Saturday, November 26, 2016

Want to test drive a Tesla?
Researchers Hijack Tesla Car by Hacking Mobile App
In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away.  There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

Politics or mere amusement?
European Commission target of DDoS attack
by Sabrina I. Pacifici on Nov 25, 2016
Via Politico: “This afternoon, the European Commission was subject to a cyberattack (denial of service) which resulted in the saturation of our Internet connection.”

For my Governance and Software Architecture classes.
The Secret Ballot At Risk: Recommendations for Protecting Democracy
by Sabrina I. Pacifici on Nov 25, 2016
The right to cast a secret ballot in a public election is a core value in the United States’ system of self-governance.  Secrecy and privacy in elections guard against coercion and are essential to integrity in the electoral process.  Secrecy of the ballot is guaranteed in state constitutions and statutes nationwide.  However, as states permit the marking and transmitting of marked ballots over the Internet, the right to a secret ballot is eroded and the integrity of our elections is put at risk.  Thirty-two states and the District of Columbia allow some form of Internet voting–transmitting votes either via email, electronic fax, or Internet portal–typically for use by overseas and military voters.  Because of current technological limitations, and the unique challenges of running public elections, it is impossible to maintain separation of voters’ identities from their votes when Internet voting is used.  Most states that offer Internet voting recognize this limitation and require voters to sign a waiver of their right to a secret ballot.  The authors believe that Internet voting creates a second-class system for some voters–one in which their votes may not be private and their ballots may be altered without their knowledge.  This report examines state laws regarding the right to a secret ballot and the ways in which states are asking voters to waive that right.  We also offer recommendations for how voters and officials can preserve privacy in voting while making use of the Internet and technological advances.  Our findings show that the vast majority of states (44) have constitutional provisions guaranteeing secrecy in voting, while the remaining states have statutory provisions referencing secrecy in voting.  Despite that, 32 states allow some voters to transmit their ballots via the Internet which, given the limitations of current technology, eliminates the secrecy of the ballot.  
Twenty-eight of these states require the voter to sign a waiver of his or her right to a secret ballot.  The remainder fail to acknowledge the issue…”

Worth a try, but I bet the courts won’t allow it.  
Wells Fargo Wants Claims Over Fake Accounts Decided Out of Court
Wells Fargo & Co. is trying to keep dozens of customers suing over bogus accounts opened by its employees out of court, saying they agreed to resolve any disputes in arbitration when they began doing business with the bank.
The lender also asked for the lawsuits, filed by 80 customers in federal court in Salt Lake City to be thrown out.

(Related) “It depends on what the meaning of the word ‘is’ is.”
Uber seeks EC ruling that it is a digital service, not a transportation company
Uber will seek to convince Europe’s top court next week that it is a digital service, not a transport company, in a case that could determine whether app-based startups should be exempt from strict laws meant for regular companies.
The European Commission is trying to boost e-commerce, a sector where the EU lags behind Asia and the United States, to drive economic growth and create jobs.
The U.S. taxi app, which launched in Europe five years ago, has faced fierce opposition from regular taxi companies and some local authorities, who fear it creates unfair competition because it is not bound by strict local licensing and safety rules.

The downside of ‘really fast access to news!’ 
The CNN porn scare is how fake news spreads
Last night, a twitter account by the name of @solikearose tweeted out a surprising image of CNN broadcasting porn instead of Anthony Bourdain’s scheduled show Parts Unknown.  And then without really much questioning, a bunch of news sites ran with it, claiming that the network showed the footage for about 30 minutes.  
   It looks like the chaos all started when The Independent wrote up a story from this person’s tweets, which was then tweeted out by the Drudge Report.  After that, it spread fast.  Mashable, The New York Post, The Daily Mail, Esquire, and Variety have all published a story, and pretty much all of these articles are based on one or two tweets from @solikearose.  Plus, many of the original stories didn’t include statements from CNN or RCN, the cable company that supposedly aired the porn.
Fact-checking largely didn’t begin until the stories were published.

(Related) Did the Post get suckered too?  Surely not just bad reporting?
No, Russian Agents Are Not Behind Every Piece of Fake News You See
One of the themes that has emerged during the controversy over “fake news” and its role in the election of Donald Trump is the idea that Russian agents of various kinds helped hack the process by fueling this barrage of false news.  But is that really true?
In a recent story, the Washington Post says that this is definitely the case, based on information provided by two groups of what the paper calls “independent researchers.”  But the case starts to come apart at the seams the more you look at it.

A billion-dollar niche?  I wonder how many there are and how I could start my own. 
Amazon in Talks to Buy Dubai’s in $1 Billion Deal Inc. is in talks to acquire Dubai-based online retailer FZ for about $1 billion in a deal that will give the e-commerce giant a footprint in the high-growth Middle East market, according to people familiar with the matter.

One of my students is building one of these for a demonstration in my January Computer Security class.  
$5 PoisonTap Tool Easily Breaks Into Locked PCs
Proving once again that you can do a lot of damage with a little investment and a lot of ingenuity, security researcher Samy Kamkar recently managed to take down a locked, password-protected computer armed with only a US$5 Raspberry Pi.
The low-tech cookie-siphoning intrusion is one of Kamkar's simplest hacks ever.  He previously has unlocked car doors, garages, wireless remote cameras and other devices, with MacGyver-like precision.

Trivia for my geeky students.

Will the TSA open a video feed at US airports?  

Update: I couldn’t find a link to the report the first time I posted about this study.
A Stanford University team won a lot of attention this week by releasing a study on how badly teenagers assess information online.  “Evaluating Information: The Cornerstone of Civic Online Reasoning” examined more than 7,000 students to check their information literacy skills.

My industry.
Hack Education Weekly News
[This blogger is not happy with anything Trump.  You can tell by the icon she uses for the ‘Trump news’ section.  Bob]
   “The United States Department of Education’s Office of Inspector General has found in a recent report that the department’s overall information technology security is ‘not generally effective’ in meeting several federal requirements,” Campus Technology reports.  “The ed department (ED) and its Federal Student Aid (FSA) office scored only 53 points out of 100 in a recent security audit.”
   “Attorneys for Gov. Rick Snyder and state education officials say no fundamental right to literacy exists for Detroit schoolchildren who are suing the state over the quality of their education,” The Detroit News reports.
   Via the Lansing State Journal: “An email sent to Michigan State University last weekend attempting to ‘extort money’ helped the university identify a data breach that affected about 400,000 records and included names, Social Security numbers and MSU identification numbers, a university spokesman said Friday evening.”
   Via EdWeek’s Market Brief: “Two recent reports that track K–12 spending reveal schools’ strong interest in purchasing security-related hardware, products, and technology.”  One of the most popular pieces of technology: gun detectors.  Yes, gun detectors are ed-tech.

Friday, November 25, 2016

Definitely one to grab if you run a home network!
This Web-based Tool Checks if Your Network Is Exposed to Mirai
   The IoT Defense scanner was written using a combination of Python, Node JS and Jade frameworks and scans for nearly a dozen ports that botnets can exploit.  Accessing and using the scanner is free and few instructions are needed, as it does it all with a simple click of a button.
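A small local equivalent of that kind of exposure check, added here as an illustration and not the IoT Defense scanner’s own code: it probes a watch-list of TCP ports on one host concurrently and reports which are reachable.  The port list is an assumption for the example (23 and 2323 are the telnet ports Mirai brute-forces; the others are services consumer routers and cameras commonly expose); adjust it to your own threat model.

```python
"""Added example: a minimal TCP exposure check in the spirit of the
web-based Mirai scanner described above.  This is NOT that tool's code.
The port list below is an assumption for the example, not taken from
the original page."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed watch-list of ports worth checking on a home network.
# 23/2323 are the telnet ports Mirai brute-forces; the rest are
# management services that should never face the Internet.
MIRAI_ERA_PORTS = {
    23: "telnet",
    2323: "telnet (alternate)",
    22: "ssh",
    80: "http admin",
    443: "https admin",
    7547: "TR-069 (CWMP)",
    8080: "http alternate",
    5555: "adb",
}


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: all count as "not exposed".
        return False


def scan_host(host, ports, timeout=1.0, workers=16):
    """Probe each port concurrently; return {port: is_open}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports)
    return dict(results)


def exposed_services(host, ports=MIRAI_ERA_PORTS, timeout=1.0):
    """Return a sorted list of (port, label) for the ports found open.

    `ports` is a {port: label} mapping such as MIRAI_ERA_PORTS."""
    open_ports = scan_host(host, list(ports), timeout)
    return sorted((p, ports[p]) for p, is_open in open_ports.items() if is_open)


def start_local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 (for demos/tests);
    return (socket, port).  Caller must close the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python scan.py <host>   (defaults to the local machine)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, label in exposed_services(target):
        print(f"{target}:{port} open ({label})")
```

Running this from inside your LAN against the router only tells you what the LAN side exposes.  To reproduce what the web-based tool measures, which is exposure to the Internet, run it from a host outside your network against your public address, and only against networks you are authorized to test.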

And Pew Research just told us that lots of youngsters can’t tell the difference.
Russian propaganda effort helped spread ‘fake news’ during election, experts say
The flood of “fake news” this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation.

I bet their stick just went up!
Cyrus Farivar reports:
A federal appeals court ruled against a criminal defendant who challenged the warrantless use of a stingray that was used to locate him.
The Wednesday decision marks the first time that questions regarding the proper use of stingrays, also known as cell-site simulators, have reached the federal appellate level.
Read more on Ars Technica.

Drew Crawford of King & Spalding writes:
On November 3, 2016, the State of Qatar announced the passage of a new national privacy law.  The law, which requires companies and organizations to protect the personal information they gather from individuals, is the first national-level legal regime governing data protection to be signed into law by a Gulf Cooperation Council (“GCC”) member state.
Read more on JDSupra.

No worries!  AI classes will now be taught by AI. 
Universities’ AI Talent Poached by Tech Giants
Alphabet Inc.’s Google division last week hired the director of Stanford University’s artificial intelligence lab to lead a new AI unit, the latest in a long line of academic stars in artificial intelligence lured away by tech giants.
Fei-Fei Li, a respected computer scientist, wrote in a Facebook post that she joined Google partly to “democratize AI.”  She joined several other top professors who have left academia in recent years for tech industry posts.

It’s not a big deal unless the computers are talking about me behind my back.  Are they?
Don't Freak But Google Researchers Discovered Their AI Translation Tool Invented Its Own Secret Language
   Google’s NMT developers first translated from English to Korean and vice versa, and then from English to Japanese and vice versa.  They were curious to see if the machine could then translate Korean to Japanese without using English as a go-between.  The answer was yes, it in fact could translate directly.
It's how the Google AI achieves this that is a bit of a mystery.  It appears that the NMT has created its own internal language or "interlingua."  It examines concepts and sentence structures instead of word equivalents.  As a result, the NMT has created translations that are more accurate and natural.  Google’s NMT creators, however, are unsure how the neural networks work or what exact concepts the NMT has learned in order to translate languages directly.  In short, Google's AI has created its own secret language we humans do not fully understand.  A white paper that details the researchers' work, including some detail on the mystery "interlingua," can be found here (PDF).

A site worth bookmarking!
The Data Visualisation Catalogue
by Sabrina I. Pacifici on Nov 24, 2016
“The Data Visualisation Catalogue is an on-going project developed by Severino Ribecca.  Originally, this project was a way for me to develop my own knowledge of data visualisation and create a reference tool for me to use in the future for my own work.  However, I felt it would also be useful to both designers and also anyone in a field that requires the use of data visualisation regularly.  Although there have been a few attempts in the past to catalogue some of the established data visualisation methods, there is no website that is really comprehensive, detailed or helps you decide the right method for your needs.  I will be adding in new visualisation methods, bit-by-bit, as I research each method to find the best way to explain how it works and what it is best suited for.  Most of the data visualised in the website’s example images is dummy data….” 

Politics 101.  Republicans should avoid making suggestions at all costs.  If Trump does well, they can claim him as one of their own.  If Trump fulfills Hillary Clinton’s predictions, they can claim they had nothing to do with his choices.
Republicans Divided Between Romney and Giuliani for Secretary of State

Thursday, November 24, 2016

The first update in quite some time.  My IT Governance students will be interested. 
Six in Philippines May Face Charges Over Bangladesh Bank Heist
The Philippines said Wednesday it has launched criminal proceedings against six bankers accused of failing to stop the laundering of tens of millions of dollars stolen by cyber-criminals from Bangladesh's central bank.
The electronic thieves in February shifted $81 million from the bank's account with the US Federal Reserve in New York to the Rizal Commercial Banking Corp. (RCBC) in Manila in one of the world's biggest bank heists.
The money was transferred to four accounts at an RCBC branch from where it was funnelled into local casinos, according to regulators who fined the bank a record $21 million in August.
Manila's Anti-Money Laundering Council said it filed a criminal complaint at the justice department against RCBC's retail banking group head at the time, its national sales director and four other bank officials.
"The... respondent officers and employees of RCBC facilitated the suspicious transactions involving the four accounts above, by failing to conduct the requisite investigations and enquiries into the accounts," it read.
The complaint, filed on Friday, also cited the Filipino respondents' alleged "deliberate refusal to know the unlawful origins of the funds".

A day for under-the-radar announcements?  
Personal data for more than 130,000 sailors was breached, Navy says
The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was “compromised,” and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release.
   A Navy official familiar with the investigation said the personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.
   This is at least the second major breach of Navy data linked to its contracting activities with Hewlett Packard.  In 2013, the service announced that Iran had penetrated its unclassified Navy and Marine Corps Intranet.  In March 2014, the Wall Street Journal reported that the breach was due to a sloppily written contract with Hewlett Packard that didn’t require HP to provide security for some of the Navy’s unclassified databases.
It took four months for officials to purge the hackers from the system.

Let’s go where the money is!
Jason Kint reports:
Verizon has topped itself by playing Russian roulette with consumer trust in an attempt to compete with the advertising businesses of Google and Facebook.  In an email announcement last Sunday night to select subscribers, Verizon signaled how it intends to compete with those two powerhouses, outlining its plan to combine offline information, such as postal address, email address and device type, with AOL browser cookies, Apple and Google advertising IDs, and their own unique identifier header.  Coupled with all of their customers’ browsing history and app usage, this mass of customer data will make for a rich competitive product to Facebook and Google.
There’s just one problem: This practice requires explicit opt-in consent from consumers under the new FCC privacy rules.  Although the rules are not yet required to be adopted (and notably on the chopping block in a Trump presidency), it’s hard to argue that Verizon’s plan doesn’t violate the spirit of the rulemaking.
Read more on Recode.

Free is good!

I don’t think I’d send one of these to Scrooge!
Make Your Christmas Tree Tacky Again With Trump’s $149 MAGA Ornament

Wednesday, November 23, 2016

Embarrassing things happen.  Makes it hard to claim they don’t make mistakes.
Twitter accidentally suspends its own CEO's account
For a while late Tuesday, attempts to reach Jack Dorsey's profile produced an error message saying it had been suspended.  That prompted speculation his account might have been hacked or automatically shut down because of a high number of complaints from other users.
After it came back online, Dorsey tweeted that the suspension was the result of "an internal mistake."
That provoked angry responses from some people who asked how many regular users' accounts might also have been accidentally frozen by the company in the past.
   Which users Twitter does or doesn't suspend has become a highly sensitive topic.  The platform has struggled to find a healthy balance between allowing free speech and protecting users from harassment.

I wonder how common this is?  Sounds like a service Tony Soprano would offer…
Catalin Cimpanu reports:
A Cardiff court has sentenced James Frazer-Mann, a 35-year-old man from Barry, UK, to a suspended sentence of 12 months, a fine of £530 ($660), and 180 hours of community service for hiring a hacker to go after his company’s competition and a website where customers had criticized his service.
US authorities discovered Frazer-Mann’s actions after they shut down Liberty Reserve, an online payment system based in Costa Rica that allowed people to transfer money by entering someone’s name, date of birth, and email address.
Read more on BleepingComputer.

Yet another government agency proposing a national ID requirement.
From Papers, Please!
Reversing its longstanding official position that no law or regulation requires air travelers to possess or show any ID credentials, the TSA has given notice of a new administrative requirement for all airline passengers:
In order to be allowed to pass through checkpoints operated by the TSA or TSA contractors, air travelers will be required to have been issued a REAL-ID Act compliant government-issued ID credential, or reside in a state which has been given an “extension” by the DHS of its administrative deadline for a sufficient show of compliance with the REAL-ID Act of 2005.
The TSA will still have a procedure and a form (TSA Form 415) for travelers who don’t have their ID with them at the checkpoint, typically because it has been lost or stolen or is in the process of being replaced or renewed.  But that procedure will no longer be available to people who haven’t been issued any ID, or who have ID from states the DHS hasn’t certified as sufficiently compliant with the REAL-ID Act.
Read more on Papers, Please!

So, what else is new?  Government bureaucracies never seem to move quickly and rarely manage well.
Audit of OPM Security Systems Shows Continued Material Weakness
by Sabrina I. Pacifici on Nov 22, 2016
OPM IG Federal Information Security Modernization Act Audit – FY 2016:  “This audit report again communicates a material weakness related to OPM’s Security Assessment and Authorization (Authorization) program.  In April 2015, the then Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016.  Although the moratorium on Authorizations has since been lifted, the effects of the April 2015 memorandum continue to have a significant negative impact on OPM.  At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization in place…”

Must have been a very well written warrant!
Joseph Cox reports:
In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site.  Now, it has emerged that the campaign was actually several orders of magnitude larger.
In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.
Read more on Motherboard.
[From the article: 
The Department of Justice has had an intense battle on its hands over the past few months, especially around the validity of the warrant used for this hacking operation.  According to a filing from the Department of Justice, fourteen court decisions have found that the warrant was not properly issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure, which governs how search warrants can be authorized.
The main issue has been that the judge who signed the warrant, Magistrate Judge Theresa C. Buchanan in the Eastern District of Virginia, did not have the authority to greenlight searches outside of her own district.  In four cases, courts have then decided to throw out all evidence obtained by the malware because of the violation.
But, changes to Rule 41 will likely come into effect on December 1, meaning that magistrate judges will be allowed to authorize warrants just like the one used in the Playpen investigation.

I don’t worry about computers that look out for my health.  I worry about companies that sell that information to advertisers.  (and hackers, always hackers)
Grant Ferowich reports:
Google DeepMind and the National Health Service will partner in a move that alerts providers about abnormalities in patients’ vital signs and blood results—and privacy advocates have already started to cry foul.
The artificial intelligence branch of Google and the Royal Free NHS agreed to a five-year deal that will allow Google’s algorithms to monitor the health data of 1.6 million patients, the Financial Times reports.
The deal’s proponents argue that thousands of deaths per year could be prevented from conditions such as acute kidney damage, the article notes, but critics say such promises are “unproven.”
Read more on Fierce Healthcare.

I take this as a good sign.  Your average cop is probably not inclined to excessive force. 
Police Body Cameras Don’t Reduce Use of Force: Study
New research shows that body cameras don’t consistently lead to a reduction in the use of force by police—nor does their use discourage officers from taking action.
The findings stand in contrast to previous studies that looked at how cameras influence police behavior.
   The researchers in Milwaukee also found that police officers wearing cameras conducted more citizen contacts, traffic checks and other activities used to measure “proactivity” than officers who didn’t.

Should you obey local laws or kiss that market goodbye?  WWTD (What Will Trump Do?) 
Facebook Said to Create Censorship Tool to Get Back Into China
Mark Zuckerberg, Facebook’s chief executive, has cultivated relationships with China’s leaders, including President Xi Jinping.  He has paid multiple visits to the country to meet its top internet executives.  He has made an effort to learn Mandarin.
Inside Facebook, the work to enter China runs far deeper.
The social network has quietly developed software to suppress posts from appearing in people’s news feeds in specific geographic areas, according to three current and former Facebook employees, who asked for anonymity because the tool is confidential.  The feature was created to help Facebook get into China, a market where the social network has been blocked, these people said.  Mr. Zuckerberg has supported and defended the effort, the people added.

Something for all my students.
How to Write Email with Military Precision
   During my active duty service, I learned how to structure emails to maximize a mission’s chances for success.  Since returning from duty, I have applied these lessons to emails that I write for my corporate job, and my missives have consequently become crisper and cleaner, eliciting quicker and higher-quality responses from colleagues and clients.  Here are three of the main tips I learned on how to format your emails with military precision:
1.      Subjects with keywords
2.      Bottom Line Up Front (BLUF).
3.      Be economical.

For those of us who searched the house for hidden Christmas presents?
Amazon Just Found a Way to Let You See Inside the Box Without Opening It (AMZN)
   Amazon rolled out an update for its iOS app last week which allows users to know what’s inside their incoming Amazon boxes before opening them.
To use this latest feature on the app, simply tap your iPhone’s camera icon beside the search box.  Doing this will open up a number of options, from which you need to select the “Package X-Ray” button.  Then hold the camera frame over the barcode of your box and the items inside will be displayed.
   Sadly though, despite the name, this feature does not give you a view of the actual items inside your Amazon boxes.
Instead, the app gives you information regarding the items inside the box.  Also, you will be given a visual of these items which link you back to the product page on the website.

I was somewhat surprised by this…
Disruptive Change in the Taxi Business: The Case of Uber
by Sabrina I. Pacifici on Nov 22, 2016
Disruptive Change in the Taxi Business: The Case of Uber – Judd Cramer, Alan B. Krueger NBER Working Paper No. 22083 Issued in March 2016
“In most cities, the taxi industry is highly regulated and utilizes technology developed in the 1940s.  Ride sharing services such as Uber and Lyft, which use modern internet-based mobile technology to connect passengers and drivers, have begun to compete with traditional taxis.  This paper examines the efficiency of ride sharing services vis-à-vis taxis by comparing the capacity utilization rate of UberX drivers with that of traditional taxi drivers in five cities.  The capacity utilization rate is measured by the fraction of time a driver has a fare-paying passenger in the car while he or she is working, and by the share of total miles that drivers log in which a passenger is in their car.  The main conclusion is that, in most cities with data available, UberX drivers spend a significantly higher fraction of their time, and drive a substantially higher share of miles, with a passenger in their car than do taxi drivers.  Four factors likely contribute to the higher capacity utilization rate of UberX drivers: 1) Uber’s more efficient driver-passenger matching technology; 2) the larger scale of Uber than taxi companies; 3) inefficient taxi regulations; and 4) Uber’s flexible labor supply model and surge pricing more closely match supply with demand throughout the day.”

This is interesting.  Could it be extended to Computer Security?  Law? 
Tele-Mentoring Is Creating Global Communities of Practice in Health Care
   At the start, a team of specialists with a deep knowledge of hepatitis C gathered virtually in a conference room at the University of New Mexico Health Sciences Center.  In that conference room would be a video screen with a matrix of individual primary care providers who were sitting in their own offices and clinics across New Mexico.  Each provider would, in turn, present their patients with hepatitis C and get guidance on caring for each patient from the experts at the university hub.  Each of the other providers learned from every case presentation.

Strategy Analytics: Apple Captures Record 91 Percent Share of Global Smartphone Profits in Q3 2016
Linda Sui, Director at Strategy Analytics, said, “We estimate the global smartphone industry realized total operating profits of US$9.4 billion during Q3 2016.  Apple dominated and captured a record 91 percent share of all smartphone profits worldwide.
   “We estimate Huawei generated US$0.2 billion of smartphone operating profit worldwide in Q3 2016.  Huawei captured 2 percent share of all smartphone profits, taking second spot overall, and becoming the world’s most profitable Android vendor for the first time ever.  
   The full report, Apple Captures 91 Percent Share of Global Smartphone Profits in Q3 2016, is published by the Strategy Analytics Wireless Smartphone Strategies (WSS) service, details of which can be found here:

More stuff I want blocked in the Computer Labs. 
   Several tools are available that can make this happen, from emulators and virtual machines to browser plugins.

This should be simple for my students, they often get things backwards.
This Malware Turns Headphones Into Microphones
Researchers at Ben Gurion University in Israel have created malware that will turn your plugged in headphones into a microphone.
Now, if you've ever plugged old headphones into a standard line in jack, you know that headphones are basically tiny microphones anyway, with vibrations converting themselves into electromagnetic signals.  But this malware is a bit different.  Dubbed "Speake(a)r," the malware does the same thing, but through software.  Wired explains:
Their malware uses a little-known feature of RealTek audio codec chips to silently "retask" the computer's output channel as an input channel, allowing the malware to record audio even when the headphones remain connected into an output-only jack and don't even have a microphone channel on their plug.  The researchers say the RealTek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or MacOS, and most laptops, too.
Wired says that in their tests, the researchers at Ben Gurion were able to record sound from as far as 20 feet away with a pair of Sennheiser headphones.  Apparently, even when compressing the recording to send over the internet, the recording was still distinguishable.

Another challenge for my “Designated Hackers.”  (Why doesn’t NY use these guys?) 
Israeli Firm Can Steal Phone Data in Seconds
Israeli firm Cellebrite's technology provides a glimpse of a world of possibilities accessible to security agencies globally that worry privacy advocates.
   Cellebrite's technology is not online hacking.  It only works when the phone is physically connected to one of the firm's devices.
The company recently demonstrated its capabilities for an AFP journalist.
The password on a phone was disabled and newly taken photos appeared on a computer screen, complete with the exact location and time they were taken.
   The real challenge, Ben-Peretz agrees, is staying in the lead in a race where phone manufacturers constantly launch new models and update software with ever more complicated security.
In the firm's lab they have 15,000 phones -- with around 150-200 new models added each month.

An idea for the Computer Security club: Collect old phones and hack them!

Tuesday, November 22, 2016

Something I could ask my Computer Security class to do?
IoT security camera infected within 98 seconds of plugging it in
Unlike the average Jane or Joe Doe who would not want their security camera to be immediately infected with malware, Rob Graham, CEO of Errata Security, called it “fun” to watch the infection happen.  He tweet-documented his experience.
   It supports Universal Plug and Play (UPnP), not a secure feature but easy for non-techies to set up since basically a person plugs a UPnP device in and it works.  The average user would not likely do this, but Graham said he isolated the camera from his home network by setting it up behind a Raspberry Pi router.
   His security camera ended up with multiple malware infections.  Mirai malware was not the first infection; he said it was “something else similar to it.”

Also see their Breach Litigation report
From Bryan Cave, this free resource on Incident Readiness and Response:
Since the first publication of this handbook in 2014, the legal ramifications for mishandling a data security incident have become more severe.  In the United States, the number of federal and state laws that claim to regulate data security has mushroomed.  The European Union has also enacted a new General Data Protection Regulation which will extend the United States framework for responding to data breaches across the EU, but with significantly enhanced penalties.  This handbook provides a basic framework to assist in-house legal departments with handling a security incident.
Click here for the Data Security Breach Handbook 2016 edition.

Is this why Trump was elected?
Most Students Don’t Know When News Is Fake, Stanford Study Finds
Preteens and teens may appear dazzlingly fluent, flitting among social-media sites, uploading selfies and texting friends.  But they’re often clueless about evaluating the accuracy and trustworthiness of what they find.
Some 82% of middle-schoolers couldn’t distinguish between an ad labeled “sponsored content” and a real news story on a website, according to a Stanford University study of 7,804 students from middle school through college.  The study, set for release Tuesday, is the biggest so far on how teens evaluate information they find online.  Many students judged the credibility of newsy tweets based on how much detail they contained or whether a large photo was attached, rather than on the source.

A couple of the talks at the WSJ’s CEO Conference.
Stephen Wolfram on Communicating With AIs

NSA Chief Michael Rogers Talks Cybersecurity

Almost half the world will be online by end of 2016; poorer countries will lag: Report
By the end of 2016, almost half of the world's population will be using the internet as mobile networks grow and prices fall, but their numbers will remain concentrated in the developed world, a United Nations agency said on Tuesday.
In the world's developed countries about 80 percent of the population use the internet.  But only about 40 percent in developing countries and less than 15 percent in less-developed countries are online, according to a report by the U.N.'s International Telecommunication Union (ITU).

Monday, November 21, 2016

Nice of the FBI to issue a warning, but someone at the banks should have noticed these stories and followed up with their security department.  If I were on the Board, I’d certainly expect that (and would ask about it).
Hackers Program Bank ATMs to Spew Cash
   In Taiwan and Thailand earlier this year, the criminals programmed bank ATMs to spew cash.  Gang members stood in front of the machines at the appointed hour and collected millions of dollars.
Earlier this month, the Federal Bureau of Investigation warned U.S. banks of the potential for similar attacks.  The FBI said in a bulletin that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”
   Investigators now believe that the criminals broke into computers at First Commercial’s London office on May 31.  Once inside the network, the criminals sent a malicious software update to the company’s 41 PC1500 ATMs, built by Wincor Nixdorf AG of Germany.  After testing their system on July 9, they instructed the ATMs to empty their cash-carrying cassettes the next day.
   During the six months ended in February 2016, the Buhtrap group launched 13 successful attacks against Russian banks, stealing more than $25 million through the nation’s bank-clearinghouse system, he said.
The computer code to carry out the attacks was released earlier this year by a disgruntled Buhtrap member, and is now being used by others, Mr. Volkov said.

(Related) Perhaps there is a market for Threat Intelligence as a service?
Do You Need a Threat Intelligence Team?

A bit of an update.  I didn’t follow this far enough to see the scope of this request.
The IRS wants to ID every U.S. Coinbase user from 2013 to 2015
The government suspects some Bitcoin holders have been evading taxes
The U.S. Internal Revenue Service has asked a court in California to order Coinbase, a Bitcoin exchange, to hand over the identities of active U.S. users of its service from the beginning of 2013 to the end of 2015.
In a filing Thursday to the U.S. District Court in San Francisco, the IRS said it's investigating whether virtual currency users failed to report income on transactions conducted in the Bitcoin virtual currency. 
   In addition to customer details, the agency is also after transaction records, account statements and records of payments made and processed for the users.
San Francisco-based Coinbase said it would oppose the demand, in part because the government hasn't alleged the company has done anything wrong.

A billion here, a billion there, pretty soon you’re talking real money!
Alibaba Cloud plans to launch 4 new data centres worldwide, eyes larger global market share
Alibaba Cloud, the cloud unit of Chinese e-commerce giant Alibaba Holdings Ltd, has announced that it is planning to open four new data centres across the globe by the end of the year.  The announcement could be interpreted as the company's desire to grab global market share from key players such as Amazon and Microsoft.
The new data centres would be located in Japan, Germany, the Middle East and Australia.  These additions would bring the number of the company's data facilities to a total of 14, including the two in the US.  The new units will extend the company's reach to almost every major continent.
According to a Reuters report, the move marks the latest step in the company's $1 billion infrastructure investment drive.

Something new for my students to ignore?
New Omnity Search – knowledge discovery tool for registered users
by Sabrina I. Pacifici on Nov 20, 2016
“In a rising sea of ever growing and increasingly fragmented knowledge, Omnity enables searchers to efficiently find related documents, even if those documents do not directly cite or link to one another.  This accelerates the discovery of otherwise hidden, high-value patterns of interconnection within and between fields of knowledge as diverse as science, medicine, engineering, law and finance.  Omnity is based on fundamental advances in associative semantic search technology, through which we create landscapes of meaning-based relationships arising from the semantic signatures of entire documents.  In this manner, the knowledge contained within whole documents can be deeply inter-connected, solely through shared ideas.”

Is this how we want to remember 2016?
Politico Magazine – The making of the president, 2016 – a photo journal with stats and quotes
by Sabrina I. Pacifici on Nov 20, 2016

(Related) Or this?
Pew – A Divided and Pessimistic Electorate
by Sabrina I. Pacifici on Nov 20, 2016
Pew Report – Voters skeptical of progress in many areas – even jobs – since 2008.  “Beyond their disagreements over specific policy issues, voters who supported President-elect Donald Trump and Hillary Clinton also differed over the seriousness of a wide array of problems facing the nation, from immigration and crime to inequality and racism.”

Sunday, November 20, 2016

It’s a sad, sad day.  No doubt it will be raining coal in Russia.
RT reports:
Parents beware!  A data breach has been discovered somewhere it was least expected.  The Russian telecom watchdog has tracked 55 websites which disclose personal data from the online letters children write to Father Frost (the Russian version of Santa Claus) ahead of the New Year.
“We’ve discovered 55 websites that sabotage the work of Father Frost and make the personal data of kids from their letters to Father Frost public,” the watchdog, Roskomnadzor, said on its account in the VKontakte social network.
The last, first and middle names, ages, home addresses and telephone numbers of children are being disclosed, it added.
Read more on RT.

Nothing on the HUD website.  Have they been blamed for something they did not do?  Why no response?  Perhaps this happened everywhere and they are trying to figure out who to blame? 
Natalie Parsons reports:
A Fargo woman received a letter from public housing saying she was at risk of identity theft.
It was a result of a US Department of Housing and Urban Development data breach and now she’s worried for her safety.
The Fargo Housing and Redevelopment Authority says almost 600,000 names and social security numbers were posted to an unsecured website viewable to the public and it was not their doing but the US Department of Housing and Urban Development.
Read more on Valley News Live.
I haven’t found any notice or press release on HUD’s site about this incident or any other coverage of this.  It appears that the breach occurred during August and September, and the video from the news station suggests that HUD was unable to determine who may have accessed the exposed information during that period.  Maybe someone with better eyes than mine can read the notification displayed during the news broadcast?

As we add new technologies to the mix, their interactions with older tech create new pathways for hackers.  I can see the FBI saying, “Siri, please hack into this phone.”
Strange Hack Uses Siri To Bypass Any iPhone’s Lock Screen And Access Photos
Some curious minds have discovered a weird trick which can bypass an iPhone lock screen and access the photos stored on the device.
YouTube channel iDeviceHelp has published a video describing a working implementation of the method on an iPhone 7 Plus running iOS 10.2.
The iPhone lock screen bypass works by taking advantage of the Siri voice assistant and the voice over feature.  The method won’t work if Siri is not enabled while the device is locked.  Also, you need physical access to the target iPhone.

All the stuff we have to teach our Ethical Hacking students. 
Exclusive: Inside America’s Newest Digital Crime Lab
   “No case is simple anymore because juries want to see analysis and expect CSI in the courtroom,” says Manhattan District Attorney Cyrus Vance, who oversees the sprawling operation that involves cops, computer talent, and an ever-growing roster of cases touched by cyber-crime.
In an exclusive tour of the new lab, Fortune got a glimpse of Law & Order in the digital age.  The lab is Exhibit A in how America’s biggest city is embracing big data analytics and a dash of hacker culture to solve complex crimes.  It also raises hard questions about how to balance these sophisticated crime-fighting tools with civil liberties.

Perhaps we really need the self-driving car? 
Are apps really responsible for increased traffic fatalities?
It'll probably be another week or two before the National Highway Traffic Safety Administration releases its official stats on 2015 traffic fatalities.  However, early data suggests a significant uptick from 2014--potentially 7.7 percent or higher.
What's to blame for that sharp increase?  According to some analysts, it has everything to do with apps.

(Related) Will this App be responsible for run-away spending?
Alexa offers steep, exclusive deals in Amazon's first 'voice shopping weekend'
Amazon is getting a jump on the holiday shopping craze with an all-Alexa weekend.  The online retailer just announced its first “voice shopping weekend.”  Prime members can use an Amazon Echo, Echo Dot, Amazon Tap, Amazon Fire HD tablet, or Amazon Fire TV to ask, “Alexa, what are your deals?”  
Alexa will then tell you about Amazon’s deals for that day. If you like what you hear, you can then tell Alexa to order the item.  
   Anyone who wants to can peruse the deals on Amazon’s website, but ordering the items at the sale price requires a Prime membership and an Alexa-enabled device.

(Related) When Jeff Bezos says he wants to sell everything, he means it!
Fiat Chrysler teams up with Amazon to sell cars online

Just trying to keep up…
Humanity and AI will be inseparable
   Professor Manuela Veloso, head of the machine learning department at Carnegie Mellon University, envisions a future in which humans and intelligent systems are inseparable, bound together in a continual exchange of information and goals that she calls “symbiotic autonomy.”  In Veloso’s future, it will be hard to distinguish human agency from automated assistance — but neither people nor software will be much use without the other.

Try explaining this to a bunch of grad students from a variety of countries without making the whole system sound crazy.
Pentagon and intelligence community chiefs have urged Obama to remove the head of the NSA
The heads of the Pentagon and the nation’s intelligence community have recommended to President Obama that the director of the National Security Agency, Adm. Michael S. Rogers, be removed.
   Action has been delayed, some administration officials said, because relieving Rogers of his duties is tied to another controversial recommendation: to create separate chains of command at the NSA and the military’s cyberwarfare unit, a recommendation by Clapper and Carter that has been stalled because of other issues.
The news comes as Rogers is being considered by President-elect Donald Trump to be his nominee for director of national intelligence to replace Clapper as the official who oversees all 17 U.S. intelligence agencies.  In a move apparently unprecedented for a military officer, Rogers, without notifying superiors, traveled to New York to meet with Trump on Thursday at Trump Tower.
   The driving force for Clapper, meanwhile, was the separation of leadership roles at the NSA and U.S. Cyber Command, and his stance that the NSA should be headed by a civilian. [It never has been as far as I know.  Bob] 
   The NSA is an intelligence agency but part of the Defense Department