Saturday, November 14, 2015

Another good “bad example” to share with my Computer Security students. Consider how this could go undetected for so long.
The breach in question may have begun in January, 2012, years before OH Muhlenberg acquired Muhlenberg Community Hospital, but it potentially impacted all patients, all payment guarantors, employees and some credentialed providers after that date and before OH Muhlenberg learned of the breach and contained it. This incident does not yet appear on HHS’s public breach tool, so the number potentially impacted is not known as of the time of this posting.
OH Muhlenberg, LLC issued the following press release today:
[ … ]
OH Muhlenberg, LLC acquired the Muhlenberg Community Hospital operations on July 1, 2015. Prior to that time, the hospital had been owned and operated by Muhlenberg Community Hospital since 1938. As part of the acquisition, OH Muhlenberg, LLC acquired substantially all of the assets of the hospital in Muhlenberg, including its computer systems, patient records and other records.
On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.
… Upon learning of the incident, the hospital took prompt steps to address and contain it, including immediately blocking the external unauthorized IP addresses, taking steps to disable the malware and continuing to enhance the security of its systems moving forward.
The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient’s bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such as health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. [ … ]

Bad for my Computer Security students, good for my Computer Forensics students.
Lucian Constantin reports:
Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.
Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.
Read more on PCWorld.

For my Computer Security students. This is not for amateurs. Consider the downside of attacking state-sponsored hackers.
Hacking Back: Industry Reactions to Offensive Security Research
A good example of researchers “hacking back” is detailed in a report published this week by security firm Check Point. The company hacked into the phishing and C&C servers of the Iran-linked group dubbed Rocket Kitten (aka Newscaster), which led to the identification of victims and even an individual suspected of being the main developer.
The report: The complete report, titled “Rocket Kitten: A Campaign with 9 Lives” is available for download in PDF format.

Perhaps the FTC won't be leading the way to secure data, at least until they figure out what that means. Who made the decision to go after LabMD?
In a data security enforcement action that some have characterized as a modern version of David vs. Goliath, David won today, and the FTC lost. It was an enforcement action that the FTC never should have commenced, as I’ve argued repeatedly, and today’s loss may actually make future enforcement actions more difficult for them as the standard for demonstrating likelihood of substantial injury has now been addressed in this ruling.
LabMD was a cancer detection laboratory whose security practices were designed to comply with HIPAA’s standards. The FTC opened an investigation into their data security practices after an employee violated their policies and downloaded P2P software that wound up exposing some patient information on the file-sharing network.
For that mistake – which wasn’t even a reportable breach under HIPAA back in 2008 – the FTC came down like a ton of bricks on them. In 2013, after LabMD steadfastly refused to sign a consent order, the FTC filed a complaint that included many of its now-common complaints about what constitutes “unreasonable” data security practices that put consumers at risk of substantial injury.
But the FTC’s case relied primarily on evidence by a third party, Tiversa, Inc., who had testified to Congress and to the FTC that a LabMD file with patient information had been exposed on a file-sharing network and had been downloaded by others. That testimony turned out not to be credible.
But the FTC had taken Tiversa’s testimony and asked some experts to assess the risk of substantial harm to consumers. The experts, however, were told to assume that the breach had occurred. As it turned out, the data had not been downloaded by anyone other than Tiversa. In time, the FTC informed the administrative law judge hearing the complaint that they would not rely on Tiversa’s original testimony nor on their expert witnesses’ statements. Instead, they argued that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury – even though there was no evidence that the data had ever been shared or that even one consumer had been harmed.
By then, LabMD had closed its doors to new testing, crushed under the weight and expense of fighting the FTC. [Will they ever recover any of that? Probably as likely as the FTC apologizing... Bob]
Today, Administrative Law Judge Michael Chappell issued his ruling in FTC v. LabMD. It is a somewhat startling ruling for its veiled criticisms of the FTC commissioners’ actions.
On the main issues, though, Judge Chappell summarizes his ruling:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
I’ve uploaded the entire ruling here (pdf), and I’m sure there will be more discussion and analysis later, but this is just so stunning that I wanted to get the news out immediately.

What is “notification” today? Do we need to use every possible means? Is there a hierarchy?
I’m not sure that posting a breach notification on a Facebook page is sufficient when you also have a web site where you could post the announcement. Assuming everyone is on Facebook is risky.
Case in point: Common Market in Union, Maine, posted this on their Facebook page on October 30.
We recently learned that there has been a breach of Debit and Credit Card data in our area. The Common Market was one of the stores compromised. Please keep a close eye on your Debit and/or Credit Card transactions for the last couple of months (from August 12 to October 26) for any suspicious activities or charges that you do not recognize. Contact your bank immediately if you see any suspicious activity.
We have been in close contact with our Debit/Credit card processor and they have taken steps to make sure our system is now secure.
We sincerely apologize for any inconvenience this has caused.
That FB post shows up in a scrolling feed on their web site, but if someone didn’t happen to check the site before it scrolled down, they might miss it.
While I commend Common Market for their transparency in notifying their customers, I would encourage ALL entities to post such disclosures on the home page of their web sites or prominently linked from the home page of their web sites.

Should become the basis for many interesting scenarios. If I understand the process, the terrorist in Paris could have sent messages to thousands of innocent people telling them to “begin the attack.” If that message went out at 3AM for example, most of the recipients would never have seen it and would be very surprised when the SWAT teams blew their front door down.
Soon, You Could Receive a Facebook Message That Disappears Before You Read It
Facebook is testing a new feature on Facebook Messenger in France that allows users to create messages that self-destruct an hour after they're sent. (Yes, you read that right: they disappear an hour after they're sent, not read.)
It's the first time a disappearing messaging feature has been available on the platform, and it's a clear indication that the company will continue to compete with Snapchat, the app that brought disappearing messages to the forefront. (Facebook tried, unsuccessfully, to acquire the company in 2013.)
… This latest attempt is different, primarily because it adds ephemerality as a feature to an existing app instead of requiring users to download a new one. But in practical terms, it seems pretty messy. Say you send someone an ephemeral message through Facebook Messenger, but they don't see it for a few hours. Does this mean your message will self-destruct before it's ever opened?
Apparently, yes.

For my student who asked me this week (the 6th week of the quarter) “What textbook?”
Search Any Book With Google – It’s Finally Legal!
… Google Books Library Project makes the complete text from all books searchable. When you search for a keyword or phrase in a book, the Search Engine Results Page (SERP) returns basic bibliographic information about the book and relevant snippets of context around the keywords.
If a book is out of copyright you can read and download the whole book. Sometimes publishers even give permission for their books (or portions of them) to be available on Google Books – including popular ones.
… This ruling is popular among fans of Google Books, but the implications reach farther than that. Non-profits, libraries, and software developers today have a much greater understanding of how Fair Use can protect them, and that’s great news. As Dan Cohen wrote in The Atlantic, this ruling could lead to all sorts of innovations:
Because many institutions want to avoid legal and financial risk, many possible uses that the courts would find fair — including a number of non-commercial, educational uses — are simply never attempted. A clearer fair-use principle, with stronger support from the courts, will make libraries and similar organizations more confident about pursuing forms of broader digital access.

So I make that (80.7 / 2,800 = 0.0288) a 2.88% return. Of course they could raise tolls every year.
Canadian consortium buys Chicago Skyway lease rights for $2.8 billion
A decade after investors gave the city more than $1.8 billion to lease the Chicago Skyway for 99 years, the rights to run the privatized highway and collect tolls have been sold for $1 billion more than the original price.
… The Skyway company reported collecting nearly $80.7 million in revenue from tolls last year, a slight increase from 2013.

Perspective. The only generation in which a majority have posted selfies is the Millennials. Infographic.
The Selfie Habits Across Different Generations

For my students interested in Big Data.
9 Useful Open Source Big Data Tools
… Why are so many Big Data projects open source? There's no definitive answer, but most likely it's related to the fact that Hadoop is the project that got the Big Data bandwagon rolling. Since Hadoop is open source, many folks who work with it are active in the open source community. That means the tools they develop are also likely to be open source.

Interesting, but I probably will still ignore PowerPoint.
Microsoft announces two brilliant PowerPoint 2016 design tools
First, a new Designer feature is a bit like a real-time template. You can create all of your slides the way you normally do, with a template or without. You lay out the images and text, get everything in the order you want, and even create all of the timings and transitions. Then, you pick the Designer tool. As Maloney explained, it’s like taking your slides and giving them a graphic designer who knows how improve them even more and wow an audience. [I like it! Facts first, then pretty. Bob]
… Another interesting aspect to the Designer is that the processing for the suggestions occurs in Microsoft Azure in the cloud, and this feature knows which designs most users pick. If no one is picking the one with the art gallery look, it won’t keep showing up. It’s the power of the crowd instilled in the app. [I hate it! Looking for the lowest common denominator? Bob]
… Another new feature called Morph ... lets you create animations without having to know anything about how animation works. You create some art, move it around, and Morph watches what you are doing and builds the animation. [Distracting. Bob]

I can't believe so much happens every week!
Hack Education Weekly News
Via the LA School Report: “A year later, secrecy surrounds FBI probe of LAUSD's iPad program.”
… The University of Illinois has paid $875,000 to settle Steven Salaita’s lawsuit, resulting from the school’s decision to fire Salaita based on comments he made on Twitter about Palestine.
… “The Starbucks Corporation this week announced that it will offer a tuition-free education to a spouse or child of its employees who are veterans or active-duty members of the U.S. military,” Inside Higher Ed reports. (That is, tuition-free education at ASU Online as part of Starbucks’ existing deal with the school.)
… “Math tutoring service in the form of a phone sex hotline.” Stay classy, ed-tech. [Does it work? Bob]
… “Schools Can’t Stop Kids From Sexting. More Technology Can,” Jonathan Zimmerman argues in a NYT op-ed. Moar technology!

Perspective. I hadn't thought of that, but she might be on to something here.
How The Old Farmer’s Almanac Previewed the Information Age
… It must have seemed, to the people of 1792, when The Farmer’s Almanac was founded, something like what a smartphone is to people today: a handheld, portable device that contained information about all manner of things—health advice, weather predictions, jokes, recipes, charts detailing the times of sunrises and sunsets, and other “new, useful, and entertaining” tidbits, as the cover promised.

Friday, November 13, 2015

The curse of Las Vegas? Amateurs can't be trusted?
CT Lottery: Game suspended after terminals ‘manipulated’
The CT Lottery has temporarily suspended the sales and cashing of its “5 Card Cash” because “some retailers may have intentionally manipulated the reporting mechanism on the terminal for their own personal benefit.”
It says new software is being changed “to further enhance the security features of the game.”
The Department of Consumer Protection believes some retailers may have intentionally manipulated the reporting mechanism on the terminal to win. DCP Commissioner Jonathan A. Harris said in a statement “the department is investigating the matter.”

For my Computer Security students, even though it's really about management. This also happens with software licenses. At some companies, it happens every year when the license expires. Every! Year!
Lapsed Apple certificate triggers massive Mac app fiasco
A lapsed Apple digital certificate today triggered a massive app fiasco that prevented Mac users from running software they'd purchased from the Mac App Store.
"Whenever you download an app from the Mac App Store, the app provides a cryptographically-signed receipt," explained Paul Haddad, a co-founder of Tapbots, the company behind the popular Tweetbot Twitter client, in an email reply to questions today. "These receipts are signed with various certificates with different expiration dates. One of those is the 'Mac App Store Receipt Signing;' that expires every two years. That certificate expired on 'Nov 11 21:58:01 2015 GMT,' which caused most existing App Store receipts to no longer be considered valid."
The result: Bedlam.
Until Apple replaced the expired certificate, users who booted up their Macs today were unable to launch the apps they had bought through the Mac App Store, the OS X version of the iPhone's distribution portal.
But even after Apple replaced the outdated certificate, many apps still refused to run or threw off scary error messages, including one that said the app was "damaged and can't be opened," and others that said the app was already being used on another Mac, when it was, in fact, not.
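The two-year receipt-signing certificate Haddad describes, worked through as an added example (it is not Apple's code and not from the article): a Go program builds a hypothetical root CA and a "Receipt Signing" certificate with a two-year lifetime, signs a constructed receipt, and shows the very same signature accepted in June 2015 and rejected the day after the certificate lapses, alongside the days-to-expiry check that would have raised the alarm in advance. All certificate names and the receipt contents are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ReceiptSigner is a constructed stand-in for the chain quoted above: a root CA
// plus a "Receipt Signing" certificate that is valid for two years.
type ReceiptSigner struct {
	Root   *x509.Certificate
	Signer *x509.Certificate
	key    ed25519.PrivateKey
}

func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signWith ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signWith)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("certificate creation failed")
	}
	return cert
}

// NewReceiptSigner builds the hypothetical chain as of `issued`; the signing
// certificate's NotAfter is exactly two years later.
func NewReceiptSigner(issued time.Time) *ReceiptSigner {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	signPub, signPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (hypothetical)"},
		NotBefore:             issued.Add(-24 * time.Hour),
		NotAfter:              issued.AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, rootPub, rootPriv)
	signer := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Receipt Signing (hypothetical)"},
		NotBefore:    issued,
		NotAfter:     issued.AddDate(2, 0, 0), // the two-year lifetime quoted above
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, root, signPub, rootPriv)
	return &ReceiptSigner{Root: root, Signer: signer, key: signPriv}
}

// Sign produces an Ed25519 signature over the raw receipt bytes.
func (s *ReceiptSigner) Sign(receipt []byte) []byte {
	return ed25519.Sign(s.key, receipt)
}

// VerifyReceipt is the launch-time check: the signing certificate must chain to the
// trusted root at the current time before the signature is even looked at.
func VerifyReceipt(root, signer *x509.Certificate, receipt, sig []byte, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err != nil {
		return fmt.Errorf("signing certificate rejected on %s: %w", now.Format("2006-01-02"), err)
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, receipt, sig) {
		return errors.New("receipt signature does not match")
	}
	return nil
}

// IsExpiredError distinguishes "certificate lapsed" from "bad signature".
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// DaysUntilExpiry is the monitoring check that turns a surprise lapse into a
// scheduled renewal: alert long before it reaches zero.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	s := NewReceiptSigner(time.Date(2013, 11, 11, 0, 0, 0, 0, time.UTC))
	receipt := []byte("constructed receipt: bundle=com.example.app purchase=2014-03-02")
	sig := s.Sign(receipt)
	for _, day := range []string{"2015-06-01", "2015-11-12"} {
		now, _ := time.Parse("2006-01-02", day)
		err := VerifyReceipt(s.Root, s.Signer, receipt, sig, now)
		fmt.Printf("%s: %d days left, expired=%v, err=%v\n", day, DaysUntilExpiry(s.Signer, now), IsExpiredError(err), err)
	}
}
```

Note that the receipt and its signature never change between the two dates; only the clock does, which is exactly why a lapsed certificate looks like "damaged" software to the user.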

Another paper for my Computer Security students.
Emerging Cyber Threats Report 2016 – Impact of The Internet of Things
by Sabrina I. Pacifici on Nov 12, 2015
Georgia Institute of Technology Cybersecurity Summit 2015 – “The intersection of the physical and digital world continued to deepen in 2015. The adoption of network-connected devices and sensors — the Internet of Things — accelerated and was expected to reach nearly 5 billion devices by the end of the year. The collection and analysis of big datasets shed light on a variety of subjects, from profiling consumers’ buying habits to forecasting the loss of Arctic ice. Companies, from Google to Apple to traditional car makers, focused greater efforts on creating autonomous vehicles with a near-term goal of a driverless car on the road by 2020. These trends continue despite obvious dangers. Ever-present devices and online tracking allow us to measure our activities, but give other third-parties unprecedented access to monitor those same habits. Automated systems are increasingly removing humans from operational loops, making everything from driving cars to diagnosing diseases less prone to human error, but at the same time, requiring that each device be trusted — a technology safeguard that does not yet fully exist. Attackers have shown that these dangers are not just theoretical. Online espionage groups exploited the trust relationship between two background-check suppliers and the U.S. Office of Personnel Management (OPM), leading to the exfiltration of perhaps the most significant cache of U.S.-focused intelligence to date. Two security researchers hacked a GMC Jeep Cherokee while a journalist was driving, resulting in a government-mandated recall of 1.5 million cars. To understand the dangers posed by our increasingly digital world, we need to study and define both the potential problems and necessary solutions. The annual Georgia Tech Cyber Security Summit (GTCSS) on Oct. 28, 2015 provided an opportunity for experts from academia, private industry and government agencies to come together and prepare for the challenges we face in securing an ever-more complex society. This is the 13th year that the Georgia Institute of Technology has hosted the event to support efforts to develop bold, new technologies and strategies that ensure the safety and security of government, industry and individuals.”

For all my IT students, but Computer Security in particular.
The Ethics Conversation We’re Not Having About Data
… From a data perspective, the news about Ashley Madison is the most cogent. This scandal may seem irrelevant to those who disdain the site’s shady business model, but you really should be paying attention. Here are five reasons why:
  1. Customers of the website presumably believe that the site owner has a strong desire to keep their data private. The website still fails to fend off hackers.
  2. Users who presume they are anonymous because they use pseudonyms on their profiles learn that data analysts have uncovered their identities via credit cards, and even stored the information in the databases.
  3. When customers ask for data deletion, even after these users pay the website to remove their data, the data continue to reside on the servers.
  4. Technologists discover that the programmers have made certain mistakes that allow over 10 million scrambled passwords to be decoded.
  5. After the hackers release the stolen data to the public, a horde of investigators immediately obtain the data, with the intention of discovering embarrassing personal details. These analysts see it as a rare opportunity to lay their hands on a massive, real-world dataset that typically is guarded tightly by businesses.

Amazing graphics. (and a new recording for my answering machine!) Does it even hint that Microsoft will lead us into the Promised Privacy Paradise?
Kieren McCarthy reports:
Microsoft has published what can only be described as a privacy manifesto.
The unusual online screed comes complete with interactive graphics, including a recording of the FISA court’s voicemail, and appears geared at pitching Microsoft as the protector of people’s global data.
Read more on The Register.

Privacy for those who don't think about privacy. (And for my Computer Security students as a training tool!)
Privacy Online Explained by Common Craft
Have you or your students ever wondered what happens to all of the data collected by your web browsing habits? Or have you wondered why Facebook shows you one set of advertisements while a friend sitting next to you might see completely different advertisements? It all comes down to data collection and online privacy. In their latest video Common Craft explains how privacy online is different than it is in the real world, what happens to your online data, and how that data was captured to begin with.

An example of (not much) Privacy.
Joel Hruska writes:
New research from Avast reveals just how easily compromised many so-called “smart” TVs actually are, as well as how little your consent to being tracked actually matters. This hack is unrelated to the investigation we discussed yesterday, concerning Vizio’s decision to sell identifiable user data to third-parties and advertisers, though many of these issues are interrelated.
Read more on ExtremeTech.

A question for those Balkanizing the Internet: how granular can we get? Will Centennial enact laws that conflict with Denver's and have no relationship to federal law?
Andrew Blake reports:
Internet regulators in the Kremlin said this week that Twitter must begin storing the details of Russian users at facilities located within the country, walking back an earlier decision not to force the company into complying with a controversial, recently enacted data law.
Read more on Washington Times.

What if the driver was asleep in the back seat? How did the officer “flag down” the car? Does it respond to lights and sirens? Was someone watching a “cop cam” remotely?
Google self-driving car pulled over for going too slow
Beep, beep. A Google driverless car was pulled over in California. The problem? It was going too slow.
An officer in Mountain View, Calif., apparently saw traffic backed up behind the little, white vehicle. The car was traveling 24 mph in a stretch where the posted speed limit was 35 mph.
The officer realized it was a self-driving car and pulled it over. The officer then “made contact with the operators to learn more about how the car was choosing speeds along certain roadways and to educate the operators about impeding traffic,” according to a post on the police department’s blog.
The car’s defense — its speed limit is set at 25 mph for “safety reasons,” according to a Google+ page.

Perspective. Clearly, I'm completely out of touch. What's a spotty fly?
Leaning power: Spotify names its most streamed track of all time
What might you think would be Spotify’s most popular track ever? Stairway to Heaven by Led Zeppelin, often claimed to be the greatest rock song of all time, and one of the most played on the radio? Michael Jackson’s Thriller, the title track of the biggest-selling album ever? Or Bing Crosby’s White Christmas, the most popular single of all time?
Answer: none of the above. In fact it’s a song released earlier this year, that didn’t top the charts in either the US or the UK, and which was released independently.
Lean On, by Major Lazer & DJ Snake (with MØ) has now received 526m plays worldwide, according to Spotify, overtaking the previous record holder, Thinking Out Loud by Ed Sheeran.

Colorado: toy supplier to the galaxy?
Sphero BB-8 is the 'Star Wars' toy you're looking for (hands-on)
When the "Star Wars: The Force Awakens" trailer dropped last November, one little astromech droid was the talk of the town: BB-8, the adorable spherical robot spotted zipping along the desert landscape.
The robot itself was designed and puppeteered by LucasFilm, but an actual working life-size model for public appearances was created by Colorado-based toy robot company Sphero. It was a perfect fit. Sphero's eponymous robot launched in 2011, a sphere that could be remote-controlled via a smartphone app.
Now that rolling toy has been adapted into a pint-sized BB-8, with an accompanying app that allows you to drive it around and send it on tiny adventures, coming in at a suggested retail price of $150, AU$250 or £130.

Imagine instantaneous communication over any distance.
Entanglement: A Milestone for Quantum Mechanics
A Dutch research team has proven a long believed aspect of quantum mechanics, namely that two particles can influence each other even across great distances.
… The long-distance influence of one particle on another was dubbed “spooky interaction at a distance” by none other than Einstein himself. Einstein did not believe in long distance interaction, but the new research suggests that this is one area where the world’s best-known physicist was wrong.

For the true music collector? MC Edison rap music?
Thousands of 100-year-old wax cylinder recordings available to stream
Before MP3s, before CDs and even before LPs there was the first commercial audio format known as the Edison wax cylinder.
This late 19th-century invention was capable of recording up to 3 minutes of sound on a cylinder made of wax (and later a metallic soap composite or plastic). It was eventually replaced by the popularity of the phonograph in 1929.
The University of California, Santa Barbara library is digitizing its collection of late 19th and early 20th century wax cylinder recordings and has placed over 10,000 songs online for anyone to stream and download.
The earliest wax cylinders were only able to be played about a dozen or so times before the wax wore out, but the pliability of the material meant that users could also record their own material.
… The searchable collection features everything from turn-of-the-century opera to mandolin solos to bizarre animal impressions. As you'd expect for audio recorded on violently degradable media, the quality of the recordings varies from "radio static" to "almost audible subway announcement."

This might help with the 'chatty' clumps of students in some of my classes.
Mega Seating Plan - Create Random or Organized Seating Charts
Mega Seating Plan is a free tool developed by a teacher for teachers. The purpose of Mega Seating Plan is to help you create seating charts from a spreadsheet of names. To create a seating chart in Mega Seating Plan simply import a spreadsheet of names, indicate where seats will be placed in your classroom, and then let Mega Seating Plan randomly assign students to seats. You can quickly alter the seating chart by dragging and dropping names on the chart.
Mega Seating Plan also has a random name selector tool built into it. To use that tool just pick a class list then click the center of your browser window to have a name randomly selected from the list.
Applications for Education
Mega Seating Plan could provide you with a quick way to shuffle the seating plans in your classroom. You might also use it to randomly create working groups in your classroom. To do that just arrange seats in groups then use the random assignment function to put students into working groups.

Thursday, November 12, 2015

Who is next?
Although the DDoS attack and extortion demand made on ProtonMail was the first to draw a lot of media attention – possibly because ProtonMail paid the demand – Hushmail, Runbox, Zoho, and VFEMail were also hit with DDoS attacks, seemingly by the hackers who call themselves the Armada Collective. Neomailbox was also hit, and now Iain Thompson reports that FastMail was hit, too:
FastMail has become the latest web services company to get taken down by distributed denial of service (DDoS) raiders who are trying to extort Bitcoins in exchange for internet access.
The company reports that its servers were down briefly on DDoS attack Sunday 8 November, after the people responsible contacted the company with a ransom demand, asking for 20 Bitcoin (worth around $7,500) to make the assaults go away. Another attack occurred on Monday.
“First of all, we would like to make one thing clear. We do not respond to extortion attempts, and we will not pay these criminals under any circumstances,” the firm said in a blog post.
Read more on The Register.
Graham Cluley had posted a copy of the extortion demand being made.

A challenge for my Computer Security students.
Most Enterprises Prone to Privileged Account Hacks: Report
Most Windows-based network devices that hold sufficiently privileged credentials to enable attackers to compromise other machines and accounts have been found to be susceptible to compromise, a recent report from CyberArk Labs reveals.
According to the report (PDF), dubbed “Analyzing Real-World Exposure to Windows Credential Theft Attacks,” 88 percent of the analyzed Windows-based workstations and servers could be compromised through privileged account credential theft or abuse.

Once information (in this case photographs) hits the Internet, it is there for anyone to use.
Richard Chirgwin reports:
Police are now saying that yesterday’s Melbourne train-heist-and-wreck was possible because miscreants bought stolen keys online.
The vandalism, the cost of which is now estimated at AU$3 million rather than the original $2 million, involved people getting into an idle train at Hurstbridge station, starting it, and taking it on a 50-metre trip through the railyard.
The train was halted by a “derail block”, which then tipped it into another train.
However, in reporting the issue of stolen keys, Melbourne newspaper The Age compounded the problem: it showed a photograph of “universal keys” in sufficient detail for them to be reproduced.
Read more on The Register.

Perhaps we could build one for the US? (Use Google Translate.)
Telecompaper reports:
The Danish Business Authority said it has launched the Privacy Compass at a conference attended by more than 150 organisations. The online tool aims to help businesses monitor their use of personal data and follow the law.
Read more on Telecompaper.

Can I track your phone?
Cell Phone Location Tracking Laws By State
by Sabrina I. Pacifici on Nov 11, 2015
ACLU: “Location records can reveal an enormous amount of information about a person, especially with the proliferation of smartphones that constantly track our whereabouts. Because privacy laws haven’t kept up with advances in technology, police have long claimed the authority to access this information from cell phone companies without warrants. That’s changing. While Congress and the Supreme Court haven’t yet weighed in on whether a warrant should be required for location information, little by little, state legislatures and lower courts are expanding privacy protections for more and more Americans. That does mean, however, that the status of your privacy protections depends on where you are. For example, your location information is protected in Montana, but not in Georgia. In Illinois, police need a warrant to know where you are right now, but not where you were last week. In California, your location information is protected against warrantless search by state and local police, but not by federal authorities. In other states, we’re still waiting for rulings, and in Florida, state and federal courts are at odds on the matter. The map below details the status of cell phone location tracking laws by state. Click on any highlighted state for more information…”

Can I track you?
If you’re interested in how retailers are using facial recognition in their stores – without even notifying you – do read Joe Cadillic’s post on MassPrivateI. Here’s a snippet:
FaceFirst’s website describes in greater detail how they can send descriptive alerts to security when pre-identified shoplifters walk through any door at any store. They also claim to have the ability to identify litigious individuals.
“Just load existing photos of your known shoplifters, members of organized retail crime syndicates, persons of interest, and your best customers into FaceFirst. Instantly, when a person in your FaceFirst database steps into one of your stores, you are sent an email, text, or SMS alert that includes their picture and all biographical information of the known individual so you can take immediate and appropriate action.”

Phoney security? Can we determine who, besides the hacker, had access to these calls?
Not So Securus
An enormous cache of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails. The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.
Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between inmates and attorneys, a strong indication that at least some of the recordings are likely confidential and privileged legal communications — calls that never should have been recorded in the first place.

Just another cutting-edge consultant – why the fuss? Oh yeah, they didn't bother to tell anyone. If the university had trained the FBI forensics guys, would that be a non-issue? What did the FBI's lawyers know about this, and could they have easily avoided the hassle?
Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects
An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.
It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

More excitement than a journalist can stand! Perhaps we'll find this one got away from the operator like the one that landed on the White House lawn.
The Seattle Great Wheel has been damaged by drone
Seattle’s Great Wheel was struck by a drone Wednesday night, shutting down the waterfront attraction briefly but causing no injuries. The incident happened just after 4.45 p.m. Employees say they heard a loud “thud” and saw a drone had crashed onto a plastic table on an outdoor patio area.
… Jamieson said drone strikes are fairly uncommon, recalling only one other incident when a drone crashed into a downtown Seattle building and then struck a 25-year-old woman in the head at the Pride Parade this summer.
… Great Wheel operators briefly stopped the ferris wheel, unloaded passengers, then inspected the ride and did not find any damage.

The new “on demand” businesses.
DoorDash Wants to Own the Last Mile
… One in three Silicon Valley households uses DoorDash. Nationwide, there are “tens of thousands” of Dashers.
… Though typically fueled by a feel-good mission (in DoorDash’s case it’s a desire to see local merchants thrive; Uber cites lofty ideals of a more evolved transportation policy), these enterprises see themselves not in terms of the prosaic tasks they perform for customers but more like utilities — human/machine infrastructure. The business, they claim, is not delivery but “logistics.” DoorDash, typical of this genre, believes that its real advantage lies in its software.

(Related) Innovative business, innovative lawsuits?
In-N-Out Files Lawsuit Against Food Delivery Startup DoorDash
Fast food restaurant In-N-Out, known for its delicious burgers and secret sauce, is suing food delivery startup DoorDash, TMZ reported earlier today. In-N-Out, which filed the lawsuit on Nov. 6, 2015, claims trademark infringement and unfair competition. Basically, In-N-Out wants DoorDash to stop delivering their delicious food because of concerns around quality, food handling and safety.
Here’s a key piece of the filing:
Defendant’s use of Plaintiff’s famous trademarks implies that Defendant not only delivers In-N-Out products to its customers, but that the quality and services offered by Defendant is the same as if consumers had made purchases directly from Plaintiff.

Perspective, and an illustration of Big Data?
Alibaba made $1 billion in 8 minutes
… By midday, that amount had crossed US$9 billion, equalling Alibaba's take for the whole day last year. China's second largest e-commerce company has recorded 14 million orders thus far.
Single's Day is the biggest online shopping day in the world, with several billion dollars worth of e-commerce transactions taking place. The International Data Corporation (IDC) told CNET that this year's sales will surpass $14 billion, which equates to over AU$20 billion or £9 billion. To put that into perspective, last year Thanksgiving and Black Friday sales in the US amounted to a relatively paltry US$2.5 billion.

Just because...
Navy Releases Definitive History of Naval Aviation Online
by Sabrina I. Pacifici on Nov 11, 2015
Navy Releases Definitive History of Naval Aviation Online By Jim Caiella, Naval History and Heritage Command, Communication and Outreach Division – “The Navy released online Nov. 4 its recently-published, two-volume history of U.S. naval aviation. United States Naval Aviation 1910–2010 by Mark L. Evans and Roy A. Grossnick (2015, ISBN 978-0-945274-87-2, hardback, two volumes) is the Naval History and Heritage Command’s fourth update to the original history which was initiated in 1960. That first issue celebrated the first 50 years of United States naval aviation and this two-volume set commemorates the centenary… This and other free Naval History and Heritage Command publications can be found at:”

For my spreadsheet students.
Microsoft Excel + Power BI = Data Analysis Bliss

For my students who grab the first item from a Google search.
Find Open Access Dissertations and Theses
by Sabrina I. Pacifici on Nov 11, 2015
“PQDT Open provides the full text of open access dissertations and theses free of charge. You can quickly and easily locate dissertations and theses relevant to your discipline, and view the complete text in PDF format. Open Access Publishing – The authors of these dissertations and theses have opted to publish as open access. Open Access Publishing is a new service offered by ProQuest’s UMI Dissertation Publishing…”

For my App creating students.
10 DIY Application Development Platforms

Wednesday, November 11, 2015

Perfect timing. My next Computer Security class starts next week and I needed a good conversation starter. Confusingly, though, it's more about building the gambling business than about identity theft.
Charges Announced in J.P. Morgan Hacking Case
In one of the biggest cybercrimes in history, federal prosecutors say, three men stole data on more than 100 million people from a dozen companies’ computers and used a vast global network of accomplices to turn it into hundreds of millions of dollars in illegal profits.
Indictments unsealed Tuesday in Manhattan and Atlanta accused the men and hundreds of their accomplices of carrying out last year’s big data breach at J.P. Morgan Chase & Co. and a host of other crimes around the world—involving computer networks in South Africa and Brazil, money laundered through Cyprus and illegal credit-card payments processed in Azerbaijan.
Manhattan U.S. Attorney Preet Bharara on Tuesday said this “diversified criminal conglomerate” was “breathtaking” in the size and scope of its hacking.
… The schemes allowed Mr. Shalon and his accomplices to turn stolen information into hundreds of millions of dollars, including at least $100 million hidden in his Swiss and other bank accounts, prosecutors said.
… The investigation into the three men began when J.P. Morgan came forward “early on” to share information with the government, prosecutors said. That led investigators to uncover a broader network of criminal activity with computer hacking at its center.
… In addition to disguising payments and constantly obtaining new bank accounts, the men tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers, starting in 2012. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The Man Accused of Masterminding the Hacks That Shook Wall Street
… Shalon began building his criminal conglomerate in 2007 with Internet casinos and capped it off with stock and credit-card schemes years later, according to the 68-page indictment against Shalon and others in Manhattan.

Also for my Computer Security students.
Who Is The Biggest Security Threat? Turns Out, It’s You

Update: I would have guessed a lot higher.
BBC reports:
The cyber-attack on TalkTalk could cost it up to £35m in one-off costs, the company has said.
Following the hack, which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.
Read more on BBC. The company is still sticking to its position that customers who want out of their contract due to lack of trust will have to pay a contract termination fee unless they can show they were financially harmed by the breach.

(Related) Then again, maybe not.
Diana Goovaerts reports:
In its earnings report for the six months ended September 30, 2015, Experian posted a charge of $20 million stemming from its response to an October security breach that exposed the data of millions of T-Mobile customers.
According to the report, the “one-off costs” came from Experian’s response to the hack, which included notifying impacted individuals, offering them free credit monitoring services and informing the appropriate government agencies of the intrusion.
That reportedly doesn’t include costs associated with all the lawsuits filed against them over the breach.
Read more on Wireless Week.

Lots of questions. Did the hospital allow all their “financial services” employees full access to medical records? If this was a policy violation, did the hospital detect it and take appropriate action?
Kevin Grasha has an update on a breach previously noted on this site.
University of Cincinnati Medical Center can’t be sued after an employee leaked private medical records about a patient who had syphilis, a judge ruled Monday.
The patient, a woman in her early 20s, filed the lawsuit last year. A screen shot of the woman’s private medical records from the hospital was posted on the Facebook group, “Team No Hoes,” in September 2013. The records listed the woman’s diagnosis as “maternal syphilis.” She was pregnant at the time.
In a way, and even though the patient may appeal the ruling, this ruling is consistent with other cases where covered entities were found not liable for employees’ egregious conduct that was outside the employee’s scope of work duties. In this case, the employee was reportedly in the financial services department.
It is not known what, if any, action HHS/OCR has taken as a result of their investigation into the incident.
[From the article:
At a hearing Monday in Hamilton County Common Pleas Court, Judge Jody Luebbers ruled that the employee was not acting “within the scope of her employment” by leaking the records.
Ohio case law, Luebbers said, dictated that she drop the hospital from the suit.
“(The hospital) had a policy. It was violated,” she said. “It’s tragic … but that’s just how I see it.”
… The suit also names the woman’s former boyfriend and the former hospital employee, who was fired a week after the Facebook post. [Because of the emails and Facebook posts? Bob]

Politics: “It is better to look good than to be good.” (with apologies to Hernando Fernando)
Corinne Reichert reports:
The Australian Privacy Foundation has accused the Senate of being “dangerously naive” in thinking that opt-out e-health records could be secured against breaches of privacy.
Bernard Robertson-Dunn, a member of the Privacy Foundation who has also constructed IT systems for several government departments, said it is “patently absurd” for the Senate inquiry committee to think that Australian laws will do anything to deter criminals and cyber attacks from overseas.
Read more on ZDNet.
[From the article:
The Senate had ignored expert advice by changing the e-health records to be opt-out, according to the Privacy Foundation, with the likelihood of personal information being stolen and published in an attack similar to the Ashley Madison hack increasing with the more data that is stored.
"This is in spite of being told that it is insecure and a major threat to the privacy of most Australians, has little value to health professionals, and has all the appearance of primarily being an aid to law-enforcement and revenue-collection agencies," Robertson-Dunn said in a letter to senators.
Even lawful access to the medical information could constitute a "huge invasion of privacy", the Privacy Foundation argued, as anyone employed by a medical facility could access the health records of patients.

Mapping Attempts to Craft an Internet Bill of Rights
by Sabrina I. Pacifici on Nov 10, 2015
Towards Digital Constitutionalism? Mapping Attempts to Craft an Internet Bill of Rights. Lex Gil, Dennis Redeker, Urs Gasser. November 9, 2015. Available for download via SSRN.
“The idea of an “Internet Bill of Rights” is by no means a new one: in fact, serious efforts to draft such a document can be traced at least as far back as the mid-1990s. Though the form, function and scope of such initiatives has evolved, the concept has had remarkable staying power, and now—two full decades later—principles which were once radically aspirational have begun to crystallize into law. In this paper, we propose a unified term to describe these efforts using the umbrella of “digital constitutionalism” and conduct an analysis of thirty initiatives spanning from 1999 to 2015. These initiatives have great differences, and range from advocacy statements to official positions of intergovernmental organizations to proposed legislation. However, in their own way, they are each engaged in the same conversation, seeking to advance a relatively comprehensive set of rights, principles, and governance norms for the Internet, and are usefully understood as part of a broader proto-constitutional discourse. While this paper does not attempt to capture every facet of this complex political behavior, we hope to offer a preliminary map of the landscape, provide a comparative examination of these diverse efforts toward digital constitutionalism, and—most importantly—provoke new questions for further research and study. The paper proceeds in four parts, beginning with a preliminary definition for the concept of digital constitutionalism and a summary of our research methodology. Second, we present our core observations related to the full range of substantive rights, principles and themes proposed by these initiatives. Third, we build on that analysis to explore their perceived targets, the key actors and deliberative processes which have informed their character, and the changes in their substantive content over time. Finally, we look forward, identifying future directions for research in this rapidly changing policy arena and for the broader Internet governance community.”

Massive investment that could be made worthless if we keep trying to be the world's digital cops.
Microsoft is building data centres in Germany to protect European users from US spying
Microsoft is building a set of data centres in Germany which will, the company hopes, help fend off data requests from the US government, The Financial Times reports. The project is in conjunction with Deutsche Telekom.
Various big American companies, including Apple and Microsoft, have become involved in a legal spat with the US government over its rights to data access on non-US soil, namely in Europe. A lot of data for European customers was hosted in the US which, the government argued, allowed them access.
… Microsoft announced on Tuesday that the company is expanding its data centre presence elsewhere in Europe, spending $2 billion (£1.3 billion) on upgrading existing infrastructure in Ireland and the Netherlands and building entirely new centres in the UK.

Why does the government have so much trouble doing what thousands of companies do every day?
A decade into a project to digitize U.S. immigration forms, just 1 is online
Heaving under mountains of paperwork, the government has spent more than $1 billion trying to replace its antiquated approach to managing immigration with a system of digitized records, online applications and a full suite of nearly 100 electronic forms.
A decade in, all that officials have to show for the effort is a single form that’s now available for online applications and a single type of fee that immigrants pay electronically. The 94 other forms can be filed only with paper.

Our boy Kim is still using our own words against us. (Kim seems to be putting on weight.)
TPP text cited in Dotcom hearing
Lawyers for Kim Dotcom say the Trans Pacific Partnership (TPP) backs their view that internet service providers are protected from copyright infringement.
… The text showed internet service providers were protected from copyright infringement by their users.
It confirmed this protection was not conditional on service providers monitoring users, he said.

This is good. This could be troublesome. This could mean war. (Pick three)
Burma’s election leaves former patron China with uncomfortable questions
Burma’s historic general elections and signs of a landslide victory for backers of opposition leader Aung San Suu Kyi have raised some uncomfortable questions in giant northern neighbor China.
The first is how China’s Communist Party rulers will manage to get along with a civilian-led government in Burma after decades of wholeheartedly backing military rule in Burma.
But a second question, perhaps less expected, has bubbled up from Chinese people themselves in the past few days. If the Burmese can have democracy, some ask, why can’t we?

Tuesday, November 10, 2015

It could happen here.
Parliament HACKED: Sensitive data STOLEN, used to hold MP to ransom
Cybercrooks hacked into parliament's secure network and compromised several computers, The Times has claimed.
The hackers unearthed confidential documents relating to MP for Newcastle upon Tyne Central, Chi Onwurah – the shadow digital minister – and her employees.
The hack is the first report of a successful cyberattack against the secure parliament network, which is used internally by government employees.
It comes amid fears hackers are winning the cyberarms race against public bodies and companies, like Talk Talk – which was successfully hacked earlier this month with devastating consequences.
According to The Times report, the attackers used a cryptolocker virus to lock confidential files from a shared drive on the parliament network.
Once locked, the virus displayed a ransom note to the MP with a telephone number and instructions to pay a ransom to unlock the sensitive files.
… The Parliamentary Digital Service (PDS) seized all of Ms Onwurah's computers and cut off her connection to the shared drive.
Her hard drives were then wiped and replaced, The Times confirmed. [How good are your backups? Bob]

From the helpful IRS? “Give us a month to tell you we got your letter and are considering a response.”
Those who are victims of identity theft for tax refund fraud face numerous challenges. One of them is that should the victim attempt to obtain a copy of the fraudulent return to get information on the identity thief, the IRS refuses to release it – for privacy reasons! That may be changing, though. Keri Geiger and Margaret Collins report:
The Internal Revenue Service has introduced a formal policy to assist identity-theft victims in getting copies of bogus tax returns filed in their name.
The IRS, which posted instructions for fraud victims on its website for the first time this month, said it would acknowledge requests for copies of returns within 30 days and respond within 90 days. Due to strict IRS privacy laws, some of the information will be redacted to prevent fraud.
Read more on Bloomberg.
[From the article:
Many of the identity thefts resulted from thieves getting past security filters on the agency’s website, according to the IRS. That allowed them to gain access to past tax returns, which contained the information they needed to file fake returns. In August, the IRS said it identified an additional 220,000 taxpayers whose information may have been compromised.
The new policy, detailed on the IRS website, lets taxpayers request a copy of a fraudulent return by mailing a letter to the IRS and including information such as their Social Security number and proof of identity like a copy of a driver’s license or passport.

It's like having Mark Zuckerberg looking over your shoulder.
Facebook Photo Magic Goes Through Your Camera Roll And Recognizes Your Friends’ Faces
Facebook has confirmed it is launching a new feature for Messenger that uses facial recognition technology to automatically detect friends' faces in a photo and notifies the user to share the photo with those friends.
The feature, called Photo Magic, goes through users' camera roll and tries to recognize the faces of friends in photos. For instance, if a user takes a quick snap with friends at a party, Photo Magic will instantly check out the most recent photo and determine which Facebook friends are included in that photo before sending a notification to share that photo.
"If you get a new picture, whether you took that picture in your camera app or in a different app, and it goes to your camera roll, then we'll face detect on that picture," Peter Martinazzi, product manager for Facebook Messenger, says. "Then we'll send you the local notification for you to send that photo [to friends] if you want to."

Facebook told by Belgian court to stop tracking non-users
A court has given Facebook 48 hours to stop tracking people in Belgium who are not members of its social network.
Facebook says it will appeal against the decision and that the order relates to a cookie it has used for five years.
The cookie is installed when an internet user visits a Facebook page even if they are not members.
However, the Belgian court said that the company was obliged to obtain consent to collect the information being gathered.
"The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates," it said in a statement.

Fortunately, the court specified exactly what “improvements” were needed. Or am I wrong?
EFF – NSA Ordered to Stop Collecting, Querying Plaintiffs’ Phone Records
by Sabrina I. Pacifici on Nov 9, 2015
EFF news release: “Affirming his previous ruling that the NSA’s telephone records collection program is unconstitutional, a federal judge ordered the NSA to cease collecting the telephone records of an individual and his business. The judge further ordered the NSA to segregate any records that have already been collected so that they are not reviewed when the NSA’s telephone records database is queried. The order comes 20 days before the NSA program is set to expire pursuant to the USA FREEDOM Act. United States District Judge Richard Leon issued the order in Klayman v. Obama, a case in which EFF appeared as amicus curiae. Judge Leon ruled in December 2013 that the program was unconstitutional because it violated the 4th Amendment’s prohibition on unreasonable searches. But the US Court of Appeals for the DC Circuit sent the case back to him when it held that the plaintiffs in the case did not have standing to sue because they were Verizon Wireless customers, not Verizon Business Network Services (VBNS) customers, and the latter is the only provider the US government has acknowledged participated in the program. The plaintiff then amended the complaint and added two more plaintiffs, J.J. Little and his firm J.J. Little & Associates, P.C., both of which are long-standing VBNS customers.”

Robert D. Fram, Simon J. Frankel and Amanda C. Lynch of Covington & Burling write:
For most substantial companies, it is said, experiencing a data breach is not a matter of “if,” but “when.” Particularly when a company is consumer-facing, any publicized data breach is likely to be followed by consumer class action lawsuits.
For several years, Covington and other litigation defense teams have succeeded in obtaining dismissals of class action privacy and security lawsuits at an early stage because named plaintiffs have failed to prove sufficient actual harm to merit standing to sue. And we are engaged in briefing how the law of standing will be addressed by the U.S. Supreme Court in its next term in the case of Robins v. Spokeo Inc., 742 F.3d 409 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892 (Apr. 27, 2015) (No. 113-1339).
This article addresses how courts approach standing in data breach cases following the Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), and analyzes which alleged injuries are more likely to be durable in the face of a motion to dismiss.
Read more on Bloomberg BNA.

Could this be related to the article above?
Lawmakers ask agencies to reveal use of phone surveillance technology
Lawmakers on the House Oversight Committee sent letters Monday to the heads of 24 federal agencies seeking answers about the use of a controversial surveillance technology.
The devices, known by the brand name “StingRay,” simulate a cell phone tower and are able to collect information on mobile phones and their users. Lawmakers say they are trying to create a comprehensive record of how different federal agencies use the devices.

On the other hand…
Julian Hattem reports:
The Supreme Court on Monday declined to take up a closely watched case over whether police need a warrant to obtain records about people’s locations based on their cellphones, the latest chapter in an ongoing debate about how privacy laws apply to evolving technology.
The decision by the nation’s high court to pass on the case, Davis v USA, comes as a blow to privacy advocates who had pressed the justices to overturn an appeals court’s determination that a warrant is not necessary for the searches.
As is typical, the Supreme Court did not offer any justification in declining to take up the case on Monday.
Read more on The Hill.
[From the article:
Earlier this year, the 11th Circuit Court of Appeals declared that police did not violate the Constitution when they obtained 67 days' worth of records about the location of Quartavious Davis based on his cellphone calls. Based in part on those records, Davis was convicted earlier this year of seven armed robberies over the course of two months in 2010.

Why not?
Princess Leia And Rey Will Teach Your Kids How To Code: Star Wars Joins Hour Of Code Tutorials, a non-profit organization that provides free online tailored coding lessons for children in kindergarten all the way up to high school, recently held its annual Hour of Code event. In conjunction with the yearly event, introduced a new tutorial, Star Wars: Building a Galaxy with Code.
… All of the commands needed to move the bots are already listed as blocks, and all that's needed is for children to drag and drop them to create a chain of commands. After the basic course with blocks is completed, JavaScript, which involves BB-8's materials, will then be introduced. If the written code fails, the stage will reset. If they succeed, they'll be able to proceed to the next stage. Needless to say, the coding gradually intensifies as the level gets higher. The tutorial is meant to be taken by children who are 11 years old and above. Nevertheless, it's never too late or too early to learn the basics of coding.

For my programming students.
… Today we’re proud to announce the open source release of TensorFlow -- our second-generation machine learning system (see the whitepaper for details of TensorFlow’s programming model and implementation).