Tuesday, August 16, 2016

You don’t hack the NSA, but, as with anyone else, third-party systems might be more vulnerable.
NSA hacked? Top cyber weapons allegedly go up for auction
An anonymous group claims to have stolen hacking tools that might belong to the National Security Agency and is auctioning them off to the highest bidder.

It’s a pretty bold claim, but the hackers have offered sample files, and some security researchers say they appear to contain legitimate exploits.
The files were allegedly stolen from the Equation Group, a top cyberespionage team that may have links to the NSA.

Interesting how useful this would be for intelligence agencies.  It could flag anyone who contacts known terrorists, for example. 
Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks
An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.
As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012.  In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat.  That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.
   The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages.  In the event the connections aren't encrypted, attackers can then inject malicious code or content into the traffic.  Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it.  The vulnerability is classified as CVE-2016-5696.
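As an added illustration (not part of the Ars or Lookout reporting, and not code from either): the flaw leaks TCP connection state through the kernel's global challenge-ACK rate limit, which kernels from 3.6 onward exposed as the sysctl net.ipv4.tcp_challenge_ack_limit, and the interim advice from Linux distributions was to raise that limit to a very large value until a patched kernel was installed. The shell check below reports whether a host has that interim setting applied. The threshold used to call a value "raised", and the function names, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the article: report whether a Linux host has the
# interim sysctl mitigation for CVE-2016-5696 applied. The side channel lives in
# the kernel's global challenge-ACK rate limit, exposed on kernels from 3.6
# onward as net.ipv4.tcp_challenge_ack_limit; distributions advised raising it
# to a very large value until a patched kernel (which randomizes the limit)
# was installed.

SYSCTL_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# Threshold is an assumption for this example: a limit at or above it means an
# administrator applied the interim mitigation rather than leaving the stock
# default (a small number such as 100 or 1000).
RAISED_THRESHOLD=100000000

# classify_limit VALUE
# Prints one of: absent, unknown, raised, not-raised
classify_limit() {
  limit=$1
  case $limit in
    '')       echo absent;  return ;;   # sysctl not exposed on this kernel
    *[!0-9]*) echo unknown; return ;;   # not a number; refuse to guess
  esac
  if [ "$limit" -ge "$RAISED_THRESHOLD" ]; then
    echo raised
  else
    echo not-raised
  fi
}

# read_limit: print the live sysctl value, or nothing if it is not present.
read_limit() {
  if [ -r "$SYSCTL_FILE" ]; then
    cat "$SYSCTL_FILE"
  fi
}

# report_host: classify the running kernel's setting and explain the result.
report_host() {
  state=$(classify_limit "$(read_limit)")
  case $state in
    raised)
      echo "tcp_challenge_ack_limit raised: interim mitigation is in place" ;;
    not-raised)
      echo "tcp_challenge_ack_limit is low: confirm the running kernel carries the CVE-2016-5696 fix" ;;
    absent)
      echo "sysctl not present: kernel predates 3.6 or no longer exposes it; check the kernel version" ;;
    unknown)
      echo "could not parse tcp_challenge_ack_limit" ;;
  esac
}

report_host
```

Note the caveat built into the "not-raised" message: a kernel that already carries the upstream fix keeps a small default but randomizes the counter, so a low value is a prompt to check the kernel version, not proof of exposure. The check only tells you whether the configuration-level workaround was applied.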

(Related) spying without a designed bug.
Three Surprising Ways Your Smartphone Can Be Used to Spy On You
   you might not know that your photos, Bluetooth, and even smartphone battery could be used to spy on you…

They can’t do it domestically, but they want to exercise the tools so they reach out to law enforcement in other countries? 
Australian Authorities Hacked Computers in the US
Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.
The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents.  The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.
In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect’s IP address.
“I think that's problematic, because they've got no jurisdiction,” Greg Barns, an Australian barrister who practices criminal and human rights law who's also a former national president of the Australian Lawyers Alliance, told Motherboard in a phone call.
   “The person would have to have a link to the jurisdiction,” Barns, from Stawell Chambers, wrote in an email.
He added that authorities might be able to argue that because the site's owner was Australian, that gives them the greenlight to conduct overseas searches for other suspects.  At one point, The Love Zone server was also reportedly moved to Brisbane, giving Task Force Argos, the Queensland Police Service unit that took over the site, access to every private message on the site.
“But they can't simply wander around the world, assisting other law [enforcement], saying, ‘We're here to help,’” Barns said.

How are we ever going to keep up with all the hacks?
Thousands of Soros docs released by alleged Russian-backed hackers
Hackers believed to be backed by Russia this weekend publicly released more than 2,000 documents connected to billionaire Democratic donor George Soros and his Open Society Foundations.
The documents detail the ins and outs of Soros’s groups, which have funded a slew of public health, human rights and education programs around the globe, while also mounting opposition to hard-right conservatives in the U.S.

Interesting, but I would add a few more criteria.  (Maybe just tweaks to the wording?)  Similarity to recent hacks in the industry.  Missing “Best Practice” defense. 
Dan Munro had an interesting conversation with Jeff Williams of Contrast Security at BlackHat, which led to a draft scoring system for data breaches and corporate responses:
  1. Tone – Is the announcement apologetic and not blaming?  Does it acknowledge that there should have been better defenses and that the breach should have been detected and been able to stop the attack?
  2. Timeline – When was the initial break-in?  When was it discovered?  How long to disclose?
  3. Scope – What information was stolen and what control was lost?
  4. Size – How many people were affected? How many servers?
  5. Root Cause – What was the underlying vulnerability that was exploited?  What defenses are in place and how did the attack bypass the defenses?
  6. Discovery – Who discovered it?  Victims?  Security firm?  Why didn’t you know earlier?
  7. Remedy – Are you really making victims whole?  For how long? [Personal Health Information – PHI is literally lifelong]
  8. Future – What are you going to do to prevent future/similar attacks?
  9. Blame – Did you state or imply that the attack was “sophisticated” or “advanced?” Did you provide any evidence of that?
  10. Oddities – Were there any oddities to the timeline not making sense – or details that stretch credulity?
Read more on Forbes.

How Big Brotherly of them.  Everyone should be as handicapped as the EU’s telecoms?
EU plans to extend some telecom rules to web-based providers
The European Union is planning to extend telecom rules covering security and confidentiality of communications to web services such as Microsoft's Skype and Facebook's WhatsApp which could restrict how they use encryption.
The rules currently only apply to telecoms providers such as Vodafone and Orange.
   "Unlike telcos, OTT (web-based) are global players that are allowed to commercially exploit the traffic data and the location data they collect," telecoms group Orange said in a response to the EU's public consultation on the reform proposals.
Under the existing "ePrivacy Directive", telecoms operators have to protect users' communications and ensure the security of their networks and may not keep customers' location and traffic data.

This is interesting.  Think it could become popular here in the US?
theguardian – Police to hire law firms to tackle cyber criminals in radical pilot project
by Sabrina I. Pacifici on Aug 15, 2016
“Private law firms will be hired by police to pursue criminal suspects for profit, under a radical new scheme to target cyber criminals and fraudsters.  In a pilot project by the City of London police, the lead force on fraud in England and Wales, officers will pass details of suspects and cases to law firms, which will use civil courts to seize the money.  The force says the scheme is a way of more effectively tackling fraud – which is now the biggest type of crime, estimated to cost £193bn a year.  It is overwhelming police and the criminal justice system.  The experiment, which is backed by the government and being closely watched by other law enforcement agencies, is expected to lead to cases reaching civil courts this year or early next year.  Officers will use the private law firms to attempt to seize suspects’ assets.  If unsuccessful, police could decide to leave it at that or pursue the case themselves through the criminal courts…”

If you do gather data, is it the right data?
Are You Collecting the Right Data? Lessons from American Apparel
How many Facebook likes and Instagram followers does your company have?  How about memberships, or downloads?  As these numbers grow from hundreds to thousands to millions, you may assume that your business is riding high.  Apparently your customers love you, and there are many more to come.
But according to Thoryn Stephens, the chief digital officer at American Apparel, measurements like these can constitute what he calls “fake or false metrics.”  They may be distracting you from underlying problems, or untapped potential. Instead, businesses need to focus on “the true metrics that drive value,” he said at the recent Wharton Customer Analytics Initiative Conference.

We should be watching start-ups in India closely. 
India’s WhatsApp rival Hike raises $175M led by Tencent at a $1.4B valuation
India has a new tech unicorn. Hike, a four-year-old messaging app, today announced that it has closed $175 million in funding led by new investors Chinese internet giant Tencent and manufacturing firm Foxconn.  The Series D round values the company at $1.4 billion, founder and CEO Kavin Bharti Mittal confirmed to TechCrunch.
   Born out of a joint venture between Bharti and SoftBank, Hike includes the standard messaging app features you’d expect, alongside free voice calling and a few other twists.  It has put emphasis on local users with features that include a privacy option to hide chat messages, in case a nosey relative gets hold of your phone as can happen in India, and the ability to send messages via SMS to friends who aren’t using the Hike app, another foreseeable use case in the country.
   “Every market has two messaging apps that do well,” [Not sure I’d agree with that.  Bob] he said in an interview with TechCrunch.  “There’s one that replaces SMS and one that does a lot more than that. Hike doesn’t even compete with WhatsApp today, it is used very actively in addition to other apps.”

(Related)  Same for Russia.
The Top 8 Russian Social Networks (And What Makes Them Great)
   This difference in social media use is of huge importance for brands who use social media sites for advertising, as it can completely change a marketing strategy that is used in other parts of the world. That aside, it’s also just interesting to see how online communication can differ in different parts of the world!

Another point of view on BitChain.  Not sure I like where this one is going.  (Not all Americans are evil.)
UNRISD – Development Finance: Can Bitcoin play a role in social finance?
by Sabrina I. Pacifici on Aug 15, 2016
UNRISD – The United Nations Research Institute for Social Development has released a new paper that explores the potential for digital currency Bitcoin to facilitate what author Brett Scott describes as ‘truly empowering social and solidarity-based finance’.  “Bitcoin has been ambivalently received by many in international development circles,” the report states.  “Despite this, the question of whether Bitcoin can be harnessed to build [a] new means of solidarity-based finance remains unanswered.  This paper sketches out some key issues practitioners should consider when thinking about cryptocurrency technology.”

Amusing, but he has a point.  (Several, actually.)
The Big Tech Election Stories No One Else Is Covering
   In the case of both the Clinton email scandal and the DNC email leak -- not to mention the various whistle-blower events -- what interests me isn't what's been covered but what hasn't been covered.  I'll shine a light on some of the huge misses from a tech perspective.

If I know when the light will change, my self-driving car can time itself to hit the intersection at the full (legal) speed!
Audi Traffic Light Timer Tech Counts Down To Green, Further Enables Texting Road Warriors
   Traffic light information is an Audi PRIME feature and will allow vehicles to communicate with the infrastructure in select metropolitan areas throughout the United States.  The service connects to the internet via LTE to Traffic Technology Services servers.  The feature will inform drivers of how much time there is left until a light turns green.

Face to face with my students?  That’s another reason to never own a smartphone!
Google's new video-chatting app is finally here, but the best feature doesn't work for iPhone users
   The tech giant first announced the app, Google Duo, at Google IO in May.  It's a simple, one-to-one messaging app that doesn't come with a lot of fanfare — you simply scroll through your contacts to see who has the app, click, and connect.  But as Nick Fox, vice president of Google's communications division, told Business Insider, that was intentional.

Illustrating why Hillary thought she could not trust the State Department?
