Saturday, March 19, 2016

As more information comes out, it just confirms that their security was really lacking. Or maybe they had all this stuff to pass their audits, but no manager actually looked at the reports.
Hackers Stalked Bangladesh Bank for Two Weeks Before Big Heist
… The report cast the unidentified hackers as a sophisticated group who sought to cover their tracks by deleting computer logs as they went. Before making transfers they sneaked through the network, inserting software that would allow re-entry.
… "Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers," the interim report said. Those servers are operated by the bank but run the SWIFT interface, and the report makes it clear the breach stretches into other parts of the bank’s network as well. "The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation." [How is your bank's security? Bob]
… “We reiterate that the SWIFT network itself was not breached,” Booth said in an e-mail. “There is a full investigation underway, on what appears to be a specific and targeted attack on the victim’s local systems.”
… The assessment found the first suspicious log-in came on Jan. 24 and lasted less than a minute. On Jan. 29, attackers installed “SysMon in SWIFTLIVE" [See below Bob] in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”
Operator logs showed the hackers logged in for short periods of time until Feb. 6, according to the report. The four transfers that went to the Philippines occurred on Feb. 4. The report said the hackers have already hit other FireEye clients, though it’s unclear if those include other central banks.
… "Complex malwares have been identified with advanced features of command & control communication, harvesting of credentials and to securely erase all traces of activity after accomplishing its task," the report said. It identified 32 "compromised assets" that “were used for reconnaissance and to gain control of the SWIFT servers and related assets."
[Sysmon is a Microsoft product that is part of their Sysinternals package. Bob]
Sysmon v3.2 This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features.

(Related) Another indication of Organized Crime? Perhaps a Special Ops team from some place like North Korea?
Researching and reporting on data breaches has always had some element of risk attached. You can get accused of hacking, or you can get threatened with litigation. In Brian Krebs’s case, you can find yourself swatted. Or in my case, you can get threatened with infection of HIV. But with the exception of swatting, the rest pales in comparison to a researcher getting kidnapped.
Catalin Cimpanu of Softpedia reports that may have happened to a researcher involved in investigating the high-profile breach of Bangladesh’s central bank at the US Federal Reserve Bank in New York that netted the thieves over $80 million (it would have been worse but for a typo the criminals made).
In the investigation that followed, security researchers blamed malware and a faulty printer but at the same time said that the Bangladesh central bank officials were also to blame because of weak security procedures. The bank’s governor and two deputy governors had to quit their jobs after the scandal.
In a weird turn of events, one of the security researchers who voiced their criticism at the central bank’s security measures disappeared on Wednesday night.
Family members are saying that Zoha met with a friend at 11:30 PM on Wednesday night, March 16. While coming home, a jeep pulled in front of their auto-rickshaw, and men separated the two, putting them in two different cars.
Read more on Softpedia.

So that's why you get “free” Apps.
FTC Warns Apps Over Secret Microphone Tracking
Have you ever wondered why some apps ask for access to the microphone on your phone?
… On Thursday, the Federal Trade Commission sent a letter to a dozen app developers that warned them not to abuse so-called “audio beacons,” which are capable of picking up secret noise signals embedded in TV shows. The beacon, which relies on your phone’s built-in microphone, can serve to confirm you watched a given program.
… The FTC also describes an underlying technology offered by an Indian company called SilverPush. The letter cites a Forbes article that describes how SilverPush had used “inaudible sound to let brands keep tabs on people’s online lives across TVs and smartphones for more than a year.”

“Lawyer rips apart T-shirt, throws chair at defense attorneys.” (It could happen.)
First Erin Andrews gets a $55M award from a jury in her lawsuit over a privacy breach while a hotel guest, and now Hulk Hogan gets a $115M jury award in his lawsuit against Gawker over a sex tape they made public.
I think the public may be finding its voice on the value of personal privacy and sending a strong message. Eriq Gardner sums up one key part of the case this way:
Ultimately, the case became a battle — at least indirectly —between the First Amendment, guaranteeing free speech and a free press, and the Fourteenth Amendment, where courts have determined that a right to privacy derives under equal protection of life, liberty and property. Like many states, Florida has enacted statutes that guard against intrusions on seclusion and privacy of communications. Hogan also won on his right of publicity claim.
I’m sure we’ll see lots of coverage – and legal analysis – of this case in the weeks and months to come.
And of course, Gawker is appealing it.
Update: Here’s the NY Time’s coverage with Gawker’s statement on the case. Hulk Hogan tweeted these responses:
Thank you God for justice, only love 4Life. HH
— Hulk Hogan (@HulkHogan) March 19, 2016
Told ya I was gonna slam another giant HH
— Hulk Hogan (@HulkHogan) March 19, 2016

A “shout out” to one of my favorite blogs, and one I steal from wholesale. My blog turns 10 this year also, but I do the blogging thing all wrong so I have far fewer posts.
On March 18, 2006,’s co-founder “Anonadmin” (a/k/a Ziplock) posted our very first news item on

Interesting article. Puts a few issues in perspective.
In 2011, Silicon Valley entrepreneur and investor Marc Andreessen famously wrote the startling essay, Why Software is Eating the World, in which he described how emerging companies built on software were swallowing up whole industries and disrupting previously dominant brand name corporations. Andreessen was prescient and almost giddy, in anticipating the dramatic, technological and economic shift through which software companies would take over large swaths of the global economy. What he did not anticipate was the extent to which software would also eat up the realms of governance, security and human rights.
… Several dimensions of the new digital ecosystem challenge this conception of governance.
The Trans-Border Nature of the Internet
Digitization of Everything
The Privatization of Governance

Will this be allowed? How will Cuba react? Definitely should be fun to watch.
Stripe Wants To Help Cuban Entrepreneurs Enter The Digital Age
Ahead of President Obama’s historic trip to Cuba next week, Silicon Valley payments upstart Stripe announced that it is helping Cuban entrepreneurs set up U.S. businesses.
The initiative lets foreign entrepreneurs incorporate U.S. businesses, obtain U.S. bank accounts and tax ID numbers, and, of course, set up a U.S. Stripe account to receive payments. The service, which costs $500 per business, will also give users access to tax advice from PwC along with legal advice.

An alternative Apple might have complied with? I don't think so, but what do I know?
Zack Whittaker reports:
The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.
The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We’re not naming the person as they relayed information that is likely classified.
Read more on ZDNet.

The world the FBI was born in has changed. Perhaps they too need to re-invent themselves?
ProtonMail Opens Encrypted Email Service to Public
Encrypted email provider ProtonMail announced the global availability of its privacy focused email service to the public this week.
Offering end-to-end encryption in its email service, ProtonMail was launched in beta in May 2014 by CERN scientists and has been available on an invite-only basis for the past two-years.
With more than 1 million users participating in its closed beta, the service is now open to the world to allow more people take advantage of its privacy protection.
To ensure that user data is not accessible by third-parties, not even by ProtonMail itself, the company says that it stores data in an encrypted format and uses two passwords, one required to identify the user, and the other to decrypt the data. The second password is never sent to the server but is used only on the device, making the data unavailable to anyone else but the user, the company explains.
In addition to fully opening the service to the public, ProtonMail announced the availability of free iOS and Android mobile apps.

Remember your driving test? This isn't it.
Google argues that if self-driving cars can pass safety tests, they should be legal
Chris Urmson, director of Google's self-driving car project, has sent a letter to US Transportation Secretary Anthony Foxx today with a plan for selling autonomous vehicles that have no steering wheels or pedals, AP reports. The plan appears to be pretty straightforward: Urmson argues that if a self-driving car can pass standardized federal safety tests, they should be road-legal.

My students who drive for Uber need to think about this.
Uber Orders 100,000 Mercedes, Magazine Reports
Ride-hailing service Uber has placed a large order for cars with Germany’s Daimler, Manager Magazin reported on Friday.
Citing sources at both companies, the magazine said Uber had placed a long-term order for at least 100,000 Mercedes S-Class cars.
Uber is particularly interested in autonomous driving vehicles, the magazine reported, adding that such cars are expected to be available after 2020.

Perspective. I'll give you a couple of examples.
Get 11 Big Benefits from These 20 Sharing Economy Tools
Flightcar (iOS) allows you to park your car in one of several city airports (currently 13) completely free of charge. In return, they can rent your vehicle out to approved visitors in your city for the duration of your vacation. All vehicles are insured for up to $1 million.

Deliver Anything to Anyone

It won’t be long until Uber takes on this industry, but for now, Postmates (iOS, Android) is working hard to corner the on-demand delivery market

Has the government been using bad data and will Big Data correct the problem? Will Economics become less dismal? A very interesting article.
Can Big Data Help Measure Inflation?
… In the last decade, though, the government has had a harder time measuring CPI. Their method is usually to go around from store to store, taking stock of prices around the country. But e-commerce now accounts for around 7 percent of U.S. GDP, which means online spending is an important component of the CPI. As more and more people are shopping online, calculating this index has gotten more difficult, because there haven’t been any great ways of recording prices from the sites disparate retailers.
… Adobe is now aggregating the sales data that flows through their software for its Digital Price Index (DPI) project, an initiative that’s meant to answer some of the questions that have been dogging researchers now that e-commerce is such a big part of the economy.
The project, which tracks billions of online transactions and the prices of over a million products, was developed with the help of the economists Austan Goolsbee, the former chairman of Obama’s Council of Economic Advisors and a professor at the University of Chicago’s Booth School of Business, and Peter Klenow, a professor at Stanford University.
… One notable finding of Adobe’s DPI, for instance, is what has happened to the prices of electronics in the past year. While the CPI reports 7.1 percent deflation for computers and 14.4 percent for TVs over that time period, the DPI found 13.1 percent and 19.4 percent.
Another advantage of the Adobe data, according to Goolsbee and Klenow, is that it gives a sense of how many units of any given product are being sold, which helps economists identify instances in which consumers substitute one product for another

For my students.
How to Quickly Write a Resume Today with LinkedIn

As I grade papers, I'll still keep current on the industry.
Hack Education Weekly News
Via the BBC: “Every school to become an academy, ministers to announce.” That’s every school in England. And becoming an academy means the end to local control.
Via the Courier-Journal: “All students who graduate from Kentucky high schools, home schools or obtain their GEDs in Kentucky will be able to attend community colleges for free under a bill that passed the Kentucky House of Representatives on Thursday.”
… “Colorado State U Launches Online ‘Boot Camp’ Style Comp Sci Programs,” says Campus Technology.

No comments: