Monday, September 26, 2016

Should we expect record numbers of lawsuits?
You’ve probably seen some articles reminding law firms to secure their data better, as they hold a wealth of confidential personal, financial, medical, and corporate data.
But now it seems that the Florida Bar Association itself has been hacked.  No, they don’t contain the vast troves of sensitive personal and corporate law data that their members’ networks maintain, but still, it should be somewhat embarrassing.
According to the bar association’s web site, the Florida Bar is the organization of all lawyers licensed by the Supreme Court of Florida to practice law in the state.  Any lawyer who wishes to practice in Florida must be a member.  And according to their statistics, there are currently 85,038 members in good standing who are eligible to practice plus an additional 4,210 who are in good standing but not eligible to practice, and 13,535 more who are not eligible to practice (for a total of 102,783).
On September 22, a hacker or hackers associated with a former Palm Beach County Sheriff’s Office deputy who has a long-standing dispute with Florida law enforcement that appears to have gotten him raided by the FBI managed to access and acquire what appears to be their entire database.  In a lengthy post about the hack and database dump, they describe the data and comment on it  (Caution: their post uses language or imagery that some readers may find offensive).  They also parse the data.  Here are just some of the data they report:
158,385 email addresses
219,139 office phones and cell phone numbers
84,772 fax numbers (who would have known?  I haven’t seen a fax machine in 10 years)
226,928 mailing addresses
And in what will likely make some lawyers unhappy, the hacker(s) also analyze the disciplinary files in terms of which lawyers received the most bar complaints, and they include a rank-ordered list.
The hacker(s) helpfully, if impolitely, give the bar association a clue as to how to secure their network better:
I recommend the Florida Bar do something about their JSON outputs to prevent their data from leaking like Chief Deputy Gauger’s dick after banging a crack whore with syphilis.
The association’s web site, which had been reported by the hacker(s) as being down on Thursday, was online when DataBreaches.net checked the site last night.  There does not appear to be any notice or mention of the hack or data leak.
DataBreaches.net emailed the bar association to inquire as to what they were doing in response to the breach, but has not heard back by the time of publication.  This story will be updated as more information becomes available.


Anyone want to bet?
The Social Security website is now secure
   I recently wrote that the secure section of ssa.gov, the website of the US Social Security Administration, was not secure.  As shown above, it was rated C, a really bad grade, at the SSL Server Test run by SSL Labs.
   I tried to contact the Social Security Administration, but never heard back.
Despite all that, my previous blog may have made a difference.  The previously insecure secure.ssa.gov is now, actually, really secure.  The current rating from SSL Labs is shown above.
[By the way, the SSL Server Test is an interesting Hacking tool.  Bob]


A new hacker target?  Think what could go wrong…
Fight For The Future launched HelloVote
by Sabrina I. Pacifici on Sep 25, 2016
BusinessInsider: “Registering to vote may now be a lot easier for a portion of the roughly 90% of Americans who own a cellphone.  The nonprofit group Fight For The Future launched HelloVote on [the morning of September 22, 2016] with the goal of boosting voter registration in several key battleground states by allowing voters to register directly via text message or Facebook Messenger.  Backed by brands like MTV, Genius, and the Latino Victory Project, the tool is the first major service to offer voter registration through text messaging, a process the company hopes will boost voter registration rolls, particularly among young voters…”


My Ethical Hacking students have a model to emulate.
Meeting Cellebrite - Israel's master phone crackers
Cellebrite was in the headlines earlier this year when it was rumoured to have helped the FBI to crack an iPhone used by the San Bernardino shooter.
Now the company has told the BBC that it can get through the defences of just about any modern smartphone.  But the firm refuses to say whether it supplies its technology to the police forces of repressive regimes.
   Mr Ben-Moshe claimed that his firm could access data on "the largest number of devices that are out there in the industry".
Even Apple's new iPhone 7?
"We can definitely extract data from an iPhone 7 as well - the question is what data."
He said that Cellebrite had the biggest research and development team in the sector, constantly working to catch up with the new technology.
He was cagey about how much data could be extracted from services such as WhatsApp - "It's not a black/white yes/no answer" - but indicated that criminals might be fooling themselves if they thought any form of mobile communication was totally secure.

(Related)
Throughout 2016, it has become increasingly apparent that our smartphones have been misbehaving.  Malware is bad enough, issues with the device chipset can be patched, and you should have set a PIN for your device just in case.
But those things — concerning as they are — have been a mere sideshow to the real privacy scandal taking place right now.  That device in your pocket, or on your desk, or even in your hand as you read this… your phone has been spying on you.
   When this possibility was first posited, it seemed unlikely — that is, until cybersecurity researcher Ken Munro and Pen Test Partners’ David Lodge got together to develop an app.  With the aim of recording nearby conversations and displaying them on a PC, the app was a working proof of concept.
   Once you’ve digested that chilling fact, it’s time to check the recordings.  The best way to do this is to visit history.google.com/history/audio on your phone or in your desktop browser, and take a look at the long list of items that have been recorded.


Reads more like a bio of the judge, but interesting.
District Court Judge releases list of more than 200 cases veiled in secrecy of Patriot Act
by Sabrina I. Pacifici on Sep 25, 2016


Could be handy.
Network World – preliminary map of government open source laws
by Sabrina I. Pacifici on Sep 25, 2016
Jon Gold – NetworkWorld: “As the institutional use of open-source software continues to expand like an octopus, the public sector remains a key target market.  Government users like Linux and other open-source software for several reasons, but the most important ones are probably that total cost of ownership is often lower than it is for proprietary products and that open-source projects don’t vanish if the company providing them goes under…  Here’s a map of the status of open-source laws around the world, via the magic of Google Fusion Tables…”


A Maturity Model for my IT Governance class.  35 page PDF.
Baldrige Cybersecurity Excellence Builder
by Sabrina I. Pacifici on Sep 25, 2016
Baldrige Cybersecurity Excellence Builder. Key questions for improving your organization’s cybersecurity performance. Draft September 2016, National Institute of Standards and Technology.


Something to amuse my IT Architecture class.
Inside Apple And IBM's App Making Machine
   The IBM people brought with them to Cupertino that day a mobile app they’d been working on—a fuel calculation app for airline pilots—that they thought might serve as a starting point for the partnership.  It was built by IBM people, who had also built some powerful data analytics into the background.  The IBM people hoped the Apple people would see it and be impressed, and then the two companies would continue building the app together.
But that’s not what happened.  IBM's app—all 40 screens of it—was a bloated mess.  One Apple UI expert in the meeting said simply "that’s not going to work," a person who was there told me.  Pilots, the expert said, would not go through 40 screens in an app, even if they were currently doing the same tasks on paper.


Job opportunities for my Architecture students?
Banks Face Costly, Complex Technology Upgrades
   The reporting requirements put a strain on banks’ back-office systems, which “have been cobbled together over decades across several businesses,” said Caitlin Long, a former banker at Morgan Stanley and Credit Suisse Group AG who worked on technology projects before joining startup bank-tech firm Symbiont.io this year.  “Many of those systems weren’t generating enough revenue to be worth upgrading.”
Swaps represent an unusual challenge because, unlike in other markets such as for stocks and options, derivatives prices hadn’t been systematically tracked in real time before.


Another interesting Architecture problem.  What information would you need?  How many miles, on what roads, at what times, in what weather?
Pay-per-mile insurance startup Metromile raises $191.5M, acquires Mosaic Insurance
The automotive industry is in flux with the rise of self-driving and electric cars, and the concept of car ownership altogether being thrown into question.  With this, the car insurance industry is changing, too, and now, an on-demand car insurance startup has raised a large round of funding as it aims to be leader of that change.
Metromile, the provider that lets you pay-per-mile for insurance, said that it has raised a whopping $191.5 million in funding — “primarily equity”, according to CEO Dan Preston.  Metromile will use the money to acquire an insurance carrier called Mosaic Insurance to handle the underwriting of its policies itself, as well as to expand to new states in the U.S. and continue building its platform.


It’s good for you!  It will kill you!  It is good for you!
Research – Eating cheese daily is good for your health
by Sabrina I. Pacifici on Sep 25, 2016
UK Telegraph – High-fat cheese: the secret to a healthy life?  As usual, readers be aware that we are frequently told that various foods and beverages once thought to be bad for our health are now, according to new research, good for our health.
