Tuesday, December 19, 2017
Another failure to change the defaults.
California Voter Data Stolen from Insecure MongoDB Database
An improperly secured MongoDB database has provided cybercriminals with the possibility to steal information on the entire voting population of California, Kromtech security researchers reported.
The information was taken from an unprotected instance of a MongoDB database that was exposed to the Internet, meaning that anyone connected to the web could have accessed, viewed, or edited the database’s content.
Named 'cool_db', the database contained two collections, one being a manually crafted set of voter registration data for a local district, while the other apparently included data on the voting population from the entire state of California: a total of 19,264,123 records.
Bob Diachenko, head of communications, Kromtech Security Center, explains that the security firm was “unable to identify the owner of the database or conduct a detailed analysis.” It appears that the database has been erased by cybercriminals who dropped a ransom note demanding 0.2 Bitcoin for the data.
Given the presence of said ransom note, the incident is believed to be related to the MongoDB ransack campaign that resulted in tens of thousands of databases being erased in January 2017. Similar attacks were observed in September as well, when MongoDB decided to implement new data security measures.
… Kromtech's security researchers haven’t determined who compiled the voter database but believe that a political action committee might have been behind it, given the unofficial name the repository had.
… The researchers note that the database has been taken down after being initially discovered in early December. The Secretary of State of California was aware of the leak and “looking into it,” Diachenko said.
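As an added illustration (not from the article or from Kromtech's report), the two mongod.conf settings behind the "failure to change the defaults": an exposed configuration of the kind this incident describes beside a hardened one. The private interface address and the layout of the two files are assumptions; the cool_db server's real configuration is not known.

```yaml
# Exposed: what an older mongod effectively ran with when started without
# a configuration file (constructed illustration; newer releases default
# bindIp to localhost, but an explicit 0.0.0.0 reproduces the old behaviour)
net:
  port: 27017
  bindIp: 0.0.0.0           # listens on every interface, the Internet included
security:
  authorization: disabled   # any client that can connect may read, edit or drop collections

---
# Hardened: what the same file should contain before the process is ever started
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private interface the application uses
                               # (10.0.0.5 is a placeholder address)
security:
  authorization: enabled       # every connection must authenticate before touching data
```

With authorization enabled, create the first administrative user from a localhost connection with db.createUser() before the port is reachable from anywhere else; MongoDB's localhost exception permits exactly that one bootstrap step on a server with no users yet.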
Smarter criminals will be monitoring Police social media accounts.
Australia Police Accidentally Broadcast Arrest Plans on Social Media
Australian police accidentally broadcast on social media details of an operation to arrest a suspected North Korean agent -- three days before he was taken into custody, media reported Wednesday.
The Sydney-based man, described by authorities as a "loyal agent of North Korea", was arrested on Saturday and charged with trying to sell missile parts and technology on the black market to raise money for Pyongyang in breach of international sanctions.
But a minute of conversation about the case between federal police officers, including the timing of the arrest, was broadcast on Periscope Wednesday and linked to on Twitter, The West Australian reported Tuesday.
The newspaper said it had listened to the discussion, which included a suggestion that officers are "not going in all guns blazing, it's only half-a-dozen people and a forensic van".
The paper added that while the tweet was deleted, the broadcast remained live – and was watched by 40 people – before it was also removed after the publication alerted federal police.
… Federal police confirmed part of a conversation was mistakenly broadcast via its Periscope account while "testing a piece of social media broadcasting equipment". [This is another reason why you should NEVER test with live data. Bob]
For my Computer Security students, who understand that “official” isn’t always the same as “true.”
It’s Official: North Korea Is Behind WannaCry
Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.
Another topic for my Computer Security class.
Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR
Wachter, Sandra, Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR (December 6, 2017). Available at SSRN: https://ssrn.com/abstract=3083554
“In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user’s devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users’ identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.”
(Related). And here’s why that is important.
Cybersecurity can cause organizational migraines. In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018. Even Congress is acting more quickly to pass laws that will — hopefully — improve the situation.
Despite increased spending and innovation in the cybersecurity market, there is every indication that the situation will only worsen. The number of unmanaged devices being introduced onto networks daily is increasing by orders of magnitude, with Gartner predicting there will be 20 billion in use by 2020. Traditional security solutions will not be effective in addressing these devices or in protecting them from hackers, which should be a red flag, as attacks on IoT devices were up 280% in the first part of 2017. In fact, Gartner anticipates a third of all attacks will target shadow IT and IoT by 2020.
This new threat landscape is changing the security game. Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.
The government goes to Facebook (and other social media) because “That’s where the data is!”
Governments are asking Facebook for a lot more user account data
The number of user data requests Facebook received from governments around the world in the first half of 2017 reached an all-time high of 78,890, up 21 percent on the 64,279 requests it received in the second half of 2016.
The social network revealed the figure in its Transparency Report covering January to June 2017. Previously it was called the Government Requests Report, but it's since been renamed as it now also includes data regarding intellectual property requests.
The largest source of user data requests came from the US, where the government served Facebook 32,716 requests for data from 52,280 accounts.
Might be an interesting topic for a Data Management paper.
The Supreme Court Should Heed Friendly Advice on Microsoft Ireland
A slew of interesting amicus briefs were filed in the Microsoft Ireland case last week. They include independent briefs (meaning not for either party) by the United Kingdom, Ireland, European Commission (EC) and more. Not surprisingly, 36 state governments also filed in support of the United States, reminding the court of the many difficulties faced in accessing sought-after evidence that have resulted from the Second Circuit ruling, and urging reversal as a result.
Of the many issues raised, one of the most interesting – and still unresolved – is the question as to whether and in what situations a decision in favor of the U.S. government will generate a conflict of laws. The issue is at the heart of the Irish government and EC briefs. It is also raised in the brief of the New Zealand Privacy Commissioner. But despite the extensive amount of ink spent on the matter, the answers remain murky – as is the reality. The actual answer: It depends.
Given that reality, the e-Discovery Institute’s brief is particularly notable – and one that I hope that Court takes into account.
Monopoly is getting harder to define.
Germany Says Facebook Abuses Market Dominance to Collect Data
Germany’s top antitrust enforcer opened a new front against big tech firms on Tuesday when it said the way Facebook Inc. harvests user data constitutes an abuse of market dominance.
In what lawyers call a novel use of competition law, Germany’s Federal Cartel Office published preliminary investigative findings Tuesday that accuse Facebook of abusing its power as the dominant social network in Germany to strong-arm users into allowing it to collect data about them from third-party sources, like websites with “like” buttons.
(Related) What social media is really “dominant”?
Snapchat is still the network of choice for U.S. teens — and Instagram is Facebook’s best shot at catching up
Some good news for Snap: Despite its sluggish business and slumping stock price, Snapchat still dominates among teenagers, a core demographic that represents the future wave of internet consumers and what they care about.
RBC Capital published the latest update to its regular social media survey this week, and a few things stood out — especially in the battle over teenagers, where Snapchat, Instagram and Facebook are all fighting for the next generation’s attention.
So, could there be Trump videos in our future?
Bloomberg’s TicToc 24/7 news channel launches as Twitter doubles down on live video
… Starting at 8 a.m. on the East Coast, Bloomberg begins broadcasting TicToc, a 24/7 news channel that exists solely on Twitter.
The landing page for TicToc marries a video livestream with a curated Twitter stream. In essence, it combines the second-screen experience many have hacked together over the years as they watch big events like the Super Bowl or the Oscars. Live TV viewing has long been one of Twitter’s most popular use cases, and over the past year the company has sought to integrate that experience into its platform.
Something to amuse my geeky friends.
Paper Signals - Build Physical Objects to Control With Your Voice
Paper Signals is a neat resource produced by Google that could prove to be a fun way to provide students with hands-on programming experience. Paper Signals is a set of templates that students can follow to program physical objects to respond to voice commands.
There are some physical products that you will need to have on hand in order to use Paper Signals. You may already have the necessary items in your school. First, you'll need a printer to print a template (you'll be folding and cutting paper). Second, you're going to need a small circuit board, some wires/cables, and a bit of glue. If you don't want to source those items yourself, you can buy a little kit for less than $25.
Just like social media users?
Because this is important enough to catch the attention of one of the best statistics websites? No, it’s important because I’m a fan.
… I consulted the most comprehensive archival material related to “Star Wars.” No, not the archives of Jocasta Nu in the heart of the Jedi Temple. I’m talking about Wookieepedia, one of the best-maintained databases on anything and everything Star Wars. We pulled the color of every lightsaber described in “Star Wars” — that’s the chart you see above. That comes out to 132 unique lightsabers with a known blade color. (Even Darksaber.)