Thursday, June 21, 2018

The next big hacker target? “Drive the car of your dreams!”
Car Consortium That Includes Apple Announces Digital Car Key Specification for Smartphones
The Car Connectivity Consortium (CCC), an organization that includes Apple, today announced the publication of a new Digital Key Release 1.0 specification, which is a standardized solution designed to let drivers download a digital vehicle key onto their smartphones.
… The new Digital Key specification, which uses NFC, was developed to create a "robust ecosystem" around interoperable digital key use cases. It will let drivers lock, unlock, start the engine, and share access to their cars using smart devices like the iPhone with reliable user authentication methods.




My solution? Make the exam much harder.
Algeria Shut Down the Internet to Prevent Students from Cheating on Exams
Algeria shut the Internet down nationwide to prevent high-school students from cheating on their exams.
The solution in New South Wales, Australia was to ban smartphones.




Not sure I follow this…
The National Security Archive launches New CyberWar Map
“The National Security Archive’s Cyber Vault Project is announcing the launch of the CyberWar Map. This resource is both a visualization of state-sponsored cyberattacks and an index of Cyber Vault documents related to each topic (represented as nodes on the map). Clicking on each node will reveal hyperlinks and document descriptions. In some cases where key analysis was done under copyright, the link will direct readers to sources external to the National Security Archive. In a few other cases nodes do not yet have documents to display. The CyberWar Map is a living research aid: documents and nodes will be added on a regular basis. This is a particularly useful way of presenting information related to cyber actors, tools and incidents. The complexity of the field makes it increasingly challenging to conceptualize a “bird’s eye view” of the cyber-battlefield; therefore, the topic lends itself especially well to a dynamic graphic representation.”




A useful link for my Computer Security class.
Brief Overview of GDPR
Impact on E-Workplace and BYOD: GDPR’s strict adherence to EU citizens’ privacy protections impacts US businesses directly and requires extremely strict policies, which is sure to impact BYOD policies. For instance, GDPR compliance may require that certain employees have explicit permission to process, control and contain data within particular time frames. Not only this, but in order to adhere to GDPR, companies may need to be strict enough to include emergency erasing capabilities, GPS tracking, and thorough logging of all communication.




The Law gig?
Launching Soon: ‘Text A Lawyer’ Aims To Be The Uber Of Legal Help
Slated to launch next month is a service that allows consumers to get answers to their legal questions by text for a flat price of $20.
The service, called Text A Lawyer, is modeled after ride-sharing service Uber in that it uses two separate mobile apps, one for consumers to submit legal questions and another for lawyers who are in a waiting pool ready to give answers.
The goal, says founder Kevin Gillespie, is to make it simple for low- and moderate-income consumers to get answers to legal questions. Text-messaging is a medium many are comfortable with, he says, and it has the added advantage of providing both the consumer and lawyer with a transcript of the Q&A.
… Consumers will pay $20 to submit a legal question. After consumers open the app, it prompts them to select the state in which they reside and the kind of lawyer they are looking for (family, criminal, immigration, etc.). It then asks them to describe their question in a few sentences. A final screen is a conflicts check, asking the names of any alleged victims, adverse parties and witnesses, and the consumer’s relationship to any of these people.




Perspective.
Joint Chiefs of Staff – Permanent global cyberspace superiority is not possible
Steven Aftergood – Secrecy News Blog: “Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations. “Permanent global cyberspace superiority is not possible due to the complexity of cyberspace,” the DoD publication said. In fact, “Even local superiority may be impractical due to the way IT [information technology] is implemented; the fact US and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.” Nevertheless, the military has to make do under all circumstances. “Commanders should be prepared to conduct operations under degraded conditions in cyberspace.” This sober assessment appeared in a new edition of Joint Publication 3-12, Cyberspace Operations, dated June 8, 2018. (The 100-page document updates and replaces a 70-page version from 2013.)…”




Perspective. Why I have my students working with Apps and IoT.
HPE: $4 Billion Says Intelligent Edge is the Future of Computing
Hewlett Packard Enterprise on Tuesday unveiled a new strategy it’s planning to spend $4 billion to pursue over the next four years.
The company will invest that much in technology and services to enable the intelligent edge, a catch-all phrase used to describe the myriad of things like smart sensors and cameras or devices that aggregate and process data they produce upstream in the network, such as routers, gateways, or servers. What makes them “edge” devices is their location at the source of the data rather than in a big data center somewhere far away. What makes them “intelligent” is the computing capacity and software to analyze the data in near-real-time, as it’s being generated, and make decisions based on insights gleaned from that analysis.




Perspective. A new industry and already arrogant.
Bird scooters refuses to suspend operations after city's request
Bird electric scooters will not suspend its operations in Indianapolis as requested by the city in a letter sent Tuesday evening.
"We look forward to continuing to serve our new Indy riders as we work with city leaders to create a regulatory framework that works best for the people of Indianapolis and helps them meet their goals," Bird spokesman Kenneth Baer said in a statement sent to the IndyStar.
… The city's letter requesting the suspension cited "a number of public safety, legal, and regulatory concerns."
It also referenced an ordinance currently pending approval of the City-County Council's Public Works Committee that would make unlawful "a dockless bicycle share or hire program on a street, roadway, or other city-owned property or rights-of-way."
… Bird scooters continued operations in Nashville after the city sent a cease and desist letter two days after the service launched. The company suspended operations after the city impounded more than 400 scooters.




Perspective. Does the government ever look at the cost?
Housing A Separated Migrant Child Costs The US More Than An Admiral’s BAH
To take a migrant child from her parents at a U.S. point of entry, place her in a just-erected government tent city, and keep her separated from family costs the federal government a whopping $775 per child per night, according to the Department of Health and Human Services — more than twice what it would cost to house the children in detention with their families, and nearly six times more than a brigadier general’s or rear admiral’s housing allowance for New York City.




Fake News? How does this get past management?
Burger King pulls Russia World Cup ad promoting sex with players
Burger King has apologized for an online ad offering burgers to Russian women who get impregnated by soccer players during the World Cup the country is hosting until July 15. The promotion on the global fast food chain's account on VK – a local rival of Facebook – suggested Russia could benefit from some good "football genes."
"As part of its social responsibility (campaign), Burger King is offering a reward to women who get impregnated by football stars," said Burger King.
"Every woman will get three million rubles (around $45,000) and a lifetime's supply of Whopper burgers. Women who manage to get the best football genes will ensure Russia's success in future generations."
… "We apologise for our statement. It turned out to be too offensive," Burger King said.
The ad appeared to be ineptly trying to poke fun at an inflammatory statement by a lawmaker who urged women not to have sex with foreign fans.


Wednesday, June 20, 2018

Send in the Space Patrol! Perhaps we could insist that China pay for a (fire)Wall?
China-based campaign breached satellite, defense companies: Symantec
A sophisticated hacking campaign launched from computers in China burrowed deeply into satellite operators, defense contractors and telecommunications companies in the United States and southeast Asia, security researchers at Symantec Corp said on Tuesday.
Symantec said the effort appeared to be driven by national espionage goals, such as the interception of military and civilian communications.
Such interception capabilities are rare but not unheard of, and the researchers could not say what communications, if any, were taken. More disturbingly in this case, the hackers infected computers that controlled the satellites, so that they could have changed the positions of the orbiting devices and disrupted data traffic, Symantec said.




Could this happen to anyone? (Hint: Yes!)
When you think of consequences of employees clicking on phishing emails, did you ever think about how an entire state government might wind up having their email domain blacklisted? It happened to Oregon because oregon.gov was used to send out spam after an employee clicked on a phishing email. Hillary Borrud reports:
Oregon’s state technology workers are scrambling to fix a problem that is preventing thousands of government employees from corresponding with members of the public via email.
Several private email providers have blacklisted the state email domain Oregon.gov after a state employee apparently clicked on a phishing email earlier this month that allowed a hacker to access the state’s computer system.
“The malicious link hijacked the state-owned PC and generated over eight million spam emails from an Oregon.gov email address,” state officials wrote in an email explaining the situation to employees on Friday.
Now, private citizens with certain email providers can’t receive emails from state employees.
Read more on OregonLive.




Perspective. Why so much employee activism? Is this the new “Trump Reality?”
Microsoft CEO Satya Nadella downplayed his company’s work with U.S. Immigration and Customs Enforcement in a company-wide email sent this evening, saying that Microsoft’s contract with ICE deals only with email, calendar, and messaging—not with separating children from their parents.
Nadella’s email came after more than 100 employees sent him an open letter demanding that Microsoft cancel its $19.4 million contract with ICE. In a January blog post, Microsoft asserted that it was proud to work with ICE and that it was providing ICE with deep learning technology to aid with facial recognition.
But Microsoft executives are now claiming that its ICE contract does not include facial recognition technology.
… However, Nadella stopped short of vowing to cancel the ICE contract, as employees had requested in their letter—nor did he explain why the company’s January blog post claimed Microsoft offered facial recognition services to ICE.


(Related)
Amazon Faces Backlash Over 'Rekognition' Software's Use By Law Enforcement




Perspective.
11 States Pull National Guard Off Border Missions To Protest Child Separations
Eleven US states have cancelled agreements to send members of the National Guard to the US-Mexico border as part of a growing backlash over the Trump administration’s policy of separating migrant families trying to enter the US.
Initially three states — New York, Massachusetts, and Colorado — pulled their forces from current or planned deployments at the border, but they were soon joined by many more.
… In an executive order on Monday, John Hickenlooper, Democratic governor for Colorado, barred state resources from being used to separate immigrant families.




How much variation is acceptable? Should we rely on AI to set bail?
You’ve Been Arrested. Will You Get Bail? Can You Pay It? It May All Depend On Your Judge.
… not all judges in New York City treat bail the same way. A FiveThirtyEight analysis of 105,581 cases handled by The Legal Aid Society, the largest public defender organization in New York, found that how much bail you owe — and whether you owe it at all — can depend on who hears your case the day you’re arraigned.
New York’s judges are assigned to arraignment shifts, hearing every case that comes into the court during that time. Because the assignments are random — judges hear cases solely based on when people are arrested and how busy the court is — we can identify whether defendants are being treated equally regardless of who hears their case. They are not.




Some Python tools…
OpenEDGAR: Open Source Software for SEC EDGAR Analysis
Computational Legal Studies: “Our next paper — OpenEDGAR – Open Source Software for SEC Edgar Analysis is now available. This paper explores a range of #OpenSource tools we have developed to explore the EDGAR system operated by the US Securities and Exchange Commission (SEC). While a range of more sophisticated extraction and clause classification protocols can be developed leveraging LexNLP and other open and closed source tools, we provide some very simple code examples as an illustrative starting point.
Paper: SSRN / arXiv
Codebase: GitHub
Abstract: OpenEDGAR is an open source Python framework designed to rapidly construct research databases based on the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system operated by the US Securities and Exchange Commission (SEC). OpenEDGAR is built on the Django application framework, supports distributed compute across one or more servers, and includes functionality to (i) retrieve and parse index and filing data from EDGAR, (ii) build tables for key metadata like form type and filer, (iii) retrieve, parse, and update CIK to ticker and industry mappings, (iv) extract content and metadata from filing documents, and (v) search filing document contents. OpenEDGAR is designed for use in both academic research and industrial applications, and is distributed under MIT License at https://github.com/LexPredict/openedgar




Tools for my techies.
GitHub’s free education bundle is now available to all schools
Software development isn’t just about writing code. It’s also about what you do with that code — testing, documenting, and proper source management. These skills are often left by the wayside in the classroom.
GitHub wants to change that, and has announced that it’s expanding GitHub Education, and will begin offering it to all schools.
Previously, GitHub Education was offered to a limited number of selected degree- or certificate-granting educational institutions.
GitHub Education is a bundle of the company’s tools and training. It comes with free access to GitHub Enterprise or Business Hosted, as well as teacher training for the platform via GitHub Campus Advisors.
… Of course, GitHub isn’t the only source management company targeting the education market. Earlier this month, rival GitLab announced it was offering its Ultimate and Gold packages to classroom customers.


Tuesday, June 19, 2018

If it sounds too good to be true…
Adidas fans hit by phishing scam
Why users always fall for the lamest phishing scams is beyond comprehension, but hackers take advantage of this weakness and hide their scheming behind the usual fake prizes and too-good-to-be-true giveaways. This time, it was Adidas’ turn to feature in a major phishing scam that targeted users in specific regions.
A fake Adidas campaign promising free shoes instantly became popular through WhatsApp, and it’s not even the first time such a phishing scheme was used this year. To celebrate its 69th anniversary, the sports company was allegedly giving away 2,500 pairs of shoes to users who filled out a four-question survey.
All they had to do was click on a link to claim the prize and share it on WhatsApp with their contacts.
… No matter how many times users tried to share the campaign, they had no way to confirm that the share actually went through. It was just part of the scam. The very detail that they couldn’t choose color or size should have been a hint that it wasn’t a legitimate campaign – either that or the misspelled company name in the spoofed link.
Users were promised free sneakers in exchange for $1 to claim them, but all they were left with was a recurring $50-per-month subscription fee. Through the scam, hackers got access to users’ payments and contact details. The subscription users are automatically signed up for the “organizejobs” service, which has been identified as a scam.




Not the best ‘Business Continuity’ example.
'We do not know when this is going to be fixed,' American says of CLT flight problems
American Airlines struggled to recover Monday from a recurring computer problem that left one of its key regional carriers unable to fly to or from Charlotte Douglas International Airport, stranding hundreds of passengers for the second time in a week.
The problem, airline spokeswoman Katie Cody said, traced back to the crew scheduling and tracking system at PSA Airlines, a wholly-owned subsidiary that operates flights under the American Eagle brand. The issue is with hardware at PSA's headquarters in Dayton, Ohio, and it's left the carrier unable to get flight crews and planes matched up. About 350 flights into and out of Charlotte have been canceled since Sunday, Cody said.
… PSA canceled about 70 flights on Sunday, a bit more than 10 percent of the total at Charlotte Douglas. A similar number were planned to be canceled Monday night, Cody said.
For PSA, it was the second time in a week trouble struck. A technical issue with the regional carrier caused more than 120 Charlotte flights to be canceled last week, on Thursday, and the issue continued into Friday morning.
The outage indicates there might not be a backup software system for crew scheduling at PSA, Harteveldt said. The problem also appears to be bigger than American first realized, he said.
“This is apparently a more complex problem than initially thought, and it could take several days, based on my understanding, potentially even a week, to really fix this,” he said.




What’s different? Only the excuses.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
…
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
SOURCE: HHS
Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here.




Will this rise to the level of a significant concern? Will surveillance technology find itself limited to small, closely held companies or even foreign companies?
Amazon shareholders call for halt of facial recognition sales to police
In a letter delivered to CEO Jeff Bezos late Friday, the shareholders, many of whom are advocates of socially responsible investing, say they're concerned about the privacy threat of government surveillance from the tool.
Amazon's technology, called Rekognition and introduced in 2016, detects objects and faces in images and videos. Customers, which include law enforcement in Orlando, Florida and Washington County, Oregon, can upload face databases to automatically identify individuals.
… The shareholders, which include the Social Equity Group and Northwest Coalition for Responsible Investment, are joining groups such as the ACLU in efforts to stop the company from selling the service — pointing out the risks of mass surveillance.
… "We are concerned the technology would be used to unfairly and disproportionately target and surveil people of color, immigrants, and civil society organizations," the shareholders write. "We are concerned sales may be expanded to foreign governments, including authoritarian regimes."
In a blog post earlier this month, Matt Wood, a general manager of artificial intelligence at Amazon Web Services, said Amazon's policy prohibits the use of its service for activities that are illegal, violate the rights of others, or may be harmful.




The more things change, the more they stay the same. What else could you expect when the “punishment” required a few days of pretending to be sorry and moving to a new office?
Cambridge Analytica staffers are on the job – working on 2020 campaign
Quartz: “Hang on to your data, dear Facebook friends. Cambridge Analytica—the political consultancy that collapsed into bankruptcy in May after a scandal about its nefarious information-collection methods—is apparently metamorphosing. The company that Mark Zuckerberg admitted targeted 87 million Facebook users’ data, and whose work could well have influenced elections in the US and UK, may be currently disgraced. But it also appears to be putting a new face on its same old data-gathering gig. The Associated Press (AP) on June 15 reported that top staffers from the fallen consultancy are back on the job at a newly-formed company with a name that’s eerily reminiscent of the last place they worked—Data Propria. As the name implies, the new company is similarly preoccupied with gathering information, specifically to target voters and consumers. Basically, it’s the same mission that Cambridge Analytica had. Matt Oczkowski—head of product at the predecessor firm—is leading Data Propria, which also employs Cambridge Analytica’s former chief data scientist, David Wilkinson, and others from the scandal-ridden company…”


(Related) What does political awareness have in common with digital savviness?
Distinguishing Between Factual and Opinion Statements in the News
“The politically aware, digitally savvy and those more trusting of the news media fare better; Republicans and Democrats both influenced by political appeal of statements.
In today’s fast-paced and complex information environment, news consumers must make rapid-fire judgments about how to internalize news-related statements – statements that often come in snippets and through pathways that provide little context. A new Pew Research Center survey of 5,035 U.S. adults examines a basic step in that process: whether members of the public can recognize news as factual – something that’s capable of being proved or disproved by objective evidence – or as an opinion that reflects the beliefs and values of whoever expressed it. The findings from the survey, conducted between Feb. 22 and March 8, 2018, reveal that even this basic task presents a challenge. The main portion of the study, which measured the public’s ability to distinguish between five factual statements and five opinion statements, found that a majority of Americans correctly identified at least three of the five statements in each set. But this result is only a little better than random guesses. Far fewer Americans got all five correct, and roughly a quarter got most or all wrong. Even more revealing is that certain Americans do far better at parsing through this content than others. Those with high political awareness, those who are very digitally savvy and those who place high levels of trust in the news media are better able than others to accurately identify news-related statements as factual or opinion…”


(Related) Will anyone learn from these examples?
Cyber Attack Aims to Manipulate Mexican Election
On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.
PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack.
The source of the DDoS attack is unknown and possibly unknowable – but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.
The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.
The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.
This last possibility is not a serious proposal – but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above – a straightforward DDoS attack by cybercriminals.




I wonder what caused/allowed this?
KPMG's audit work unacceptable, says watchdog
The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog.
KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said.
The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.
KPMG said it was "disappointed" and was taking steps to improve audit quality.
… "There has been an unacceptable deterioration in quality at one firm, KPMG," the FRC said in a statement. "50% of KPMG's FTSE 350 audits required more than just limited improvements, compared to 35% in the previous year."
… "They must address urgently several factors that are vital to audit, including the level of challenge and scepticism by auditors, in particular in their bank audits. We also expect improvements in group audits and in the audit of pension balances."
… KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.
The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.
… the accounting industry has faced a lot of criticism in the last few years over whether their verdicts on companies' accounts can be trusted.


Monday, June 18, 2018

A sneak attack on SWIFT.
Banco de Chile admits losing $10 million in disk-wiping malware attack
Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24, shutting down bank operations. The hackers used a disk-wiping malware to cause the outage in order to distract attention from their original target – the SWIFT money transferring system.
According to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and linked to accounts based in Hong Kong.
“We found some strange transactions on the Swift system, and that’s when we realized that the virus wasn’t all of it, but fraud was being attempted,” he confirmed in an interview last week (translation).




Why is this so common in Chicago? Has it been like this since the time of Mrs. O’Leary’s cow?
If there is a Keystone Cops equivalent of a k-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.
Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.
It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.
Based on what was provided to DataBreaches.net by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students and parents’ information.
Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.
According to Creswell, the fields were in the following format:
First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building
The names are the student’s name, the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained. The field labeled “Building” contained a list of one or more types of selective schools: AC, Regional Gifted Centers, Classical.
Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.
But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.
So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard. And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.
To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. DataBreaches.net was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:
*File attachments:*
SEHS Confirmation Reminder.csv
This certainly appears to be the same scenario as the recent breach, and DataBreaches.net has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.
In a statement to DataBreaches.net, Creswell summarized parental frustration and fears:
We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.
CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.
This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?
As noted above, DataBreaches.net reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. DataBreaches.net also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:
In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?
and
Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.
No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.




So, now that we are free to react, how will they react to our reaction?
Pentagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict
The Pentagon has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups.
Until now, the Cyber Command has assumed a largely defensive posture, trying to counter attackers as they enter American networks. In the relatively few instances when it has gone on the offensive, particularly in trying to disrupt the online activities of the Islamic State and its recruiters in the past several years, the results have been mixed at best.
But in the spring, as the Pentagon elevated the command’s status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials.
… It is unclear how carefully the administration has weighed the various risks involved if the plan is acted on in classified operations. Adversaries like Russia, China and North Korea, all nuclear-armed states, have been behind major cyberattacks, and the United States has struggled with the question of how to avoid an unforeseen escalation as it wields its growing cyberarsenal.
Another complicating factor is that taking action against an adversary often requires surreptitiously operating in the networks of an ally, like Germany — a problem that often gave the Obama administration pause.




Sounds fluffy to this old auditor. Are we going to wait a year to find out if they have any impact?
Facebook quietly made a huge concession to shareholders as it aims to avoid another data disaster
… On Friday, Facebook quietly changed the name of its audit committee — which is chaired by former White House chief of staff Erskine Bowles — to the audit and risk oversight committee.
The committee's responsibilities have also been increased to encompass three major issues:
  1. It will review how Facebook "services can be used to facilitate harm or undermine public safety or the public interest." This could be read as a reference to fake news and election interference. [If that’s what they meant, that’s what they would have said. Bob]
  2. It will investigate Facebook's "privacy program" following the Cambridge Analytica scandal, in which the accounts of 87 million users were compromised.
  3. Facebook's "cybersecurity risk exposures" will also be analysed by the committee.
Bowles' group of executives, which also includes Marc Andreessen, Kenneth Chenault, and Jeffrey Zients, will conduct these reviews at least once a year.




Something my students might do.
Legal Analytics vs. Legal Research: What’s the Difference?
Law Technology Today: “Legal analytics involves mining data contained in case documents and docket entries, and then aggregating that data to provide previously unknowable insights into the behavior of the individuals (judges and lawyers), organizations (parties, courts, law firms), and the subjects of lawsuits (such as patents) that populate the litigation ecosystem. Litigators use legal analytics to reveal trends and patterns in past litigation that inform legal strategy and anticipate outcomes in current cases. While every litigator learns how to conduct legal research in law school, performs legal research on the job (or reviews research conducted by associates or staff), and applies the fruits of legal research to the facts of their cases, many may not yet have encountered legal analytics. Data-driven insights from legal analytics do not replace legal research or reasoning, or lawyers themselves. They are a supplement, both prior to and during litigation…”




If you don’t die on schedule, will they call for a “Terminator?”
Google Is Training Machines To Predict When A Patient Will Die
A woman with late-stage breast cancer came to a city hospital, fluids already flooding her lungs. She saw two doctors and got a radiology scan. The hospital's computers read her vital signs and estimated a 9.3 percent chance she would die during her stay.
Then came Google's turn. A new type of algorithm created by the company read up on the woman – 175,639 data points – and rendered its assessment of her death risk: 19.9 percent. She passed away in a matter of days. [So the correct number was 100%? Bob]
The harrowing account of the unidentified woman's death was published by Google in May in research highlighting the health-care potential of neural networks, a form of artificial intelligence software that's particularly good at using data to automatically learn and improve. Google had created a tool that could forecast a host of patient outcomes, including how long people may stay in hospitals, their odds of re-admission and chances they will soon die.
What impressed medical experts most was Google's ability to sift through data previously out of reach: notes buried in PDFs or scribbled on old charts. The neural net gobbled up all this unruly information then spat out predictions. And it did it far faster and more accurately than existing techniques. Google's system even showed which records led it to conclusions.




It turns out that the project in Software Architecture was rather timely after all. Perhaps Facebook will hire some of my students to point out the errors in their system?
A million Indians testing WhatsApp payments; what's the feedback like?
Almost one million people in India are "testing" WhatsApp's payments service, and the company is working with the Indian government, NPCI and multiple banks to further expand the feature to more users, a company official said.
WhatsApp's payment service, which rivals the likes of Paytm, has been in beta testing over the last few months.
… WhatsApp had received permission from NPCI to tie up with banks to facilitate financial transactions via Unified Payments Interface (UPI).
Paytm founder Vijay Shekhar Sharma had earlier this year alleged that WhatsApp's UPI payment platform has security risks for consumers and is not in compliance with the guidelines.
The Reserve Bank of India has mandated that all payment system operators ensure that data related to payments is stored only in India, giving firms six months to comply.
… WhatsApp had stated that sensitive user data such as the last 6 digits of a debit card and UPI PIN is not stored at all.
While it admitted to using Facebook's infrastructure for the service, it asserted that the parent firm does not use payment information for commercial purposes.




Another shot at Amazon?
Google places a $550 million bet on China's second-largest e-commerce player
… The two tech companies said they would work together to develop retail infrastructure that can better personalize the shopping experience and reduce friction in a number of markets, including Southeast Asia.
For its part, JD.com said it planned to make a selection of items available for sale in places like the U.S. and Europe through Google Shopping — a service that lets users search for products on e-commerce websites and compare prices between different sellers.
… At the same time, JD.com also teamed up with U.S. retail giant Walmart in the grocery business. Reports said Walmart opened a small high-tech supermarket in China where consumers can use smartphones to pay for items that are mostly available on its virtual store on online platform JD Daojia, an affiliate of JD.com.




This link could be handy since we no longer teach our students how to use PowerPoint.




Does this mean I will have to look at my students?
Huge Flipgrid News! - All Features Now Free
Flipgrid has been acquired by Microsoft. That's good news for the founders of Flipgrid and great news for all of us who enjoy using Flipgrid. As of this morning all Flipgrid features are now free for all users! If you are a person who paid for a Flipgrid Pro account, you'll be getting a prorated refund of your subscription.
Some of the features of Flipgrid that are now available to all users include:
  • Unlimited grids!
  • More time limit options
    • Set a time limit between fifteen seconds and five minutes.
  • Scheduled launch and freeze dates.
According to their statement, Flipgrid will continue to work on Chromebooks, iPads, iPhones, Android phones and tablets, and in the web browser on your Windows or Mac computer.
If you haven't tried Flipgrid, take a look at my video to see what it's all about.
… Flipgrid already supports Microsoft Teams.


Sunday, June 17, 2018

What price security? This seems disproportionate to me.
Jim Schultz reports that Lockport School District got snookered into wasting millions of dollars on surveillance instead of education:
Even though Lockport is a very small school district (just 4,600 students overall), next fall when our students return to class they will be greeted with something no other schools in the nation have, a $2.7 million system of high-tech facial recognition cameras. The story behind those cameras is a cautionary tale of what can happen when your fears over school security let you be taken for a ride by clever salesmen.
Read more of his opinion piece on The Public.




“English, as she is spoke”
Judge says ‘literal but nonsensical’ Google translation isn’t consent for police search
Machine translation of foreign languages is undoubtedly a very useful thing, but if you’re going for anything more than directions or recommendations for lunch, its shallowness is a real barrier. And when it comes to the law and constitutional rights, a “good enough” translation doesn’t cut it, a judge has ruled.
The ruling (PDF) is not hugely consequential, but it is indicative of the evolving place in which translation apps find themselves in our lives and legal system.
The case in question involved a Mexican man named Omar Cruz-Zamora, who was pulled over by cops in Kansas. When they searched his car, with his consent, they found quite a stash of meth and cocaine, which naturally led to his arrest.
But there’s a catch: Cruz-Zamora doesn’t speak English well, so the consent to search the car was obtained via an exchange facilitated by Google Translate — an exchange that the court found was insufficiently accurate to constitute consent given “freely and intelligently.”
… It doesn’t mean that consent is impossible via Google Translate or any other app — for example, if Cruz-Zamora had himself opened his trunk or doors to allow the search, that likely would have constituted consent.




Why not just give it to the people who ask for it?
Stuart Leavenworth reports:
REYKJAVÍK, ICELAND — Sometime in the future, U.S. researchers will be able to press a button and reliably identify the thousands of people who carry cancer-causing genes, including those that trigger breast cancer.
In Iceland, that day is already here. With a relatively uniform population and extensive DNA databases, Iceland could easily pinpoint which of its people are predisposed to certain diseases, and notify them immediately. So far, the government has refused to do so. Why? Iceland confronts legal and ethical obstacles that have divided the nation and foreshadow what larger countries may soon face.
On one side of the debate there, you have those who argue that of course you should tell people, but their argument strikes me as seriously flawed:
“That is utter, thorough bulls–t,” Dr. Kári Stefánsson, a world-renowned Icelandic neurologist and biotech leader who has been at the center of the nation’s DNA debate, told McClatchy in an interview in his Reykjavík office. “There is a tradition in American society, there is a tradition in Icelandic society, to save people who are in life-threatening situations, without asking them for informed consent. Should there be a different rule if the danger is because of a mutated gene?”
But Dr. Stefánsson’s argument fails when you consider that in these genetic cases, you are generally not talking about warning someone of imminent life-threatening decisions that need to be made. This is definitely NOT comparable to the situation in which a person is unconscious when brought to an emergency room, and the medical personnel are permitted legally and ethically to assume that they do have consent to treat, because failure to make that assumption is likely to lead to death of the patient.
If we are talking about notifying people that they are predisposed to certain diseases, well, they generally do have some time to think about whether they would want to be warned or not. Does Dr. Stefánsson think that he has a duty to inform that somehow trumps a person’s right to decide that they do not want to know their future or fate?
The more difficult question I see is what do we do about notifying parents – and teenagers – about the likelihood that teens or youth are at risk. If there is nothing that can be done to change the eventual outcome – i.e., if the person will still get the disease no matter whether you tell/warn them or not, what have you accomplished by alerting them? I suppose one could argue that you allow the person to make more informed life decisions, e.g., maybe they will decide not to have children if they know there is a very high risk that they would be passing along a currently incurable genetic disorder that might cause pain or suffering for any offspring. Or perhaps they will decide that if they are going to lose cognitive function early, they may not want to spend ten years in academic studies but would enjoy life more if they focus on other things.
There’s much to think about and discuss. And I think an argument could be made that supports Dr. Stefánsson’s firm belief that people should be informed, but he hasn’t made his case by trying to make the analogy he tries to make.
Read more on McClatchyDC




Who knew there was a Center for the study of Drones?
Bard College's Center for the Study of the Drones released a report about law enforcement acquiring drones and what they found is troubling.
… Why do university police need license plate readers, drones and a command vehicle?
There it is, law enforcement's mantra being used over and over again. Police need this spy gear to keep the public safe.
Good luck trying to find out which university police department has purchased a drone. Most university police departments can and do ignore FOIA requests.




Following the next “Next Big Thing?”
The Bike Share War Is Shaking Up Seattle Like Nowhere Else
… Ofo's business is dockless bike sharing, and it was about to launch its US operations in Seattle. Dockless bike share is just the latest of a dozen new approaches to urban mobility in increasingly congested cities. Ride-hailing services, app-powered carpools, on-demand car rentals, electric bikes, scooters, and even self-driving taxis are all jockeying for riders on the streets of American cities. Together they are reinventing the way we navigate urban environments, reducing private car usage, improving traffic and commute times, and cutting emissions.
But where alternatives to car ownership are well-established in the US's major metropolises, bike shares are still finding their niche. Paris, London, and New York have all adopted bike share programs that use docks, bulky stations that are built into parking spaces that dictate where the bikes' users must start and end rides. Though they cost a fraction of a more traditional, multibillion-dollar transit project, the stations are still expensive to install and maintain, and their fixed locations limit the number of riders they can attract.
What makes a dockless bike share program appealing is that, beyond the bikes themselves, it doesn't need any infrastructure. With nothing to build, a city can introduce a new way of getting around virtually overnight. A smartphone app tells users where cheap, GPS-enabled bikes are located and lets them rent one.




Will Wikipedia become the source of all trusted knowledge?
Facebook and Google must do more to support Wikipedia
The digital commons has become a common problem, clogged by disinformation, stripped of privacy and squeezed by insatiable shareholders. Online propagandists stoke violence, data brokers sway elections, and our most intimate personal information is for sale to the highest bidder. Faced with these difficulties, big tech is increasingly turning to Wikipedia for support.
You may not realise how ubiquitous Wikipedia is in your everyday life, but its open, collaboratively-curated data is used across semantic, search and structured data platforms on the web. Voice assistants such as Siri, Alexa and Google Home source Wikipedia articles for general knowledge questions; Google’s knowledge panel features Wikipedia content for snippets and essential facts; Quora contributes to and utilises the Wikidata open data project to connect topics and improve user recommendations.
More recently, YouTube and Facebook have turned to Wikipedia for a new reason: to address their issues around fake news and conspiracy theories. YouTube said that they would begin linking to Wikipedia articles from conspiracy videos, in order to give users additional – often corrective – information about the topic of the video. And Facebook rolled out a feature using Wikipedia’s content to give users more information about the publication source of articles appearing in their feeds.




Perspective. Hoist on their own petard? Sending junk mail to get me to authorize you to send me junk mail is probably not the best possible strategy.
No one is opening those emails about privacy updates, and marketers are getting nervous
  • The GDPR requires companies to send emails to people on their mailing list who have never bought anything, asking permission to keep emailing them.
  • Most Americans are not opening those emails, and some are using them to unsubscribe.
  • As a result, some email marketers stand to lose 80 percent of their marketing lists -- or face huge fines from the EU if they keep trying to email these people without permission.


Saturday, June 16, 2018

As expected.
Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.
Russia has long been said to keep the United States under a continuous barrage of cyber-attacks, and even attracted a series of sanctions following the hacking aimed at the 2016 presidential election, which was supposedly the doing of state-sponsored Russian threat actors.
Thus, it’s no wonder the Trump-Kim summit earlier this week was targeted as well, but the number of assaults coming from Russia is indeed impressive: 88% of the total number of observed cyber-attacks came from this country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.
“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.




The cost of a software hack.
In 2017, the U.S. hit Volkswagen with a $4.3 billion fine as part of the company’s plea agreement for violating the Clean Air Act. It was a rough ride for the automaker, caught using defeat devices on its diesel engines, but it brought the scandal more or less to a close in America.
An ocean away, it seemed nothing would come of the endless raids by German authorities on VW-owned facilities. Apparently, the wheels of justice just turn a little slower in Europe, as the automaker was fined 1 billion euros on Wednesday. It’s one of the largest financial penalties ever imposed on a company by German authorities.
According to Reuters, Volkswagen is not contesting the penalty. “Following thorough examination, Volkswagen AG accepted the fine and it will not lodge an appeal against it. Volkswagen AG, by doing so, admits its responsibility for the diesel crisis and considers this as a further major step toward the latter being overcome,” the automaker said in a statement.




This might work in classrooms! Do they really need one jammer per cell?
Federal officials: Prison cellphone jamming test a success
Federal officials say they conducted a successful test earlier this year of a jamming technology some hope will help combat the threat posed by inmates with smuggled cellphones.
A report obtained Friday by The Associated Press details the January 17 test of micro-jamming technology at a federal prison in Cumberland, Maryland. Officials say they were able to shut down phone signals inside a prison cell, while phones about 20 feet away worked normally.




I think this might be wise. (Not something I often say about California.)
California officials move to reject court ruling on coffee and cancer risk
California officials bucked a recent court ruling Friday and offered reassurance to concerned coffee drinkers that their fix won't give them cancer. The unprecedented action by the Office of Environmental Health Hazard Assessment to propose a regulation to essentially clear coffee of the stigma that it could pose a toxic risk followed a review of more than 1,000 studies published this week by the World Health Organization that found inadequate evidence that coffee causes cancer.
The state agency implements a law passed by voters in 1986 that requires warnings of chemicals known to cause cancer and birth defects. One of those chemicals is acrylamide, which is found in many things and is a byproduct of coffee roasting and brewing present in every cup of joe.
If the regulation is adopted, it would be a huge win for the coffee industry which faces potentially massive civil penalties after recently losing an 8-year-old lawsuit in Los Angeles Superior Court that could require scary warnings on all coffee packaging sold in California.
Judge Elihu Berle found that Starbucks and other coffee roasters and retailers had failed to show that benefits from drinking coffee outweighed any cancer risks. He had previously ruled the companies hadn't shown the threat from the chemical was insignificant.
… "The proposed regulation would state that drinking coffee does not pose a significant cancer risk, despite the presence of chemicals created during the roasting and brewing process that are listed under Proposition 65 as known carcinogens," the agency said in a statement. "The proposed regulation is based on extensive scientific evidence that drinking coffee has not been shown to increase the risk of cancer and may reduce the risk of some types of cancer."




Turning trash into treasure. Now that’s smart technology!
Chinese Smart Garbage Recycling Platform Xiaohuanggou Raises $164M Series A Round
… Founded in 2017, Dongguan, Guangdong-based Xiaohuanggou is owned by Paithink Group, an investment company that focuses on fintech. It places smart garbage recycling machines close to residential areas, hotels and business centers. With Xiaohuanggou’s app and WeChat mini-program, users can locate nearby recycling stations. The machine automatically weighs the garbage and pays users in cash.
Its recycling station has several machines for different types of waste, including paper, plastic, metal, waste textiles, glass and others. Its staff will then send the garbage to different specialized recycling organizations.




Perspective. The robots are already here! “Human! Fetch me a nice cup of WD40!”
In China, a picture of how warehouse jobs can vanish
JD.com, a Chinese e-commerce gargantuan, has built a big new Shanghai fulfillment center that can organize, pack and ship 200,000 orders a day. It employs four people — all of whom service the robots.




Perspective.
The supply chain is the heart of a company’s operations. To make the best decisions, managers need access to real-time data about their supply chain, but the limitations of legacy technologies can thwart the goal of end-to-end transparency. However, those days may soon be behind us. New digital technologies that have the potential to take over supply chain management entirely are disrupting traditional ways of working. Within 5-10 years, the supply chain function may be obsolete, replaced by a smoothly running, self-regulating utility that optimally manages end-to-end work flows and requires very little human intervention.
With a digital foundation in place, companies can capture, analyze, integrate, easily access, and interpret high quality, real-time data — data that fuels process automation, predictive analytics, artificial intelligence, and robotics, the technologies that will soon take over supply chain management.