Saturday, November 29, 2014
This is kind of a big deal. Sit at home and install malware on credit card readers anywhere this company has clients? Sounds like a major hole to me.
Bill Smith reports:
Parking service provider SP Plus says its equipment at Evanston’s three downtown municipal parking garages was hacked to steal credit card data from drivers.
In a statement issued today, SP Plus says that the three Evanston garages, along with 10 more in Chicago and four in other cities, were affected by the security breach.
It says its payment card vendor notified it early this month that an unauthorized person had used that company’s remote access tool to connect to computers that process payment cards in the garages and install malware on the systems to steal the card data.
Read more on Evanston Now.
[From the article:
The company says the security breach at the Evanston garages started on Oct. 8 and that the last at-risk dates were Oct. 26 at the Church Street Garage, Nov. 1 at the Sherman Plaza Garage and Nov. 10 at the Maple Avenue garage. [Late notice again? Why? Bob]
If you have no idea what happened to your “security,” you could look for a way to spin the story to promote your latest movie. Next they'll claim the “Hacked by #GOP” translates to the “Geeks of Pyongyang!”
Sony Pictures Suspects North Korean Hand Behind Cyberattack
Sony Pictures still has no idea who is behind the catastrophic attack that rendered its company-wide computer system useless on Monday, but the company is not ruling out the possibility that hackers from North Korea, possibly operating out of China, are behind the attack.
Re/code cites people familiar with the matter who say that Sony is investigating this particular line of thinking because of "The Interview", a soon-to-be-released comedy film about the assassination of North Korean leader Kim Jong-Un. The film, which stars actors Seth Rogen and James Franco, features two journalists who win a one-in-a-million interview with Kim Jong-Un, played by Randall Park. The journalists are then enlisted by the CIA to kill the North Korean leader.
As Kim Myong-chol, director of the Center for North Korea-U.S. Peace, told the Daily Telegraph after seeing the film's trailer, Kim Jong-Un is not happy about being the target of an assassination attempt in a movie and warns that those behind "The Interview" will suffer "merciless retaliation". [It may appear that way to the managers at Sony! Bob]
Includes some security “Best Practices.” (Perhaps we should send a copy to Sony?)
Internet Security Threat Report 2014
… This year’s ISTR once again covers the wide-ranging threat landscape, with data collected and analyzed by Symantec’s security experts. In this summary, we call out seven areas that deserve special attention…
… If 2011 was the year of the breach, then 2013 can best be described as the Year of the Mega Breach. The total number of breaches in 2013 was 62 percent greater than in 2012 with 253 total breaches. It was also larger than the 208 breaches in 2011. But even a 62 percent increase does not truly reflect the scale of the breaches in 2013. Eight of the breaches in 2013 exposed more than 10 million identities each.
“Hey! I see you have added a “smart refrigerator” to your kitchen! I also notice that your Veggie-to-Beer ratio is a bit low.” My Ethical Hackers will be pleased that they no longer have to stumble upon the devices they hack.
Search engine for the Internet of Things
“Thingful® is a search engine for the Internet of Things, providing a unique geographical index of connected objects around the world, including energy, radiation, weather, and air quality devices as well as seismographs, iBeacons, ships, aircraft and even animal trackers. Thingful’s powerful search capabilities enable people to find devices, datasets and realtime data sources by geolocation across many popular Internet of Things networks, and presents them using a proprietary patent-pending geospatial device data search ranking methodology, ThingRank®. If you are concerned about asthma, find out about any air quality monitors in your neighbourhood; somebody working with a Raspberry Pi can find others round the corner using the same computing platform; if you notice a ship moored nearby, discover more about it by tracking it on Thingful, or get notified of its movements; a citizen concerned about flooding in a new neighbourhood can look up nearby flood monitors or find others that have been measuring radiation. You might even watch the weekly movements of a shark as it explores the oceans. The possibilities are unbounded! Thingful also enables people and companies to claim and verify ownership of their things using a provenance mechanism, thereby giving them a single web page that aggregates information from all their connected devices no matter what network they’re on, in categories that include health, environment, home, transport, energy and flora & fauna. Users can also add objects to a Watchlist in order to keep track of them, monitor their realtime status and get notifications when they change. [What a great tool for stalkers! Bob] Some of the well-known Internet of Things services that Thingful currently indexes include Weather Underground, Smart Citizen, the UK Met Office Weather Observations Website, and Netatmo, as well as others like Thingspeak, Air Quality Egg, The International Soil Moisture Network and The Sea Turtle Conservancy.”
Interesting (and huge) report.
Measuring the Information Society 2014
“The MIS Report, which has been published annually since 2009, features key ICT data and benchmarking tools to measure the information society, including the ICT Development Index (IDI). The IDI captures the level of ICT developments in 166 economies worldwide and compares progress made during the last year.
… The 6th edition of the ITU Measuring the Information Society (MIS) Report was launched on November 24th, in Tbilisi, Georgia, at the World Telecommunication/ICT Indicators Symposium (WTIS) 2014.”
For the Game Club database of “All Things Game!”
5 Sites For The Mario Lover In Us
My industry, God help me...
… The US Department of Education announced a plan to “strengthen teacher preparation.” The new guidelines, writes The Chronicle of Higher Education, “would require states to evaluate teacher-training programs based, in part, on how many of their graduates get and keep jobs and how much their graduates’ future students learn. Only programs deemed effective by their states would be eligible to award Teach Grants, which provide students with up to $4,000 a year.” [So best case we evaluate the education teaching students received based on the income of their students. Isn't that looking at what happened 5 or 10 years ago? Bob]
… Students in Finland will no longer learn handwriting, but will learn typing skills instead. I look forward to the responses from those who hail Finland as the model for all education reforms.
… Khan Academy has partnered with the Metropolitan Museum of Art.
Don't have much trouble with my Math classes...
7 Good Resources for Avoiding, Preventing, and Detecting Plagiarism
Thanks to an email from a kind reader I discovered that a couple of the resources about plagiarism that I reviewed in the past are no longer as good as they once were. Therefore, I have created this updated collection of resources for teaching students how to avoid plagiarism, as well as resources for preventing and detecting plagiarism.
Education is the best prevention:
Purdue's OWL website is the number one place I refer students and parents to for questions not only about plagiarism, but also for questions about all parts of the writing process.
A Magical Guide to Avoiding Plagiarism is an infographic guide created by Kate Hart. A Magical Guide to Avoiding Plagiarism uses a Harry Potter theme to succinctly explain to students when and why they need to properly cite the sources of their information. I've embedded the infographic below, but I encourage you to visit Kate Hart's blog post about it as she goes into more depth on the topic of plagiarism.
Plagiarism.org, produced by the same people that produce the commercial plagiarism detection software Turn It In, has a free learning center for students and teachers. Plagiarism.org's learning center includes tips about avoiding plagiarism, definitions of plagiarism, and explanations of when you do or do not have to cite a reference. Plagiarism.org also hosts two recorded webinars addressing the topic of plagiarism in schools and how teachers can educate their students about plagiarism.
Tools and methods for detecting plagiarism:
The first thing I do when I want to check a student's work for plagiarism is to do a quick search on Google. If you notice that a student has strung together some phrases that you don't think they've written, put the suspected phrase inside quotation marks and search. You may also want to search on Google Scholar.
Plagiarism Checker, created as a project at the University of Maryland, is an easy-to-use tool for detecting plagiarism. Simply enter a chunk of text into the search box and the Plagiarism Checker will tell you if and from where something was plagiarized.
Paper Rater is a free service designed to help high school and college students improve their writing. Paper Rater does basic spelling and grammar checks, but the real value of Paper Rater is that it tells students if their papers have elements of plagiarism. Paper Rater scans students' papers then gives students an estimate of the likelihood that someone might think that their papers were plagiarized.
Friday, November 28, 2014
Russia's Economy Ministry: 'We Will Not Collapse!'
The Russian Economy Ministry just tweeted a bizarre quote from Economic Development Minister Alexei Ulyukayev. On its official account on Twitter the ministry posted a picture of the minister alongside a quote saying — "We will not collapse!".
Still something fishy here. Word is, this was an inside job.
Sony Pictures sheds no light on hacking
… Sony, the Japanese entertainment and electronics group, offered few details on what progress it was making with fixing the computer problems at its US unit, which is closed for the Thanksgiving holiday.
… Some reports suggested the data contain PDF files of passports, visas and other documents belonging to cast and crew members working on Sony productions.
A “Forrest Gump Moment” (stupid is as stupid does). Are managers really this ignorant? Definitely something for my Computer Security students to read.
This is your bank, please verify your details – No, you verify YOUR details!
… The problem with this exchange was that it set off a heap of the typical scam signals. I’ve dealt with more than my share of them in the past so I have a bit of sense of how these things normally go down and those signals include:
- Call by an unlisted number: clearly scammers don’t want to be identified.
- Long delay on connect after picking up: typical of a cheap VOIP connection.
- Foreign accent, particularly from a developing nation: especially prevalent with scams run out of India and beyond most foreign governments’ reach.
- Establishing a sense of urgency: claiming to be your bank is always going to make people sit up and pay attention (is my money alright???)
- Requesting information before establishing identity: asking for address or other personal info.
Some of these may be unavoidable in a legitimate query, but a combination of multiple signals should immediately put you on high alert.
Tools & Techniques for my students.
How To Sync Any Files To Your Smartphone Or Tablet Without The Cloud
… Sure, there are hacks that let you sync your entire Dropbox with Android, but with BitTorrent Sync, the process is easy: just set up the app and your files will sync whenever both your computer and your mobile device are on.
I too have access. Now all I need is time.
Create Cloud Based Presentations With Microsoft’s PowerPoint Destroyer Sway
Sway is a novel tool for building cloud based presentations. Sway offers a rapid design experience, focusing on the collation of images, text, and video, sourced from the web or your computer. It’s a canvas for your ideas, quick to create, and easy to share.
… Sway is part of Microsoft’s Office Online collection. Unlike PowerPoint, a Sway presentation has no borders, page breaks or slides...
… PowerPoint is continually criticised for its stale, dusty environment. Meanwhile, web based contenders are on the rise. Prezi presides over an estimated 50 million userbase. SlideShare engages another 58 million individual users per month. That’s 108 million people Microsoft are hoping to attract with Sway.
This infographic is for my students, who will get to it when they get to it.
15 Ways To Beat Procrastination
Thursday, November 27, 2014
...and a Happy Thanksgiving to you, EU. So now you can argue with two companies (Go and Ogle?)
The European Parliament Just Voted To Break Up Google
The European Parliament has passed a historic vote to break up US tech giant Google.
The EU doesn't actually have the power to break up the company, but it does send a message to Google that the EU is unhappy with its business practices.
… The European Parliament has never voted to break up a company before, making this a historic decision.
If I read this correctly (and I often do not) this is signaling that Kim Jong-un is on shaky ground and could suffer a fatal attack of gout at any time.
North Korea reveals Kim Jong-un’s sister’s top role in ruling party
North Korea has revealed that leader Kim Jong-un’s younger sister is a senior official in the ruling Workers’ Party, strengthening analysts’ views that she is an increasingly important part of the family dynasty that runs the country.
State media on Thursday referred to Kim Yo-jong as a departmental vice director within the party’s Central Committee.
For my Computer Security class.
Twitter wants to spy on the other mobile apps you download - here's how to stop it
Twitter is to start monitoring the other apps that you download to your mobile phone and use that data to help sell advertising.
The company says it’s about making a "more personal Twitter experience for you" so that it can deliver "tailored content that you might be interested in".
Twitter will only collect the list of names of apps you install - your "app graph" data - rather than the content within those apps, but it’s still a little creepy.
… Thankfully, Twitter has made it easy to opt out.
If you are using Twitter for Android
You need to go into settings, tap the account you’d like to adjust and under “other” you can adjust the setting to "tailor Twitter based on my apps".
If you are using Twitter for iOS
Go into settings, find the account you want to change and, under Privacy, you can change the setting to "tailor Twitter based on my apps".
Of course they do. (It's for the patients!) If they could guarantee security, this would not be an issue. So far, they haven't convinced me they even think about security.
Joseph Conn reports:
The American Medical Informatics Association is asking Congress to amend a central federal healthcare privacy rule, in order to give medical researchers access to patient records without their consent.
A see-saw battle has been waged at the federal policy level for more than a decade over patient consent regarding medical records, with patient privacy advocates arguing that control over information about one’s self is the definition of privacy.
So, not surprisingly, a leading privacy advocate reacted negatively to the AMIA request.
“It’s shocking that they don’t have enough data yet, they’re going after more?” said Dr. Deborah Peel, a psychiatrist who heads the Patient Privacy Rights Foundation in Austin, Texas. “We completely support the opinion that every research use should be disclosed to the patient.”
Read more on Modern Healthcare.
It’s not just disclosure, of course, that’s at issue. It’s also the issue of consent or at the very least, the right to opt out of use of PHI.
This blogger believes that Congress should not amend HIPAA to permit research use of PHI without patient consent.
For my Ethical Hackers. A nice summary!
Are Your Home Security Cams Being Streamed Online Without Your Knowledge?
Reports broke earlier this month about a website that was live streaming footage from more than 70,000 Internet connected security cameras. In the past few days, the media reports have gotten hysterical with the Daily Mail reporting — and I use that word loosely — that Russians spy on UK families via their webcams. This particular website has now been removed but the security threat is not gone.
I’ve looked into it, talked to a security expert and worked out some of how the supposed hack occurred.
All the cameras on the website were broadcasting their feed online because they were designed to do so.
… According to the site’s now-removed FAQ the cameras were found with what Kev calls “Google hacking”. Many of the affected cameras’ webpages include things like “live feed” and the camera model in the title tag. By using advanced search operators such as intitle: it’s possible to find all of these pages that have been indexed by Google.
… Google finds sites by following links. If Google can’t find links to a site it can’t index it. All the affected cameras’ webpages ended up on Google. This means that, for some reason, there is a link somewhere on the Internet pointing to the camera’s webpage.
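As an added example (not code from the article or from the site it describes, and not a scan of anyone else's devices), here is a stdlib Python check you can run against your own camera's HTTP response to see whether it shares the traits that made those feeds findable: a fingerprintable title tag, no noindex signal, and content served before any authentication challenge. The sample responses are constructed for this example, and the fingerprint word list is an assumption, not something the article supplies.

```python
"""
Audit one HTTP response from a device's web front-end for the traits
the article describes: a <title> that leaks "live feed" or a model name
(easy prey for an intitle: query), no noindex signal, and the feed
served without any authentication.  All sample data below is
constructed for this example; nothing here was captured from a real
device.
"""
from html.parser import HTMLParser

# Assumed title words that make a device page easy to find with
# "intitle:"; extend with your own model strings.
TITLE_FINGERPRINTS = ("live feed", "live view", "ip camera", "netcam", "webcam")


class _PageFacts(HTMLParser):
    """Collect the <title>, any robots meta tag, and whether a password
    field exists (a sign the page is a login form rather than the feed)."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.robots = ""
        self.has_password_field = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit(status, headers, body):
    """Return the set of exposure findings for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    page = _PageFacts()
    page.feed(body)
    title = " ".join(page.title.split()).lower()
    findings = set()

    # A title that names the product or says "live feed" is what the
    # intitle: searches keyed on.
    if any(word in title for word in TITLE_FINGERPRINTS):
        findings.add("TITLE_FINGERPRINT")

    # A 200 with no noindex (meta tag or X-Robots-Tag) is indexable once
    # any link to it exists.
    noindex = "noindex" in page.robots or "noindex" in h.get("x-robots-tag", "").lower()
    if status == 200 and not noindex:
        findings.add("INDEXABLE")

    # Content returned without an HTTP auth challenge and without a
    # login form means the feed itself is open.
    if status == 200 and "www-authenticate" not in h and not page.has_password_field:
        findings.add("UNAUTHENTICATED")
    return findings


def intitle_query(title):
    """Build the intitle: query the article describes from a page title,
    to check whether your own device's page is already indexed."""
    tokens = [t for t in title.split() if any(c.isalnum() for c in t)]
    return 'intitle:"' + " ".join(tokens) + '"'


# Constructed sample responses: (status, headers, body).
EXPOSED = (
    200,
    {"Content-Type": "text/html"},
    "<html><head><title>NetCam Live Feed - EX-1000</title></head>"
    "<body><img src='/video.mjpg'></body></html>",
)
HARDENED = (
    401,
    {"Content-Type": "text/html",
     "WWW-Authenticate": 'Basic realm="camera"',
     "X-Robots-Tag": "noindex, nofollow"},
    "<html><head><title>Login</title></head><body>Unauthorized</body></html>",
)
LOGIN_FORM = (
    200,
    {"Content-Type": "text/html", "X-Robots-Tag": "noindex"},
    "<html><head><title>NetCam Live Feed</title></head>"
    "<body><form><input type='password' name='pw'></form></body></html>",
)

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED), ("login form", LOGIN_FORM)):
        print(name, sorted(audit(*sample)) or "clean")
    print(intitle_query("NetCam Live Feed - EX-1000"))
```

The check is a heuristic: it reads one response, so it cannot tell you whether a link to the device exists anywhere (the precondition for indexing the article mentions), and a device that shows a login form only after loading the feed would still be flagged as clean on the form page alone. Run it against the device's root URL and the feed URL separately.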
A couple of these look interesting.
5 Useful Apps For All Smartphone Owners
Record Encounters With Law Enforcement Using Police Tape
It is an app (for both iOS and Android) which you can use to record an encounter with law enforcement, and then have it immediately uploaded (I couldn’t find out whether it is uploaded to YouTube or to the ACLU).
Once it’s uploaded, no-one can force you to delete it. And by taking the time to use this site to bone up on your legal knowledge, you can calmly and rationally discuss a situation with a police officer, knowing what is right and what is wrong.
Find Out How Good An App’s Privacy Levels Are With Privacy Grade
With the number of apps an average person puts on their phone, there is a higher than average chance that some of them will have a back door to somewhere you don’t want it to go.
Privacy Grade is a site for Android apps only, but most of them will also have an iOS version, which won’t be that much different from its Android counterpart. It assigns a grade to each app depending on a multitude of factors, and since the research is done at Carnegie Mellon University, you can be assured that there is some credibility to these scores.
Wednesday, November 26, 2014
I don't like it, but I saw this coming years ago. The cost of a “complete review” or of any kind of “certification of compliance” just went through the roof.
Data Security Auditor May be Drawn Into Data Breach Class Action for Failing to Identify Vulnerabilities
DrinkerBiddle reports a development in Storm v. Paytime, Inc., No. 14-cv-01138-JEJ (M.D. Pa.):
In August, Paytime, Inc., a payroll services company, moved to dismiss a putative class action filed in the wake of a data breach in which the personal and financial information of more than 230,000 people was compromised. Paytime argued that the plaintiffs lack standing, have failed to plead actual harm, and were not a party to or intended beneficiary of any contract with Paytime.
On September 30, while the motion to dismiss was pending, Paytime ran up against the court’s deadline for joining additional parties and filed a motion for leave to file a third party complaint against its data security auditor. Six months prior to the data breach, SotirIS, a provider of integrated business solutions and cloud hosting, performed a “comprehensive breach assessment” for Paytime. According to Paytime, “SotirIS failed to identify vulnerabilities in Paytime’s computer systems and, therefore, contributed to the occurrence of the data security event.” Therefore, Paytime argues, if Paytime were found liable “for such a vulnerability, then SotirIS is liable to [Paytime] for contribution and indemnification.”
Read more of DrinkerBiddle’s Cybersecurity Litigation Newsletter.
Perhaps I should get my band of merry men (and women) together again? If I could be assured the Feds would not take umbrage... (I think the “military grade” bit is a joke.)
Endgame Raises $30 Million to Bring Military-Grade Cyber Tools to the Enterprise
Security intelligence and analytics solutions provider Endgame, Inc. announced that it has closed a $30 million Series C equity funding round.
The latest round brings the total funding raised by the Arlington, Virginia-based firm to $90 million.
Endgame, which has been known for selling tools and zero-day exploits to government customers for offensive purposes, is shifting its focus to sell its military-grade security intelligence and analytics platform to enterprise customers.
… “The exploit business is a crummy business to be in,” Fick told Forbes. “If we’re going to build a top-tier security firm, we have to do things differently…. This is one of those happy circumstances where business realities, reputational concerns and my personal feelings aligned.”
… “Our core capabilities use data science and cutting-edge technology to give our federal and commercial customers real-time visibility across their digital domains, and our ecosystem of applications use that insight to solve a wide array of security problems,” the company explained.
I'm surprised they know that much!
Pew: Americans Not So Internet Savvy, Lack Insight on Privacy, Net Neutrality
… For those interested in seeing where they sit on the scale of Internet knowledge, the survey can be taken here.
(Related) 'Tis a puzzlement!
A majority of the global public is concerned about online privacy, but fewer have actually done anything about it, according to a new survey of Internet users around the world.
A poll from the Centre for International Governance Innovation, a Canadian think tank, found that 64 percent of people said they are more concerned about their privacy online than they were a year ago, and more than three-quarters are concerned about criminals or someone else hacking into their accounts and stealing information.
Yet just 43 percent said they avoid certain websites because of privacy concerns raised over the last year, and only 39 percent say they change their account information regularly.
Too much attention to the Income Statement? Look what someone noticed about the Balance Sheet.
Saks real estate an 'added gift': Hudson's Bay CEO
The real estate that came with Hudson's Bay's $2.9 billion purchase last year of the Saks department store chain was "a little added gift with purchase," CEO Richard Baker told CNBC on Tuesday.
That's some gift. On Monday, the company announced its Saks flagship on Manhattan's Fifth Avenue has been valued at $3.7 billion, making it the most valuable retail building in the world.
The Copyright Cops legal strategy is similar to all out war. Attack on all fronts and keep attacking until you have unconditional surrender or total annihilation. (and hope that happens before your case gets tossed out of court)
Internet mogul Kim Dotcom says he is officially broke.
The German entrepreneur and failed politician has revealed this week that his three-year, $10 million legal fight against extradition to the US to face trial on an alleged conspiracy to commit the biggest-ever breach of copyright has seen him run out of cash.
A high profile Queen's Counsel and one of the country's biggest law firms stepped down from his legal team earlier this month.
"The US Government has taken all my assets up until the raid in all jurisdictions and after I invested money into the internet Party, the MPAA (Motion Picture Association of America) sued me civilly to try to seize those assets too, so I'm officially broke right now," Dotcom said via live video-link from his Coatesville mansion at the Unbound Digital conference in London yesterday.
Perspective. Like Internet TV only radio. Another blow to Cable?
Chromecast Adds 100,000 Radio Stations
Chromecast users can now listen to 100,000 radio stations, thanks to TuneIn adding support for Google’s media streaming dongle. Both the free and paid versions of the TuneIn app now support Chromecast, instantly adding both local and international radio stations, plus hundreds of different podcasts to the device.
This explains why the Gaming Club is flying drones down the hallways all day. It's fun watching them try to put coins in the coffee machine.
Drone pilot wanted: Starting salary $100,000
Big companies, such as Amazon and Facebook, are looking for pilots who fly drones and engineers with experience in building the unmanned aircraft. And they are willing to pay top dollar for the right stuff.
… As many as 100,000 new jobs will be created in the first 10 years after unmanned aircraft are cleared for takeoff in U.S. airspace, according to a 2013 report from the Association for Unmanned Vehicle Systems International.
Large employers are already paying up for drone pilots -- about $50 an hour, or over $100,000 a year -- according to Al Palmer, director of the center for Unmanned Aircraft Systems at the University of North Dakota.
Because some of my Gamers are still passing! Obviously, they are not wasting enough time.
50 Great Video Games We Recommend You Play Right Now
There are so many great video games waiting to be played, and so little time to play them all. This means many gamers struggle to know what to play next, and which must-play titles to prioritize over the glut of mediocre titles out there.
In this article we’ll name 50 video games covering all genres and all platforms, all of which were recommended by your fellow MakeUseOf readers.
May be useful background in a few classes. Oldies but goodies?
15 Documentaries About The Internet, Hacking, Startups & Cyberculture [Stuff to Watch]
Technology is fascinating, and people love to learn. One of the best ways to lose an evening (or productive morning) is to combine the two in video form. Over the last two decades the Internet has grown from an exclusive cluster of early adopters to a ubiquitous communication tool that’s essential for living in the modern world we have created.
This has resulted in a huge number of documentary films exploring everything from consumer electronics to the financial, ethical and practical implications of our technology habit.
I had great hopes, but so far they don't speak “student.”
Slated Is An iOS 8 Keyboard That Translates Conversations For You
Another way to confuse my students? Note how Google Trends shows when this took off.
Spatchcocking: The Silly Word Behind the Turkey Trend
… a radical innovation in turkey preparation has started to become mainstream: “Spatchcocking,” or removing the backbone and flattening the turkey. This process—also known as butterflying, and common for preparing chickens—reduces the roasting time for a turkey from roughly three hours to around 45 minutes.
Tuesday, November 25, 2014
Interesting. I look forward to seeing what failed. Unless Sony is really, really bad at security, this could have serious and widespread implications. Note: A lot of the Ethical Hacking community seems to find this “suspicious.” Could anyone be this bad at securing their systems?
Sony Comes To A Screeching Halt Targeted By Massive Ransomware Hack
It appears that Sony has become the victim of a massive ransomware hack which has resulted in the company shutting down. An unnamed source spoke to Business 2 Community claiming that the company shut down after its computers in New York and around the nation were infiltrated.
The source, according to the website, is an ex-employee of Sony Pictures who has a friend that still works for the company. According to the source’s friend, allegedly, every computer in Sony’s New York Office, and every Sony Pictures’ office across the nation, bears an image from the hacker with the headline “Hacked By #GOP” which is then followed by a warning.
… [Update] Another unnamed source has surfaced and, speaking to Variety, claims that Sony's IT department told employees to disable the WiFi on their mobile devices and turn off their computers. That same source went on to say that the company has told its workers that the situation will take anywhere from one day to three weeks to be resolved.
(Related) On the other hand.
Ransom is the new black – the increasing trend of online extortion
… Brian Krebs reported on this a few months ago and it’s about as brazen as you’d expect online criminals to get; give us money or we’ll mess up your stuff. It’s the mob protection racket of the digital era only more random with less chance of getting caught and not as many gold necklaces (I assume). That one bitcoin is about $400 American dollars today so enough for a tidy little return but not enough that it makes for an unachievable ransom for most small businesses.
The worrying thing is though, this is just part of a larger trend that’s drawing online criminals into the very lucrative world of extortion and we’re seeing many new precedents in all sorts of different areas of the online world. Let me show you what I mean.
For my Computer Security and Risk management classes.
Why Vendor Risk Management is Critical to Your Business
You’ve heard the trite expression “A chain is only as strong as its weakest link.” Well, it’s true, and when it comes to enterprise security, the weakest link might be outside your own organization.
Ever since it came to light that the Target data breach originated through compromised credentials belonging to a third party vendor, there has been a renewed focus on vendor risk management (VRM), and especially on computer security risks.
There's money in Privacy!
Investors are dumping money into a nascent anonymous messaging app that allows users to post comments to people within a 1.5-mile radius of their phone.
The app, Yik Yak, revealed Monday it had received $62 million in venture funding, just months after it raised $11.5 million.
In just one year, Yik Yak has quickly gained popularity on high school and college campuses, but has yet to get a significant foothold in the adult market.
… WhatsApp, which rose to prominence as a privacy-focused text messaging service, now has more than 600 million users worldwide.
But privacy groups were appalled when Facebook purchased the app for $22 billion earlier this year, worried the social networking giant would misuse WhatsApp's user data.
Last week, WhatsApp announced it would be rolling out end-to-end encryption for its users, meaning only the sender and receiver can read the message.
Snapchat also rapidly gained a massive following in 2013, promising a way to send self-erasing messages. The company later settled Federal Trade Commission charges that those messages were not necessarily deleted permanently.
Still, Snapchat has been valued at $10 billion, according to multiple media reports.
The Wall Street Journal reported Yik Yak is now valued in the low nine figures.
Other anonymous messaging apps like Secret and Whisper have attracted more limited, yet passionate, audiences.
“We think you were wrong (and perhaps evil) to capture that data, but don't destroy it because it might be useful.”
Aliya Sternstein reports:
The Department of Homeland Security is poised to ditch all records from a controversial network monitoring system called Einstein that are at least three years old, but not for security reasons.
DHS reasons the files — which include data about traffic to government websites, agency network intrusions and general vulnerabilities — have no research significance.
But some security experts say, to the contrary, DHS would be deleting a treasure chest of historical threat data. And privacy experts, who wish the metadata wasn’t collected at all, say destroying it could eliminate evidence that the governmentwide surveillance system does not perform as intended.
Read more on NextGov.
Also has implications for the Kim Dotcoms around the world?
Law Enforcement Without Borders
CDT – “A critical case is now working its way through the US courts—one that raises important questions for users and providers of cloud services in both the US and Europe. As part of a US criminal investigation, a US federal court has ordered Microsoft to hand over a customer’s files that the company holds in its Ireland data centre. Microsoft has refused to comply with this order, arguing among other things that a warrant issued by a US court is not sufficient to reach content stored outside US territory, and that the US government must obtain the assistance of the Irish authorities. The crucial question here is: what rules apply when one country demands that a service provider with a physical presence on its territory give its authorities access to communications stored in another country? Because larger policy questions are at stake, CDT and other public interest groups are filing briefs in the case on 15 December. And recently, Dara Murphy, the Irish Minister for European Affairs and Data Protection, asked the European Commission to file its observations. The Commission is now considering adding its voice to the conversation. CDT believes that the European Commission’s views would be helpful in shaping the outcome.”
Free is good.
Law Review Commons
“Over 200 open-access law reviews · Over 150,000 articles · Free current issues & archives from 1852.”
For my iPhone using students.
The 5 Most Frequently Used Free Apps on My iPad
A couple of weeks ago I published a list of my most frequently used browser and desktop apps. I created a similar list on iPadApps4School.com. That list is now included below.
When I am reading a blog post that I want to save for later, I share it to my Evernote account.
Skitch is the tool that I use on my iPad when I want to create an annotated screenshot.
Penultimate provides a place for you to hand-write notes on your iPad. The app allows you to create multiple notebooks with multiple pages in each.
I check this app at 12pm Eastern Time for new apps that are free for a limited time.
I use Drive for reviewing Documents that have been shared with me. I also use Drive for storing videos that I have created on my iPad.
I'm thinking about changing the final exam in my Spreadsheet class...
How to Create a Jeopardy-style Game in Google Spreadsheets
Around this time last year I shared a neat Google Spreadsheets script called Flippity. Flippity was originally designed to help you create flashcards through Google Spreadsheets. This morning Steve Fortna informed me that you can now use Flippity to create Jeopardy-style gameboards through Google Spreadsheets. In the video embedded I demonstrate how to use Flippity to create a Jeopardy-style gameboard.
Monday, November 24, 2014
This has been around since 2008 (maybe 2006) and definitely smells like it was designed by intelligence pros.
Regin, a new piece of spyware, said to infect telecom, energy, airline industries
The cyber security firm Symantec on Sunday revealed that a malicious new piece of software is collecting information on individuals, companies, and government entities without their knowledge.
The malware, called Regin, is considered to be a mass surveillance and data collection tool (sometimes referred to as “spyware”). Its purpose and origin is still unclear, Symantec said, but researchers believe that the program is the work of a nation-state.
… Symantec said Regin (pronounced “re-gen,” as in “regenerate”) monitors its targets with a rarely-seen level of sophistication. Internet service providers and telecommunications companies make up the bulk of those that are initially infected, researchers said. Regin then targets individuals of interest—in the hospitality, energy, research, and airline industries, among others—that are served by those ISPs. Regin’s operators continue to use infected companies as a springboard to gain access to more individuals. Once they gain access, they can remotely control a person’s keyboard, monitor Internet activity, and recover deleted files.
More than half of observed attacks have targeted Russia and Saudi Arabia, Symantec said. The rest are scattered across Europe, Central America, Africa, and Asia.
Regin: Top-tier espionage tool enables stealthy surveillance
Symantec Security Response: “An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals. An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals. It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state. As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”
How to find out if the million credit card details I sold you will work at Walmart? There's an App for that!
Fraud Service Uses Charity Websites to Validate Stolen Credit Card Data
Cybercriminals who specialize in payment card fraud can verify the validity of stolen data by using an automated tool which conducts transactions on the websites of non-profit organizations, researchers at PhishLabs reported on Friday.
The card data verification service relies on a bot developed in the Perl programming language and an IRC channel. Fraudsters can use the IRC channel to communicate with each other, while the verification process takes place via private messages.
Once they log in to the IRC channel, cybercrooks must simply send a private message containing credit card numbers, cardholder names, and expiration dates to a moderator by using a special input syntax. The bot monitors messages and, when the specific syntax is identified, conducts a transaction on the website of a charity or a non-profit organization. The fraudsters are then provided with transaction details from which they can learn if the stolen card data is valid, researchers said.
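The validation pattern described above, seen from the charity's side: an added example (not from the PhishLabs report or the article) of a heuristic that flags donation-page sources presenting many distinct cards in small amounts with a high decline rate, the footprint of automated card checking. The log format, thresholds and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log: timestamp, source IP, card token, amount, result.
# IPs are RFC 5737 documentation addresses; the token is the card's last four
# digits here, but a real deployment would use the processor's card token.
SAMPLE_LOG = """\
2014-11-21T10:00:01 198.51.100.7 4242 1.00 approved
2014-11-21T10:00:04 198.51.100.7 1881 1.00 declined
2014-11-21T10:00:09 198.51.100.7 0005 2.00 declined
2014-11-21T10:00:13 198.51.100.7 9424 1.00 declined
2014-11-21T10:00:20 198.51.100.7 3714 1.00 approved
2014-11-21T10:00:27 198.51.100.7 6011 1.00 declined
2014-11-21T10:01:02 203.0.113.9 5555 25.00 approved
2014-11-21T10:45:40 203.0.113.9 5555 25.00 approved
2014-11-21T11:10:00 203.0.113.44 1111 50.00 declined
"""

def parse_log(text):
    """Parse the space-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, token, amount, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "token": token,
                       "amount": float(amount), "result": result})
    return events

def flag_card_testing(events, window=timedelta(minutes=5), min_cards=5,
                      max_amount=5.00, min_decline_ratio=0.5):
    """Return {ip: reason} for sources that, within any `window`, present at
    least `min_cards` distinct cards, charge only small amounts, and have at
    least `min_decline_ratio` of those attempts declined."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Sliding window anchored at each event for this source
            run = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            cards = {e["token"] for e in run}
            if len(cards) < min_cards or any(e["amount"] > max_amount for e in run):
                continue
            declines = sum(e["result"] == "declined" for e in run)
            if declines / len(run) >= min_decline_ratio:
                flagged[ip] = f"{len(cards)} distinct cards, {declines}/{len(run)} declined within {window}"
                break
    return flagged
```

A flagged source is a candidate for rate limiting or a manual-review hold on further donations, not an automatic block, since a legitimate fundraiser can also produce bursts of small gifts.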
The military (and perhaps DHS) do not use “cost” as a basis for evaluating the success of weapons or other technology. Should the police ignore cost? What is one arrest “worth?” The initial outlay isn't too great, but how much does it cost to review the false positives? Does the data get deleted from the DHS servers after six months, like the city ordinance requires?
Three license plate readers that Menlo Park police began using this summer captured images of more than 250,000 plates between July 1 and Oct. 1, according to a police staff report.
Out of all those images, however, only one could be tracked to a crime. Police recovered a stolen car and arrested the thief.
The readers, which cost a total of $57,914, are mounted on the roofs of two marked patrol cars and one unmarked vehicle used by detectives.
… The collected data is then uploaded to a server managed by the Northern California Regional Intelligence Center, part of the Department of Homeland Security.
… According to the staff report, 263,430 license plates were photographed in the first three months that the readers were used. Of those, 141 plate numbers registered as a "hit," matching those of vehicles on an active wanted list that were stolen or associated with missing people.
"The vast majority of the hits were subsequently deemed to be a 'false read' after further review by the [Automated License Plate Reader] operator," the report states.
Police spokeswoman Nicole Acker said a "false read" occurs when the photo of a license plate differs from the computer-generated image of the plate.
"A simplified example of a type of false read would be when an 8 is read as a B and vice versa," she wrote in an email.
I'm thinking of creating an App that tracks everything “for academic purposes.” Great (green) quote!
Ride-sharing giant Uber’s ability to monitor users’ movement without their knowledge is exposing what some critics call a gaping hole in the nation’s privacy laws.
Unlike some other types of data, regulators cannot limit what companies are able to do with information about customers' location, which could show where people live, sleep and travel.
… “Right now we protect health data, we protect financial data, we protect kids’ data, but location isn’t protected,” said Alvaro Bedoya, the executive director of Georgetown University’s Center on Privacy and Technology.
“As long as a company is not deceiving you about how they’re using the data, they can pretty much do whatever they want with it,” he added.
The future of research generating Big Data?
CERN Open Data Portal
“The CERN Open Data portal is the access point to a growing range of data produced through the research performed at CERN. It disseminates the preserved output from various research activities, including accompanying software and documentation which is needed to understand and analyze the data being shared. The portal adheres to established global standards in data preservation and Open Science: the products are shared under open licenses; they are issued with a digital object identifier (DOI) to make them citable objects in the scientific discourse (see details below on how to do this).
Data and re-use – LHC Data:
Data produced by the LHC experiments are usually categorized in four different levels (DPHEP Study Group (2009)). The Open Data portal focuses on the release of data from levels 2 and 3.
- Level 1 data comprises data that is directly related to publications which provide documentation for the published results
- Level 2 data includes simplified data formats for analysis in outreach and training exercises
- Level 3 data comprises reconstructed data and simulations as well as the analysis level software to allow a full scientific analysis
- Level 4 covers basic raw level data (if not yet covered as level 3 data) and their associated software and allows access to the full potential of the experimental data.”
This infographic should provide some incentive to students who are not sure if they should learn to code. Note: This is revenue per day!
You Won’t Believe How Much Money These iOS Games Make
You know that gaming on the iPhone is big business. Free-to-play games like Candy Crush Saga, Clash of Clans, and others are making insane amounts of money from games that are technically free. It’s all about the in-app purchases, and love them or hate them, they are here to stay.
Just how much money are the people and companies behind these popular iOS games actually making? You might want to take a seat, because the numbers will shock you.
(Related) Cross checking those revenue numbers...
Top grossing iOS mobile gaming apps as of October 2014, ranked by daily revenue (in U.S. dollars)