Friday, September 30, 2016

We’ve been building the hardware for hackers.  
Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks
Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devices in homes and businesses connected to the internet.
The assaults raised eyebrows among security experts both for their size and for the machines that made them happen.  The attackers used as many as one million Chinese-made security cameras, digital video recorders and other infected devices to generate webpage requests and data that knocked their targets offline, security experts said.
“We’re thinking this is the tip of the iceberg,” said Dale Drew, head of security at Level 3 Communications Inc., which runs one of the world’s largest internet backbones, giving it a window into many of the attacks that cross the net.
The proliferation of internet-connected devices from televisions to thermostats provides attackers a bigger arsenal of weapons to infiltrate.  Many are intended to be plugged in and forgotten.  These devices are “designed to be remote controlled over the internet,” said Andy Ellis, security chief at network operator Akamai Technologies Inc., some of whose clients were affected.  “They’re also never going to be updated.”


What kind of backup is stored next to your live files? 
Oof. This notification from the New Jersey Spine Center, sent to patients on September 22, describes a real disaster where not only essential patient files and credit card information were locked up, but their most recent backup was too.  No wonder they paid the ransom.
On July 27, 2016, our computer systems were attacked by a malware ransom virus called “CryptoWall.”  The malware was detected by our virus protection software but unfortunately not until after our electronic patient records were encrypted.  The virus encrypted, thereby rendering unusable, all of our electronic medical record files that contained all of the clinical information on our patients such as procedures, office notes, reports, etc.
The virus likely utilized a list of stolen passwords and ran an automated program that attempted access until a correct match was found.
Read the full letter here.  Their press release, posted to their site, provides a lot less detail and doesn’t mention paying ransom, but it does add one detail: they regained access to their files on August 1.  They do not mention how much the ransom was.


Sometimes all you need to detect hackers or malware is an indication that something is “different.”
Meet Apache Spot, a new open source project for cybersecurity
Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they've donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.
Based on Cloudera's big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection.  The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior.  It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.
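As an added illustration of the pipeline the article describes (whitelisting, noise filtering, then a heuristic score that surfaces what is “different”), here is a small Python sketch that is not Apache Spot’s code; the log lines, whitelist and domain names are constructed for the example, and the scoring (global rarity of a queried name plus the entropy of its leftmost label) is a simplified stand-in for the machine-learning step.

```python
import math
from collections import Counter

# Constructed sample DNS-query log: "client_ip<TAB>queried_domain", one per line.
SAMPLE_LOG = """\
10.0.0.5\twww.example.com
10.0.0.5\tupdates.example.com
10.0.0.5\tmail.example.org
10.0.0.6\twww.example.com
10.0.0.6\tcdn.example.net
10.0.0.6\tmail.example.org
10.0.0.7\twww.example.com
10.0.0.7\tqx7v2k9p.zz-constructed.test
10.0.0.8\tlocalhost
10.0.0.8\tmail.example.org
"""

# Context-enrichment stand-in (constructed): names an analyst has already vetted as benign.
WHITELIST = {"www.example.com", "updates.example.com", "cdn.example.net"}
# Noise filter: names that are chatter on any network, not signal.
NOISE = {"localhost", "wpad"}

def parse_log(text):
    """Parse the tab-separated log into (client, domain) pairs."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            client, domain = line.split("\t")
            rows.append((client, domain.strip().lower()))
    return rows

def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label; random-looking labels score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def shortlist(rows, top_n=3):
    """Whitelist, drop noise, then rank what is left by rarity plus the entropy heuristic."""
    total = len(rows)
    seen = Counter(domain for _, domain in rows)        # global frequency of each name
    candidates = {}
    for client, domain in rows:
        if domain in WHITELIST or domain in NOISE:
            continue                                     # vetted or noisy: never shortlisted
        rarity = math.log2(total / seen[domain])         # rarely seen -> higher score
        score = rarity + label_entropy(domain.split(".")[0])
        candidates[(client, domain)] = score             # one entry per client/domain pair
    ranked = sorted(candidates.items(), key=lambda kv: kv[1], reverse=True)
    return [(client, domain, score) for (client, domain), score in ranked[:top_n]]

if __name__ == "__main__":
    for client, domain, score in shortlist(parse_log(SAMPLE_LOG)):
        print(f"{score:5.2f}  {client}  {domain}")
```

The constructed random-looking name queried once ranks above the unvetted but ordinary mail host queried by three clients, while everything whitelisted or noisy never reaches the list.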


The insurance industry apparently likes those little “driving habit” recorders they hope you will install in your car, but this goes much farther.
Joe Cadillic sends along this item from TheNewspaper.com:
Speed cameras are banned in Virginia, but that did not stop the insurance industry from deploying them on state highways.  As part of an effort to promote the issuance of speeding tickets, the Insurance Institute for Highway Safety (IIHS) and the for-profit contractor Brekford set up ten radar units that they used to photograph the faces of motorists and identify them through Department of Motor Vehicles (DMV) records.  The group used the data collected to call for lowering of speed limits.
The National Motorists Association (NMA) noticed one flaw with the IIHS plan — IIHS never asked for permission to set up the cameras.  On Wednesday the group filed a complaint with the Commonwealth Transportation Board, which has jurisdiction over Virginia highways. READ MORE….


Free speech or free self-incrimination? 
Richard Winton reports:
Can police prevent hate crimes by monitoring racist banter on social media?
Researchers will be testing this concept over the next three years in Los Angeles, marking a new frontier in efforts by law enforcement to predict and prevent crimes.
During a three-year experiment, British researchers working with the Santa Monica-based Rand Corp. will be monitoring millions of tweets related to the L.A. area in an effort to identify patterns and markers that prejudice-motivated violence is about to occur in real time.
The researchers then will compare the data against records of reported violent acts.
Read more on the Los Angeles Times.
Joe Cadillic sent me the link to this story with a gentle I-tried-to-warn-you-all comment:
Earlier this year, I warned everyone that police will soon be arresting people based on ‘Sentiment Analysis’ of their Tweets: http://massprivatei.blogspot.com/2016/08/police-to-arrest-people-based-on.html#!/2016/08/police-to-arrest-people-based-on.html


Injury to a third party?
Wendy Davis reports:
Google can’t shake a privacy lawsuit alleging that it unlawfully scans Gmail messages.
In a ruling issued late last week, U.S. District Court Judge Lucy Koh in the Northern District of California ruled that people who are suing Google can proceed even without proof of financial injury.
[…]
The ruling stems from a lawsuit filed last year by San Francisco resident Daniel Matera, who said he doesn’t have a Gmail account, but is forced to communicate with Gmail users due to the “ubiquity of Gmail.”
Read more on MediaPost.


Somehow, I don’t think Dissent approves.
In what is likely to infuriate those who believe that the Federal Trade Commission has already abused its authority in its relentless enforcement action against a small cancer-detecting laboratory, the FTC has denied LabMD’s application for a stay of their final order  while LabMD appeals to a federal court.
In explaining its denial, the Commission said it looked at four factors:
(1) “the likelihood of the applicant’s success on appeal”; (2) “whether the applicant will suffer irreparable harm if a stay is not granted”; (3) “the degree of injury to other parties if a stay is granted”; and (4) the public interest. It is the applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc., 126 F.T.C. 695, 698 (1998).
Because the Commission believes it is right, it fails to see LabMD’s chances of success on appeal.  If they didn’t believe they were right, they never would have issued their final decision and order, right?  So the first factor is somewhat ridiculous and boils down to, “We thought we were right, we think we are right, and therefore, LabMD has no real chance of winning an appeal against us.”
On the second factor, that the Commission failed to see “irreparable harm” given the cost of notifications and implementing the comprehensive data security plan is… shocking.
As to the degree of injury to other parties if the stay is granted, given that the FTC never bothered to contact even a single patient to inquire whether there had been any harm, the following borders on the obscene:
Because LabMD never notified any affected consumers of the breach, we do not know how many consumers may have suffered harm due, for example, to identity or medical identity theft.
But they could have known – and chose not to find out.
Keep in mind that as HHS spokesperson Rachel Seeger wrote to this blogger, HHS not only declined to join FTC in any action against LabMD, but this wasn’t even a reportable breach under HIPAA in 2008.  There was no requirement for LabMD to notify anyone.  So they didn’t and the FTC never did, and now the FTC would require LabMD to notify eight years later but it can’t wait for an appeal to a court?
Without notification, affected consumers and their insurance companies can do little to reduce the risk of harm from identity and medical identity theft or to address harms that may already have occurred.
They are, of course, referring to the “risk of harm” that they decided was substantial, even though there was no evidence of any harm to any person.  Nor did they provide controlled and replicated research demonstrating that simply having data exposed causes substantial injury to consumers.  If we ask people, “How do you feel that your lab test results were exposed and others could have downloaded them?” I hypothesize that many people would say they would be unhappy about that.  But if we ask them, “Do you feel you have been harmed by that exposure?” I suspect that the vast majority would say that they had not been harmed at all, much less substantially harmed.  Would even a few people claim significant harm?  It’s an empirical question, and FTC provided no evidence on that point.
As for the fourth, and “public interest” factor, I think the public’s interest is in getting the FTC’s authority and the notice issues clarified by the courts, and the denial of the stay is just another poor decision in a long chain of poor decisions in this case.
Related: FTC v. LabMD (FTC’s case files)


Is this in response to the New York push for the Chelsea bomber?  
Feds approve updates to mobile emergency alerts
Federal regulators on Thursday overhauled the system that pushes alerts to smartphones and other mobile devices in an emergency.
Alerts that were once restricted to 90 characters will now be as long as 360 for some types of networks following the Federal Communications Commission’s vote on the new rules.
And officials responding to emergencies will now be able to include links and phone numbers in all types of alerts.  That could allow law enforcement authorities to link to maps, for example, or other photos.
The commission also told wireless providers to support alerts that were sent in Spanish.  They will also now formally consider whether to require support for other languages as well.
The item gained a higher profile after authorities in New York City used the alerts system to send a message to smartphones informing the public that it was searching for Ahmad Khan Rahami, a suspect in a bombing in Manhattan and New Jersey earlier this month.


The Cloud covers the globe?
We’ve recently joined the ranks of Google’s billion-user products. Google Cloud Platform now serves over one billion end-users through its customers’ products and services.
To meet this growing demand, we’ve reached an exciting turning point in our geographic expansion efforts.  Today, we announced the locations of eight new Google Cloud Regions — Mumbai, Singapore, Sydney, Northern Virginia, São Paulo, London, Finland and Frankfurt — and there are more regions to be announced next year.


For both my Governance and Architecture classes.
Firms Spend Big Money on Flaws They Could Fix in Development
Companies are spending millions on bug bounty programs whose goal is to identify vulnerabilities, but it might be more efficient to take a proactive approach and focus on identifying flaws in the development phase.
A survey commissioned by application security company Veracode shows that of 500 U.S. decision makers working in cybersecurity, 83 percent have admitted releasing code before testing it for security holes and bugs.  In contrast, a vast majority of them are confident that their software is secure.


For my Software Architecture students.  What tools will they need?
Ford sees big profits in ride-sharing
Ford Motor Co. thinks new mobility services could yield profit margins more than double what it makes selling cars and trucks, and Executive Chairman Bill Ford on Thursday said that’s because the automaker is becoming more nimble and forward-thinking.
“In time, if we do this right, we will become less capital-intensive,” he said at the World Mobility Leadership Forum, a two-day conference in Romulus focused on the changing role of transportation.  “We’ll have more revenue streams that aren’t dependent upon heavily fixed-costs investment.”


I’m lazy and cheap.  This App might have been designed for me. 
QuickKey + Inexpensive Phone = Time Saved On Grading
QuickKey is a popular iOS and Android app that can help you save a ton of time when grading multiple choice or true/false quizzes.  I first learned about it a few years ago when a colleague of mine was raving about it on Facebook.
Here are the basics of how it works: create your quiz on the Quick Key website, then print and distribute a bubble sheet.  After your students have completed the bubble sheet, you simply scan the sheets with your phone and the grading is done for you.  As you can learn in the video embedded below, QuickKey will work on the cheapest of Android phones as well as on more expensive Android phones and on iPhones.
