Monday, October 19, 2015

Once upon a time, we would roll tanks to the border to express our annoyance. What is the Cyberspace equivalent?
Cyberspace Becomes Second Front in Russia’s Clash With NATO
… Along with reported computer breaches of a French TV network and the White House, a number of attacks now being attributed to Russian hackers and some not previously disclosed have riveted intelligence officials as relations with Russia have deteriorated. These targets include the Polish stock market, the U.S. House of Representatives, a German steel plant that suffered severe damage and The New York Times.
U.S. officials worry that any attempt by the Russian government to use vulnerabilities in critical infrastructure like global stock exchanges, power grids and airports as pressure points against the West could lead to a broader conflict...

I think we need to create a Best Practices guide for organizations (and their lawyers).
Andrew Sadauskas reports:
In the immediate aftermath of a security breach, companies should ensure they don’t use weasel words and have in place strong internal communications and clearly-defined staff guidelines, according to Atlassian head of security intelligence Daniel Grzelak.
Read more at ITNews. Why? Because I actually agree with pretty much everything he advises, and if more companies took his advice, there’d be a lot less snark on my blog. [and on mine! Bob]

(Related) But this is not always possible. Consider hiding it in other news like Target did by announcing their breach on the day President Obama was inaugurated. It almost worked!
Christopher Escobedo Hart writes that a well-handled breach can actually improve a company’s bottom line.
A recent study goes a step further, suggesting that if handled well a data breach can actually help the bottom line. This counter-intuitive conclusion, conducted by Sebastian Gay at the University of Chicago, is based on data from breaches occurring between 2005-2014. The paper finds that “firms manage to avoid the full negative effect of a privacy breach event disclosure by releasing on the same day an abnormal amount of positive news to the market.” In other words, sometimes companies have maintained a store of “good news” that they bundle together and release at around the same time that they disclose a data breach, which not only offsets the negative effect of the bad news of a data breach, but actually increases the bottom line.
Read more on Foley, Hoag Security, Privacy and the Law.

See? It's not just Hillary, it's anyone who is computer illiterate.
From the yeah-this-probably-needs-to-be-investigated dept.:
Hillary Rodham Clinton’s e-mail scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a stoner high-school student who claims to have hacked into them.
CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.
Other e-mails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.
Read more of this report by Philip Messing, Jamie Schram and Bruce Golding on NY Post.
The twitter accounts being used to disclose the hack, @phphax (“Cracka”) and @_CWA_ are still online this morning, as are files purporting to be Brennan’s email contact list and call logs of Avril Haines, the White House Deputy National Security Advisor.
Assuming, for now, that these reports are accurate, I’m not sure what this will do to the brouhaha over Clinton’s private email server.
[From the Post article:
… The FBI and other federal agencies are now investigating the hacker, with one source saying criminal charges are possible, law enforcement sources said.
“I think they’ll want to make an example out of him to deter people from doing this in the future,” said a source who described the situation as “just wild” and “crazy.”
“I can’t believe he did this to the head of the CIA,’’ the source added. “[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”

Confusing. How will they differentiate between “nation-state” and “teenager working for a nation-state?” Is this a small/medium/huge problem?
Facebook to Warn Users of State Sponsored Attacks
According to the social network, users will be informed on any suspected compromise from an attacker believed to be working on behalf of a nation-state. The company is already monitoring accounts for potentially malicious activity while offering users the possibility to proactively secure their accounts, and the new security measure is building on this foundation.
In addition to a warning on the possible malicious activity, Facebook will provide users with the possibility to turn on Login Approvals, which would ensure that third-parties cannot login into a user’s account. As soon as the account is accessed from a new device or browser, the user receives a security code on the phone, so that only they could login.
Alex Stamos, Chief Security Officer at Facebook, explains in a blog post that the warnings are not being sent out because Facebook's platform or systems have been compromised, but that user’s computer or mobile device might have been infected with malware.

Interesting. I can neither confirm nor deny... Mathematically, this might not be as difficult as you might think.
How is NSA breaking so much crypto?
There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.
However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.
… For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.

“As long as you are volunteering that data, you won't mind if we copy it into our criminal database, right?” Have we paid for DNA testing or have we agreed to add our DNA to their database forever?
Cops are asking and 23andMe for their customers’ DNA
When companies like and 23andMe first invited people to send in their DNA for genealogy tracing and medical diagnostic tests, privacy advocates warned about the creation of giant genetic databases that might one day be used against participants by law enforcement. DNA, after all, can be a key to solving crimes. It “has serious information about you and your family,” genetic privacy advocate Jeremy Gruber told me back in 2010 when such services were just getting popular.
Now, five years later, when 23andMe and Ancestry both have over a million customers, those warnings are looking prescient. “Your relative’s DNA could turn you into a suspect,” warns Wired, writing about a case from earlier this year, in which New Orleans filmmaker Michael Usry became a suspect in an unsolved murder case after cops did a familial genetic search using semen collected in 1996. The cops searched an database and got a familial match to a saliva sample Usry’s father had given years earlier. Usry was ultimately determined to be innocent and the Electronic Frontier Foundation called it a “wild goose chase” that demonstrated “the very real threats to privacy and civil liberties posed by law enforcement access to private genetic databases.”
… As NYU law professor Erin Murphy told the New Orleans Advocate regarding the Usry case, gathering DNA information is “a series of totally reasonable steps by law enforcement.” If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.
“It has this really Orwellian state feeling to it,” Murphy said to the Advocate.
If the idea of investigators poking through your DNA freaks you out, both and 23andMe have options to delete your information with the sites. 23andMe says it will delete information within 30 days upon request.

This could cause a few problems. Imagine schools introducing technology that does a good job teaching students but fails to meet the state's standards. They buy the technology and then most of their students won't use it.
Rich Lord reports:
The homework assignments, essays, musings and instant messages today’s students are entering into educational websites and applications would be subject to new data privacy standards under legislation introduced today in Harrisburg.
State Rep. Dan Miller, D-Mt. Lebanon, and Tedd Nesbit, R-Grove City, have introduced two-bills that would stop short of outlawing controversial data practices, but would require that districts inform parents if they use technology that doesn’t meet the standards, and allow students to opt out.
Read more on Government Technology.
[From the article:
Nearly two-thirds of the districts could show no process for vetting the privacy policies of education technology vendors. Only eight systems could show that they were training teachers to protect student data.
Most of the vendors had no provision for deleting unneeded student data or protecting it in a corporate acquisition or bankruptcy sale, and only a tiny minority pledged to notify schools in the event of a data breach.

I don't see this as a problem for quite some time. (Except for TV game shows)
The End of Expertise
… Talk to people in such professional service industries as private banking, auditing, consulting, even engineering, and you begin to hear concerns about the commoditization of professional knowledge.
… Increasingly, tax preparation is being automated, and even auditing is going the way of algorithmic review and big data “sweeps” instead of sampling. Artificial intelligence is writing much of the content that you’re reading (although not this!), and Jancis Robinson, the wine expert and writer, recently wrote that she has “gone from being a unique provider of information to having to fight for attention.”

Interesting blog post. I've been looking for a follow-up to Paul David's “The Dynamo and the Computer” I think this might be it. Interesting read anyway.
The Deployment Age
A couple of weeks ago James Gross, co-founder of Percolate, had me speak at their Transition conference. I talked about Carlota Perez, her theories, and the transition to the deployment period that we are currently undergoing. The talk, as I remember it, (plus some stuff I had to cut for time) is below. I’ve also added some additional material as sidenotes.
Perez’ theory describes the path a technological revolution, like the Industrial Revolution, takes and the social, economic and institutional changes that go along with it. The jury is still out on the theory, and there are plenty of reasons to doubt it. But if it successfully predicts what happens over the next ten years it will have in good part proved its power.

Do you think this will upset my Computer Security students?
Google is recording your voice and questions
by Sabrina I. Pacifici on Oct 18, 2015
“Google searches are like a stream of consciousness. We plug every idle curiosity, every thought, and every question into the search engine. Google has always kept careful record of these searches, which helps sell ads. But Google also keeps an audio log of the questions you ask its voice search function, OK Google, and now you can listen to those recordings online. Back in June, Google launched a new portal for all Google account-related activities. It’s where you can manage your privacy settings, see what you’ve searched for, and where Google has logged your location. The Guardian pointed out Oct. 12 that these archives include a section for voice searches, and it’s a little unnerving to listen to every silly thing you’ve asked since the service launched…”
  • Note to self and others – everything you say and do via digital devices is collected – by various organizations for reasons ranging from marketing to surveillance. We have automatically been opted-out of “privacy.” And it is always a good idea to seek the assistance of a Librarian – in person is a bonus – we listen to and respond to questions on a mind boggling range of issues, with expertise, and without an agenda.

For my Math students.
The 20 Websites You Need to Learn Math Step by Step

No comments: