Expert Hacks Internal DoD Network via Army Website
A security researcher who
took part in the Hack the Army bug bounty program managed to gain access to an
internal Department of Defense (DoD) network from a public-facing Army
recruitment website.
Hack
the Army ran via the HackerOne platform between November 30 and
December 21, and the results of the program
have now been made public. A total of
371 people registered, including 25 government employees, and they submitted
416 vulnerability reports – the first one came within five minutes of launch.
Roughly 118 of the reports have been classified as unique
and actionable
… The most
noteworthy submission came from a researcher who managed to chain multiple
vulnerabilities in order to get from the goarmy.com Army careers website to an
internal DoD network that can normally be accessed only by authorized users.
… Thanks to the
success of these programs, similar events will likely be launched in the
future.
In the meantime, researchers who find flaws in the DoD’s
*.defense.gov and *.mil websites are still encouraged to report them. The Pentagon recently published its vulnerability
disclosure policy in an effort to provide guidance to white hat
hackers on how to legally report their findings.
For my Computer Security students.
Yahoo Faces SEC Probe Over Data-Breach Disclosures
Yahoo is facing a probe by the Securities and Exchange
Commission over how it handled the disclosure of two massive data breaches. A source familiar with the matter told The
Wall Street Journal the investigation will likely focus on a 2014
cyberattack that saw the personal data of 500 million users released. The company disclosed that breach only in
September 2016, which may have violated civil securities laws, the report said.
The investigation will also cover a 2013
breach that was only announced last December. While the SEC issued guidelines in 2011
calling for companies to disclose any security breaches, the guidelines did not
specify a timeframe, meaning the Yahoo case could set a precedent and provide
clarification.
For my Ethical Hacking students. This could be like texting “Fire!” in a crowded
theater.
The Demon Voice That Can Control Your Smartphone
Researchers have
created creepy sounds that are unintelligible to humans but still capable of
talking to phones’ digital assistants.
… what if there
was a way to talk to phones with sounds other than words? Unless the phones’ owners were prompted for
confirmation—and realized what was going on in time to intervene—they’d have no
idea that anything was being texted on their behalf.
Turns out there’s a gap between the kinds of sounds that
people and computers understand as human speech. Last summer, a group of Ph.D. candidates at
Georgetown and Berkeley exploited that gap: They developed a way to
create voice commands that computers can parse—but that sound like meaningless
noise to humans. These “hidden voice
commands,” as the researchers called them, can deliver a message to Google
Assistant-enabled Android phones nearby through bursts of what sounds like
scratchy static.
… The primary way
people interact with smartphones is by touching them. That’s why smartphone screens can be
thoroughly locked down, requiring a passcode or thumbprint to access. But voice is becoming an increasingly
important interface, too, turning devices into always-listening assistants
ready to take on any task their owner yells their way. Put in Apple’s new wireless earphones, and
Siri becomes your point of contact for interacting with your smartphone without
taking it out of your pocket or bag.
The more sensors get packed into our ubiquitous
pocket-computers, the more avenues someone can use to control them.
For my IT Governance students. Even small things have major impacts. How can you tell it isn’t Russian hackers?
United Airlines Computer Glitches Delay Flights, Infuriate
Flyers
Tempers boiled in departure lounges around the world
overnight as two separate problems with United Airlines' computer systems
caused widespread delays.
… The first glitch,
concerning United's luggage weighing systems, was resolved late Thursday, King
said. Another issue caused more delays
before being resolved at 3 a.m. ET — although King said she did not know its nature nor its cause.
… Amy Zandy, a
32-year-old sales director from Chicago, was among those affected.
"You are literally a global conglomerate," she
told NBC News, referring to United. "You don't have backup systems? You don't know how to manually process this
information?"
Also for my Governance students?
Privacy law scholar Daniel Solove has made two of his
books freely available online:
The Digital
Person: Technology and Privacy in the Information Age (2004) [296 pp]
and
The Future
of Reputation: Gossip, Rumor, and Privacy on the Internet (2007) [257
pp.]
Both books have inspired a lot of scholarly debate and
reflection on the course of privacy and privacy law in this country.
Great thanks to Dan and the publishers for making them
available. Go grab your copies now, if
you don’t have copies already.
An interesting case.
How should this have been handled?
It is an issue that has come up a number of times for me
with one of my other “hats” on: do you send a child to school with a wire to
record what’s going on in the school if they claim they are being harassed or
abused so that you have proof? Maybe
you’ve see bruises on them and can get no real answer from the school. Maybe your child is telling you that a school
administrator is cursing them and threatening them. Maybe you don’t know what to believe. Or maybe you do believe your child, but no one
else will believe what’s going on.
We know, from studies, that students with disabilities are
more likely to be harassed or abused in school. We’ve all seen the horrific footage of such
abuse in other cases. Now it’s your
child who may be being mistreated by school personnel.
What would you do if you decide you can’t just remove
your child from that school because you can’t find an alternative placement? Or maybe there are alternatives, but you
decide that the school should not get away with this because they’ll continue
doing it to other children, if not yours.
What would you do?
If you live in a state where two-party consent is required
for audio and/or video recording, then under the law, they should not secretly
record any conversation – even if, as may be in the case at hand – you have
gone to the police on several occasions to no avail.
So what do you do to protect your child or to get evidence
of what’s going on?
I know what we’ve done in the past, but because my lawyer
would probably prefer I not publicly admit to any possible crimes, I won’t say
here.
But it sounds like there may be that kind of situation in
Pennsylvania, where a Woodland Hills High School administrator allegedly was
verbally abusive and threatened a student with disabilities. CBS reports:
There was harsh criticism of
Allegheny County District Attorney Stephen Zappala outside the Woodland Hills
School District Administration building Wednesday night.
Protestors gathered for a
demonstration sponsored by a group called the Alliance for Police
Accountability.
Brandi Fisher, of the Alliance
for Police Accountability, told the gathering, “Not only does the D.A. need to
charge the principal, the D.A. needs to resign.”
The controversy stems from
Zappala’s recent decision not to file charges against high school Principal Kevin
Murray after an expletive-filled reprimand he gave to a student.
The student secretly recorded the
conversation.
Read more on CBS
Pittsburgh.
The stations’s past coverage of the case is linked from here. The recording allegedly catches the
administrator saying, ““I’m going to [expletive] punch you in the face. Man-to-man, bro. I don’t care if you are [expletive]
14-years-old or not. I will punch you in
your face, and when we go down to court, it’s your word against mine, and mine
wins every time.”
Reading the coverage, it appears that the district decided
that the recording could not legally be used against the administrator because
the recording was made in violation of wiretap laws.
So police can violate the law and the evidence can be used
in many cases under some “good faith” exception,” but evidence against a school
administrator is not entitled to any good faith exception and would have to be
suppressed? And then you charge the
teenager for violating the wiretap law?
Something’s very wrong here.
Maybe Orin Kerr or Scott Greenfield can help me understand
why this is a correct course of action – to not use the tape and to charge the
teenager. Somehow, I doubt I will be
easily convinced.
Is this how to compete in the Digital Age?
Decaf with your deposit? Bank branches transform into cafes,
more
If you’re like many Americans, you may be making fewer
trips to the bank and instead taking care of check deposits with a mobile app
or tracking account balances with a few mouse clicks.
Digital banking is undeniably gaining ground over the old
brick-and-mortar process. But about 84% of banking customers still visit branches at least
occasionally, according to a March 2016 Federal Reserve report.
Interesting. I
wonder if there is a truly neutral version of this? No, not the New York Times.
Local techies launch fact-focused Trump wiki site
Jan Miksovsky was worried about how citizens will be able
to keep up with the Donald Trump administration.
So, in a bout of entrepreneurial spirit, he helped build a
tool to address the matter.
The longtime Seattle software engineer, who spent 16 years at Microsoft before
founding two Seattle
startups, helped gather the crew of developers and writers behind Presterity.org, a web portal
pitched as a Wikipedia-like chronicle of the Trump administration.
The aim isn’t nonpartisan.
“We’d like to create what you might call a reference desk
for people to try to resist the damages of the Trump administration,” Miksovsky
said.
I wondered what went wrong with the polls… A guideline for Mark Zuckerberg?
The Electoral College Blind Spot
(Related)
It Wasn’t Clinton’s Election To Lose
(Related)
The Invisible Undecided Voter
Something to consider in my Spring Quarter Spreadsheet
class. Sounds a bit overblown.
UK research project documents decline of statistics and rise
of big data
by Sabrina
I. Pacifici on Jan 22, 2017
“How statistics lost their power – and why we should
fear what comes next,” by William Davies, The Guardian: “The ability of statistics to accurately represent the world
is declining. In its wake, a
new age of big data controlled by private companies is taking over – and putting democracy in peril… In theory, statistics should help settle
arguments. They ought to provide stable
reference points that everyone – no matter what their politics – can agree on. Yet in recent years, divergent levels of trust
in statistics has become one of the key schisms that have opened up in western
liberal democracies. Shortly before the
November presidential election, a study in the US discovered that 68% of Trump supporters distrusted the
economic data published by the federal government. In the UK, a research project by Cambridge
University and YouGov looking at conspiracy theories discovered that 55% of the
population believes that the government “is hiding
the truth about the number of immigrants living here”.
Perhaps I’ll ask my students to create a 3D Video. The next ‘Avatar?’
Why let Pixar have all the fun? Mindshow lets anybody make 3D
movies in VR
… “It’s a lot like
a cartoon that you can walk around in,” says Visionary CEO and Chief Creative
Officer Jonnie Ross, “but there’s a lot more to it than that.”
In a nutshell, Mindshow is a VR sandbox that allows you to
create virtual scenes, then animate them with your own body movements, voice,
and imagination.
No comments:
Post a Comment