Tuesday, July 28, 2015

A new field of study for my Computer Security students? I'm sure there must be a way to “set up” car manufacturers for the Class Action lawsuits that will surely follow. Perhaps a letter asking them to confirm rumors of dangerously weak security?
What To Do if Your Car Tries to Kill You
The scary news last week was that a couple of guys demonstrated they could hack into a Jeep and take control of it. Later, more details came out that suggested you might want to avoid Chrysler cars altogether.
The industry appears to be waiting for the first major catastrophic accident before putting resources into fixing this problem at the proper level. They are slowly forming industry groups to look at it -- but at the current rate, their fix will come long after a lot of us are dead.

Not really related, but my veteran students might find this amusing.
… Law of cyber warfare practitioners surely breathed a sigh of relief when they found that only 15 of the 1,176 pages in DOD’s new Law of War Manual addressed cyber warfare. DOD appears to have concluded that the law in this area is still developing (or, perhaps, not developing), and that trying to capture it precisely would lead to the creation of a chapter that would soon be irrelevant. As a result, the cyber warfare chapter sticks broadly to the application of the principles of the law of armed conflict to cyber warfare – although it “inconveniently” introduces a new legal concept that seems inconsistent with other sections of the manual.
… The DOD manual discusses the meaning of cyber attack during armed conflict (in bello), as well. The definition of attack is important within on-going armed conflicts because it determines when the principles of the law of armed conflict apply. The DOD manual notes the term doesn’t encompass defacing government webpages; briefly disrupting Internet service in a minor way; briefly disrupting, disabling, or interfering with communications; or disseminating propaganda. However, the DOD manual modifies its stance by introducing a unique principle of cyber warfare – Avoidance of Unnecessary Inconvenience. “[E]ven if a cyber operation is not an ‘attack’ or does not cause any injury or damage that would need to be considered under the proportionality rule, that cyber operation still should not be conducted in a way that unnecessarily causes inconvenience to civilians or neutral persons.” Perhaps the language is just a specific articulation of the principle of humanity, for example, and is also applicable to kinetic warfare, but it appears to be new. It’s not clear that inconvenience has ever been a consideration in warfare, as emphasized in chapter 5, footnote 306 of the DOD manual.

Definitely something for my IT Governance students to analyze. How poor must your security be to take over 6 months to bring systems back up?
TV5Monde in chaos as data breach costs roll into the millions
TV5Monde was very visibly hacked back in April when the French news channel, which broadcasts ten channels in over 200 countries, was downed by hackers who also gained control of its social media channels.
… At the time, the hack was believed to be the work of Islamic State sympathisers although later reports from Trend Micro and others suggest this was a ‘false flag' operation, conducted by the APT28/Pawn Storm group, which is believed to be closely associated with the Russian government.
The attack has been traced back to January 2015 when phishing emails were sent to TV5 Monde journalists. Leaked documents suggest German secret services knew about the attack two months before discovery, while experts, speaking anonymously to SCMagazineUK.com recently, suggested GCHQ knew about it too.
… “Following the 8 April attack, we are not allowed to reconnect our services to the Internet network until we have rebuilt a safer system under ANSSI's [the French agency – Ed] orders,” he told SC.
… “The attack will cost TV5Monde about €4.5 million in 2015, plus lost commercial revenues which are as yet not fully known. And the new system will cost us about €2.5million more each following year.”
The nature of the new infrastructure was naturally a “very sensitive subject”, said Bigot only adding that it would build “a much more sophisticated system which will include an all-round watch to ensure any attack will be known and dealt with in due time.”
… He added that Sony Pictures Entertainment took eight weeks to have email, with finance systems so damaged that financial results had to be postponed.

For my Ethical Hacking and Computer Forensics students.
Embedded Tweets can be Easily Faked

Another tool for my Ethical Hacking students and a new “problem” for my Computer Security students. Not easily implemented, but doable.
And another security bubble or delusion bursts.
Kim Zetter reports:
The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.
But researchers in Israel have devised a new method for stealing data that bypasses all of these protections—using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a “breakthrough” in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.
Read more on Wired.
[From the article:
“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” they note in their paper.

You should probably get this update.
Android flaw lets hackers break in with a text message
… "Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS (text message)," Zimperium Mobile Security said in a blog post.
"A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."
Android code dubbed "Stagefright" was at the heart of the problem, according to Zimperium.
Stagefright automatically pre-loads video snippets attached to text messages to spare recipients from the annoyance of waiting to view clips.
Hackers can hide malicious code in video files and it will be unleashed even if the smartphone user never opens it or reads the message, according to research by Zimperium's Joshua Drake.
… Stagefright imperils some 95 percent, or an estimated 950 million, of Android phones, according to the security firm.
Zimperium said that it reported the problem to Google and provided the California Internet firm with patches to prevent breaches.
"Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment," Zimperium said.

Local. Privacy in Jefferson County is about making an effort? Succeeding is no longer important? I read this as taking six months to create a Best Practices guide, then awarding yourself a “Seal” that protects nothing.
Doug Hrdlicka reports:
A new partnership between Jeffco Public Schools and 26 other districts nationwide could lead to more rigid security measures for student data.
For the next six months 27 school districts, working with The Consortium for School Networking, will work toward establishing a nationwide set of standards around student privacy. The end result will be known as the Trusted Learning Environment Seal that public schools can adopt to assure the community that their student’s data is protected.
Read more on Chalkbeat.
Back in 2013, Jeffco caught flak from parents over joining up with inBloom. The board eventually cut ties with inBloom, leading the state education department to end its contract with the provider.
[From the article:
The TLE Seal is not a cloud option for districts to securely store their data, but rather, a stamp of approval for taking precautions to protect student data.
Currently, Jeffco officials spend up to four weeks [Strange wording. Surely it does not take that long to read a contract. Perhaps the try working through a backlog within four weeks? Bob] screening any software, free or paid for, for language that allows teachers and officials to share student information. The district has created a list of approved programs and cloud services.
“The TLE Seal is one more step in our process to ensure that Jeffco Public Schools is implementing best practices for protecting student and staff data,” said McMinimee.
At the end of the six months schools will be able to implement the TLE Seal to ensure the protection of their students’ data.

This is going to be amusing. Like granting a Power of Attorney without the paperwork. Might be a fun hack though.
Facebook's 'legacy contact' feature goes live in the UK allowing users to appoint digital heirs
Earlier this year, Facebook announced it would be creating a feature called "legacy contacts".
This meant that any of the 35 million UK Facebook users would be able to appoint a friend or loved one to maintain their social media account after they die.
As of today, the feature is now live in the UK - meaning you can appoint your social media heir today. If you want your account to be deleted upon your death, you can flick that switch too - although someone will still need to inform Facebook that you've moved on.
… Anyone nominated as a legacy contact will be able to write a post that's displayed at the top of the profile and change profile images on the page.
They will even be allowed to accept or refuse new friend requests on behalf of the deceased.
The online executor will however not be able to edit what the deceased already posted, what friends continue to post on the page, or remove tagged images. Nor will they be able to delete the account.

This is big.
Google AdSense Publishers Must Now Obtain EU Visitors’ Consent Before Collecting Data
Google has announced a change to its user consent policy which will affect website publishers using Google products and services, including Google AdSense, DoubleClick for Publishers and DoubleClick Ad Exchange, as well as whose sites or apps have visitors arriving from the European Union. Under the new policy, publishers will have to obtain EU end users’ consent before storing or accessing their data, says Google.
The change, which is in direct response to the EU’s cookie compliance regulations, follows the arrival of the Google-published website called CookieChoices, spotted earlier this month. That site was launched with the intention of helping digital publishers obtain tools and access other resources that will aid in their obligations to obtain user consent, Google noted at the time.
These tools include code that website publishers can use to inform visitors about their cookies, as well as those that can be used to directly obtain consent, like splash screens, notification bars, or one-time, pop-up alerts that can be used on mobile apps.
… Google is applying this to its own services, while also challenging publishers to comply with the updated policy by a September 30th, 2015 deadline, according to an email sent out about the change. In addition, this policy will also affect those with iOS or Android applications who will have to show a message to app users upon first launch.

Microsoft is shifting to a nickel & dime business plan?
Want to remove the ads from Solitaire in Windows 10? That'll be $1.49 a month
Microsoft is once again bundling Solitaire with Windows, but if you want an ad-free experience then that's going to cost you.

Amazon wants to be the “everything store.”
Amazon launches music streaming service in the UK
Amazon has entered the UK streaming market with the launch of Prime Music, a new service available to Amazon Prime customers as part of their annual £79 subscription.
Prime Music will provide access to more than one million songs and about 500 specially created playlists.
Amazon's answer to Spotify, Deezer and Google Play follows the launch of Apple Music and Jay-Z's Tidal this year.
However, there are some big holes in the Amazon Prime catalogue.
The likes of Amy Winehouse, Abba, Katy Perry, Kanye West and Eminem - all part of the Universal Music Group - are unavailable at launch.

Huh. And I thought it went back before Attila the Hun.
The Evolution of Modern Terrorism
… One hundred years before 9/11, terrorism was present in America. Given this history with terrorism, I will discuss the roots of modern terrorism, the scholarly perspective on the evolution of terrorism, and the importance of understanding the motivations and strategies of terrorists.
… UCLA political science professor, David Rapoport, writes that the French Revolution “introduced terror to our vocabulary.” Rapoport writes extensively about how modern terrorism has evolved through four waves.
The Four Waves of Modern Terrorism
Rapoport’s writing, The Four Waves of Modern Terrorism (PDF), looks at specific time periods that can be categorized into specific phases precipitated by events. These waves are:
  1. Anarchist Wave
  2. Anticolonial Wave
  3. New Left Wave
  4. Religious Wave

Perspective. The report is yours for a mere £3970.
38 billion IoT devices will be deployed by 2020
According to recent research data by Juniper Research, the world will see a 285 per cent increase in the Internet of Things (IoT) devices by the end of 2020, which will mean 38 billion more devices.
The surprising fact about this increment, is that most of the growth in these devices will be coming from business sectors such as smart grids, smart buildings, etc. and not the usual headline grabbing ‘smart home’ devices.
… According to V3, the Juniper analyst told them that all the businesses that are embracing this new change of IoT must make sure that they have the right systems in place to use the reams of additional data that they will be gathering.

Perspective. What would Walter Cronkite say?
Evolving Role of News on Twitter and Facebook
by Sabrina I. Pacifici on Jul 27, 2015
Pew Research Center: “The share of Americans for whom Twitter and Facebook serve as a source of news is continuing to rise. This rise comes primarily from more current users encountering news there rather than large increases in the user base overall, according to findings from a new survey. The report also finds that users turn to each of these prominent social networks to fulfill different types of information needs. The new study, conducted by Pew Research Center in association with the John S. and James L. Knight Foundation, finds that clear majorities of Twitter (63%) and Facebook users (63%) now say each platform serves as a source for news about events and issues outside the realm of friends and family. That share has increased substantially from 2013, when about half of users (52% of Twitter users, 47% of Facebook users) said they got news from the social platforms. Although both social networks have the same portion of users getting news on these sites, there are significant differences in their potential news distribution strengths. The proportion of users who say they follow breaking news on Twitter, for example, is nearly twice as high as those who say they do so on Facebook (59% vs. 31%) – lending support, perhaps, to the view that Twitter’s great strength is providing as-it-happens coverage and commentary on live events.”

A handout for our CS & IT students?
Learn with Coding Projects: 9 Udemy Courses for The Beginner Programmer

Includes some LinkedIn tips.
Hidden Features For Your Favorite Social Networks
Check out the infographic below for a look at some features for Facebook, Twitter, Google+, and LinkedIn that you probably aren’t using.

A little suggestion based on Big Data? Take every advantage you can.
The Science of the Perfect LinkedIn Photo
… As TIME put it recently:
“Choosing an exemplary photo just got more involved: new research suggests looking at least a ‘little’ happy in your picture will make you appear more trustworthy to prospective employers.”

No comments: