Thursday, September 21, 2017

Is North Korea trading US stocks?
Hackers May Have Profited From SEC Corporate Filing System Attack
The vulnerability of governments and businesses to cyberattacks was exposed again Wednesday when a top U.S. financial regulator said hackers had breached its electronic database of market-moving corporate announcements, and may have profited from the information they stole.
The hack of an aspect of the U.S. Securities and Exchange Commission’s Edgar filing system occurred last year, the regulator said in a statement. While the SEC has been aware of the breach since 2016, it wasn’t until last month that the agency concluded that the cybercriminals involved may have used their bounty to make illicit trades. The regulator disclosed the intrusion for the first time Wednesday.
… The SEC didn’t say which companies may have been impacted by the 2016 intrusion. Chris Carofine, a spokesman for Clayton, declined to comment when asked what type of information was improperly accessed.

This is just poor training. Why would you have anyone type a URL when you could copy and paste?
Equifax tweets fake phishing site to concerned customers

It keeps getting more complicated for Equifax.

The credit agency's Twitter account tweeted links on Wednesday to a fake site pretending to be Equifax, further bungling the company's response to a massive hack that affected 143 million customers.
Equifax, like many companies, handles customer service and complaints through its Twitter account. But in tweets replying to people asking for help and more information, it occasionally directed them to ""
The domain, designed to look like a phishing site, was set up to criticize how the company handled the situation.
The official account tweeted links to the same site multiple times since September 9, two days after the breach was first announced. The links have been deleted, but screenshots show it was not a one-time flub.
It's easy to mistake the fake site for the real one: The company created it earlier this month to share information on the major data breach.
Security experts criticized Equifax's decision to use this domain and website because it looks a lot like a scam site. Soon after it launched, some browsers flagged it as a phishing site. Experts warned hackers could create similar websites and trick people into giving up personal information.

(Related). In humor, truth? A video for my Computer Security class.
Equifax F.A.Q.

An interesting follow-up! If you want to avoid detection, piggyback on software the target already uses and trusts. Very slick.
Attack on Software Firm Was Sophisticated, Highly Targeted
While initially shouting out loud that the compromise was addressed before any harm was done to users, Avast on Wednesday confirmed that this was in fact a highly targeted attack and that a secondary payload was executed on some of the impacted systems.
Analysis of the logs found on the C&C server revealed that 20 machines in a total of 8 organizations received the second-stage payload. However, the logs only covered just over three days, and the actual number of machines that received the payload could be in the hundreds, Avast says.
The security firm wouldn’t reveal the names of targeted organizations, but says that these were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This clearly means that most of the CCleaner users weren’t of interest to the attackers.

Another follow-up.
NotPetya cyber attack on TNT Express cost FedEx $300m
Falling victim to the Petya cyber attack cost FedEx around $300m during the last quarter of the financial year, the company has revealed in its latest earnings report.
Operations of FedEx's TNT Express unit in Europe were disrupted by the attack and the company previously warned that the financial cost of the incident was likely to be significant. But now, with the publication of its first quarter earnings, FedEx has revealed the cost of falling victim to Petya to be an estimated $300 million in lost earnings.
… While no data breach or data loss occurred as a result of Petya, the company previously warned that it may not be able to recover all of the systems affected by the cyber attack.

Technology restrained?
Court upholds Illinois biometrics law on use of facial scans
by Sabrina I. Pacifici on Sep 20, 2017
Fortune – “A federal judge this week delivered a key victory for customers who claim the digital scrapbook company Shutterfly violated their privacy by collecting scans of their faces without permission. In a 19-page opinion, U.S. District Judge Joan Gottschall rejected Shutterfly’s argument that an Illinois state law, which restricts how companies can use biometric data, should not apply.”

What could possibly go wrong?
Apparently Joe Cadillic and I aren’t the only ones who thought that a Ravens promo raised a lot of warning flags, although our concern wasn’t so much regulatory as privacy-oriented. Joe sent along this update:
Jeff Barker reports:
Massachusetts biotech firm still intends to give away DNA test kits to fans at a Ravens game this season, according to the team, but the promotion first must undergo scrutiny from a federal agency and the state.
The “DNA Day” event, scheduled for last Sunday’s Ravens-Cleveland Browns game at M&T Bank Stadium, was postponed after the federal Centers for Medicare & Medicaid Services raised questions with the state about approvals, state and federal officials said.
Read more on Baltimore Sun.
[From the article:
Fans attending the game were to receive test kits and, if they chose to participate, swab the inside of their cheek, drop the sample into a bin at the stadium and register with the company online to receive a free analysis.

Another example of, “Gee, maybe that algorithm isn’t perfect?” No doubt the FBI will be asking for a list of Amazon’s customers who purchased the suggested items...
Amazon ‘Reviewing’ Its Website After It Suggested Bomb-Making Items
Amazon said on Wednesday that it was reviewing its website after a British television report said the online retail giant’s algorithms were automatically suggesting bomb-making ingredients that were “Frequently bought together.”
The news is particularly timely in Britain, where the authorities are investigating a terrorist attack last week on London’s Underground subway system. The attack involved a crude explosive in a bucket inside a plastic bag, and detonated on a train during the morning rush.
The news report is the latest example of a technology company drawing criticism for an apparently faulty algorithm. Google and Facebook have come under fire for allowing advertisers to direct ads to users who searched for, or expressed interest in, racist sentiments and hate speech. Growing awareness of these automated systems has been accompanied by calls for tech firms to take more responsibility for the contents on their sites.

Kade N. Olsen and Craig A. Newman report on a court opinion in the D-Link case – a case that addresses some of the issues also raised in LabMD vs. FTC:
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
As we previewed earlier this year, the FTC filed suit against D-Link Systems, Inc. (“D-Link”), a company that manufactures and sells home networking devices. According to the FTC, D-Link failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key D-Link used with consumers to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.” These practices, the FTC maintained, were both (1) “deceptive” and (2) “unfair” under Section 5 of the FTC Act, 15 U.S.C. § 45.
Read more on Patterson Belknap Data Security Law Blog. Here’s the part that may give LabMD a smile or a “That’s what we think, too” nod:
But, the court ultimately found “merit” in D-Link’s argument that the FTC had failed to plead sufficiently that consumers had been injured. As followers of our LabMD coverage will recall, Section 5(n) of the FTC Act provides that the Commission cannot declare an act “unfair” unless, inter alia, that act “causes or is likely to cause substantial injury to consumers.”
The district court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.” It was not enough, Judge Donato held, that the FTC claimed that D-Link “put consumers at ‘risk.’” Without “concrete facts” of a “single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused in any way,” the unfairness claim depended on “wholly conclusory allegations” of “potential injury.”

I’m not sure I would go that far…
America needs Amazon more than Amazon needs America
… There may be blood in the water in Silicon Valley, but it isn’t coming from Amazon. The company’s stock is up roughly 30% this year, unperturbed by tepid financial results and the angry tweets of US president Donald Trump. Its business practices remain unfettered by federal regulators and seem unlikely to be criticized at the local and state level so long as HQ2 is on the auction block.
… As for the American public, why would they turn against Amazon? By one estimate, 85 million people, or roughly two-thirds of US households, are subscribers to Prime, Amazon’s $99-a-year membership program. They rely on it for everything from toilet paper to blenders to bluetooth speakers, spending an annual average of $1,300. Bezos wants Prime to be such a good deal “you’d be irresponsible not to be a member.” Put another way, that you’d be irresponsible not to like Amazon.

Perspective. Does the need to access technology now override security concerns?
Saudi Arabia to lift ban on internet calls
Saudi Arabia will lift a ban on internet phone calls, a government spokesman said, part of efforts to attract more business to the country.
All online voice and video call services such as Microsoft’s Skype and Facebook’s WhatsApp that satisfy regulatory requirements will become accessible at midnight (2100 GMT), Adel Abu Hameed, spokesman for the telecoms regulator CITC said on Twitter on Wednesday.
The policy reversal represents part of the Saudi government’s broad reforms to diversify the economy partly in response to low oil prices, which have hit the country’s finances.

Perspective. Think about this one. Your camera ‘knows’ when you are taking a picture of a cake or a bird. Perhaps it will rat you out to Mom & Dad when you start Sexting?
Facebook's New 'AI Camera' Team Wants to Add a Layer to the World
Take a video of a birthday cake’s candles sparkling in an Instagram story, then tap the sticker button. Near the top of the list you’ll see a slice of birthday cake.
It’s a little thing. This simple trick is not breathtaking nor magical. But it is the beginning of something transformative. Smartphones already changed how most people take pictures. The latest Silicon Valley quest is to reimagine what a camera is, applying the recent progress in artificial intelligence to allow your phone to read the physical world as easily as Google read the web.
… The AI Camera team is responsible for giving the cameras inside these apps an understanding of what you’re pointing them at. In the near future, your camera will understand its location, recognize the people in the frame, and be able to seamlessly augment the reality you see.

Researchers at the University of Nottingham and Kingston University have created an algorithm that can translate any front-facing 2D photo into a bizarrely realistic 3D image.
… You can play around with the tool for yourself online. The researchers kindly provide a few photos for you to test out, and you can also upload a photo of yourself to try.

For my Computer Security students.
Preventing and Responding to Identity Theft
by Sabrina I. Pacifici on Sep 20, 2017
You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans. The Internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The Internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals…”

For all my students.

For my cable cutting students.

Interesting App. What could similar Apps do for my students? Read their textbooks, for example?
LC – An App to Answer Your Questions about the Constitution
by Sabrina I. Pacifici on Sep 20, 2017
Margaret M. Wood, legal reference librarian in the Law Library. “Two years ago, in honor of Constitution Day—celebrated annually on September 17—I wrote a post about the publication “Constitution of the United States: Analysis and Interpretation,” also referred to as the “Constitution Annotated.” Along with the U.S. Code, it is one of my favorite work resources. Unfortunately, it is a behemoth of a work—it takes two hands to hold the volume, which weighs a good 10 pounds. Fortunately, the text is also available online through and through the U.S. Government Publishing Office, whose digital system includes both the most recent edition (2016) as well as historic editions back to 1992. But given my penchant for bringing work topics into social situations, even the online version is not very practical. I cannot, very easily, fire up the computer during a conversation at a dinner or cocktail party. However, fortunately for me, there is an app for the “Constitution Annotated.” It debuted in 2013, when was still in beta, and has since been updated…”
[From the App description:
This app:
- Delivers the full text of “Constitution of the United States of America: Analysis and Interpretation”
- Contains a clause-by-clause discussion of the entire Constitution
- Discusses all Supreme Court cases and selected historical documents relevant to interpreting the Constitution
- Lists all federal, state, and local laws struck down by the Supreme Court, and all cases where the Court overturned its prior precedent
- Contains a table of contents, table of cases, and an index
