MyJoyOnline reports:
Four computers used by the Electoral Commission (EC) for the Limited Biometric Voter Registration exercise have been stolen at Savelugu in the Northern region.
The office of the Commission was broken into through the window Sunday night.
“The locks were still on as if nothing had happened” when electoral officers went to the office, Joy News Northern regional correspondent Matina Bugri reported.
Read more on MyJoyOnline.com.
[From the article:
He explained that the computers and biometric verification devices containing data gathered on the last day of the registration exercise on Sunday were all missing. [Did they wait until all the data had been gathered? Bob]
For my Ethical Hacking students. Try not to cross the line and if you do be sure to have a scapegoat handy.
Researcher Arrested For Hacking Elections Websites
David Levin, owner of Vanguard Cybersecurity, discovered in December that the elections website of Lee County was plagued by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert later also identified security holes on the Florida Division of Elections website.
Levin contacted a supervisor of elections candidate and in January they made a video demonstrating the existence of the SQL injection flaw on the Lee County elections website and showed how exposed credentials could be used to access accounts and information. The security hole was only then reported to the Supervisor of Elections Office.
According to local reports, the white hat hacker was arrested last week and charged with three counts of unauthorized access to a computer or a computer system. He was released on a $15,000 bond after a few hours.
… “Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” said Troy Hunt, a security expert who has often been involved in the disclosure of serious vulnerabilities.
Hunt pointed out that in the case of SQL injection vulnerabilities such as the one found by Levin, it’s easy to demonstrate that a risk exists without actually accessing any potentially sensitive data.
Try anything, you never know when you might hit a soft spot.
Important news out of the UK this morning, where the government (National Crime Agency) tried to get a court to compel Lauri Love to provide decryption keys to devices they had seized from him. Love had refused, arguing (understandably) that he had never been charged with any crime, and that they were attempting to do an end-run around protections under RIPA by a back-door route (“case management”) to forcing compliance.
This morning, the court denied the government’s motion. The Free Lauri campaign explains:
This morning at Westminster Magistrates’ Court, District Judge Nina Tempia rejected a National Crime Agency (NCA) request to use the court’s case management powers to order Lauri Love to hand over his encryption keys, preventing a dangerous precedent that would have given UK police new powers to compel people to decrypt their electronic devices, even if they are not suspected of a crime.
Remarking on the NCA’s application, the judge said that authorities must instead use the existing legal regime created by the Regulation of Investigatory Powers Act (RIPA) if they wish to compel someone to surrender encryption keys, and that the court’s case management powers cannot be used by authorities to circumvent statutory safeguards in RIPA.
Read more on Free Lauri.
The information on the encrypted devices may, or may not, contain evidence relating to charges Love faces in the U.S., and the US has previously applied to the UK to extradite Love. Love has been fighting the extradition, claiming that if there are any charges, they should be filed and tried in the UK. But the UK did not find evidence/grounds to prosecute Love there.
So if Love’s going to be prosecuted for hacking – and he’s been indicted in three federal districts here by now – it’s going to be in the US, and today’s ruling in the UK means that the US won’t be getting any additional evidence from his devices in the foreseeable future. Of course, they will argue that they already have enough evidence and just need the UK to extradite Love, but today’s ruling is likely a disappointment to prosecutors here.
No apology, that’s what these Apps are supposed to do.
GAO Report – Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking
by Sabrina I. Pacifici on May 9, 2016
Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking, GAO-16-317: Published: Apr 21, 2016. Publicly Released: May 9, 2016.
“GAO found that the majority of the reviewed websites for smartphone tracking applications (apps) marketed their products to parents or employers to track the location of their children or employees, respectively, or to monitor them in other ways, such as intercepting their smartphone communications. Several tracking apps were marketed to individuals for the purpose of tracking or intercepting the communications of an intimate partner to determine if that partner was cheating. About one-third of the websites marketed their tracking apps as surreptitious, specifically to track the location and intercept the smartphone communications of children, employees, or intimate partners without their knowledge or consent. The key concerns of the stakeholders with whom GAO spoke—including domestic violence groups, privacy groups, and academics—were questions about:
(1) the applicability of current federal laws to the manufacture, sale, and use of surreptitious tracking apps;
(2) the limited enforcement of current laws; and
(3) the need for additional education about tracking apps.
GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. Stakeholders also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking. Some of these stakeholders believed it was important to prosecute companies that manufacture surreptitious tracking apps and market them for the purpose of spying. Domestic violence groups stated that additional education of law enforcement officials and consumers about how to protect against, detect, and remove tracking apps is needed. The federal government has undertaken educational, enforcement, and legislative efforts to protect individuals from the use of surreptitious tracking apps, but stakeholders differed over whether current federal laws need to be strengthened to combat stalking. Educational efforts by the Department of Justice (DOJ) have included funding for the Stalking Resource Center, which trains law enforcement officers, victim service professionals, policymakers, and researchers on the use of technology in stalking. With regard to enforcement, DOJ has prosecuted a manufacturer and an individual under the federal wiretap statute for the manufacture or use of a surreptitious tracking app. Some stakeholders believed the federal wiretap statute should be amended to explicitly include the interception of location data and DOJ has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering. Stakeholders differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action. Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps. However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections.”
Worth sharing with my students. All of them.
10 companies that can help you fight phishing
According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.
… The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns. Some of the vendors below, including Phishme and KnowBe4, also offer free resources.
Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run their own phishing tests inside their organization.
(Related) Keep the glossary up to date! (Voice and SMS)
New Phishing Techniques To Be Aware of: Vishing and Smishing
Something for my Computer Security students to ponder. What should you tell Watson and what should you keep from ‘him?’ (Note that you make copies of a non-specific Watson and then teach whatever he needs to know.)
IBM Watson Brings AI Wonders to Cybersecurity
… Ginni Rometty, CEO of IBM, will introduce a cybersecurity-specific version of Watson at an IBM computer security summit on Tuesday, the company said. The project, powered by IBM’s Bluemix cloud computing platform, includes a partnership between IBM and eight universities that begins in the fall.
… IBM researchers have already begun feeding Watson with all sorts of computer security data sourced from its open access threat intelligence platform, called X-Force Exchange.
… Watson is also designed to ingest research papers, blog posts, news stories, media reports, alerts, textbooks, social media posts, and more to build up knowledge about all the latest cyber threats. Students at the partnering schools will help input and annotate this so-called unstructured data (meaning data that’s not easily machine readable) to train the system.
Would there be a market for a truly secure smartphone? Perhaps my students could write the OS as a final exam?
The government wants to know why it takes so long for your smartphone to get security updates
We trust our smartphones with an astounding amount of information, but all too often those devices may not be protected with the latest security fixes. That's the problem at the heart of a new government project announced today in which the Federal Communications Commission and the Federal Trade Commission are teaming up to examine the sometimes messy way security patches are delivered to consumers' smartphones.
Another area to ponder.
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society
by Sabrina I. Pacifici on May 9, 2016
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society, May 9, 2016. The following summary was written by Samantha Bates:
“The second “Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society” workshop took place on February 19, 2016 at Harvard Law School. Marin Soljačić, Max Tegmark, Bruce Schneier, and Jonathan Zittrain convened this informal workshop to discuss recent advancements in artificial intelligence research. Participants represented a wide range of expertise and perspectives and discussed four main topics during the day-long event:
the impact of artificial intelligence on labor and economics,
algorithmic decision-making, particularly in law,
autonomous weapons, and
the risks of emergent human-level artificial intelligence.
Each session opened with a brief overview of the existing literature related to the topic from a designated participant, followed by remarks from two or three provocateurs. The session leader then moderated a discussion with the larger group. At the conclusion of each session, participants agreed upon a list of research questions that require further investigation by the community. A summary of each discussion as well as the group’s recommendations for additional areas of study are included here…”
Made for attack ads.
Of greater concern, have they lost anything else? (If we’re lucky, they only “loose” emails that might embarrass the administration – or the next one.)
State Dept. says it has no emails from ex-Clinton staffer
The State Department can find no emails to or from a former Hillary Clinton aide who worked for the agency and also managed Clinton’s private computer server while she served as secretary of state, the government said in a new court filing on Monday.
The government said as much in U.S. District Court in Washington in answer to a lawsuit by the Republican National Committee. The committee had sued over its public records request for all work-related emails sent to or received by Clinton’s former aide, Bryan Pagliano, between 2009 and 2013, the years of Clinton’s tenure.
… agency officials continue to search for “Mr. Pagliano’s emails, which the department may have otherwise retained.”
Oh the horror of change! Does this rise to “big deal” level?
Google is testing a change to one of its most iconic designs
Google is testing an alternative to its iconic blue links in search results: turning them black.
The company A/B tests various tweaks to its products all the time, but this swap feels particularly jarring since the search engine has kept the same overall color scheme since its earliest days of "10 bare blue links."
Google has proven in the past that its scale means that something like a small shift in shade can have big consequences. In the early days, Google tested 40 different shades of blue for its links and the winning hue helped it reel in an extra $200 million a year in ad revenue.
Some users are saying that the change makes it harder to differentiate between which links they've clicked and which they haven't.
Perspective. Soon, my only option will be to buy a smartphone that talks to me. “What took you so long, Bob?”
Sales of PCs, laptops, and tablets fell 13% in Q1; reaching lowest point since 2011
… According to the latest report from market research firm Canalys, shipments of PC devices (including desktops, notebooks, two-in-ones, and tablets) amounted to 101 million units in the first quarter of 2016. That represents a decline of 13 percent from the same period a year ago — the lowest volume since the second quarter of 2011.
A time waster for my students?
Panama Papers Database Goes Live
by Sabrina I. Pacifici on May 9, 2016
Follow up to previous posting – ICIJ to Release Panama Papers Offshore Companies Data – today’s news – Offshore Leaks Database – Find out who’s behind almost 320,000 offshore companies and trusts from the Panama Papers and the Offshore Leaks investigations – accompanied by the following warning: “There are legitimate uses for offshore companies and trusts. We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly. Many people and entities have the same or similar names. We suggest you confirm the identities of any individuals or entities located in the database based on addresses or other identifiable information. If you find an error in the database please get in touch with us.”
“This database contains information on almost 320,000 offshore entities that are part of the Panama Papers and the Offshore Leaks investigations. The data covers nearly 40 years – from 1977 through 2015 – and links to people and companies in more than 200 countries and territories. The real value of the database is that it strips away the secrecy that cloaks companies and trusts incorporated in tax havens and exposes the people behind them. This includes, when available, the names of the real owners of those opaque structures. In all, the interactive application reveals more than 360,000 names of people and companies behind secret offshore structures. They come from leaked records and not a standardized corporate registry, so there may be duplicates. In some cases, companies are listed as shareholders for another company or a trust, an arrangement that often helps obscure the flesh-and-blood people behind offshore entities. ICIJ obtained the data through two massive leaks. The majority of the names in this database come from Panamanian law firm Mossack Fonseca, whose inner workings were exposed in the Panama Papers investigation published in April 2016 in conjunction with Süddeutsche Zeitung and more than 100 other media partners. Around a third of the offshore entities were incorporated through Portcullis Trustnet (now Portcullis) and Commonwealth Trust Limited, two offshore service providers exposed as part of ICIJ’s 2013 Offshore Leaks exposé.
This was the first information added to this database when it was released in June 2013, which was then produced in conjunction with Costa Rican newspaper La Nación. The database does not disclose the totality of the leaked records. It doesn’t divulge raw documents or personal information en masse. It contains a great deal of information about company owners, proxies and intermediaries in secrecy jurisdictions, but it doesn’t disclose bank accounts, email exchanges and financial transactions contained in the documents. ICIJ is publishing the information in the public interest. While many of the activities carried out through offshore entities are perfectly legal, extensive reporting by ICIJ and its media partners for more than four years has shown that the anonymity granted by the offshore economy facilitates money laundering, tax evasion, fraud and other crimes. Even when it’s legal, transparency advocates argue that the use of an alternative, parallel economy undermines democracy because it benefits a few at the expense of the majority. Read more about why ICIJ is making this information public here. The questions and answers below address the most frequent questions about this data. If you still have questions after reading them, please get in touch with us.”
For those students who always have those plug thingies in their ears. “What lecture?”
7+ Easy Ways to Discover New Music You Will Love