Tuesday, September 30, 2014
For my Ethical Hackers. Something fishy here! According to their website, http://www.invocode.com/, law enforcement agencies use their software “to keep track of offenders on parole.” Corporations use it to monitor employee cellphone use. It appears that the marketing rather than the software functions are what is tipping this into “illegal” territory.
Spyware executive arrested, allegedly marketed mobile app for “stalkers”
The chief executive officer of a mobile spyware maker was arrested over the weekend, charged with allegedly illegally marketing an app that monitors calls, texts, videos, and other communications on mobile phones "without detection," federal prosecutors said.
The government said the prosecution [PDF] of Hammad Akbar, 31, of Pakistan, was the "first-ever" case surrounding advertising and the sales of mobile spyware targeting adults—in this case an app called StealthGenie.
“Selling spyware is not just reprehensible, it’s a crime,” Assistant Attorney General Leslie Caldwell said in a statement. “Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life—all without the victim’s knowledge."
… The app, which the government said took minutes to install, required "physical control" of the phone.
"The purchaser could then review communications intercepted from the monitored phone without ever again having physical control over the phone," the government said.
While parents may use surveillance software to monitor their minor children's mobile phones, InvoCode also marketed the spyware to "potential purchasers who did not have any ownership interest in the mobile phone to be monitored, including those suspecting a spouse or romantic partner of infidelity."
(Related) A review of mobile tracking Apps concludes, “StealthGenie – It simply isn’t worth the money!” Are they arresting the creators of the Apps that work better?
Mobile Tracking Software
(Related) Although these guys rate it at about the middle of the pack.
Phone Monitoring Software Companies Reviews - September 2014
Similar to Jimmy John's? Another case of “We don't know what happened. Oh, and before we forget completely, here one that happen earlier...”
Another Card System Hack at Supervalu, Albertsons
Card data of Supervalu and Albertsons shoppers may be at risk in another hack, the two supermarket companies said Monday.
The companies said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.
… The companies also disclosed a data breach in August. They said the two incidents are separate. Supervalu said that incident may have affected as many as 200 grocery and liquor stores. It said hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information.
That breach occurred between June 22 and July 17, and Supervalu said it immediately began working to secure that portion of its network. The companies said Monday that they are still investigating that incident and don't know if cardholder data was taken.
Definitely an article for my Intro to Computer Security students. (and not just because punctuation matters) As always, read it from the source.
We Take Your Privacy and Security. Seriously.
“Please note that [COMPANY NAME] takes the security of your personal data very seriously.” If you’ve been on the Internet for any length of time, chances are very good that you’ve received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, “It’s not you, it’s me.”
I was reminded of the sheer emptiness of this corporate breach-speak approximately two weeks ago, after receiving a snail mail letter from my Internet service provider — Cox Communications. In its letter, the company explained:
“On or about Aug. 13, 2014, “we learned that one of our customer service representatives had her account credentials compromised by an unknown individual.
… So, I called the number on the back of the letter, and was directed to Stephen Boggs, director of public affairs at Cox.
Boggs said that the trouble started after a female customer account representative was “socially engineered” or tricked into giving away her account credentials to a caller posing as a Cox tech support staffer. Boggs informed me that I was one of just 52 customers whose information the attacker(s) looked up after hijacking the customer service rep’s account.
The nature of the attack described by Boggs suggested two things: 1) That the login page that Cox employees use to access customer information is available on the larger Internet (i.e., it is not an internal-only application); and that 2) the customer support representative was able to access that public portal with nothing more than a username and a password.
Boggs either did not want to answer or did not know the answer to my main question: Were Cox customer support employees required to use multi-factor or two-factor authentication to access their accounts?
(Related) “Our security is so good, you can break it by 'accident.'”
Debra O’Connor reports:
State computer experts found no evidence of criminal activity when private student data was exposed on the website of a student loan program, according to the Minnesota Office of Higher Education.
“We did the big deep-dive security analysis and discovered, of all the log-ins to that site, there were only three that were unauthorized,” said communications director Sandy Connolly. An investigation showed that three students accidentally gained access to the information.
“We don’t have any evidence at all of any hacking,” Connolly said.
The office last week mailed letters to the 1,328 students who may have had their data viewed on the SELF student loan site, telling them how to protect their credit and how to get a copy of a report explaining the problem.
Read more on Pioneer Press.
Perhaps I'll grab a copy for my Computer Security or my Computer Forensics students to play with.
FBI Launches Malware Investigator Tool
At the Virus Bulletin conference that took place in Seattle last week, the FBI introduced a tool designed to provide users with detailed technical information on malware.
In 2011, the FBI deployed a tool called the Binary Analysis Characterization and Storage System (BACSS). The tool provides technical information on malware functionality, which investigators and incident responders can use in their activities.
Since BACSS has been a success, the FBI decided to develop Malware Investigator, an unclassified automated malware analysis tool that can be used not only by other law enforcement agencies which might need it for cybercrime investigations, but also by researchers trying to understand the threat landscape, and private sector partners seeking to improve their cyberattack mitigation capabilities.
A slideshow. If you want to learn a more about Privacy and the Internet of Things, join us on Friday, October 10th for this Privacy Foundation seminar: http://www.law.du.edu/documents/privacy-foundation/flyer-and-schedule.pdf
A Brief History of the Internet of Things
Over the last few years, the Internet of things has evolved from an intriguing concept into an increasingly sophisticated network of devices and machines. As more and more "things" get connected to the Internet—from Fitbit activity monitors and home lighting systems to industrial machines and aircraft—the stakes grow exponentially larger. Cisco Systems estimates that approximately 12.1 billion Internet-connected devices were in use in April 2014, and that figure is expected to zoom to above 50 billion by 2020. The networking firm also notes that about 100 things currently connect to the Internet every second, and the number is expected to reach 250 per second by 2020. Eventually, the IoT will encompass about 99 percent of all objects, which currently totals approximately 1.5 trillion things.
… Following is a brief timeline of important IoT events. - See more at: http://www.baselinemag.com/networking/slideshows/a-brief-history-of-the-internet-of-things.html?google_editors_picks=true#sthash.ocnyLXW3.dpuf
Typically, I would flag this for my Disaster Recovery students. In this case, I'm also adding a Homeland Security flag. Think of it as “target identification” for terrorists.
Air traffic meltdown puts FAA vulnerability in spotlight
Demands for answers and promises of technology breakthroughs bounced across Washington on Monday as the nation's air traffic control system continued its gradual recovery from the fire at an Aurora radar facility that has grounded thousands of flights since Friday.
And while experts commended the Federal Aviation Administration for launching an investigation into the alleged act of arson at the agency's Chicago Center facility, some also threw cold water on claims made Monday that a next-generation, satellite-based radar system could stifle another rogue attack.
… The debate about security and vulnerability at the nation's air traffic control facilities came amid ongoing efforts to repair the damage done at the Chicago station, which handles high-altitude air traffic in seven states.
The FAA's goal is to get Chicago Center fully functional by Oct. 13.
Is this as interesting as I think it is?
Defining Section 5 of the FTC Act: The Failure of the Common Law Method and the Case for Formal Agency Guidelines
To have a sitting FTC Commissioner criticizing his own agency is stunning – and refreshing. Jan M. Rybnicek, attorney advisor at the FTC, and Commissioner Joshua D. Wright have an article in George Mason Law Review, Vol. 21, No. 5, 2014, “Defining Section 5 of the FTC Act: The Failure of the Common Law Method and the Case for Formal Agency Guidelines.” And yes, it addresses the pro-common law argument advanced by law professors Daniel Solove and Woodrow Hartzog in their scholarly work.
Here’s the abstract:
As the Federal Trade Commission (“FTC” or the “Commission”) celebrates its 100th anniversary, it does so amid a renewed interest in finally defining what constitutes a standalone “unfair method of competition” under Section 5 of the FTC Act. For a century, the business community and agency staff have been without any meaningful guidance about what conduct violates the Commission’s signature competition statute. As consensus begins to build about the appropriate parameters of Section 5, some commentators have opposed articulating a principled standard for the application of the FTC’s authority to prosecute standalone unfair methods of competition for fear that doing so would too severely restrict the agency’s enforcement agenda. These commentators prefer for Section 5 to develop though the common law method, and point to the successful development of the traditional antitrust laws as evidence that the common law approach is the standard and preferred means for developing competition law. This Article discusses why, after a century-long natural experiment, it is clear that the common law method cannot be expected to define the scope of the FTC’s unfair methods of competition authority. This Article explains that the failure of the common law process in the Section 5 context is due to fundamental differences between the inputs and outputs associated with traditional litigation and those associated with Section 5 enforcement actions. In particular, this Article explains that Section 5 disputes have almost always been resolved through settlements and, unlike reasoned judicial decisions, that such settlements do not help the public distinguish between what conduct is lawful and unlawful and generally are not treated as binding precedent by the FTC. As a result, this Article argues that the Commission should issue formal agency guidelines to serve as a superior analytical starting point and finally give meaning and purpose to Section 5.
You can download the full article from SSRN.
Each Quarter, the faculty is reminded that we take a much more “risk averse” attitude. Actually, rather than a legal review, our librarians ask the copyright holder for permission.
Law Firm Copying and Fair Use: An Examination of Different Purpose and Fair Use Markets
by Sabrina I. Pacifici on Sep 29, 2014
Jones, D. R., Law Firm Copying and Fair Use: An Examination of Different Purpose and Fair Use Markets (September 29, 2014). South Texas Law Review, Vol. 56, No. 2, 2014 – Forthcoming; University of Memphis Legal Studies Research Paper No. 144. Available for download at SSRN: http://ssrn.com/abstract=2503089
“In several recent lawsuits, publishers sued law firms for copyright infringement. The lawsuits focused on making unlicensed copies of scholarly articles to file with patent applications, including copies for the firms’ internal use and for the firms’ clients. In two of these cases, lower court judges determined that the making of unlicensed copies was fair use. The decisions hinged on transformative use, focusing on the defendant’s purpose for using the works. There was no alteration or change in the works. The judges found fair use, despite the possible availability of licensing. These patent application cases fit within a larger category of cases involving the use of copyrighted works in judicial and quasi-judicial proceedings. This article uses these cases as a vehicle to review the use of purpose in fair use analysis. It advocates that the review of the character and purpose of a use should include a deeper examination of the policies and societal interests underlying the use. This broader consideration is especially important if a plaintiff asserts the presence of a ready market for the payment of fees for use of a copyrighted work. This article explores the determination of a fair use market as a way to support the unlicensed use of copyrighted works although a ready market exists for the payment of fees. These cases offer an excellent model for the analysis necessary to determine a fair use market.”
I'm sure there must be a use for this somewhere...
– is a word count and character counter tool. Basically put your cursor in the box and start typing. Word Counter will immediately count the number of words and characters when you type. You may copy and paste a doc you’ve already composed into the word counter box and it’ll display the word count and character count for that bit of writing.
An interesting test of political correctness. Can you avoid replacing the word “cultural” with any of the politically incorrect terms we're not supposed to use? (Me neither...)