Saturday, November 01, 2014
Sometimes it's a challenge to explain how companies detect a breach. For example, this seems to suggest the hackers took advantage of employees using the same passwords on both secure business and insecure non-business websites.
J.P. Morgan Found Hackers Through Breach of Road-Race Website
J.P. Morgan Chase & Co. discovered one of the biggest known cyber attacks to hit a U.S. bank in part due to a foot race the bank sponsors.
… because the intruders had used some of the same offshore servers to hack both the bank and the website of the J.P. Morgan Corporate Challenge, according to people familiar with the matter.
… But the new material also raises fresh concerns about the ability of companies and law-enforcement officials to fend off hackers driven to steal the personal financial details of consumers. Hackers were in the bank’s network for about two months undetected, only revealing themselves because of an apparent slip-up by the hackers and a report by a security vendor in early August.
… J.P. Morgan and its security vendors discovered the cache included information from the Corporate Challenge website, which is managed by an outside company and isn’t connected to the bank’s network. The bank says it doesn’t believe that the corporate challenge website was an entry point for hackers into the bank’s servers.
In August, bank executives led by Chief Operating Officer Matt Zames and Chief Information Security Officer Greg Rattray linked the race website breach back to several overseas I.P. addresses. Then they queried J.P. Morgan’s own network logs to see if there had been any communication with those addresses.
There were. The bank discovered that hackers had been in its system since at least June.
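The log check in the last paragraph, as an added illustration (not code from the article or the bank): take the attacker addresses recovered from one incident, search historical firewall logs for any contact with them, and report the earliest date and the internal hosts involved. The log format, addresses and netblock below are constructed for the example.

```python
"""Retro-hunt: correlate known attacker addresses against historical network logs.

Added example, not code from the article or from J.P. Morgan. The log format
and the addresses are constructed for illustration (documentation IP ranges).
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of firewall log lines (assumed syslog-like format):
# <timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port> bytes=<n>
SAMPLE_LOGS = """\
2014-06-03T02:14:09Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 bytes=18322
2014-06-03T02:16:41Z action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 bytes=512
2014-06-17T23:05:12Z action=deny src=203.0.113.45 dst=10.20.1.1 dport=22 bytes=0
2014-07-09T11:40:33Z action=allow src=10.20.7.88 dst=203.0.113.77 dport=80 bytes=904112
2014-07-30T04:01:58Z action=allow src=10.20.9.2 dst=192.0.2.130 dport=443 bytes=2048
this line is malformed and should be skipped
2014-08-02T19:27:03Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 bytes=7710
"""

# Indicators recovered from the *other* incident (the race-website breach in the
# article): single addresses plus a whole netblock. Constructed values.
INDICATORS = ["203.0.113.45", "203.0.113.77", "192.0.2.128/25"]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {
            "ts": ts,
            "action": fields["action"],
            "src": ip_address(fields["src"]),
            "dst": ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
        }
    except (ValueError, KeyError):
        # Malformed lines are skipped rather than aborting the whole hunt.
        return None


def compile_indicators(indicators):
    """Normalize a mixed list of single IPs and CIDR blocks into network objects."""
    return [ip_network(i, strict=False) for i in indicators]


def match_indicator(addr, networks):
    """Return the first indicator network containing addr, or None."""
    for net in networks:
        if addr in net:
            return net
    return None


def hunt(log_text, indicators):
    """Return (hits, summary): every log record touching an indicator, plus the
    earliest contact, bytes sent towards the indicators and the internal hosts."""
    networks = compile_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for side in ("src", "dst"):
            net = match_indicator(rec[side], networks)
            if net is None:
                continue
            direction = "inbound" if side == "src" else "outbound"
            internal = rec["dst"] if side == "src" else rec["src"]
            hits.append({**rec, "indicator": str(net), "direction": direction,
                         "internal": str(internal)})
            break  # one hit per record even if both ends match
    summary = {
        # "since at least June": the earliest logged contact bounds the dwell time
        "earliest": min((h["ts"] for h in hits), default=None),
        "bytes_out": sum(h["bytes"] for h in hits if h["direction"] == "outbound"),
        "internal_hosts": sorted({h["internal"] for h in hits}),
    }
    return hits, summary


if __name__ == "__main__":
    found, info = hunt(SAMPLE_LOGS, INDICATORS)
    for h in found:
        print(h["ts"].isoformat(), h["direction"], h["internal"], "->", h["indicator"])
    print(info)
```

The earliest hit is only a lower bound on dwell time: logs that were rotated away, or contact through an address not in the indicator list, will not appear.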
Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions
… the intrusion at the nation’s largest bank could have gone on for longer if not for a critical discovery by a Milwaukee security consulting firm that helped JPMorgan uncover the full extent of its breach. That firm, Hold Security, uncovered a repository of a billion stolen passwords and usernames that it said had been pilfered by a loose-knit gang of Russian hackers. The hackers, according to the consulting firm, had infiltrated more than 420,000 websites.
… The criminal database also included the certificate for the website of the Corporate Challenge site’s vendor, Simmco Data Systems, indicating a serious breach that allowed hackers to pose as the race website operator and intercept traffic, such as race participants’ login credentials, said a person briefed on the data the security firm collected.
… More disturbing, the stolen Simmco Data certificate was first compromised in April, suggesting that the hackers could have begun their attack on the bank at least four months before the bank noticed any unusual activity within its own network.
… The bank spends $250 million annually on security defense. But after the attack, Jamie Dimon, JPMorgan’s chief executive, said he was considering doubling that amount — an indication of the increasing threat from the attacks. [Spending vast amounts for half-vast security? Bob]
(Related) Could the same technique be used here? (Yes Bob, it could.) Definitely worth a read.
Feedback Friday: Hackers Infiltrate White House Network - Industry Reactions
… An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.
… Experts have pointed out that while the attackers breached an unclassified network, it doesn't necessarily mean that they haven't gained access to some useful data, even if it's not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.
And I just finished explaining to my Computer Security students that there are three ways you can securely identify people trying to access your systems. 1) by what they know, like a password. 2) by what they have, like a key or dongle. 3) by what they are, like fingerprints, facial recognition, etc. Looks like this ruling wipes out number 3.
Judge Rules Suspect Can Be Required To Unlock Phone With Fingerprint
… A Virginia Circuit Court judge ruled Tuesday that police officers cannot force criminal suspects to divulge cellphone passwords, but they can force them to unlock the phone with a fingerprint scanner.
If applied by other courts, the ruling could become important as more device makers incorporate fingerprint readers that can be used as alternatives to passwords.
… The Fifth Amendment to the U.S. Constitution gives people the right to avoid self-incrimination. That includes divulging secret passwords, Judge Steven C. Frucci ruled. But providing fingerprints and other biometric information is considered outside the protection of the Fifth Amendment, the judge said.
If Google says it, it must be true! I may want to add this to my Statistics class.
Google thinks it’s found a way to gather data on people using its products while also protecting their privacy.
… The project, called the “Randomized Aggregatable Privacy-Preserving Ordinal Response” or RAPPOR, “enables learning statistics about the behavior of users’ software while guaranteeing client privacy,” said Google security researcher Úlfar Erlingsson in a blog post.
RAPPOR uses a trick that randomly sends incorrect data from some users. The false data makes it difficult for Google to identify individual users, while still gathering general information.
Essentially, Google will be able to look at “the forest of client data … without permitting the possibility of looking at individual trees,” according to a paper Google will present on the project at a conference next week.
(Related) The Google Blog...
… We believe that RAPPOR has the potential to be applied for a number of different purposes, so we're making it freely available for all to use. We'll continue development of RAPPOR as a standalone open-source project so that anybody can inspect and test its reporting and analysis mechanisms, and help develop the technology. We’ve written up the technical details of RAPPOR in a report that will be published next week at the ACM Conference on Computer and Communications Security.
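The "randomly send incorrect data" trick in its simplest form, as an added example (not Google's RAPPOR code, which adds Bloom-filter encoding and a two-stage randomization on top of this): each client flips a coin before answering, the server undoes the expected noise in aggregate, and a single report stays deniable. The parameter name f and the functions are ours.

```python
"""One-bit randomized response: the idea underneath RAPPOR.

Added example. Not Google's implementation; a simplified scheme with the
same shape: clients randomize, the server corrects the aggregate.
"""
import math
import random


def randomize(true_bit, f, rng):
    """Client side: with probability f replace the true bit by a fair coin flip.

    The report equals the true bit with probability 1 - f/2, so no single
    report proves what the client actually has."""
    if rng.random() < f:
        return 1 if rng.random() < 0.5 else 0
    return true_bit


def estimate_proportion(observed_rate, f):
    """Server side: undo the expected noise to recover the population rate.

    E[report] = f/2 + (1 - f) * p, hence p = (observed - f/2) / (1 - f)."""
    if not 0 <= f < 1:
        raise ValueError("f must be in [0, 1)")
    return (observed_rate - f / 2) / (1 - f)


def privacy_epsilon(f):
    """Worst-case ratio P(report | bit=1) / P(report | bit=0) for one report,
    expressed as a log (the local differential-privacy budget of one bit)."""
    return math.log((1 - f / 2) / (f / 2))


def simulate(n, true_rate, f, seed=7):
    """Constructed population of n clients; returns truth, noisy observation
    and the corrected estimate so the reader can compare them."""
    rng = random.Random(seed)
    truth = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    reports = [randomize(b, f, rng) for b in truth]
    observed = sum(reports) / n
    flipped = sum(1 for b, r in zip(truth, reports) if b != r) / n
    return {
        "true_rate": sum(truth) / n,
        "observed_rate": observed,
        "estimate": estimate_proportion(observed, f),
        "flipped_fraction": flipped,  # expected f/2
    }


def repeated_reports_mean(true_bit, f, k, seed=11):
    """Failure mode: if the same client re-randomizes the same bit k times,
    the mean of its reports converges to 1 - f/2 or f/2 and the bit leaks.
    This is why RAPPOR memoizes a 'permanent' randomized answer per value."""
    rng = random.Random(seed)
    return sum(randomize(true_bit, f, rng) for _ in range(k)) / k


if __name__ == "__main__":
    print(simulate(20000, 0.3, 0.5))
    print("epsilon for f=0.5:", privacy_epsilon(0.5))
    print("one client, 2000 reports, bit=1:", repeated_reports_mean(1, 0.5, 2000))
```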
“It's not a bug, it's a feature!” Just ask any salesman.
Craig Timberg reports:
After security researcher Jeffrey Paul upgraded the operating system on his MacBook Pro last week, he discovered that several of his personal files had found a new home – on the cloud. The computer had saved the files, which Paul thought resided only on his own encrypted hard drive, to a remote server Apple controlled.
“This is unacceptable,” thundered Paul, an American based in Berlin, on his personal blog a few days later. “Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers – across all applications, Apple and otherwise.”
He was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.
Read more on Washington Post.
If Orin Kerr is right, there is a lot we don't know about new types of warrants.
Orin Kerr writes:
The Electronic Frontier Foundation published a report earlier this week alleging an astonishing increase in the use of sneak-and-peek search warrants. Sneak-and-peek searches are sometimes known as “covert searches” or “black bag jobs.” The government breaks into a home, conducts a covert search, and leaves no sign of entry until days or weeks later. According to the EFF report, such searches have become routine in the last few years:
First, the numbers: Law enforcement made 47 sneak-and-peek searches nationwide from September 2001 to April 2003. The 2010 report reveals 3,970 total requests were processed. Within three years that number jumped to 11,129. That’s an increase of over 7,000 requests. Exactly what privacy advocates argued in 2001 is happening: sneak and peek warrants are not just being used in exceptional circumstances—which was their original intent—but as an everyday investigative tool.
Sounds pretty bad, right? Well, not so fast. I fear EFF’s report may just misunderstand the significance of the annual “delayed notice warrant” report published by the Administrative Office of the U.S. Courts (AO). I suspect the numbers don’t mean what EFF thinks they mean.
Read more on WaPo's The Volokh Conspiracy.
When does free speech become propaganda? If I give you a forum, is that “material support?”
Over the past several months, there has been increasing focus on terrorist use of social media. In the immediate aftermath of the execution of reporter James Foley by ISIL in July, the State Department acknowledged that, along with the Department of Defense, it reached out to social media sites, specifically Twitter and YouTube, to alert them to accounts posting the execution video and related images in violation of the sites’ “own usage polic[ies].”
… 18 U.S.C. § 2339B, however, could provide the requisite legal authority, assuming the inquiry is limited only to accounts that purport to be or are clearly linked to FTOs (i.e. HSM Press, which is al-Shabaab’s media wing, or Andalus Media, the media wing of al-Qaeda in the Islamic Maghreb). Section 2339B outlaws “knowingly provid[ing] material support or resources to a foreign terrorist organization.”
(Related) Connecting a post to terrorists isn't going to be easy.
… The social media giant on Friday announced that it was launching a way for people on Tor, an online network that allows users to navigate the Web anonymously, to check their Facebook accounts. Facebook created a website with a “.onion” domain to allow anonymous Web servers to connect to the social network.
… “It’s important to us at Facebook to provide methods for people to use our site securely,” Muffett wrote in a Facebook post.
These will look like the sky-darkening swarms of passenger pigeons, but they will be much harder to drive to extinction.
Here Come the Swarming Drones
… Vijay Kumar, and the researchers in his General Robotics, Automation, Sensing, and Perception Lab (GRASP) are developing "swarms" of unmanned aerial vehicles (UAVs) that work in concert. These devices take hundreds of measurements each second, calculating their position in relation to each other, working cooperatively toward particular missions, and just as important, avoiding each other despite moving quickly and in tight formations. Kumar and his colleagues are using intel from Pratt's lab, particularly around how ants communicate and cooperate without any central commander, to make swarming UAVs even more autonomous.
I suspect there will be an entire industry built to mentor and support small businesses. Integration of tools like this will be fundamental as everyone with a mobile device asks, “What should I know about these guys before I do business with them?”
Respond to Reviews Instantly with 'Google My Business' App
Too busy to respond to customer reviews? Google wants to help. For busy business owners who use Google+ Local, there's now an easier way to connect with customers on the go.
Google announced this week new updates to the Google My Business app, which now lets businesses better engage with customers by allowing owners to respond to reviews anytime, anywhere from their mobile devices.
(Related) Do they all have similar Apps?
5 Influential Review Sites That Matter to Your Reputation
Are we that lonely? That desperate for companionship? That unable to put down the mobile device and talk to a real person?
The Typical Tinder User Spends 77 Minutes Tinding Every Day
… The average Tinder user spends an astonishing 77 minutes a day on the app, a spokesperson for the company told The Huffington Post. That's a lot of time, especially considering the app moves fast. Users are presented with dating profile after profile, and they swipe left if they're not interested and right if they are. If two people swipe right on each other, they match and connect via the app's chat function.
… By comparison Instagram users spend an average of 21 minutes a day on the photo-editing and sharing app.
Humor for me.
… The US Department of Education released the latest version of its “gainful employment” rules this week, pleasing nobody. No longer will career training programs be held accountable for their student loan default rates. They’ll just be judged on graduates’ debt-to-earnings ratios. About 1400 programs, mostly at for-profit schools, will be affected, meaning that if they don't meet these new guidelines, their students will not be eligible for federal financial aid. (More on this over on Educating Modern Learners. Free subscription required.)
… Stanford University and Dartmouth College issued an apology to Montana voters after a mailer they sent out about candidates on the state’s ballot.
… The upcoming E-learning and Digital Cultures MOOC has a “teacher bot” that “is programmed to automatically respond to tweets sent to the course hashtag, and designed to offer help and advice, or engage in conversation.” [Automating teachers? Bob]
… The ACLU and EFF are accusing a Tennessee school district of violating students’ rights with its new policy that “allows school officials to search any electronic devices students bring to campus and to monitor and control what students post on social media sites.”
… Francis Schmidt, who teaches at Bergen Community College, will not lose his job because of a photo he took of his daughter wearing a Game of Thrones t-shirt saying “I will take what is mine with fire & blood.” The school apparently interpreted this as a threat and in turn put him on leave, made him see a mental health counselor, then threatened him with suspension or termination.
… MIT’s Les Perelman, one of the leading critics of automated essay graders, writes that “The Educational Test Service (ETS) won’t let me continue to test a product that they are trying to sell to schools and colleges across America. Specifically, the company will not allow me access to the Automated Scoring Engine (AES) unless I agree to let them censor my findings.”
For all my students. (Includes a guide to TOR) Not yet(?) available for download as a PDF or eBook.
Journey Into the Hidden Web: A Guide For New Researchers
Amazing! Scott Adams has been in one of my classes! Must have been!
Friday, October 31, 2014
It's not just the breachee that pays the price. (Is “breachee” a word or should I call the Oxford dictionary people?)
Nicholas Ballasy reports:
The Home Depot data breach cost credit unions almost $60 million, nearly twice as much as the Target breach, according to survey results released by CUNA Thursday.
In the survey conducted from Oct. 1 to Oct. 24, 835 credit unions reported that 7.2 million credit union debit and credit cards were affected by the breach.
CUNA said the average cost for each violation was $8.02 per card due to fraud, reissuing cards and related costs.
Read more on CreditUnion Times.
It's not strange that drones are flying over their reactors, it's strange that they can't locate the pilots!
France Investigates Mystery Drones
France is currently investigating who has been flying drones over its nuclear power plants. Unmanned aerial vehicles (UAVs) have been spotted buzzing seven of France’s state-owned power plants in recent weeks, and the authorities don’t currently have a clue who is responsible.
The drones are commercial models, meaning this could literally be anyone. Greenpeace was accused of being involved, but has vehemently denied it’s behind the stunt. This raises security concerns for obvious reasons, but unless these drones are shot on sight it seems there is very little that can be done to stop them.
Tools for my Ethical Hackers. Of course this is easily prevented, but most organizations won't take that extra step.
"AirHopper" Malware Uses Radio Signals to Steal Data from Isolated Computers
A proof-of-concept malware developed by researchers at the Ben Gurion University in Israel shows that an attacker can transmit sensitive information from isolated computers to nearby mobile phones by using radio signals.
Numerous organizations have resorted to what is known as "air gapping" to secure their most sensitive information. This security method can be efficient because the protected devices are isolated from the Internet, which makes them difficult to compromise.
… The researchers have demonstrated that data exfiltration from an isolated device is possible via radio signals captured by a mobile device. The proof-of-concept malware they have created, dubbed "AirHopper," uses the infected computer's graphics card to emit electromagnetic signals to a nearby mobile phone that's set up to capture the data.
… The attack has four main steps: getting the piece of malware onto the isolated computer, installing malicious code on one or more mobile phones, setting up a command and control (C&C) channel with the infected mobile device, and transmitting signals emanated by the isolated computer back to the attacker.
For my Computer Forensics students. Won't work on all encryption (not at all on Codes) but might prove useful.
Cora Currier and Morgan Marquis-Boire report:
When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.
We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”
Read more on The Intercept.
(Related) How big a problem is encryption? Encryption was used in 1.15% of the wiretaps (41/3576), and it kept the messages secure about 22% of the time (9/41). So encryption was a real concern 0.25% of the time (9/3576). One quarter of 1 percent!
Wiretap Report 2013
… The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges.
… The number of state wiretaps in which encryption was encountered increased from 15 in 2012 to 41 in 2013. In nine of these wiretaps, officials were unable to decipher the plain text of the messages. Encryption was also reported for 52 state wiretaps that were conducted during previous years, but reported to the AO for the first time in 2013. Officials were able to decipher the plain text of the communications in all 52 intercepts.
This could impact several areas of Computer Security.
NIST Releases Guide for Threat Intelligence Sharing Efforts
The National Institute of Standards and Technology (NIST) is seeking public comment on a draft paper outlining ways to help organizations improve threat intelligence sharing.
The paper, titled 'Guide to Threat Information Sharing', is aimed at providing guidance for improving the effectiveness of cyber-security efforts through strong information sharing practices.
… "When deciding what incident-related information to share with other organizations, the following factors should be considered: risk of disclosure; operational urgency and need for sharing; benefits gained by sharing; sensitivity of the information; trustworthiness of the recipients; [and the] methods and ability to safeguard the information," the report notes.
One to watch...
200 Organizations Take Part in Largest European Cybersecurity Exercise to Date
Today, the European Union Agency for Network and Information Security (ENISA) is conducting the biggest and most complex European cybersecurity exercise to date.
According to the agency, more than 200 organizations and 400 experts from a total of 29 European Union and EFTA countries will participate in Cyber Europe 2014, a large-scale event that's organized every two years. The exercise takes place at several centers all over Europe and is coordinated from a central control center.
… Participants will be presented with over 2,000 incidents, including defacements, data theft, denial-of-service (DoS), intelligence and media reports on malicious cyber operations, and attacks on critical infrastructure. The goal is to test not only the procedures and capabilities of each participant, but also the effectiveness of cooperation in the European Union.
Here's another example Scott Peppet (CU Law Professor) can add to his list.
Jennifer Baker reports:
In response to public outcry via Twitter and personal blogs on Wednesday, the Samaritans have announced an opt-out function for their stalker-friendly app Samaritans Radar.
Samaritans Radar automatically scans the tweets of anyone the user follows and alerts subscribers to potentially suicidal tweets based on “trigger phrases”. However well-meaning the intention, many Twitter users were quick to point out that there were huge privacy implications, not to mention the creepy effect: “The people you follow won’t know you’ve signed up to it and all alerts will be sent directly to your email address,” according to the Samaritans website.
Read more on The Register.
Perspective. (and a business opportunity!)
The False Promise of Anonymity – CDT
Sarah St.Vincent and Alex Bradshaw: “In recent weeks, multiple apps promising “secret” messaging have had sensitive data exposed by breaches and the apps’ not-so-secret data-sharing practices. This news makes one thing clear: the term “anonymity,” as used by apps that ostensibly enable individuals to post updates anonymously, often promises too much. Many applications promising anonymity collect highly specific user data despite representations to the contrary. Often, this data is monetized through sharing with third-parties and it is almost always susceptible to unauthorized access. The Whisper incident is an example of this misrepresentation of anonymity. After the Guardian reported that popular messaging app Whisper shares users’ IP addresses with government entities, Whisper conceded that this was true. However the app maintains that the service “does not collect nor store any personally identifiable information (PII) from users and is anonymous.” This position is puzzling for two reasons: first, Whisper’s exclusion of IP addresses from its definition of PII directly contradicts federal authorities’ interpretation of the term – NIST includes IP address in its definition of PII – and secondly, despite how “PII” is defined, simply refraining from collecting PII does not guarantee anonymity.”
Ethical problems or merely bad public relations? I read this as “Cool it! You're making it difficult for us to give you the 'Big Brother' powers you've been asking for.”
The head of the Senate Judiciary Committee is “increasingly concerned” with the way that federal agents are carrying out investigations, he told Attorney General Eric Holder on Thursday.
Sen. Patrick Leahy (D-Vt.) wrote to Holder in response to news that the Drug Enforcement Administration (DEA) used a woman’s identity to create a Facebook profile without her knowledge and that the FBI planted a fake Associated Press article on a phony Seattle Times website.
“Such tactics carry ethical and legal risks,” the longtime senator told Holder.
“Tactics such as these may ultimately prove counter-productive if they erode the public’s trust in the judgment and integrity of law enforcement officers.”
… On Thursday, he also said that officials should commit not to impersonate news organizations, days after news emerged that the FBI used a fake AP story to insert a bug into the computer of a teenager suspected of calling in bomb threats at their school.
… In his letter, Leahy noted that news about the controversial investigations comes as the FBI is seeking to expand its ability to hack into people’s computers.
… The recent stories are not helping the FBI’s case in that matter, Leahy indicated.
Amusing. Does not seem to work exactly as advertised.
WSJ Database for constituents to explore composition of Congressional representation
“The U.S. House of Representatives was envisioned as a house of the people, directly elected by voters and reflecting their will. But what if Congress also reflected its constituents’ demographics? Explore how members of the House compare with residents of each of the 435 congressional districts, based on the predominant characteristics within each. Then see how your district stacks up.”
The United States lags behind other nations when it comes to Internet speeds and prices, according to a Thursday report.
The Open Technology Institute's report evaluated prices and speeds of home broadband Internet from 24 cities around the world, including eight in the United States.
The study, which tracks with past studies and other recent data, found similar gaps for mobile broadband service as well.
… The report found that U.S. cities with publicly owned networks, like Chattanooga or Lafayette, have speeds far exceeding cities with only traditional Internet service providers like Verizon, AT&T or Comcast. [I've advocated public networks for years! Bob]
Was this their strategy all along? With a Starbucks on every corner, delivery will be no big deal. (Think of the British “Tea lady”)
Starbucks to deliver food and coffee in 2015: Howard Schultz calls it ‘e-commerce on steroids’
… Starbucks CEO Howard Schultz announced that the company plans to begin delivering food and beverages in select cities in the second half of next year, part of a larger effort by the Seattle coffee company to conquer the mobile payments arena.
“Imagine the ability to create a standing order of Starbucks delivered hot or iced to your desk daily,” Schultz said in a conference call with analysts.
Might be fun for our Design students. (I doubt Obama as the Grinch would win)
The White House is hosting a 3D printing contest to see who can design the best holiday ornament.
The contest will run through Nov. 10 and only requires contestants to submit a design rather than create and print out their entry, the White House Office of Science and Technology Policy said Thursday, announcing the contest.
Thursday, October 30, 2014
I get it. The FBI is afraid they will not be able to keep up with the crooks if they have to follow the current rules. The new rule would allow a magistrate to issue a warrant (good anywhere) that allows them to hack into any suspect computer. Once this is on the books, what would be next?
Ed Pilkington writes:
The FBI is attempting to persuade an obscure regulatory body in Washington to change its rules of engagement in order to seize significant new powers to hack into and carry out surveillance of computers throughout the US and around the world.
Civil liberties groups warn that the proposed rule change amounts to a power grab by the agency that would ride roughshod over strict limits to searches and seizures laid out under the fourth amendment of the US constitution, as well as violate first amendment privacy rights. They have protested that the FBI is seeking to transform its cyber capabilities with minimal public debate and with no congressional oversight.
The regulatory body to which the Department of Justice has applied to make the rule change, the advisory committee on criminal rules, will meet for the first time on November 5 to discuss the issue. The panel will be addressed by a slew of technology experts and privacy advocates concerned about the possible ramifications were the proposals allowed to go into effect next year.
Read more on The Guardian.
(Related) Something is missing from this story. What judge would issue a warrant based on a video obtained this way?
A lawsuit alleges that FBI agents shut off internet access to three Las Vegas villas and then posed as repairmen to gain access to the houses.
The agency was investigating the residents of the houses — located at a luxury hotel — for their suspected involvement in online sports betting.
Defense attorneys for the men who were charged in the betting case said FBI agents used the tactic despite the opposition of an assistant U.S. attorney.
… Posing as technicians, they recorded video that was later used to obtain a warrant to arrest the residents.
Worth reading and thinking about.
Digital Life in 2025
The world is moving rapidly towards ubiquitous connectivity that will further change how and where people associate, gather and share information, and consume media. A canvassing of 2,558 experts and technology builders about where we will stand by the year 2025 finds striking patterns in their predictions.
… In their responses, these experts foresee an ambient information environment where accessing the Internet will be effortless and most people will tap into it so easily it will flow through their lives “like electricity.” They predict mobile, wearable, and embedded computing will be tied together in the Internet of Things, allowing people and their surroundings to tap into artificial intelligence-enhanced cloud-based information storage and sharing.
(Related) A graphic novel explaining Big Data (and the Internet of Things) for the complete novice.
Terms of Service
For my Computer Forensics students. What happens when a reporter calls your CEO asking for confirmation? You better have a plan.
Both Kelly Jackson Higgins and Brian Krebs had columns yesterday on a report by Allison Nixon of Deloitte on how to vet a data dump. The report should be required reading for journalists as the reputation harm that can occur by publishing or repeating false claims of a hack can be significant. While many will immediately think of Dropbox’s recent attempt to reassure users they had not been hacked, remember that Dropbox was also in the news earlier this year over a claimed hack that was not a hack at all.
Regular readers know that this blog and DataLossDB.org instituted policies of attempting to verify breach claims with the breached entity before publishing claims of a breach by anonymous hackers or hacktivists. It’s been a useful policy. Although it may delay publication of “news,” it reduces the risk of falsely reporting an entity has been compromised when they haven’t been. Unfortunately, not all entities respond to inquiries or requests, often leaving us with a “Go – No Go” decision to make. The techniques Nixon describes are not foolproof (see the discussion of “combolists”), but it’s a lot better than just repeating claims without investigation.
Brian has kindly uploaded a copy of the report here (pdf).
Wednesday, October 29, 2014
I would be shocked if this hadn't happened regularly. Clearly, hackers (including the Russians) have the tools and techniques needed and the White House is quite high on the “bragging list.” Are they jumping to the conclusion it was Russia?
Hackers Breach White House Computer System
The White House's unclassified computer network was recently breached by intruders, a US official said Tuesday, with The Washington Post newspaper reporting that the Russian government was thought to be behind the act.
… The Washington Post quoted sources as saying hackers believed to be working for the Russian government were believed to be responsible. [So, contractors? Bob]
(Related) Another “of course they are” article. Apparently breaking into unsecured civilian phones makes the North feel competent.
South Korea Spy Agency Says North Hacking Smartphones
North Korea attempted to hack tens of thousands of South Korean smartphones this year, using malware disguised in mobile gaming apps, the South's spy agency said in a report submitted to parliament this week.
The National Intelligence Service said more than 20,000 smartphones may have been infected by the apps that were posted on South Korean websites between May and September.
… The North is believed to run an elite cyber war unit of at least 3,000 personnel, but it has denied any involvement and accuses Seoul of fabricating the incidents to fan cross-border tensions. [Their standard reply Bob]
I'll survey my Computer Security students tonight.
Kashmir Hill writes:
The generally accepted trade-off on the Internet is that you give up your privacy to get free stuff. It’s summed up by a frequently repeated adage, “If you’re not paying for it, you’re the product.” But sometimes you’re paying for it, and you’re still the product. Verizon and AT&T customers are paying an (often steep) monthly bill, but the payment doesn’t ensure privacy. Researchers say the carriers are inserting a unique code into customers’ browser requests to help serve up personalized ads. The way they are doing it makes you trackable by the sites you visit, third party ad networks, or, of course, the NSA, even if you take measures to protect your privacy, such as clearing your cookies.
Wired reports that it was first discovered by digital rights group EFF. Kenn White, a security consultant, created a site where mobile users can find out whether their phone is broadcasting the tracking code.
Read more on Forbes.
[From the article:
You can check it out here; the tracker is turned on for you if you see a bunch of letters and numbers after “Broadcast UID.”
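Something for tonight's survey that students can run themselves. The article above describes the carrier adding a unique code to each browser request; Kenn White's site works by echoing back the headers a server actually receives. Below is an added echo-and-check server in the same spirit. It is my own example, not Kenn White's code and not from the article. The header names it treats as known (X-UIDH for Verizon, X-ACR for AT&T) come from public reporting at the time, not from the article; the entropy threshold, the benign-header list and the sample request are assumptions I constructed for illustration.

```python
"""Echo a request's headers and flag carrier-injected identifiers (added example)."""
import math
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names reported in 2014 to carry a per-subscriber identifier added by
# the carrier's proxy to plaintext HTTP requests (from public reporting, not the article).
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr"}

# Non-standard headers whose values are opaque but expected (assumed list).
BENIGN_NONSTANDARD = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip", "x-request-id"}

# Constructed sample of what a phone's plaintext request might look like after
# passing through a carrier proxy; the X-UIDH value is made up.
SAMPLE_REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "Mozilla/5.0 (Linux; Android 4.4)"),
    ("Accept", "text/html"),
    ("X-UIDH", "MTIzNDU2Nzg5MDEyMzQ1NmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6"),
    ("X-Forwarded-For", "203.0.113.7"),
]


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_identifier(value):
    """Opaque token: long, no spaces, high per-character entropy (assumed threshold)."""
    v = value.strip()
    return len(v) >= 16 and " " not in v and shannon_entropy(v) >= 3.5


def find_tracking_headers(headers):
    """Return {header name: reason} for headers that look like injected identifiers.

    `headers` is an iterable of (name, value) pairs as received by the server.
    Known carrier headers are flagged by name; other X- headers are flagged
    when their value looks like an opaque identifier.
    """
    findings = {}
    for name, value in headers:
        lname = name.lower()
        if lname in KNOWN_TRACKING_HEADERS:
            findings[name] = "known carrier tracking header"
        elif (lname.startswith("x-") and lname not in BENIGN_NONSTANDARD
              and looks_like_identifier(value)):
            findings[name] = "non-standard header carrying an opaque identifier"
    return findings


def render_report(headers):
    """Plain-text page: every received header, then the verdict."""
    findings = find_tracking_headers(headers)
    lines = [f"{name}: {value}" for name, value in headers]
    verdict = ", ".join(f"{k} ({why})" for k, why in findings.items()) or "none"
    lines += ["", "Injected identifiers: " + verdict]
    return "\n".join(lines)


class EchoHandler(BaseHTTPRequestHandler):
    """Serves the report for whatever headers the client's request carried."""

    def do_GET(self):
        body = render_report(list(self.headers.items())).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print(render_report(SAMPLE_REQUEST_HEADERS))      # offline demo on the constructed request
    print("serving on http://127.0.0.1:8000/ over plain HTTP (Ctrl-C to stop)")
    HTTPServer(("127.0.0.1", 8000), EchoHandler).serve_forever()
```

Two points to draw out in class: the server must be reached over plain HTTP from the phone's cellular connection (not Wi-Fi), because the injection happens in the carrier's path; and the same fact is the mitigation, since a proxy cannot add headers inside a TLS connection, so sites served only over HTTPS never see the identifier at all. Clearing cookies does nothing here, exactly as the article says, because the tracking value never lived on the phone.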
Perhaps we'll see similar reports from all 50 states?
Attorney General Kamala D. Harris Releases Data Breach Report; 18.5 Million Californians’ Personal Information Put at Risk
LOS ANGELES – Attorney General Kamala D. Harris today released the second annual report detailing the 167 data breaches reported to the Attorney General’s office in 2013 that impacted 18.5 million Californians by putting their personal information at risk. The report is accompanied by recommendations from the Attorney General for consumers, businesses and lawmakers on how to protect against data breaches and prevent them in the future.
… In 2013, the number of reported data breaches increased by 28 percent, from 131 in 2012 to 167 in 2013. The number of Californians whose records were affected increased by over 600 percent, from 2.5 million in 2012 to 18.5 million in 2013. This increase was largely due to two massive retailer breaches at Target and LivingSocial, each of which put the personal information of approximately 7.5 million Californians at risk.
… The full Data Breach 2013 report is available here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?
Sort of a mini-background check? Would it creep you out to know they did this to you?
– Make a killer impression on whoever you’re meeting. Charlie combs through 100’s of sources and automatically sends you a one-pager on everyone you’re going to meet with, before you see them. Be the one they remember by talking about things that truly matter to them. You’ll know what makes them tick, what you have in common, and the critical insights on their company that your competitors won’t.
Perspective. Somewhat simplistic, but interesting.
When It Goes Down, Facebook Loses $24,420 Per Minute
Cheaper than drones and no piloting skills required. What does Ohio really use them for?
The Ohio State Dept. of Transportation has loaned the “eye in the sky” to Pennsylvania, according to IBT and CBS.
No mention of what/how much the balloon records or for how long the data are being retained for people who may be incidentally surveilled in the process of searching for Eric Frein.
[From the IBT article:
The balloon had been scanning Ohio prisons for potential fugitives [Huh? Bob]
Terrific analysis and commentary by Daniel Solove, on LinkedIn.
The joy of BYOD. So, my little Computer Security minions, how do you control this?
Heck, that’s not a dirty little secret. It’s widely known as a problem, but I guess VentureBeat editors were looking to sex up the headline.
Mark Sullivan reports:
Hospital caregivers typically bring their own mobile devices to work and use them to share clinical and care coordination information with other members of their multidisciplinary care team. It’s a practice that screams “HIPAA violation.”
Much of this information is transmitted via text messages or multimedia SMS. This can even include images.
Read more on VentureBeat.
Similar to setting up a phoney Facebook page for a 'sting?'
June Williams reports:
The FBI used a fake Seattle Times article and Internet link to infect a high school bomb-threat suspect’s computer with spyware, an ACLU technologist said Monday.
Documents obtained by the Electronic Frontier Foundation show the FBI made up a news story about the threats, used an AP byline and emailed a link “in the style of the Seattle Times” to the suspect’s MySpace account. When he clicked on the link, agents were able to track his IP address. [Couldn't they have subpoenaed the IP address from MySpace? Bob]
The Seattle Times appeared unaware of the ruse, and editor Kathy Best said she was “outraged.”
Read more on Courthouse News.
Interesting. Is this for parents to monitor their children or for anyone to monitor anyone? If you have the app and fail to take action, is there liability? Why doesn't the app call (or text) 911? Will this become mandatory? This one is only Twitter, but expect Facebook and Google Mail and everyone else to jump on similar Apps.
Twitter wants to tell you if your friends are suicidal
Samaritans Radar is a new Twitter app designed to warn users whether their connections online are at risk of suicide.
Predominantly aimed at those aged 15 to 35, the free app works by using a specially designed algorithm to monitor the tweets of those in people's network. If it finds specific keywords or phrases that throw up red flags that a person may be struggling to cope...
… The app will then send an email alert to a Twitter connection, which will include a link to the tweet that raised the alarm. That person will then be offered guidance on the best way of providing support to the tweeter.
(Related) Google search inside your body!
Google scientists to find 'hidden' cancer via nanoparticles
In pioneering research, a Google life sciences team - which has two senior Indian-origin researchers - is set to find signs of deadly diseases like cancer by sending 'nanoparticles' into the bloodstream of a person and then getting the results via a wearable device.
… "Every test you ever go to the doctor for will be done through this system," Andrew Conrad, head of the Life Sciences team at the Google X research lab, was quoted as saying at a WSJ conference.
The tiny "nanoparticles" will be delivered via a pill.
… According to Conrad, the firm will not collect or store medical data itself but will license the technology to others. [So they will publish the API to help me hack in Bob]
“It's a no brainer! They fly, so we'll regulate them like aircraft (except for blimps). No need to ask anyone if they see things differently.” Did the DHS pressure the FAA? OMG!
FAA Criminalizes Use Of Drones Near Stadiums, Violators Could Face Up To A Year In Jail
Flying drones or model planes near or over sports stadiums and auto race tracks could land operators in jail, the Federal Aviation Administration, or FAA, warned in a notice, The Associated Press, or AP, reported Tuesday. This is reportedly the first time that the use of drones has been criminalized in the United States.
… The notice is "another attempt by the FAA to impose legal restriction on drones or model aircraft that never existed before,” Brendan Schulman, a New York-based attorney, who represents several drone operators said, according to AP.
… The FAA reportedly stated that the restriction was being imposed for security reasons.
However, Schulman reportedly said that he did not believe that such restrictions would in any way help prevent terrorist attacks. The prohibition reportedly applies to nearly 150 stadiums in the U.S.
Sports teams too have expressed concerns over the new restrictions as drones are used for photographing and recording games, Kenneth Quinn, a former FAA general counsel who also has voiced concerns over the drone restrictions, said, according to AP. Quinn added that the teams wanted permission from the FAA to allow the use of drones by them to record practice sessions for future training.
(Related) Of course, this is not a drone.
A flying camera ... on a leash
As clear as mud. Does this look like a strategy or political tactics?
Streaming TV companies might soon play by cable’s rules — and that’s a good thing
As Americans begin watching more of their TV online, federal regulators want to even the playing field to make new Internet startups — such as the recently announced CBS streaming app or Aereo — more competitive next to their bigger rivals in the cable and satellite business.
A new proposal being circulated around the Federal Communications Commission would do just that. In a blog post Tuesday, FCC Chairman Tom Wheeler acknowledged that consumers are being forced to "buy channels they never watch."
… When the FCC gets around to voting on the proposal, the result could mean being able to mix and match video sources more easily.
… But the FCC proposal leaves out several of the most well-known video streamers -- Netflix and Amazon Instant Video. This may be a confusing distinction – after all, what's really the difference between CBS's streaming app and Hulu? The agency has said it distinguishes apps like CBS All Access because it provides programming on a schedule, while the Netflixes of the world offer shows on demand. But analysts have said what's really going on here is that the agency does not want to pull Web-based services such as Hulu into its orbit because of the political minefield surrounding the regulation of Web companies.
But there's another big benefit to the FCC proposal. Wheeler argued that the move would also help companies trying to break into the broadband market. These firms, such as Google Fiber, could focus on just building super high-speed connections without having to worry about being treated like a cable company. Currently they are being forced to pay a fee for video programming that travels over their pipes. According to Google, those costs are the single biggest thing holding Google Fiber back.
So it looks like the customers (and the researchers) were right, despite all the denials.
AT&T Accused of Deceiving Smartphone Customers With Unlimited Data Plans
Three years ago, AT&T warned smartphone customers with “unlimited” data plans that their connections might be slowed if they used a lot of data. On Tuesday, the Federal Trade Commission said AT&T’s disclosure was deceptive because it was not specific enough.
The commission filed a federal lawsuit against AT&T on Tuesday, saying the company had misled customers by slowing the connections of people with unlimited plans after they used more than two gigabytes of data in a month.
For some of the people who hit that threshold, the F.T.C. said, downloads were slowed by as much as 95 percent, essentially making their smartphones unable to gain access to the Internet or use certain apps.
“AT&T promised its customers unlimited data, and in many instances it has failed to deliver on that promise,” said Edith Ramirez, chairwoman of the agency. “The issue here is simple: ‘Unlimited’ means unlimited.” [What a concept! Bob] The commission, which does not have the power to impose fines, said it would seek “millions of dollars” in restitution for consumers.
It's not renting, it's borrowing. Funny she has never heard of this before.
Rent eBooks & Audiobooks for FREE
I spend way too much money on books! This year, I made a concerted effort to get more books from the library to help my budget. On my first visit to a local library, [That explains why she didn't know about borrowing Bob] I learned that they used Overdrive to rent eBooks and audiobooks! So now, I can check out eBooks and audiobooks from home and read them on my iPad! Overdrive allows you to rent eBooks, Audiobooks, and even video straight from your local library! There are no fees associated with this service. All you need is a library card!
To see if your library partners with Overdrive, simply make a quick search on their site. You can then create an Overdrive account using your library card. Download the App onto your Computer, iOS, or Android device and you’re ready to start checking out material! The nice thing about an Overdrive account is that you can sync your content across devices! Never lose your spot on your eBook or Audiobook! When your rental expires, it automatically goes back to the library, so no late fees!
I have a couple students writing books. Perhaps they could use this?
– is a reader-powered publishing platform for new, never-before-published books. It’s a place where readers help decide if a book gets published. Selected books will be published by Kindle Press and receive 5-year renewable terms, a $1,500 advance, 50% eBook royalty rate, easy rights reversions and featured Amazon marketing.