Saturday, October 29, 2016
For my Computer Security students. The whole world is against you!
Mirai Botnet Infects Devices in 164 Countries
Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.
In early October, Mirai’s developer released the malware’s source code and also revealed that there were over 300,000 devices infected with it. Soon after, as the botnet was increasingly used in DDoS attacks, Flashpoint security researchers determined that over half a million IoT devices worldwide were vulnerable to Mirai, because they were protected by weak security credentials.
I like it! But it will never happen.
White & Case LLP write:
At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies.
On 13 October 2016, the Information Commissioner, Elizabeth Denham, (the “Commissioner”) gave evidence to a House of Commons Public Bill Committee (the “Committee”) regarding the ICO’s recommendations for the Digital Economy Bill (the “Bill”). The Commissioner expressed support for making directors personally liable for breaches of data protection law by their companies.
Read more on Lexology.
I wonder how often they do a “two-year review?”
Donna Borak reports:
A U.S. bank regulator on Friday disclosed a data breach involving a former agency employee’s unauthorized removal of more than 10,000 records.
The cybersecurity breach was first detected by the Office of the Comptroller of the Currency in September while the agency was undertaking a retrospective two-year review of employees downloading information in an effort to help minimize cyberthreats.
Read more on WSJ.
Update. Why don’t I get students like this? Oh wait, I do!
Oops. I missed this one when Tristan Kirk first reported it:
A notorious teenage hacker who was the brains behind more than 1.7 million cyber attacks around the world is facing jail.
Adam Mudd, 19, sold access to his Titanium Stresser programme, allowing users to crash websites and computers by overloading them with requests.
He is believed to have made more than £300,000 before his 18th birthday through subscriptions to his programme, which fueled 1,738,828 cyber attacks around the globe between September 2013 and March last year.
Mudd designed the distributed denial of service (DDoS) software from his bedroom when he was just 15, first roadtesting it by crashing the West Herts College’s website while he was studying computer science there.
Read more on The Evening Standard.
A novel use of technology!
Ontario police are broadcasting thousands of text messages to phones used close to the site of a murder.
Police hope the messages will bring forward new evidence and eyewitnesses to the murder of John Hatch last year.
The phones have been identified as being in use on 16 December close to the route Mr Hatch travelled on the night he was killed.
About 7,500 people are expected to receive the messages asking them to contact police.
Read more on BBC.
Of note: the OPP said it used a court order to discover the numbers of all the active phones known to have been used last year in the vicinity.
"Après moi, le déluge." I expect many more “concrete injuries.”
Klein Moynihan Turco LLP write:
On October 24, 2016, the United States District Court for the Southern District of California refused to dismiss claims brought by two former inmates and their counsel regarding violations of a California privacy law. The plaintiffs commenced a class action against Securus Technologies, Inc. (“Securus”), a self-proclaimed “inmate communications provider,” alleging that Securus unlawfully monitored and recorded telephone conversations between the inmates and their counsel. The California Invasion of Privacy Act (“CIPA”) “makes it a felony to, ‘without permission from all parties to the conversation, eavesdrop on or record, by means of an electronic device, a conversation, or any portion thereof, between a person who is in the physical custody of a law enforcement officer or other public officer, or who is on the property of a law enforcement agency or other public agency, and that person’s attorney . . . .’”
Read more on JDSupra.
[From the article:
Among other arguments contained in its motion to dismiss, Securus alleged that the plaintiffs’ allegations were insufficient to provide standing. The Court rejected this argument, holding that a violation of CIPA is indeed a concrete and particularized injury in fact.]
An interesting article. (The GIF headline is a nice touch!)
HOW THE UAE IS RECRUITING HACKERS TO CREATE THE PERFECT SURVEILLANCE STATE
“Be careful what you wish for, 'cause you just might get it.” I toss these at my international students just to watch the amazed expression on their faces…
The Economics Of The Uber Employment Decision Is Not Quite What You Think - Drivers Are Now Poorer
Much excitement in left wing circles as Uber loses a case at an employment tribunal. The argument was over what is the legal status of Uber drivers? Are they really self-employed? Or do they have a closer relationship with the firm, something closer to employment, or even as an employee? This is of course a legal question and one that depends upon the vagaries of UK employment law. However, the underlying economics here is rather clear–the result, whichever way it goes, isn’t going to change the overall conditions for Uber drivers very much, if at all. The net effect is in fact to make them slightly poorer. Because all of those things which come with closer employment relationships actually come out of the wages of the workers in the first place.
What benefit is there for NYC?
Study: NYC's Airbnb ban costs $500M
Airbnb hosts in New York City could generate a half billion dollars each year by renting out their homes to tourists, according to a new analysis, but that money will likely disappear under the state’s new penalties targeting short-term rentals.
The business-friendly American Action Forum calculated the price of short-term rentals in the city and found that Airbnb hosts have the potential to earn $500 million each year. They did not account for empty rooms that remain unfilled on any given night.
… Critics of Airbnb say the short-term rental website is raising the cost of living in New York City, but others point out it provides economic opportunity to residents and feeds tax dollars into the state and city coffers.
Hack Education Weekly News
… Via Edsurge: “U.S. Dept. of Ed. Unveils Free Online Tool for Rapid Evaluation of Edtech Products.”… Via The New York Times: “Obama Brought Silicon Valley to Washington.” (Is that a good thing?) [At least the large contributors. Bob]
… Via Inside Higher Ed: “A divided federal appeals court on Wednesday upheld a lower court’s ruling that a Minnesota community college was justified when it kicked a student out of a nursing program because of Facebook comments administrators deemed to be unprofessional and threatening to fellow students.”
… Via the Education Law Center: “Several New Jersey civil rights and parent advocacy organizations have filed a legal challenge to new high school graduation regulations recently adopted by the State Board of Education. The new rules make passing the controversial PARCC exams a requirement for a New Jersey high school diploma and will also prevent students who opt out from graduating.” [What happens if no one passes? Bob]
… Via the MIT Media Lab: “Blockcerts – An Open Infrastructure for Academic Credentials on the Blockchain.” [Why? Bob]
… Also via Edsurge: “Pursuing Academic Freedom and Data Privacy Is a Balancing Act.”
… Via The Next Web: “Survey shows millennials fall for cyber scams more often than seniors.”
Inspired by the Privacy Foundation’s seminar on Encryption and Privacy, I thought I’d point you to these tools created by Drexel University that illustrate how easy/complex encryption is. I encrypt the instructions for a mini-project, then point the students to the encryption/decryption calculator. They have to create keys and encrypt a message to me.
This guide is intended to help with understanding the workings of the RSA Public Key Encryption/Decryption scheme.
RSA Express Encryption/Decryption Calculator
This worksheet is provided for message encryption/decryption with the RSA Public Key scheme
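The steps the Drexel worksheet walks students through (pick two primes, compute n and phi(n), choose e, derive d, then encrypt and decrypt block by block) as an added Python example; this is not the calculator's own code. The primes 61 and 53 and the exponent 17 are constructed, hand-checkable values, and the closing trial-division function is there to show why moduli this small are a classroom exercise rather than a usable key.

```python
"""Textbook RSA walkthrough (added example, not the Drexel worksheet's code).

Deliberately small, constructed primes are used so every intermediate value
can be checked by hand. Real deployments use 2048-bit or larger moduli and a
padding scheme such as OAEP; unpadded "textbook" RSA like this is for learning.
"""
from math import gcd, isqrt


def generate_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two distinct primes p and q.

    Returns ((n, e), (n, d)): (n, e) is the public key, (n, d) the private key.
    Raises ValueError if e shares a factor with phi(n), since then no d exists.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not coprime with phi(n)={phi}")
    d = pow(e, -1, phi)              # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt_int(m: int, public_key) -> int:
    """c = m^e mod n; the block m must lie in [0, n) or decryption is ambiguous."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt_int(c: int, private_key) -> int:
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_text(text: str, public_key):
    """One character per block, the way a worksheet-style calculator does it."""
    return [encrypt_int(ord(ch), public_key) for ch in text]


def decrypt_text(blocks, private_key) -> str:
    return "".join(chr(decrypt_int(c, private_key)) for c in blocks)


def factor_small_modulus(n: int):
    """Trial division: recovers (p, q) from n when n is tiny.

    With p and q recovered anyone can recompute d from the public key, which is
    why real keys use primes hundreds of digits long, where this loop is hopeless.
    """
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)   # constructed classroom values
    print("public key (n, e):", public)                 # (3233, 17)
    print("private key (n, d):", private)               # (3233, 2753)
    blocks = encrypt_text("Hi", public)
    print("ciphertext blocks:", blocks)
    print("recovered text:", decrypt_text(blocks, private))
    print("factoring n:", factor_small_modulus(public[0]))   # (53, 61)
```

Students can hand in their own (p, q, e) and the ciphertext blocks; the modulus must exceed the largest code point in the message (n = 3233 covers ASCII), and choosing an e that divides phi(n), such as 3 with these primes, makes the key generator refuse rather than silently produce an unusable key.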