Tuesday, March 01, 2016

Geeks at war! At least we have shifted to the offense. (The first acknowledgment anyway)
W. J. Hennigan reports:
Military commanders have mounted a cyberoffensive against Islamic State in Iraq and Syria in recent weeks by deploying hackers to penetrate the extremist group’s computer and cellphone networks, according to the Pentagon.
The cyberassault, which Defense Secretary Ashton Carter authorized last month, marks the first time teams from U.S. Cyber Command have been integrated into an active battlefield since the command was established in 2009.
Read more on The Columbian.

Reasonably large, poorly secured.
Joseph Cox reports:
A hacker on the dark web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
“Their server was compromised and the MySQL database was dumped,” the hacker, who asked to remain anonymous, told Motherboard. “I had shell/command access to their server.”
Read more on Motherboard.
There doesn’t seem to be any statement on Mate1.com’s web site as of the time of this posting.
[From the article:
On Monday, this reporter clicked the "forgotten password" feature on Mate1's login page. The full, plaintext password was then emailed, further corroborating that the site does indeed store passwords without any hashing.]
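The reporter's check above works for one reason only: a "forgotten password" feature can email the full password back only if the site holds it in recoverable form. As an added illustration, not code from Mate1 or from the article, the Python below is a minimal stand-in user store that keeps nothing but a salted PBKDF2-HMAC-SHA256 hash per user, so the same "forgot password" flow has nothing to email back and instead issues a single-use random reset token. The class and function names, the iteration count and the storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the example; tune upward as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' for storage.
    A fresh 16-byte random salt is generated unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory stand-in for a users table (hypothetical, for the example).
    Only the salted hash is ever written; the password itself is never kept."""

    def __init__(self):
        self._users = {}         # email -> stored hash string
        self._reset_tokens = {}  # reset token -> email (single use)

    def register(self, email, password):
        self._users[email] = hash_password(password)

    def login(self, email, password):
        stored = self._users.get(email)
        return stored is not None and verify_password(password, stored)

    def recoverable_password(self, email):
        # Everything a 'forgot password' emailer could read from this table:
        # the hash string, which does not contain the password.
        return self._users.get(email)

    def forgot_password(self, email):
        """Issue a random, single-use token instead of mailing a password."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = email
        return token

    def reset_password(self, token, new_password):
        """Consume the token (so it cannot be replayed) and store a new hash."""
        email = self._reset_tokens.pop(token, None)
        if email is None:
            return False
        self._users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample user for a stand-alone run.
    store = UserStore()
    store.register("alice@example.com", "correct horse")
    print("login ok:", store.login("alice@example.com", "correct horse"))
    print("what a reset mailer could see:", store.recoverable_password("alice@example.com"))
    token = store.forgot_password("alice@example.com")
    print("reset ok:", store.reset_password(token, "new pass"))
    print("replayed token accepted:", store.reset_password(token, "again"))
```

The design point is the contrast with the article: `recoverable_password` is the only thing a mailer could read from this table, and it is a hash, so the corroboration trick the reporter used (password arrives by email) cannot succeed. The reset token is consumed on first use, which is the check a reviewer would look for in any reset flow.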

Need some insider/personal data? Just ask!
Snapchat Admits Getting Scammed and Leaking Employee Data
On Sunday, the ephemeral messaging app revealed on its blog that the data of some of its employees, current and past, has been compromised. On Friday, a scammer impersonated the company’s CEO, Evan Spiegel, and sent a phishing email asking for payroll information to an employee in that department. Unfortunately, neither Snapchat’s security system nor the employee realized it was a scam, and the data was “disclosed externally,” the company explains.
Snapchat says it took action within four hours, confirming it was an isolated phishing incident and reporting it to the FBI.

Want to own the police computers? Someone on the inside will fall for your phishing email.
Aaron Leibowitz reports:
Hackers stole the encryption key to a software system at the Melrose Police Station on Thursday evening, compelling the department to pay the hackers one Bitcoin to regain control, Chief Michael Lyle told the Free Press on Monday.
The attack came in the form of an email sent to the entire department around 7 p.m. Thursday, Lyle said. One person opened the email, [I'll bet there was more than one. Bob] setting off a virus that voided the department’s control of a program it uses to log incident reports, known as TriTech.
[From the article:
The Melrose Police did not lose any data, but officers were forced to put all log entries and incident reports in Microsoft Word documents until the problem was addressed, according to Lt. Mark DeCroteau.
They also had to book arrested parties on paper – “the old fashioned way,” DeCroteau said.]

Are critical switches (circuit breakers, valves, etc.) available over the Internet?
Utilities Cautioned About Potential for a Cyberattack After Ukraine’s
The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyberattack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.
After an extensive inquiry, American investigators concluded that the attack in Ukraine on Dec. 23 may well have been the first power blackout triggered by a cyberattack — a circumstance many have long predicted. Working remotely, the attackers conducted “extensive reconnaissance” of the power system’s networks, stole the credentials of system operators and learned how to switch off the breakers, plunging more than 225,000 Ukrainians into darkness.

For my Computer Security students. Re-program to remove that “assume” when the other vehicle is controlled by a mere human?
Google Self-Driving Car Hits A Bus In Los Angeles And It's At Fault: Here's What Happened
… The Google AV was driving in the far right side of the three-lane boulevard, preparing to take a right turn onto Castro Street. However, it couldn't smoothly do so because of sandbags that surrounded a storm drain, and it had to move to the center to make the turn.
The Lexus did let a couple of cars pass before it proceeded to maneuver around the obstruction, but a bus approaching at 15 mph was right behind it. According to the accident report, the bus was visible in the left mirror. It then collided with the bus, incurring damage on its front-left fender, wheel and sensor.
"A public transit bus was approaching from behind. The Google AV test driver saw the bus approaching in the left side mirror, but believed the bus would stop or slow to allow the Google AV to continue. Approximately three seconds later, as the Google AV was reentering the center of the lane, it made contact with the side of the bus," the report says (PDF).
… Placed in the same situation that drivers face every day, the Google AV predicted that the bus would allow it to pass first, as it's positioned ahead of the incoming vehicle. The occupant also thought the same. Apparently, they were both wrong.
Google says the company itself and the AV in question are at fault to a certain degree, making this the first case under that condition.

The (probably) never-ending story continues. Might be interesting to see what Apple argued in this case. (I assume their lawyers were there?)
N.Y. judge backs Apple in encryption fight with government
The U.S. government cannot force Apple Inc (AAPL.O) to unlock an iPhone in a New York drug case, a federal judge in Brooklyn said on Monday, a ruling that bolsters the company's arguments in its landmark legal showdown with the Justice Department over encryption and privacy.
The government sought access to the phone in the Brooklyn case in October, months before a judge in California ordered Apple to take special measures to give the government access to the phone used by one of the shooters in the San Bernardino, California, attacks.
U.S. Magistrate Judge James Orenstein in Brooklyn ruled that he did not have the legal authority to order Apple to disable the security of an iPhone that was seized during a drug investigation.
His ruling echoed many of the arguments that Apple has made in the San Bernardino case, particularly his finding that a 1789 law called the All Writs Act cannot be used to force Apple to open the phone. Orenstein also found that Apple was largely exempt from complying with such requests by a 1994 law that updated wiretapping laws.
… Orenstein said his ruling in Apple’s favor was not a decision on "whether the government should be able to force Apple to help it unlock a specific device; it is instead whether the All Writs Act (AWA) resolves that issue and many others like it yet to come."
Orenstein concluded that "the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA's constitutionality if adopted."
He also wrote: "The implications of the government's position are so far-reaching – both in terms of what it would allow today and what it implies about Congressional intent in 1789 – as to produce impermissibly absurd results."
Orenstein also found that the Communications Assistance for Law Enforcement Act, passed in 1994, exempted Apple from this sort of request.
[The ruling:

(Related) A peek ahead.
Here's what Apple’s top lawyer will tell Congress tomorrow

(Related) Note that this is largely built in to sites like Google. It is not individuals encrypting their communications.
Study finds about half of Web traffic is encrypted
About 49 percent of Internet traffic is encrypted, according to a new study released Monday.
That is a 36 percentage point jump from April 2014, when only about 13 percent of traffic was being encrypted. The results Monday confirm other studies that have seen a large uptick in encryption, with the increase predicted to continue.
The study found that 24 of the top 50 sites encrypt their traffic by default, usually signaled in a user’s browser by a lock and the letters “https” ahead of the web address. The study also found 42 of the top 50 sites either encrypt by default or shift to encryption after log in.

(Related) ...and if you don't encrypt, it's your own fault! (Would lawyers expect the same “exemption?”)
Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance:
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Read more on Lexology.

My guess is he enjoyed the way Scalia asked the questions.
Justice Clarence Thomas breaks 10-year streak, asks question in court

Another look into the future of the Internet of Things. Perhaps my bottle will send a “Bring me another Fat Tire Dear” to my wife as I near the end of my beer?
With 'Smart' Brita Pitcher, Amazon Aims To Change How Consumers Buy Everyday Essentials
This is not your mother’s water pitcher. [I expect to see this in many ads. Bob]
Amazon is testing the waters for ways to render brick-and-mortar shopping virtually obsolete — at least when it comes to everyday necessities.
The online giant has launched the new Wi-Fi-enabled Brita Infinity pitcher, which is designed to automatically order a new filter through its Amazon Dash Replenishment reordering program when the existing filter nears its capacity.

Coca Cola tried this last week with their 12-packs. Perhaps more kids have smartphones in Sweden?
Kids will soon be able to turn their Happy Meals into VR goggles in Sweden
Fast food juggernaut McDonald's is rolling out a pilot program in Sweden that turns Happy Meal boxes into virtual reality goggles. With a few flips and folds, kids can transform the box into a smartphone holder, which provides a kinda-sorta VR experience similar to Google Cardboard.

Because my students should at least talk like they understand this stuff!
Are You Confused by the Windows App Terminology?
