Monday, June 20, 2016
I would call this “stopping a major security risk,” but then what do I know.
Wells Fargo Cites New API as Screen Scraping Countermeasure
… Wells Fargo recently announced that it has created an API to make business bank account data available in accounting software Xero. According to a recent article by Penny Crosman for American Banker, the turnaround comes in response to the continued use of screen scraping to access bank data.
… These security concerns are largely founded on the fact that consumers are giving out their online banking username and password to third parties to access accounts and perform the scraping. Several prominent banks are currently attempting to reduce the risk of financial data aggregation through the use of OAuth, as Wells Fargo is doing with Xero to leverage its commitment to the API concept.
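The excerpt contrasts screen scraping on a shared banking password with OAuth-style delegated access. The following is an added example, not code from Wells Fargo, Xero or the article: an offline simulation of the OAuth 2.0 authorization-code flow with PKCE, showing the properties that make the bank's approach safer than credential sharing. The aggregator never learns the password, gets a token limited to a read scope, cannot replay the one-time code, and loses access as soon as the user revokes the token. The client id, redirect URI, scope names, sample user and account row are all constructed for illustration.

```python
"""OAuth 2.0 authorization-code flow with PKCE, simulated offline (added example,
not Wells Fargo's, Xero's or the article's code). Shows why a bank-issued token
beats sharing the banking password: the aggregator never sees the password, the
token is scoped and revocable, and the one-time code cannot be replayed.
Names, scopes and the sample user are constructed for illustration."""
import base64
import hashlib
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Bank:
    """Authorization server and account API in one (the bank's side)."""
    def __init__(self):
        self.users = {"alice": "hunter2"}                      # constructed user
        self.clients = {"agg-demo": "https://agg.example/cb"}  # registered redirect
        self._codes = {}   # code -> (user, client_id, scope, challenge, expiry)
        self._tokens = {}  # token -> (user, scopes, expiry)

    def authorize(self, username, password, client_id, redirect_uri, scope, challenge):
        """Step 1: user logs in at the bank; only a short-lived code goes to the client."""
        if self.users.get(username) != password:
            raise PermissionError("bad login at the bank")
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (username, client_id, scope, challenge, time.time() + 60)
        return code

    def token(self, code, client_id, code_verifier):
        """Step 2: exchange the code; PKCE binds it to whoever started the flow."""
        entry = self._codes.pop(code, None)   # single use, so a replay fails
        if entry is None:
            raise PermissionError("unknown or already used code")
        user, cid, scope, challenge, exp = entry
        if cid != client_id or time.time() > exp:
            raise PermissionError("code expired or issued to another client")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = (user, set(scope.split()), time.time() + 3600)
        return tok

    def revoke(self, tok):
        self._tokens.pop(tok, None)   # user cuts the app off, password unchanged

    def _check(self, tok, needed):
        entry = self._tokens.get(tok)
        if entry is None or time.time() > entry[2]:
            raise PermissionError("invalid or expired token")
        user, scopes, _ = entry
        if needed not in scopes:
            raise PermissionError(f"token lacks scope {needed}")
        return user

    def transactions(self, tok):
        user = self._check(tok, "transactions:read")   # step 3: per-endpoint scope
        return [{"user": user, "amount": -12.50, "memo": "coffee"}]  # constructed row

    def transfer(self, tok, amount):
        user = self._check(tok, "payments:write")
        return f"{user} sent {amount}"


class Aggregator:
    """Third-party app: holds a PKCE verifier and a token, never the password."""
    def __init__(self, bank, client_id="agg-demo", redirect_uri="https://agg.example/cb"):
        self.bank, self.client_id, self.redirect_uri = bank, client_id, redirect_uri
        self.verifier = secrets.token_urlsafe(48)   # 43..128 chars per RFC 7636
        self.token = None

    def code_challenge(self):
        return b64url(hashlib.sha256(self.verifier.encode()).digest())


def denied(call):
    # True when the bank refuses the call
    try:
        call()
        return False
    except PermissionError:
        return True


def delegated_flow():
    """Run the flow and report which security properties held."""
    bank = Bank()
    app = Aggregator(bank)
    code = bank.authorize("alice", "hunter2", app.client_id, app.redirect_uri,
                          "transactions:read", app.code_challenge())
    app.token = bank.token(code, app.client_id, app.verifier)
    checks = {"read_ok": len(bank.transactions(app.token)) == 1,
              "write_blocked": denied(lambda: bank.transfer(app.token, 100)),
              "replay_blocked": denied(lambda: bank.token(code, app.client_id, app.verifier))}
    bank.revoke(app.token)
    checks["revoked"] = denied(lambda: bank.transactions(app.token))
    return checks
```

The point to notice is what the aggregator ends up holding: a verifier it generated itself and a token the bank can scope and revoke. A scraper, by contrast, holds the password, which carries every permission the account has and can only be revoked by changing it.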
The practice is commonplace. And the end-users are cooperating!
Fintech Firm Plaid Raises $44 Million
Plaid Technologies Inc., whose software allows a variety of financial-technology startups to access their customers’ bank account information, has raised $44 million in a new round led by a fund at Goldman Sachs Group Inc.
… Many upstart financial-services providers such as online financial adviser Betterment Inc. use Plaid’s software to access or check customers’ account data when providing mobile and web services like budgeting, investing or lending.
I wish the government would stop providing my Computer Security students with such excellent “Bad Examples!”
Jack Moore reports:
After a wildfire tears through your community, the last thing you may be worried about is having your identity stolen or your personal information breached.
But maybe you should be.
A new inspector general report finds the Federal Emergency Management Agency still struggles to properly handle the safeguarding of personally identifiable information, or PII, at its disaster recovery centers.
Read more on NextGov.
(Related). Proof that Liberals are Airheads?
Yet another security incident linked to failure to change default passwords.
CJAD in Canada reports that the Quebec Liberals’ failure to change the default password on their videoconferencing system allowed anyone to gain access to strategy meetings.
The user who found the flaw showed off the unlimited access to the Journal de Montreal. Published screenshots show archived videos of various meetings.
No need to hack opposition research, when you can just wait for the security clueless to leak their own data.
The competition continues. The term “government malware” is not yet in common use.
Joshua Kopstein writes:
The FBI has had a fair amount of success de-anonymizing Tor users over the past few years. Despite the encryption software’s well-earned reputation as one of the best tools for online privacy, recent court cases have shown that government malware has compromised Tor users by exploiting bugs in the underlying Firefox browser—one of which was controversially provided to the FBI in 2015 by academic researchers at Carnegie Mellon University.
But according to a new paper, security researchers are now working closely with the Tor Project to create a “hardened” version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement.
Read more on Motherboard.
Inspiration for our Ethical Hacking students?
How to Use an Undocumented Facebook API to Identify Friends in Photos
… Tagging friends in photos is nothing new, but the more recent Facebook feature that pops up asking ‘Do you want to tag X?’ when hovering over an image got developer Narendra Rajput wondering how Facebook identifies who the person is. In this recent post, Rajput explained how he figured out the undocumented API.
No matter who is right, this provides insight. Do all Facebook users know this is what happens?
Facebook litigating $15B user internet track case
by Sabrina I. Pacifici on Jun 19, 2016
Facebook Accused Of Tracking Users’ Internet Activity, by Consuella Pachico: “Facebook is facing multidistrict litigation over allegations that the social media site tracked users’ internet activity after they logged off. Facebook is insisting that users cannot sue because they were not harmed by the site’s tracking activities. In response to users’ claim that their privacy rights were violated by post-logoff tracking, Facebook states that nothing in the amended complaint identifies ‘how the alleged violations caused plaintiffs to suffer real, actually existing injuries that are not abstract, conjectural, or hypothetical.’”
· In re: Facebook Internet Tracking Litigation, case number 5:12-md-02314, in the U.S. District Court for the Northern District of California.
Something for Contract Law students to debate? If I use your program to do what your program was designed to do, have I done anything wrong?
You may feel like you’re entering the Twilight Zone after reading this report from Russell Brandom:
One day after $53 million abruptly disappeared from an experimental cryptocurrency project, a note claiming to be from the attacker has surfaced on PasteBin, claiming that the money drained from the system is now legally his. The attacker withdrew the money by exploiting a contract bug in the code of the DAO (or Decentralized Autonomous Organization), a collective investment fund that uses the Ethereum cryptocurrency. The DAO had raised well over $100 million from Ethereum users at the time of the attack.
“I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether,” the note reads. “I… have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward,” the note reads. “I am disappointed by those who are characterizing the use of this intentional feature as ‘theft.’” The note also threatens legal action against any who attempt to reclaim the money through technical means.
Read more on The Verge.
The note from the “attacker” is very well written, suggesting a certain level of education. But the gist of the note is that the individual thinks s/he’s found a loophole or clause in the contract that can be legally exploited and seems to be bragging about it.
This will be interesting to follow.
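The Verge piece says only that the money was withdrawn through “a contract bug” in the split path. As an added example, not the DAO's own Solidity and not from the article: the public post-mortems traced the drain to a recursive call, a reentrancy flaw, in which the contract paid out ether before updating the caller's balance, so the recipient could call back in and be paid again from the same balance. The plain-Python simulation below models that ordering, with the vulnerable vault beside the checks-effects-interactions fix. The account names, balances and the recursion cap are constructed for illustration.

```python
"""Reentrancy, the bug class behind the DAO drain, simulated in plain Python.
Added example, not the DAO's Solidity or anything from the Verge piece.
The vulnerable vault pays before updating state; a recipient that re-enters
withdraw() during the payout is paid repeatedly from a balance that has not
yet been zeroed. Accounts, amounts and the depth cap are constructed."""


class VulnerableVault:
    """Pays first, updates state second (the ordering that enabled the drain)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.pool = sum(balances.values())   # ether actually held by the contract

    def withdraw(self, who, recipient):
        amount = self.balances[who]
        if amount <= 0 or amount > self.pool:
            return
        self.pool -= amount
        recipient.receive(self, who, amount)  # external call: attacker code runs here
        self.balances[who] = 0                # state update comes too late


class FixedVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance before calling out."""

    def withdraw(self, who, recipient):
        amount = self.balances[who]
        if amount <= 0 or amount > self.pool:
            return
        self.balances[who] = 0                # effect first
        self.pool -= amount
        recipient.receive(self, who, amount)  # interaction last; a re-entry sees 0


class HonestWallet:
    def __init__(self):
        self.received = 0

    def receive(self, vault, who, amount):
        self.received += amount


class ReentrantWallet(HonestWallet):
    """Calls withdraw() again from inside the payout. The cap stands in for the
    gas limit that bounds a real attacker; the pool runs dry long before it."""

    def __init__(self, max_depth=50):
        super().__init__()
        self.depth, self.max_depth = 0, max_depth

    def receive(self, vault, who, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.withdraw(who, self)   # re-enters before the balance is zeroed
            self.depth -= 1


def drain(vault_cls):
    """Attacker 'mallory' holds 10 of a 100-ether pool; returns (taken, left)."""
    vault = vault_cls({"alice": 90, "mallory": 10})
    wallet = ReentrantWallet()
    vault.withdraw("mallory", wallet)
    return wallet.received, vault.pool
```

Against the vulnerable vault the attacker walks away with the whole pool, including alice's 90; against the fixed vault the re-entrant call finds a zero balance and the attacker gets exactly the 10 that were theirs. Whether that second ordering makes the first one a "feature", as the note claims, is the legal question the post raises; the code shows it is a bug in the ordinary sense.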
There are some things man was not meant to know.
The American people are too delicate to hear such things!
His words would convince millions to join ISIS.
He is right, we is wrong.
Have we become so afraid of terrorists that we can’t let people decide for themselves how crazy this guy was?
Lynch: "Partial Transcript" Of Orlando 911 Calls Will Have References To Islamic Terrorism Removed
In an interview with NBC's Chuck Todd, Attorney General Loretta Lynch says that on Monday, the FBI will release edited transcripts of the 911 calls made by the Orlando nightclub shooter to the police during his rampage.
"What we're not going to do is further proclaim this man's pledges of allegiance to terrorist groups, and further his propaganda," Lynch said. "We are not going to hear him make his assertions of allegiance [to the Islamic State]."
A little “one-upmanship?” I thought all US chips were already made in China – or is that only smartphones?
China builds world’s fastest supercomputer without U.S. chips
China on Monday revealed its latest supercomputer, a monolithic system with 10.65 million compute cores built entirely with Chinese microprocessors. This follows a U.S. government decision last year to deny China access to Intel's fastest microprocessors.
There is no U.S.-made system that comes close to the performance of China's new system, the Sunway TaihuLight. Its theoretical peak performance is 124.5 petaflops, according to the latest biannual release today of the world's Top500 supercomputers. It is the first system to exceed 100 petaflops. A petaflop equals one thousand trillion (one quadrillion) sustained floating-point operations per second.
Perspective. Is this real competition or is everyone not Uber or Lyft just another small player? It’s hard to keep track of them all!
Uber Finds Passage to India Blocked by 30-Year-Old Ola Founder
Black cab app Gett is launching a billboard campaign that mocks Uber for being expensive
Americans and the new digital economy: 8 key findings
by Sabrina I. Pacifici on Jun 19, 2016
“Digital technology has ushered in a slew of new shared, collaborative and on-demand online services ranging from virtual marketplaces to home sharing. These services have potentially far-reaching implications for consumers and regulators and for the future of work in this country. To examine the scope and impact of these new services, Pew Research Center conducted its first survey devoted to the broader issues of the new digital economy. Here are eight findings from the report…”
Reading with your ears is not really reading, but it beats not reading at all.
This Site Has Thousands of Free Public Domain Audiobooks
… If you want to experience a few audiobooks yourself without shelling out so much cash, consider heading over to Librivox. It’s home to thousands of public domain audiobooks. No price tags.
The key is that these audiobooks are read by volunteers from around the world, mainly those who are training to be voiceover artists. Also, you won’t find newly released books, but you’ll find a lot of classics and hidden gems.