighted works after competitor RapidShare was sued,” the complaint reads.

The publishers further accuse Hotfile of doing nothing to remove pirated files from its service, and claim that the filehoster lacked a repeat infringer policy, which the court previously saw as a requirement by the DMCA to qualify for safe harbor.

“Hotfile failed to ban with any consistency repeat infringers who accounted for a large percentage of the infringing files on the system. Despite receiving millions of DMCA notices, Hotfile did not track whether any of the uploads came from the same user,” the publishers note.

As a result of these lax policies, a relatively small group of persistent infringers was able to upload dozens of millions of files, the publishers say.

“In fact, by early 2011, nearly 25,000 users had accumulated more than three DMCA notices and many had received 100 or more. This group of uploaders was responsible for posting 50 million files, which amounts to 44 percent of the files on Hotfile,” the complaint states.

Taking into account Hotfile’s legal history, the publishers have a pretty strong case. This may in part explain why they chose to pursue this target. The question is, however, whether Hotfile still has funds left to pay any damages.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

Raspberry Pi: Official Raspberry Pi User Guide: 2nd edition out now!

This post was syndicated from: Raspberry Pi and was written by: liz. Original post: at Raspberry Pi

The Raspberry Pi User Guide, co-authored by our very own Eben Upton with Gareth Halfacree, is your complete guide to the Raspberry Pi, from setup and installing software to learning how to use the Pi to play music and video, using it in electronics projects, learning your first programming language, learning about networking – it’s a complete guide to everything you need to get going, and even if Eben wasn’t involved in this book, it’d be our first recommendation for adults and older kids interested in getting started with the Raspberry Pi.

This second edition is a much, much fatter book than the first – there’s almost half a book’s extra content in there. The first edition only covered the earliest revision of our hardware, and much of the software we now take for granted hadn’t been written back when it was published: this new edition is bang up to date, with new chapters covering use of the camera board, how to use NOOBS to set up your Pi, the introduction of the Pi Store and much more.

We’ve got the Raspberry Pi User Guide for sale in the Swag Store: it’s a great gift for anybody you know who might be getting a Raspberry Pi this Christmas. If you’d like to support our educational mission and help us produce free learning materials and more schools equipment, we’d love it if you could buy from us. It’s also available in the usual places: Amazon currently have it on sale, but it’s been so popular that it’s out of stock there at the time of writing. We hope you buy a copy: and we hope you enjoy it as much as we have.

TorrentFreak: GOP Politician and Attorney Accused of Being a “For Dummies” Book Pirate

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Following in the footsteps of the RIAA, dozens of porn publishers and lesser-known movie studios, in 2011 John Wiley and Sons became the first book publisher to chase down alleged file-sharers in the United States.

The company has filed well over a dozen lawsuits in U.S. courts, together targeting hundreds of so-called John Doe defendants. Wiley is famous for its “For Dummies” series of books and the defendants in these actions are all accused of downloading or sharing the titles without permission.

Wiley attorney William Dunnegan previously told TorrentFreak that the company’s approach has three aims – to educate, obtain settlements, and prevent further infringement of the company’s products.

While it’s not possible to say how many of Wiley’s targets have chosen to settle, there are some that dig in their heels and refuse to pay up. As reported here in 2012, at least three Doe defendants were named by Wiley, with the company threatening to take their cases to jury trial.

One of those was the innocuous-sounding Ralph Mohr, but throw in a previously-unlisted middle initial, and one discovers that far from being just another defendant primed to be squeezed for a few thousand dollars, this one has public standing.

Ralph M. Mohr is a Republican commissioner on the Erie County Board of Elections. According to Wiley, the politician is also guilty of pirating one of their books, Essential Calculus For Dummies.

The dispute dates back to October 2011 when Wiley filed a case against 27 John Doe defendants. In November 2011 Judge William H. Pauley ordered the Does’ ISPs to hand over their personal details to Wiley.

The case progressed into 2012, with Wiley eventually naming four defendants, Mohr included. But by May 2012 cases against the other three defendants were all marked as ‘terminated’, leaving the politician as the only remaining defendant.

Mohr says he tried to explain to Wiley that his computer wasn’t working on the date of the alleged offense and that his children were either too young to be interested in calculus or away at school at the time.

“I thought it was a scam at first,” Mohr told Buffalo News. “I didn’t even have an operable computer when this happened.”

And this is where it gets really interesting. Mohr says he is determined to put up a fight to clear his name and protect his reputation, something that no other “copyright troll” defendant (RIAA targets aside) has yet done in a courtroom. A first time ever testing of BitTorrent-related evidence looks like it could be on the cards.

Adding to the excitement is that Mohr is a former county legislator and no stranger to the legal system. In 2012 he was described as “the most experienced election law attorney in New York State.”

Brushing up on copyright law may very well be his next goal.

Source: GOP Politician and Attorney Accused of Being a “For Dummies” Book Pirate