Friday, May 12, 2017

An Executive order.  “Management” is accountable?  What a concept! 
Trump signs order on cybersecurity that holds agency heads accountable for network attacks
President Trump on Thursday signed an executive order on cybersecurity that makes clear that agency heads will be held accountable for protecting their networks, and calls on government and industry to reduce the threat from automated attacks on the Internet.
Picking up on themes advanced by the Obama administration, Trump’s order also requires agency heads to use Commerce Department guidelines to manage risk to their systems.  It commissions reports to assess the country’s ability to withstand an attack on the electric grid and to spell out the strategic options for deterring adversaries in cyberspace.

A government recommendation.
Vendors approve of NIST password draft security recommendations – emojis welcome
by Sabrina I. Pacifici on May 11, 2017
Via CSO – “Standards group recommends removing periodic password change requirements – A recently released draft of the National Institute of Standards and Technology’s (NIST’s) digital identity guidelines has met with approval by vendors.  The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies.  The new framework recommends, among other things:
  • Remove periodic password change requirements
There have been multiple studies that have shown that requiring frequent password changes is actually counterproductive to good password security, said Mike Wilson, founder of PasswordPing.  NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is an indication of breach.
  • Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers.  Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords, Wilson adds.  NIST said if a user wants a password that is just emojis they should be allowed.  It’s important to note the storage requirements: salting, hashing and a keyed MAC, such that if a password file is obtained by an adversary, an offline attack is very difficult to complete.
  • Require screening of new passwords against lists of commonly used or compromised passwords
One of the best ways to ratchet up the strength of users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords, he said.  NIST adds that dictionary words, user names, repetitive or sequential patterns all should be rejected…”
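As an added, illustrative example (not code from the CSO article, from NIST, or from PasswordPing), the following Python sketch shows what the three recommendations above look like at enrolment time: no composition rules, a minimum length counted in characters so an all-emoji secret is acceptable, screening against a blocklist of common or compromised passwords, rejection of the user name and of repetitive or sequential runs, and storage as a salted memory-hard hash followed by a keyed MAC whose key (the “pepper”) lives outside the credential database.  The blocklist, the pepper, the run length of four and the scrypt parameters are all assumptions chosen for the example; a real deployment would load a large breach corpus and tune the cost parameters to its hardware.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample blocklist for the example; a real system would load a
# large corpus of common and breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin123"}

MIN_LENGTH = 8    # NIST draft: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # NIST draft: accept at least 64 characters
RUN = 4           # assumed threshold for "repetitive" or "sequential" runs

# Assumed pepper: in practice generated once and stored outside the database
# (HSM, secrets manager, config file with tight permissions), never beside the hashes.
PEPPER = bytes.fromhex("9d4b3e1c5a7f2b8e0c6d1a3f5e7b9d2c4a6e8f0b1d3c5a7e9f2b4d6c8a0e1f3d")


def normalize(secret):
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def _repetitive(secret, run=RUN):
    """True if any window of `run` characters is a single repeated character ('aaaa')."""
    return any(len(set(secret[i:i + run])) == 1 for i in range(len(secret) - run + 1))


def _sequential(secret, run=RUN):
    """True if any window of `run` characters is consecutive code points ('abcd', '4321')."""
    for i in range(len(secret) - run + 1):
        cps = [ord(c) for c in secret[i:i + run]]
        steps = {b - a for a, b in zip(cps, cps[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(candidate, username, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason). Deliberately imposes no character-class rules."""
    pw = normalize(candidate)
    n = len(pw)  # counted in code points, so each single-code-point emoji is one character
    if n < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if n > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    if pw.casefold() in {p.casefold() for p in blocklist}:
        return False, "appears in list of common or compromised passwords"
    if username and normalize(username).casefold() in pw.casefold():
        return False, "contains the user name"
    if _repetitive(pw):
        return False, "repetitive characters"
    if _sequential(pw):
        return False, "sequential characters"
    return True, "ok"


def _derive(secret, salt):
    # Memory-hard KDF with a per-user salt: makes an offline attack on a stolen
    # hash file expensive even for common passwords.
    return hashlib.scrypt(normalize(secret).encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(secret, pepper=PEPPER, salt=None):
    """Salt + scrypt, then HMAC with a pepper held outside the database.
    Without the pepper, a stolen salt/tag pair cannot even be verified offline."""
    salt = salt or os.urandom(16)
    tag = hmac.new(pepper, _derive(secret, salt), hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def verify_password(secret, record, pepper=PEPPER):
    expected = hmac.new(pepper, _derive(secret, record["salt"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["tag"])  # constant-time comparison


if __name__ == "__main__":
    for pw in ["password", "abcd7Q!zz", "correct horse battery staple", "🔒🔑🐶🍕🚀🌮🎉🎯"]:
        print(repr(pw), check_password(pw, "bob"))
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
```

Note what is absent as much as what is present: there is no expiry date on the record and no upper-case/digit/symbol requirement, so the only things standing between a user and a bad password are the blocklist and the pattern checks, which is exactly why the draft makes the blocklist screening mandatory rather than optional.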

A risk to digital evidence.
Forensics Tool Flaw Allows Hackers to Manipulate Evidence
A vulnerability in Guidance Software’s EnCase Forensic Imager forensics tool can be exploited by hackers to take over an investigator’s computer and manipulate evidence, researchers warned.  The vendor has classified the attack as an “edge case” and it does not plan on patching the flaw any time soon.
Guidance Software’s forensics products are used by governments, law enforcement agencies and private companies worldwide, including the U.S. Department of Justice, the Department of Homeland Security, the London Metropolitan Police Service, Microsoft, IBM, Apple and Facebook.
The company’s EnCase Forensic Imager is a standalone tool designed for acquiring forensic images of local drives, and for viewing and browsing potential evidence files.

Management is not aware?  Sounds familiar.  
A third of virtual servers are zombies
New research finds that 25% of all physical servers -- and 30% of all virtual servers -- are comatose.  These are systems that have no activity in the last six months.
   this latest research looked at virtual servers as well, and they may represent a significant cost to IT departments.
That's because users may be paying licensing fees on their virtual servers, as well as on the software they support, said the researchers.
Comatose servers, both virtual and physical, may also represent "an unappreciated security risk" because they aren't patched and maintained, according to the research paper by Jonathan Koomey, a research fellow at Stanford University, and Jon Taylor, a partner at the Athensis Group, a consulting firm.
   The problem may be one of motivation: IT managers aren't necessarily measured on how well they control costs. 

Does this make local law enforcement more “Federal?”  Will all states eventually have access? 
Joe Cadillic writes:
Letting police have access to everyone’s biometrics is asinine and the potential for abuse is astronomical.
Read more on MassPrivateI.

Facial recognition instead of door locks?  Open the doggie door for Fido, but not for raccoons? 
Lighthouse is an Andy Rubin-backed smart security camera that identifies people and pets
The team at Lighthouse, a startup out of Android co-founder Andy Rubin’s Playground accelerator, doesn’t see its new hardware product as a home security camera.  Instead, they see it as an “interactive assistant.”  But Lighthouse, at least at first, will definitely be perceived as another new entrant in the smart camera market.
The device, unveiled for the first time today, sits in the home just like a Nest Cam to monitor what’s going on indoors.  That’s where the overlap with Nest ends, however. Lighthouse incorporates deep learning and 3D-sensing technology to determine who is in the home, where they are inside, and if that’s a normal occurrence or not.  The camera pairs with a companion iOS / Android app over Wi-Fi, so users can determine remotely whether an intruder is in their house.  More innocuously, Lighthouse can also determine whether a dog’s been walked and send alerts when kids get home.  

So much for Privacy.
If you own an HP laptop or tablet you may have had every single thing you’ve typed on it logged and stored on your hard drive.  This is because, according to a report by security researchers, a keylogger has inadvertently been installed on a number of HP devices.  And it’s still there now.
Keystroke logging is a generally nefarious activity whereby someone monitors everything being typed onto a keyboard.  Keyloggers can be hardware- or software-based, and are difficult to detect.  Which is why it’s so unsettling to discover that one is installed on a number of HP devices.

(Related).  HP says, “Oops!”  Oh I feel so much more secure now!
HP says it has a fix for flaw that caused some PCs to log every keystroke
   A fix for 2016 models was released today via Windows Update, while a fix for 2015 models will be released tomorrow on both Windows Update and HP's Web site, HP Vice President Mike Nash told Axios.
Why it matters: Although HP never accessed the data and the logs weren't sent anywhere, just having them created a security threat.  The fix not only deletes the key-logging code but also the files that stored keystrokes.  (However, in theory customers using PC backup software might have copies elsewhere.)

Just a thought: Will insurance companies require heart sensors like this (and others in future) for everyone they insure? 
Study uses Apple Watch heart rate sensor to detect serious heart condition with 97% accuracy
   As part of ongoing research, a deep neural network was trained and paired with Apple Watch's heart rate sensor to automatically distinguish atrial fibrillation from normal heart rhythm in a pool of test patients.  Findings were presented at the Heart Rhythm Society's Heart Rhythm 2017 conference on Thursday.
To train the DNN, researchers collected data — 139 million heart rate measurements and 6,338 mobile ECGs — from 6,158 Cardiogram app users enrolled with the UCSF Health eHeart Study.
   "Our results show that common wearable trackers like smartwatches present a novel opportunity to monitor, capture and prompt medical therapy for atrial fibrillation without any active effort from patients," said the report's senior author Gregory M. Marcus, MD, MAS Endowed Professor of Atrial Fibrillation Research and Director of Clinical Research for the Division of Cardiology at UCSF.

Sobering Thoughts When a Connected Medical Device Is Connected to You

An IoT application.
Nectar Labs brings smart liquor tracking to the bar business
When a bartender pours too much liquor in a drink, or someone slips away with a bottle, it can take a toll on a drinking establishment’s bottom line.  So Nectar Labs has come up with a solution: the connected pourer and stopper.
It uses ultrasound technology and a software platform to precisely measure how much alcohol is left in a given bottle for automating inventory, managing shrinkage (theft or loss) and self-replenishing.  
   The Distilled Spirits Council trade group estimates that the bar business is worth $200 billion a year worldwide, and shrinkage is as much as $50 billion a year.
   The Nectar cap transfers data wirelessly to an app via Bluetooth.  Nectar’s caps and associated platform are designed to seamlessly fit a bar’s current operation.  The pourer and stopper continuously communicates with the app, keeping track of inventory in real time.  When a bottle is finished and replaced, Nectar automatically depletes it from inventory, and when inventory is running low, orders can be placed directly with distributors.

From Silicon Valley to Davos, pundits have been warning that millions of individuals will be thrown out of work by the rapid advance of automation and artificial intelligence.  As economic forecasts go, this idea of a robot apocalypse is certainly chilling.  It’s also baffling and misguided.
Baffling because it’s starkly at odds with the evidence, and misguided because it completely misses the problem: robots aren’t destroying enough...

Executive decisions:
Trump Wants ‘Goddamned Steam,’ Not Digital Catapults on Aircraft Carriers
Navy officials were “blindsided” on Thursday, a spokesman told me, by President Donald Trump’s suggestion that he has convinced the Navy to abandon a long-planned digital launching system in favor of steam on its newest aircraft carrier.

Oh my!
North Korea Angered With New Sanctions
In rare move, North Korea sends letter to U.S. House of Representatives about the latest round of sanctions as tensions between the countries continue to rise.

No doubt my students will be using this to waste the time they should be using to study!   
   the newest application of ML from Google, worldwide leaders in machine learning, isn’t to build a new Mars rover or a chatbot that can replace your doctor.  Rather, it’s a tool that anyone can use to generate custom emoji stickers of themselves.
   Starting today, when you pull up the list of stickers you can use to respond to someone, there’s a simple little option: “Turn a selfie into stickers.”  Tap, and it prompts you to take a selfie.  Then, Google’s image-recognition algorithms analyze your face, mapping each of your features to those in a kit illustrated by Lamar Abrams, a storyboard artist, writer, and designer for the critically acclaimed Cartoon Network series Steven Universe.
