Saturday, May 07, 2016

There goes that Guinness World Record.
Garbage in, garbage out: Why Ars ignored this week’s massive password breach
Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services.  "Big data breaches found at major email services" warned Reuters, the news service that broke the news.  Within hours, other news services were running stories based on the report with headlines like "Tech experts: Change your email password now."
Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm's entire report.
"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail.  "As we always do in this type of situation, we increased the level of login protection for users that may have been affected."  According to the report, the compromised credential list included logins to almost 23 million Gmail accounts.

(Related)
Here's how I verify data breaches


A continuous process.  Nothing new there.  Perhaps if we combine IBM’s Watson with their Quantum Computer…
Mohit Kumar writes:
Defense Advanced Projects Agency (DARPA) is offering funding for security researchers who can help the agency to develop algorithms that can identify hackers under its new game-changing initiative called ‘Enhanced Attribution Program’.
Although organizations and countries give their best to identify cyber campaigns that infiltrated their critical infrastructure, tracking down the culprits has always been a difficult task — thanks to TOR, Virtual Private Networks (VPNs), and other methods used to hide the attack source.
However, through this new initiative, the United States military research agency DARPA hopes that agencies would quickly track and identify sophisticated hackers or criminal groups by monitoring their exact behavior and physical biometrics.
The aim of Enhanced Attribution program is to track personas continuously and create “algorithms for developing predictive behavioral profiles.”
“The goal of the Enhanced Attribution (EA) program is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators; and the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection,” reads the project’s official site.
In other words, the Enhanced Attribution Program will not only help the government characterize the cyber criminal but also share the criminal’s modus operandi with potential victims and predict the attacker’s next target.
Read more on The Hacker News.
Wait… “without putting at risk the sources and methods used for collection?”  That sounds to me like a response to recent court cases where the government has dismissed cases rather than reveal their surveillance methods.


Does Congress know about this?  Do computers have a “Right to Privacy?”  Perhaps a “Right to be left alone?” 
Lindsay Tonsager writes:
In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:
“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device.  In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.   The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.
Read more on Covington & Burling Inside Privacy.


I don’t post much from Kellogg.  I’m not sure why that is.
Is Reading Someone’s Emails Like Entering Their Home?
   In the late nineteenth century, when considering laws about intercepting confidential messages, Congress debated whether the telegraph was comparable to the postal service.  Protecting the privacy of a telegram, after all, only made sense if everyone agreed that telegrams were analogous to personal letters—a view that, though it never became an official act of Congress, was eventually supported by state laws.
But the rise of electronic communications has made this analogical reasoning even more of a headache.  By 1995, courts were debating whether encryption software belonged on a list of regulated munitions (alongside bombs and flamethrowers) or whether encryption was in fact a “language act” protected by the first amendment.


Wouldn’t this fall under the same exemption as your fingerprints?  It’s pretty hard NOT to see your face; does a photograph make that much of a difference?
Defeat for Facebook in Court Is Bad News for Firms That Scan Faces
Who owns your face?
A California judge on Thursday ruled against Facebook in a lawsuit that says the company violated user privacy by scanning their faces without permission and inviting others to “tag” them in photographs.
The case is significant because it’s one of the first to test the boundaries of how companies use facial recognition software, a rapidly-advancing technology that treats faces as the modern-day equivalent of a fingerprint.  (At Facebook, the company has internally referred to the tool as a “faceprint.”)
   In the ruling, which you can read here, U.S. District Judge James Donato agreed that Facebook’s scanning and tagging feature qualified as a use of a biometric identifier covered by the statute.  On a key procedural issue, he refused Facebook’s request to decide the case under California law, where companies don’t face restrictions on the use of biometrics.


Statistically backed assertions. 
   How large is this secret ECPA docket?  Extrapolating from a Federal Judicial Center study of 2006 federal case filings, I have estimated that more than 30,000 secret ECPA orders were issued that year alone.  Given recent DOJ disclosures, the current annual volume is probably twice that number.  And those figures do not include surveillance orders obtained by state and local authorities, who handle more than 15 times the number of felony investigations that the feds do.  Based on that ratio, the annual rate of secret surveillance orders by federal and state courts combined could easily exceed half a million.  Admittedly this is a guess; no one truly knows, least of all our lawmakers in Congress.  That is precisely the problem.


Some interesting (or at least amusing) speculation.
Panama Papers Source Offers to Aid Inquiries if Exempt From Punishment
The anonymous source behind the huge leak of documents known as the Panama Papers has offered to aid law enforcement officials in prosecutions related to offshore money laundering and tax evasion, but only if assured of protection from punishment.
“Legitimate whistle-blowers who expose unquestionable wrongdoing, whether insiders or outsiders, deserve immunity from government retribution,” the source, who has still not revealed a name or nationality, said in a statement issued Thursday night.


This should amuse my researching students.
OSoMe: The IUNI observatory on social media
by Sabrina I. Pacifici on
OSoMe: The IUNI observatory on social media. PeerJ Preprints 4:e2008v1 https://doi.org/10.7287/peerj.preprints.2008v1
“The study of social phenomena is becoming increasingly reliant on big data from online social networks.  Broad access to social media data, however, requires software development skills that not all researchers possess.  Here we present the IUNI Observatory on Social Media, an open analytics platform designed to facilitate computational social science.  The system leverages a historical, ongoing collection of over 70 billion public messages from Twitter.  We illustrate a number of interactive open-source tools to retrieve, visualize, and analyze derived data from this collection.  The Observatory, now available at osome.iuni.iu.edu, is the result of a large, six-year collaborative effort coordinated by the Indiana University Network Science Institute.”


Wisdom from my favorite statistical website.  (I think #4 will become critical)
The Four Things I Learned From The Donald Trump Primary
1. Don’t rule out the ahistorical when there’s little history.
2. Take a nuanced view of the polls.
3. Maybe favorability ratings aren’t as hard to change as we thought.
4. Don’t assume the party knows what it’s doing.
Let’s give some credit to Trump himself!  No, I don’t think that Trump is a strategic and tactical mastermind who planned every move he made, or even that every move was successful.  On the whole, though, more of what he did worked than didn’t work.  Trump generated a ton of free media coverage; that helped him.  He was willing to challenge Republican orthodoxy; that, at the very least, didn’t hurt him.  I don’t know whether he’s built a new political coalition or the Trump phenomenon is sui generis, but whatever the guy did, it worked.


Universities developing cybersecurity degrees to fill jobs gap
If they want to continue to protect our nation’s most valuable data from cyber-attacks, leading security practitioners need to look to the future of the security industry and develop ways to grow the talent needed to fill the looming jobs gap.


My Saturday sillies.
Hack Education Weekly News
   The Justice Department has warned North Carolina that its new anti-trans bathroom law violates the Civil Rights Act.  According to the AP, “North Carolina’s prized public universities could be the biggest losers as state leaders defend a new law limiting the rights of LGBT people.  The 17-university system, which includes the University of North Carolina at Chapel Hill and North Carolina State University as well as several historically black colleges, risks losing more than $1.4 billion in federal funds if the Republicans who run the Legislature don’t reverse the law.  The U.S. Justice Department wants an answer by the end of business on Monday.”  The new head of the UNC system, “Margaret Spellings Is Caught Between Her State and the Federal Government.  Now What?” asks The Chronicle of Higher Education.
   Via Inside Higher Ed: “The Federal Trade Commission announced Thursday that the operators of Gigats.com agreed to settle deception charges.  Gigats.com is an education lead-generation company based in Orlando, Fla., that claims to prescreen job applicants for employers. However, the company was instead gathering information for for-profit colleges and career training programs, according to the FTC.”


For my Computer Security and Ethical Hacking students.
Pay What You Want for the Ethical Hacker and Pentester Pro Learning Bundle
   Anyone can start learning them with the Ethical Hacker and Pentester Pro Bundle at MakeUseOf Deals.
It combines nine high-quality video courses, and you can pay what you want for the tuition.  Read on to find out more.
   All of these courses come with lifetime access, and you can stream the lessons on desktop and mobile devices.  Best of all, you can claim a certificate of completion to put on your CV when you master each subject.
   You can name your price on the last two courses in this deal, but to unlock the full bundle, you simply need to beat the average price paid.  These nine courses are normally worth $1,431 put together, so grab the bundle now to enjoy a huge markdown!

Friday, May 06, 2016

Surely no bank is still using Windows XP? 
New Trojan Targets Banks in US, Mexico
   The Trojan, written in .NET apparently by Spanish-speaking developers, caught the attention of researchers because it relies on popular tools such as Fiddler, an HTTP debugging proxy server application, and Json.NET, a high-performance JSON framework for .NET.
The malware is delivered using an installer named “curp.pdf.exe” that is served on several compromised websites.  Once executed, the installer downloads three files to the Windows system directory: the main payload (syswow.exe), a Fiddler DLL file (FiddlerCore3dot5.dll), and a Json.Net DLL file (Newtonsoft.Json.dll).  The main payload is then executed and the installer terminates itself.
…   If the infected machine is running Windows XP or Windows Server 2003, the malware creates a registry entry for persistence, downloads a configuration file, and launches the Fiddler proxy engine.  For other Windows versions, the threat doesn’t create a registry entry, and it starts the proxy engine only after installing a Fiddler-generated root certificate.
Once it’s installed on a device, the malware collects system information and sends it back to its command and control (C&C) server, which responds with a configuration file containing different C&C locations and other instructions.  Json.NET is used to parse the server’s response and save it in an XML file.  This file contains the list of domains targeted by the malware — when users visit these domains, they are redirected to phishing websites designed to trick them into handing over their information.
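For the lab: an added example, not code from the SecurityWeek write-up or from the malware, that turns the indicators above into a host-triage check.  The dropped file names and the two persistence variants (Run key on XP/2003, trusted root certificate elsewhere) come from the article.  The root-certificate name “DO_NOT_TRUST_FiddlerRoot” and the 127.0.0.1:8888 proxy address are my assumptions about FiddlerCore’s defaults (a custom build can change both, so treat them as weak indicators), and the three host inventories are constructed sample data, not real captures.

```python
import re

# Indicators stated in the write-up: the installer drops these three files into
# the Windows system directory; syswow.exe is the main payload.
DROPPED_FILES = {"syswow.exe", "fiddlercore3dot5.dll", "newtonsoft.json.dll"}

# Assumptions, not from the article: FiddlerCore's default root certificate is
# issued as "DO_NOT_TRUST_FiddlerRoot" and the proxy listens on 127.0.0.1:8888.
# Either can be changed by whoever builds the malware, so these are weak signals.
FIDDLER_ROOT_CN = "DO_NOT_TRUST_FiddlerRoot"
LOCAL_PROXY_RE = re.compile(r"^(?:127\.0\.0\.1|localhost):(\d+)$", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def _executable(command):
    """Executable path from a Run-key command, handling a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(inventory):
    """Return a list of (severity, message) findings for one host inventory.

    inventory is a dict with:
      system_dir_files      - file paths found in %SystemRoot%\\System32
      trusted_root_subjects - subject names in the machine Trusted Root store
      run_keys              - {value name: command} from the ...\\Run keys
      proxy_server          - the WinINET ProxyServer string, or "" if unset
    """
    findings = []

    dropped = sorted({_basename(p) for p in inventory["system_dir_files"]} & DROPPED_FILES)
    if dropped:
        findings.append(("high", "dropped files present: " + ", ".join(dropped)))

    # XP / Server 2003 variant: persistence through a Run key pointing at the payload.
    for name, command in inventory["run_keys"].items():
        if _basename(_executable(command)) in DROPPED_FILES:
            findings.append(("high", "Run key %r launches %s" % (name, command)))

    # Newer-Windows variant: a Fiddler-generated root certificate so the local
    # proxy can terminate TLS to the targeted banking domains.
    for subject in inventory["trusted_root_subjects"]:
        if FIDDLER_ROOT_CN.lower() in subject.lower():
            findings.append(("high", "Fiddler root certificate trusted: " + subject))

    # Both variants: browser traffic pointed at a proxy on the loopback address.
    m = LOCAL_PROXY_RE.match(inventory["proxy_server"].strip())
    if m:
        findings.append(("medium", "browser traffic routed through local proxy on port " + m.group(1)))

    return findings


# Constructed sample inventories (not real captures): the XP-style variant,
# the Windows 7+ variant, and a clean host.
XP_HOST = {
    "system_dir_files": [
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\WINDOWS\system32\syswow.exe",
        r"C:\WINDOWS\system32\FiddlerCore3dot5.dll",
        r"C:\WINDOWS\system32\Newtonsoft.Json.dll",
    ],
    "trusted_root_subjects": ["CN=Microsoft Root Certificate Authority"],
    "run_keys": {"syswow": r'"C:\WINDOWS\system32\syswow.exe"'},
    "proxy_server": "127.0.0.1:8888",
}
WIN7_HOST = {
    "system_dir_files": [
        r"C:\Windows\System32\syswow.exe",
        r"C:\Windows\System32\FiddlerCore3dot5.dll",
        r"C:\Windows\System32\Newtonsoft.Json.dll",
    ],
    "trusted_root_subjects": [
        "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com",
    ],
    "run_keys": {"OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    "proxy_server": "127.0.0.1:8888",
}
CLEAN_HOST = {
    "system_dir_files": [r"C:\Windows\System32\kernel32.dll"],
    "trusted_root_subjects": ["CN=Microsoft Root Certificate Authority"],
    "run_keys": {},
    "proxy_server": "",
}

if __name__ == "__main__":
    for label, host in (("xp", XP_HOST), ("win7", WIN7_HOST), ("clean", CLEAN_HOST)):
        print(label, triage(host) or "no findings")
```

On a live host you would feed `triage()` a directory listing of System32, the output of `certutil -store Root`, the `HKCU`/`HKLM ...\CurrentVersion\Run` values and the `ProxyServer` value under `Internet Settings`; the function itself only reasons about the inventory it is handed, so it runs offline against the constructed samples.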


A small local problem?
Kieran Nicholson reports:
State investigators are looking into a database breach at the Colorado Department of Transportation which could lead to identity thefts.
The breach of the Disadvantaged Business Enterprise program with CDOT was discovered recently and has been reported to the Colorado Bureau of Investigation, said Amy Ford, a CDOT spokeswoman.
[…]
“A probationary employee, who worked at CDOT from January 2016 to April 2016 and had access to confidential tax returns of DBE…firms, had been using personal information for improper purposes,” the notification letter, sent Wednesday, said.
Read more on Denver Post.


One way to control your music library? 
Apple Stole My Music. No, Seriously
“The software is functioning as intended,” said Amber.
“Wait,” I asked, “so it’s supposed to delete my personal files from my internal hard drive without asking my permission?”
“Yes,” she replied.
   What Amber explained was exactly what I’d feared: through the Apple Music subscription, which I had, Apple now deletes files from its users’ computers.  When I signed up for Apple Music, iTunes evaluated my massive collection of Mp3s and WAV files, scanned Apple’s database for what it considered matches, then removed the original files from my internal hard drive.  REMOVED them.  Deleted.  If Apple Music saw a file it didn’t recognize—which came up often, since I’m a freelance composer and have many music files that I created myself—it would then download it to Apple’s database, delete it from my hard drive, and serve it back to me when I wanted to listen, just like it would with my other music files it had deleted.

(Related) I will have to warn my students.
Apple Music’s new student membership option discounts the service by 50%
Amid news that Apple Music is getting a makeover come this summer, Apple today launched a new plan to boost subscribers to its streaming music service and competitor to Spotify, SoundCloud, Tidal and others.  It’s introducing an Apple Music student plan which will discount the service by 50 percent for those who are enrolled in an eligible college or university.
   The student membership is rolling out now in the available markets.


Think about those little secondary issues?
Cheryl Clark reports:
When Sharp Grossmont Hospital officials realized anesthesia drugs were disappearing from surgery carts, they turned to video surveillance to catch those responsible.  In the process, they also captured many images of women undergoing surgery.
The video surveillance has raised questions about patient privacy and how well the hospital managed its storage of dangerous drugs.
Read more on KPBS.


Useful backgrounder?  Something our App students could build? 
How Shops Track You Using Your Smartphone


Coming soon to a law firm near you?
Gabe Friedman reports:
The privacy focused class-action law firm Edelson P.C. announced it has filed a federal class-action under seal that targets a Chicago-based regional law firm for data security holes.
On Thursday morning, name partner Jay Edelson tweeted that he had filed a motion to unseal the complaint against the unnamed firm.
[…]
In an interview with Big Law Business in March, Edelson explained that his firm had conducted a year-long investigation and identified 15 major law firms with inadequate cybersecurity.  He said his firm planned to file a series of lawsuits that target data security vulnerabilities at law firms on behalf of firm clients who have concerns about how their data is being protected.
Read more on Bloomberg BNA.
I’m hard-pressed to see how any such civil suit could prevail if there’s been no actual hack or data compromise of the defendants’ systems, but the FTC could sure as hell investigate or take action if infosecurity is that bad.
Either way, this will be one to watch.  If nothing else, if the lawsuit is unsealed, this could become a name and shame situation to get law firms off the dime to bring their A game on security.


Will this impact our student portal?  Possibly.
Joey Bunch reports:
A bill to protect students’ online privacy while they are doing their school work is on its way to the governor’s desk to be signed into law.
The Colorado House gave it final passage Thursday with a 65-0 vote.  House Bill 1423 would prevent educational software and app makers from collecting any data that can be linked directly back to an individual student.
Read more on Denver Post.

(Related)  Same question.  Different state.
Rep. Cristin McCarthy Vahey (D-Fairfield) praised passage of legislation that would protect student privacy by imposing certain restrictions on the use and sharing of student data.  HB 5469, AN ACT CONCERNING STUDENT DATA PRIVACY, was passed by the Senate Wednesday evening.  The bill now goes to the Governor’s desk.
The legislation would restrict how student information may be used by contractors, consultants, and operators of websites, online services, and mobile applications for schools.  Companies would be required to specify how they will secure student data and would be prohibited from using student data for advertising unless authorized by the contract.
Read more on Fairfield Sun.


Lacking demonstrable intelligence themselves (real or artificial) it amazes me that politicians are addressing these issues.  Were they frightened by the Terminator movie? 
White House worries about bad A.I. coding
   President Barack Obama's administration released a report this week that examines the problem associated with poorly designed systems that, increasingly, are being used in automated decision making.
   A second effort looks at our algorithmic future through a series of four workshops held across the U.S. to examine A.I.'s impact on society.
   The U.S. will produce an A.I. report after it holds workshops beginning May 24 in Seattle.  That will be followed by meetings in Washington, Pittsburgh and New York City in July.


For some old school types. 
How to Get RSS Feed Updates Straight to Your Email Inbox
Maybe it’d be better to receive those RSS updates as emails.
Fortunately, this is possible!  You’ll need to know how to use IFTTT, which is a lovely web service that can perform all kinds of actions based on certain triggers.  In our case, whenever our RSS feed updates, we want IFTTT to send it to us as email.


Good news for the employability of my Computer Security students?
After ISIS, Americans Fear Cyberattacks Most


Perfect timing.  Today’s Computer Security lecture is on Networks.
Interop: 12 killer (and free) tools for network engineers
Visibility is key to troubleshooting network woes, but getting such access can be expensive.  To help out, a veteran networking pro shared with attendees of the Interop conference in Las Vegas his list of a dozen mostly free “killer” tools.


A real concern.  Likely to have a serious negative impact no matter who wins. 
Americans’ Distaste For Both Trump And Clinton Is Record-Breaking


I can predict which of my students will become this employee!

Thursday, May 05, 2016

Are we trying to get into the Guinness Book of World Records?  
Millions of stolen email credentials shared online by Russian hacker
Tens of millions of stolen credentials for Gmail, Microsoft and Yahoo email accounts are being shared online by a young Russian hacker known as "the Collector" as part of a supposed larger trove of 1.17 billion records.
That's according to Hold Security, which says it has looked at more than 272 million unique credentials so far, including 42.5 million it had never seen before.  A majority of the accounts reportedly were stolen from users of Mail.ru, Russia's most popular email service, but credentials for other services apparently were also included.
   Some 40 million of the credentials came from Yahoo Mail, 33 million were from Microsoft Hotmail, roughly 24 million were from Gmail, and nearly 57 million were from Mail.ru, according to Reuters.  Thousands of others came from employees of large U.S. companies in banking, manufacturing and retail, and hundreds of thousands more reportedly were from accounts at German and Chinese email providers.


Now this is interesting.  Would you believe that LAPD would keep this from the FBI? 
LAPD hacked into iPhone of slain wife of 'Shield' actor, documents show
   LAPD detectives found an alternative way to bypass the security features on the white iPhone 5S belonging to April Jace, whom the actor is accused of killing at their South L.A. home in 2014, according to a search warrant filed in Los Angeles County Superior Court.
The bypass occurred earlier this year, during the same period that the FBI was demanding that Apple unlock the iPhone 5C of San Bernardino shooter Syed Rizwan Farook.  The FBI eventually said it found another method for unlocking the phone without using Apple.
LAPD Det. Connie Zych wrote that on March 18, the department found a "forensic cellphone expert" who could "override the locked iPhone function," according to the search warrant.
The search warrant did not detail the method used by the LAPD to open the phone, nor did police reveal the identity of the cellphone expert.  It's also unclear what operating system April Jace's phone had.


The latest “warm and fuzzy” report. 
From 2013 to 2015, the NSA and CIA doubled the number of warrantless searches they conducted for Americans’ data in a massive NSA database ostensibly collected for foreign intelligence purposes, according to a new intelligence community transparency report.
The estimated number of search terms “concerning a known U.S. person” to get contents of communications within what is known as the 702 database was 4,672 — more than double the 2013 figure.
And that doesn’t even include the number of FBI searches on that database.  A recently released Foreign Intelligence Surveillance Court ruling confirmed that the FBI is allowed to run any number of searches it wants on that database, not only for national security probes but also to hunt for evidence of traditional crimes.  No estimates have ever been released of how often that happens.


A couple of interesting hypotheticals to kick around in my Computer Security class.
Susan Hennessey writes:
During the recent panel event at the Hoover Institution on using data to protect privacy, I had an interesting exchange with Laura Donohue of Georgetown Law, which I’ve been mulling over ever since.
I had made the argument that, in discussing information sharing and privacy, it is important to differentiate between different types of data.  There are a number of areas in which privacy and security are mutually reinforcing, as a genuine operational matter and not just as a linguistic framing.  In particular, I argued, where we can automate collection and processing of data, technology can increasingly promote both privacy and security. [I agree and extend this to Military Intelligence generally.  Bob]
Donohue disagreed, and she had a pretty good line in response:
Read more on Lawfare.

(Related)  Nothing specific.  In fact, it sounds like what yearbook photographers used to do with those old fashioned camera thingies.
Katie Banks reports:
Police are investigating following teenage girls’ claims they were caught on camera without their knowledge or permission.
Shawnee police are now investigating one of their male classmates at Mill Valley High School in the De Soto School District for a possible privacy breach.
Students at the high school and their parents agree that the news of a teenage boy taking cell phone technology too far has caused some concern.
Families received an email on Tuesday from Mill Valley High’s principal.  It says a student, using a cell phone, took photos and videos of female students in public places while at school.
Read more on Fox4KC.


My guess is that Donald Trump will not pick this as one issue to use against Hillary.  I suspect he would be uncomfortable discussing technology.  Okay, “uncomfortable” is not the right word.  Nothing seems to make him uncomfortable. 
Romanian hacker Guccifer: I breached Clinton server, 'it was easy'
   Guccifer’s potential role in the Clinton email investigation was first reported by Fox News last month.  The hacker subsequently claimed he was able to access the server – and provided extensive details about how he did it and what he found – over the course of a half-hour jailhouse interview and a series of recorded phone calls with Fox News.
Fox News could not independently confirm Lazar’s claims.
In response to Lazar’s claims, the Clinton campaign issued a statement  Wednesday night saying, "There is absolutely no basis to believe the claims made by this criminal from his prison cell.  In addition to the fact he offers no proof to support his claims, his descriptions of Secretary Clinton's server are inaccurate.  It is unfathomable that he would have gained access to her emails and not leaked them the way he did to his other victims.”
The former secretary of state’s server held nearly 2,200 emails containing information now deemed classified, and another 22 at the “Top Secret” level.

(Related)
Federal judge opens the door to Clinton deposition in email case
   Judge Emmet Sullivan of the U.S. District Court for the District of Columbia laid out the ground rules for interviewing multiple State Department officials about the emails, with an eye toward finishing the depositions in the weeks before the party nominating conventions.
Clinton herself may be forced to answer questions under oath, Sullivan said, though she is not yet being forced to take that step.
“Based on information learned during discovery, the deposition of Mrs. Clinton may be necessary,” Sullivan said in an order on Wednesday.


Architecting the perfect automobile platform?  What should your car do for you?
Ford Invests in Pivotal to Soup Up Its Software
Ford Motor Co. , like the rest of the auto industry, has a software problem: Elon Musk’s Tesla Motors.
Tesla has set the standard in the auto industry as the equivalent of an iPad on wheels, offering major software updates to improve vehicles.
On Thursday, Ford said it will invest $182.2 million in Pivotal Software Inc., a San Francisco-based software company expected to help Ford stay competitive as software and cars become one.
…   FordPass includes a smartphone app that helps users with parking, car sharing, remote access to vehicles and other services.  Ford ownership isn’t required to use the app, and Ford says that FordPass “aims to do for car owners what iTunes did for music fans.”


Is this the virtual assistant we’ve been waiting for?  (Or merely a better pizza ordering App?) 
Siri’s creators say they’ve made something better that will take care of everything for you
   The engineers erupted in cheers as the pizzas arrived.  They had ordered pizza, from start to finish, without placing a single phone call and without doing a Google search — without any typing at all, actually.  Moreover, they did it without downloading an app from Domino’s or Grubhub.
   The goal is not just to build great artificial intelligence. Companies see in this effort the opportunity to become the ultimate intermediary between businesses and their customers.


The best “new tool” ever! 
Google aims to kill 'Death by PowerPoint' with new Slides
   The new features -- currently rolling out on Android, iOS and the Web app -- aim to make slide presentations more interactive.  Audience members can ask questions and vote for which questions should get answered.
   Education is obviously one key market for Google.  Mary Jo Madda got to interview Bose—Survey Says:
Bose believes that the Q&A feature [has] implications for teaching practices. [And] for students who may be afraid to ask for help.
“As a student myself, I've definitely been lost and confused in class. [Q&A] takes away the fear of asking questions. ...  Other students who have up-voted your question are [undoubtedly] also confused.”

(Related)
How to Use the New Q&A and Laser Pointer Features of Google Slides @googledocs


This could be amusing!
Feds make it easier for students to use drones
The Federal Aviation Administration (FAA) on Wednesday announced new guidelines meant to make it easier for students to use drones for academic purposes.
Students at accredited educational institutions will not need to get authorization from the FAA, according to the guidelines, or apply for an exemption from existing rules.  Faculty members will also be able to use a drone without additional authorization, assuming they are assisting a student.


Some of my students have too much time on their hands.  They might be perfect for this.
Did You Know You Can Earn Money Testing Mobile & Web Apps?


Those who do not study history are doomed to repeat it, but have we lost so much so quickly?
Police Called After Student Tries To Buy Lunch With $2 Bill
An eighth-grade student found herself in hot water for buying chicken nuggets for lunch last week – using a $2 bill.
Danesiah Neal, an eighth grader at Fort Bend Independent School District’s Christa McAuliffe Middle School outside of Houston, Texas, attempted to pay for lunch with a $2 bill given to her by her grandmother, Sharon Kay Joseph.  However, cafeteria workers at the school didn’t believe that it was real – they never see $2 bills, apparently – and called the police.  According to Neal, the police officer told her that she could be in “big trouble” for using the bill which they believed to be counterfeit.
   Some semblance of sanity eventually took over and school officials called Joseph, who confirmed that she had given the bill to her granddaughter to pay for lunch.  In the meantime, the police (who apparently didn’t have much else to do that day) went to the convenience store where Joseph was given the bill.  They also took the bill to a local bank where it was eventually determined to be real.  Phony crisis averted.

Wednesday, May 04, 2016

So they can still generate electricity, but they can’t bill for it?  Or pay their employees?  Or their vendors? 
Richard Chirgwin reports:
A water and electricity authority in the US State of Michigan has needed a week to recover from a ransomware attack that fortunately only hit its enterprise systems.
Lansing’s BWL – Board of Water & Light – first noticed the successful phishing attack on its corporate systems on April 25, and has had to keep systems including phone servers locked down since then.
The company says customer data has not been stolen (only, as is the case in ransomware attacks, encrypted).
Read more on The Register.
Last week, the FBI posted an alert highlighting what we already knew: ransomware is on the rise.  And not only is it hitting all sectors, it’s hitting personal home computers.
What some may not know, and from the FBI’s alert:
And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all.  According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link.  They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.


Screwing up by the numbers?
Aha.  I see Brian Krebs got some answers before I did concerning a breach involving ADP.  On April 30, I had reported that Allegheny College suspected that employee reports of W-2 data compromise were linked to a breach involving ADP’s iPay.  In an email to this site earlier today, Rick Holmgren, the college’s vice-president of Information Services and Assessment, said he still had no idea how unauthorized third parties were able to register accounts on iPay.  ADP, contacted several times by DataBreaches.net, has yet to provide the requested explanation.
Enter Brian Krebs to the rescue.  Brian reports that the criminals were able to steal wage and tax data from ADP by registering accounts in the names of employees at “more than a dozen customer firms.”
ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.
Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.
…. A reader who works at the financial institution shared a letter received from Jennie Carlson, U.S. Bank’s executive vice president of human resources.
“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote.  “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
The letter continued:
“The incident originated because ADP offered an external online portal that has been exploited.  For individuals who had never used the external portal, a registration had never been established.  Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP.  Once the fraudulent registration was established, they were able to view or download your W-2.”
[….]
According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.
The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code.  As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.
Read more on KrebsOnSecurity.com.
The problem being described appears different than the problem being reported in connection with Greenshades clients.  As I’ve reported previously on this site, Greenshades claims their clients’ employees had their W-2 data compromised because they used their DOB and SSN as their login credentials, [Aargh!  Bob] and criminals who obtained that information elsewhere were then able to login as the employees and download their W-2 data.  Other clients’ employees, they claim, likely fell for a phishing scheme directing them to a fake Greenshades domain.
ADP and Greenshades are not the only payroll or W-2 vendors whose clients have been reporting problems.  As also noted previously on this site, Innovak customers in Mississippi and Alabama have reported problems, and Stanford University and its vendor, W-2 Express, are still investigating how over 700 Stanford employees had their W-2 data stolen.
How many other vendors have experienced compromises remains unknown, as some entities reporting breaches of their employees’ W-2 data are not naming their vendors.
Might this be a good time for all vendors to review and strengthen their authentication procedures?
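As an added illustration of the two enrollment weaknesses described above (this is example code, not ADP’s or Greenshades’ own), the model below contrasts a self-registration portal gated only by a static firm-wide code plus employee PII with one that requires a per-employee, single-use, expiring token delivered out of band. The employee record, company code and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EMPLOYEES = {"E1001": {"dob": "1980-01-01", "ssn_last4": "1234"}}  # constructed sample


@dataclass
class WeakPortal:
    # Registration gated only by one static, firm-wide code plus employee PII.
    company_code: str
    registered: set = field(default_factory=set)

    def register(self, emp_id, code, dob, ssn_last4):
        rec = EMPLOYEES.get(emp_id)
        if rec is None or emp_id in self.registered:
            return False
        if not hmac.compare_digest(code, self.company_code):
            return False
        if (dob, ssn_last4) != (rec["dob"], rec["ssn_last4"]):
            return False
        self.registered.add(emp_id)  # PII obtained elsewhere suffices here
        return True


@dataclass
class HardenedPortal:
    # Registration needs a per-employee, single-use, expiring token sent out of band.
    tokens: dict = field(default_factory=dict)  # emp_id -> (sha256(token), expiry)
    registered: set = field(default_factory=set)

    def issue_token(self, emp_id, now, ttl=7 * 24 * 3600):
        token = secrets.token_urlsafe(16)  # delivered privately, never published
        self.tokens[emp_id] = (hashlib.sha256(token.encode()).hexdigest(), now + ttl)
        return token

    def register(self, emp_id, token, now):
        entry = self.tokens.get(emp_id)
        if entry is None or emp_id in self.registered or now > entry[1]:
            return False
        if not hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest()):
            return False
        del self.tokens[emp_id]  # single use: a replayed token fails
        self.registered.add(emp_id)
        return True


def demo(now=1_700_000_000):
    # Same leaked knowledge (company code, DOB, SSN) tried against both portals.
    weak, hard = WeakPortal(company_code="ACME123"), HardenedPortal()
    claimed_weak = weak.register("E1001", "ACME123", "1980-01-01", "1234")  # True
    no_token = hard.register("E1001", "ACME123", now)  # False: no token was issued
    tok = hard.issue_token("E1001", now)
    legit = hard.register("E1001", tok, now + 60)  # True: right person, in time
    replay = hard.register("E1001", tok, now + 61)  # False: token already consumed
    return claimed_weak, no_token, legit, replay
```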


Or screwing up wholesale.  (We don’t need no stinking encryption!) 
EqualizeRCM Services is a vendor providing billing and collection services to healthcare providers.  In compliance with HIPAA, it has Business Associate contracts with its clients, who provide it with the information needed to fulfill its functions.  The firm has headquarters in Austin, Texas, and offices in Houston and Washington, D.C.
On February 29, EqualizeRCM learned that a laptop had been stolen from an employee on February 25 or 26.  A notification letter, signed by Janine Anthony Bowen of LeClairRyan to the New Hampshire Attorney General’s Office, does not indicate whether the laptop was stolen from the employee’s home, a car, or some other location.
[ … ]
In a statement posted on their web site on April 28, EqualizeRCM explained that
the information potentially exposed may have included patient name, address, phone number, date of birth, gender, insurance provider and policy number, health care provider information, billing and diagnosis codes, medical record number, internal reference number, date and type of service, the name of the treating facility, and other administrative information.
Financial account information and Social Security numbers were not impacted, and as of April 28, neither EqualizeRCM nor its clients were aware of any misuse of the information.  As a precaution, however, EqualizeRCM is offering affected patients services through AllClear ID.
[…]
In addition to offering remediation services, EqualizeRCM is also reviewing its policies and procedures, implementing additional safeguards to ensure information in its control is appropriately protected, and “retraining employees on existing policies for the proper handling of sensitive information.”


Are there billboards near potential targets?
Joe Cadillic isn’t buying any protestations that the data are “anonymous.”
He writes:
Clear Channel Outdoor (CCO) has 675,000 billboards worldwide most of which are tracking everyone’s smartphones and tablets.  CCO’s ad program is a partnership between AT&T and other companies that collect location data from smartphones, company officials said.
CCO’s smartphone electronic surveillance system is called “RADAR” which, they insist, anonymizes everyone’s data.  But it does much more than that: it tracks consumers’ real-world travel patterns and behaviors.
Read more on MassPrivateI.


Those who do not study technology are doomed to misunderstand it?  Frustrated (or technically ignorant) judges will certainly repeat rulings like this one. 
WhatsApp Goes Through Judicial Revolving Door in Brazil
A Brazilian court on Tuesday overturned a different court's Monday order that blocked WhatsApp, the messaging site owned by Facebook, amid a criminal investigation into drug trafficking in the state of Sergipe.
The earlier judicial demand that WhatsApp provide data considered critical to the investigation came soon after a ramp-up in the level of encryption built into the app.  Five major Internet service providers faced hefty fines of about US$142,000 daily if they failed to comply with the order.
The decision to block WhatsApp was clumsy and disproportionate, said Katitza Rodriguez, international rights director at the Electronic Frontier Foundation.
The order surprised activists in Brazil, who considered the move out of step with the spirit of the law, noted Javier Pallero, policy analyst at Access Now.
Brazilian lawmakers on Tuesday held hearings to consider a series of laws that could lead to a severe crackdown on open technology and privacy, as part of Brazil's Parliamentary Inquiry on Cybercrime.
Officials on Wednesday are expected to vote on seven pieces of legislation that would give police warrantless access to IP addresses, allow judges to block sites used for criminal purposes, and require monitoring of content on sites and apps deemed offensive, according to EFF.


Just to be clear…
Law Affords More Protection to PINs Than Prints
Although the Fifth Amendment to the U.S. Constitution protects citizens from self-incrimination, that protection doesn't extend to opening mobile phones with a fingerprint, according to Paul Rosenzweig, a George Washington University professorial lecturer in law.
"None of your physical characteristics are subject to Fifth Amendment protection," he told TechNewsWorld.
"You don't have a right to refuse to stand in a lineup," Rosenzweig said.  "You don't have a right to refuse an order to give your fingerprint to be compared to fingerprints at a crime scene."
The Fifth Amendment protects only things that are testimonial in nature.


Sometimes being the dominant player in a market can get expensive.  Would any insurance cover this?  If not, will they be able to replace all these airbags before bankruptcy?
Takata's fight for survival gets even harder as airbag recall widens
“This is just another step in the long decline of Takata,” said Jochen Siebert, managing director of JSC (Shanghai) Automotive Consulting Co.  “I just can’t see how Takata can survive this disaster.”
An expanded safety campaign will deal a further blow to President Shigehisa Takada, who has so far failed to contain a spiraling crisis that’s wiped out 75 percent of his family company’s market value in the past year.  Last May, the airbag supplier set the record for the largest automotive recall in U.S. history by agreeing to almost double the number of vehicles called back to about 34 million.


Something for my Spreadsheet students to play “what if” games with.
Traditional and Roth Individual Retirement Accounts (IRAs): A Primer
by Sabrina I. Pacifici on
CRS report via FAS – Traditional and Roth Individual Retirement Accounts (IRAs): A Primer, John J. Topoleski, Analyst in Income Security. April 27, 2016.
“In response to concerns over the adequacy of retirement savings, Congress has created incentives to encourage individuals to save more for retirement through a variety of retirement plans.  Some retirement plans are employer-sponsored, such as 401(k) plans, and others are established by individual employees, such as Individual Retirement Accounts (IRAs).  This report describes the primary features of two common retirement savings accounts that are available to individuals.  Although the accounts have many features in common, they differ in some important aspects.  Both traditional and Roth IRAs offer tax incentives to encourage individuals to save for retirement.  Contributions to traditional IRAs may be tax-deductible for taxpayers who (1) are not covered by a retirement plan at their place of employment or (2) have income below specified limits.  Contributions to Roth IRAs are not tax-deductible and eligibility is limited to those with incomes under specified limits…”


For my geeks!
IBM Is Now Letting Anyone Play With Its Quantum Computer
Quantum computing is computing at its most esoteric.  It’s an experimental, enormously complex, sometimes downright confusing technology that’s typically the domain of hardcore academics and organizations like Google and NASA.  But that might be changing.
Today, IBM unveiled an online service that lets anyone use the five-qubit quantum computer its researchers have erected at a research lab in Yorktown Heights, New York.  You can access the machine over the Internet via a simple software interface—or at least it’s simple if you understand the basics of quantum computing.


For my Students!  “Study hard.”  “Come to class on time.” 
How to Add Subliminal Messages to Windows
Whether you want to train your unconscious mind while you work, perform a study on whether these messages have an effect, or just play a few pranks on your friends’ computers, here’s how you can add some subliminal message text to Windows.


A recording studio on your phone?
Moog’s New App Is a Spot-on Recreation of a Classic Synth
Five years ago, Moog Music proved you could use the iPad as a real musical instrument when it released Animoog, a polyphonic synthesizer app that made full use of the tablet’s touchscreen.
The Moog Model 15 Synthesizer app is an iOS-powered recreation of the iconic Model 15 modular synth from 1973.  You can download it now for $30.  If you find that steep, consider two things.  One, this is a pro-grade instrument that plays and sounds like the business.  And two, a real Model 15 is the size of a suitcase and tops $10,000; the iPad version delivers 90 percent of the goods in something easily carried in your backpack.

(Related)  I wonder if any of my students have talent? 
BandLab - Collaboratively Create Music Online
BandLab is a free service that enables you to create music in your web browser or through free Android and iOS apps.  In BandLab you can create soundtracks using any of the virtual instruments that are provided.  You can also speak or sing to record a track.  Within the BandLab editor you can mix your tracks together to create a song.  If you have existing audio files on your computer, you can upload those to incorporate into your BandLab creations.
BandLab is designed to allow you to collaborate with others. To collaborate you first have to create a band in your BandLab profile then invite other users to join your band.