Emails Link Palantir and Schmidt Daughter to Facebook Cambridge Analytica Fiasco

  • Emails indicate that Eric Schmidt’s daughter Sophie once suggested that Cambridge Analytica’s parent company work with Palantir.
  • Cambridge Analytica later developed a relationship with a Palantir staffer that produced the idea to use an app to harvest Facebook user data.
  • Both Cambridge Analytica and Palantir are owned by conservative billionaires who funded Donald Trump’s election campaign.

LONDON — Both Peter Thiel’s data-mining company Palantir and a daughter of the former Google chairman Eric Schmidt had connections to Cambridge Analytica’s misuse of Facebook user information, according to documents seen by The New York Times.

Putting the ‘I’ in CISO: Why the Security Leader Must Become an Influencer

One of the most important attributes of a chief information security officer (CISO) is the ability to govern by influence rather than edict. This skill is especially important given that, according to an August 2017 Ponemon report, many organizations struggle with conflicts related to turf and silo issues — nearly half of CISOs still report to chief information officers (CIOs) — and the lines of responsibility for cybersecurity are not always clearly defined.

Women Experience More Incivility at Work — Especially from Other Women

Executive Summary

Most employees, at one point or another, have been the victim of incivility at work. One finding that has been frequently documented in research is that women tend to report experiencing more incivility at work than their male counterparts. However, it has been unclear who is perpetrating the mistreatment towards women at work, and why. A recent study sheds some light on this, showing that women reported experiencing more incivility from other women than from their male coworkers. In addition, when women acted more assertively at work (expressing opinions in meetings, assigning people to tasks, and taking charge) they were even more likely to report receiving uncivil treatment from other women at work. Men who deviated from gender norms were not similarly punished by their peers.

Windows Device Management: From XP to 10 and Everything in Between

When it comes to Windows device management, PC administrators have traditionally relied on tools that use agent-based technology to deliver security. Beyond laptops and desktops, IT teams have long had access to mobile device management (MDM), which enables simple and robust administration of smartphones and tablets. Helping IT bridge the gap across all device form factors, Microsoft built application programming interfaces (APIs) into Windows 10 that allow security teams to manage laptops and desktops the same way they’ve managed smartphones and tablets for years.

3 people face charges in waterslide death of Kansas boy, 10

TOPEKA, Kan. (AP) — A water park company co-owner accused of rushing the world’s tallest waterslide into service and a designer accused of shoddy planning have been charged in the decapitation of a 10-year-old boy on the ride in 2016.

With the latest charges unsealed Tuesday, three men connected with Texas-based Schlitterbahn Waterparks and Resorts and its park in Kansas City, Kansas, have been indicted by a Kansas grand jury, along with the park and the construction company that built the ride. Caleb Schwab died on the 17-story ride when the raft he was riding went airborne and hit an overhead loop.

The Kansas attorney general’s office said Schlitterbahn co-owner Jeffrey Henry, 62, and designer John Schooley were charged with reckless second-degree murder, along with Henry & Sons Construction Co., which is described as the private construction company of Schlitterbahn. Second-degree murder carries a sentence of 9 years to 41 years in prison.

They also were charged with 17 other felonies, including aggravated battery and aggravated endangerment of a child counts tied to injuries other riders sustained on the giant slide, called Verrückt, which is German for “insane.” The indictment accuses Henry of making a “spur of the moment” decision to build the ride, and says that he and Schooley lacked technical or engineering expertise in amusement park rides.

Henry was ordered held in a Texas jail without bond Tuesday, pending extradition to Kansas. The attorney general’s office said Schooley is not in custody. Schooley didn’t have a listed phone number and no one answered the phone at Henry & Sons Construction Co. Eric B. Terry, who represented the company in an earlier unrelated case, didn’t immediately return a phone or email message.

The same grand jury last week indicted the Kansas City park and Tyler Austin Miles, its former operations manager, on 20 felony charges. The charges include a single count of involuntary manslaughter in Caleb’s death. Miles has been released on $50,000 bond, according to one of his attorneys, Tricia Bath.

Schlitterbahn spokeswoman Winter Prosapio said in a statement Tuesday that the latest indictment “is filled with information that we fully dispute.” The statement said Henry had designed waterpark rides “the world over” and that “nearly every waterpark that exists today has an attraction or feature based on his designs or ideas.”

“The incident that happened that day was a terrible and tragic accident,” the statement said. “We mourn the loss of this child and are devastated for his family. We know that Tyler, Jeff, and John are innocent and that we run a safe operation – our 40 years of entertaining millions of people speaks to that.”

According to the indictments, Henry decided in 2012 to build the world’s tallest water slide to impress the producers of a Travel Channel show. Henry’s desire to “rush the project” and a lack of expertise caused the company to “skip fundamental steps in the design process.” The indictment said, “not a single engineer was directly involved in Verrückt’s dynamic engineering or slide path design.” The indictment said that in 2014, when news reports were emerging about airborne rafts, a company representative “discredited” them and Henry and his designer began “secretly testing at night to avoid scrutiny.”

The indictment listed 13 injuries during the 182 days the ride was in operation, including two concussions. In one of those cases, a 15-year-old girl went temporarily blind while riding.

Caleb, the son of Kansas Republican state Rep. Scott Schwab, was decapitated after the raft on which he was riding went airborne on a day when admission was free for state legislators and their families. The family reached settlements of nearly $20 million with Schlitterbahn and various companies associated with the design and construction of the waterslide. The two women who rode on the same raft with Caleb suffered serious injuries and settled claims with Schlitterbahn for an undisclosed amount.

“Clearly the issues with Schlitterbahn go far beyond Caleb’s incident, and we know the attorney general will take appropriate steps in the interest of public safety,” the family said in a statement released Monday through their attorneys.

The indictment said Schooley was responsible for doing “the math” that went into the slide’s design and signed an operations manual claiming the ride met all American Society for Testing and Materials standards. But the indictment lists a dozen instances in which the design violated those standards and says investigators could find no evidence that so-called dynamic engineering calculations were made to determine the physics a passenger would experience. The indictment said Schooley lacked the technical expertise to properly design a complex amusement ride such as Verrückt. The indictment said Schooley admitted, “If we actually knew how to do this, and it could be done that easily, it wouldn’t be that spectacular.”

Prosapio said Schlitterbahn does not expect any changes to the Kansas City park’s season, which is set to open May 25 and runs through Labor Day. The Verrückt slide has been closed since Caleb died.

Mike Taylor, a spokesman for the Unified Government of Wyandotte County and Kansas City, Kansas, says it does not believe it has the legal authority to shut down a business, other than for an epidemic or contagious disease outbreak.

The company also operates water parks in Galveston, Corpus Christi, South Padre Island and New Braunfels, Texas, according to its website.

Associated Press writers David Warren and Terry Wallace in Dallas also contributed to this report. Follow John Hanna on Twitter:

Use rtl-sdr to turn your cheap DVB-T dongle into a high quality entropy source

rtl-entropy is software that uses rtl-sdr to turn a DVB-T dongle into a high quality entropy source. It samples atmospheric noise, applies von Neumann debiasing, runs the result through the FIPS 140-2 statistical tests, then optionally (-e) applies Kaminsky debiasing to blocks that pass the FIPS tests, and writes the result to its output. It can be run as a daemon, which by default writes to a FIFO that rngd can read to add entropy to the kernel's entropy pool.
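As an added example (not rtl-entropy's own code), the two software stages named above, von Neumann debiasing and the FIPS 140-2 block tests, run in Python over a constructed biased bit stream. The SDR sampling, the Kaminsky step and the FIFO/rngd plumbing are not reproduced; the "noise" is a SplitMix64 PRNG stand-in with a deliberately off-centre threshold, and the FIPS intervals are the FIPS 140-2 section 4.9.1 values that rng-tools applies.

```python
"""Added example (not rtl-entropy's own code): von Neumann debiasing and the
FIPS 140-2 statistical tests over a constructed biased bit stream.  The SDR
sampling, the Kaminsky step and the FIFO/rngd plumbing are not reproduced;
the noise source below is a PRNG stand-in, not radio samples."""

MASK64 = (1 << 64) - 1


def splitmix64(state):
    """One SplitMix64 step -> (next_state, 64-bit output).  Stands in for
    digitised atmospheric noise here; it is not a security-grade RNG."""
    state = (state + 0x9E3779B97F4A7C15) & MASK64
    z = state
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return state, z ^ (z >> 31)


def biased_bits(n, p_one=0.7, seed=1):
    """Constructed raw source: n bits, each 1 with probability p_one, like a
    comparator whose threshold sits off the centre of the noise distribution."""
    threshold = int(p_one * (1 << 64))
    state, out = seed, []
    for _ in range(n):
        state, x = splitmix64(state)
        out.append(1 if x < threshold else 0)
    return out


def von_neumann(bits):
    """Consume non-overlapping pairs; emit the first bit of each 01/10 pair and
    drop 00/11.  Removes bias (not correlation) and discards >= 3/4 of the input."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


# FIPS 140-2 section 4.9.1 tests, defined on a 20,000-bit block.  These are the
# intervals rng-tools (rngd) still applies before feeding the kernel pool.
FIPS_BLOCK = 20000
RUN_INTERVALS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                 4: (240, 384), 5: (103, 209), 6: (103, 209)}   # 6 means >= 6


def fips_140_2(bits):
    """Return {test_name: passed} for one 20,000-bit block."""
    if len(bits) != FIPS_BLOCK:
        raise ValueError("FIPS 140-2 tests are defined on 20,000-bit blocks")
    ones = sum(bits)
    monobit = 9725 < ones < 10275

    # Poker test: chi-square-like statistic over 5,000 4-bit nibbles.
    counts = [0] * 16
    for i in range(0, FIPS_BLOCK, 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    poker_x = (16 / 5000) * sum(c * c for c in counts) - 5000
    poker = 2.16 < poker_x < 46.17

    # Runs test (per bit value, run lengths 1..6+) and long-run test (>= 26 fails).
    runs = {0: [0] * 7, 1: [0] * 7}
    longest, i = 0, 0
    while i < FIPS_BLOCK:
        j = i
        while j < FIPS_BLOCK and bits[j] == bits[i]:
            j += 1
        runs[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    runs_ok = all(lo <= runs[v][k] <= hi
                  for v in (0, 1) for k, (lo, hi) in RUN_INTERVALS.items())
    return {"monobit": monobit, "poker": poker, "runs": runs_ok,
            "long_run": longest < 26}


def entropy_pipeline(n_raw, seed=1):
    """Raw biased bits -> von Neumann -> first 20,000-bit block through FIPS.
    Returns (raw_ones_fraction, debiased_ones_fraction, fips_results)."""
    raw = biased_bits(n_raw, seed=seed)
    clean = von_neumann(raw)
    block = clean[:FIPS_BLOCK]
    results = fips_140_2(block) if len(block) == FIPS_BLOCK else None
    return sum(raw) / len(raw), sum(clean) / len(clean), results


if __name__ == "__main__":
    raw_p, clean_p, res = entropy_pipeline(200_000)
    print(f"raw P(1)={raw_p:.3f}  debiased P(1)={clean_p:.3f}  FIPS: {res}")
```

Two things the code makes visible that the description does not: von Neumann debiasing only cancels bias if consecutive samples are independent, which adjacent ADC samples from a real dongle often are not, and the FIPS tests are cheap to pass with structured non-random input (an alternating 0101 stream passes the monobit test) and cheap to fail with good input, so they are a sanity gate on the hardware rather than a proof of randomness.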

20 Critical Security Controls: Control 15 – Wireless Access Control

Today, I will be going over Control 15 from version 7 of the CIS top 20 Critical Security Controls, Wireless Access Control. I will go through the ten requirements and offer my thoughts on what I've found.

Key Takeaways for Control 15

Reduce your attack surface. So much of Control 15 is about limiting your use of wireless technologies. Where you do use wireless, follow best practices for encryption to prevent attacks on wireless data.

Search out more tools. Using a vulnerability scanner or a wireless intrusion detection system only to detect rogue access points is overkill for those tools. If you already have them at your disposal, reuse them rather than spending more money. If you don't have them and need to address Control 15 immediately, there are plenty of other tools that can do the same job at a fraction of the price.

Requirement Listing for Control 15

1. Maintain an Inventory of Authorized Wireless Access Points
Description: Maintain an inventory of authorized wireless access points connected to the wired network.
Notes: Creating a baseline is the starting point for securing any part of the enterprise network. Even if it is done in an Excel spreadsheet, get the data down somewhere you can reference later.

2. Detect Wireless Access Points Connected to the Wired Network
Description: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Notes: This may also be the starting point for requirement 1. In fact, it may even be part of Control 1, since you are deploying tools to detect devices on the network. But don't think you are limited to network vulnerability scanning tools to find wireless access points; plenty of other tools can do the same job.

3. Use a Wireless Intrusion Detection System
Description: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points.
Notes: A WIDS can be used for much more than detecting access points. If you have the budget to deploy one, use it for more than network scanning. Public networks are a good candidate for WIDS, which monitor 802.11 protocol-level attacks that a typical IDS on the wired side is blind to.

4. Disable Wireless Access on Devices if it is Not Required
Description: Disable wireless access on devices that do not have a business purpose for wireless access.
Notes: Reduce your attack surface. This follows the same thinking as disabling ports and services that a specific machine does not need. Most servers and desktops have no need for a wireless connection. One data exfiltration tactic to worry about is a mobile hotspot plugged into a computer to send data out through a cell phone carrier rather than the enterprise network.

5. Limit Wireless Access on Client Devices
Description: Configure wireless access on client machines that do not have an essential wireless business purpose to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Notes: This one is tougher to control, since devices such as laptops and cell phones are mobile by nature. If employees travel for business, limiting their wireless networks to just the business's will hurt their productivity. I see this as a requirement only for wireless devices that do not leave the physical premises.

6. Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
Description: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Notes: Consumer-grade devices may need this functionality, but very few enterprise devices will. Typically this is not used by a remote attacker; it would be classified as an insider threat. As with the previous requirement, this is for those who are trying to exfiltrate data over non-business networks.

7. Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Description: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Notes: Encrypt early, encrypt often. AES is the de facto standard for wireless communications; in practice this means WPA2 with the AES-CCMP cipher rather than WPA/TKIP. While naming specific protocols or tools can be frowned upon in a standard, I don't see AES being overtaken by something else before another version of the CIS Controls comes out.

8. Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
Description: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) that require mutual, multi-factor authentication.
Notes: See the notes for requirement 7. Unless a client device has a business reason not to carry the highest-grade security, use the strongest tools and technologies to your advantage. With EAP-TLS the client must validate the authentication server's certificate as well as present its own; a client profile that skips server validation delivers only half of the "mutual."

9. Disable Wireless Peripheral Access to Devices
Description: Disable wireless peripheral access of devices (such as Bluetooth and NFC) unless such access is required for a business purpose.
Notes: See requirement 5. This one, however, is focused on shorter-range technologies rather than Wi-Fi. There are risks in running Bluetooth and NFC, so if you don't need them, turn them off.

10. Create Separate Wireless Network for Personal and Untrusted Devices
Description: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Notes: I see this as one of the more critical requirements in this control. Guest networks have no business communicating with the corporate network. I have yet to see a business case where they would even need to be allowed in and audited, as the requirement recommends. I would put guests on a completely separate network with no pathway into the corporate network, especially if the guest network is open to customers in a public setting.
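As an added example (not from the CIS Controls document or this post), the following Python script turns requirements 1-3 and 7-8 into checks that run offline: it compares what a scan sees on the air against an authorized AP inventory, and it audits two client profiles for AES-CCMP and EAP-TLS. The inventory, the scan text (abridged to the shape of `iw dev wlan0 scan` output) and the two wpa_supplicant network blocks are constructed for the example; the wpa_supplicant keys (`proto`, `key_mgmt`, `pairwise`, `eap`, `ca_cert`, `domain_suffix_match`) are real configuration options, and the assumed defaults for absent keys are wpa_supplicant's documented ones.

```python
"""Added example, not from the CIS Controls document or the post above: a
small audit for requirements 1-3 (does what is on the air match the authorized
AP inventory?) and 7-8 (do client profiles use AES and EAP-TLS?). The
inventory, scan output and profiles are all constructed for the example."""
import re

# Requirement 1: inventory keyed by BSSID, not SSID; an "evil twin" copies the
# SSID but broadcasts from a BSSID we do not own.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "corp-secure", "channel": 1},
    "00:11:22:33:44:02": {"ssid": "corp-guest", "channel": 6},
}

# Requirements 2-3: constructed scan, abridged to the shape of `iw dev wlan0
# scan` output; only the SSID and channel lines are read.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: corp-secure
    DS Parameter set: channel 1
BSS de:ad:be:ef:00:01(on wlan0)
    SSID: corp-secure
    DS Parameter set: channel 6
BSS a4:5e:60:aa:bb:cc(on wlan0)
    SSID: Jens iPhone
    DS Parameter set: channel 11
"""

def parse_scan(text):
    """Return {bssid: {"ssid": ..., "channel": ...}} from iw-style scan text."""
    aps, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = aps.setdefault(m.group(1), {"ssid": None, "channel": None})
        elif cur is not None and line.strip().startswith("SSID: "):
            cur["ssid"] = line.strip()[len("SSID: "):]
        elif cur is not None and line.strip().startswith("DS Parameter set: channel "):
            cur["channel"] = int(line.rsplit(" ", 1)[1])
    return aps

def classify_aps(scan, inventory):
    """Label every BSSID seen (authorized, authorized-drift, evil-twin, unknown)
    and list inventory entries not seen at all (down, or moved off the air)."""
    our_ssids = {ap["ssid"] for ap in inventory.values()}
    labels = {}
    for bssid, seen in scan.items():
        if bssid in inventory:
            exp = inventory[bssid]
            drift = seen["ssid"] != exp["ssid"] or seen["channel"] != exp["channel"]
            labels[bssid] = "authorized-drift" if drift else "authorized"
        elif seen["ssid"] in our_ssids:
            labels[bssid] = "evil-twin"   # our SSID on a BSSID we do not own
        else:
            labels[bssid] = "unknown"     # neighbour or hotspot: needs a look
    return labels, sorted(set(inventory) - set(scan))

# Requirements 7-8: two constructed wpa_supplicant network blocks for the same
# SSID: the "just make it connect" version and what the control asks for
# (AES-CCMP only, 802.1X with EAP-TLS, RADIUS server certificate pinned).
WEAK_PROFILE = """\
network={
    ssid="corp-secure"
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="Summer2018!"
}
"""
HARDENED_PROFILE = """\
network={
    ssid="corp-secure"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="laptop-0042@corp.example"
    ca_cert="/etc/ssl/corp-wifi-ca.pem"
    client_cert="/etc/wpa/laptop-0042.pem"
    private_key="/etc/wpa/laptop-0042.key"
    domain_suffix_match="radius.corp.example"
}
"""

def audit_profile(text):
    """Return the 15.7/15.8 violations in one block. Absent keys take
    wpa_supplicant's defaults, which still admit WPA1 and TKIP."""
    kv = dict(re.findall(r"^\s*(\w+)=(.*)$", text, re.M))
    problems = []
    if "TKIP" in kv.get("pairwise", "CCMP TKIP") or "WPA" in kv.get("proto", "WPA RSN").split():
        problems.append("15.7: TKIP/WPA1 permitted, not AES-CCMP only")
    if kv.get("key_mgmt") != "WPA-EAP":
        problems.append("15.8: shared PSK, no per-device 802.1X identity")
    elif kv.get("eap") != "TLS":
        problems.append("15.8: not EAP-TLS, no client certificate")
    elif not kv.get("ca_cert") or not kv.get("domain_suffix_match"):
        problems.append("15.8: server certificate not validated, mutual auth is one-sided")
    return problems
```

Running it against the constructed data labels the first BSSID authorized, the second an evil twin (our SSID from a BSSID not in the inventory) and the iPhone unknown, and reports the guest AP as missing from the scan; the weak profile fails both 15.7 and 15.8 while the hardened one passes. Note that a profile which sets `eap=TLS` but leaves out `ca_cert` and `domain_suffix_match` still fails 15.8: the supplicant would then accept any server certificate, which is the half-mutual case the requirement is meant to rule out.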