Saturday, October 29, 2016
For my Computer Security students. The whole world is against you!
Mirai Botnet Infects Devices in 164 Countries
Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.
In early October, Mirai’s developer released the malware’s source code and also revealed that there were over 300,000 devices infected with it. Soon after, as the botnet was increasingly used in DDoS attacks, Flashpoint security researchers determined that over half a million IoT devices worldwide were vulnerable to Mirai, because they were protected by weak security credentials.
I like it! But it will never happen.
White & Case LLP write:
At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies.
On 13 October 2016, the Information Commissioner, Elizabeth Denham, (the “Commissioner”) gave evidence to a House of Commons Public Bill Committee (the “Committee”) regarding the ICO’s recommendations for the Digital Economy Bill (the “Bill”). The Commissioner expressed support for making directors personally liable for breaches of data protection law by their companies.
Read more on Lexology.
I wonder how often they do a “two-year review?”
Donna Borak reports:
A U.S. bank regulator on Friday disclosed a data breach involving a former agency employee’s unauthorized removal of more than 10,000 records.
The cybersecurity breach was first detected by the Office of the Comptroller of the Currency in September while the agency was undertaking a retrospective two-year review of employees downloading information in an effort to help minimize cyberthreats.
Read more on WSJ.
Update. Why don’t I get students like this? Oh wait, I do!
Oops. I missed this one when Tristan Kirk first reported it:
A notorious teenage hacker who was the brains behind more than 1.7 million cyber attacks around the world is facing jail.
Adam Mudd, 19, sold access to his Titanium Stresser programme, allowing users to crash websites and computers by overloading them with requests.
He is believed to have made more than £300,000 before his 18th birthday through subscriptions to his programme, which fueled 1,738,828 cyber attacks around the globe between September 2013 and March last year.
Mudd designed the distributed denial of service (DDoS) software from his bedroom when he was just 15, first roadtesting it by crashing the West Herts College’s website while he was studying computer science there.
Read more on The Evening Standard.
A novel use of technology!
Ontario police are broadcasting thousands of text messages to phones used close to the site of a murder.
Police hope the messages will bring forward new evidence and eyewitnesses to the murder of John Hatch last year.
The phones have been identified as being in use on 16 December close to the route Mr Hatch travelled on the night he was killed.
About 7,500 people are expected to receive the messages asking them to contact police.
Read more on BBC.
Of note: the OPP said it used a court order to discover the numbers of all the active phones known to have been used last year in the vicinity.
"Après moi le deluge." I expect many more “concrete injuries.”
Klein Moynihan Turco LLP write:
On October 24, 2016, the United States District Court for the Southern District of California refused to dismiss claims brought by two former inmates and their counsel regarding violations of a California privacy law. The plaintiffs commenced a class action against Securus Technologies, Inc. (“Securus”), a self-proclaimed “inmate communications provider,” alleging that Securus unlawfully monitored and recorded telephone conversations between the inmates and their counsel. The California Invasion of Privacy Act (“CIPA”) “makes it a felony to, ‘without permission from all parties to the conversation, eavesdrop on or record, by means of an electronic device, a conversation, or any portion thereof, between a person who is in the physical custody of a law enforcement officer or other public officer, or who is on the property of a law enforcement agency or other public agency, and that person’s attorney . . . .’”
Read more on JDSupra.
[From the article:
Among other arguments contained in its motion to dismiss, Securus alleged that the plaintiffs’ allegations were insufficient to provide standing. The Court rejected this argument, holding that a violation of CIPA is indeed a concrete and particularized injury in fact.]
An interesting article. (The GIF headline is a nice touch!)
HOW THE UAE IS RECRUITING HACKERS TO CREATE THE PERFECT SURVEILLANCE STATE
“Be careful what you wish for, 'cause you just might get it.” I toss these at my international students just to watch the amazed expression on their faces…
The Economics Of The Uber Employment Decision Is Not Quite What You Think - Drivers Are Now Poorer
Much excitement in left wing circles as Uber loses a case at an employment tribunal. The argument was over what is the legal status of Uber drivers? Are they really self-employed? Or do they have a closer relationship with the firm, something closer to employment, or even as an employee? This is of course a legal question and one that depends upon the vagaries of UK employment law. However, the underlying economics here is rather clear–the result, whichever way it goes, isn’t going to change the overall conditions for Uber drivers very much, if at all. The net effect is in fact to make them slightly poorer. Because all of those things which come with closer employment relationships actually come out of the wages of the workers in the first place.
What benefit is there for NYC?
Study: NYC's Airbnb ban costs $500M
Airbnb hosts in New York City could generate a half billion dollars each year by renting out their homes to tourists, according to a new analysis, but that money will likely disappear under the state’s new penalties targeting short-term rentals.
The business-friendly American Action Forum calculated the price of short-term rentals in the city and found that Airbnb hosts have the potential to earn $500 million each year. They did not account for empty rooms that remain unfilled on any given night.
… Critics of Airbnb say the short-term rental website is raising the cost of living in New York City, but others point out it provides economic opportunity to residents and feeds tax dollars into the state and city coffers.
Hack Education Weekly News
… Via Edsurge: “U.S. Dept. of Ed. Unveils Free Online Tool for Rapid Evaluation of Edtech Products.”
… Via The New York Times: “Obama Brought Silicon Valley to Washington.” (Is that a good thing?) [At least the large contributors. Bob]
… Via Inside Higher Ed: “A divided federal appeals court on Wednesday upheld a lower court’s ruling that a Minnesota community college was justified when it kicked a student out of a nursing program because of Facebook comments administrators deemed to be unprofessional and threatening to fellow students.”
… Via the Education Law Center: “Several New Jersey civil rights and parent advocacy organizations have filed a legal challenge to new high school graduation regulations recently adopted by the State Board of Education. The new rules make passing the controversial PARCC exams a requirement for a New Jersey high school diploma and will also prevent students who opt out from graduating.” [What happens if no one passes? Bob]
… Via the MIT Media Lab: “Blockcerts – An Open Infrastructure for Academic Credentials on the Blockchain.” [Why? Bob]
… Also via Edsurge: “Pursuing Academic Freedom and Data Privacy Is a Balancing Act.”
… Via The Next Web: “Survey shows millennials fall for cyber scams more often than seniors.”
Inspired by the Privacy Foundation’s seminar on Encryption and Privacy, I thought I’d point you to these tools created by Drexel University that illustrate how easy/complex encryption is. I encrypt the instructions for a mini-project, then point the students to the encryption/decryption calculator. They have to create keys and encrypt a message to me.
This guide is intended to help with understanding the workings of the RSA Public Key Encryption/Decryption scheme.
RSA Express Encryption/Decryption Calculator
This worksheet is provided for message encryption/decryption with the RSA Public Key scheme
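The arithmetic behind the RSA calculator above, as an added example (not code from the Drexel tools or from this blog): derive the key pair from two primes and a public exponent, then encrypt and decrypt with modular exponentiation. The primes, exponent and message are constructed classroom values; a real deployment uses moduli of 2048 bits or more and OAEP padding, never raw m^e mod n.

```python
"""Textbook RSA with small numbers, in the style of a classroom
encrypt/decrypt calculator.  Added example; constructed sample values."""

from math import gcd


def generate_keypair(p, q, e=65537):
    """Derive an RSA key pair from distinct primes p, q and public exponent e.

    Returns ((e, n), (d, n)).  Raises ValueError when e is not invertible
    modulo phi(n) = (p-1)(q-1), which is exactly the condition a calculator
    checks when it rejects an invalid e.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} shares a factor with phi(n)={phi}; pick another e")
    d = pow(e, -1, phi)  # modular inverse, so d*e == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt_int(m, public_key):
    """c = m^e mod n for a single integer block 0 <= m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt_int(c, private_key):
    """m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(text, public_key):
    """Encrypt one character per block (the calculator's letter-by-letter mode).

    Classroom illustration only: with no randomised padding, equal letters
    give equal ciphertext blocks, so letter frequencies leak straight through.
    """
    return [encrypt_int(ord(ch), public_key) for ch in text]


def decrypt_text(blocks, private_key):
    return "".join(chr(decrypt_int(c, private_key)) for c in blocks)


if __name__ == "__main__":
    # Constructed sample: p=61, q=53 give n=3233, phi=3120; e=17 is a common textbook choice.
    public, private = generate_keypair(61, 53, e=17)
    print("public key  (e, n) =", public)    # (17, 3233)
    print("private key (d, n) =", private)   # (2753, 3233)
    c = encrypt_int(65, public)               # 65 is the code for 'A'
    print("65 ->", c, "->", decrypt_int(c, private))
    blocks = encrypt_text("Hi Bob", public)
    print(blocks, "->", decrypt_text(blocks, private))
```

Students can reproduce each intermediate value (n, phi, d, c) on the worksheet and confirm it matches; the point of the size check in `encrypt_int` is that a block at least as large as n cannot be recovered, which is why the calculator encrypts letter by letter.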
Friday, October 28, 2016
What scams could hackers run with this data?
Allie Coyne reports:
More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.
A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.
The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.
Read more on ITNews.com.au.
See the Red Cross’s statement and FAQ here.
It works. Is it because we have a poor education system? Because people fear the IRS? Because they trust anyone on the phone?
Justice Department charges dozens in massive Indian call center scheme
The callers in India, claiming to be officials with the Internal Revenue Service or immigration services, would present those who answered the phone with an ultimatum. Pay us, or we’ll fine you, deport you or arrest you.
Their network was expansive, and their work lucrative. Justice Department officials announced charges against 61 people and entities Thursday and said the call center scheme had scammed at least 15,000 victims out of more than $250 million.
Be careful what you hack.
Teen Arrested for Cyberattack on 911 Emergency System
An 18-year-old teen from Arizona was arrested this week after one of his iOS exploits caused serious disruption to 911 emergency systems.
According to the Maricopa County Sheriff’s Office, Meetkumar Hiteshbhai Desai was booked on three counts of Computer Tampering, which in this case is a Class 2 felony, considered an extremely serious crime in Arizona and other states, due to the fact that it involved critical infrastructure.
The Maricopa County Sheriff’s Office Cyber Crimes Unit launched an investigation after being notified of disruption to the 911 service in the Phoenix metro area and possibly in other states.
Desai apparently learned of an iOS bug that can be exploited to manipulate devices, including trigger pop-ups, open email, and abuse phone features. The teen created several exploits and published one of them on a website, linking to it from his Twitter account in an effort to prank his followers.
While Desai claimed he wanted to publish a link to an exploit that only displayed pop-ups and caused devices to reboot, he mistakenly tweeted a link to an exploit that caused iPhones and iPads to continually dial 911 and hang up.
For the Computer Security SIG.
How Hackers Play Capture the Flag
Because your face is an open book?
Facebook Inc.’s software knows your face almost as well as your mother does. And like mom, it isn’t asking your permission to do what it wants with old photos.
While millions of internet users embrace the tagging of family and friends in photos, others worried there’s something devious afoot are trying to block Facebook as well as Google from amassing such data.
As advances in facial recognition technology give companies the potential to profit from biometric data, privacy advocates see a pattern in how the world’s largest social network and search engine have sold users’ viewing histories for advertising. The companies insist that gathering data on what you look like isn’t against the law, even without your permission.
Read more on Crain’s.
Laura Sydell reports:
Nearly half of all American adults have been entered into law enforcement facial recognition databases, according to a recent report from Georgetown University’s law school. But there are many problems with the accuracy of the technology that could have an impact on a lot of innocent people.
Read more on NPR.
How does one enforce this law? Police drones? How does one fly a drone without seeing where it is going?
Lisa Vaas reports:
Sweden last week banned the use of camera drones without a special permit, infuriating hobby flyers and an industry group but likely pleasing privacy campaigners.
Drone pilots will now have to show that there’s a legitimate benefit that outweighs the public’s right to privacy – and there are no exemptions for journalists, nor any guarantee that a license will be granted.
Read more on Naked Security.
An interesting question.
… As the jobs-based economy gives way to the gig economy, winners and losers are determined by the type of worker you are — or can become.
Workers with specialized skills, deep expertise, or in-demand experience win in the gig economy. They can command attractive compensation, garner challenging and interesting work, and secure the ability to structure their own working lives. Workers who possess strong technical, management, leadership, or creative abilities are best positioned to take advantage of the opportunity to create a working life that incorporates flexibility, autonomy, and meaning.
Entrepreneurial workers also win. The gig economy rewards hustle. Workers entrenched in a passive, complacent employee mindset that relies on their employer to provide a sense of stability, career progression, and financial security will struggle.
This could be interesting.
FCC Derails ISP Customer Data Gravy Train, Requires Explicit Consent For Sharing Sensitive Information
The FCC rule was passed this morning with a 3-2 vote. It requires ISPs, or internet providers, to obtain a customer’s explicit consent before sharing certain information with third parties. FCC Chairman Tom Wheeler remarked, “It's the consumers' information. How it is used should be the consumers' choice. Not the choice of some corporate algorithm.”
Kiss your cash goodbye? This year is set to be a turning point for credit
Is this the beginning of the end for cash?
As consumers have increasingly used credit and debit cards and made purchases online and on apps, they’ve used less and less cash; in 2016, consumers will spend a greater amount on cards than they do with cash for the first time, according to the market-research firm Euromonitor International, which has been tracking consumer payments over the last several decades.
… South Korea’s government, for example, started to promote credit cards around 1997 in an effort to boost consumption in the country and cut down on cash payments, which are harder to track for tax purposes, according to The Economist.
… Although a switch to a digital payment system would potentially save countries a lot of money, since cash is expensive to make and keep in circulation, many citizens have concerns about banks and governments having access to information on what they’re spending, regardless of whether they’re actually involved in any improper or illegal activities.
Perspective. I never would have guessed a number this high.
68 Percent of Millennial Small Business Owners Rely on Social Media for Brand Promotion
… New data (PDF) from Magisto shows that 68 percent of Millennial small business owners and entrepreneurs depend on social media channels for developing awareness of their own brands.
…and Jeff Bezos doesn’t care!
Amazon spending ahead of holidays hurts profits
Amazon.com Inc. disappointed investors with a lower-than-expected third-quarter profit, as the company beefed up its spending on fulfillment centers, shipping costs, video content and product development ahead of the all-important holiday season.
Without Amazon Web Services (AWS), its cloud-based computing service business, Amazon would have lost money. AWS on its own reported revenue of $3.2 billion and operating income of $861 million. Amazon’s total operating income in the quarter was $575 million, with net income of $252 million, or 52 cents a share, while analysts were looking for about 78 cents a share.
Search thousands of historical documents from the Nuremberg trials
by Sabrina I. Pacifici on Oct 26, 2016
“The Harvard Law School Library uniquely owns and manages approximately one million pages of documents relating to the trial of military and political leaders of Nazi Germany before the International Military Tribunal (IMT) and the subsequent twelve trials of other accused Nazi war criminals before the United States Nuremberg Military Tribunals (NMT) during the period 1945-49. Considered by many to be the most significant series of trials in history, these trials were established to prosecute those in authority in the Nazi regime for war crimes and crimes against humanity, to document those atrocities so that a permanent historical record would be created, and to establish a standard of conduct acceptable in time of war. The documents — which include trial transcripts and full trial exhibits and related materials — have been studied by lawyers, scholars and other researchers in the areas of history, ethics, genocide, and war crimes, and are of particular interest to officials and students of current international tribunals involving war crimes and crimes against humanity. To preserve the contents of these documents — which are now too fragile to be handled — and to provide expanded access to this material, the Library has undertaken a multi-stage digitization project, originally conceived in the late 1990s and implemented in stages since then. The Nuremberg Trials Project is an open-access initiative to create, present and make accessible digitized images of the Library’s Nuremberg documents, document descriptions, associated transcripts in both full-text and image formats and general information about the trials.”
· Examine trial transcripts, briefs, document books, evidence files, and other papers from the trials of military and political leaders of Nazi Germany.
Secrecy News reports portions of CIA Records Search Tool will be posted for public access
by Sabrina I. Pacifici on Oct 27, 2016
FAS – Secrecy News – Steven Aftergood: “The Central Intelligence Agency said this week that it will post its database of declassified CIA documents online, making them broadly accessible to all interested users. The database, known as CREST (for CIA Records Search Tool), contains more than 11 million pages of historical Agency records that have already been declassified and approved for public release. Currently, however, CREST can only be accessed through computer terminals at the National Archives in College Park, MD. This geographic restriction on availability has been a source of frustration and bafflement to researchers ever since the digital collection was established in 2000. (See CIA’s CREST Leaves Cavity in Public Domain, Secrecy News, April 6, 2009; Inside the CIA’s (Sort of) Secret Document Stash, Mother Jones, April 3, 2009). But that is finally going to change. The entire contents of the CREST system will be transferred to the CIA website, said CIA spokesperson Ryan Trapani …”
Thursday, October 27, 2016
For my Governance and Architecture students.
The Harvard Business Review Slack bot gives free business and career advice
The Harvard Business Review has made a Slack bot to serve up advice for business leaders, startup founders, and everyone else working with a team or in an office setting.
The HBR bot, which became available last week, draws on more than 200 HBR articles about best practices, from how to bounce back from a failed negotiation to the best ways to give team feedback.
Each piece of advice comes with an article and a bullet list of do’s and don’ts for the TL;DR crowd.
… HBR bot is made with Slackbot, a customizable bot made by Slack.
The bot is free, but the HBR paywall limits reading to four articles per month.
Should my Computer Security students plan for this? What evidence to gather and how to present it?
Department Releases Intake and Charging Policy for Computer Crime Matters
… In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act: the 2014 Intake and Charging Policy for Computer Crime Matters. This document guides federal prosecutors in determining when to open an investigation or charge an offense under the Computer Fraud and Abuse Act.
Is AI the next tool for IBM to rule the world? Do we have a choice?
IBM: In 5 years, Watson A.I. will be behind your every decision
… The Watson system is set to transform how businesses function and how people live their lives. "Our goal is augmenting intelligence," Rometty said. "It is man and machine. This is all about extending your expertise. A teacher. A doctor. A lawyer. It doesn't matter what you do. We will extend it."
… Watson technology will touch hundreds of millions of people by the end of this year alone, IBM's CEO said.
And in many cases, its user may not know it.
… With Watson working behind the scenes on OnStar Go, drivers could get help avoiding traffic when they're low on gas, have a cup of coffee ordered and paid for before they get to their favorite café and get a reminder to get off the highway two exits early to make it easier to stop at the pharmacy after work.
According to Barra, the Watson-based OnStar Go will begin rolling out in cars in early 2017, and by the end of that year "millions of vehicles" will have it.
"We believe in the auto industry, in a period of five years, we'll see more change than in the last 50," Barra said.
A tool for disintermediation? (Surprised I knew such a big word, aren’t you?)
Scotland to Start Own Stock Exchange Using Blockchain Technology
Scotland may get its own stock exchange using the latest, if unproven, technology to underpin the system.
Scotex is seeking to raise as much as 15 million pounds ($18.4 million) to start a regulated equity market next year, according to a statement on Thursday. Executed trades will be processed by the type of distributed-ledger technology that drives bitcoin.
… On Wall Street, blockchain tech is being hailed as a way to reduce payment times from days or weeks to real time, freeing up billions of dollars in capital that’s now tied up until accounts are verified.
Scotex says trades on its exchange will clear nearly instantly and won’t require a clearinghouse, which collects collateral and monitors risks between traders. The company says investors and brokers will get their money within 15 minutes after a trade is executed.
Insurance by the drink, and other innovations.
Some cool insurance products are finally on the horizon
Trōv: In Australia you can buy on-demand insurance for belongings through Trōv. You pick an item you want to insure, such as a laptop or camera. Using a cellphone app, you swipe the coverage on when you need it and off when you don’t.
Fluo: In France, Fluo analyzes the travel insurance you may already have through your credit cards and sells you additional travel coverage to fill the gaps. You request an analysis and get an answer in two minutes through an app. The company says it soon will be able to analyze customers’ homeowners insurance policies.
Bought by Many: In the United Kingdom and China, London-based Bought by Many lets you join others with similar needs and challenges to find affordable coverage. The company negotiates with insurers to get the best rates for the group on various types of insurance. Examples of U.K. groups include bearded-dragon owners seeking pet insurance, people with Crohn’s disease shopping for travel insurance, and art collectors seeking home insurance. The bargaining power saves members an average of 18.6%, the company says.
… One reason the U.S. lags behind other countries is how insurance is regulated. Here, each state regulates insurance, so to roll out a product nationwide, insurers have to get approval from 51 insurance departments representing the states and the District of Columbia. Launching a product elsewhere is often simpler because a company gets approval from a single governmental authority.
I wonder who programmed the “back your semi up to this dock” part?
Uber has quietly launched its own 'Uber for trucking' marketplace called Uber Freight
The plan builds on Uber's acquisition of Otto, a self-driving trucking company that Uber bought in July for $65 million.
… The first product from Uber Freight is a marketplace to connect a shipper with a truck, much like the Uber app connects drivers and riders.
The way most shipping works for most companies today is by going through a brokerage firm, [There’s that disintermediation again. Bob] which makes calls to trucking companies and arranges the best deals for its customers. The broker takes a commission of between 15 and 20%.
To start, the Uber Freight marketplace will eliminate that middleman and offer shippers real-time pricing of what it will cost to move their goods based on supply and demand. And yes, that might mean there's even surge pricing for trucks, although a lot of the marketplace details are still being worked out.
Make your life better?
Gathering good reading material from around the internet is hard. You can't trust your friends on Facebook. Twitter is too noisy. And even if you're a master of RSS, you probably spend too much time sorting through filler.
This is where Pocket hopes it can make a difference. For the last nine years, the company—originally called Read It Later—has essentially run a glorified bookmark service, letting people save articles into a slick reading view on mobile devices and the web. To date, Pocket's 25 million registered users have stashed more than 3 billion links for later perusal.
Now, Pocket is turning all those saved stories into recommendations, helping people find reading material regardless of whether they do any bookmarking themselves.
Perhaps it is not as dumb an idea as I thought.
Amazon reports huge growth in Dash Button orders, adds 60 new brands from PoopBags to Pop-Tarts
… Amazon said Monday Dash Button orders are up five times over the last year. The company has added Bai, Cheez-It, Folgers, Fresh Kitty, Meow Mix, Milk Bone, PoopBags, Pop-Tarts, Powerade, Purrell Hand Sanitizing Wipes, ZonePerfect and others to its lineup of more than 200 buttons.
… For some brands, like Hefty, Peet’s Coffee, and Arm & Hammer, the majority of orders are coming from people using their Dash Buttons for quick refills, Amazon said.
Wednesday, October 26, 2016
Actually, this is more concerning. Any 12-year-old can now take down the Internet!
Dyn DNS DDoS likely the work of script kiddies, says FlashPoint
Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.
… Its reasoning is based on a few factors, including a detail it unearthed during its investigation of the attack: namely that the infrastructure used in the attack also targeted a well-known video game company.
“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” write FlashPoint’s Allison Nixon, John Costello and Zach Wikholm in their analysis.
The attack on Dyn DNS was powered in part by a botnet of hacked DVRs and webcams known as Mirai. The source code for the malware that controls this botnet was put on Github earlier this month. And FlashPoint also notes that the hacker who released Mirai is known to frequent a hacking forum called hackforums[.]net.
Can we use this to estimate what a large DDoS attack might cost?
Government-Ordered Internet Shutoffs Cost $2.4 Billion Last Year
Governments pay a significant price when they disrupt access and connectivity to the Internet because such shutdowns undermine economic growth, jeopardize lives, and erode confidence, Brookings Institution said in a study.
… India suffered the biggest impact, valued at over $968 million, and North Korea the lowest at $313,666, according to the report. There had been 14 shutdowns of national apps such as Twitter or Facebook, which was the most costly type of disruption at $1.04 billion. There were 36 instances of nation-wide internet access cutoff, making that the most frequent type of disruption.
Interesting. This has apparently been resolved, but consider what your organization’s reaction to a seemingly random contact claiming your database is insecure might be. Read the full article.
We need your help to contact an organization that has thus far been unresponsive to numerous notifications that we have sent about a discovered data breach! Read on to understand the issue and see how you can help!
We know that we have become a bit of a broken record when it comes to data breaches, and more specifically when it comes to unsecured databases recently. It’s no secret there are tens of thousands of open, unsecured databases of all types and sizes just sitting out there on the Internet, waiting to have their data plucked off, plundered or otherwise compromised by anyone with the time and inclination to do so.
It was no surprise when our researchers recently came across an open MongoDB installation containing data on more than 8 million users. What was surprising – and disappointing – is what has happened after the discovery.
Read more on RBS.
What to Do When You Suspect a Data Breach: FTC Issues Video and Guide for Businesses
by Sabrina I. Pacifici on Oct 25, 2016
“If your business has experienced a data breach, you are probably wondering what to do next. The Federal Trade Commission’s new Data Breach Response: A Guide for Business, an accompanying video and business blog can help you figure out what steps to take and whom to contact. Among the key steps are securing physical areas, cleaning up your website, and providing breach notification. The guide also includes a model data breach notification letter. For related advice on implementing a plan to protect customer information and prevent breaches, check out the FTC’s Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business. The guide and the video are both in the public domain, so business people can share them with employees and customers, and through their websites and newsletters.”
… If the end game is preventing something bad from happening, companies typically waste time and money on futile attempts to build an impenetrable wall of systems. Even if it were possible to build a wall that’s 100% secure, it wouldn’t begin to protect the rapidly growing amount of sensitive data that flows outside the firewall through devices and systems beyond the company’s direct control.
It’s far more important to focus on two things: identifying and protecting the company’s strategically important cyber assets and figuring out in advance how to mitigate damage when attacks occur.
Resources for Ethical Hacking.
Data Leaked by Pagers Useful for Critical Infrastructure Attacks
Pagers are still used in industrial environments and many organizations don’t realize that the messages sent with these devices can be highly useful to malicious actors looking to launch a targeted attack.
After analyzing the use of pagers in the healthcare industry, researchers at Trend Micro have focused their attention on the risk they pose to industrial environments, particularly in critical infrastructure sectors.
Industrial control systems (ICS) can rely on pagers to transmit information that is crucial for the operation of a facility, including events and deviations in the production process. Pagers are particularly popular as backup communication systems and in areas where cellular coverage is weak.
The problem is that the messages sent to these devices are typically unencrypted, allowing anyone with the technical knowhow and some inexpensive equipment to intercept the information.
If we can buy it, we don’t need a subpoena, right?
Nicky Woolf reports:
Telecommunications giant AT&T is selling access to customer data to local law enforcement in secret, new documents released on Monday reveal.
The program, called Hemisphere, was previously known only as a “partnership” between the company and the US Drug Enforcement Agency (DEA) for the purposes of counter-narcotics operations.
Read more on The Guardian.
IBM may have a winner here.
IBM expands Watson's reach with data platform, iOS integration, bots, education efforts
The barrage of announcements comes as IBM hosts a Watson conference in Las Vegas. IBM CEO Ginny Rometty will use a keynote speech to outline the Watson portfolio, ecosystem and customer base.
Discuss, debate, does no one educate?
The Political Environment on Social Media
by Sabrina I. Pacifici on Oct 25, 2016
Pew – “In a political environment defined by widespread polarization and partisan animosity, even simple conversations can go awry when the subject turns to politics. In their in-person interactions, Americans can (and often do) attempt to steer clear of those with whom they strongly disagree. But online social media environments present new challenges. In these spaces, users can encounter statements they might consider highly contentious or extremely offensive – even when they make no effort to actively seek out this material. Similarly, political arguments can encroach into users’ lives when comment streams on otherwise unrelated topics devolve into flame wars or partisan bickering. Navigating these interactions can be particularly fraught in light of the complex mix of close friends, family members, distant acquaintances, professional connections and public figures that make up many users’ online networks. A new Pew Research Center survey of U.S. adults finds that political debate and discussion is indeed a regular fact of digital life for many social media users, and some politically active users enjoy the heated discussions and opportunities for engagement that this mix of social media and politics facilitates. But a larger share expresses annoyance and aggravation at the tone and content of the political interactions they witness on these platforms…”
The war in streaming TV?
AT&T's new streaming TV service will give you 100+ channels for $35 a month
… The service will debut in November.
DirecTV Now will be a package of live TV delivered over the internet wherever you are — no cable box or satellite dish necessary.
… DirecTV Now's $35 price point undercuts the early industry norms for live-streaming TV. The market leader Sling TV charges $20 for "25+" channels, and its highest package has about 50 channels for $40. Sony's PlayStation Vue charges $54.99 for about 100 channels, and its lowest package gives you "60+" channels for $39.99 a month. Other competitors including Hulu and YouTube are reportedly readying their own packages for streaming live TV but have yet to name a price.
… "It's pay TV as an app," AT&T's senior vice president of strategy and business development, Tony Goncalves, told Business Insider in a recent interview.
Tuesday, October 25, 2016
Don’t forget! The Privacy Foundation at the University of Denver Sturm College of Law is hosting their October Seminar:
Privacy and Encryption: The Clash of Law & Technology
Friday, October 28, 2016. $30 includes admission to seminar, reception, and 3-hour CLE credit. To register, contact: Maggie Stephenson, Faculty Support Specialist, 303.871.6044 email@example.com
Attention Ethical Hacking students! We have a new target.
'Driverless' beer run; Bud makes shipment with self-driving truck
Anheuser-Busch hauled a trailer loaded with beer 120 miles in an autonomous-drive truck, completing what's believed to be the first commercial shipment by a self-driving vehicle.
The trip happened last week in Colorado as Anheuser-Busch collaborated with Otto, a subsidiary of Uber that is developing self-driving truck technology. The semi drove autonomously on the highway between Fort Collins, Colorado and Colorado Springs, Colorado.
Update. This was inevitable. All policies come from management and, if successful, benefit management. The proper argument is over the unreasonable and unethical bits.
Former Wells Fargo Employees File $2.6B Lawsuit
by Sabrina I. Pacifici on Oct 24, 2016
Via FindLaw – Alexander Polonsky, et al. v. Wells Fargo, Los Angeles Superior Court, September 22, 2016.
“The lawsuit was filed by two former employees, but seeks compensation for any and all Wells Fargo employees penalized for not meeting sales quotas over the past 10 years. In September, the bank fired over 5,000 employees for opening some two million accounts in customers’ names without their authorization. The lawsuit claims Wells Fargo is punishing lower level employees for policies that came from, and were intended to benefit higher level executives: “Wells Fargo knew that their unreasonable quotas were driving these unethical behaviors that were used to fraudulently increase their stock price and benefit the CEO at the expense of the low-level employees.”
· See also the New York Times DealBook – Voices From Wells Fargo: ‘I Thought I Was Having a Heart Attack’: “The scandal at Wells Fargo over the creation of unauthorized accounts shook its customers’ faith in the bank, but it took an even sharper toll on the company’s workers. A number of them say they faced a stark choice: Create new accounts by any means possible, or risk being fired for falling short of their sales goals…”
How are users informed of the need to change a default password? Big red headlines on page one of the installation sheet or a mention in passing on page six?
Chinese Firm Says It Did All It Could Ahead of Cyberattack
A Chinese electronics maker that has recalled millions of products sold in the U.S. said Tuesday that it did all it could to prevent a massive cyberattack that briefly blocked access to websites including Twitter and Netflix.
Hangzhou Xiongmai Technology has said that millions of web-connected cameras and digital recorders became compromised because customers failed to change their default passwords.
… The hack has heightened long-standing fears among security experts that the rising number of interconnected home gadgets, appliances and even automobiles represent a cybersecurity nightmare. The convenience of being able to control home electronics via the web also leaves them more vulnerable to malicious intruders, experts say.
… "The issue with the consumer-connected device is that there is nearly no firewall between devices and the public internet," said Tracy Tsai, an analyst at Gartner, adding that many consumers leave the default setting on devices for ease of use without knowing the dangers.
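As an added illustration of the fix the question above is asking for (written here for this post; not code from Xiongmai, Gartner or the article), a constructed first-boot credential gate: the device refuses every feature until the factory default is replaced, and rejects replacements that are themselves known defaults. The class name, the factory default and the denylist are all assumed values.

```python
"""Constructed first-boot credential gate for a network device (illustrative only)."""
import hashlib
import hmac
import os

# Constructed denylist of factory defaults a vendor would ship on the device.
KNOWN_DEFAULTS = {"admin", "password", "123456", "1234", "default"}
MIN_LENGTH = 12


class DeviceAuth:
    FACTORY_DEFAULT = "admin"  # assumed factory password for this example

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._digest(self.FACTORY_DEFAULT)
        self.setup_complete = False  # stays False until the default is replaced

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self._digest(password), self._hash)

    def login(self, password):
        """'setup' while the factory default is still active, 'ok' after, None on failure."""
        if not self._check(password):
            return None
        return "ok" if self.setup_complete else "setup"

    def set_password(self, current, new):
        """Only operation allowed in the setup state; refuses known defaults and short values."""
        if not self._check(current):
            return "bad-current"
        if new.lower() in KNOWN_DEFAULTS or len(new) < MIN_LENGTH:
            return "weak"
        self._salt = os.urandom(16)
        self._hash = self._digest(new)
        self.setup_complete = True
        return "changed"

    def serve(self, feature, password):
        """Every real feature (video, remote access) is refused until setup is complete."""
        if self.login(password) != "ok":
            return "refused"
        return f"{feature}:granted"
```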
(Related) Check your security!
… Bullguard, an industry-leading developer of security software, has an online tool called IoT Scanner. It scans any internet-connected device or network to see if there are any vulnerabilities that can be exploited to gain access to said device or network.
If it does find a security vulnerability, it’ll give you details of the problem that you can use as a first step toward bolstering your network security. Give it a try. It can’t hurt. Run the Deep Scan if you can.
Note that even if the IoT Scanner gives you the green light, you should know that there are some internet-capable devices that you should never connect to the Internet of Things.
How to build in a security problem?
Lyft customers face potential hack from recycled phone numbers
Giving up an old cell phone number for a new one may seem harmless. But for Lyft customers, it can potentially expose their accounts to complete strangers.