Friday, April 03, 2015

Every employee needs to hear this.
IBM discovers new cyberscam
IBM has uncovered a sophisticated fraud scheme run by a well-funded Eastern European gang of cybercriminals that uses a combination of phishing, malware and phone calls that the technology company says has netted more than $1 million from large and medium-sized US companies.
The scheme, which IBM security researchers have dubbed 'The Dyre Wolf,' is small in comparison with more recent widespread online fraud schemes but represents a new level of sophistication.
According to IBM, since last year the attackers have been targeting people working in companies by sending spam email with unsafe attachments to get a variant of the malware known as Dyre into as many computers as possible.
If installed, the malware waits until it recognizes that the user is navigating to a bank website and instantly creates a fake screen telling the user that the bank's site is having problems and to call a certain number.
If users call that number, they get through to an English-speaking operator who already knows what bank the users think they are contacting. The operator then elicits the users' banking details and immediately starts a large wire transfer to take money out of the relevant account.

For my Ethical Hackers: How would you detect someone copying data to a thumb drive? Only list your top five suggestions.
It’s still too easy for bad actors and others to download ePHI onto thumb drives. And do most covered entities even realize it has happened or is happening?
WDAM in Mississippi reports that Hattiesburg Clinic has been notifying patients of unauthorized access to their records by a former optometry provider who allegedly accessed their records to send letters notifying patients about his new employer.
The clinic states they first became aware of the breach, which occurred between December 11 and December 31, 2014, on January 23rd. They do not say how they learned of the breach, other than that they were made aware of it.
Notification letters, dated March 20th, explained that the doctor had copied patients’ contact information onto a thumb drive that he took with him to his new employer to enable him to send out letters notifying patients of his new employment. The clinic recovered the thumb drive and received assurances that neither the doctor nor the Hattiesburg Eye Clinic, his new employer, retained any information.
Although the clinic indicates it reported the incident to HHS, the incident does not yet appear on HHS’s public breach tool, so either it should appear shortly, or the breach impacted fewer than 500 patients.
This post will be updated if the incident appears on the public breach tool.
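One defender-side answer to the thumb-drive question above, as an added example that is not from the original post: it correlates constructed Linux syslog lines (a USB mass-storage attach, a mount under /media, and a simplified, hypothetical "fileaudit:" file-creation record standing in for an endpoint agent or auditd rule) so that only files written under a removable mount raise an alert.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (illustrative, not from the page). The
# "fileaudit:" lines use a simplified, hypothetical format standing in for an
# endpoint agent or auditd rule that records file creations.
SAMPLE_LOG = """\
Dec 19 09:12:01 ws-eye01 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Dec 19 09:12:01 ws-eye01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Dec 19 09:12:05 ws-eye01 systemd[1]: Mounted /media/jdoe/USBSTICK.
Dec 19 09:13:40 ws-eye01 fileaudit: uid=1001 comm="cp" op=create path="/media/jdoe/USBSTICK/patients.csv"
Dec 19 09:13:41 ws-eye01 fileaudit: uid=1001 comm="vim" op=create path="/home/jdoe/notes.txt"
Dec 19 09:20:00 ws-eye01 kernel: usb 1-2: USB disconnect, device number 4
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
MOUNT_RE = re.compile(r"Mounted (/(?:media|run/media|mnt)/\S+?)\.?$")
WRITE_RE = re.compile(r'fileaudit: uid=(\d+) comm="([^"]+)" op=create path="([^"]+)"')

def parse_ts(stamp, year):
    # syslog stamps carry no year; the caller supplies it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_removable_media_writes(log_text, year=2014):
    """Correlate USB mass-storage attach, mount and file-creation events.

    Returns one alert dict per event; a write is only flagged when its path
    lies under a mount point that appeared after a USB storage attach.
    """
    alerts, mounts = [], {}  # mounts: host -> list of removable mount points
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m.group(1), year), m.group(2), m.group(3)
        if "USB Mass Storage device detected" in msg:
            alerts.append({"time": ts, "host": host, "kind": "usb_storage_attached"})
            mounts.setdefault(host, [])
        elif host in mounts and (mm := MOUNT_RE.search(msg)):
            mounts[host].append(mm.group(1))
            alerts.append({"time": ts, "host": host, "kind": "removable_mounted", "mount": mm.group(1)})
        elif (mw := WRITE_RE.search(msg)):
            uid, comm, path = mw.groups()
            if any(path.startswith(mp + "/") for mp in mounts.get(host, [])):
                alerts.append({"time": ts, "host": host, "kind": "write_to_removable",
                               "uid": int(uid), "comm": comm, "path": path})
        elif "USB disconnect" in msg:
            alerts.append({"time": ts, "host": host, "kind": "usb_disconnected"})
            mounts.pop(host, None)  # device gone: stop treating its mounts as removable
    return alerts

if __name__ == "__main__":
    for a in detect_removable_media_writes(SAMPLE_LOG):
        print(a["time"], a["host"], a["kind"], a.get("path", a.get("mount", "")))
```

The same correlation applies to Windows hosts by swapping the patterns for the equivalent device-install and file-audit events; the point is that a write is only interesting once it is tied to a device attach on the same host.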

What is Cyber-war? Do my Computer Security students need a clear definition to counter an attack? Of course not. However, it would help them predict “what comes next.”
CRS – Cyberwarfare and Cyberterrorism
by Sabrina I. Pacifici on Apr 2, 2015
Cyberwarfare and Cyberterrorism: In Brief, Catherine A. Theohary, Specialist in National Security, Policy and Information Operations. John W. Rollins, Specialist in Terrorism and National Security. March 27, 2015.
“Recent incidents have highlighted the lack of consensus internationally on what defines a cyberattack, an act of war in cyberspace, or cyberterrorism.
Cyberwar is typically conceptualized as state-on-state action equivalent to an armed attack or use of force in cyberspace that may trigger a military response with a proportional kinetic use of force.
Cyberterrorism can be considered “the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.”
Cybercrime includes unauthorized network breaches and theft of intellectual property and other data; it can be financially motivated, and response is typically the jurisdiction of law enforcement agencies.
Within each of these categories, different motivations as well as overlapping intent and methods of various actors can complicate response options. Criminals, terrorists, and spies rely heavily on cyber-based technologies to support organizational objectives. Cyberterrorists are state-sponsored and non-state actors who engage in cyberattacks to pursue their objectives. Cyberspies are individuals who steal classified or proprietary information used by governments or private corporations to gain a competitive strategic, security, financial, or political advantage. Cyberthieves are individuals who engage in illegal cyberattacks for monetary gain. Cyberwarriors are agents or quasi-agents of nation-states who develop capabilities and undertake cyberattacks in support of a country’s strategic objectives. Cyberactivists are individuals who perform cyberattacks for pleasure, philosophical, political, or other nonmonetary reasons.
There are no clear criteria yet for determining whether a cyberattack is criminal, an act of hacktivism, terrorism, or a nation-state’s use of force equivalent to an armed attack. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace.
The current domestic legal framework surrounding cyberwarfare and cyberterrorism is equally complicated. Authorizations for military activity in cyberspace contain broad and undefined terms. There is no legal definition for cyberterrorism. The USA PATRIOT Act’s definition of terrorism and references to the Computer Fraud and Abuse Act appear to be the only applicable working construct. Lingering ambiguities in cyberattack categorization and response policy have caused some to question whether the United States has an effective deterrent strategy in place with respect to malicious activity in cyberspace.”

“If we do it, it might violate privacy so we want to contract with a private entity to do exactly the same thing.”
DHS eyes service to track license plates
The Department of Homeland Security (DHS) is offering up a contract for companies to keep track of people’s license plates.
The department’s Immigration and Customs Enforcement (ICE) posted a draft solicitation on Thursday, slightly more than a year after the department scuttled a previous attempt to create a license plate tracking system over fears it could infringe on people’s privacy.
The new request, which was first reported by The Washington Post, makes clear that the department “is neither seeking to build nor contribute to a national” license plate reading system. Instead, it wants to use a preexisting commercial service to help track down people suspected of violating the country’s immigration and other laws.

Facebook does not do “secretly.” You just have to look at their privacy policy on page 2471, paragraph 57, sub-paragraph 401, line 12 and there, plain as day it says “and anything else we want to do.”
Tony Briscoe reports:
A Cook County man is suing Facebook, alleging that the social media giant has violated Illinois privacy laws with facial recognition software that “secretly amassed the world’s largest privately held database of consumer biometrics data.”
Carlo Licata claims in a lawsuit filed Wednesday in Cook County Circuit Court that Facebook has violated state law by not informing him in writing that his biometric data was being collected or stored, or when it would be destroyed.
Read more on The Chicago Tribune.

Just because it seems to disappear doesn't mean it's gone.
Snapchat Shows Data Requests in Transparency Report
Snapchat, the social network known for its disappearing messages, released its first transparency report Thursday showing hundreds of requests from US and foreign law enforcement agencies.
Between November 1 and February 28, Snapchat said it received 375 requests from US law enforcement officials, and produced at least some data in 92 percent of those cases.
"While the vast majority of Snapchatters use Snapchat for fun, it's important that law enforcement is able to investigate illegal activity," Snapchat said in a blog post.
"We want to be clear that we comply with valid legal requests."
The requests were mostly in the form of subpoenas, warrants or court orders, along with a smaller number of emergency requests.
Outside the US, Snapchat received 28 requests and produced data in six of those cases. The requests came from Britain, Belgium, France, Canada, Ireland, Hungary and Norway.

Are we reacting to sensational news stories rather than researching the facts? Sure looks that way to me.
Eyes in the Sky: The Domestic Use of Unmanned Aerial Systems, House Judiciary Committee
by Sabrina I. Pacifici on Apr 2, 2015
Eyes in the Sky: The Domestic Use of Unmanned Aerial Systems, House Judiciary Committee, May 17, 2013. Serial No. 113–40.
… Within the last few years, high powered computers and data networks have been combined with aircraft, allowing them to be piloted remotely. [“Remote Piloting” does not rely on computers or networks. Think model airplanes – we've been doing this for decades! Bob]
… Law enforcement and public safety are increasingly becoming the most prevalent uses for UAS. [Somehow, I doubt that. Bob]
… The ability to fly a small, unmanned aircraft with cameras and sensors can also profoundly affect privacy and civil liberties in this country. No longer restricted to the high cost and short flight time of manned flight, UAS can hover outside a home or office. Using face recognition software and fast computer chips, a UAS may soon be able to recognize someone and follow them down the street. These new surveillance capabilities, in the hands of the police, may be intrusive to our concepts of individual liberty. That is why I have cosponsored the ‘Preserving American Privacy Act of 2013,’ a bill sponsored by Representative Ted Poe of Texas and Representative Zoe Lofgren of California.

...because they are our (the taxpayers') employees?
AP reports:
The Washington Supreme Court says public employees don’t have a right to privacy about the fact that they’re being investigated.
Two workers with the Spokane School District, who have been on paid administrative leave for years, sought to have their names redacted on documents released under a public records request.
In a 5-4 decision, the court said the documents — which didn’t detail the substance of the allegations against them — could be released with their identities.
Read more on Houston Chronicle.

Europe doesn't think like the US Congress. Perhaps if Google et al. started “euro PACs” they would find themselves loved by the EU?
Antitrust and Other Inquiries in Europe Target U.S. Tech Giants
It is not a good week to be a giant American tech company in Europe.
The European antitrust investigation into Google appears to be heating up. More European countries are looking into Facebook’s privacy settings.
And Apple, which already is under scrutiny for its low corporate tax arrangements in Ireland, is now facing potential antitrust questions from the European Commission about the company’s new music streaming service expected this year.

The downside is that I won't have the terrorist “user guides” freely available for my Criminal Justice or Homeland Security students.
Feinstein: Take the 'Anarchist Cookbook' and al Qaeda magazine off the Internet

Perspective. This happened because XP was “good enough.”
14-Year-Old Windows XP Still Has More Users Than Windows 8.x

For my Students. There's an App for Apps.
Arc Welder Adds Android Apps to Chrome
Android apps will soon be compatible with any desktop operating system capable of running Chrome. This means that anyone using Chrome OS, Windows, Mac, or Linux will gain access to the thousands of Android apps currently available on Google Play.
This is thanks to ARC Welder, a new Chrome app Google has initially released as a developer preview. ARC Welder converts any Android app into a Chrome app, meaning they can be used on a host of other operating systems. Only a handful of apps have so far been ported to ARC, but the release of ARC Welder means that number is sure to increase exponentially.
ARC Welder is at a very early beta stage, so it’s far from perfect. Some of the Google Play Services are still missing, meaning apps which use them will simply crash. However, it’s clear that Google is working towards making Android and Chrome act as one, which should be a boon for users of the tech giant’s products and services.

For my students who shop Amazon (and perhaps a few of us adjuncts)
6 Amazon Prime Benefits You Might Be Ignoring Right Now
Free Months of Prime
If you’re currently enrolled in a college or university and you have a valid .edu email address, you can register as part of the Amazon Student program which grants you a six-month free trial for Prime. When the trial ends, you can upgrade to a full Amazon Prime membership for 50% off.
Note: This free trial only includes free shipping, free 2-day delivery, and unlimited photo storage with Prime Photos.
Prime Instant Video, Prime Music, Kindle Owners Lending Library, and membership sharing are only available to those with a full Amazon Prime membership.

Believe it or not, I have students interested in poetry.
5 Resources for National Poetry Month
April is National Poetry Month in the U.S. Writing and/or understanding poetry can be a challenge for those of us who don't consider ourselves the creative writing type. Surely we have students who feel that way too. Here are five resources that can help us understand and create poetry.
ReadWorks has a new selection of famous poems available on their website. The selection is organized by grade level. As with every passage on ReadWorks, each poem is accompanied by a set of guided reading questions.
BoomWriter has put together new vocabulary sheets for Poetry Month. The poetry vocabulary is part of a larger poetry lesson plan for elementary and middle school students. You can download the vocabulary words and lesson plans as PDFs. (Disclosure: BoomWriter advertises on
The Poetry Foundation offers some helpful resources for teachers and students. One of the resources that immediately jumped out at me when I visited the Poetry Foundation's Learning Lab was the glossary of poetry terms. Students can search the glossary alphabetically, by form & type of poem, by rhyme & meter, by schools & projects, by technique, and by theory or criticism. The Poetry Foundation offers a free mobile app for iOS and Android. The app allows users to search for poems, save poems, and share favorite poems with their friends. You can search for poems by poet, by title, or by entering a line or two of a favorite poem.
Word Mover is a free iPad app and web app from Read Write Think. The app is designed to help students develop poems and short stories. When students open the Word Mover app they are shown a selection of words that they can drag onto a canvas to construct a poem or story. Word Mover provides students with eight canvas backgrounds on which they can construct their poems. If the word bank provided by Word Mover doesn’t offer enough words they can add their own words to the word bank.
Scholastic has assembled a big list of lesson resources for teaching poetry this month. One of the resources that I really like is the Poetry Idea Engine. The Poetry Idea Engine is a simple, interactive tool that helps students create four types of poems: haiku, limerick, cinquain, and free verse. To create a poem on Poetry Idea Engine, students select one of the four formats. If they pick one of the first three formats, students will be given a short explanation of the pattern before completing the template to create their poems.