Sunday, January 29, 2017

Live with poor security, die with poor security.  Note that they did make the security upgrades, but only after paying the ransom.  The math is simple.  Pay for the upgrade OR pay for the upgrade plus the ransom. 
Oh my.  This is a somewhat different application of ransomware.  I hope it doesn’t catch on.
The Local reports this incident in Austria:
One of Europe’s top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests in or out of their rooms until the money was paid.
Furious hotel managers at the Romantik Seehotel Jaegerwirt, a luxurious 4-star hotel with a beautiful lakeside setting on the Alpine Turracher Hoehe Pass in Austria, said they decided to go public with what happened to warn others of the dangers of cybercrime.
The attack, which coincided with the opening weekend of the winter season, was allegedly so massive that it even shut down all hotel computers, including the reservation system and the cash desk system.
The hackers promised to restore the system quickly if just 1,500 EUR (1,272 GBP) in Bitcoin was paid to them.
Managing Director Christoph Brandstaetter said: “The house was totally booked with 180 guests, we had no other choice.  Neither police nor insurance help you in this case.”
Read more on The Local.
[From the article: 
Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system.
   "The restoration of our system after the first attack in summer has cost us several thousand Euros.  We did not get any money from the insurance so far because none of those to blame could be found."  [What is the real reason?  Bob]
   "We know that other colleagues have been attacked, who have done similarly."  [A warning ignored?  Bob]
   Yet according to the hotel, the hackers left a back door open in the system, and tried to attack the systems again.
On the fourth attempt the hackers had however no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled.
The Seehotel Jaegerwirt, which has existed for 111 years, also has another, innovative, trick in store to keep the hackers out for good.
Brandstaetter said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys.  Just like 111 years ago at the time of our great-grandfathers."

Another ransomware incident.  What is the thinking here?  It’s only a few things on the Internet of Things so we don’t need security? 
Clarence Williams reports:
Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts, according to the police and the city’s technology office.
City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15.  The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.
Read more on Washington Post.

Perhaps he should have left his heart monitor somewhere else?
So since I was just talking about biological data (DNA) being obtained as evidence, it seems fitting to also point to a somewhat concerning case in Ohio.  Karin Johnson reports:
A Middletown man was indicted on charges of arson and insurance fraud.
Police said data they were able to retrieve from his electronic heart monitor was one of the key pieces of evidence that led to them charging Ross Compton.
A fire last September destroyed Compton’s house on Court Donegal in Middletown.
In his 911 call, he told a dispatcher, “I grabbed a bunch of stuff, threw it out the window.”
Compton also told the dispatcher that he had an artificial heart.
Middletown police said Compton told them that he was able to pack his suitcases and throw them out his bedroom window after he broke out the glass with a walking stick.
According to court documents obtained by WLWT, a cardiologist told police that those actions were “highly improbable” because of Compton’s medical condition.
Police sought to prove that by collecting electronic data stored in Compton’s electronic heart device.  They wanted to know Compton’s heart rate, pacer demand and cardiac rhythms before, during and after the fire.
Read more on WLWT.
So where are we going if devices that people wear for their health conditions can be used as evidence against them to obtain warrants, or to convict them?  Does evidence based on the devices meet the Daubert standard?  Are there any Fifth Amendment issues here?  Is this really any different than using a blood draw for alcohol level in a suspected drunk-driving case that resulted in injuries?

Facebook is addressing user concerns.  Will others follow?
Facebook's support for USB security keys is a good move and one others should follow
In an attempt to increase the security of online accounts, Facebook has added support for 2 factor authentication using USB security keys.
The security keys supported are ones that support a standard called U2F which stands for Universal 2nd Factor authentication.  Logging into Facebook still involves using a username and password but the 2nd factor of the process is simply a matter of inserting the key into the computer and touching a metallic part of the key.  The process is faster than using an SMS text message or special authenticator app and it is potentially more secure.
   There are a number of issues with security keys however.  They cost between US$18 and US$50 and they currently only work with modern versions of the Chrome and Opera browsers on computers and Android phones that support NFC.
The other problem is that at present, you can only use a security key using U2F to log into Google, Facebook, GitHub, Salesforce and Dropbox.

Is this one possible future for IoT devices?  What if it called my insurance company or my parole officer or my boss? 
Tostitos bag tells you when you’ve had too much to drink and calls an Uber in Super Bowl campaign
   In a gimmicky, but perhaps well-intentioned, Super Bowl advertising campaign, Tostitos has created a bag of chips that includes an alcohol sensor.  The “Party Safe” bags flash red with the message “Don’t Drink And Drive” if alcohol is detected on your breath and can even use near field communication to call an Uber from your phone.
The battery-powered bags don’t appear to be available to the public, but CNET reporter Amanda Kooser was able to test one out.  After downing a shot of whiskey, Kooser blew and the bag glowed red and offered an Uber coupon for $10 off.  While you might not be able to get your hands on the bag, you can get the coupon.
In a partnership with Mothers Against Drunk Driving, Tostitos will include a coupon for the ride-hailing service on most of its bags.  The coupon is only valid on Super Bowl Sunday (Feb. 5) and is limited to the first 25,000 users.  [So, get drunk early?  Or, use Uber to get to the bar?  Bob] 

For my students.  Find an industry to disrupt.
The $99 Billion Idea
How Uber and Airbnb Fought City Hall, Won Over the People, Outlasted Rivals, and Figured Out the Sharing Economy.

Is this fake news?  I certainly hope so!
Fake News Is About to Get Even Scarier than You Ever Dreamed
   One research paper published last year by professors at Stanford University and the University of Erlangen-Nuremberg demonstrated how technologists can record video of someone talking and then change their facial expressions in real time.  The professors’ technology could take a news clip of, say, Vladimir Putin, and alter his facial expressions in real time in hard-to-detect ways.  In fact, in this video demonstrating the technology, the researchers show how they did manipulate Putin’s facial expressions and responses, among those of other people, too.
