Saturday, August 06, 2016

One of the downside risks of “pushing” updates? 
PoS Trojan Bypasses Account Control Posing as Microsoft App
A newly discovered PoS (Point-of-Sale) malware can bypass computer defenses such as User Account Control (UAC) by posing as a legitimate Microsoft application, Doctor Web researchers have discovered.
   Upon infection, the Trojan performs a series of checks to determine whether any program that could hinder its activity is running on the targeted system.  It looks for copies of itself, as well as for virtual machines, emulators, and debuggers, and terminates itself if any of these is found.
Otherwise, the malware runs itself and attempts to gain administrator privileges by tricking the default system defenses.  In the User Account Control (UAC) warning triggered by the malware, however, the user is informed that the running application is called WMI Commandline Utility (wmic.exe) and is developed by Microsoft.
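A detection angle on this, as an added example (not Doctor Web's or SecurityWeek's code): the article says the UAC prompt names wmic.exe rather than the Trojan, which implies, though it does not state, that the Trojan starts its elevated copy through wmic.exe. The script below takes Sysmon-style process-creation events (field names follow Sysmon Event ID 1; the events themselves are constructed) and flags the two shapes that pattern leaves behind. The user-writable path list is an assumption about a default Windows layout.

```python
"""Added example (not Doctor Web's or SecurityWeek's code): flag Sysmon-style
process-creation events in which the auto-elevating wmic.exe brokers the launch
of a binary from a user-writable directory. Assumes, as the UAC prompt naming
wmic.exe implies, that the Trojan starts its elevated copy through wmic.exe.
Field names follow Sysmon Event ID 1; the events below are constructed."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Directories an unprivileged user can write to (assumption: default Windows layout).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Windows\\Temp)\\",
    re.IGNORECASE,
)
LAUNCHER = "wmic.exe"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_user_path(command_line: str) -> str:
    """First quoted or bare token that points into a user-writable directory, or ''."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        candidate = quoted or bare
        if USER_WRITABLE.match(candidate):
            return candidate
    return ""


def classify(event: Event) -> str:
    """Reason string if the event looks like wmic.exe-brokered elevation, else ''."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    high = event.get("IntegrityLevel", "").lower() == "high"
    cmd = event.get("CommandLine", "")
    # (a) elevated wmic.exe asked to create a process whose image sits in a user path
    if basename(image) == LAUNCHER and high:
        if re.search(r"process\s+call\s+create", cmd, re.IGNORECASE) and first_user_path(cmd):
            return "elevated wmic.exe creating process from user-writable path"
    # (b) the elevated child of wmic.exe itself lives in a user path (higher fidelity)
    if basename(parent) == LAUNCHER and high and USER_WRITABLE.match(image):
        return "high-integrity child of wmic.exe in user-writable path"
    return ""


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(Image, reason) for every event classify() flags."""
    return [(e["Image"], reason) for e in events if (reason := classify(e))]


SAMPLE_EVENTS: List[Event] = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "IntegrityLevel": "High",
     "CommandLine": r'wmic process call create "C:\Users\bob\AppData\Local\Temp\update.exe"'},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "IntegrityLevel": "High",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Program Files\Vendor\agent.exe",  # benign admin script using wmic
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "IntegrityLevel": "High",
     "CommandLine": r'"C:\Program Files\Vendor\agent.exe" /svc'},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",  # ordinary, unelevated run
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {image}")
```

wmic.exe is used by plenty of legitimate administration scripts, so rule (a) will be noisy on its own; rule (b), a high-integrity child of wmic.exe sitting under AppData or Temp, is the one worth paging on. The real fix is on the endpoint, not the SIEM: a UAC level that always prompts, or standard-user accounts without a local admin token to elevate with, leaves the Trojan nothing to borrow.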

My Computer Security students should find this confusing. 
Insurers working to fill cyberinsurance data gaps
Insurance companies typically have decades of data, if not more, on which to base their risk estimates.
That's not the case with cyber risk, however.  There's very little historical data available, the data is not complete, and the threat landscape doesn't just change year by year, but day by day.  There isn't even a standard set of definitions that everyone can agree on.
   One of the first problems when it comes to buying cyberinsurance is that nobody knows exactly what it means.  Corporate financial officers, security managers, and insurance brokers have different understandings of risk, for example.

According to a recent cyberinsurance survey by the SANS Institute, only 30 percent of underwriters and 38 percent of information security professionals believe that they speak the same language.  
   For example, one policy might refer to a "privacy breach," another to a "data breach", and a third to "network security wrongful acts."
"Is a privacy breach the same thing as a privacy wrongful act?" he asked.  "Is a data breach the same as a network security wrongful act?"
"And a lot of the language hasn't been tested in court yet," he added.
   In a recent survey the company conducted, only 10 percent of IT experts said they believed that their cyber coverage was completely up to date, and of those who had cyber insurance, only 43 percent were confident that it covered business email compromise fraud.  There was a similar lack of confidence about new social engineering attacks.
"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.

“We use that code to identify our VIP passengers, not for security.” 
Hacker uses fake boarding pass to get into every airline lounge for free
   The security flaw was discovered by Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team.  He discovered that lounge access is coded into the QR code of an electronic boarding pass, but not verified by any central database.
   The hack hasn’t been tested in North America, so it’s possible that it would be defeated by more stringent checks.  The TSA told Wired that lounge security is the responsibility of the airlines, and has nothing to do with the more general security apparatus.
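The flaw is a general one: an entitlement is carried in data the holder controls and the reader believes it without asking anyone. As an added example (not Jaroszewski's or Wired's code), here is a toy boarding-pass barcode with a "lounge" field, a reader that trusts the field, and a reader that first verifies an HMAC tag the airline computed over the fields. The field layout is made up for the demo and is not the IATA BCBP format; the airline key is a constructed assumption.

```python
"""Added example (not Jaroszewski's or Wired's code): a toy boarding-pass
barcode carrying a 'lounge' entitlement field. The first reader trusts the
field, which is the flaw described; the second verifies an HMAC tag the
airline computed over the fields. The field layout is made up, not IATA BCBP."""
import hashlib
import hmac
from typing import Dict, Tuple

# Assumption: a key shared between the airline's issuing system and the lounge readers.
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]


def _body(fields: Dict[str, str]) -> str:
    return ";".join(f"{k}={v}" for k, v in sorted(fields.items()))


def encode_pass(fields: Dict[str, str], key: bytes) -> str:
    body = _body(fields)
    return f"{body}|{_tag(body, key)}"


def split_pass(barcode: str) -> Tuple[str, Dict[str, str], str]:
    body, _, tag = barcode.rpartition("|")
    fields = dict(kv.split("=", 1) for kv in body.split(";"))
    return body, fields, tag


def lounge_reader_trusting(barcode: str) -> bool:
    """Believes whatever the barcode says about lounge access (the flaw)."""
    _, fields, _ = split_pass(barcode)
    return fields.get("lounge") == "Y"


def lounge_reader_verifying(barcode: str, key: bytes) -> bool:
    """Checks the tag over the fields first; an edited field invalidates it."""
    body, fields, tag = split_pass(barcode)
    if not hmac.compare_digest(_tag(body, key), tag):
        return False
    return fields.get("lounge") == "Y"


def forge_lounge_flag(barcode: str) -> str:
    """What someone without the key can do: flip the field and keep the old tag."""
    _, fields, tag = split_pass(barcode)
    fields["lounge"] = "Y"
    return f"{_body(fields)}|{tag}"


GENUINE = encode_pass(
    {"pnr": "ABC123", "name": "DOE/JOHN", "flight": "LO123", "seat": "31C", "lounge": "N"},
    AIRLINE_KEY,
)
FORGED = forge_lounge_flag(GENUINE)

if __name__ == "__main__":
    print("trusting reader, forged pass:", lounge_reader_trusting(FORGED))
    print("verifying reader, forged pass:", lounge_reader_verifying(FORGED, AIRLINE_KEY))
```

Two caveats a practitioner would add. A tag only proves the airline issued those fields; it does nothing against replaying a genuine pass that already says "Y", so the reader should also mark the pass used. And a reader that is online to the reservation system does not need a shared key at all; it can ignore the barcode's entitlement field and look the PNR up, which is the "central database" check the article says is missing.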

Another form of intimidation?  Actions short of war? 
Cyber Espionage Targets Interests in South China Sea
A cyber espionage campaign has been discovered apparently targeting participants in the recent Permanent Court of Arbitration case brought by the Philippines against China over Chinese claims of sovereignty in the South China Sea.
   The cyber espionage campaign was discovered by F-Secure.  It named it NanHaiShu, and has today published an analysis of the methodology and malware involved.   
   One thing is certain -- Chinese feelings in the South China Sea run deep.  Soon after the ruling, China commenced a major wargames exercise with, according to ZeroHedge, "some 300 ships, dozens of fighter planes, and involved troops that are responsible for coastal defense radars, communications, and electronic warfare defense."

Are we about to retaliate? 
Obama prepares to boost U.S. military's cyber role: sources
   Under the plan being considered at the White House, the officials said, U.S. Cyber Command would become what the military calls a "unified command" equal to combat branches of the military such as the Central and Pacific Commands.
Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, the officials said.  That would give Cyber Command leaders a larger voice in arguing for the use of both offensive and defensive cyber tools in future conflicts.

Perspective.  If Pokémon is eating batteries, what Apps are neglected? 
Pokémon Go drives a surge in smartphone backup battery sales
Early on in the Pokémon Go hype cycle, there were signs that players were driving a significant uptick in sales of backup batteries, like the Mophie units you may be familiar with that offer USB connections for topping up mobile devices while you’re away from an outlet.  Now, research from analytics firm NPD Group goes beyond early anecdotal evidence to show that in fact, unit sales across the portable power pack segment saw a 101 percent spike in the two weeks spanning July 10 and July 23, as compared to the same period last year.

Another week older but no wiser.
Hack Education Weekly News
   Denver District Judge Michael Martinez has ordered a halt to a Douglas County program that allowed parents to use vouchers to send their children to private schools.
   “Atlanta Public Schools debut new police force,” WSB-TV reports.  Every school will have a dedicated police force, which, as Tressie McMillan Cottom quips, is more than have AP classes.
   Also via Inside Higher Ed: “A prominent technology think tank wants the federal government to encourage the use of standardized assessments to measure postsecondary knowledge and skills, with an approach that would separate learning from credentialing and challenge the dominance of traditional college degrees.”

Friday, August 05, 2016

Update.  It takes a while to unravel the knots these hackers tied. 
Philippine central bank fines Rizal Bank over Bangladesh cyber heist failings
The Philippine central bank said on Friday it would fine Rizal Commercial Banking Corp (RCB.PS) (RCBC) a record 1 billion pesos ($21 million), after the bank was used by cyber criminals to channel $81 million stolen from Bangladesh Bank in February.
The central bank said in a statement that it was the largest amount it has ever approved "as part of its supervisory enforcement actions" on a bank.
   Unknown hackers tried to steal nearly $1 billion from the Bangladesh central bank's account at the Federal Reserve Bank of New York between Feb. 4 and Feb. 5, and succeeded in transferring $81 million to four accounts at RCBC in Manila.
RCBC earlier on Friday challenged Bangladesh Bank to take it to court, telling Reuters that the "Philippine side has done its part" and that the transfers were made based on authenticated instructions over payments network SWIFT.
   A Bangladesh central bank team is currently in Manila to try and recover some of the lost money, but said they were close to getting back only $15 million.

Somehow, I don’t think this will be received well.
Users of hacked bitcoin exchange may be forced to share loss
Hong Kong-based bitcoin exchange Bitfinex is likely to spread the $68 million loss from Tuesday’s cyber-theft among its clients.  This may include users who weren’t directly affected by the hack.
“We are still working out the details so nothing is set in stone, however we are leaning towards a socialized loss scenario among bitcoin balances and active loans to BTCUSD positions,” a spokesperson of the exchange posted on Reddit.

Niche investing?  Are the local versions of global Apps really worth this much? 
KKR, Warburg Pincus Invest in Indonesia Motorcycle-Hailing App Go-Jek
Investors including KKR & Co. and Warburg Pincus LLC reached a deal Thursday to invest more than $550 million in Indonesian motorcycle-hailing app PT Go-Jek, according to a person familiar with the situation.
   Go-Jek offers cheap, on-demand motorcycle taxis that can be booked through smartphones.  The company’s fixed prices and pickup times mean passengers don’t need to haggle over prices at motorbike stands.  It has also expanded into on-demand grocery shopping, delivery services, masseuses and beauticians, and has also ventured into offering cars and minivans.

(Related)  Clones without a niche?  Full on competition?
Startups Seek to Challenge Craigslist in Online Classifieds
An arms race is heating up to replace Craigslist, the dominant force in online classifieds the past two decades.
Startup companies OfferUp and Letgo are surging in popularity among people looking to buy and sell everything from used clothes to used cars through their smartphones.  And deep-pocketed investors are paying up for stakes in them even though they don’t charge for their services today.

Perspective.  Think of this as another indication that Big Data is really, really big!
Can Twitter Fit Inside the Library of Congress?
In 2010, the Library of Congress and Twitter announced a historic and incongruous partnership: Together, they would archive and preserve every tweet ever posted, creating a massive store of short-form thoughts.  It was odd: a 210-year-old institution partnering with a four-year-old startup, cataloging the internet’s ephemeral #brunchtweets.
   Yet, however dubious the task seemed back then, no one doubted the Library of Congress would get the work done.  If Twitter could handle a few million tweets a day, surely the largest library in the world could, too.
But as it turns out, it couldn’t.
   The library has been handed a Gordian knot, an engineering, cyber, and policy challenge that grows bigger and more complicated every day—about 500 million tweets a day more complicated.  Will the library finally untie it—or give in and cut the thing off?
“This is a warning as we start dealing with big data—we have to be careful what we sign up for,” said Michael Zimmer, a professor at the University of Wisconsin-Milwaukee who has written on the library’s efforts.  “When libraries didn’t have the resources to digitize books, only a company the size of Google was able to put the money and the bodies into it.  And that might be where the Library of Congress is stuck.”

For the student tool kit.
How to Quickly Scan Documents Using Android & Google Drive
   Get started by opening the Google Drive app on your Android phone.  Tap the floating + button in the bottom-right corner and choose Scan.  The app will launch your camera and you can snap a photo of whatever you’d like to scan.

For my students and my peers.
   If you think of social media as the sole province of vacation selfies and muffin recipes, the idea of using it for genuine professional development may seem absurd.  But there are plenty of ways you can use social media to build professional skills, knowledge, and relationships, without getting overwhelmed.
To get real learning value out of social media, ask yourself these three questions:
What do I want to learn?
When do I have time for learning?
Whom do I want to learn from or with?

Thursday, August 04, 2016

Do you really want my Ethical Hacking students to choose the next president?  “We’ve ignored this since the last election, but now it’s an emergency!” 
U.S. Seeks to Protect Voting System From Cyberattacks
The Obama administration is weighing new steps to bolster the security of the United States’ voting process against cyberthreats, including whether to designate the electronic ballot-casting system for November’s elections as “critical infrastructure,” Jeh Johnson, the secretary of Homeland Security, said on Wednesday.
   a vastly complex effort given that there are 9,000 jurisdictions in the United States that have a hand in carrying out the balloting, many of them with different ways of collecting, tallying and reporting votes.  [Far less than the number of Starbucks.  Bob] 
   Mr. Johnson said he was considering communicating with state and local election officials across the country to inform them about “best practices” to guard against cyberintrusions, and that longer-term investments would probably have to be made to secure the voting process.

Interesting.  This starts like a report of a breach that has nothing to do with health records, then they are amazed to find that it does!  They have no idea how that happened, but they claim to have blocked it? 
Rajiv Leventhal reports:
Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., announced on August 3 that it is notifying approximately 3.7 million individuals about a breach in which cyber attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations.
The incident was discovered by Banner Health on July 7, though the attack was initiated on June 17, according to the health system’s press release.  The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems.  Payment cards used at food and beverage outlets at certain Banner Health locations during the two-week period between June 23 and July 7 may have been affected.  The investigation revealed that the attack did not affect payment cards used to pay for medical services, the organization said.
Then, on July 13, Banner Health learned that the cyber attackers may have indeed gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers.  The patient and health plan information may have included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health.  The physician and provider information may have included names, addresses, dates of birth, social security numbers and other identifiers they may use.
Read more on Healthcare Informatics.
Banner Health has created a support site for the breach.
[From the Healthcare article: 
How the hack expanded from certain food and beverage outlets to patient information systems is currently unclear.  But, Banner has mailed letters to 3.7 million patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers related to the attack.
The health system said that it “worked quickly to block the attackers and is working to enhance the security of its systems in order to help prevent this from happening in the future.” 

This makes no sense.  Why give up such valuable access for a few minutes of “fame?”  The standard playbook suggests they did not have access, but may be able to get their hooks into a hurriedly created replacement. 
JTA reports:
An Israeli cyberintelligence company claims it has hacked Islamic State communications and learned about the group’s plans to attack U.S. air bases in Kuwait, Bahrain and Saudi Arabia.
Intsights, which is run by former Israel Defense Forces intelligence officers and based in Herzliya, said Wednesday it had hacked the forum on which ISIS operatives publish terror attack plans, the Times of Israel reported citing Channel 10.
Read more on JTA.
[From the Times article:
Arvatz said the group would doubtless be closed down now that it had been exposed on Israeli television.

Just whisper in Big Brother’s ear. 
Joe Cadillic writes:
Researchers at the University of Salamanca (USAL) have developed a ‘Sentiment Analysis’(SA) algorithm that monitors Twitter and Facebook.
Psychologist Paul Ekman has worked with the CIA, DOD and DHS for years, helping develop facial emotion detection.
Our government is also using ‘Emotive Analytics‘ (EA), to arrest and imprison innocent people!
Ekman has provided training to a whole series of people who were guards at Abu Ghraib prison, too, in how to extract information and truth without torture.  “They used my [facial analysis] work, and it was very successful,” Ekman said.
It’s only a matter of time, before police use Emotive Analytics to arrest Americans.
American policing of a person’s sentiments, is this a joke?
Sadly, this is no joke.
Read more on MassPrivateI.

What can my students learn for this?  I’ll have them hack in and see.  (They’ll want to leave their resumes on the group’s desktops in any case.)
IBM Unveils "X-Force Red" Pen Testing Group
The new "IBM X-Force Red" team is a group of ethical hackers that will pound the virtual walls of companies in an effort to discover vulnerabilities in their networks, hardware, and applications.
Led by pen testing guru Charles Henderson, who previously served as VP of Managed Security Testing at Trustwave, the X-Force Red team consists of hundreds of security professionals scattered across dozens of locations around the world.
In addition to searching for software vulnerabilities and misconfigurations, the team will help test the human element, by performing phishing and social media attack simulations, along with physical security tests to determine the risks associated with in-person interactions. 

IT Architecture.
A new set of relationships is being formed within companies around how people working in data, analytics, IT, and operations teams work together.  Is there a “right” way to structure these relationships?

Perhaps “brick and mortar” isn’t enough anymore? 
Will Walmart Really Buy is new, available to the general public for only a little over a year.  A year that has been a turbulent one – had to reset its business model away from memberships early on and its valuation got a quick resetting from a targeted $2 billion to the $1.34 billion valuation eventually settled on in November of last year.  But on the other hand, it did hit that unicorn valuation in less than six months – the firm found itself involved in some high profile partnerships (like this one with the White House) and has ended its years with numbers trending toward the black – but not there yet.
But differences aside, they have a common enemy in Amazon – the firm that disrupted Walmart out of being the biggest retailer on Earth by market cap, and the undisputed leader in U.S. eCommerce that entered the field to disrupt.  In some sense the firms were always natural friends despite being competitors.
And now, if recent reports are to be believed, it may be the case that and Walmart are going to be more than friends with a common enemy, and instead may become a single firm with a common cause – retail dominance in store and online.

The very definition of unpredictable?  “I can’t win because everything is rigged against me?”
'A sense of panic is rising' among Republicans over Trump, including talk of what to do if he quits
Donald Trump’s relations with the Republican Party – and his political fortunes – worsened dramatically Wednesday, as party leaders fretted openly about the inability of his campaign staff to control him and even began to discuss what to do if their unpredictable nominee suddenly quit the race.
   “The bottom line is that he has to get more disciplined,” said Bennett, still a Trump supporter.  “There’s no doubt about it.  We can’t have unforced errors.”
Trump showed no signs he would heed that advice.
   He ran through a long list of other grievances, insisting the media had unfairly criticized him at every turn.

For our Networking students?
Israel’s SolidRun creates open networking kit inspired by Raspberry Pi
SolidRun, a developer of electronic modules and PCs, said it is launching ClearFog Base kit, an off-the-shelf open development kit that enables do-it-yourself hardware enthusiasts to create their own telecom-grade routers.

I often feel like Wally after teaching a class.

Wednesday, August 03, 2016

One of the problems with “virtual” currencies – virtual criminals. 
120,000 Bitcoin Stolen in Bitfinex Breach
Hong Kong-based Bitfinex, one of the world’s largest digital currency exchanges, suspended deposits and withdrawals on Tuesday after discovering a security breach that resulted in a large amount of Bitcoin getting stolen.  The incident led to a significant drop in the value of Bitcoin.
Bitfinex launched an investigation and reported the breach to law enforcement.  The investigation so far revealed that 119,756 Bitcoin have been stolen from customers’ wallets.  The exchange platform believes other currencies are not impacted.
The stolen Bitcoin units were worth roughly $72 million before the breach was discovered, but the value of the cryptocurrency dropped by more than 20 percent following the incident.
   No information has been provided on how the security breach occurred. Bitfinex uses the services of BitGo, which specializes in Bitcoin and blockchain security, but BitGo says there is no evidence of a breach on its own servers.
Bitfinex representative Zane Tackett explained on Reddit that the platform uses several security mechanisms, but the attackers somehow managed to bypass them.  The company also has limits in place to prevent hackers from draining wallets, but those limits were circumvented as well.

Targeting phone numbers because they can’t read the text? 
Telegram explains what really happened from its ‘massive’ hacker attack
Telegram today responded to reports that it was the victim of a “massive hacker attack” that originated in Iran.  The messaging app company said that while 15 million accounts were implicated, the hack was not as severe as one might think and only publicly available data was collected.
   Cyber researchers shared with Reuters that Iranian hackers were able to access more than a dozen accounts on Telegram and ultimately identify phone numbers of 15 million users in the country.  It’s been claimed that Rocket Kitten was behind the attack, carrying out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”
In response to the news, Telegram clarified that while publicly available data was collected from among 15 million users, individual accounts were not directly accessed.  “Such mass checks are no longer possible since we introduced some limitations into our API this year,” the company explained in a blog post.  That said, the company did acknowledge that since its app is based around phone contacts, anyone could “potentially” check to see if a particular phone number is registered in the system — something Telegram said was possible with WhatsApp, Facebook Messenger, and other similar apps.
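The "limitations into our API" Telegram mentions are the practical defence against this kind of sweep: the check itself cannot be removed from a contacts-based app, so the goal is to make checking fifteen million numbers from one account impractical. As an added example (not Telegram's code or API), here is a per-account budget on how many numbers a contact-import call may look up inside a sliding window; the registered-numbers table and the accounts are constructed.

```python
"""Added example, not Telegram's code or API: a per-account budget on how many
phone numbers a contact-import call may check inside a sliding window, the kind
of limitation that makes a 15-million-number sweep from one account impractical.
The registry and the accounts are constructed."""
from collections import deque
from typing import Deque, Dict, Iterable, Optional, Set, Tuple

# Constructed "registered users" table: every 7th number in a block of 10,000.
REGISTERED: Set[str] = {f"+1555123{i:04d}" for i in range(0, 10000, 7)}


class ContactImportGate:
    def __init__(self, max_lookups: int, window_seconds: float) -> None:
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._history: Dict[str, Deque[Tuple[float, int]]] = {}

    def lookup(self, account: str, numbers: Iterable[str], now: float) -> Optional[Set[str]]:
        """Registered subset of `numbers`, or None when the account has spent
        its budget for the window. `now` is injected so the logic is testable."""
        numbers = list(numbers)
        history = self._history.setdefault(account, deque())
        while history and now - history[0][0] >= self.window:
            history.popleft()
        used = sum(count for _, count in history)
        if used + len(numbers) > self.max_lookups:
            return None  # refused: nothing is checked, and the attempt is not charged
        history.append((now, len(numbers)))
        return {n for n in numbers if n in REGISTERED}


def phone(i: int) -> str:
    return f"+1555123{i:04d}"


if __name__ == "__main__":
    gate = ContactImportGate(max_lookups=2000, window_seconds=3600)
    synced = gate.lookup("alice", [phone(i) for i in range(300)], now=0)
    print("alice syncs 300 contacts, registered:", len(synced or ()))
    for t in range(4):
        batch = [phone(i) for i in range(t * 1000, (t + 1) * 1000)]
        status = "accepted" if gate.lookup("mallory", batch, now=t) is not None else "refused"
        print("mallory batch", t, status)
```

A budget like this only slows a single account; an attacker with thousands of throwaway accounts divides the sweep among them, so the per-account limit needs company from per-device and per-IP signals, and the app should not reveal registration status for numbers that are not already mutual contacts. The refused call above is also deliberately not charged against the budget, which keeps a burst of refused requests from locking a legitimate user out for the whole window.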

Too common.  Why spend money securing something you are trying to sell?
200 Million Yahoo Accounts Allegedly Held Ransom For 3 Bitcoins, Roughly $1,800 US
Surprise, surprise, Yahoo has been hacked AGAIN.  This time, 200 million Yahoo accounts are supposedly being shopped around for 3 bitcoins, or roughly $1,800 USD.
A hacker known as Peace has listed the alleged credentials of Yahoo users on The Real Deal marketplace.  He had been trading the data privately, but decided to go public on the dark web. Peace is also supposedly responsible for selling recent dumps of MySpace and LinkedIn accounts.

For my Computer Security students.
How to Know If Someone Has Hacked Your Social Media
Gmail has long had a feature that allows you to see if your account is logged in at several locations.  The feature also allows you to securely log those locations out if you detect any suspicious activity.
If you want to protect your social media presence, there are similar methods to make sure no one is accessing your Facebook or Twitter accounts.

The Ultimate Ransomware Website You Should Know About
Being hit by any kind of malware is nasty, but ransomware packs an extra-tough punch because it locks you out of your own data.  We’ve shown ways to protect yourself from ransomware, and it’s important to stay vigilant in the fight against these terrible attacks.
Now, there’s a site that everyone should visit to learn about ransomware, and it’s called  Sponsored by Kaspersky and Intel Security, the site aims to be a resource for anyone to learn about ransomware, as well as to help people affected by the infection get their stuff back if possible.

Something to amuse my Ethical Hacking students, but not really much of a threat, yet.
The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse

Finding tools for Big Brother?
New initiative from Privacy International tracks the global surveillance industry
by Sabrina I. Pacifici on Aug 2, 2016
“A new initiative launched today by Privacy International aims to track the growth and scale of the global surveillance industry, a shadowy sector consisting of companies selling a wide range of electronic surveillance technology to government agencies across the world.  Made available today is the world’s largest publicly available educational resource of data and documents on surveillance, the Surveillance Industry Index (SII), which is based on data collected by journalists, activists, and researchers across the world and is the product of months of collaboration between Transparency Toolkit and Privacy International.  Accompanying the index is a landmark report charting the industry’s development and its current reach.  The SII, which is completely searchable, features over 1500 brochures and data on over 520 surveillance companies as well as over 600 reported individual exports of specific surveillance technologies taken from open source records, including investigative and technical reports, as well as government export licensing data.  The resource will help the public, activists, journalists and policy makers better understand the modern surveillance industry and technologies.”

Unfortunately, terrorists can easily schedule attacks just before the “emergency” expires, to keep any country in crisis mode.
   France’s parliament on July 22 did not simply extend the state of emergency that President Francois Hollande declared in the wake of the horrific Paris attacks last November.  Propelled by the despicable Bastille Day attack a week earlier in Nice, lawmakers significantly expanded emergency powers of police search, seizure and detention.  They also used the emergency powers act to slip more than a dozen new draconian counterterrorism provisions into French criminal law.  In contrast to the emergency measures, which lapse in six months, these changes to France’s criminal codes are permanent.

Interesting.  I wonder if I could use this technique here in the US?
Why ‘Missed Call’ Marketing Has Taken Hold in India
   In India, however, recent census data shows that 75% of the population earns less than Rs. 5,000 ($75) a month.  So how many people can afford their monthly mobile bill?
Surprisingly, the number is very high.  There are two reasons for this.  Handset prices are plummeting.
   The second reason is that a missed call (miskol in the Philippines; beep in Africa; memancing in Indonesia; and flashcall in Pakistan) costs nothing.  Drivers and maids call their employers and disconnect.  The employer calls back, thus effectively transferring charges.
   “Missed call marketing (MCM) is the simple concept of engaging via a free call,” says Anurag Banerjee, chief growth officer of Ozonetel Systems, a provider of cloud communication services that enables businesses to run missed call campaigns on its platform.  A consumer calls a number and hangs up and receives a call back or an SMS sharing the cricket score or whatever.  Most missed call activation campaigns are simple one-or-two-step processes.
   Want to hear Prime Minister Narendra Modi’s latest Mann ki Baat (Words from the heart) speech? Give a missed call. One million people did so after a new phone number was released.
   The Employees Provident Fund Organization has started a missed-call service for its 35 million contributing members which enables them to track their account balance.
   “It needs a smaller infrastructure set-up to receive missed calls and, therefore, it offers huge capacity to receive user requests,” he says.  “Then, using outbound dialing lines, a return call can be made as and when capacity for calling back is available.  Toll-free numbers also allow users to access information at zero cost.  When a user calls toll-free, he gets connected to the brand using inbound dialing lines.  If a large number of callers is expected to access the number, the company has to put in more infrastructure for receiving calls.  Also, at peak load, users get a busy signal.

This can’t be correct, can it?  We don’t negotiate with terrorists and we don’t pay ransoms.  Doing so would make travel to any country short on hard currency a much greater risk.  Are we that dumb? 
Report: U.S. sent $400M cash to Iran as American detainees freed
   The Obama administration strongly denied paying any ransom to Iran, Brennan says, but according to details first reported by the Wall Street Journal, currency worth $400 million was flown into Tehran on a cargo plane around the same time that the Americans were released.
The plane was loaded with cash: Euros, Swiss Francs and other currencies, since any transaction with Iran in dollars is illegal under United States law.
Senior U.S. officials, Brennan reports, claimed the timing was coincidental: President Obama had planned to pay Tehran nearly 2 billion dollars to settle an outstanding legal dispute from before the 1979 Islamic Revolution.
"With the nuclear deal done, prisoners released, the time was right to resolve this dispute as well," Obama said.
But the administration never consulted Congress, according to Republican Congressman Ed Royce, who accused the White House of paying ransom to a state sponsor of terrorism, and as details of the cash became public Tuesday, there were instant reverberations on the campaign trail.

Too cool!  I’ll remember this next time I teach statistics.
Credit Suisse is using cheesecake to forecast sales at Nordstrom
When Nordstrom stopped reporting monthly same-store sales, a very important number for investors, an alternative had to be found.
The answer was cheesecake, or The Cheesecake Factory to be exact.
The Cheesecake Factory still reports monthly same-store sales in its quarterly report, often a few weeks ahead of Nordstrom.
"As we have generally considered Nordstrom's customer to be similar to The Cheesecake Factory's (CAKE) customer, we took a deeper look at just how profound the overlap actually is," Michael Exstein, a Credit Suisse analyst, said in a note to clients.
"We found from our analysis that the historical [comparable same-store] sales are in fact very closely correlated, as the companies' store locations are for the most part in very close proximity to one another."
   It seems ridiculous, but it actually seems to work.
A regression analysis comparing historical same-store sales data between the companies shows an R-value of 0.93 — the closer to 1, the closer the two match each other.  When comparing total sales, the R-value drops slightly to 0.89.  (Those values were calculated by Credit Suisse based on historical data through 2013, and just because they were related in the past doesn't mean they will continue to be.)  
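For the statistics class, an added example (not Credit Suisse's analysis or its data): Pearson r between a proxy series and a target series, a least-squares line fitted on the early months, and the error on the months held out of the fit, which is the test the caveat in parentheses above is asking for. Every number is constructed; the variable names borrow the tickers only as labels.

```python
"""Added example, not Credit Suisse's analysis or its data: Pearson r between
a proxy series and a target series, an ordinary least-squares line fitted on
the early months, and the out-of-sample error on the later ones, which is the
check the caveat in the article calls for. All numbers are constructed."""
from math import sqrt
from typing import List, Tuple


def pearson_r(xs: List[float], ys: List[float]) -> float:
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series with at least two points")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def ols(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Slope and intercept of the least-squares line y = a*x + b."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return slope, my - slope * mx


def fit_and_check(proxy: List[float], target: List[float], train: int) -> Tuple[float, float]:
    """r on the training window and the worst absolute error on the held-out months."""
    slope, intercept = ols(proxy[:train], target[:train])
    r_train = pearson_r(proxy[:train], target[:train])
    worst = max(abs(intercept + slope * x - y) for x, y in zip(proxy[train:], target[train:]))
    return r_train, worst


# Constructed monthly same-store sales growth (%), proxy first, target second.
CAKE = [2.1, 1.8, 3.0, 0.5, -1.2, 2.4, 1.1, 3.3]
JWN = [2.4, 1.5, 3.4, 0.9, -0.8, 2.0, 1.4, 3.0]

if __name__ == "__main__":
    r, worst = fit_and_check(CAKE, JWN, train=6)
    print(f"in-sample r = {r:.2f}, worst out-of-sample error = {worst:.2f} pts")
```

The in-sample r says how well the line fits the months it was fitted on; only the held-out error says anything about the next month, and that is the number that stops being reassuring when the two chains' customers drift apart.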

Better than Notepad++?
11 Sublime Text Tips for Productivity and a Faster Workflow
If you’re a programmer, you’re either more comfortable using a text editor or a full-blown IDE, and your choice will likely depend on the programming languages you use.  But if you go the text editor route, Sublime Text is the king.

Tuesday, August 02, 2016

For my Computer Security students.  See why I stress Best Practices? 
Defending Our Data: The Need for Information We Do Not Have
by Sabrina I. Pacifici on Aug 1, 2016
Warner, Richard and Sloan, Robert H., Defending Our Data: The Need for Information We Do Not Have (July 29, 2016). Available for download at SSRN:
Data breaches occur at the rate of over two a day.  The aggregate social cost is high.  Security experts have long explained how to defend better.  So why does society tolerate a significant loss that it has the means to avoid?  Current laws are ineffective in providing an adequate incentive to avoid the loss.  As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.”  However, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.”  We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security.  The solution is to provide better guidance about what counts as reasonable security measures.  Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.

For my Ethical Hacking students and the Pen-Testing Club.
Researcher Earns $5,000 for Hacking Imgur
Researcher Nathan Malcolm started analyzing Imgur’s systems in the summer of 2015 and quickly discovered several types of vulnerabilities, including clickjacking, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues.
While it had been accepting vulnerability reports, Imgur only launched a bug bounty program in September 2015, shortly after hackers discovered a flaw that allowed them to attach malicious code to image files.  Attackers exploited the security hole to launch a distributed denial-of-service (DDoS) attack against the imageboard website 8chan.
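The three bug classes named above (clickjacking, XSS, CSRF) are the first things a bounty hunter checks on any web target, and two of them can be triaged from response headers alone. The following is an added example for the Pen-Testing Club, not the researcher's code or anything from Imgur: it grades a response for clickjacking protection (CSP `frame-ancestors` wins over `X-Frame-Options` when both are present; `ALLOW-FROM` is ignored by current browsers) and notes session cookies that lack `SameSite`, which means the server must rely on a CSRF token. The header sets are constructed samples, not captured Imgur responses.

```python
"""Triage an HTTP response's headers for clickjacking and CSRF exposure.

Added example; not Imgur's code or the bounty report. Header sets below
are constructed for illustration. Absence of SameSite is reported as a
"needs token" note, not a vulnerability: a server-side CSRF token is a
complete defence on its own.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; Set-Cookie may repeat


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return sources.split()
    return None


def clickjacking_findings(headers: Headers) -> List[str]:
    """Empty list means framing by third-party origins is blocked."""
    lowered = {name.lower(): value for name, value in headers}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    findings: List[str] = []
    if ancestors is not None:
        # CSP takes precedence over X-Frame-Options in browsers that support it.
        for src in ancestors:
            if src in ("*", "http:", "https:"):
                findings.append(f"frame-ancestors source {src!r} permits framing from any origin")
    elif not xfo:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: any origin can frame this page")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is ignored by Chrome/Firefox; any other value is treated as absent.
        findings.append(f"X-Frame-Options value {xfo!r} is not honoured by current browsers")
    return findings


def csrf_findings(headers: Headers) -> List[str]:
    """Flag cookies that will be attached to cross-site requests (no SameSite=Lax/Strict)."""
    findings: List[str] = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(
                f"cookie {cookie_name!r} lacks SameSite=Lax/Strict; "
                "cross-site requests carry it, so every state-changing endpoint needs a CSRF token"
            )
    return findings


def assess(headers: Headers) -> dict:
    return {"clickjacking": clickjacking_findings(headers), "csrf": csrf_findings(headers)}


# Constructed sample responses (not real captures).
WEAK: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
HARDENED: Headers = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]
OPEN_CSP: Headers = [
    ("Content-Security-Policy", "frame-ancestors *"),
    ("X-Frame-Options", "DENY"),  # ignored: the CSP directive governs
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED), ("open-csp", OPEN_CSP)):
        print(label, assess(hdrs))
```

The `OPEN_CSP` sample is the case students most often miss: a strict `X-Frame-Options: DENY` next to a permissive `frame-ancestors` is still frameable, because the CSP directive overrides it.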

Yeah, we were looking for him but we were not searching for him. 
Pinging a cellphone is justified by exigent circumstances, court holds
In a decision issued today in United States v. Caraballo, the U.S. Court of Appeals for the Second Circuit (per Judge Guido Calabresi) held that police did not violate the Fourth Amendment when they “pinged” a suspect’s cellphone because exigent circumstances existed.  I find the outcome plausible on its facts, but the analysis strikes me as pretty unusual.  
   The second part of the exigent circumstances analysis is more doctrinally novel.  Judge Calabresi quotes a passage from a prior case saying that the amount of force and the degree of privacy invasion used in carrying out a search and seizure are relevant to reasonableness.  From that, he deduces a somewhat different principle:

Maybe cheating a little on emissions tests was not such a good idea?
Bavaria to sue VW over state pension fund losses
As of September 2015, when the emissions manipulation scandal became public, Bavaria held some 58,000 preferred shares in Lower-Saxony-based Volkswagen.  They've lost some 40 percent of their value, and dpa reports that Bavaria is seeking 700,000 euros ($781,480) in damages.

Now this could be amusing!
Washington state suing Comcast over repair fees, credit checks
Washington state has lodged a $100 million consumer-protection lawsuit against cable-television giant Comcast.
Comcast engaged “in a pattern of deceptive practices,” the state claimed Monday, saying it believes Comcast committed more than 1.8 million individual violations of the state Consumer Protection Act, affecting 500,000 state residents.
Attorney General Bob Ferguson briefed the media about the lawsuit Monday, saying that Comcast’s “deceptive” practices came in three areas involving repair charges and credit checks.
   The case revolves in part around a Comcast service plan that customers can subscribe to for a monthly $4.99 fee.  The company says the plan covers repairs to customer-owned wiring related to Xfinity TV, voice and internet.  Comcast marketing material says the plan is “comprehensive.”
But in many cases, the state claims, Comcast charged for or would not repair customer issues, despite the online description of the plan.
“It simply covers the technician visiting the customer’s house and declaring that the customer’s equipment is broken,” the lawsuit says.

So the distribution isn’t random?  Will we see an investigation?  Do we need Pokecops?  (I hereby copyright the word Pokecops so I can sue when they make a movie or TV show about them!  I will also register a trademark, apply for a patent, and ask my old friend Guido to break the kneecaps of any infringers.) 
PokemonNo for sex offenders, New York governor says
At the request from New York Governor Andrew Cuomo, the state’s Department of Corrections and Community Supervision will ban nearly 3,000 paroled sex offenders from playing PokemonGo.
   Cuomo said in a news release.  “These actions will provide safeguards for the players of these augmented reality games and help take one more tool away from those seeking to do harm to our children.”
The governor’s decision came days after two New York state senators released a report that found that Pokemon and game items often appeared next to sex offenders’ houses. Investigators visited 100 homes of offenders convicted of sexual abuse of children or the possession of child pornography and found that Pokemon appeared in front of 57 percent of them.  Overall, the investigation found that 73 of the 100 addresses belonging to sex offenders that were surveyed were within half a block from a Pokemon, PokeStop or a gym — all key locations for the game’s players that could draw children near.
   The governor was concerned that “lures,” a feature in the game that allows a player to attract Pokemon to a specific location, could also be used by predators to attract children hunting the critters.
Cuomo also sent a letter to the game’s creator, Niantic Inc., to ask for its help to prevent offenders from downloading the game.  He asked the state’s Division of Criminal Justice Services to share an updated registry of sex offenders with the company.
In 2008, Cuomo introduced legislation that required state agencies to give information about sex offenders to dozens of social media companies.  The companies then use that list to keep the offenders off their platforms.

It’s there in plain English, but not everyone reads it like I do. 
Federal Agencies Seek Cyberdefenders
The U.S. government is in the process of hiring a small army of information technology specialists to bolster its efforts to protect data held at federal agencies from cybersecurity threats.  The federal government hired 3,000 new cybersecurity and IT professionals in the first six months of the current fiscal year.
In addition, the government is "committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017," said Shaun Donovan, director of the Office of Management and Budget.
The hiring spree is just one component of a "first ever" Federal Cybersecurity Workforce Strategy revealed by the White House last month.  [Why is this a separate strategy?  Perhaps there is no “Federal (everything else) Workforce Strategy?”  Bob]
   "However, the supply of cybersecurity talent to meet the increasing demand of the federal government is simply not sufficient," the officials added.  [So it is impossible to meet our goals?  Bob]
The workforce strategy includes four major components:
Education and Training
Recruit Federal Talent
Retain Talent
Identify Requirements  [Shouldn’t this be first?  Bob] 

IT Architecture is changing every day. 
Four U.S. companies rule the world's cloud infrastructure
There are plenty of companies vying for a piece of the worldwide cloud infrastructure market, but the top four -- all in the U.S. -- dominate by such a wide margin as to effectively leave their competitors in the dust.
That's the overriding conclusion of a study released Monday by Synergy Research Group
Amazon Web Services, Microsoft, IBM and Google collectively control more than half of the worldwide cloud infrastructure service market, Synergy found, with an overwhelming lead by AWS, which held a 31 percent share in the second quarter.  Microsoft came next with 11 percent, while IBM weighed in at 8 percent, and Google came in with 5 percent.

Why?  Are they falling short on recruiting?  Yes, they are. 
Air Force raises enlistee age limit from 27 to 39
   The new policy comes at a time of a declining defense budget, a shrinking military and falling recruiting goals, however.  From 2009 to 2013, the number of recruits dropped from nearly 32,000 to just over 26,000.  While recruiting goals for 2014 are still being finalized, they’re likely to fall again.

They really want everyone on Windows 10. 
Missed the Free Windows 10 Upgrade? Psst, Here’s a Backdoor!
   Microsoft has left open a small backdoor that you can exploit to get the Windows 10 upgrade after the deadline.  While the offer is closed for the general public, Microsoft invites customers who use assistive technologies on Windows 7, 8, or 8.1 to upgrade for free anytime.
So how do you benefit?  Well, Microsoft isn’t actually checking if you use assistive technologies or not.

Something for my students?  What do they already use and what should I be recommending? 
3 Easy Ways to Learn Anything on Social Media for Free
   According to a 2014 research study by Ofcom, 66% of all adults aged 16+ have at least one social networking profile.  That is a staggering number.  Also, each person on average spends 31 hours on the Internet every month.
   In this article, I will show you how to extract knowledge from the same online communities that we spend the majority of our online time on.
   Have you tried joining one of Facebook’s many free and educational groups?
·  BBC English – To learn or just better your English.
·  The Next Web – On technology and related news.
   You can create your own closed group on Facebook and use it as a platform to connect, collaborate, and learn with your friends.

Monday, August 01, 2016

Hacking for fun and profit? 
Tuoi Tre News reports:
Two Vietnamese commercial banks have taken measures to protect customers who have used their cards in transactions with Vietnam Airlines, in the wake of a breach concerning more than 400,000 membership credentials of the national flag carrier.
An alleged group of Chinese hackers compromised the Vietnam Airlines system on Friday, stealing information from some 410,000 VIP member accounts of the carrier’s Lotusmiles program.
The data, including names, birthdays and addresses of the members, were later made available for download by the hackers, raising further security issues for those affected.
Read more on Tuoi Tre News.

If they were really good, they would not have been detected.
North Korea Hacked Into Emails of Seoul Officials: Report
Seoul prosecutors on Monday accused North Korea of hacking into the email accounts of dozens of South Korean government officials this year, the latest in the series of suspected cyber attacks by Pyongyang.
   "The passwords of 56 accounts were stolen," the statement said.
The hackers set up 27 phishing sites in January posing as popular portals like Google and South Korea's Naver, as well as government and university websites, to steal the passwords.
The prosecutors said the malicious codes used in the latest attack were the same as the ones used by North Korea in previous attacks on the South.  [Suggesting they were following a script?  Bob]
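Phishing sites that pose as Google, Naver or a government portal work because the hostname looks right at a glance. The following is an added example for my Computer Security students, not code from the prosecutors' report or from any of the named companies: a small lookalike-domain classifier that normalises common character substitutions (0/o, 1/l, rn/m, accented letters) and then compares the registrable name against a watch list by edit distance, separately flagging the "brand as subdomain" trick (`naver.com.login-check.net`). The watch list, the two-label "registrable domain" rule and the sample hostnames are all assumptions made for the example; a production version would use the Public Suffix List and a fuller confusables table.

```python
"""Classify hostnames as legitimate, lookalike, brand-in-subdomain or unrelated.

Added example; not from the Seoul prosecutors' report. The watch list and
sample hostnames are constructed. The registrable-domain rule (last two
labels) is a simplification: real code should consult the Public Suffix List.
"""
import unicodedata
from typing import List, Optional, Tuple

# Assumed watch list of brands the phishing kits in the article impersonated.
PROTECTED = ["google.com", "naver.com", "gov.kr"]

# Multi-character substitutions first so "rn" is folded before "n" is examined.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Lower-case, strip accents, and fold common look-alike substitutions."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES:
        stripped = stripped.replace(bad, good)
    return stripped


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(hostname: str) -> Tuple[str, List[str]]:
    """Return (registrable domain, subdomain labels) using the two-label assumption."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(hostname: str) -> Tuple[str, Optional[str]]:
    registrable, sub = split_host(hostname)
    # 1. Exact match on the registrable domain is the real site (or a subdomain of it).
    for brand in PROTECTED:
        if registrable == brand:
            return ("legitimate", brand)
    # 2. Registrable name within a small edit distance of a brand after folding.
    reg_name = normalize(registrable.split(".")[0])
    for brand in PROTECTED:
        brand_name = brand.split(".")[0]
        threshold = 1 if len(brand_name) < 8 else 2
        if levenshtein(reg_name, brand_name) <= threshold:
            return ("lookalike", brand)
    # 3. Brand name appears as a subdomain label of some other registrable domain.
    sub_norm = [normalize(label) for label in sub]
    for brand in PROTECTED:
        if brand.split(".")[0] in sub_norm:
            return ("brand-in-subdomain", brand)
    return ("unrelated", None)


# Constructed sample hostnames, not addresses from the case.
SAMPLES = [
    "www.google.com",
    "accounts.g00gle.com",
    "naver.com.login-check.net",
    "navver.com",
    "example.org",
]

if __name__ == "__main__":
    for host in SAMPLES:
        verdict, brand = classify(host)
        print(f"{host:32} {verdict:20} {brand or '-'}")
```

Ordering matters: the exact-match test runs first so `mail.google.com` is never reported as a lookalike of itself, and the subdomain test runs last so a hostname that is both a lookalike and carries a brand label gets the more specific verdict.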
   The latest cyber attack comes just days after South Korean police said the North stole the personal data of over 10 million customers at South Korean online shopping mall Interpark.
Interpark was unaware about the attack until July 11, when it was blackmailed with threats to publicise the leaked data unless the company paid three billion won (US$2.7 million).
The National Police Agency said the North's main spy agency -- the Reconnaissance General Bureau -- had organised the hack in a bid to earn hard currency.

A security company to watch?
Cybersecurity startup PhishMe raises $42.5 million to help employees spot phishing attacks
PhishMe, a cybersecurity startup that helps companies thwart phishing attacks among other targeted malware, has closed a $42.5 million series C round led by existing investor Paladin Capital Group, with participation from Bessemer Venture Partners.
Founded in 2011, Virginia-based PhishMe provides the tools to engage employees across an organization so that they can recognize malicious phishing emails.  Part of this involves conditioning them into being able to spot rogue emails, but it also lets them easily report questionable emails to the appropriate security teams internally.
   Cybersecurity has emerged as one of the hottest categories for investment in recent times — just yesterday, SafeBreach raised $15 million to test companies’ cybersecurity from a hacker’s perspective.  And in the past couple of months, other notable cybersecurity investments include Bay Dynamics raising $23 million for its risk analytics platform, Post-Quantum nabbing $8 million, Darktrace securing $65 million, SecurityScorecard closing a $20 million round, and Cylance attracting $100 million for its A.I.-driven security platform.
So what makes PhishMe stand out for its new investor?
“Despite the growing number of security vendors in the market, we quickly realized the huge potential behind PhishMe’s business proposition,” explained Alex Ferrara, partner at Bessemer Venture Capital.  “The most damaging cyber-attacks almost always involve phishing or spear phishing attempts and that is why empowering the human element or employees to detect these phishing campaigns has become a top priority for modern enterprises.”

Because Microsoft won’t hand over emails stored in Ireland? 
On July 15, the Obama administration unveiled proposed legislation designed to improve the process by which law enforcement agents access digital evidence across borders.  (David Kris has a superb summary of the legislation here.)  This is something that the two of us have long urged, and we were both pleased to see the administration’s ultimate—and extremely thoughtful—proposal.  (Indeed, the proposal reflects many of the human rights and privacy protections that we proposed several months ago.)
In this post, we seek to clarify what the legislation does and why it is necessary—for our economy, our security, and perhaps most of all, our privacy.

Attention Ethical Hacking students!  You can’t use Watson to help with your final exam!  Can you?  (This was the Best Use of Watson?) 
How a Dev Got Watson to Play Pokémon GO For Him
Nintendo's Pokémon GO has already overtaken Candy Crush Saga to become one of the most-used apps.  One of the main draws of the game for many people is that it gets players off their couches and out into the real world in search of Pokémon, and this post by Lynne Slowey on IBM’s Internet of Things blog highlights an impressive use of the Watson API to help players find these virtual creatures.
   When approaching a Pokéstop, the Watson API takes screenshots of the app in the background at regular intervals.  The screenshots are sent to the Watson Visual Recognition API for analysis, with a trained classifier able to tell if there are any Pokémon nearby from those screen shots, with the location broadcast to nearby players.
Hsu’s project ended up winning Best Use of Watson challenge at the AT&T Shape Tech Expo Hackathon in San Francisco.  While it certainly fits with the collaborative gameplay ideal that encourages people to work together and help each other find Pokémon, it also raises the potential for some innovative ways to monetize the game, such as advertising, subscriptions, or to draw players to a physical business location.

The Didi-Uber deal seems more an agreement not to compete than a buyout or merger. 
Did Apple just grab a slice of Uber?
A lot of people will be talking about news this morning that Didi is to buy Uber China in a deal valued at around $35 billion, a deal that puts Apple firmly in the ride-sharing market.
What’s setting speculation free is Apple’s recent billion-dollar investment in Didi and its widely reported Apple Car plans.
   What that means is that for the cost of its billion-dollar Didi investment, Apple now has a stake in Uber and relationships with ride hailing services worldwide.
That’s a pretty useful position to be in when the company appears to be heavily invested in Apple Car.

It’s not Pokémon, but it might be some day.
Chinese consortium agrees to $4.4 billion deal for Caesars online games
   Caesars Entertainment’s main operating unit, Caesars Entertainment Operating Co Inc, is currently involved in an $18 billion bankruptcy and is seeking creditor approval for a restructuring plan.  The transaction between CAC and the Caesars Entertainment parent is part of a complex web of deals that have come under scrutiny by CEOC’s creditors.
Chinese companies are eager to expand beyond their home country, which boasts the world’s largest online gaming market.  In June, Tencent Holdings, China’s biggest gaming group, agreed to buy a majority stake in “Clash of Clans” mobile game maker Supercell from SoftBank Group in an $8.6 billion deal.
Caesars’ online games business, known as Playtika, makes its games such as Bingo Blitz and Slotomania available on Apple’s App Store.  Playtika will continue to operate independently with its own management team and its headquarters remaining in Herzliya, Israel, following the deal, the companies said.
Playtika players use virtual currency that cannot be exchanged for real money, although players can spend money by buying items in the games.  Caesars’ World Series of Poker and real-money online gaming businesses are not part of the deal, according to the companies.

GSK and Google parent forge $715 million bioelectronic medicines firm
   Galvani will develop miniaturized, implantable devices that can modify electrical nerve signals. The aim is to modulate irregular or altered impulses that occur in many illnesses.
GSK believes chronic conditions such as diabetes, arthritis and asthma could be treated using these tiny devices, which consist of an electronic collar that wraps around nerves.
   GSK first unveiled its ambitions in bioelectronics in a paper in the journal Nature three years ago and believes it is ahead of Big Pharma rivals in developing medicines that use electrical impulses rather than traditional chemicals or proteins.
The tie-up shows the growing convergence of healthcare and technology.  Verily already has several other medical projects in the works, including the development of a smart contact lens in partnership with the Swiss drugmaker Novartis that has an embedded glucose sensor to help monitor diabetes.

I think that I shall never see
A poem lovely as a synthetic tree.  Doesn’t work does it? 
The ultimate “Green” technology? 
Artificial Leaf That Produces Fuel From CO2 And Sunlight
   “The new solar cell is not photovoltaic — it’s photosynthetic,” Amin Salehi-Khojin, assistant professor of mechanical and industrial engineering at UIC, said.  Salehi-Khojin, who is also the senior author of a related study published in the journal Science, added: “Instead of producing energy in an unsustainable one-way route from fossil fuels to greenhouse gas, we can now reverse the process and recycle atmospheric carbon into fuel using sunlight.”
The new solar cells can remove carbon dioxide, or CO2, from the atmosphere — like trees do — and farms that use such cells as artificial leaves “could produce energy-dense fuel efficiently,” according to the UIC website.  The fuel produced by the cells is “synthesis gas, a mixture of hydrogen gas and carbon monoxide,” which “can be burned directly, or converted into diesel or other hydrocarbon fuels.”

As a blogger…
Fair Use issues for journalists, researchers, bloggers
by Sabrina I. Pacifici on Jul 31, 2016
When Does ‘Fair Use’ Become Unfair? Copyright law allows journalists to quote just enough — but not too much. Who draws the line? / By Paul Raeburn
“In the United States, copyright protection for authors and other creators comes with the explicit understanding that others have “the right to use copyrighted material without permissions or payment under some circumstances — especially when the cultural or social benefits of the use are predominant.”  That seems straightforward enough.  But it has puzzled and worried journalists for decades…Peter Jaszi and Pat Aufderheide at American University have written a “Set of Principles in Fair Use For Journalism,” which covers most of the questions likely to come up in a newsroom or at a freelancer’s desk…”