Tuesday, September 18, 2018

And my students wonder why I don’t have a cellphone.
Report – Almost half of US cellphone calls will be scams by next year
Cision Newswire: “First Orion, a leading provider of phone call and data transparency solutions, today announced their inaugural 2018 Scam Call Trends and Projections Report, detailing the need for new, adaptive technologies to combat the exponential increase in scam calls. First Orion powers call protection solutions to tens of millions of mobile subscribers in the U.S. market and has carefully analyzed over 50 billion calls made to these customers over the past 18 months. By combining specific call patterns and behaviors with other phone number attributes, First Orion now predicts that nearly half of all calls to mobile phones will be fraudulent in 2019 unless the industry adopts and implements more effective call protection solutions. To combat this rapidly growing epidemic, First Orion will fully deploy its groundbreaking, in-network technology known as CallPrinting™—which quickly and accurately identifies new scam techniques and thwarts fraudulent calls—into a Tier-One U.S. carrier’s network this fall where the company projects it will significantly mitigate the volume of scam traffic beginning in the 4th quarter of 2018. Over the past year, First Orion’s data shows a drastic increase in mobile scam calls—from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019…”

Automated policing…
Artificial Intelligence and Policing: Hints in the Carpenter Decision
Joh, Elizabeth E., Artificial Intelligence and Policing: Hints in the Carpenter Decision (August 24, 2018). __ Ohio State Journal of Criminal Law __, 2018. Available at SSRN: https://ssrn.com/abstract=3238212
“In the 2018 Carpenter case, Chief Justice Roberts focuses on the quality of the information sought by the police as a means of deciding the case in Carpenter’s favor. Less obviously, however, the majority opinion also stresses the nature of the policing involved in Carpenter’s case: new technologies that do not just enhance human abilities. The majority makes no explicit claims about this focus. But the Carpenter decision reveals the Supreme Court’s first set of views on how it might evaluate police use of artificial intelligence. That contention, and the questions it raises, form the subject of this essay.”
[From the article:
In these ways the tools of artificial intelligence are changing the nature of policing itself.
Another way to think of this development is that policing is becoming increasingly automated.
Today the increasing interest in social network analysis, locational predictive policing, and threat analysis means that even the task of assessing suspicious behavior is subject to automation as well.
In finding that we possess Fourth Amendment protections in locational data even when recorded by third parties, the Court chose to describe the data collection technique in Carpenter as superhuman, passive, and automated. This is noteworthy: these descriptions also characterize the very technologies of artificial intelligence that are becoming more commonplace in policing.

UK Serious Fraud Office trialling AI for data-heavy cases
naked security – sophos: “The BBC says it looks like a kids’ digital game: a mass of blue and green rubber balls bounce around the screen like they’re on elastic bands in a galaxy of paddle balls. It’s no game, however. It is a new artificial intelligence (AI) tool that connects, and then visualizes, the parties and their interactions in a complex fraud inquiry. The UK’s Serious Fraud Office (SFO) recently gave the BBC a look at the system, called OpenText Axcelerate, which staff have been training on Enron: a massive corporate fraud case from 2001 that’s no longer actively being investigated. The lines between the colored balls represent links between two people involved in the fraud inquiry, including the emails they sent and received, the people they carbon-copied, and the more discreet messages in which nobody was cc’ed. SFO investigator Edgar Pacevicius told the BBC that a major advantage of the AI is that it can spot connections between individuals far more quickly than humans can. It’s designed to help investigators keep track of all the parties involved in a given, wide-scale fraud, with all their communications, along with individuals’ interactions with each other. The tool also groups documents with similar content, and it can pick out phrases and word forms that might be significant to an investigation…”

This should be useful.
LII Announces U.S. Constitution Annotated
U.S. Constitution Annotated – “This edition of the Congressional Research Service’s U.S. Constitution Annotated is a hypertext interpretation of the CRS text, updated to the currently published version. It links to Supreme Court opinions, the U.S. Code, and the Code of Federal Regulations, as well as enhancing navigation through search, breadcrumbs, linked footnotes and tables of contents… The content of the U.S. Constitution Annotated was prepared by the Congressional Research Service (CRS) at the Library of Congress, and published electronically in plaintext and PDF by the Government Printing Office. Dating back to 1911, the initial online annotations were published in 1992. This edition is a hypertext interpretation of the CRS text, updated to the currently published version. It links to Supreme Court opinions, the U.S. Code, and the Code of Federal Regulations, as well as enhancing navigation through linked footnotes and tables of contents. LII is grateful to Professor William Arms and the CS 5150 “Save the Constitution” team: Anusha Chowdhury, Garima Kapila, Tairy Davey, Brendan Rappazzo, and Max Anderson for their work on the project. Special thanks go to Josh Tauberer of GovTrack and Daniel Schuman of Demand Progress for their help with the data.”

I suppose that’s one way to save on your Christmas shopping.
A man is wanted by police after being filmed sending his daughter inside a BarBerCut Lite cabinet, where she was able to get her tiny hands on some prizes and retrieve them before the pair (and another child, believed to be the man’s son) left the scene.
… You can see footage of the incident, uploaded and modified by the Salem PD, below:

For my students.

Student researchers should look at these too.
10 Investigative Tools You Probably Haven’t Heard Of
Global Investigative Journalism Network: “Investigations, the saying goes, are just regular stories with a lot more labor put in. Investigative reporters spend inordinate amounts of time sifting through documents, verifying sources and analyzing data — and that’s if they can even get the data. As an investigative reporter with way too many stories I want to do, these are the tools I use to keep up with sources, stories and leads at a rapid rate. Let’s take a look at 10 of the best new tools for unearthing, accelerating, and keeping track of investigations…”

Monday, September 17, 2018

This is a new one.
Your Social Security Number isn’t suspended. Ever.
FTC.gov: “A caller says that he’s from the government and your Social Security Number (SSN) has been suspended. He sounds very professional. So you should do exactly what he says to fix things…right? Wrong. The FTC has gotten reports about scammers trying to trick people out of their personal information by telling them that they need to “reactivate” their supposedly “suspended” SSNs. The scammers say the SSN was suspended because of some connection to fraud or other criminal activity. They say to call a number to clear it up – where they’ll ask you for personal information. Thing is, Social Security Numbers do not get suspended. This is just a variation of a government imposter scam that’s after your SSN, bank account number, or other personal information. In this variation of the scheme, the caller pretends to be protecting you from a scam while he’s trying to lure you into one. … If someone has tried to steal your personal information by pretending to be from the government, report it to the FTC.”

I suspect this process is too labor intensive for social media. Automating the process isn’t easy either.
Satellite Images and Shadow Analysis: How The Times Verifies Eyewitness Videos
The New York Times, Understanding The Times series:
“Visual investigations based on social media posts require a mix of traditional journalistic diligence and cutting-edge internet skills. In an effort to shed more light on how we work, The Times is running a series of short posts explaining some of our journalistic practices. Read more of this series here. Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria. The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools…”

Extend this to an online site, with updates sent as new legislation is created, debated and approved.
50-state survey of social media privacy legislation
“Social media and related issues in the workplace can be a headache for employers. Seyfarth Shaw LLP’s Social Media Practice Group is pleased to provide you with an easy-to-use guide to social media privacy legislation and what employers need to know. The Social Media Privacy Legislation Desktop Reference 2017-2018:
  • Describes the content and purpose of the various states’ social media privacy laws.
  • Delivers a detailed state-by-state description of each law, listing a general overview, what is prohibited, what is allowed, the remedies for violations, and special notes for each state.
  • Provides an easy-to-use chart listing the states that have enacted social media privacy laws and the features of the law in all such states.
  • Offers our thoughts on the implications of this legislation in other areas, including trade secret misappropriation, bring your own device issues and concerns, social media discovery and evidence considerations, and use of social media in internal investigations.”

This is a common story. “Belief” overriding “science.”
Hard Words: Why aren’t kids being taught to read?
American Public Media Reports – “…The basic assumption that underlies typical reading instruction in many schools is that learning to read is a natural process, much like learning to talk. But decades of scientific research has revealed that reading doesn’t come naturally. The human brain isn’t wired to read. Kids must be explicitly taught how to connect sounds with letters — phonics. “There are thousands of studies,” said Louisa Moats, an education consultant and researcher who has been teaching and studying reading since the 1970s. “This is the most studied aspect of human learning.” But this research hasn’t made its way into many elementary school classrooms. The prevailing approaches to reading instruction in American schools are inconsistent with basic things scientists have discovered about how children learn to read. Many educators don’t know the science, and in some cases actively resist it. The resistance is the result of beliefs about reading that have been deeply held in the educational establishment for decades, even though those beliefs have been proven wrong by scientists over and over again. Most teachers nationwide are not being taught reading science in their teacher preparation programs because many deans and faculty in colleges of education either don’t know the science or dismiss it. As a result of their intransigence, millions of kids have been set up to fail….” [includes a Podcast]

'The Digital Revolution Has Introduced New Addictions.' Fortnite Is Being Cited in Divorce Cases
Fortnite apparently is not just a video game phenomenon. It seems it’s also a relationship killer.
According to Divorce Online, a U.K.-based “online divorce website”, the video game Fortnite: Battle Royale has been cited in at least 200 divorce petitions filed through the site since January. That’s about 5% of the divorce petitions the website received in the same period.
… In July, the free-to-access game passed the billion-dollar threshold through in-game sales alone, and some colleges are even starting to offer scholarships to top players.

The same story from two perspectives.
The Robot Takeover Is Coming: Machines Will Do Half Our Work by 2025
Machines and automated software will be handling fully half of all workplace tasks within seven years, a new report from the World Economic Forum forecasts.

A.I. and robotics will create almost 60 million more jobs than they destroy by 2022, report says
Machines will overtake humans in terms of performing more tasks at the workplace by 2025 — but there could still be 58 million net new jobs created in the next five years, the World Economic Forum (WEF) said in a report on Monday.
Developments in automation technologies and artificial intelligence could see 75 million jobs displaced, according to the WEF report "The Future of Jobs 2018." However, another 133 million new roles may emerge as companies shake up their division of labor between humans and machines, translating to 58 million net new jobs being created by 2022, it said.

Is this how Donald Trump learned that it is okay to lie as long as voters believe the lies?
Al Gore's claim about Hurricane Florence doused by scientists
Another climate-change claim by former Vice President Al Gore is coming under fire, this one involving Hurricane Florence.
Mr. Gore said Friday that two major storms from the Atlantic and Pacific oceans had never made landfall at the same time, referring to Hurricane Florence, the Category 1 hurricane that struck North Carolina on Friday, and Super Typhoon Mangkhut, which hit the Philippines early Saturday.
… “Al Gore just (fraudulently) claimed without any evidence that we’ve never had hurricanes in both the Atlantic and Pacific making landfall at the same time,” tweeted Mr. Maue, an adjunct scholar at the free-market Cato Institute.
University of Colorado Boulder meteorologist Roger A. Pielke Sr. also took issue with the claim by Mr. Gore, known for his 2006 climate-change film, An Inconvenient Truth, and the 2017 follow-up, An Inconvenient Sequel.
… Numerous articles and even books have been written fact-checking and challenging Mr. Gore’s climate predictions and pronouncements, including meteorologist Roy Spencer’s An Inconvenient Deception, and “Al Gore’s Science Fiction: A Skeptic’s Guide to an Inconvenient Truth,” a 154-page paper by the Competitive Enterprise Institute’s Marlo Lewis Jr.

In 601 days, President Trump has made 5,001 false or misleading claims

FEMA to test 'Presidential Alert' system next week
… Next Thursday, the Federal Emergency Management Agency will do its first test of a system that allows the president to send a message to most U.S. cellphones.
More than 100 mobile carriers, including all the major wireless firms, are participating in the roll out, FEMA stated in a message on its website posted Thursday.
"The EAS [Emergency Alert System] is a national public warning system that provides the President with the communications capability to address the nation during a national emergency," FEMA said.
… Users whose phones are on will twice hear a tone and vibration and then see an English-only (for now) message: "THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.”
… The test is supposed to take place at 2:18 p.m. EDT on Sept. 20. Under the Warning, Alert, and Response Network (WARN) Act of 2006, cellphone users cannot opt out of the presidential alerts.

Sunday, September 16, 2018

Why “error handling” is part of the security checklist.
A new CSS-based web attack will crash and restart your iPhone
Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.
The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that nesting a ton of elements — such as tags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.
“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

Someone should tell the FBI because this will allow them to grab the encryption key on laptops.
F-Secure Says Almost All Computers Are Vulnerable to New Cold Boot Attack
According to security firm F-Secure, almost every computer is vulnerable to this type of attack.
At the heart of this attack is the way computers manage RAM via firmware. Cold boot attacks aren’t new — the first ones came along in 2008. Back then, security researchers realized you could hard reboot a machine and siphon off a bit of data from the RAM. This could include sensitive information like encryption keys and personal documents that were open before the device rebooted. In the last few years, computers have been hardened against this kind of attack by ensuring RAM is cleared faster. For example, restoring power to a powered-down machine will erase the contents of RAM.
The new attack can get around the cold boot safeguards because it’s not off — it’s just asleep. F-Secure’s Olle Segerdahl and Pasi Saarinen found a way to rewrite the non-volatile memory chip that contains the security settings, thus disabling memory overwriting. After that, the attacker can boot from an external device to read the contents of the system’s RAM from before the device went to sleep.
Rather than letting computers go to sleep, F-Secure recommends using hibernation. Hibernation will clear encryption keys from RAM, but other files could still be at risk. Shutting your computer all the way off is still the best defense.

Should make for some interesting arguments.
New York sues U.S. to stop fintech bank charters
New York state’s top banking regulator on Friday sued the federal government to void its decision to award national bank charters to online lenders and payment companies, saying it was unconstitutional and put vulnerable consumers at risk.
… She said New York could best regulate those markets, but the OCC decision left consumers “at great risk of exploitation” by weakening oversight of predatory lending, allowing the creation of more “too big to fail” institutions, and undermining the ability of local banks to compete.
… OCC spokesman Bryan Hubbard said in an email that the regulator, part of the U.S. Department of Treasury, would vigorously defend its authority to grant national charters to qualified companies “engaged in the business of banking.”
Vullo’s complaint joins a slew of litigation from regulators in Democratic-controlled or -leaning states challenging Trump administration policies.
It seeks a declaration that the OCC exceeded its authority under the National Bank Act and violated the Constitution’s 10th Amendment by usurping state powers.

Saturday, September 15, 2018

Never a good idea?
FreshMenu Hid Data Breach Affecting 110,000 Users
FreshMenu, a food delivery provider based in India, has come under social media attack for keeping under wraps a data breach two years ago that exposed the personal information of over 110,000 users.
The incident originally was brought to light in 2016 by data breach tracker HaveIBeenPwned, which discovered that the breach exposed names, email addresses, phone numbers, home addresses, and order histories, the Times of India reported on Wednesday. That news report led to the strong response on social media.
Troy Hunt, who runs HaveIBeenPwned, says he had informed FreshMenu back in July 2016 that the breach had taken place, but the company decided not to notify impacted customers.
… But security practitioners say that even if payment information wasn't breached, the incident should have been promptly reported to those affected.
"Customers have every right to know what data of theirs has been compromised or leaked," says Rahul Sharma, founder of the Perspective, a firm which focuses on cyber policy. "This should be a practice followed by every company, and I feel a law addressing this issue must come out soon."
"Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is."

Unfortunately, minimal is the key word.
Catalin Cimpanu reports:
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company’s stock price, even if it’s somewhat minimal.
The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange (NYSE) that suffered and publicly disclosed breaches of one million records and over in the past three years.
Read more on ZDNet.
[From the article:
"In the long term, breached companies underperformed the market," the CompariTech team concluded in their report.
… Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock's NASDAQ performance indicator even after three years, in some cases.

The Cold War in the Internet Age. How close to the “trigger” are they willing to come?
German Troops Face Russian 'Hybrid War' in Lithuania: Merkel
German Chancellor Angela Merkel said Friday Berlin was boosting military cyber capabilities to respond to Russian hybrid warfare that is targeting its troops deployed on NATO's eastern flank.
"Here you are also confronted with a situation that represents another part of the Russian military doctrine: the idea of hybrid warfare," she told German troops stationed in Lithuania as part of a NATO force deployed to deter Russia.
NATO allies have accused Russia of using "hybrid warfare" techniques, including subversion, propaganda and cyber warfare, to undermine the West without triggering a full NATO military response.
Russia has repeatedly denied that it stages such attacks and has accused the US-led alliance of provoking an arms race.
… Soon after their arrival, German troops were subjected to false rape accusations while media reports said Moscow also targeted NATO soldiers' smartphones.

(Related) Follows the Russian pattern. (They also attacked the lab doing Olympic drug testing.)
Dutch 'Expelled Two Russian Spies Over Novichok Lab Plot'
Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.
The two agents, believed to be working for Russia's GRU military intelligence service, targeted the Spiez laboratory near Bern, Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger said.
At the time, Spiez was analysing data related to poison gas attacks in Syria, as well as the March 4 attack using the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter in Salisbury, they reported.
The laboratory does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog.

Interesting argument.
Carrie Goldberg and her law firm represent Matthew Herrick in Matthew Herrick v. Grindr LLC, a case that may shake things up with Section 230 of the CDA’s protections for platforms. Tor Ekeland Law, PLLC are co-counsel in the case.
Goldberg writes:
Our client, Matthew Herrick, was stalked and harassed by his ex-boyfriend through the Grindr app. The ex-boyfriend had created impersonating profiles to arrange sex dates with over a thousand men who came to Matthew’s home and workplace. Matthew reported it to Grindr over 100 times. He also got an Order of Protection and made criminal complaints against his ex, but the strangers kept coming. The impersonating profiles told them that Matthew had drugs to share and wanted to role-play rape fantasies. When our firm served Grindr’s team with a court order demanding they exclude Matthew’s ex from using their product, they said they didn’t have the technology to do so. They own the patent to geo-locating technology! And yet, they can’t screen users?!
We said, “If you can’t control your product, it’s dangerous.” So we, along with co-counsel Tor Ekeland Law, PLLC, sued Grindr using theories of products liability. This case challenges Section 230 of the Communications Decency Act (CDA), which tech companies claim exempts them from being liable for harm that happens on their platforms. The CDA, passed in 1995, was initially created to protect online bulletin boards from defamation cases. Over the last twenty-two years, the law has become broader and broader because of the way courts have interpreted it, granting protections to a broader array of internet service providers for a broader array of harmful activities.
Read more on her blog, where you can also download the relevant filings.

For future Computer Security classes.
Secureworks Launches New Security Maturity Model
Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to "research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment."
Secureworks is offering a complimentary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks' global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.
Further information, and a route map for attaining security maturity, can be found in a white paper titled '5 Critical Steps to a More Mature Security Posture' (PDF).

The price of entry into the China market?
Google built a prototype of a censored search engine for China that links users’ searches to their personal phone numbers, thus making it easier for the Chinese government to monitor people’s queries, The Intercept can reveal.
The search engine, codenamed Dragonfly, was designed for Android devices, and would remove content deemed sensitive by China’s ruling Communist Party regime, such as information about political dissidents, free speech, democracy, human rights, and peaceful protest.
Previously undisclosed details about the plan, obtained by The Intercept on Friday, show that Google compiled a censorship blacklist that included terms such as “human rights,” “student protest,” and “Nobel Prize” in Mandarin.

Facebook’s Crackdown on Misinformation Might Actually Be Working
… The study, released as a working paper Friday afternoon, examines how Facebook and Twitter users interacted with articles from 570 sites that have been identified by at least one credible source as a purveyor of “fake news”—that is, patently false, intentionally misleading, or hyperpartisan content. It finds that engagement on stories from those sites rose steadily on both Facebook and Twitter until shortly after the 2016 U.S. presidential election. Beginning in early 2017, however, those sites’ engagement began to drop off on Facebook—even as it kept rising on Twitter.
While the authors caution that the study is “far from definitive,” it’s noteworthy as perhaps the first large-scale empirical study that directly examines the efficacy of Facebook’s ongoing campaign against misinformation. Its findings could serve as a guidepost as the company continues to reckon with its influence on civil society.

(Related) On the other hand…
Tech’s New Problem: North Korea
North Korea operatives have sought to use U.S. technology and social media networks to evade U.S.-led sanctions and generate income, taking advantage of many of the same shortcomings that allowed Russians to interfere in the 2016 election.
Cloaking their identities, the North Koreans have been able to advertise jobs and find clients on job-search exchanges such as Upwork and Freelancer.com.

Dogbert suggests a message for my students.

Friday, September 14, 2018

Would this be an act of war?
Ever since the forced bankruptcy of the investment bank Lehman Brothers triggered the financial crisis 10 years ago, regulators, risk managers, and central bankers around the globe have focused on shoring up banks’ ability to withstand financial shocks.
But the next crisis might not come from a financial shock at all. The more likely culprit: a cyber attack that causes disruptions to financial services capabilities, especially payments systems, around the world.

This should make the Computer Security manager the CEO’s best friend!
One-Third of Data Breaches Led to People Losing Jobs: Kaspersky
Nearly one-third of data breaches suffered by companies around the world have resulted in someone losing their job, according to a study conducted earlier this year by Kaspersky Lab.
The cybersecurity firm has interviewed nearly 6,000 people across 29 countries for its annual Global Corporate IT Security Risks Survey. Respondents worked for companies of various sizes, including small businesses with less than 50 employees and major corporations with over 1,000 workers.
The study found that, globally, 31% of incidents led to employees being laid off. China was the country with the highest percentage of senior IT security staff being laid off as a result of a data breach. People holding a senior IT role lost their job in roughly one-third of cases, with similar percentages across the globe.
Kaspersky’s survey shows a significant difference in the chances of C-level executives and presidents losing their job over a data breach in various parts of the world. In North America, for instance, 32% of CEOs and other C-level managers were laid off following a data breach – this is the region where the C-suite is most likely to lose its job.
Companies in China, APAC and North America are also most likely to have problems with attracting new customers following a data breach, according to Kaspersky’s report.

Cyber attacks cost German industry almost $50 billion: study
Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion), according to a survey published by Germany’s IT sector association on Thursday.

Catch up to Colorado.
Report: Kansas Plans to Spend $4.6M on Election Security
The U.S. Election Assistance Commission released the Kansas plan for its share of the $380 million allocated by Congress to strengthen voting systems amid ongoing threats from Russia and others. Nearly all the other states had released plans for their election security grants last month, but Kansas had gotten an extension to turn in its report.
Nearly $1.07 million has been budgeted to ensure every voting machine in Kansas has a verifiable paper audit trail, according to the budget breakdown. The majority of counties in the state already have a paper-based system, Kobach said.

How would the government prove I knew the password to a device? (Easy to see how they would make the assumption if it was my phone.)
Orin S. Kerr, Compelled Decryption and the Privilege Against Self-Incrimination, forthcoming in the Texas Law Review, available at SSRN: https://ssrn.com/abstract=3248286.
This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock.
Orin had tweeted that he would welcome feedback on the article, particularly critical feedback from techies.

The State of the Digital Workplace 2018

Perspective. (Denver doesn’t look good on their graphic)
Buried under bodies
… Over a five-year period, each detective in Detroit has been tasked with solving an average of about eight new slayings annually — a caseload exceeding what policing experts say should be no more than five homicides per detective, per year.
Major police departments that are successful at making arrests in homicides generally assign detectives fewer than five cases annually, according to a Washington Post analysis of homicide caseloads in 48 cities, including Detroit.
The Post study found that departments with lower caseloads tended to have higher arrest rates, while departments with higher caseloads tended to have lower arrest rates — 39 of the 48 departments fell within that pattern.

This could be a game changer, but how does it know what you intended the program to do?
Facebook’s new ‘SapFix’ AI automatically debugs your code
Facebook has quietly built and deployed an artificial intelligence programming tool called SapFix that scans code, automatically identifies bugs, tests different patches and suggests the best ones that engineers can choose to implement. Revealed today at Facebook’s @Scale engineering conference, SapFix is already running on Facebook’s massive code base and the company plans to eventually share it with the developer community.

(Related) Soon, computers will do the programming based on vague requirements.
Microsoft acquires AI startup Lobe to help people make deep learning models without code
Microsoft today announced it has acquired Lobe, creator of a platform for building custom deep learning models using a visual interface that requires no code or technical understanding of AI. Lobe, a platform that can understand hand gestures, read handwriting, and hear music, will continue to develop as a standalone service, according to the company’s website.

I might find a use for this.
Voicepods - Automatically Turn Text Into Voice Recordings
Voicepods is a neat service that will create voice recordings based on the text that you write. Voicepods offers eight voices in which you can have your text read-aloud. The voice recording that is generated from your text can be listened to online and you can download it as an MP3 to use wherever MP3 playback is supported. Watch my video that is embedded below to learn how easy it is to make a voice recording on Voicepods.

Something to listen to?
Agility in the Age of the Cloud
September 14, 2018 Runtime 0:57:19
In this webinar, you’ll learn:
  • How we will all have to react in real time to ever-richer data flows
  • How the cloud can help to break down data and organizational silos
  • The potential impacts of cloud-based collaboration on product development and innovation
  • Which ethical questions the cloud creates, and how to think about them

Thursday, September 13, 2018

Another, “We forgot the default was No Security.”
Veeam Leaks 200 GB Customer Database, Goldmine for Phishers
A database containing 200 gigabytes of customer data, estimated to harbor around 445 million records, has been exposed online by backup and recovery company Veeam, thanks to an improperly secured server hosted on Amazon.
The database apparently contained names, email addresses, IP addresses, referrer URL addresses, customer organization size, and much more.
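The failure mode here is a datastore reachable from the whole Internet with whatever authentication it ships with (often none). The article does not say what software Veeam was running or how the server was configured, so the check below is an added example, not a description of Veeam's setup: it walks a list of security-group-style ingress rules (a simplified, hypothetical shape modelled on cloud firewall rules, with constructed sample data) and flags any rule that lets the entire IPv4 or IPv6 Internet reach a port commonly used by a database or cache.

```python
"""Added example: flag firewall ingress rules that expose common datastore
ports to the whole Internet. The rule dictionaries use a simplified,
hypothetical shape (group_id, from_port, to_port, cidrs) loosely modelled on
cloud security-group entries; from_port == -1 means "all traffic".
The sample rules are constructed for illustration only."""
import ipaddress

# Ports that datastores commonly listen on. Several of these products have
# shipped with no authentication enabled by default, which is why a
# world-open rule on them is a finding on its own.
DATASTORE_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch",
    6379: "Redis",
    5432: "PostgreSQL",
    3306: "MySQL",
    11211: "memcached",
}


def _is_world_open(cidr: str) -> bool:
    """True if the CIDR admits the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def _ports_in_rule(rule: dict) -> set:
    """Datastore ports covered by a rule's port range (-1 covers everything)."""
    lo, hi = rule["from_port"], rule["to_port"]
    if lo == -1:
        return set(DATASTORE_PORTS)
    return {p for p in DATASTORE_PORTS if lo <= p <= hi}


def find_exposed_datastores(rules: list) -> list:
    """Return sorted (group_id, port, service, cidr) tuples for every rule that
    lets any source address on the Internet reach a datastore port."""
    findings = []
    for rule in rules:
        for cidr in rule["cidrs"]:
            if not _is_world_open(cidr):
                continue
            for port in _ports_in_rule(rule):
                findings.append((rule["group_id"], port, DATASTORE_PORTS[port], cidr))
    return sorted(findings)


# Constructed sample rules (hypothetical security groups, not real ones).
SAMPLE_RULES = [
    # HTTPS open to the world is expected for a web tier: not a finding.
    {"group_id": "sg-app", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
    # A database port open to the world: the misconfiguration in question.
    {"group_id": "sg-db", "from_port": 27017, "to_port": 27017, "cidrs": ["0.0.0.0/0"]},
    # Same group, but restricted to an internal range: not a finding.
    {"group_id": "sg-db", "from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]},
    # "All traffic" from any IPv6 address: every datastore port is exposed.
    {"group_id": "sg-cache", "from_port": -1, "to_port": -1, "cidrs": ["::/0"]},
]

if __name__ == "__main__":
    for group, port, service, cidr in find_exposed_datastores(SAMPLE_RULES):
        print(f"{group}: {service} ({port}/tcp) reachable from {cidr}")
```

The check deliberately treats a world-open rule as a finding regardless of whether the service behind it has authentication turned on; the point of the story is that relying on the service's own default is exactly what goes wrong. In practice you would feed this the rules pulled from your cloud provider's API rather than a literal list.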

If you ask me, it’s a good thing.
U.S. Silently Enters New Age of Cyberwarfare
… This past month, buried beneath an ant mound of political scandal and news cacophony, President Trump set in motion a plan to gut Presidential Policy Directive 20, an Obama-era policy limiting the use of destructive offensive cyberweapons like Stuxnet. What exactly will replace PPD-20 remains clouded in uncertainty, but one thing seems clear: The military’s gloves are off. Without PPD-20, the U.S. military can now use hacking weapons with far less oversight from the State Department, Commerce Department, and intelligence agencies. A paper released earlier this year by U.S. Cyber Command, the hacking arm of the U.S. military, outlines a proposed policy of increased military intervention, and paints a landscape of nations under constant cyberassault. It’s not a stretch to say the removal of PPD-20 may fundamentally restructure the way America conducts war in cyberspace. Whether or not that is a good thing depends on whom you ask.

For my Computer Security students. Much of their work is ensuring that evidence (logs) exists! (And to stop nonsense like this when it doesn't!)
Lisa Joy reports:
An east-central Alberta woman feels vindicated after winning a wrongful termination case against a medical centre society where she worked as a receptionist. The woman claimed she was terminated without just cause and publicly humiliated. Red Deer Judge Andreassen agreed and awarded her $25,600 in compensation.
The Consort and District Medical Centre Society, months after terminating Sherri Galloway, claimed she violated privacy laws by viewing confidential patient medical records. Judge Andreassen, however, not only ruled there was no evidence to back up the board’s claims but also slammed their actions.
Read more on Red Deer Advocate.
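The lesson above is that an accusation of improper record access needs evidence that exists before the dispute starts, and that cannot be quietly edited afterwards. As an added example (not from the article, and not the medical centre's system, which the article does not describe), here is a small append-only access log in which each entry commits to the hash of the previous one, so that an entry can be neither altered nor removed without the verifier noticing. The user names, record identifiers and timestamps are constructed for illustration.

```python
"""Added example: a tamper-evident (hash-chained) log of who viewed which
record, plus a verifier and a query helper. All sample data is constructed."""
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's content fields. 'prev' is part of the hashed
    content, so every entry commits to its predecessor."""
    fields = {k: entry[k] for k in ("seq", "ts", "user", "record", "action", "prev")}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AccessLog:
    """Append-only log of record accesses."""

    def __init__(self):
        self.entries = []

    def append(self, ts: str, user: str, record: str, action: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "user": user,
                 "record": record, "action": action, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and re-walk the chain.
        Returns (True, None) if intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def accesses_by(self, user: str, record: str = None) -> list:
        """Entries for a user, optionally limited to one record: the question an
        investigator actually asks."""
        return [e for e in self.entries
                if e["user"] == user and (record is None or e["record"] == record)]


def build_sample_log() -> AccessLog:
    """Constructed sample: a receptionist and a clinician touching two records."""
    log = AccessLog()
    log.append("2018-06-01T09:02:11Z", "receptionist1", "patient-1042", "view-demographics")
    log.append("2018-06-01T09:05:40Z", "dr.smith", "patient-1042", "view-chart")
    log.append("2018-06-01T09:07:03Z", "receptionist1", "patient-2210", "schedule")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.accesses_by("receptionist1"):
        print(e["ts"], e["record"], e["action"])
    # Removing an entry after the fact breaks the chain at that position.
    del log.entries[1]
    print("after deletion:", log.verify())
```

Two design points. First, the chain only proves internal consistency; to stop someone rewriting the whole log from the start you also need to anchor the latest hash somewhere the log's administrators cannot change (periodically copied to write-once storage or signed by a separate service). Second, the log records what was accessed, not only that a session existed, because "she viewed confidential records" is a claim about specific records, and an empty query result is itself evidence.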

Are we at the point where “If you don’t Tweet, you won’t be counted?”
Researchers Are Now Turning to Twitter to Track Immigrant Migration
More than 250 million people migrated away from their birth country in 2017, according to the United Nations. However, tracking migration through surveys, like an official census, is costly and can take years to complete. To answer those concerns, researchers from the Institute for Cross-Disciplinary Physics and Complex Systems have developed a new method—tracking migration using data from the social media platform Twitter, which provides more frequent, nuanced, and perhaps more accurate information.

You hear that Russia? Let this be fair warning that we will definitely consider maybe doing something if you mess with us again.
Trump signs order to combat election interference
President Donald Trump has signed an executive order aimed at discouraging foreign countries and actors from tampering with U.S. elections, two top national security officials said in a conference call with reporters Wednesday.

(Related) So why don’t I have that warm fuzzy feeling?
Facebook ‘Better Prepared’ to Fight Election Interference, Mark Zuckerberg Says
… On Wednesday, Mr. Zuckerberg, Facebook’s chief executive, published a roughly 3,300-word blog post cataloging all the steps the company has taken.

Perspective. I see the same effort from my Chinese students
China Is Overtaking the U.S. in Scientific Research
… Qingnan Xie of Nanjing University of Science & Technology and Richard Freeman of Harvard University have studied China’s contribution to global scientific output. They document a rapid expansion between 2000 and 2016, as the Chinese share of global publications in physical sciences, engineering and math quadrupled. By 2016, the Chinese share exceeded that of the U.S.
Furthermore, the authors argue that these metrics -- which are based on the addresses of the authors -- understate China's impact. The data don't count papers written by Chinese researchers located in other countries with addresses outside China and exclude most papers written in Chinese publications. The researchers adjusted for both factors and conclude that Chinese academics now account for more than one-third of global publications in these scientific fields.

Keeping up.
Council for Economic Education
The Council for Economic Education is pleased to offer professional development webinars for teachers nationwide. The webinars cover multiple topics on how to integrate personal finance and economics in the classroom and create a fun learning experience for your students.
When you attend the webinar(s), you will leave with relevant lessons, resources and tools that can be implemented the next day. Also, New York State teachers earn one Continuing Education Unit (CEU) for each webinar. If you are interested, but cannot attend the live webinar, please register to get access to the archived version. You must attend a live webinar or listen to a recorded webinar for at least 45 minutes in order to receive a certificate.

For the Disaster Recovery toolkit.
12+ tools and resources useful during hurricanes and other disasters

Another source of classic science fiction. (And other genre)
PDF Books World

Wednesday, September 12, 2018

This could be very useful for future Computer Security classes. Since this is Finals week, it’s a bit late this quarter.
Clare Ward writes:
Once again, Verizon has opened the doors on the reality of a data breach with the launch of the Verizon 2018 Data Breach Digest (DBD) series, enabling businesses to read undisclosed stories from the company’s cyber-investigative vault.
The Data Breach Digest series puts cybercrime in context, outlining the (anonymized) specifics of data breaches and cybersecurity incidents for cyber defenders across all businesses to benefit from Verizon’s insights.
Cybercrime victims often believe they are the victim of an isolated attack; however, in reality this is not the case – thousands of companies experience data breaches or cybersecurity incidents every month. Unfortunately, most breaches are never publicly disclosed, preventing others from learning from the facts. This plays to the advantage of cybercriminals, enabling them to reuse successful breach tactics time and time again on new, unsuspecting organizations.
By opening up Verizon’s cybercrime files via the Data Breach Digest scenarios, we are offering a panoramic insider’s view of the cyber threat activities in an effort to share what we have seen with other organizations around the globe. Our hope is that we can learn together – and in doing so, better equip ourselves in the fight against cybercrime.
Read more on Verizon. As of today, here are the stories available, as described by Verizon:
  • Credential Theft – the Monster Cache: Credential theft is an increasingly common target for cybercriminals, but is actually relatively easy to prevent. This story outlines how the development of cyberattack models (which outline threat actor goals, capabilities, and methods) was combined with organization profiling to help organizations protect themselves against attack. This case demonstrates how an awareness of an attack vector common to the target’s specific industry could have prevented a major data breach.
  • Insider Threat – the Card Shark: For this case, Verizon experts conducted a Payment Card Industry (PCI) forensic investigation on unauthorized ATM withdrawals. What they found was a network and physical security structure flawed from start to finish. This case walks readers through the investigation to see the many process and policy challenges that enabled this attack.
  • Crypto-Jacking Malware – the Peeled Onion: Sometimes attackers care less about proprietary information and more about processing power. This incident demonstrated how a strong firewall can be undone with missed security patches, turning a client’s system into a stealthy cryptocurrency miner.
  • Third-Party Palooza – the Minus Touch: Digital forensics starts with the data – but what if there’s no data to be found? A blank hard drive and an uncooperative co-location data center starts the Verizon team on a hunt for the what/where – and what was done with it!

Much easier than the con in the movie.
Phishing Is the Internet’s Most Successful Con
… In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.

For my students.
The Ethics of Artificial Intelligence: An Interview of Kurt Long
… I am delighted to be interviewing Kurt Long about the topic of AI. Long is the creator and CEO of FairWarning, a cloud-based security provider that provides data protection and governance for electronic health records, Salesforce, Office 365, and many other cloud applications. Long has extensive experience with AI and has thought a lot about its ethical ramifications.

The pendulum swings again.
EU approves controversial Copyright Directive, including internet ‘link tax’ and ‘upload filter’
The European Parliament has voted in favor of the Copyright Directive, a controversial piece of legislation intended to update online copyright laws for the internet age.
The directive was originally rejected by MEPs in July following criticism of two key provisions: Articles 11 and 13, dubbed the “link tax” and “upload filter” by critics. However, in parliament this morning, an updated version of the directive was approved, along with amended versions of Articles 11 and 13. The final vote was 438 in favor and 226 against.
… The directive itself still faces a final vote in January 2019 (although experts say it’s unlikely it will be rejected). After that it will need to be implemented by individual EU member states, who could very well vary significantly in how they choose to interpret the directive’s text.
The most important parts of this are Articles 11 and 13. Article 11 is intended to give publishers and papers a way to make money when companies like Google link to their stories, allowing them to demand paid licenses. Article 13 requires certain platforms like YouTube and Facebook stop users sharing unlicensed copyrighted material.
Critics of the Copyright Directive say these provisions are disastrous. In the case of Article 11, they note that attempts to “tax” platforms like Google News for sharing articles have repeatedly failed, and that the system would be ripe to abuse by copyright trolls.
Article 13, they say, is even worse. The legislation requires that platforms proactively work with rightsholders to stop users uploading copyrighted content. The only way to do so would be to scan all data being uploaded to sites like YouTube and Facebook. This would create an incredible burden for small platforms, and could be used as a mechanism for widespread censorship. This is why figures like Wikipedia founder Jimmy Wales and World Wide Web inventor Tim Berners-Lee came out so strongly against the directive.

Clever yes, but computer wizards?
Street gangs turn to high-tech cybercrime to make a living
Street gangs are growing more sophisticated and moving into cyberspace. Following an extensive three-year investigation, the State of California Department of Justice arrested and indicted 32 suspects on 240 counts, including identity theft, fraud and hacking. The individuals are linked to criminal street gangs the BullyBoys and the CoCo Boys, California Attorney General Xavier Becerra announced this week.
In total, the suspects are charged with “63 counts of conspiracy to commit grand theft; 54 counts of hacking, computer access and fraud; 56 counts of grand theft; 59 counts of burglary; and eight counts of identity theft,” according to the press release.