- Note: “The 2015 OPM data breach compromised records of 21.5 million current and former federal employees and their families and instigated a full-scale review of government cybersecurity.”
Wednesday, November 23, 2016
Embarrassing things happen. Makes it hard to claim they don’t make mistakes.
Twitter accidentally suspends its own CEO's account
For a while late Tuesday, attempts to reach Jack Dorsey's profile produced an error message saying it had been suspended. That prompted speculation his account might have been hacked or automatically shut down because of a high number of complaints from other users.
After it came back online, Dorsey tweeted that the suspension was the result of "an internal mistake."
That provoked angry responses from some people who asked how many regular users' accounts might also have been accidentally frozen by the company in the past.
… Which users Twitter does or doesn't suspend has become a highly sensitive topic. The platform has struggled to find a healthy balance between allowing free speech and protecting users from harassment.
I wonder how common this is? Sounds like a service Tony Soprano would offer…
Catalin Cimpanu reports:
A Cardiff court has sentenced James Frazer-Mann, a 35-year-old man from Barry in the UK, to a suspended sentence of 12 months, a fine of £530 ($660), and 180 hours of community service for hiring a hacker to go after his company’s competition and a website where customers had criticized his service.
US authorities discovered Frazer-Mann’s actions after they shut down Liberty Reserve, an online payment system based in Costa Rica that allowed people to transfer money by entering someone’s name, date of birth, and email address.
Read more on BleepingComputer.
Yet another government agency proposing a national ID requirement.
From Papers, Please!
Reversing its longstanding official position that no law or regulation requires air travelers to possess or show any ID credentials, the TSA has given notice of a new administrative requirement for all airline passengers:
In order to be allowed to pass through checkpoints operated by the TSA or TSA contractors, air travelers will be required to have been issued a REAL-ID Act compliant government-issued ID credential, or reside in a state which has been given an “extension” by the DHS of its administrative deadline for a sufficient show of compliance with the REAL-ID Act of 2005.
The TSA will still have a procedure and a form (TSA Form 415) for travelers who don’t have their ID with them at the checkpoint, typically because it has been lost or stolen or is in the process of being replaced or renewed. But that procedure will no longer be available to people who haven’t been issued any ID, or who have ID from states the DHS hasn’t certified as sufficiently compliant with the REAL-ID Act.
Read more on Papers, Please!
So, what else is new? Government bureaucracies never seem to move quickly and rarely manage well.
Audit of OPM Security Systems Shows Continued Material Weakness
by Sabrina I. Pacifici on Nov 22, 2016
OPM IG Federal Information Security Modernization Act Audit – FY 2016: “This audit report again communicates a material weakness related to OPM’s Security Assessment and Authorization (Authorization) program. In April 2015, the then Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Although the moratorium on Authorizations has since been lifted, the effects of the April 2015 memorandum continue to have a significant negative impact on OPM. At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization in place…”
Must have been a very well written warrant!
Joseph Cox reports:
In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger.
In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.
Read more on Motherboard.
[From the article:
The Department of Justice has had an intense battle on its hands over the past few months, especially around the validity of the warrant used for this hacking operation. According to a filing from the Department of Justice, fourteen court decisions have found that the warrant was not properly issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure, which governs how search warrants can be authorized.
The main issue has been that the judge who signed the warrant, Magistrate Judge Theresa C. Buchanan in the Eastern District of Virginia, did not have the authority to greenlight searches outside of her own district. In four cases, courts have then decided to throw out all evidence obtained by the malware because of the violation.
But, changes to Rule 41 will likely come into effect on December 1, meaning that magistrate judges will be allowed to authorize warrants just like the one used in the Playpen investigation.]
I don’t worry about computers that look out for my health. I worry about companies that sell that information to advertisers. (and hackers, always hackers)
Grant Ferowich reports:
Google DeepMind and the National Health Service will partner in a move that alerts providers about abnormalities in patients’ vital signs and blood results—and privacy advocates have already started to cry foul.
The artificial intelligence branch of Google and the Royal Free NHS agreed to a five-year deal that will allow Google’s algorithms to monitor the health data of 1.6 million patients, the Financial Times reports.
The deal’s proponents argue that thousands of deaths per year could be prevented from conditions such as acute kidney damage, the article notes, but critics say such promises are “unproven.”
Read more on Fierce Healthcare.
I take this as a good sign. Your average cop is probably not inclined to excessive force.
Police Body Cameras Don’t Reduce Use of Force: Study
New research shows that body cameras don’t consistently lead to a reduction in the use of force by police—nor does their use discourage officers from taking action.
The findings stand in contrast to previous studies that looked at how cameras influence police behavior.
… The researchers in Milwaukee also found that police officers wearing cameras conducted more citizen contacts, traffic checks and other activities used to measure “proactivity” than officers who didn’t.
Should you obey local laws or kiss that market goodbye? WWTD (What Will Trump Do?)
Facebook Said to Create Censorship Tool to Get Back Into China
Mark Zuckerberg, Facebook’s chief executive, has cultivated relationships with China’s leaders, including President Xi Jinping. He has paid multiple visits to the country to meet its top internet executives. He has made an effort to learn Mandarin.
Inside Facebook, the work to enter China runs far deeper.
The social network has quietly developed software to suppress posts from appearing in people’s news feeds in specific geographic areas, according to three current and former Facebook employees, who asked for anonymity because the tool is confidential. The feature was created to help Facebook get into China, a market where the social network has been blocked, these people said. Mr. Zuckerberg has supported and defended the effort, the people added.
Something for all my students.
How to Write Email with Military Precision
… During my active duty service, I learned how to structure emails to maximize a mission’s chances for success. Since returning from duty, I have applied these lessons to emails that I write for my corporate job, and my missives have consequently become crisper and cleaner, eliciting quicker and higher-quality responses from colleagues and clients. Here are three of the main tips I learned on how to format your emails with military precision:
1. Subjects with keywords.
2. Bottom Line Up Front (BLUF).
3. Be economical.
For those of us who searched the house for hidden Christmas presents?
Amazon Just Found a Way to Let You See Inside the Box Without Opening It (AMZN)
… Amazon rolled out an update for its iOS app last week which allows users to know what’s inside their incoming Amazon boxes before opening them.
To use this latest feature on the app, simply tap your iPhone’s camera icon beside the search box. Doing this will open up a number of options, from which you need to select the “Package X-Ray” button. Then hold the camera frame over the barcode of your box and the items inside will be displayed.
… Sadly though, despite the name, this feature does not give you a view of the actual items inside your Amazon boxes.
Instead, the app gives you information regarding the items inside the box. Also, you will be given a visual of these items which links you back to the product page on the website.
I was somewhat surprised by this…
Disruptive Change in the Taxi Business: The Case of Uber
by Sabrina I. Pacifici on Nov 22, 2016
Disruptive Change in the Taxi Business: The Case of Uber – Judd Cramer, Alan B. Krueger – NBER Working Paper No. 22083 – Issued in March 2016
“In most cities, the taxi industry is highly regulated and utilizes technology developed in the 1940s. Ride sharing services such as Uber and Lyft, which use modern internet-based mobile technology to connect passengers and drivers, have begun to compete with traditional taxis. This paper examines the efficiency of ride sharing services vis-à-vis taxis by comparing the capacity utilization rate of UberX drivers with that of traditional taxi drivers in five cities. The capacity utilization rate is measured by the fraction of time a driver has a fare-paying passenger in the car while he or she is working, and by the share of total miles that drivers log in which a passenger is in their car. The main conclusion is that, in most cities with data available, UberX drivers spend a significantly higher fraction of their time, and drive a substantially higher share of miles, with a passenger in their car than do taxi drivers. Four factors likely contribute to the higher capacity utilization rate of UberX drivers: 1) Uber’s more efficient driver-passenger matching technology; 2) the larger scale of Uber than taxi companies; 3) inefficient taxi regulations; and 4) Uber’s flexible labor supply model and surge pricing more closely match supply with demand throughout the day.”
This is interesting. Could it be extended to Computer Security? Law?
Tele-Mentoring Is Creating Global Communities of Practice in Health Care
… At the start, a team of specialists with a deep knowledge of hepatitis C gathered virtually in a conference room at the University of New Mexico Health Sciences Center. In that conference room would be a video screen with a matrix of individual primary care providers who were sitting in their own offices and clinics across New Mexico. Each provider would, in turn, present their patients with hepatitis C and get guidance on caring for each patient from the experts at the university hub. Each of the other providers learned from every case presentation.
Strategy Analytics: Apple Captures Record 91 Percent Share of Global Smartphone Profits in Q3 2016
Linda Sui, Director at Strategy Analytics, said, “We estimate the global smartphone industry realized total operating profits of US$9.4 billion during Q3 2016. Apple dominated and captured a record 91 percent share of all smartphone profits worldwide.
… “We estimate Huawei generated US$0.2 billion of smartphone operating profit worldwide in Q3 2016. Huawei captured 2 percent share of all smartphone profits, taking second spot overall, and becoming the world’s most profitable Android vendor for the first time ever.
… The full report, Apple Captures 91 Percent Share of Global Smartphone Profits in Q3 2016, is published by the Strategy Analytics Wireless Smartphone Strategies (WSS) service, details of which can be found here: http://tinyurl.com/z46xf88.
More stuff I want blocked in the Computer Labs.
… Several tools are available that can make this happen, from emulators and virtual machines to browser plugins.
This should be simple for my students; they often get things backwards.
This Malware Turns Headphones Into Microphones
Researchers at Ben Gurion University in Israel have created malware that will turn your plugged-in headphones into a microphone.
Now, if you've ever plugged old headphones into a standard line in jack, you know that headphones are basically tiny microphones anyway, with vibrations converting themselves into electromagnetic signals. But this malware is a bit different. Dubbed "Speake(a)r," the malware does the same thing, but through software. Wired explains:
Their malware uses a little-known feature of RealTek audio codec chips to silently "retask" the computer's output channel as an input channel, allowing the malware to record audio even when the headphones remain connected into an output-only jack and don't even have a microphone channel on their plug. The researchers say the RealTek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or MacOS, and most laptops, too.
Wired says that in their tests, the researchers at Ben Gurion were able to record sound from as far as 20 feet away with a pair of Sennheiser headphones. Apparently, even when compressing the recording to send over the internet, the recording was still distinguishable.
Another challenge for my “Designated Hackers.” (Why doesn’t NY use these guys?)
Israeli Firm Can Steal Phone Data in Seconds
Israeli firm Cellebrite's technology provides a glimpse of a world of possibilities accessible to security agencies globally that worry privacy advocates.
… Cellebrite's technology is not online hacking. It only works when the phone is physically connected to one of the firm's devices.
The company recently demonstrated its capabilities for an AFP journalist.
The password on a phone was disabled and newly taken photos appeared on a computer screen, complete with the exact location and time they were taken.
… The real challenge, Ben-Peretz agrees, is staying in the lead in a race where phone manufacturers constantly launch new models and update software with ever more complicated security.
In the firm's lab they have 15,000 phones -- with around 150-200 new models added each month.
An idea for the Computer Security club: Collect old phones and hack them!