Wednesday, August 31, 2016

We may need BlockChain sooner than I thought. 
Exclusive: SWIFT discloses more cyber thefts, pressures banks on security
SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank.
In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank.
"Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters.  "The threat is persistent, adaptive and sophisticated - and it is here to stay." [Are they saying they can’t prevent these attacks?  Bob]
The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers.
All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter.
(For a graphic [Video, actually.  Bob] on how hackers made off with millions, click tmsnrt.rs/29WrMai)

(Related)
http://www.bespacific.com/collapsew3c-workshop-report-blockchains-and-the-web/
W3C Workshop Report: Blockchains and the Web
by Sabrina I. Pacifici on Aug 30, 2016
On August 26, 2016, “W3C published the report of the W3C Blockchains and the Web workshop held on 29-30 June, 2016, in Cambridge, Massachusetts, USA.  Participants at the workshop found many topics for possible standardization or incubation, including various aspects of identity and proof-of-existence, as well as smaller blockchain primitives that could increase interoperability across different distributed ledgers...  The organizers strove to have representation by different classes of stakeholders within the larger blockchain community, loosely organized around technology stacks and applications.  The technology stacks include Bitcoin, Ethereum, Hyperledger, and others.  Applications include identity and asset management, smart contracts, and infrastructure around a decentralized Web (IPFS).  The workshop was deliberately aimed at non-payment uses for blockchains, since W3C already has an existing Web Payments activity where payments-related technology is discussed…”


This is a new way to profit from security problems, so I want to find out what actually happened.  This does not seem to be a final resolution.  Who should step in?  The SEC might find this questionable, for example.
Study finds flaws in criticism of St. Jude cyber security
University of Michigan researchers on Tuesday said their own experiments undermine recent allegations of security flaws in St. Jude Medical Inc's pacemakers and other implantable medical devices.
Shares of St. Jude fell 5 percent on Thursday after short-selling firm Muddy Waters and its business partner, cyber security company MedSec Holdings Inc, alleged finding significant security bugs in the company's Merlin@home device for monitoring implanted heart devices.  They said the flaws could potentially enable others to remotely speed up the heart devices or drain their power.
The university said its researchers came "to strikingly different conclusions" after generating the conditions reported by Muddy Waters.
"We're not saying the (Muddy Waters) report is false; we're saying it's inconclusive because the evidence does not support their conclusions," said Kevin Fu, University of Michigan associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
Muddy Waters issued a statement saying the firm was not surprised that the result of the research was inconclusive.
"We deliberately did not publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the play book to potential attackers," the statement said.  "If anything, this proves that we were responsible with our disclosure."


Smack!  Take that, FBI!
Chris Bing reports:
FBI Director James Comey wants to see private businesses report data breach incidents and other detected cyber intrusions directly to the Bureau more than they are already doing so.
[…]
The FBI director explained that the Bureau’s strategy to increase cooperation will center on four missions: partner outreach and education, establishing trusted relationships, working to minimize the disruption felt by both a company’s employees and customers, and keeping all investigations private by securely holding and not disclosing internal enterprise data publicly.
Read more on FedScoop.
Pardon me while I spit.
What kind of “partnership” is it, Mr. Comey, if when the FBI is notified of a hack, it refuses to reach out to alert the hacked entity?  If FBI field offices take the position that their role is to take in information, but that they do not alert entities of breaches that they learn about, why should anyone inform the FBI of cybercrimes they learn about?
Don’t know what I’m talking about, Mr. Comey?  Get the phone recordings from your Baltimore field office from last night.  It will become quite clear.


By lawyers, for lawyers?
Remember the lawsuit against Yahoo! for scanning non-users’ emails for advertising purposes?  David Kravets writes:
Days ago, a Silicon Valley federal judge signed off (PDF) on a settlement (PDF).  The lawyers won; they were awarded $4 million (£3 million), and the public got nothing.  What’s more, the settlement allows Yahoo to continue to scan e-mails without non-Yahoo users’ consent.  (Yahoo Mail customers have granted consent to the scanning as a condition of using the service.)  The major change the lawsuit produced was that Yahoo is agreeing to scan the e-mail while it’s at rest on its servers instead of while the mail is in transit.  This, according to the settlement, satisfies the California Invasion of Privacy Act (CIPA) claims.  The deal spells out that Yahoo only has to do this for three years, but Yahoo said it would continue with the new scanning protocol after the three years expire.
Read more on Ars Technica.


After encrypting any data that you want to keep secure, create a text file that says: “As promised, here is the gibberish created by my new “random number and text” generator.  Please keep this confidential as you analyze it for true randomness.”  Append your encrypted file, then re-encrypt the whole thing.  If you are required to decrypt, you can do so immediately and “prove” you have nothing to hide. 
Orin Kerr writes:
Back in June, I blogged at length about a pending Third Circuit case that considers the Fifth Amendment limits on ordering a suspect to decrypt his hard drives.  The court recently announced that it will hear oral argument in the case on Sept. 7 before Judges Jordan, Vanaskie and Nygaard.
Read more on The Volokh Conspiracy.


For both Computer Security and Disaster Recovery. 
Data Breach Aftermath and Recovery for Individuals and Institutions
by Sabrina I. Pacifici on Aug 30, 2016
Anne Johnson and Lynette I. Millett, Rapporteurs; Forum on Cyber Resilience Workshop Series; National Academies of Sciences, Engineering, and Medicine: “In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions.  Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach.  Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches.  This publication summarizes the presentations and discussions from the workshop.”


An interesting collection of Data Science links, if nothing else…
Get started in data science: 5 steps you can take online for free

(Related)  Even more…
A Gentle Intro to Data Science with 5 Udemy Courses


Something the Criminal Justice students can use?
How Private Investigators Use the Internet to Track You


Purr-spective?  Check the date on this article.  It isn’t April 1st.  This is real?
Acer is going all in on pets, whose population is growing faster than humans’
At a conference today in Berlin before the consumer trade show IFA, Acer CEO Jason Chen announced that his company had identified “petware” or “petwear” (could be either, I guess) as a $20 billion market opportunity for the Taiwanese computing company.
“We all know that the pet population is growing,” Chen said.  “The global pet population is growing so rapidly, in the U.S., the pet numbers are 2X the baby numbers.”
To address this market, Chen said Acer had acquired crowdfunded Pawbo to launch a new hub of connected pet products.  He did not say how much Acer paid.


If there is a way to tweak the system, Kim Dotcom will find it. 
Kim Dotcom's extradition hearing live stream makes legal history but no drama
The live streaming of Kim Dotcom’s extradition hearing in a New Zealand high court kicked off on Wednesday with warped pictures, delayed audio and dwindling viewership as the day wore on.
Megaupload founder Dotcom is fighting an extradition order to the United States, where he is wanted on online piracy charges.
On Tuesday, his lawyers were granted permission to live stream the court proceedings on YouTube, on the condition that it would be deleted at the conclusion of the case (estimated to be in six to eight weeks’ time) and that the video would air after a 20-minute delay in case any evidence was suppressed.  Comments on the live stream have also been disabled.
Dotcom’s court case is the first in New Zealand ever to be live streamed.


Interesting that Congress had this research done.
CRS – How Can the Results of a Presidential Election Be Contested?
by Sabrina I. Pacifici on Aug 30, 2016
“In the midst of the presidential campaign season, the possibility of election fraud has been raised.  This discussion briefly examines how the results of a presidential election may be contested.  Although it has national impact, the presidential election is in essence 50 state and District of Columbia elections for presidential electors, held on the same day throughout the country.  Therefore—and consistent with the states’ traditional authority over the administration of elections within their jurisdictions—states have the initial responsibility for resolving challenges, recounts, and contests to the results of a presidential election.  Specifically, the Electoral Count Act of 1887, as amended, contemplates that contests and challenges to the vote for presidential electors are to be initially handled in the states.  Codified in part at 3 U.S.C. § 5, the law provides that if a contest or challenge in a state to the election or appointment of presidential electors is resolved in that state before the sixth day prior to the meeting of the electors, such determination shall be “conclusive” and shall “govern” when Congress counts the electoral votes as directed by the Twelfth Amendment.  The Supreme Court has referred to this as the “safe harbor” provision.  This year, the presidential electors are scheduled to meet on December 19.  Six days prior is December 13, which therefore, will be the last day for the states to make a final determination in order for it to be conclusive when Congress counts the votes…”


Amusement?
Washington Post publishes searchable document archive for new book on Trump
by Sabrina I. Pacifici on Aug 30, 2016
Via WaPo – “Trump Revealed, a biography of the Republican presidential nominee published August 23 [2016] by Scribner….The archive is searchable and navigable in a number of ways.  It is meant as a resource for other journalists and a trove to explore for our many readers fascinated by original documents.” 


Back to school time is App list time. 
60 Awesome iPhone & iPad Apps for Students Heading Back to School


Even cheaper than a used book sale!
6000+ Children's Books Available for Free
The University of Florida's Digital Collections offers a huge library of digitized children's books.  Thanks to Open Culture I discovered this collection this afternoon and immediately started to browse through it.  The books that you will find in the collection consist of works that are in the public domain.  You can search for books according to topic, language, publisher, genre, and publication date.
All of the children's books in the collection can be read online.  Reading the books online could be a bit difficult for some as there is a border with menus surrounding each page of the books.  To avoid that, you can print all of the books for free.  The printed version does not display anything but the book as it was scanned.
The children's books available through the UFDC aren't books that your students or their parents are likely to see on bookstore shelves.  The value of this collection is that it could introduce parents and students to books that they might enjoy reading together and wouldn't have otherwise found.


Does this sum up communications in the digital age, or merely TL;DR?
