Wednesday, February 22, 2017
Think about this one, Computer Security students. Why can’t they identify (or at least communicate with) people who purchased their analyzer?
Serious Breach Linked to Chinese APTs Comes to Light
A report published earlier this month by RSA describes Kingslayer, a supply chain attack that apparently targeted system administrators in some large organizations. The attackers breached the systems of a company that offers event log analyzers and replaced a legitimate application and its updates with a backdoored version.
… While it’s unclear exactly how many organizations downloaded the backdoored software in the April 9-25 timeframe, RSA said the portal that hosted it had numerous subscribers, including four major telecoms providers, over ten western military organizations, more than two dozen Fortune 500 companies, five major defense contractors, and tens of IT solutions providers, government organizations, banks and universities.
While RSA has not named the company whose systems were compromised, investigative journalist Brian Krebs determined that it was Canada-based Altair Technologies Ltd.
… The EventID.Net website hosted EvLog, the software hijacked by the attackers. A notice posted on the site in June 2016 provides some details on the incident and recommendations for potentially affected users.
However, as Krebs pointed out, the advisory does not appear to have been shared on social media and there was no link to it from anywhere on the site – a link was added this week after the journalist contacted Altair Technologies. The company told Krebs it had no way of knowing who downloaded the software so potential victims were not notified directly either.
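The failure mode in this story is that the attackers replaced not just the application but "its updates" on the vendor's own portal. Anything the portal publishes alongside the download, including a checksum file, is therefore replaceable too. The example below is added here to make that concrete; it is not code from RSA, Altair Technologies or the EvLog product, and it does not reflect how Kingslayer actually worked (the report excerpted above does not say). The artifact names, the portal dictionary and the sample bytes are all constructed for the demo. It contrasts the weak check (trust a digest served by the same host) with a digest pinned out-of-band when the build was first vetted, and refuses artifacts it has no pin for.

```python
import hashlib
import hmac

# --- Constructed sample data (not real EvLog binaries) -----------------------
LEGIT_UPDATE = b"EvLog update, legitimate vendor build (constructed sample)\n"
BACKDOORED_UPDATE = LEGIT_UPDATE + b"...plus an attacker-added payload (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file on disk, streamed so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Pinned manifest: digests recorded when the build was first vetted and kept
# somewhere the vendor's web host cannot rewrite (your own config repo, an
# internal package index). Built from the constructed sample here so the
# example runs offline; in practice this comes from your records, not the portal.
PINNED_MANIFEST = {"evlog-setup.exe": sha256_hex(LEGIT_UPDATE)}


def verify_update(name: str, data: bytes, manifest: dict) -> bool:
    """True only if `data` matches the pinned digest for `name`.

    An artifact with no pinned entry is refused: "unknown" must not mean
    "install anyway".
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def portal_self_check(portal: dict, name: str) -> bool:
    """The weak check: trust a .sha256 file served by the same portal.

    If the attacker controls the portal they control this file as well, so the
    check passes for the backdoored build. Kept only to contrast with
    verify_update(); it is not a control.
    """
    published = portal.get(name + ".sha256")
    if published is None:
        return False
    return hmac.compare_digest(sha256_hex(portal[name]), published)


def demo() -> dict:
    """Simulate the compromised portal and run both checks against it."""
    # Hypothetical portal state: attacker replaced the installer AND its digest.
    compromised_portal = {
        "evlog-setup.exe": BACKDOORED_UPDATE,
        "evlog-setup.exe.sha256": sha256_hex(BACKDOORED_UPDATE),
    }
    served = compromised_portal["evlog-setup.exe"]
    return {
        "portal_hash_check_passes": portal_self_check(compromised_portal, "evlog-setup.exe"),
        "pinned_check_passes": verify_update("evlog-setup.exe", served, PINNED_MANIFEST),
        "pinned_check_on_legit_build": verify_update("evlog-setup.exe", LEGIT_UPDATE, PINNED_MANIFEST),
        "unknown_artifact_refused": not verify_update("other.exe", LEGIT_UPDATE, PINNED_MANIFEST),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the portal-served digest happily "verifying" the backdoored build while the pinned digest rejects it. The pin is only as good as the vetting done when it was recorded, and a vendor-signed installer checked against a pinned publisher key is the stronger form of the same idea; the point this example makes is simply that the reference value must live somewhere the compromised host cannot touch.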
Stealing data is easy!
Before fighting everyone in the room to plug your smartphone into the communal charger: please don’t.
Or at least, beware.
Coffee shops, airports and almost every other kind of public meeting space have become regular safe havens whenever we’re desperate for that extra juice. But with the ubiquity of USB ports built into today’s phone chargers, this flow of “juice” isn’t just power anymore – it’s data. Important data.
All it takes is one easily disguised charging kiosk, or even a power strip, for hackers to hijack your charge, and once you’re juice-jacked, there’s little that can be done to stop it – from installing malware onto your device to sucking out personal messages, photos and information – all for the simple cost of offering sweet relief and a fully powered phone.
Listen to the show on SCPR.org.
Acquiring personal information is even easier.
The Facebook Algorithm Is Watching You
You can tell a lot about a person from how they react to something.
That’s why Facebook’s various “Like” buttons are so powerful. Clicking a reaction icon isn’t just a way to register an emotional response, it’s also a way for Facebook to refine its sense of who you are. So when you “Love” a photo of a friend’s baby, and click “Angry” on an article about the New England Patriots winning the Super Bowl, you’re training Facebook to see you a certain way: You are a person who seems to love babies and hate Tom Brady.
About time. Note that apparently, there was nothing illegal here, it was ‘just’ unethical. No way to recover any money (from bonuses already paid).
Wells Fargo Fires Four Senior Managers Amid Phony Account Scandal Investigation
… Wells Fargo announced Tuesday that it has terminated four current or former senior managers from the community banking division based on the bank's board of directors' investigation into the phony account scandal.
… All four individuals have been terminated for cause by a unanimous vote by the board of directors. None will receive a bonus for 2016, Wells said, and they will forfeit all of their unvested equity awards and vested outstanding options.
… Consumers have exacted their own sort of punishment on the bank: account openings in October, the first full month of results after news of the account scandal broke, plunged 44%. Account openings in November fell 41% and, in a banking activity report released last week, Wells said that account openings in December fell 31% compared to the prior year.
Interesting but futile? “If we can’t operate under these rules, we’ll re-write them!”
I still worry that I will have to have a (several?) smartphones or social media accounts to get back in the country. Currently, I have neither.
A Stand Against Invasive Phone Searches at the U.S. Border
… Senator Ron Wyden, a Democrat from Oregon, has a few questions about that legal authority. He sent a letter to the secretary of the Department of Homeland Security on Monday, expressing dismay at reports that people were being asked to unlock and hand over their smartphones at the border. He also said he’s planning on introducing a bill to require agents to get a warrant before searching a device, and to prevent DHS from implementing a new policy that would require foreign visitors to turn over their online passcodes before visiting the U.S.
… Wyden asked DHS Secretary John Kelly for detailed statistics on the number of times customs agents asked for or demanded a smartphone or computer password in the past five years as well as since Trump took office in January. He also asked how Customs and Border Protection, or CBP, justifies these searches legally, focusing specifically on the Fifth Amendment, which protects people from testifying against themselves. (I’ve written before how the Fifth Amendment prevents law enforcement from demanding that someone give up a password—and how it may not apply to devices that are unlocked via fingerprint, iris scans, or speech patterns.)
… The senator also took aim at a proposal that Kelly put forward in front of the House Homeland Security Committee two weeks ago. He suggested that visitors may be required to turn over passwords to their social-media accounts or risk being denied entry. The idea alarmed privacy advocates, who say such a rule would give CBP agents an overly broad look into travelers’ digital lives.
Issuing a blanket approval for social-media searches at the border could run into thorny legal issues, too. To get a subject’s personal information from a company like Facebook, Google, or Apple, law enforcement must first obtain a subpoena or a search warrant, which it can then use to ask the company to turn over relevant data. Getting social media passwords straight from a traveler would end-run this system.
Another phone search restriction.
Orin Kerr writes:
If a police agency gets a search warrant and seizes a target’s iPhone, can the agency share a copy of all of the phone’s data with other government agencies in the spirit of “collaborative law enforcement among different agencies”? Not without the Fourth Amendment coming into play, a federal court ruled last week in United States v. Hulscher, 2017 WL 657436 (D.S.D. February 17, 2017).
Read more on The Volokh Conspiracy.
Fast managers, not just fast computers.
AI and the Need for Speed
Artificial intelligence (AI) holds substantial promise for organizations to reduce costs and increase quality, but how AI affects organizations’ use of and relationship to time — in reacting, managing, and learning — may be the most jarring.
Another interesting move. Why start in India? A deal with Modi? Need for workers in the smartphone factories?
LinkedIn will help people in India train for semi-skilled jobs
Microsoft has launched Project Sangam, a cloud service integrated with LinkedIn that will help train and generate employment for middle and low-skilled workers.
The professional network that was acquired by Microsoft in December has been generally associated with educated urban professionals, but the company is now planning to extend its reach to semi-skilled people in India.
Having connected white-collared professionals around the world with the right job opportunities and training through LinkedIn Learning, the platform is now developing a new set of products that extends this service to low- and semi-skilled workers, said Microsoft CEO Satya Nadella at an event on digital transformation in Mumbai on Wednesday.
Project Sangam, which is in private preview, is “the first project that is now the coming together of LinkedIn and Microsoft, where we are building this cloud service with deep integration with LinkedIn, so that we can start tackling that enormous challenge in front of us of how to provide every person in India the opportunity to skill themselves for the jobs that are going to be available.”
Will retail banks be replaced by social media?
Bank Accounts for the Unbanked: Evidence from a Big Bang Experiment
Chopra, Yakshup and Prabhala, Nagpurnanand and Tantri, Prasanna L., Bank Accounts for the Unbanked: Evidence from a Big Bang Experiment (February 12, 2017). Available at SSRN: https://ssrn.com/abstract=2919091
“Over 2.5 billion individuals around the world are unbanked. How they can be brought into the formal financial system is a question of policy and academic interest. We provide evidence on this question from India’s PMJDY program, a “big bang” shock that supplied bank accounts to virtually all of its 260 million unbanked. We analyze activity in the new PMJDY accounts using actual transaction data in the accounts. While the newly included individuals are typically poor, unfamiliar with banking, and do not undergo literacy or other training, transaction levels nevertheless increase as accounts age and converge or exceed levels in non-PMJDY accounts of similar vintage. Usage is led by active transactions and is aided but not entirely explained by benefit transfer programs. The results suggest that the unbanked have unmet (possibly latent) demand for banking, or that the supply of banking perhaps stimulates its own demand.”
TransferWise launches Facebook Messenger bot for easy global money transfers
There’s no App for that? Will the first App to check IDs make the author a fortune? Or does the law say it must be a “person?”
Amazon plans to sell beer and wine at its new high-tech convenience store
… “When we start offering beer and wine, there will be an associate checking identification,” an Amazon spokesperson wrote in an email.
I’m going to be watching this one. How could they steal so much without detection?
Switzerland's ABB hit by $100 million South Korean fraud
Swiss engineering group ABB revealed the discovery of what it called a "sophisticated criminal scheme" in its South Korean subsidiary on Wednesday, which it expects will result in a $100 million pre-tax charge.
… The Swiss company said the alleged theft was limited to South Korea, where it employs around 800 people and generated sales of $525 million in 2015. [And this guy stole 20% of everything they sold? Bob]
"The treasurer of the South Korean unit is suspected of forging documentation and colluding with third parties to steal from the company," ABB said.
A “little” change, but a big investment. How do they “Deliver?” Fly over and just drop the package? Fly onto your porch and set it in full view of package thieves? Open the garage door and set it on your work bench?
UPS tests show delivery drones still need work
… The logistics juggernaut specifically launched an octocopter, or multi-rotor drone, from the top of a delivery van. The drone delivered a package directly to a home, then returned to the van which had now moved down the road to a new location.
… The truck for the test was custom-built to be able to launch the HorseFly drone from its roof, then grab it upon its return with robotic arms. A cage suspended beneath the drone extends through a hatch in the truck, where the drone can be lowered down and loaded up with another package. While docked, the drone recharges through a physical connection between its arms and the truck’s electric battery.
Not even as an historical collection? If I faced or used these weapons, shouldn’t I be allowed to show others what they can do? Am I limited to guns labeled “Not for military use?”
Appeals court rules banned assault weapons are designed to kill or disable enemy on battlefield
Slate – Appeals Court Rules that Second Amendment Doesn’t Protect Right to Assault Weapons: “On Tuesday [February 21, 2017], the U.S. Court of Appeals for the 4th Circuit ruled that the Second Amendment doesn’t protect assault weapons—an extraordinary decision keenly attuned to the brutal havoc these firearms can wreak. Issued by the court sitting en banc, Tuesday’s decision reversed a previous ruling in which a panel of judges had struck down Maryland’s ban on assault weapons and detachable large capacity magazines. Today’s ruling is a remarkable victory for gun safety advocates and a serious setback for gun proponents who believe the Second Amendment exempts weapons of war from regulation…”
Something all my students should read. In particular, those who think our writing center won’t help them.
… this is the story of how a group of bank examiners at the Federal Reserve Bank of Philadelphia, one of 12 banks in the U.S.’s Federal Reserve System, dramatically improved the clarity and impact of their written reports.
Tools for school?
Tools for home?