Tuesday, January 24, 2017

Quis custodiet ipsos custodes?  The OIG and every terrorist in the world. 
Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports
by Sabrina I. Pacifici on Jan 23, 2017
“Our previous reports identified numerous deficiencies in security controls for TSA’s IT systems and equipment at airports.  These deficiencies included inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs.  TSA has undertaken various actions to address the recommendations we made in these reports.  Based on our review of the corrective actions taken as of May 2016, we consider most of the recommendations resolved and closed.  However, TSA has not yet resolved recommendations we made in two key areas.  TSA officials indicate it will take time, money, and contract changes to include security requirements in the Security Technology Integrated Program, a data management system that connects airport screening equipment to servers.  TSA also disagrees that closed-circuit televisions, including cameras, at airports constitute IT equipment and that TSA is responsible for maintaining them.  Further, as a result of our analysis to compile this report, we are making two new recommendations to improve security controls for TSA’s IT systems at airports.  Specifically, TSA needs to assess the risk of not having redundant data communications capability to sustain operations at airports in case of circuit outages.  Additionally, while TSA has undertaken reviews of security controls for its IT systems at airports, it would benefit from establishing a plan to conduct the reviews on a recurring basis nationwide.”

In theory, this research should have been done before Pattern Locks were introduced.  But, where’s the fun in that?
Researchers Crack Android’s Popular Pattern Lock Security Within 5 Attempts
Researchers from Lancaster University, Northwest University in China, and the University of Bath have demonstrated that attackers could easily unlock a phone in less than five attempts.
First off, what is Pattern Lock?  In order to unlock a device’s content or functions, users must draw a pattern on a grid of dots.  Users typically have five chances to get it right before they are locked out.  40% of Android users utilize Pattern Lock and prefer it over using a PIN or password.
Researchers took video of owners unlocking their phones with Pattern Lock.  The attacks worked regardless of screen size or content on the phone’s screen, and were able to be tracked from roughly eight feet away.  Hackers were then able to use software to track the owner's fingertip movements relative to the position of the device.  The researchers collected 120 patterns and were able to unlock 95% of them within five attempts.
Ironically, the more complicated passwords were easier to crack.  Guixin Ye, the leading student author from Northwest University, remarked, “Contrary to many people's perception that more complex patterns give better protection, this attack actually makes more complex patterns easier to crack and so they may be more secure using shorter, simpler patterns”.  Researchers were able to uncover all but one of the “complex” patterns, 87.5% of the “medium” patterns and 60% of “simple” patterns on their first attempt.

For my Computer Security, Ethical Hacking and Forensic students.
FTC Releases New Report on Cross-Device Tracking
by Sabrina I. Pacifici on Jan 23, 2017
“The Federal Trade Commission has released Cross-Device Tracking: An FTC Staff Report that describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges associated with it, and industry efforts to address those challenges.  The report concludes by making recommendations to industry about how to apply traditional principles like transparency, choice, and security to this relatively new practice.  The report draws upon comments and discussions from a November 2015 Cross-Device Tracking Workshop and explains that cross-device tracking associates multiple devices with the same consumer and links a consumer’s activity across her devices (e.g., smartphones, tablets, personal computers, and other connected devices).  It describes how cross-device tracking facilitates seamless experiences, can help to prevent fraud and more effectively target ads, and can increase competition in advertising.  However, the report also acknowledges that cross-device tracking often takes place without consumers’ knowledge.  It also discusses that consumers have limited choices to control such tracking, and that it can result in caches of more—and more sensitive—data that need to be protected.”

For my Ethical Hacking and Forensic students.
Researchers Link "de-identified" Browsing History to Social Media Accounts
While the use of cookies and other tracking mechanisms used to track computers is widespread and well understood, it is often believed that the data collected is effectively de-identified; that is, the cookies track the computer browser, not the person using the computer.
This is the message often promulgated by the advertising industry: tracking cookies allow targeted advertising without compromising personal privacy.  Now new research from academics at Stanford and Princeton universities demonstrates that this need not be so.
In the new study 'De-anonymizing Web Browsing Data with Social Networks' (due to be presented at the 2017 World Wide Web Conference Perth, Australia, in April) the researchers show that de-identified web browsing histories can be linked to social media profiles using only publicly available data.  Once the social media profile associated with a browsing pattern is known, the person is known.

Should you join them?
Messaging App Has Bipartisan Support Amid Hacking Concerns
Aides to Trump, Obama and de Blasio use Signal, a smartphone app that encrypts messages
Signal, a smartphone app that allows users to send encrypted messages, is gaining popularity in the political world amid rising fears about hacking and surveillance in the wake of a tumultuous election year.

When I teach a Data Management class, articles like this really start the conversation going.  Yes, people value Data Management.  
Collibra nabs $50M led by ICONIQ to fix companies’ data governance
Data governance and management startup Collibra … has raised $50 million in its latest round of funding.
   “Big data” has been the term du jour in the enterprise software space for at least the past two years… the phrase has become so over-used that it’s almost a punch line.
However, behind the jargon is a hard fact that data is important.  It’s good for businesses to know where their data comes from, how reliable it is, and how best to use it.
That’s the problem that Collibra purports to solve.  Services that it covers includes compliance with BCBS 239, CCAR MRAs and GDPR; demonstrating data protection and security; fixing bad dataanalytics; and data discovery.
“Data’s day has come.  And with that, organizations have recognized that data can only be leveraged as a strategic resource to the extent it can be accessed and, most important, trusted,” said Felix Van de Maele, CEO and co-founder of Collibra, in a statement.

Is Ford, like Tesla, saying, “We don’t need no stinking dealers!”  
Ford teams with startup for online car shopping
Ford Motor Credit Co. said Monday that it would use software developed by AutoFi Inc. to let car buyers shop for a Ford or Lincoln car and secure a loan online through its dealers’ websites.
As part of the new deal, Ford Motor Credit also announced an equity investment in AutoFi.  It didn’t disclose the amount.
AutoFi doesn’t make any credit decisions or loans itself.  The company operates a marketplace where dealers can select which banks, credit unions or other lenders can pitch loans to car buyers.  Customers can choose among competing offers.  AutoFi gets paid a fee by both the dealer and the lender if its service is used in a purchase.

Perspective.  Then ask yourself, ‘Should I care?’
1. In 2014, over 561 billion text messages were sent in one month.  That equates to 18.7 billion text messages per day, 779 million text messages per hour, 13 million text messages per minute, or 216,000 text messages per second.  Now imagine how much worse it’s gotten in the two years since!
2. In 2016, Millenials prefer texting to calling for all communications.  Of those aged between 18–24, when given a choice between only being able to text or only being able to call, about 75 percent chose texting.  Not only that, but about 75 percent of Millenials prefer to receive texts for things like appointments, payments, order alerts, etc.
3. Messaging apps are taking over traditional text messages.  As of 2015, about 49 percent of smartphone owners between 18–29 years of age preferred to use messaging apps.  The older folks are catching on, too: about 37 percent of those aged 30–49 and 24 percent of those aged 50+ use messaging apps.

But do they have the one I need?  
CourtListener – free legal research website – millions of legal opinions from federal and state courts
by Sabrina I. Pacifici on Jan 23, 2017
“Search millions of opinions by case name, topic, or citation. 418 Jurisdictions.  Sponsored by the Non-Profit Free Law Project.  With CourtListener, lawyers, journalists, academics, and the public can research an important case, stay up to date with new opinions as they are filed, or do deep analysis using our raw data.”

(Related)  I wonder what Watson could do with this data?
Judge Profiles on CourtListener Now Show Oral Arguments Heard
by Sabrina I. Pacifici on Jan 23, 2017
Free Law Project Blog – “We’re proud to share that we’ve now linked together our database of judges and our database of oral argument recordings.  This means that as of now if you look at the profile page for a judge, you may see a list of oral argument recordings for cases that judge heard.  Clicking on the button at the bottom takes you back to our database of oral argument recordings where you can further refine your search.  If the judge is active, there is an icon in the upper right that lets you subscribe to a podcast of the cases heard by that judge.  At this time, these features are only available for the Supreme Court and for jurisdictions where the judges for specific cases are provided by the court website.   We hope to expand this in the future.  To our knowledge, a linkage like this has never previously existed on any system, and we hope that it will make research and exploration faster and easier for our users.  To get started with this addition, you can browse the judges in CourtListener, or explore our APIs and Bulk Data, where files now include this information.”  [Awesome!]

Perspective.  The world is changing when a retailer can create content that meets or beats the content creators.
Oscars: Amazon Nabs Streaming's First Best Picture Nomination With 'Manchester by the Sea'
With the nomination of Amazon Studios' Manchester by the Sea for best picture on Tuesday morning, the Academy of Motion Picture Arts and Sciences has officially put streaming services in the Oscar features game. 
Amazon has not only scored its first Oscar nominations with Manchester, it has also become the first streaming service to earn a best picture nod.

For such a simple (and cheap) device, a lot of big players seem interested in connecting to it.  Perhaps they see it as a way to identify geeks they might like to hire?
Google To Enable Its AI And Machine Learning Tech On Raspberry Pi This Year
If you’re a Raspberry Pi developer that is at all interested in artificial intelligence (AI) and machine learning, we’ve got a treat in store for you.  Google is looking to bring its AI and machine learning tools to the Raspberry Pi starting this year, but it wants your help and input to make it happen.
Google has launched a survey that includes questions about how often developers spend working on software and hardware projects, and if they are interested in fields ranging from wearables to drones to IoT to robotics to 3D printing.  It will use input gained from this survey to narrow its focus on the tools that are provided later this year.

Cluster HAT, the easiest way to build a Raspberry Pi Zero cluster
I recently compiled a list of Raspberry Pi clusters and reader Alex Hortin wrote in to suggest I looked at a cluster framework for up to four Raspberry Pi Zeros called the Cluster HAT produced by 8086 Consultancy. 

No comments: