Thursday, October 01, 2015

For my Ethical Hacking students. Check with your lawyers before you try something like this.
Love it!
Steve Nichols reports:
A cyber hacker gets scammed when he targeted a Clearwater cyber security firm.
KnowBe4 trains corporate clients on defending against “phishing attacks”, a term for using realistic-looking but fake emails for illicit gain.
Last Friday, the company’s chief financial officer received an email purportedly from the chief technology officer requesting instructions on wire transferring nearly $20,000.
Read what happened next on Fox13.
[From the article:
Then they sent a fake email appearing to be from AOL, the scammer's email provider. It said the email account was locked for security purposes, and the user needed to "click here" to log in and unlock the account. "And of course this link doesn't go to AOL, that link goes to us" Irimie explained.
"Indeed he entered his user name and password so we could get his IP address, his internet address" Sjouwerman said, adding that information in turn provided the scammer's geographic location. "We know where it is but we refrain from making that public because we've transferred it to law enforcement, and it's now in their hands" he told FOX 13 News.

It is intelligence laundering. You have a source you don't want to compromise (say a spy in the Kremlin) so you use the intelligence from that source to ensure you “stumble upon” the same intelligence in a way that “explains” how you got the information without getting your spy shot.
FBI and DEA under review for use of NSA mass surveillance data
… The investigations surfaced in a report to Congress from the Justice Department's inspector general.
Parallel construction is a controversial investigative technique that takes information gained from sources like the NSA's mass surveillance, covers up or lies about the sources, and then utilizes them in criminal investigations inside the United States. The information was passed to other federal agencies like the Internal Revenue Service (IRS).
The technique was described as “decades old, a bedrock concept” by a DEA official.
Critics at the Electronic Frontier Foundation (EFF) described the technique as “intelligence laundering” designed to cover up "deception and dishonesty" that ran contrary to the original intent of post-9/11 surveillance laws.
… The DEA’s use of parallel construction was revealed by Reuters a few months later.
… The NSA sent daily metadata reports to the FBI from at least 2006 to 2011, according to the director of national intelligence.
The ongoing review will examine how the FBI processed the NSA’s information, how much information was passed along, and the results of the initiated investigations.
… The Justice Department’s Office of Inspector General is also investigating the FBI’s use of Patriot Act Section 215 from 2012 to 2014 that allowed it to obtain “any tangible thing” from any business or entity as part of investigations against international terrorism or spying.
A previous investigation revealed that every single Section 215 application submitted by the FBI to the secretive Foreign Intelligence Surveillance Court (FISA) was approved.

(Related) Compromising your field agents is always a bad thing.
Aditya Tejas reports:
The U.S. Central Intelligence Agency (CIA) pulled a number of officers from the American Embassy in Beijing as a precautionary measure after a massive cyberattack in June compromised the personal data of over 22 million federal employees, according to a report Tuesday.
U.S. officials reportedly said the data breach was conducted by a hostile party to identify spies and other American officials who could be blackmailed to provide information. The records, stolen from the Office of Personnel Management (OPM), contain the background checks of State Department employees.

An interesting way to identify and ensure everyone is using Best Practices!
Excellent. NewsOK reports:
State Auditor Nicole Galloway on Wednesday announced the launch of a cybersecurity audit initiative in Missouri schools.
The initiative will focus on identifying practices that improve the security of information that schools have on students and their families.
Read more on NewsOK.
[From the article:
According to the Privacy Rights Clearinghouse, a nonprofit based in San Diego, more than 250 K-12 schools across the United States experienced a data breach event in the past 10 years. [I'd bet that number is low. Bob]

Do they care what the customers want? What will happen if Google blocks Digicel?
Mobile Operator Digicel Will Block Advertising Across Its Network
Who needs an ad-blocking app when your telecom operator will prevent ads from reaching your mobile device?
Wireless operator Digicel will soon begin blocking online advertising from traveling across its networks in the Caribbean and South Pacific, the company announced Wednesday.
German telecommunications group Deutsche Telekom is also considering blocking advertising on its networks, a person familiar with the matter said.
Jamaica-based Digicel said online advertising companies such as Google, Facebook and Yahoo will now be required to pay to deliver ads to its subscribers, or can expect to have them blocked.
… For now, U.S. consumers are blocking ads by installing software on their computers or mobile devices. The practice is growing, threatening the business model of many ad-supported online sites and services.

Because vast improvements don't work well with half-vast implementations. Europe has been using these for 5 years. Why are there any surprises here? Because no one tried to learn from the Europeans, they tried to make it all up on their own.
Chips, Dips and Tips: 5 Potential Problems With New Credit Cards
… Thursday's "deadline" for merchants to support the new EMV technology — or face the consequences if fraud occurs — is really a soft target, and consumers are unlikely to notice any dramatic changes or encounter difficulties as they make their shopping rounds.
… the chip generates a unique purchase code every time the card is used, transactions will take a few seconds longer to process. Added to unfamiliarity with the "dip" process and there may be checkout delays, experts warn.
"Some people are experiencing 20-second wait times with these chips," said Avivah Litan, vice president and analyst at Gartner Research.
… "I have several credit cards with chips in them and all but my American Express work really well," said chip credit card user Marilyn Barnicke Belleghem. "Apparently, the chip (on that card) is placed in the wrong position to be accurately read on the machine at the grocery store where I like to shop."
… In other countries, chip cards come with PINs, which require the user to remember a four-digit number in order to use the card. Most U.S. chip cards won't come with PIN technology initially, meaning shoppers will still confirm purchases with a signature. The problem is, some chip credit card machines in other countries aren't equipped to accept signatures, so you might not be able to pay if you're traveling and don't have a card with a PIN.
… With only a signature required, we won't have the full protection that a PIN offers. If a thief steals your chip card, they can still use it. They just have to forge your signature.
The new technology doesn't protect against fraud in online purchases, either. Online transactions don't require a terminal at checkout, so there's no way to read your card and generate a code. All anyone needs is your credit card number, three-digit security code, and expiration date.
… The added hassle might motivate consumers to use phones to make wireless NFC (near-field communication) payments, which is quicker.
"I think this is going to spur an adoption of mobile payments," said Gartner's Litan. "They're much more convenient. This is exactly what the credit card companies want you to do. The same culprits pushing chips, they would also like us to use our mobile phones. Then they don't have to pay for physical cards, and it has the same security as a chip."
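The per-transaction code the article describes, as an added toy model that is not from the article or from any EMV specification: the issuer accepts a card-present cryptogram only once, because the counter must increase, while an online purchase is checked against static data alone. Key handling, the counter and the MAC input are simplified assumptions.

```python
import hashlib, hmac, secrets

# Toy model, not EMV's real ARQC scheme: key handling, counter and MAC input are assumptions.
def _mac(key, atc, amount, nonce):
    msg = f"{atc}|{amount}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Card side: a counter plus a MAC over counter, amount and the terminal's nonce."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate(self, amount, nonce):
        self.atc += 1                     # application transaction counter never repeats
        return self.atc, _mac(self._key, self.atc, amount, nonce)

class Issuer:
    """Issuer side: per-card key, highest counter accepted, and static card-not-present data."""
    def __init__(self):
        self.keys, self.last_atc, self.cnp = {}, {}, {}

    def issue_card(self, pan, cvv2, expiry):
        self.keys[pan] = secrets.token_bytes(16)
        self.last_atc[pan] = 0
        self.cnp[pan] = (cvv2, expiry)
        return ChipCard(pan, self.keys[pan])

    def authorize_chip(self, pan, atc, amount, nonce, cryptogram):
        """Card-present: verify the MAC and require a strictly increasing counter."""
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False                  # unknown card, or a replayed/older counter
        if not hmac.compare_digest(_mac(key, atc, amount, nonce), cryptogram):
            return False
        self.last_atc[pan] = atc
        return True

    def authorize_online(self, pan, cvv2, expiry):
        """Card-not-present: only static data is checked, so a copy of it suffices."""
        return self.cnp.get(pan) == (cvv2, expiry)

def demo():
    issuer = Issuer()
    card = issuer.issue_card("4111111111111111", "123", "12/19")  # constructed sample card
    nonce = secrets.token_bytes(4)                    # terminal's unpredictable number
    atc, crypt = card.generate(2000, nonce)           # amount in cents
    first = issuer.authorize_chip(card.pan, atc, 2000, nonce, crypt)
    replay = issuer.authorize_chip(card.pan, atc, 2000, nonce, crypt)  # same data resent
    online = issuer.authorize_online(card.pan, "123", "12/19")         # static data only
    return first, replay, online
```

`demo()` returns `(True, False, True)`: the first chip transaction is accepted, the resent copy is refused, and the online check passes on nothing more than the card number, security code and expiry.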

An interesting question for my lawyer friends.
Why Are So Many Law Firms Trapped in 1995?

Replacing project management? Turning tasks into just another thing on the Internet of Things?
Asana's New Plan: Tracking Every Aspect Of Your Work, With Help From Developers
… Asana has some 140,000 companies who use it to track projects and tasks, with the hope of eliminating back-and-forth conversations that happen in email and meetings in favor of, you know, actual work. While most use it for free, more than 10,000 companies pay per-team fees that start at $21 a month, and Asana now has "tens of millions of dollars" in annual recurring revenue, Moskovitz said.
… The problem is that not everything you deal with at work is a task. Asana, historically, has presented itself as a task-management tool. Now, Moskovitz and Rosenstein want to expand its scope to the larger category of "work tracking," an area of collaboration they see as coequal to file sharing, like Box and Dropbox, and messaging, the field of Slack, Convo and similar apps.
Sections are essentially additional data fields that can be assigned to an object in Asana. Venture-capital firms might track companies by stage and amount invested. A DNA analysis firm might track vials. A nonprofit orchestrating healthcare in a developing country might track patients. All of those require a more structured approach than a generic task.
That, in turn, opens up Asana to far more interesting possibilities for third-party developers. A healthcare systems integrator might build a generalized case-management tool for hospitals. A publishing company might create a system for tracking an article from assignment to editing and fact-checking to publication.

A case study of political disconnect? “We knew it couldn't be done until 2019 so we set the deadline at 2015. Then we can claim we're statesmanlike by extending it to 2018.”
Bill to extend safety system deadline would avert rail shutdown, help Metra
A measure introduced in the U.S. House on Wednesday seeks to avert the threatened year-end shutdown of the nation's freight and commuter railroads, including Metra.
Leaders of the Transportation and Infrastructure Committee said their bipartisan legislation would give U.S. railroads an additional three years to implement the congressionally mandated safety system known as positive train control.
The lawmakers acknowledged that the Dec. 31 deadline for installation of PTC on the vast majority of the railroads is not achievable, and that extending the period until the end of 2018 will prevent significant disruptions of both passenger and freight rail service across the country.
… Without an extension, railroads say their crews would be prohibited by law from operating trains beyond that date. They say freight shipments will be halted, commuter lines will cease operations, and Amtrak service outside of portions of the Northeast Corridor will be suspended.
A shutdown could have a huge impact on Chicago, the nation's rail hub. Each day, the city has 500 freight trains pass through, Metra operates 753 trains, and 56 Amtrak trains come and go.
… The agency has said previously that installing PTC will cost $350 million and won't be fully in place until at least mid-2019.

Perspective. Why “free” works.
The price of free: how Apple, Facebook, Microsoft and Google sell you to advertisers

Is Office365 getting all of Microsoft's attention?
Likes and @Mentions coming to Outlook on the web
Over the last several years, social networks have changed the way we communicate. In our personal lives, we show our approval by “Liking” a friend’s status update on Facebook and we “@Mention” others in a Twitter post to call attention to it. In our workplace, these same social concepts became popular through enterprise social tools such as Yammer. Today we’re taking the next step and introducing Like and @Mention to workplace email in Outlook on the web.
… To Like a message, simply click the thumbs-up icon in the reading pane. This turns the icon from gray to blue, notes within the email that you liked the message and adds a thumbs-up icon in the email list view. Anyone on the thread can Like a message, and their Likes are identified and captured within the message as well. If someone likes your email, you’ll receive a notification letting you know.
While the focus of Likes is on specific emails, the focus of Mentions is on specific individuals. When collaborating on email, it is common to call out a specific person for an action or request. Another scenario is adding a person to an existing thread for their attention—perhaps you are on a thread and know that the person who can answer a question was not initially included. Using the Mentions feature ensures that the person is not only aware of the request but is also included in the thread.
… The Like feature in Outlook on the web will begin to roll out today to Office 365 First Release customers whose Office 365 plan includes Exchange Online. We expect the feature to roll out broadly to eligible Office 365 commercial customers starting in late October. The Mention feature will begin rolling out to First Release customers in mid-October and broadly to all eligible Office 365 commercial customers in mid-November.
In addition, our users who have been migrated to the new version of the service will start seeing Mentions in the December time frame as well.

Ain't technology wonderful? Power for devices on the Internet of Things.
Freevolt generates power from thin air
… Drayson Technologies today announced Freevolt, a system that harvests energy from radio frequency (RF) signals bouncing around in the ether and turns it into usable, "perpetual power."
… We're constantly surrounded by an ever-denser cloud of RF signals. They're the reason your smartphone gets 2G, 3G and 4G coverage, your laptop gets WiFi, and your TV receives digital broadcasts.
… According to Drayson, Freevolt is the first commercially available technology that powers devices using ambient RF energy, no dedicated transmitter required.

For my students who are serious about their field of study.
The 5 Best News Curation Apps to Fight Information Overload
