SWIFT Software Bug Exploited by Bangladesh Bank Hackers
… Investigators at British defense contractor BAE Systems told Reuters that the malware in question, evtdiag.exe, had been designed to change code in SWIFT’s Access Alliance software to tamper with a database recording the bank’s activity over the network. That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials. The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.
… It’s thought that the malware was part of a multi-layered attack and used on the SWIFT system once Bangladesh Bank admin credentials had been stolen.
… For its part, SWIFT confirmed it is later today releasing a software update to “assist customers in enhancing their security and to spot inconsistencies in their local database records.”
You know they were a prime target.
Thomas Fox-Brewster reports:
Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web.
Read more on Forbes.
The data leak was originally uncovered by Chris Vickery (now a researcher with MacKeeper), but as we were told in many cases last year, this was supposedly a “test server.” It seems that the test server contained real data. [“Real data” is never as useful for testing as “test data” that has been designed to exercise every edit in the application. Bob]
We would probably have been better served if everyone (and by everyone I mean the politicians) just avoided bragging.
ISIS Targeted by Cyberattacks in a New U.S. Line of Combat
The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.
The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.
… Cyber Command was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.
… The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group. [Not so sure about these last two ideas. Bob]
… The fact that the administration is beginning to talk of its use of the new weapons is a dramatic change. As recently as four years ago, it would not publicly admit to developing offensive cyberweapons or confirm its role in any attacks on computer networks.
That is partly because cyberattacks inside another nation raise major questions over invasion of sovereignty. But in the case of the Islamic State, officials say a decision was made that a bit of boasting might degrade the enemy’s trust in its communications, jumbling and even deterring some actions. [Again, not so much… Bob]
Moves and counter-moves. You send me annoying ads. I block annoying ads. You try to identify anyone blocking annoying ads so you can deny me access to content or override the block and display annoying ads. I call in the annoying ad lawyers… Would it be simpler to make the ads less annoying?
Websites that detect your ad blocker could be breaking EU law
In the battle against ad blocking, many publishers have begun preventing readers from viewing content while they have an ad blocker switched on.
However, a letter purporting to be from the European Commission suggests that these publishers could be breaking European law.
Interesting. Does it provide any deterrence? Not sure what the “tag” entails.
From the strike-Kuwait-from-your-tourism-plans dept., Thinus Ferreira writes:
All visitors and tourists to Kuwait will now have to submit to a DNA test and be DNA tagged before they’re allowed to enter the Persian Gulf state.
In a world first, Kuwait wants to DNA “tag” everybody in, as well as entering the country with the new DNA legislation that will become law this year.
[…]
According to The Kuwait Times, the DNA testing law is “aimed at creating an integrated security database”. The law – the first of its kind in the world – and the DNA tagging will only be used for “criminal security purposes” according to Kuwait officials.
“Kuwait will have a database including DNA fingerprints of all citizens, residents and visitors. This law is the first of its kind in the world and Kuwait is the first country worldwide to apply the system,” notes the publication.
Read more on Traveler24.
Do they have a moral obligation to monitor every social media platform used by even one student? If not, can they tell us which ones they feel they can safely ignore? They opened the can, are they monitoring all the worms?
I’ve previously noted (snarkily, of course) the use of SnapTrends software by Orange County Public Schools in Florida to monitor students’ social media activities.
Well, it seems they’re pleased as punch with the results of their monitoring. So much so that they’re renewing the contract for the software. Details of the approximately one dozen police investigations that resulted from use of the software and manual searches were not disclosed.
[From the article:
"It's a no-brainer to me," Chairman Bill Sublette said. "I think we have a moral obligation in every sense of the word to monitor social media for threats to our students or schools."
The school district declined to provide many details about how the software is used or the types of social media posts that had generated alerts, citing exemptions in open-records laws regarding security. Officials stressed the software looks only at publicly available posts.]
Just because the politicians are screaming for backdoors into encryption does not mean the scientific side of the government feels the same way.
DARPA Is Looking For The Perfect Encryption App, and It’s Willing to Pay
While the FBI keeps crying wolf about the dangerous dark future where criminals use technology that’s impossible to spy on, the Pentagon’s blue-sky research arm wants someone to create the ultimate hacker-proof messaging app.
The Defense Advanced Research Projects Agency, better known as DARPA, is looking for a “secure messaging and transaction platform” that would use the standard encryption and security features of current messaging apps such as WhatsApp, Signal, or Ricochet, but also use a decentralized Blockchain-like backbone structure that would be more resilient to surveillance and cyberattacks.
DARPA’s goal is to have “a secure messaging system that can provide repudiation or deniability, perfect forward and backward secrecy, time to live/self delete for messages, one time eyes only messages, a decentralized infrastructure to be resilient to cyber-attacks, and ease of use for individuals in less than ideal situations,” according to a notice looking for proposals, which was recently posted on a government platform that offers federal research funds to small businesses.
(Related) Could this be why?
Serious weaknesses seen in cell phone networks
America’s digital adversaries may have spent years eavesdropping on officials’ private phone conversations through vulnerabilities in the global cell phone network, according to security experts.
… Specialists believe countries like China, Russia and Iran have all likely exploited the deficiency to record calls, pilfer phone data and remotely track high-value targets.
“I would be flabbergasted if these foreign governments were not monitoring large numbers of American officials on their cell phones,” Rep. Ted Lieu (D-Calif.) told The Hill.
Perspective. Perhaps this kind of disclosure is the future?
100 data breaches later, Have I been pwned gets its first self-submission
I certainly didn't expect it would go this far when I built Have I been pwned (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see.
But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitted, if you like.
(Related) The opposite of self-reporting?
Looks like I missed a breach report from weeks ago. Troy Hunt writes:
Today I’ve been looking at the Naughty America data breach which was in the news 10 days ago. The breach itself is dated March 14 which is a day short of six weeks before the time of writing. Yet somehow, Naughty America have yet to acknowledge the incident. In fact, the first a number of their customers knew of the breach was when I contacted them today and repeated the same process as I’d done with the Filipino voters. Not only did I get affirmative responses, one member of the site even emailed me the original welcome email he’d received from them in 2010, complete with the precise date that was stamped on his record in the data breach.
Read more on WindowsITPro.
The breach was initially reported on Forbes, which sadly, I no longer read because of their requirement that you turn off ad-blockers in your browser. You can read other coverage of the breach on TechInsider.
For my geeks. We could build an App for that! (Whatever ‘that’ is.)
How to Detect Faces With the Google Cloud Vision API
The Google Cloud Vision API is currently in Beta and available to developers with a basic pricing model that is free up to a thousand units per month. That means that developers have access to powerful image analysis capabilities backed by Google’s Machine Vision Infrastructure to implement in any relevant project.
The technology uses machine learning to identify the content in images, such as objects, colors, and notable landmarks. That data can be leveraged by applications or other software to perform specific tasks according to the developer’s intentions. In this tutorial on Google Cloud Platform, followers learn how to use the Google Cloud Vision API to detect faces in an image, and use that data to draw a box around each face.
Something we want our students to start doing.
An Informal Chat About Ed Tech Blogging - Recording
Earlier this evening I hosted a Google+ Hangout On Air for people who had questions related to blogging for professional purposes. It was an informal half hour in which I answered a bunch of the questions that I frequently receive in my email on that topic. A few new questions were added into the chat too. If you weren't able to make it, you can now watch the recording on my YouTube channel. (You may want to fast-forward through the first two minutes in which I was just setting things up.)
(Related) Have my students create (and publish?) their own textbook.
Collaborative Book Publishing with Google Slides & Issuu
EdTechTeacher, an advertiser on this site, has launched a new FREE video series called #ETTchat. Each week, one of their instructors posts a new video with ideas using technology in the service of learning.
Collaborative Book Publishing
Google Slides has become a universal tool for students to use on any device. In this video, Greg Kulowiec (@gregkulowiec) shows how students could collaboratively design a book using Google Slides and then publish it with the digital publishing platform, Issuu.
Learn more about collaborative tools and ePub creation on the EdTechTeacher web site.