Saturday, December 24, 2016

If you wanted information that would help you understand an adversary and perhaps predict its strategy, what data would you try to collect? 
Exclusive: FBI probes FDIC hack linked to China's military - sources
The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said.
After FDIC staff discovered the hack in 2010, it persisted into the next year and possibly later, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC's inspector general, an internal watchdog.
The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing.  This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.

Will Apple do for Russia what it would not do for the FBI?  I doubt they can. 
Swati Khandelwal reports:
Russian Ambassador Andrei Karlov was shot dead by an off-duty police officer in Ankara on December 19 while the ambassador was giving a speech at an art gallery.  The shooter managed to pass himself off as the ambassador's official bodyguard and was later shot dead by Turkish special forces.
After this shocking incident, Apple has been asked to help unlock an iPhone 4S recovered from the shooter, which could again spark a battle similar to the one between Apple and the FBI earlier this year.
Read more on The Hacker News.

(Related).  On the other hand…
Cynthia Kroet reports:
The Belgian federal prosecutor told newspaper De Tijd in an interview published Friday that cell phone data linked to the Paris attacks investigation can no longer be accessed because Belgian law mandates it be deleted after 12 months for privacy reasons.
Frédéric Van Leeuw said there is still new information to be uncovered on the cell phones used to plan last year’s Paris attacks, and called upon the government to resolve the situation.

I try to pound these (and others) into my students’ heads!  Really worth reading! 
Craig Hoffman raises some valid points about lessons that can be learned following a security incident. Here are just a few of his points:
  • Acknowledging that trust but verify is important (e.g., if someone says a network is segmented, check the ACLs and firewall rules to confirm this).
  • Knowing that you can have great security tools and generate terabytes of logs, but someone has to review the logs.
  • Determining that assumptions about a vendor’s role in maintaining and managing the security of the service it is offering may have been wrong.
Read his full commentary on BakerHostetler Data Privacy Monitor.

My students might think this is so obvious it doesn’t need mentioning, but that has never been my experience. 
The Unblinking Eye: Employee Monitoring in the IoT Era
Even if it’s not their primary function, many IIoT applications could be used to monitor employees in unintended ways.  Use of such data, if it’s not obtained properly, could damage a company’s reputation or put it on the defense in litigation.
Take, for example, sensors that some industrial companies embed in employee uniforms and helmets.  These kinds of sensors can detect hazardous conditions such as toxic gases, or warn of over-exertion based on the reading of an employee’s heartbeat.  Or consider GPS-enabled devices or mobile applications that permit employers to track the precise physical location of workers in order to deploy them most efficiently to new work assignments.
But what if information gleaned from these devices was used to detect patterns about an employee’s movements, which could be used to draw negative conclusions about the employee’s efficiency or performance?  Yet an employee’s slow pace in moving between work stations, or frequent departures for bathroom breaks, might be due to a legally protected medical condition rather than laziness.  Penalizing the employee based on this data might set the employer up for a disability discrimination claim.  Similarly, an employer may face whistleblower or retaliation claims if a manager is able to use location data to figure out which employee went to the human resources office to lodge a complaint about him or her.  It is inevitable that employers will seek to use IoT data to better manage their employees, as well as their inventory and equipment, but employers will need to guard against inappropriate or even unlawful uses of this data.

I will be most amused if there is justification for withholding this information.
Nicholas Iovino reports:
A federal judge Thursday ordered the Department of Justice to give her files on a secret telephone data-mining program so she can determine if it can withhold the records from the public.
The Electronic Frontier Foundation sued the Department of Justice in July 2015 after it refused to release files on the Hemisphere Project.  The secret program, revealed in a New York Times article in September 2013, involved placing AT&T employees in law enforcement agencies to track records on trillions of phone calls dating back to 1987.
U.S. Magistrate Judge Maria-Elena James found Thursday that the government failed to justify a slew of Freedom of Information Act exemptions it cited to avoid revealing details of the clandestine project.  She ordered the Justice Department to deliver the files for her to review behind closed doors.
Read more on Courthouse News.
[From the article: 
The Justice Department cited two FOIA exemptions: Exemption 5, for attorney-client, work-product and deliberative-process privileges; and Exemption 7, for information that may reveal confidential sources or law enforcement techniques that could help criminals evade prosecution.
In the 36-page ruling, James found the government often recited elements necessary to establish the exceptions without stating why the records met standards for withholding from the public.
“The government argues the agency’s task should not be ‘herculean’ in providing supporting evidence for its claimed exemptions,” James wrote.  “But while the government need not expose the very information contained in the withheld documents, here it does not provide the sufficient information for this Court to assess its assertion of privilege.  The Court is not asking the government to make a herculean effort, merely something beyond regurgitation of the elements.”

Brilliant!  May we assume someone will read all the posts to all the social media sites by every visa applicant?  Will they recognize terrorist writing when they see it?  As the article says, terrorists are unlikely to incriminate themselves. 
U.S. asks foreign travelers to voluntarily disclose social media profiles
Starting this week, the federal government began asking some travelers to the U.S. to supply details about their social media accounts.
The collection of social media data, which was first proposed by Homeland Security this summer, does not apply to U.S. citizens.  Instead, it is for now aimed at foreigners from 32 countries who apply to arrive in the U.S. under the “visa waiver program”—an online tool that lets short-term visitors skip the formal process of applying for a visa.
The social networks include VKontakte, which serves as Russia’s Facebook, as well as, a text-sharing tool that is popular with the terrorist group ISIS.  Meanwhile, the form also lists little-used services like Vine and Google+ but omits the wildly-popular Snapchat.
Meanwhile, it’s unclear if the program, first reported by Politico, will improve security.  The reason is that would-be terrorists, even dim-witted ones, would be unlikely to disclose their social media profiles to the U.S. government.
The 32 countries affected by the visa waiver program are mostly European and affluent ones.

What a brave new world that has such lawyers in it.  (Actually, didn’t Shakespeare have a rather less positive opinion of lawyers?) 
Ambrogi – The 10 Most Important Legal Technology Developments of 2016
by Sabrina I. Pacifici on Dec 23, 2016
Via LawSites: “What were 2016’s most important developments in legal technology?  Every year since 2013, I’ve posted my picks of the year’s top developments in legal tech (2015, 2014, 2013).  As another year wraps up, it’s time to look back at 2016.  What follows are my picks for the year’s most important legal technology developments.  As in past years, the numbers are not meant to be rankings — each of these is important in its own way.  I also refer you back to my prior years’ posts, as much of what I said in them remains true today…”

A resource for my Computer Security and my Disaster Recovery students.
NIST – Guide for Cybersecurity Event Recovery
by Sabrina I. Pacifici on Dec 23, 2016
NIST Special Publication 800-184 Guide for Cybersecurity Event Recovery, 2016. Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew Smith, Greg Witte, Karen Scarfone.
“Abstract – In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning.  Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios.  This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents.  This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning.”

There might just be something useful here!  
More Than 300 Ed Tech Tutorial Videos
Throughout the year I offer webinars on a variety of educational technology topics.  But I also publish a tutorial or two on my YouTube channel every week.  That playlist now contains more than 300 tutorials on everything from graphics editing to podcasting to tips for new Chromebook users.  The entire playlist can be found here or viewed as embedded below.

This could be amusing, though it is only sites on the register.  The little New Jersey town I grew up in had at least three houses where George Washington spent the night.  (“Washington slept here” signs were really common throughout NJ.)
Explore Maps of Historical Sites in Every U.S. State
The Traveling Salesman Problem is a website developed by William Cook at the University of Waterloo.  The site features interactive maps that chart the shortest distance between a series of places.  One of those maps is of all of the places in the United States National Register of Historic Places, all 49,603 of them.  You can view the whole country in one map or visit each state's individual map.
Naturally, I jumped to the map of Maine's historic places to see how many I was familiar with.  One that's close to my home is this old cattle pound that I often stop at while riding my bike in the summer.  I clicked on the image on the map and was able to click through to the asset detail provided by the National Park Service.  The asset detail includes when the site was added to the national registry and why it is significant.

Friday, December 23, 2016

Do we know what is happening in our systems?  Is anyone asking? 
Fairbanks Hospital in Indianapolis is notifying an undisclosed number of patients that employees could have been accessing protected health information of patients since at least November 2013 (and possibly earlier).  The information that was accessed included current and former patients’ social security numbers, contact information, diagnosis, treatment and health insurance.
In a notification dated December 16, the hospital writes that they are unaware of any actual or attempted misuse of any protected health information.
Of concern, it appears that their investigators were not able to determine whether any employee actually accessed any patient’s record inappropriately.  So it may well be that some employees snooped on records, and yet, the hospital would not have been able to detect that.  And if it couldn’t detect whether the employees were accessing PHI records inappropriately, it sounds like they might have to notify every patient seen at the hospital since November 2013. has sent an inquiry to Fairbanks via their site contact form and will update this post as more information becomes available.
From their notification:
What Happened? On October 18, 2016, Fairbanks became aware that some files on our internal network that contained patient information were electronically accessible to Fairbanks employees, including employees who were not intended to have access to patient information.  Fairbanks hired an outside computer forensics expert to determine the nature and scope of this issue.  The investigation has determined that this issue existed since at least November of 2013; however, we are unable to determine whether the issue existed prior to that time.

The economics of hacking.  Supply and demand.  The disruption of new technology.  All well-understood processes, right?
Maria Korolov reports:
The black market value of stolen medical records dropped dramatically this year, and criminals shifted their efforts from stealing data to spreading ransomware, according to a report released this morning.
Hackers are now offering stolen records at between $1.50 and $10 each, said Anthony James, CMO at San Mateo, Calif.-based security firm TrapX, the company that produced the report.
That's down a bit since this summer, when a hacker offered 10 million patient records for about $820,000 — or about $12 per record — and an even bigger drop from 2012, when the World Privacy Forum put the street value of medical records at around $50 each.
Read more on Network World.
[From the article:
The information in medical records can be used for medical billing fraud as well as identity theft and other big-money scams.

But the market has become saturated, said James.  With about 112 million records stolen in 2015 alone, the medical info of nearly half of all Americans is already out there.

For my Data Management students.  
If you want to see how mobile technology can disrupt the very basics of business models and habits established over hundreds if not thousands of years, look at what’s happening in India.  A telecommunications revolution, towards fourth generation (4G) mobile services, will transform the consumer landscape over the next 5-10 years.  This revolution will transform India the same way automobiles changed America 100 years ago but at ten times the speed — computers, laptops, and tablets will be marginalized as India leapfrogs to mobile 4G by 2020.  The consequences are far more revolutionary than have been considered by multinational companies and entrepreneurs.  In order to create value in India in the coming decade, companies must have a mobile-first strategy.
Some background: Until the mid-1980s, having telephone service in India was considered the ultimate luxury and less than 0.001% of the population possessed a phone.  By July 2016, virtually every Indian had a mobile telephone and access to text messaging, primarily using 2G technology.

(Related).  Maybe not everyone has a phone?  
Uber’s Drive Into India Relies on Raw Recruits
How do you train a million new Uber drivers in a country where most people have never driven a car, tapped on a smartphone or even used an online map?

I didn’t know Uber had such power!  (Or is it that now states have so little?) 
Md. approves alternative screening process for ride-hailing drivers, amid threats Uber would leave
The Maryland Public Service Commission approved an alternative screening process that would allow Uber and Lyft to continue operating in the state without conducting fingerprint-based background checks of their drivers.
The decision Thursday averted a showdown with California-based Uber — which had threatened to leave Maryland — and represented a victory in the ride-hailing companies’ battles against regulations that would have threatened their ability to maintain tens of thousands of drivers in the state.
Uber and Lyft had argued that the electronic checks they use, supplemented by court records, are as, or more, thorough than the law-enforcement-backed methods suggested by regulators.

Might be amusing to
House Intel Committee Releases Declassified Snowden Report
by Sabrina I. Pacifici on Dec 22, 2016
News release: “The House Permanent Select Committee on Intelligence today released a declassified version of its investigative report on Edward Snowden, the former National Security Agency contractor who fled to China and then Russia after stealing an estimated 1.5 million classified documents.  The report, including redactions for classified information, was the result of a two-year inquiry into Snowden’s background, likely motivations, and methods of theft, as well as the damage done to U.S. national security as a result of his actions.  The report was completed in September 2016 and submitted to the Intelligence Community for a declassification review.  
To read the declassified report, click here.  To read Intelligence Committee highlights of the report, click here.
  • Via The Guardian – “…The report’s credibility was immediately condemned by Snowden’s lawyer Ben Wizner.  He dismissed the report and insisted that Snowden acted to inform the public.  “The House committee spent three years and millions of dollars in a failed attempt to discredit Edward Snowden, whose actions led to the most significant intelligence reforms in a generation,” Wizner said. “The report wholly ignores Snowden’s repeated and courageous criticism of Russian surveillance and censorship laws. It combines demonstrable falsehoods with deceptive inferences to paint an entirely fictional portrait of an American whistleblower.”
  • Snowden’s Twitter response: Unsurprising that HPSCI’s report is rifled with obvious falsehoods. The only surprise is how accidentally exonerating it is

Does he have a point?
McDonald's sued because 'Extra Value Meal' is 41 cents more

For my Spreadsheet class this Spring.

We are trying to get an AI course approved. 

This must be one of Trump’s lawyers? 

Thursday, December 22, 2016

Do we retaliate against their military or the top officials who authorized the hack?  What do we do?  Rigging their election would seem redundant. 
Cybersecurity firm finds evidence that Russian military unit was behind DNC hack
The firm CrowdStrike linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016.
While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.
Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU.  CrowdStrike had dubbed that unit “Fancy Bear.”

(Related).  Think of it as a ‘Targeting’ App that feeds coordinates directly to Russian artillery.
Russia Used Android Malware to Track Ukrainian Troops: Report
The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.
This summer, the company’s analysts came across an Android application package (APK) file named “Попр-Д30.apk.”  The file contained Russian-language artifacts and its name referenced the D-30, a Russian-made 122 mm towed howitzer that first entered service in the 1960s.
The D-30 is still used by the Ukrainian military and, in 2013, artillery officer Yaroslav Sherstuk created an Android app designed to help personnel reduce the time to fire the gun from minutes to under 15 seconds.  According to its developer, the application has roughly 9,000 users.
“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location.  This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting,” CrowdStrike wrote in its report.

Ransomware is cheap, but then we (hackers) can automate it.
How Much Do Businesses Pay for Stolen Data?
Last week, IBM released the results of a survey that looked at people’s attitudes toward ransomware.  Among 600 U.S. business executives, nearly half said they’d experienced attacks.  And fully 70 percent of those who’d been attacked said they paid to get their data back.
45 percent of companies that paid ransoms coughed up more than $20,000 to get their files back, and 20 percent paid hackers more than $40,000.

This could be useful.
PersonalData.IO helps you get access to your personal data
by Sabrina I. Pacifici on Dec 21, 2016
“PersonalData.IO is a free and open platform for citizens to track their personal data and understand how it is used by companies.  It is part of the MyData movement, promoting a human-centric approach to personal data management.  A lot of readers of this blog will be familiar with Freedom of Information laws, a legal mechanism that forces governments to be more open.  Individuals, journalists, startups and other actors can use this “right-to-know” to understand what the government is doing and try to make it function better.  There are even platforms that help facilitate the exercise of this right, like MuckRock, WhatDoTheyKnow or FragDenStaat.  These platforms also have an education function around information rights.  In Europe we enjoy a similar right with respect to personal data held by private companies, but it is often very hard to exercise it.  We want to change that, with PersonalData.IO.”

(Related).  How does law enforcement get your data?
US State Police Have Spent Millions on Israeli Phone Cracking Tech
This is part of a Motherboard mini-series on the proliferation of phone cracking technology, the people behind it, and who is buying it.  Follow along here.
When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase.  After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode.  Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.
Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages.  Cellebrite's products can also circumvent the passcode locks or other security protections on many current mobile phones.  The gear is typically used to gather evidence from a criminal suspect's device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.
Previous reports have focused on federal agencies' acquisition of Cellebrite tools.  But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.
According to a spreadsheet detailing what models of phones Cellebrite can handle, the UFED can extract data from thousands of different mobile devices.  It can’t, however, extract the passcode on the iPhone 4s or above.

How should we take this?  Is crime up 27% or are we discovering new ways to use Facebook data to predict, defend against, or identify the perpetrators of crime?     
Governments are demanding more and more user data from Facebook
On Wednesday, the social network said that government requests for user account data rose 27% in the first half of 2016 compared to the second half of last year.

A way to ‘lock up’ academic research?
Facebook’s secretive hardware team signs rapid collaboration deal with 17 universities
Facebook’s shadowy Building 8 research team needs help from academia to invent futuristic hardware.  But today’s pace of innovation doesn’t allow for the standard 9-12 month turnaround time it takes universities to strike one-off research partnerships with private companies.
Enter SARA, aka Facebook’s “Sponsored Academic Research Agreement.”  It’s a deal forged by Building 8 head Regina Dugan with 17 top universities to get collaboration on new projects started in just weeks or even days.  SARA eliminates the need for time-consuming further negotiation and faculty approvals.

A Brief Economic History of Time
Time’s unknowable perils contributed to the flourishing of economic thought.  But then something interesting happened.  The creature became the creator: The economy re-invented time.  Or, to put things less obliquely, the age of exploration and the industrial revolution completely changed the way people measure time, understand time, and feel and talk about time.
Just think: What do you look forward to when you’re at work?  Maybe it’s a happy hour, the weekend, or, in the more distant future, retirement.  Each of these is a distinct period of time, and each is an invention of the last 150 years of economic change.
Three forces contributed to the modern invention of time.  First, the conquest of foreign territories across the ocean required precise navigation with accurate timepieces.  Second, the invention of the railroad required the standardization of time across countries, replacing the local system of keeping time using shadows and sundials.  Third, the industrial economy necessitated new labor laws, which changed the way people think about work.

Report – Artificial Intelligence, Automation, and the Economy
by Sabrina I. Pacifici on Dec 21, 2016
“Accelerating artificial intelligence (AI) capabilities will enable automation of some tasks that have long required human labor.  These transformations will open up new opportunities for individuals, the economy, and society, but they have the potential to disrupt the current livelihoods of millions of Americans.  Whether AI leads to unemployment and increases in inequality over the long-run depends not only on the technology itself but also on the institutions and policies that are in place.  This report examines the expected impact of AI-driven automation on the economy, and describes broad strategies that could increase the benefits of AI and mitigate its costs…”

Perspective.  I don’t get it, but apparently we should be teaching game creation.
Super Mario Run breaks records with 40 million downloads in its first 4 days
Previous third-party estimates suggested the new game was on track to topple Pokémon Go’s previous early performance and approach the 40 million mark, but this official number confirms it.
In a press release issued by Nintendo, the company says that in addition to its top ranking in the “free” chart of the App Store in 140 different global markets (of the 150 where it’s available), it’s also now in the top 10 ranking for best grossing games in 100 different markets.

For my geeks.
PIXEL represents our best guess as to what the majority of users are looking for in a desktop environment: a clean, modern user interface; a curated suite of productivity software and programming tools, both free and proprietary; and the Chromium web browser with useful plugins, including Adobe Flash, preinstalled.  And all of this is built on top of Debian, providing instant access to thousands of free applications.
So, after three months of hard work from Simon and Serge, we have a Christmas treat for you: an experimental version of Debian+PIXEL for x86 platforms.  Simply download the image, burn it onto a DVD or flash it onto a USB stick, and boot straight into the familiar PIXEL desktop environment on your PC or Mac.  Or go out and buy this month’s issue of The MagPi magazine, in stores tomorrow, which has this rather stylish bootable DVD on the cover.
A school can now run PIXEL on its existing installed base of PCs, just as a student can run PIXEL on her Raspberry Pi at home.  She can move back and forth between her computing class or after-school club and home, using exactly the same productivity software and programming tools, in exactly the same desktop environment.  There is no learning curve, and no need to tweak her schoolwork to run on two subtly different operating systems.

Helping my students avoid “the dog ate my homework” syndrome.
Ultimately, you can never be too careful.  The more backups of your data you make, the better.  In this article, I’ll highlight the best free backup software for Windows.

I have no artistic ability.  Is this as good as they say?
For the uninitiated, Prisma allows you to turn your photos into works of art.  You choose a photo, then choose from a range of different styles designed to emulate famous artists.  And seconds later your photo looks like it has been painted rather than shot.
You can grab the latest version of Prisma on Android and on iOS now.