Tuesday, March 17, 2015

How simple! Don't connect computers to the Internet!
South Korea Accuses North of Cyber-attacks on Nuclear Plants
South Korea's government accused North Korea Tuesday of carrying out cyber-attacks last December on its nuclear power plant operator, describing them as a provocation which threatened people's lives and safety.
The team on Tuesday said the hackers intended to cause a malfunction at atomic reactors, but failed to break into their control system.
KHNP officials have said the 23 nuclear reactors, which supply about 30 percent of the country's electricity, were safe because their control system was separated from external networks.


Perspective
David Morrison writes:
Almost half of all American consumers (45%) said data security breaches have compromised their personal payment information or that of a household member, according to Verizon’s 2015 PCI Compliance Report.
The document suggested credit unions and other card issuers might suffer damage from card security breaches until consumers start using payment cards with embedded EMV chips.
Verizon Enterprise Solutions, a subsidiary of the communication firm, published the report March 12. It was the fourth year Verizon has published the report, which looks into how firms comply with the Payment Card Industry Data Security Standard.
Read more on Credit Union Times.

(Related) WDWK (What does Watson know?)
Malware and DDoS Were the Most Common Attack Types in 2014: IBM
IBM today released the 2015 IBM X-Force Threat Intelligence Quarterly, a report that details the security incidents, financial malware trends, risky Android apps, and vulnerability disclosures seen in 2014.
According to IBM, malware and distributed denial-of-service (DDoS) attacks took the lead last year in terms of volume. SQL injection attacks are still efficient when it comes to extracting valuable information from Web servers and applications, but point-of-sale (PoS) malware has also helped cybercriminals steal a lot of records in the last year.
In 2014, the most commonly attacked industries were computer services (28.7%), retail (13%), government (10.7%), education (8%), and financial markets (7.3%).
The complete 2015 IBM X-Force Threat Intelligence Quarterly is available online.

(Related) Yet another breach (attack) summary.
Over Half of ICS Security Incidents Reported in 2014 Involved APTs: ICS-CERT
According to the “ICS-CERT Monitor” newsletter for the period between September 2014 and February 2015, a total of 245 incidents were reported to the organization in the fiscal year 2014.
The report revealed that well over half of the incidents affected the energy (32%) and the critical manufacturing (27%) sectors. Communications, water, transportation, healthcare, and government facilities sectors each accounted for 5-6% of the total number of ICS incidents.
Roughly 55% of the incidents involved APTs.


A small but rather big change?
Dustin Volz reports:
A judicial advisory panel Monday quietly approved a rule change that will broaden the FBI’s hacking authority despite fears raised by Google that the amended language represents a “monumental” constitutional concern.
The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify an arcane federal rule to allow judges more flexibility in how they approve search warrants for electronic data, according to a Justice Department spokesman.
Read more on National Journal.
[From the article:
Known as Rule 41, the existing provision generally allows judges to approve search warrants only for material within the geographic bounds of their judicial district.
But the rule change, as requested by the department, would allow judges to grant warrants for remote searches of computers located outside their district or when the location is unknown.
The government has defended the maneuver as a necessary update of protocol intended to modernize criminal procedure to address the increasingly complex digital realities of the 21st century. The FBI wants the expanded authority, which would allow it to more easily infiltrate computer networks to install malicious tracking software. This way, investigators can better monitor suspected criminals who use technology to conceal their identity.
… Google weighed in last month with public comments that warned that the tweak "raises a number of monumental and highly complex constitutional, legal and geopolitical concerns that should be left to Congress to decide."
In an unusual move, Justice Department lawyers rebutted Google's concerns, saying the search giant was misreading the proposal and that it would not result in any search or seizures not "already permitted under current law."


Better than I thought!
Survey: Surveillance Is Fine as Long as It's Not on Me
Growing concern over surveillance in cyberspace has people changing their online behavior, according to a report released Monday by the Pew Research Center.
Nearly 90 percent of the 475 adults surveyed said they were aware of government surveillance programs targeting Internet users.
"That's a very high number," said Omar Tene, vice president of research and education at the International Association of Privacy Professionals.
… Moreover, of those aware of the programs, more than a third (34 percent) had taken at least one measure to hide or shield their information from the government.
Among the measures taken in response to government surveillance were changing social media settings (17 percent), avoiding certain apps (15 percent), reducing social media use (15 percent), increasing face-to-face conversations (14 percent), uninstalling certain apps (13 percent), avoiding certain terms in online communication (13 percent), and deleting social media accounts (8 percent).
… "Most of the steps mentioned are really not effective for avoiding government surveillance," said Robert Neivert, COO of Private.me.
… Large numbers of adults supported monitoring programs aimed at suspected terrorists (82 percent), foreign leaders (60 percent), foreign citizens (54 percent) and even American leaders (60 percent), the Pew study found. However, 57 percent opposed monitoring of U.S. citizens.


I'm for it! Except for the parts where I'm not.
Leslie R. Caldwell, Assistant Attorney General for the Criminal Division of DOJ writes:
In a series of recent posts, we’ve been discussing the need for the Administration’s current cybersecurity proposals and discussing how they have been drafted in a careful and targeted way to enable us to protect privacy and security without ensnaring harmless or legitimate conduct. Reaching this balance is important in many parts of the criminal law, but it is particularly important in the law that protects the privacy and security of computer owners and users — the Computer Fraud and Abuse Act (CFAA). This law applies both to the hackers who gain access to victim computers without authorization from halfway around the world, and to those who have some authorization to access a computer — like company employees entitled to access a sensitive database for specified work purposes — but who intentionally abuse that access. Yet the CFAA needs to be updated to make sure that the statute continues to appropriately deter privacy and security violations. The Administration has proposed an amendment that maintains the law’s key privacy-protecting function while ensuring that trivial violations of things like a website’s terms of service do not constitute federal crimes.
Read more on the Department of Justice to see how they try to sell their proposed amendment.
[From the DoJ:
For example, a federal court feared that the statute could be construed to permit prosecution of a person who accesses the internet to check baseball scores at lunchtime in violation of her employer’s strict business-only internet use policy. Or, similarly, where a member of the public accesses a dating website but lies about his physical fitness in violation of the site’s terms of service that require users to provide only accurate information.
We understand these concerns. The Department of Justice has no interest in prosecuting harmless violations of use restrictions like these. [This is not a “get out of jail free” card for Ethical Hackers Bob] That’s why we’ve crafted proposed amendments to the CFAA to address these concerns — while still preserving the law’s application to those who commit serious thefts and privacy invasions.

(Related) Perhaps this is the model the FBI wants to follow?
Intelligence and Security Committee of Parliament published its Report ‘Privacy and Security: A modern and transparent legal framework’
“The Intelligence and Security Committee of Parliament has today published its Report ‘Privacy and Security: A modern and transparent legal framework‘. This Report includes, for the first time in a single document, a comprehensive review of the full range of intrusive capabilities available to the UK intelligence Agencies. It contains an unprecedented amount of information about those capabilities, the legal framework governing their use, and the privacy protections and safeguards that apply. The Report also reveals the use of certain capabilities – such as Bulk Personal Datasets and Directions under the Telecommunications Act 1984 – for the first time. The Report represents a landmark in terms of the openness and transparency surrounding the Agencies’ work. The Committee has also released a press statement on the report, and the opening statement from this morning’s press conference.”


...and just because this won't die.


Might be worth comparing to what we're teaching our students.
Advanced digital technologies are swiftly changing the kinds of skills that jobs require
… The researchers found that there were significant changes in skill requirements over the 2006-2014 time period. For example, as machines’ capabilities have increased in areas such as visual perception and voice perception — think Google Inc.’s self-driving car project or Apple Inc.’s Siri — jobs in the U.S. have started requiring those skills less. And as computers take over more routine work, jobs involve less supervision of people (since more and more people are, in effect, supervising machines rather than humans). For instance, the researchers note that in the past, an architect might have supervised draftsmen; today’s architects instead work with CAD software.
By contrast, some job skills have grown in importance — in particular, the ability to work with equipment such as computers. Demand also grew for skills in some areas in which machines haven’t made many inroads. The average occupation in the U.S. in 2014 more heavily emphasized interpersonal skills — an area where computers can’t yet compete with humans — than a comparable job in 2006.


For my students writing papers on Social Networking?
How To Respond To Fallacious Arguments On The Internet [Stuff to Watch]
… how often is your (naturally well-worded and kind-mannered) argument rebutted with an attack on your character, or a seemingly nonsensical comparison? Wouldn’t it be great if you could deflect these fallacious arguments while enlightening your detractors as to why their challenge falls short?
Well, with the help of these eight videos addressing common fallacies online, you can!


For my students who don't ask questions in class?
How to Google Something You Don't Know How to Describe
… There was something so satisfying about a simple exchange that answered a question I'd wondered quietly for years. Which helps explain why a site like What Is This Thing Called is so delightful. It's a simple Tumblr, made in the spirit of a similar Reddit thread, that features photos of obscure, forgotten, or otherwise ambiguous technologies. Anybody can comment on the photos to help clarify what the thing is.
A lot of the mystery things are of commonplace items. There's the plastic pamphlet that a restaurant bill arrives in (a check presenter) and those stumpy cylindrical posts that prevent cars from driving onto pedestrian spaces (bollards). Others are things that happen, phenomena rather than physical objects themselves—like the kink in a landline cord.
... Then there's Superfish, which promises that it can "find everything that words can't possibly describe" by using an algorithm to comb through millions of image matches to the photos you upload, then comparing and ranking the results. The company has a series of category-specific apps called Like That that help people identify the kinds of flowers, breeds of puppies, and styles of furniture that matches what they see in the world.


Something to add next to our Windows 10 preview?
You Can Now Preview Office 2016 and Skype for Business
… Previously launched as a private preview, Office 2016 is now available for commercial Office 365 users. This gives IT teams and developers a chance to test the product and provide feedback. They can also be the first to try new features that are issued via monthly updates.
… To learn more about and download the Office 2016 Preview program, visit the Office 2016 Preview section at Microsoft Connect.
