Wednesday, December 14, 2016

A new record?  
Steve Ragan reports:
Full data enrichment profiles for more than 200 million people have been placed up for sale on the Darknet.  The person offering the files claims the data is from Experian, and is looking to get $600 for everything.
Details of this incident came to Salted Hash via the secure drop at Peerlyst, where someone uploaded details surrounding the sale and the data.  The data was first vetted by the technical review board at Peerlyst, who confirmed its legitimacy.  Once it was cleared by the technical team, a sample of the data was passed over to Salted Hash for additional verification and disclosure.
Read more on Salted Hash.  Note that this is the same database/situation that DataBreaches.net reported on last week, after it was first reported by HackRead. DataBreaches.net’s report had included Experian’s denial that the data were hacked from their system.  They apparently have sent Steve the same statement.
Attribution aside (and yes, figuring out who got compromised is important), the fact that so much information about over 200 million people is in the wild should concern everyone.  Not all of the data will be accurate, but much of it will be, and that poses a variety of risks, as Steve appropriately notes.  Do read his article to find out more about the more than 80 types of information in this database.
[From the article:
Moreover, the data holds enough information to develop a sustained Phishing campaign, which could open the door to numerous other crimes.
“This data set alone (and there are many more) tells us who makes more than $100,000 a year in a given zip code and address; what allergies each member may have; how many home loans they have taken out in 15 years; how many pets; how often they shop; and about 80 other attributes.
Data enrichment is a value-adding process, where external data from multiple sources is added to the existing data set to enhance the quality and richness of the data. This process provides more information about the product to the customer.


Now that’s amusing!  Okay, not really, but what happened to their backups?
Fleur Anderson and Paul Smith report:
The Australian Taxation Office has restored access to some of its online services, but concerns remain that large amounts of data have been lost after it suffered a “world-first” technical glitch to equipment from Hewlett Packard Enterprise more than 24 hours earlier.
Tax officials were reportedly told to work from home for the second successive day, due to inability to access some key internal systems, and citizens were unable to access its website after a failure in the hardware that stores the ATO’s data.
The systems went down on Monday after a failure of the HPE storage network, which was upgraded in November 2015 with technology news website ITNews reporting the loss of 1 petabyte of data, which it is still attempting to recover.
Read more on AFR.


I like it!  Suggests they will need to plan this before the breach.  Note that there is no time limit on detecting the breach.
From PayBefore:
The European Banking Authority (EBA) working with the European Central Bank (ECB) recently released a consultation paper on guidelines for payment service providers (PSPs) to follow in the event of security breaches.  Among the suggested mandates is notifying authorities of an incident within two hours from the moment the breach is detected—that’s significantly faster than the breach notification requirements set to go into force next year under the General Data Protection Regulation (GDPR), which requires notice within 72 hours of breach detection.
Read more on PayBefore.


Minor?  At least it shows what kind of “tools” sell.
Joe Cadillic writes:
A recent article in the News Gazette reveals how the University of Illinois police tracked a stolen cell phone to a specific classroom.
How did the police track a stolen cell phone to a specific classroom, you ask?
Police across the country are using cell phone detectors, like the ‘Wolfhound-Pro’ or the “PocketHound” that can track cell phones from 150 feet away indoors and up to one mile outdoors (line-of-sight).
Read more on MassPrivateI.
[From the Wolfhound-Pro website:
Wolfhound-Pro’s passive receiver technology does NOT intercept or “listen-in” on any phone calls, making it fully legal and the tool of choice for law enforcement trying to avoid sluggish court orders and search warrants.


I’ll add this to my Computer Security handouts.
IEEE puts out a first draft guide for how tech can achieve ethical AI design
The document, called Ethically Aligned Design, includes a series of detailed recommendations based on the input of more than 100 “thought leaders” working in academia, science, government and corporate sectors, in the fields of AI, law and ethics, philosophy and policy.

(Related)
How AI can bring on a second Industrial Revolution
"The actual path of a raindrop as it goes down the valley is unpredictable, but the general direction is inevitable," says digital visionary Kevin Kelly — and technology is much the same, driven by patterns that are surprising but inevitable.  Over the next 20 years, he says, our penchant for making things smarter and smarter will have a profound impact on nearly everything we do.  Kelly explores three trends in AI we need to understand in order to embrace it and steer its development.


The world we live in…
US privacy rules stir confusion
The United States has a uniquely convoluted way of regulating privacy.
In the European Union, for example, all private information is treated the same, whether it’s collected by Facebook or by a doctor in a hospital.
But things are murkier in the U.S., thanks to an overlapping structure involving an alphabet soup of federal agencies.
The Federal Trade Commission (FTC) regulates privacy, but so does the Food and Drug Administration (FDA), the Federal Communications Commission (FCC) and the Department of Health and Human Services (HHS), just for starters.
“We are more or less the only country approaching privacy in a sectoral fashion,” said Sharon Klein, who heads the privacy, security and data protection practice at the law firm Pepper Klein.  “And it’s getting harder to be sectoral.”


Maybe I will allow my students to comment on my blog.
Backpage.com CEO and co-founders cleared of pimping charges
The executives of classified listings site Backpage.com have been cleared of criminal charges relating to adult services advertised on the site.
Last Friday, though, Sacramento County Superior Court Judge Michael Bowman found in favor of the defendant, with Bowman’s ruling (which can be seen here, courtesy of Ars Technica) stating that Backpage’s business is shielded by the Communications Decency Act.


I wondered how the government would keep older cars off the highways; this is it.  If your car cannot ask the highway to open the gate at the on-ramp, you won’t be allowed to drive on the highway.
New Cars Could Be Required To 'Talk' To Each Other As Soon As 2020
More than two years after the National Highway Traffic Safety Administration first issued an advanced notice of proposed rulemaking to mandate vehicle-to-vehicle (V2V) communications in the U.S., the agency is finally ready to move forward.  Following an extended comment and testing period, NHTSA today published the notice of proposed rulemaking (NPRM) for what is expected to become Federal Motor Vehicle Safety Standard (FMVSS) 150.
If the NPRM makes it to the FMVSS stage without significant changes, all manufacturers would be required to install dedicated short-range communication (DSRC) radios into new vehicles, probably starting in about 2020.


Does this strike anyone else as being a bit too much?
Microsoft’s latest AI powered service aims to help you with your busy schedule
Setting up a meeting with someone outside your company can be a time-consuming process since you can’t see others’ calendars and free/busy information.  Generally, we email them to know their free timings and try to work out the meeting time.  To solve this issue, Microsoft has started an incubation project code-named “Calendar.help.”  This project gives Cortana the ability to arrange meetings on your behalf.  By delegating scheduling tasks to Cortana, you can focus on getting things done rather than wasting time emailing back and forth.  This service is based on Genee, a scheduling AI startup that Microsoft acquired in August.


Think of it as a lack of standards?
Here’s your first tech buzzword of 2017: ‘Brownfield’
There’s a lot of hype and activity surrounding IoT, which is very positive and can help expedite its growth and proliferation.  However, the approach being embraced by most newcomers and early adopters leaves a lot to be desired.  Usually, designers and manufacturers are inclined to hop on the IoT bandwagon through “greenfield development” — creating products from scratch — rather than “brownfield development” — connecting existing devices, systems and infrastructure to the cloud.
Meanwhile, we’re seeing manufacturers “reinvent the wheel” by creating proprietary hardware and software to power their IoT devices.  They face, and fail to deal with, the multitude of IoT development challenges — often simultaneously.
The unintended consequence is a fragmented IoT landscape plagued by an endemic lack of standards, creating products that are insecure, unreliable, unmanageable and weak at communicating with one another.  Interoperability is a huge issue, since the future of IoT is not devices that can be remotely controlled and send data back to the cloud, but rather devices and systems that can autonomously communicate between each other and reliably coordinate their actions.


New data centers everywhere as each country wants to control (or at least hold) its own data.
Amazon Opens Data Centers to Boost U.K. Cloud Services
Amazon Web Services, the cloud-hosting arm of Amazon.com Inc., opened new data centers in the U.K. as it seeks to stay abreast of competitors in offering cloud computing services to government and health-care customers.
The U.K. data region, which comprises two zones, each consisting of multiple data centers, is the 16th Amazon Web Services operates worldwide and its third in Europe.  A fourth in France has already been announced and will open next year.
Governments are increasingly moving computing functions into the cloud.  But they are often required for regulatory and security purposes to hold data within their national borders.  The same applies for sensitive health-care information.


I’ll have to ask Indian students what is really happening.
India is in the throes of an unprecedented social experiment in enforced digital disruption, and the world has much to learn from it.
Prime Minister Narendra Modi launched a surprise in early November, demonetizing 500 and 1,000 rupee bank notes.  Modi’s war on cash is not without international precedent: Singapore, for example, withdrew its largest currency recently; the European Central Bank eliminated the 500-euro bank note; South Korea plans to eliminate at least all coins by 2020.
And yet India’s initiative had the potential for chaos.  Here’s why: the government effectively took 86% of cash out of circulation in an economy that is close to 90% cash-reliant.
