Wednesday, February 24, 2016

How long will it take my students to find this site? Could be a fun way to kill a few minutes at the end of class…
Seth Boster reports:
Jacksonville State University officials learned Tuesday of a website that allows users to search for students’ personal information, including photos, addresses and phone numbers, all apparently stolen from JSU’s own database.
The site allows visitors to search using students’ names to find photographs along with birthdates, student ID numbers, fraternity and sorority affiliation and other information. Information for some former students, faculty and staff is also on the site.
Read more on The Anniston Star.
Following concerns raised on Twitter, the site has now redacted street addresses, but the database can be searched by entering just a single letter. For example, entering “A” returns 150 results that include date of birth, picture, and student ID number, as well as email address.
The site’s maintainer(s) posted the following message on a paste site:
The website is intended to be a safe yet intriguing lesson to universities and other academic institutions to value their students’ personal information. We live in an age where records that were once on paper protected by security guards are now digitized protected by nothing.
The sad truth is college aged students are very susceptible to identity theft: they post every detail of their life online and are just beginning to understand financial security.
I believe among the responsibilities of any organization that one belongs to is the protection of their subjects’ personal information. Jacksonville State University among others have failed to honor this responsibility.
You know what’s scarier than your address and phone number being released on a website? Not knowing that your SSN, credit card, and account numbers are being silently collected every day by cybercrime organizations.
In lieu of similar compromises our academic institutions will hopefully adapt from this misfortune.

If the hackers are really good – perhaps doing something never done before – you may face a Class Action lawsuit because you were not gooder? Sounds like the FTC's argument.
There’s an update to the Scottrade breach previously reported on this blog. The breach, potentially impacting 4.6M customers, was disclosed in October 2015 but had reportedly occurred between late 2013 and early 2014. Three individuals were indicted in November, 2015.
Now Top Class Actions reports that a consolidated data breach class action lawsuit was filed in Missouri federal court last week.
Scottrade’s cybersecurity measures were so deficient that it never realized the massive theft occurred until two years later, when federal authorities told them about it,” the Scottrade class action lawsuit states. The hackers allegedly accessed the personal identification information (PII) of Scottrade customers from September 2013 to February 2014 without detection from Scottrade, which the plaintiffs call an “inexcusable failure of Scottrade’s obligation to take reasonable steps to safeguard this information.”
The consolidated Scottrade class action lawsuit was filed on Feb. 19 by plaintiffs Andrew Duqum, Stephen Hine, Matthew Kuhns and Richard Obringer. Hine filed a separate data breach class action lawsuit in California, but Scottrade argued in December that it should be consolidated with a nearly identical case that was already pending in Missouri.
Read more on Top Class Actions.

For my Ethical Hacking students old enough to drive.
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I've become so attached to.
… I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.
One of the guys was a bit inspired by what we’d done and just happened to own one of these – the world’s best-selling electric car, a Nissan LEAF:
What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs.
… Let me clarify something before going any further and it’s something I harp on about in my workshops too; when a potential security flaw is identified, you’ve got to think very carefully about how you proceed with verification. [Amen! Bob]

Hard to tell if this is significant or not. All of this information is already available online, most of it is presumed to be false (users provide phoney names on such sites) and possession of such data is not proof you hacked the system. (If they have more evidence, it is not mentioned in the articles.) Why do they care? Is republishing a subset of the data a crime?
Tracie Sullivan reports:
Utah authorities are investigating a website allegedly created by a Cedar City resident who published personal information of Southern Utah residents whose names were part of a 2015 website hack.
According to four search warrants unsealed last week in 3rd District Court, a Facebook page and a website called AM Southern Utah “disclosed customers’ names, physical and email addresses for the Southern Utah area,” who had allegedly registered with Ashley Madison.
The warrants stem from a Utah investigation conducted by the State Bureau of Investigations and is part of a larger FBI investigation into the hack. No one has been charged with a crime in either investigation.
Read more on St. George News.
[From the article:
… the SBI investigator believes there has been a violation of Utah’s Computer Crimes Act, Utah Code 76-6-703. Specifically, the violation “has occurred, ‘without authorization (the suspect) gains…access to and…discloses…computer data…and thereby causes damage to another.’ The damage in this case was to the reputation of the individuals whose information was listed on”

Okay, maybe he didn't side with the FBI. But he still seems to be washing his wishy. Make up your mind Bill!
FBI v Apple spat latest: Bill Gates is really upset that you all thought he was on the Feds' side
Bill Gates says reports of him backing the FBI in the ongoing saga with Apple over the unlocking of a killer's iPhone are inaccurate.
Asked about widespread reports that the former Microsoft CEO and the world's richest man was taking the Feds' side, Gates told Bloomberg News on Tuesday that he was "disappointed" with the reporting and that it "doesn't state my view on this."
… According to Gates, however, he has a more nuanced view about "striking a balance" in providing government access to information rather than in deciding who is right, the FBI or Apple.

(Related) Just as perspective… This is one reason why the FBI will have to play wack-a-mole if they want to gain backdoors into every encryption package.
Encrypted-Messaging App Telegram Now Has 100 Million Users
… Less than three years after Durov and his brother launched Telegram, he now reports that 100 million people use the free encrypted messaging app every month, up from 60 million people last May. That growth is coming from all over the world. While that’s a small number compared with the billion people who pull up WhatsApp every month, or the 800 million people who go on Facebook Messenger, it’s illustrative of the early growth that signaled each of these services had mainstream appeal. “Every day, 350,000 new users sign up for Telegram,” Durov said. “And we have zero marking budget.” In other words, Telegram is not going away.

(Related) You could dispute the claim that this is “more scholarly” but certainly it's what Congress is seeing.
Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations
by Sabrina I. Pacifici on Feb 23, 2016
Via FAS – CRS Report – Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations, Kristin Finklea Specialist in Domestic Security February 18, 2016.
“Because modern-day criminals are constantly developing new tools and techniques to facilitate their illicit activities, law enforcement is challenged with leveraging its tools and authorities to keep pace. For instance, interconnectivity and technological innovation have not only fostered international business and communication, they have also helped criminals carry out their operations. At times, these same technological advances have presented unique hurdles for law enforcement and officials charged with combating malicious actors. Technology as a barrier for law enforcement is by no means a new issue in U.S. policing. In the 1990s, for instance, there were concerns about digital and wireless communications potentially hampering law enforcement in carrying out court-authorized surveillance. To help combat these challenges, Congress passed the Communications Assistance for Law Enforcement Act (CALEA; P.L. 103-414), which among other things, required telecommunications carriers to assist law enforcement in executing authorized electronic surveillance. The technology boundary has received renewed attention as companies have implemented advanced security for their products—particularly their mobile devices. In some cases, enhanced encryption measures have been put in place resulting in the fact that companies such as Apple and Google cannot unlock devices for anyone under any circumstances, not even law enforcement. Law enforcement has concerns over certain technological changes, and there are fears that officials may be unable to keep pace with technological advances and conduct electronic surveillance if they cannot access certain information. Originally, the going dark debate centered on law enforcement’s ability to intercept real-time communications. More recent technology changes have potentially impacted law enforcement capabilities to access not only communications, but stored data as well.”
[The most recent Wiretap Report to Congress is for 2014. You can find it here:
The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.

For my Computer Security class. If the bad guys don't get you, the FTC might. If the bad guys get you, the FTC will be happy to pile on!
Asus Settles FTC Charges Over Router Security
The FTC filed a lawsuit against Asus claiming that the vendor has put hundreds of thousands of consumers at risk through a series of critical vulnerabilities found in its routers and related services.
The agency accused Asus that it misrepresented the security features included in its routers and falsely claimed that they can protect computers and local networks against hacker attacks, when in reality they were plagued by serious vulnerabilities that allowed malicious actors to hijack devices.
As part of the settlement with the FTC, Asus will have to establish and maintain a comprehensive security program that is subject to external audits for a period of 20 years. The vendor will also have to ensure that customers can sign up for a security notification system designed to inform them about the availability of firmware updates and provide instructions on how to protect themselves against potential attacks.

Is this just to harass Google and Facebook?
Christoph Ritzer and Sven Jacobs write:
A new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016. A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.
Read more on Norton Rose Fulbright Data Protection Report.

(Related) Or part of a more general attack on “Internet stuff?”
German government to use Trojan spyware to monitor citizens
… The interior ministry spokesman defended the government's decision, saying "basically we now have the skills in an area where we did not have this kind of skill." The program was already endorsed by members of the government in autumn 2015, the ministry said. [More bragging than defense... Bob]

A network of citations?
Free tool to visualize Supreme Court cases
by Sabrina I. Pacifici on Feb 23, 2016
“As lawyers, we’re all accustomed to talking about the lines of cases that create bodies of precedent for legal principles. A new tool launched this week lets you visualize lines of Supreme Court cases so that you can better analyze and study them. Called Supreme Court Citation Networks, it was created as a collaboration between the Free Law Project and The Supreme Court Mapping Project at the University of Baltimore School of Law.”

Tools & Techniques. This could be useful.
Tagboard Offers New Features for Following Hashtags Across Multiple Networks
Tagboard is a tool that allows you follow a hashtag and see all of the Tweets, Instagram, Facebook, and Google+ posts about it in one place. Last year I created a tutorial video about Tagboard in which I demonstrated its primary features. Today, Tagboard added some new features that teachers will probably appreciate.
Tagboard now offers some post moderation tools. You can now block or remove posts and users within a saved Tagboard. Within a saved Tagboards you can now filter by keyword, post type, and or social network.
Applications for Education
Tagboard can be a good tool for tracking trending news stories with your students. The new moderation features will be helpful if you are planning to display a Tagboard in your classroom. Before displaying the Tagboard go through and remove any content that you don't want to share with your students.

For my next Statistics class (and a cautionary tale for Computer Security and other classes). You should ask yourself if everyone agrees with your assumptions.
How a Group of MIT Students Gamed the Massachusetts State Lottery

Have I mentioned that I'm teaching Spreadsheets in the Spring?
How to Import Data Into Your Excel Spreadsheets the Neat & Easy Way

Dilbert brilliantly summarizes the good and bad of the “Gig Economy.”

No comments: