Monday, April 25, 2016
What happened is leaking out much more slowly than the bank’s money. If there is a flaw in the Swift software, all member banks are at risk.
SWIFT Software Bug Exploited by Bangladesh Bank Hackers
… Investigators at British defense contractor BAE Systems told Reuters that the malware in question, evtdiag.exe, had been designed to change code in SWIFT’s Access Alliance software to tamper with a database recording the bank’s activity over the network.
That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials.
The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.… It’s thought that the malware was part of a multi-layered attack and used on the SWIFT system once Bangladesh Bank admin credentials had been stolen.
… For its part, SWIFT confirmed it is later today releasing a software update to “assist customers in enhancing their security and to spot inconsistencies in their local database records.”
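The excerpt above describes malware that edited the bank’s own record of its traffic: outgoing requests deleted, amounts changed, and the paper trail suppressed, so that the local database no longer told the truth. The defensive counterpart is exactly what SWIFT’s update is described as helping with, spotting inconsistencies in local records. The following is an added illustration, not code from SWIFT, BAE or the article, of two checks a bank could run itself: a hash chain over the journal (so that a deleted or edited record changes every digest after it) and a reconciliation of the local journal against an independently obtained record of the same traffic. The record layout, reference numbers and amounts are constructed for the example and are not SWIFT’s schema.

```python
import hashlib
import json

# Constructed sample data (hypothetical record layout, not SWIFT's schema).
# LOCAL_JOURNAL is what the bank's own database now says about the day's
# outgoing transfer requests; CONFIRMATIONS is an independent record of the
# same traffic obtained from outside the local system (for example the
# network-side acknowledgements). In this constructed case "TRX-0002" has been
# deleted locally and "TRX-0003" has had its amount altered.
LOCAL_JOURNAL = [
    {"ref": "TRX-0001", "beneficiary": "ACME-001", "amount": "1000000.00", "ccy": "USD"},
    {"ref": "TRX-0003", "beneficiary": "ACME-003", "amount": "250000.00", "ccy": "USD"},
    {"ref": "TRX-0004", "beneficiary": "ACME-004", "amount": "750000.00", "ccy": "USD"},
]
CONFIRMATIONS = [
    {"ref": "TRX-0001", "beneficiary": "ACME-001", "amount": "1000000.00", "ccy": "USD"},
    {"ref": "TRX-0002", "beneficiary": "ACME-002", "amount": "20000000.00", "ccy": "USD"},
    {"ref": "TRX-0003", "beneficiary": "ACME-003", "amount": "25000000.00", "ccy": "USD"},
    {"ref": "TRX-0004", "beneficiary": "ACME-004", "amount": "750000.00", "ccy": "USD"},
]


def record_digest(record, prev_digest):
    """Hash a record together with the digest of the record before it, so that
    removing or editing any record changes every digest that follows it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_digest.encode() + canonical.encode()).hexdigest()


def build_chain(records):
    """Return one chained digest per record, starting from a fixed genesis value."""
    digests, prev = [], "genesis"
    for rec in records:
        prev = record_digest(rec, prev)
        digests.append(prev)
    return digests


def first_divergence(records, stored_chain):
    """Recompute the chain over the current journal and compare it with the chain
    stored when the records were written. Returns the index of the first record
    whose digest differs (or the point where one chain is shorter); None if the
    journal is intact."""
    current = build_chain(records)
    for i, (have, want) in enumerate(zip(current, stored_chain)):
        if have != want:
            return i
    if len(stored_chain) != len(current):
        return min(len(stored_chain), len(current))
    return None


def reconcile(local, independent):
    """Cross-check the local journal against an independent record: refs that are
    missing locally (deleted requests), refs whose fields differ (altered
    records), and refs with no external confirmation."""
    by_ref_local = {r["ref"]: r for r in local}
    by_ref_ext = {r["ref"]: r for r in independent}
    report = {"missing_locally": [], "mismatched": [], "unconfirmed": []}
    for ref, ext in by_ref_ext.items():
        loc = by_ref_local.get(ref)
        if loc is None:
            report["missing_locally"].append(ref)
        elif loc != ext:
            report["mismatched"].append(ref)
    for ref in by_ref_local:
        if ref not in by_ref_ext:
            report["unconfirmed"].append(ref)
    return report


if __name__ == "__main__":
    # The stored chain is assumed to have been written when the records were
    # first recorded; here it is computed from the untampered copy.
    stored_chain = build_chain(CONFIRMATIONS)
    print("first divergence at record index:", first_divergence(LOCAL_JOURNAL, stored_chain))
    print(json.dumps(reconcile(LOCAL_JOURNAL, CONFIRMATIONS), indent=2))
```

The point of the two checks is that they rely on something the application database does not control: the stored chain has to live somewhere an attacker with database access cannot rewrite along with the records (append-only storage, a separate host, or a printed digest), and the confirmations come from the far side of the link. A check that compares the database only with itself would have passed here.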
You know they were a prime target.
Thomas Fox-Brewster reports:
Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web.
Read more on Forbes. The data leak was originally uncovered by Chris Vickery (now a researcher with MacKeeper), but as we were told in many cases last year, this was supposedly a “test server.” It seems that the test server contained real data. [“Real data” is never as useful for testing as “test data” that has been designed to exercise every edit in the application. Bob]
We would probably have been better served if everyone (and by everyone I mean the politicians) just avoided bragging.
ISIS Targeted by Cyberattacks in a New U.S. Line of Combat
The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.
The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.
… Cyber Command was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.
… The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group. [Not so sure about these last two ideas. Bob]
… The fact that the administration is beginning to talk of its use of the new weapons is a dramatic change. As recently as four years ago, it would not publicly admit to developing offensive cyberweapons or confirm its role in any attacks on computer networks.
That is partly because cyberattacks inside another nation raise major questions over invasion of sovereignty. But in the case of the Islamic State, officials say a decision was made that a bit of boasting might degrade the enemy’s trust in its communications, jumbling and even deterring some actions. [Again, not so much… Bob]
Moves and counter-moves. You send me annoying ads. I block annoying ads. You try to identify anyone blocking annoying ads so you can deny me access to content or override the block and display annoying ads. I call in the annoying ad lawyers… Would it be simpler to make the ads less annoying?
Websites that detect your ad blocker could be breaking EU law
In the battle against ad blocking, many publishers have begun preventing readers from viewing content while they have an ad blocker switched on.
However, a letter purporting to be from the European Commission suggests that these publishers could be breaking European law.
Interesting. Does it provide any deterrence? Not sure what the “tag” entails.
From the strike-Kuwait-from-your-tourism-plans dept., Thinus Ferreira writes:
All visitors and tourists to Kuwait will now have to submit to a DNA test and be DNA tagged before they’re allowed to enter the Persian Gulf state.
In a world first, Kuwait wants to DNA “tag” everybody in, as well as entering the country with the new DNA legislation that will become law this year.
According to The Kuwait Times, the DNA testing law is “aimed at creating an integrated security database”. The law – the first of its kind in the world – and the DNA tagging will only be used for “criminal security purposes” according to Kuwait officials.
“Kuwait will have a database including DNA fingerprints of all citizens, residents and visitors. This law is the first of its kind in the world and Kuwait is the first country worldwide to apply the system,” notes the publication.
Read more on Traveler24.
Do they have a moral obligation to monitor every social media platform used by even one student? If not, can they tell us which ones they feel they can safely ignore? They opened the can, are they monitoring all the worms?
I’ve previously noted (snarkily, of course) the use of SnapTrends software by Orange County Public Schools in Florida to monitor students’ social media activities.
Well, it seems they’re pleased as punch with the results of their monitoring. So much so that they’re renewing the contract for the software. Details of the approximately one dozen police investigations that resulted from use of the software and manual searches were not disclosed.
[From the article:
"It's a no-brainer to me," Chairman Bill Sublette said. "I think we have a moral obligation in every sense of the word to monitor social media for threats to our students or schools."
The school district declined to provide many details about how the software is used or the types of social media posts that had generated alerts, citing exemptions in open-records laws regarding security. Officials stressed the software looks only at publicly available posts.]
Just because the politicians are screaming for backdoors into encryption does not mean the scientific side of the government feels the same way.
DARPA Is Looking For The Perfect Encryption App, and It’s Willing to Pay
While the FBI keeps crying wolf about the dangerous dark future where criminals use technology that’s impossible to spy on, the Pentagon’s blue-sky research arm wants someone to create the ultimate hacker-proof messaging app.
The Defense Advanced Research Projects Agency, better known as DARPA, is looking for a “secure messaging and transaction platform” that would use the standard encryption and security features of current messaging apps such as WhatsApp, Signal, or Ricochet, but also use a decentralized Blockchain-like backbone structure that would be more resilient to surveillance and cyberattacks.
DARPA’s goal is to have “a secure messaging system that can provide repudiation or deniability, perfect forward and backward secrecy, time to live/self delete for messages, one time eyes only messages, a decentralized infrastructure to be resilient to cyber-attacks, and ease of use for individuals in less than ideal situations,” according to a notice looking for proposals, which was recently posted on a government platform that offers federal research funds to small businesses.
(Related) Could this be why?
Serious weaknesses seen in cell phone networks
America’s digital adversaries may have spent years eavesdropping on officials’ private phone conversations through vulnerabilities in the global cell phone network, according to security experts.
… Specialists believe countries like China, Russia and Iran have all likely exploited the deficiency to record calls, pilfer phone data and remotely track high-value targets.
“I would be flabbergasted if these foreign governments were not monitoring large numbers of American officials on their cell phones,” Rep. Ted Lieu (D-Calif.) told The Hill.
Perspective. Perhaps this kind of disclosure is the future?
100 data breaches later, Have I been pwned gets its first self-submission
I certainly didn't expect it would go this far when I built Have I been pwned (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see.
But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitted, if you like.
(Related) The opposite of self-reporting?
Looks like I missed a breach report from weeks ago. Troy Hunt writes:
Today I’ve been looking at the Naughty America data breach which was in the news 10 days ago. The breach itself is dated March 14 which is a day short of six weeks before the time of writing. Yet somehow, Naughty America have yet to acknowledge the incident. In fact, the first a number of their customers knew of the breach was when I contacted them today and repeated the same process as I’d done with the Filipino voters. Not only did I get affirmative responses, one member of the site even emailed me the original welcome email he’d received from them in 2010, complete with the precise date that was stamped on his record in the data breach.
Read more on WindowsITPro.
The breach was initially reported on Forbes, which sadly, I no longer read because of their requirement that you turn off ad-blockers in your browser. You can read other coverage of the breach on TechInsider.
For my geeks. We could build an App for that! (Whatever ‘that’ is.)
How to Detect Faces With the Google Cloud Vision API
The Google Cloud Vision API is currently in Beta and available to developers with a basic pricing model that is free up to a thousand units per month. That means that developers have access to powerful image analysis capabilities backed by Google’s Machine Vision Infrastructure to implement in any relevant project.
The technology uses machine learning to identify the content in images, such as objects, colors, and notable landmarks. That data can be leveraged by applications or other software to perform specific tasks according to the developer’s intentions. In this tutorial on Google Cloud Platform, followers learn how to use the Google Cloud Vision API to detect faces in an image, and use that data to draw a box around each face.
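The two steps the tutorial covers, asking the API for faces and turning the answer into boxes, are illustrated below in an added example that is not the tutorial’s own code. It builds the request body for the Cloud Vision `images:annotate` call (inline base64 image, `FACE_DETECTION` feature) and parses a face-detection reply into axis-aligned boxes. The reply is a constructed sample with only the fields used here; one caveat it exercises is that the REST API leaves out numeric fields whose value is 0, so a vertex on the left or top edge of the image can arrive without an `x` or `y` key. Sending the request (and handling the API key) is left outside the block, which runs offline.

```python
import base64
import json

# Constructed sample reply shaped like the Cloud Vision images:annotate response
# for FACE_DETECTION. Only the fields used below are included; real replies carry
# many more (landmarks, likelihoods, fdBoundingPoly). The second face sits on
# the image's left edge, so its x=0 vertices have no "x" key at all.
SAMPLE_RESPONSE = json.dumps({
    "responses": [{
        "faceAnnotations": [
            {"boundingPoly": {"vertices": [{"x": 120, "y": 40}, {"x": 260, "y": 40},
                                            {"x": 260, "y": 210}, {"x": 120, "y": 210}]},
             "detectionConfidence": 0.97},
            {"boundingPoly": {"vertices": [{"y": 300}, {"x": 90, "y": 300},
                                            {"x": 90, "y": 400}, {"y": 400}]},
             "detectionConfidence": 0.42},
        ]
    }]
})


def build_request(image_bytes, max_results=10):
    """Build the JSON body for POST https://vision.googleapis.com/v1/images:annotate
    that asks for face detection on an image supplied inline as base64."""
    return {
        "requests": [{
            "image": {"content": base64.b64encode(image_bytes).decode("ascii")},
            "features": [{"type": "FACE_DETECTION", "maxResults": max_results}],
        }]
    }


def face_boxes(response_json, min_confidence=0.5):
    """Return (left, top, right, bottom) for every face at or above the confidence
    threshold, computed from the bounding polygon's vertices. Missing "x"/"y"
    keys are treated as 0, which is what the API means by omitting them."""
    data = json.loads(response_json) if isinstance(response_json, str) else response_json
    boxes = []
    for resp in data.get("responses", []):
        if "error" in resp:
            # Per-image failures come back inside the response list, not as HTTP errors.
            raise RuntimeError(resp["error"].get("message", "annotate failed"))
        for face in resp.get("faceAnnotations", []):
            if face.get("detectionConfidence", 0.0) < min_confidence:
                continue
            verts = face["boundingPoly"]["vertices"]
            xs = [v.get("x", 0) for v in verts]
            ys = [v.get("y", 0) for v in verts]
            boxes.append((min(xs), min(ys), max(xs), max(ys)))
    return boxes


if __name__ == "__main__":
    body = build_request(b"<jpeg bytes would go here>")
    print("features requested:", body["requests"][0]["features"])
    print("boxes (confidence >= 0.5):", face_boxes(SAMPLE_RESPONSE))
    print("boxes (all):", face_boxes(SAMPLE_RESPONSE, min_confidence=0.0))
```

Each returned tuple is already in the `(x0, y0, x1, y1)` form that Pillow’s `ImageDraw.Draw(img).rectangle(box, outline="red")` expects, which is the drawing step the tutorial ends with. The confidence threshold is worth keeping: low-confidence annotations are where spurious boxes come from.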
Something we want our students to start doing.
An Informal Chat About Ed Tech Blogging - Recording
Earlier this evening I hosted a Google+ Hangout On Air for people who had questions related to blogging for professional purposes. It was an informal half hour in which I answered a bunch of the questions that I frequently receive in my email on that topic. A few new questions were added into the chat too. If you weren't able to make it, you can now watch the recording on my YouTube channel. (you may want to fast-forward through the first two minutes in which I was just setting things up).
(Related) Have my students create (and publish?) their own textbook.
Collaborative Book Publishing with Google Slides & Issuu
EdTechTeacher, an advertiser on this site, has launched a new FREE video series called #ETTchat. Each week, one of their instructors posts a new video with ideas using technology in the service of learning.
Collaborative Book Publishing
Google Slides has become a universal tool for students to use on any device. In this video, Greg Kulowiec (@gregkulowiec) shows how students could collaboratively design a book using Google Slides and then publish it with the digital publishing platform, Issuu.
Learn more about collaborative tools and ePub creation on the EdTechTeacher web site.