Wednesday, September 06, 2017

So, who would benefit? Russia? North Korea? China? Iran? Syria?
Hackers Gain ‘Switch-Flipping’ Access to US Power Grid Control Systems
Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.
Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ networks. And at a handful of US power firms and at least one company in Turkey—none of which Symantec will name—their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.
… The only comparable situations, he says, have been the repeated hacker attacks on the Ukrainian grid that twice caused power outages in the country in late 2015 and 2016, the first known hacker-induced blackouts.

If you missed all the stories about hacking MongoDB, the hackers thank you for you ignorance.
Liam Tung reports:
Three groups of hackers have wiped around 26,000 MongoDB databases over the weekend and demanded victims to pay about $650 to have them restored.
The new wave of MongoDB ransom attacks marks a resurgence of the massive assault on unsecured instances of the open-source NoSQL database earlier this year. The attacks were discovered by security researchers Victor Gevers and Niall Merrigan.
The current attacks are being tracked by Gevers and fellow researcher Dylan Katz. According to the ‘MongoDB ransacking’ Google Docs spreadsheet that the pair are updating, one group using the address ‘’ has ransacked over 22,000 MongoDB instances.
Read more on ZDNet.

Weak protection for social media users.
If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have compromised in a massive data breach that leaked login details of almost all of its over 28 million users.
… The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users.
The hashed passwords use an ageing algorithm called MD5 – which has been considered outdated even before 2012 – that can easily be cracked, making Taringa users open to hackers.
Wanna know how weak is MD5? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days.

This will likely generate more headlines and news articles than attacks on the power grid. Did they learn to cheat from the Patriots?
Boston Red Sox Used Apple Watches to Steal Signs Against Yankees
For decades, spying on another team has been as much a part of baseball’s gamesmanship as brushback pitches and hard slides. The Boston Red Sox have apparently added a modern — and illicit — twist: They used an Apple Watch to gain an advantage against the Yankees and other teams.
Investigators for Major League Baseball have determined that the Red Sox, who are in first place in the American League East and very likely headed to the playoffs, executed a scheme to illicitly steal hand signals from opponents’ catchers in games against the second-place Yankees and other teams, according to several people briefed on the matter.
The baseball inquiry began about two weeks ago, after the Yankees’ general manager, Brian Cashman, filed a detailed complaint with the commissioner’s office that included video the Yankees shot of the Red Sox dugout during a three-game series between the two teams in Boston last month.
The Yankees, who had long been suspicious of the Red Sox’ stealing catchers’ signs in Fenway Park, contended the video showed a member of the Red Sox training staff looking at his Apple Watch in the dugout. The trainer then relayed a message to other players in the dugout, who, in turn, would signal teammates on the field about the type of pitch that was about to be thrown, according to the people familiar with the case.
Baseball investigators corroborated the Yankees’ claims based on video the commissioner’s office uses for instant replay and broadcasts, the people said. The commissioner’s office then confronted the Red Sox, who admitted that their trainers had received signals from video replay personnel and then relayed that information to Red Sox players — an operation that had been in place for at least several weeks.
… Stealing signs is believed to be particularly effective when there is a runner on second base who can both watch what hand signals the catcher is using to communicate with the pitcher and can easily relay to the batter any clues about what type of pitch may be coming. Such tactics are allowed as long as teams do not use any methods beyond their eyes. Binoculars and electronic devices are both prohibited.

(Related) Besides, Cory Doctorow is one of my favorite writers. An article worth reading!
Cheating is a given.
Inspectors certify that gas-station pumps are pumping unadulterated fuel and accurately reporting the count, and they put tamper-evident seals on the pumps that will alert them to attempts by station owners to fiddle the pumps in their favor. Same for voting machines, cash registers, and the scales at your grocery store.
The basic theory of cheating is to assume that the cheater is ‘‘rational’’ and won’t spend more to cheat than they could make from the scam: the cost of cheating is the risk of getting caught, multiplied by the cost of the punishment (fines, reputational damage), added to the technical expense associated with breaking the anti-cheat mechanisms.
Software changes the theory. Software – whose basic underlying mechanism is ‘‘If this happens, then do this, otherwise do that’’ – allows cheaters to be a lot more subtle, and thus harder to catch. Software can say, ‘‘If there’s a chance I’m undergoing inspection, then be totally honest – but cheat the rest of the time.’’
This presents profound challenges to our current regulatory model: Vegas slot machines could detect their location and if they believe that they are anywhere near the Nevada Gaming Commission’s testing labs, run an honest payout. The rest of the time, they could get up to all sorts of penny-shaving shenanigans that add up to millions at scale for the casino owners or the slot-machine vendors (or both).
… The most famous version of this is Volkswagen’s Dieselgate scandal, which has cost the company billions (and counting): Volkswagen engineered several models of its diesel vehicles to detect when the engine was undergoing emissions testing and to tilt the engines’ performance in favor of low emissions (which also meant more fuel consumption). The rest of the time, the engines defaulted to a much more polluting mode that also yielded better gas mileage. Thus the cars were able to be certified as low-emissions by regulators and as high efficiency by reviewers and owners – having their cake and eating it too.

Do you really need AI to point out information that should already be in your reports? Perhaps you just need to read the reports!
Banks Testing IBM's AI Tech for Employee Surveillance
Lenders asked International Business Machines Corp. if it were possible to use the technology to also watch retail-banking salespeople, loan officers and other workers, according to Marc Andrews, a manager on the company’s Watson financial services team. Several of the biggest U.S. banks, as well as some regional banks, are testing the software, Andrews said. He declined to name them.
IBM trained Watson to collect information that could’ve helped detect problems at Wells Fargo, which said last week that employees opened as many as 3.5 million bogus checking and credit-card accounts for unsuspecting customers, even more than its original estimate when the scandal broke last year. Watson looks for suspicious logon patterns, unusual levels of unused products or accounts with mismatched contact information or email notifications that have been switched off, Andrews said. The artificial intelligence program, which understands human language, sifts through employee emails for trends such as managers pressuring workers to make sales, he said.
“Banks hadn’t been investing as much into this area until there was a big incident last year,” Andrews said, referring to the Wells Fargo scandal. “Right now, they know right away if an ATM is broken. But if there are trends emerging like a lot of people complaining about an account being opened that they weren’t aware of, how quickly does that surface up to the executives?”
… Some correlations aren’t obvious. In the U.S., a trader’s use of profanity drops shortly before an episode of misconduct, Andrews said, as “maybe they’re trying to be a little more careful.” But in the U.K., traders tend to curse more before committing misdeeds.

What is a fair balance? Answering a child's text message is certainly Okay. Binge watching 'Game of Thrones' probably not.
Europe Court Backs Employee Fired Over Private Messages
Europe's top rights court on Tuesday restricted the ability of employers to snoop on their staff's private messages, in a landmark ruling with wide ramifications for privacy in the workplace.
The highest body of the European Court of Human Rights (ECHR) ruled in favour of a 38-year-old Romanian man who claimed his rights had been violated when he was sacked in 2007 for sending private chat messages in the office.
In a first ruling in January last year, the ECHR found that the snooping was allowed because employers were justified in wanting to verify "that employees were completing their professional tasks during working hours".
But in a review, the 17 most senior judges at the court based in Strasbourg, France, found Tuesday that Romanian courts "had not adequately protected Mr Barbulescu's right to respect for his private life and correspondence".
In a written judgement, backed by 11 votes to six, they found that previous court rulings had "failed to strike a fair balance between the interests at stake", namely the company's right to check on employees and employees' right to privacy.
The judges also found that "an employer's instructions could not reduce private social life in the workplace to zero", meaning that some use of the internet at work for personal reasons was justified.
The ruling will become law in the 47 countries that have ratified the European Convention on Human Rights, meaning some members will have to adjust their national legislation.

Marketing vs Reality? Do managers ever check this stuff?
Facebook’s Ad Metrics Come Under Scrutiny Yet Again
Facebook's advertising metrics have again been called into question, after Pivotal Research Group senior analyst Brian Wieser pointed out a large discrepancy between U.S. census data and the potential reach that the social network promises advertisers.
On Tuesday, Wieser issued a note pointing out that Facebook's Adverts Manager tool promises a potential reach of 41 million 18-24 year-olds in the U.S., while recent census data said there only 31 million people living in the U.S. within that age range.
For 25-34 year-olds, Facebook claims a potential reach of 60 million, versus the 45 million people counted in the census last year.

No comments: