Saturday, March 05, 2016

Yesterday, one of my former students sent me an email explaining how his company had been phished. It really is an epidemic (translation: it really works!)
Add AmeriPride and Actifio to the ever-growing list of companies whose employees’ W-2 info was snagged by criminals via phishing.
If your company didn’t urgently re-train employees about this growing problem with phishing and business email compromises, do it now.
Update 1: Add Evening Post Industries to the list of those whose employees fell for business email compromise, resulting in employees’ W-2 data in criminals’ hands.

Have they found an antidote? When was the last time you tested your backup plan?
Kat Hall reports:
North Dorset District Council is working with police to identify the source of a ransomware attack this week, the latest incident in what security experts believe to be a growing problem for local authorities.
According to an email seen by The Register, the attack had infected 6,000 files on the council’s servers by Tuesday.
However, the council said yesterday evening the problem had been fixed.
Read more on The Register.
[From the article:
He added that with more sophisticated encryption targets have little choice between restoring their systems from a backup or paying the ransom.
Eddy Willems, security specialist at G-Data, said attackers were deliberately targeting organisations which appear more likely to pay the ransom to get back online. "Some of these organisations do not have the latest backup [systems] installed," he said.

When you fear that facts and logic are against you, make stuff up? If I were the judge, that would really make me wonder what else was pulled from “thin air.”
What is a “lying-dormant cyber pathogen?” San Bernardino DA says it’s made up [Update]
One day after the San Bernardino County district attorney said that an iPhone used by one of the San Bernardino shooters might contain a "lying-dormant cyber pathogen," the county's top prosecutor went on the offense again. DA Michael Ramos said Apple must assist the FBI in unlocking the phone because an alleged security threat might have been "introduced by its product and concealed by its operating system."
… The fact no one has heard of a pathogen that might carry devastating qualities has us and others wanting to know exactly what is a "lying-dormant cyber pathogen?" We asked Ramos' office to elaborate. Ars' e-mail and phone messages, however, were not returned.
… But late Friday, Ramos told The Associated Press that his cyber doom suggestion was out of thin air.
… The prosecutor suggested in a court filing yesterday that the iPhone—a county phone used by Farook and recovered after the shooting—might be some type of trigger to release a "lying-dormant cyber pathogen" into the county's computer infrastructure. On Friday, the district attorney again demanded that a federal magistrate presiding over the dispute command Apple to help decrypt the phone.

(Related) “Mon Dieu! The FBI wants us to become French!”
Iain Thomson reports:
The French parliament has voted in favor of punishing companies that refuse to decrypt data for government investigators – by threatening businesses with big fines and possible jail terms for staff.
This comes amid the FBI’s high-profile battle with Apple in the US to unlock a dead killer’s encrypted iPhone.
French deputies voted to add an amendment to a penal reform bill that would fine companies €350,000 (US$385,350) for a refusal to decrypt and give up to five years in jail for senior executives. Telecommunications company executives would face smaller fines and up to two years in jail for not cooperating with the authorities.
Read more on The Register.

(Related) Flipping their flop for political or privacy reasons? Will they reverse again in a few months? (Does their policy favor privacy or convenience?)
Amazon reverses course on encryption for its Fire tablets
It's been only one day since -- in the midst of a national debate over encrypted devices -- Amazon started pushing a new Fire OS 5 to its tablets that ditched support for device encryption. Just yesterday, the company said that was because customers weren't using the feature. [How did they know? Bob] Tonight, the company tells Engadget that it will bring the option back in another update that is due to arrive this spring. Given the attention Apple's battle with the FBI has brought to this security feature it seems logical that encryption remains at least available as an option, even on a device intended for casual usage.

Another FBI kerfuffle in the works? Sounds like they are targeting the Young Republicans.
Sarah Lazare writes:
Under new guidelines, the FBI is instructing high schools across the country to report students who criticize government policies and “western corruption” as potential future terrorists, warning that “anarchist extremists” are in the same category as ISIS and young people who are poor, immigrants or travel to “suspicious” countries are more likely to commit horrific violence.
Based on the widely unpopular British “anti-terror” mass surveillance program, the FBI’s “Preventing Violent Extremism in Schools” guidelines, released in January, are almost certainly designed to single out and target Muslim-American communities. However, in its caution to avoid the appearance of discrimination, the agency identifies risk factors that are so broad and vague that virtually any young person could be deemed dangerous and worthy of surveillance, especially if she is socio-economically marginalized or politically outspoken.
Read more on AlterNet.

For my Computer Security class to consider. (Kind of a fluff piece.)
How the 'Internet of Things' could be fatal

Another article for my Computer Security students. Serious actors planning extensively – sounds to me like they would try a few “test hacks” like maybe OPM or Sony. Just saying.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
… The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
… Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.
… Regardless, the successful assault holds many lessons for power generation plants and distribution centers here in the US, experts say; the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.
The power wasn’t out long in Ukraine: just one to six hours for all the areas hit. But more than two months after the attack, the control centers are still not fully operational, according to a recent US report. Ukrainian and US computer security experts involved in the investigation say the attackers overwrote firmware on critical devices at 16 of the substations, leaving them unresponsive to any remote commands from operators. The power is on, but workers still have to control the breakers manually.

Thou shalt not fish for evidence?
Andrea Noble reports:
In a historic victory for privacy rights advocates, the Maryland Court of Special Appeals upheld a ruling that barred prosecutors from using evidence discovered through the Baltimore Police Department’s use of secret cellphone tracking technology.
The ruling, issued late Wednesday, marks the first time any appellate court in the country has thrown out evidence obtained through warrantless use of the secretive devices, often known by the brand name Stingray.
The brief order, signed by Judge Andrea Leahy, offered no explanation of the reasoning behind the decision but indicated that an opinion would be forthcoming.
Read more on The Washington Times.

(Related) “When we specify phone calls, we mean everything including phone calls.”
John Frank Weaver writes:
In July 2015, I wrote an article about Fourth Amendment protection for self-driving cars that referenced Commonwealth v. Dorelas, a Massachusetts case that considered how specific a warrant must be before police can search a smartphone. (Full disclosure: I helped the American Civil Liberties Union of Massachusetts draft its amicus brief.) Briefly: Defendant Denis Dorelas was arrested following a shooting. While investigating the shooting, witnesses told police that Dorelas had received threatening phone calls and text messages from the other individual involved in the shooting. Based on this evidence, police applied for and received a warrant to search Dorelas’ iPhone…
Read more on Slate.
[From the article:
In the decision, which was released in January, the Supreme Judicial Court ruled that the warrant was constitutionally granted because electronic communications “can come in many forms” and the issuing judge “could conclude that the evidence sought might reasonably be located in the photograph file,” despite the fact that the only evidence supporting the search of the iPhone was testimony that referenced phone calls and texts. Equating texts and phone calls with all electronic communications is a huge expansion of those forms of evidence and grants broad discretion to police to search all the data on a phone as long as there is evidence suggesting that any data on the phone could be related to criminal activity.

I can think of a few reasons why it would simplify things at Facebook (no warrants asking them to identify users). But it ruins my New Yorker cartoon, “On the Internet, nobody knows you're a dog.”
Facebook can nix German users with fake names
… The German court's decision rested on the fact that Facebook's European headquarters are in Ireland. The company therefore only needs to comply with orders from the Irish data protection authority. Ireland decided back in 2011 that Facebook's real-name policy did not violate people's right to privacy.

History is written by the winners, except in the EU.
Google makes narrow expansion of 'right to be forgotten' official
… Google said on Friday that it would delist the links from all of its domains when they are accessed in the country where the petition to remove the content originated.
… Google portrayed its announcement Friday as one that would mollify privacy regulators without infringing too much on the sanctity of its platform.
“We’re changing our approach as a result of specific discussions that we’ve had with EU data protection regulators in recent months,” wrote Global Privacy Counsel Peter Fleischer in a blog post. “We believe that this additional layer of delisting enables us to provide the enhanced protections that European regulators ask us for, while also upholding the rights of people in other countries to access lawfully published information.”

Something my Data Management students can use to get rich?
How Netflix Knows Exactly What You Want to Watch
Netflix’s rise to being the world’s primary media streaming service was no fluke. It was based on a complex recipe of data manipulation and emotion that means the company knows what you want to watch even before you know yourself.
… It is Netflix’s secret sauce of algorithms, big data, and gut instinct that fuel this unstoppable growth. It’s this secret sauce that allows Netflix to not just consistently recommend content that users will (likely) love, but also to fund the creation of that content, confident that it will be a success.
It’s no surprise that big data plays a big part in Netflix’s ability to recommend and fund the right content. What is surprising, however, is the kind of data and amount of data that Netflix tracks every time you use the service.

I had no idea – and I still don't, but looking at the illustration, they have several ways to make money.
How Snapchat brings celebrities millions of views and offers advertisers a young audience

Another snapshot of my industry.
Hack Education Weekly News
Via The Harvard Crimson: “Harvard jointly filed an amicus brief to the National Labor Relations Board on Monday arguing against the unionization of graduate students, joining six other Ivy League universities, Stanford, and MIT in a call for the board to uphold existing rulings that define the relationship between private universities and graduate students as strictly academic.”
Via SF Gate: “Hackers compromised a UC Berkeley computer network containing the financial data of 80,000 people.”
… This week in rebranding bullshit: “Ubiquitous learning could push the term ‘online’ out of education.”
… “Minnesota State University at Moorhead has announced an unusual scholarship program,” Inside Higher Ed reports. “Four $2,500 scholarships and two $1,000 scholarships will be awarded (on top of other aid for which students are eligible) based on tweets.”
… The “Transcript of Tomorrow”!
… According to a survey of 4000 community college students, “about 50 percent of students reported having one or more mental-health condition,” The Chronicle of Higher Education reports.
