Tuesday, May 10, 2016
Maybe they just wanted the computers. Maybe they want the election?
Four computers used by the Electoral Commission (EC) for the Limited Biometric Voter Registration exercise have been stolen at Savelugu in the Northern region.
The office of the Commission was broken into through the window Sunday night.
“The locks were still on as if nothing had happened” when electoral officers went to the office, Joy News Northern regional correspondent Matina Bugri reported.
Read more on MyJoyOnline.com.
[From the article:
He explained that the computers and biometric verification devices containing data gathered on the last day of the registration exercise on Sunday were all missing. [Did they wait until all the data had been gathered? Bob]
For my Ethical Hacking students. Try not to cross the line and if you do be sure to have a scapegoat handy.
Researcher Arrested For Hacking Elections Websites
David Levin, owner of Vanguard Cybersecurity, discovered in December that the elections website of Lee County was plagued by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert later also identified security holes on the Florida Division of Elections website.
Levin contacted a supervisor of elections candidate and in January they made a video demonstrating the existence of the SQL injection flaw on the Lee County elections website and showed how exposed credentials could be used to access accounts and information. The security hole was only then reported to the Supervisor of Elections Office.
According to local reports, the white hat hacker was arrested last week and charged with three counts of unauthorized access to a computer or a computer system. He was released on a $15,000 bond after a few hours.
… “Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” said Troy Hunt, a security expert who has often been involved in the disclosure of serious vulnerabilities.
Hunt pointed out that in the case of SQL injection vulnerabilities such as the one found by Levin, it’s easy to demonstrate that a risk exists without actually accessing any potentially sensitive data.
Try anything, you never know when you might hit a soft spot.
Important news out of the UK this morning, where the government (National Crime Agency) tried to get a court to compel Lauri Love to provide decryption key to devices they had seized from him. Love had refused, arguing (understandably), that he had never been charged with any crime, and that they were attempting to do an end-run around protections under RIPA by a back-door route (“case management”) to forcing compliance.
This morning, the court denied the government’s motion. The Free Lauri campaign explains:
This morning at Westminster Magistrates’ Court, District Judge Nina Tempia rejected a National Crime Agency (NCA) request to use the court’s case management powers to order Lauri Love to hand over his encryption keys, preventing a dangerous precedent that would have given UK police new powers to compel people to decrypt their electronic devices, even if they are not suspected of a crime.
Remarking on the NCA’s application, the judge said that authorities must instead use the existing legal regime created by the Regulation of Investigatory Powers Act (RIPA) if they wish to compel someone to surrender encryption keys, and that the court’s case management powers cannot be used by authorities to circumvent statutory safeguards in RIPA.
Read more on Free Lauri.
The information on the encrypted devices may, or may not, contain evidence relating to charges Love faces in the U.S., and the US has previously applied to the UK to extradite Love. Love has been fighting the extradition, claiming that if there are any charges, they should be filed and tried in the UK. But the UK did not find evidence/grounds to prosecute Love there.
So if Love’s going to prosecuted for hacking – and he’s been indicted in three federal districts here by now – it’s going to be in the US, and today’s ruling in the UK means that the US won’t be getting any additional evidence from his devices in the foreseeable future. Of course, they will argue that they already have enough evidence and just need the UK to extradite Love, but today’s ruling is likely a disappointment to prosecutors here.
No apology, that’s what these Apps are supposed to do.
GAO Report – Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking
Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking, GAO-16-317: Published: Apr 21, 2016. Publicly Released: May 9, 2016.
“GAO found that the majority of the reviewed websites for smartphone tracking applications (apps) marketed their products to parents or employers to track the location of their children or employees, respectively, or to monitor them in other ways, such as intercepting their smartphone communications. Several tracking apps were marketed to individuals for the purpose of tracking or intercepting the communications of an intimate partner to determine if that partner was cheating. About one-third of the websites marketed their tracking apps as surreptitious, specifically to track the location and intercept the smartphone communications of children, employees, or intimate partners without their knowledge or consent. The key concerns of the stakeholders with whom GAO spoke—including domestic violence groups, privacy groups, and academics—were questions about:
(1) the applicability of current federal laws to the manufacture, sale, and use of surreptitious tracking apps;
(2) the limited enforcement of current laws; and
(3) the need for additional education about tracking apps.
GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. Stakeholders also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking. Some of these stakeholders believed it was important to prosecute companies that manufacture surreptitious tracking apps and market them for the purpose of spying. Domestic violence groups stated that additional education of law enforcement officials and consumers about how to protect against, detect, and remove tracking apps is needed. The federal government has undertaken educational, enforcement, and legislative efforts to protect individuals from the use of surreptitious tracking apps, but stakeholders differed over whether current federal laws need to be strengthened to combat stalking. Educational efforts by the Department of Justice (DOJ) have included funding for the Stalking Resource Center, which trains law enforcement officers, victim service professionals, policymakers, and researchers on the use of technology in stalking. With regard to enforcement, DOJ has prosecuted a manufacturer and an individual under the federal wiretap statute for the manufacture or use of a surreptitious tracking app. Some stakeholders believed the federal wiretap statute should be amended to explicitly include the interception of location data and DOJ has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering. Stakeholders differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action. Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps. However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections.”
Worth sharing with my students. All of them.
10 companies that can help you fight phishing
According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.
… The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns. Some of the vendors below, including Phishme and KnowBe4, also offer free resources.
Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run their own phishing tests inside their organization.
(Related) Keep the glossary up to date! (Voice and SMS)
New Phishing Techniques To Be Aware of: Vishing and Smishing
Something for my Computer Security students to ponder. What should you tell Watson and what should you keep from ‘him?’ (Note that you make copies of a non-specific Watson and then teach whatever he needs to know.)
IBM Watson Brings AI Wonders to Cybersecurity
… Ginni Rometty, CEO of IBM ibm , will introduce a cybersecurity-specific version of Watson at an IBM computer security summit on Tuesday, the company said. The project, powered by IBM’s Bluemix cloud computing platform, includes a partnership between IBM and eight universities that begins in the fall.
… IBM researchers have already begun feeding Watson with all sorts of computer security data sourced from its open access threat intelligence platform, called X-Force Exchange.
… Watson is also designed to ingest research papers, blog posts, news stories, media reports, alerts, textbooks, social media posts, and more to build up knowledge about all the latest cyber threats. Students at the partnering schools will help input and annotate this so-called unstructured data (meaning data that’s not easily machine readable) to train the system.
Would there be a market for a truly secure smartphone? Perhaps my students could write the OS as a final exam?
The government wants to know why it takes so long for your smartphone to get security updates
We trust our smartphones with an astounding amount of information, but all too often those devices may not be protected with the latest security fixes. That's the problem at the heart of a new government project announced today in which the Federal Communications Commission and the Federal Trade Commission are teaming up to examine the sometimes messy way security patches are delivered to consumers' smartphones.
Another area to ponder.
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society May 9, 2016 The following summary was written by Samantha Bates:
“The second “Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society” workshop took place on February 19, 2016 at Harvard Law School. Marin Soljačić, Max Tegmark, Bruce Schneier, and Jonathan Zittrain convened this informal workshop to discuss recent advancements in artificial intelligence research. Participants represented a wide range of expertise and perspectives and discussed four main topics during the day-long event:
the impact of artificial intelligence on labor and economics,
algorithmic decision-making, particularly in law,
autonomous weapons, and
the risks of emergent human-level artificial intelligence.
Each session opened with a brief overview of the existing literature related to the topic from a designated participant, followed by remarks from two or three provocateurs. The session leader then moderated a discussion with the larger group. At the conclusion of each session, participants agreed upon a list of research questions that require further investigation by the community. A summary of each discussion as well as the group’s recommendations for additional areas of study are included here…”
Made for attack ads. Of greater concern, have they lost anything else? (If we’re lucky, they only “loose” emails that might embarrass the administration – or the next one.)
State Dept. says it has no emails from ex-Clinton staffer
The State Department can find no emails to or from a former Hillary Clinton aide who worked for the agency and also managed Clinton’s private computer server while she served as secretary of state, the government said in a new court filing on Monday.
The government said as much in U.S. District Court in Washington in answer to a lawsuit by the Republican National Committee. The committee had sued over its public records request for all work-related emails sent to or received by Clinton’s former aide, Bryan Pagliano, between 2009 and 2013, the years of Clinton’s tenure.
… agency officials continue to search for “Mr. Pagliano’s emails, which the department may have otherwise retained.”
Oh the horror of change! Does this rise to “big deal” level?
Google is testing a change to one of its most iconic designsGoogle is testing an alternative to its iconic blue links in search results: Turning them black.
The company A/B tests various tweaks to its products all the time, but this swap feels particularly jarring since the search engine has kept the same overall color scheme since its earliest days of "10 bare blue links."
Google has proven in the past that its scale means that something like a small shift in shade can have big consequences. In the early days, Google tested 40 different shades of blue for its links and the winning hue helped it reel in an extra $200 million a year in ad revenue.
Some users are saying that the change makes it harder to differentiate between which links they've clicked and which they haven't.
Perspective. Soon, my only option will be to buy a smartphone that talks to me. “What took you so long, Bob?”
Sales of PCs, laptops, and tablets fell 13% in Q1; reaching lowest point since 2011
… According to the latest report from market research firm Canalys, shipments of PC devices (including desktops, notebooks, two-in-ones, and tablets) amounted to 101 million units in the first quarter of 2016. That represents a decline of 13 percent from the same period a year ago — the lowest volume since the second quarter of 2011.
A time waster for my students?
Panama Papers Database Goes Live
Follow up to previous posting – ICIJ to Release Panama Papers Offshore Companies Data – today’s news – Offshore Leaks Database – Find out who’s behind almost 320,000 offshore companies and trusts from the Panama Papers and the Offshore Leaks investigations – accompanied by the following warning: “There are legitimate uses for offshore companies and trusts. We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly. Many people and entities have the same or similar names. We suggest you confirm the identities of any individuals or entities located in the database based on addresses or other identifiable information. If you find an error in the database please get in touch with us.”
“This database contains information on almost 320,000 offshore entities that are part of the Panama Papers and the Offshore Leaks investigations. The data covers nearly 40 years – from 1977 through 2015 – and links to people and companies in more than 200 countries and territories. The real value of the database is that it strips away the secrecy that cloaks companies and trusts incorporated in tax havens and exposes the people behind them. This includes, when available, the names of the real owners of those opaque structures. In all, the interactive application reveals more than 360,000 names of people and companies behind secret offshore structures. They come from leaked records and not a standardized corporate registry, so there may be duplicates. In some cases, companies are listed as shareholders for another company or a trust, arrangement that often helps obscure the flesh-and-blood people behind offshore entities. ICIJ obtained the data through two massive leaks. The majority of the names in this database come from Panamanian law firm Mossack Fonseca, whose inner workings were exposed in the Panama Papers investigation published in April 2016 in conjunction with Süddetsche Zeitung and more than 100 other media partners. Around a third of the offshore entities were incorporated through Portcullis Trustnet (now Portcullis) and Commonwealth Trust Limited, two offshore service providers exposed as part of ICIJ’s 2013 Offshore Leaks exposé. This was the first information added to this database when it was released in June 2013, which was then produced in conjunction with Costa Rican newspaper La Nación. The database does not disclose the totality of the leaked records. It doesn’t divulge raw documents or personal information en masse. It contains a great deal of information about company owners, proxies and intermediaries in secrecy jurisdictions, but it doesn’t disclose bank accounts, email exchanges and financial transactions contained in the documents. ICIJ is publishing the information in the public interest. While many of the activities carried out through offshore entities are perfectly legal, extensive reporting by ICIJ and its media partners for more than four years has shown that the anonymity granted by the offshore economy facilitates money laundering, tax evasion, fraud and other crimes. Even when it’s legal, transparency advocates argue that the use of an alternative, parallel economy undermines democracy because it benefits a few at the expense of the majority. Read more about why ICIJ is making this information public here. The questions and answers below address the most frequent questions about this data. If you still have questions after reading them, please get in touch with us.”
For those students who always have those plug thingies in their ears. “What lecture?”
7+ Easy Ways to Discover New Music You Will Love