Saturday, January 14, 2017
I’m going to need more information (and some legal advice) for this one to make sense. How is writing a key logger illegal? Or is selling software illegal?
Lorenzo Franceschi-Bicchierai reports:
A 21-year-old from Virginia pleaded guilty on Friday to writing and selling custom spyware designed to monitor a victim’s keystrokes.
Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.
Read more on Motherboard.
Today’s theme seems to be cheating and fraud. Here’s hoping my students can learn from the failure of others.
Here’s How Much Wells Fargo’s Fake Accounts Scandal Is Hurting the Bank
The first real indications of how Wells Fargo's phony accounts scandal is impacting its business are in, and they aren't pretty.
Wells Fargo reported financial results Friday from the fourth quarter of 2016, the first complete period since the bank's employees were caught opening millions of fake accounts for unwitting customers. After eliminating aggressive sales quotas that were blamed for the fraudulent behavior, Wells Fargo is now struggling to attract new business and grow revenue. The bank said it plans to close at least 400 branches by the end of 2018—a departure from the past several years in which it rapidly opened new locations even as other banks shuttered their own.
There were signs that the sham account scandal had scared potential customers away from Wells Fargo, according to metrics the company reported along with its financial earnings.
… For the first time, Wells Fargo also put specific figures on how much the fallout from the fake accounts fiasco is costing it in legal fees and other expenses. The bank expects to spend an additional $40 million to $50 million per quarter this year on lawyers as well as on other third parties it is commissioning—in some cases at the mandate of government regulators—to conduct independent reviews of its sales practices.
Is cheating a “Best Practice” in the EU? Stay tuned for the answer!
Diesel emissions inquiries widen to Renault and Fiat
European carmakers were drawn into a widening probe of diesel emissions testing on Friday, with French prosecutors examining Renault and British authorities seeking answers from Fiat Chrysler Automobiles NV.
… Shares in Renault fell more than 4 percent to their lowest level in around a month after a source at the Paris prosecutor's office said it had launched a judicial investigation into possible cheating on exhaust emissions at the French carmaker.
Another example of ‘disintermediation’ for my Data Management students.
Life Insurers Draw on Data, Not Blood
Life insurers are making it easier to get policies online, often waiving medical exams and instead relying on digital prescription-drug, motor-vehicle and other records.
We don’t need banks? Would this work in the US?
Cellphones have lifted hundreds of thousands of Kenyans out of poverty
In Kenya, a so-called “mobile money” system allows those without access to conventional bank accounts to deposit, withdraw, and transfer cash using nothing more than a text message.
It turns out that using cell phones to manage money is doing more than just making life more convenient for the Kenyans who no longer have to carry paper notes. It’s also helping pull large numbers of them out of poverty.
That’s the central finding of a new study published in Science Thursday, which estimated that access to M-PESA, the country’s most popular mobile money system, lifted hundreds of thousands of Kenyans above the poverty line.
“Amazon made me do it!”
Walmart to ramp up ecommerce drive
Walmart is beginning the next stage of its plan to overhaul its ecommerce operations, as online chief Marc Lore sets about integrating key elements of its internet business with Jet.com to further reduce prices and compete better against Amazon.
Mr Lore was made head of online operations at the world’s largest retailer when it bought Jet.com last September for $3.3bn.
… A key motivation behind Walmart’s Jet.com acquisition was to secure the online expertise of Mr Lore and his executives that it was lacking internally.
… Walmart is also working towards using Jet.com’s proprietary system of “basket economics”, whose technology automatically changes the final cost of a customer’s online purchases based on the type of payment used, number of items bought and where those items are being distributed from.
New York cabbies could use this too!
Language learning app busuu teams up with Uber for English course for drivers
Language learning app busuu has announced a partnership with Uber to offer free English language lessons for its drivers in London.
Another resource for my geeks. Add encryption and a few other bells and whistles and this might be worth using!
App.net, the social network that promised to beat Twitter at its own game, is shutting down. App.net will cease to exist on March 15th, 2017. However, the code at the heart of the site will be open-sourced, enabling someone else to take on the challenge of battling Twitter. Maybe.
… Caldwell and Berg are keeping the spirit of the site alive by open-sourcing the code behind App.net. This will all be available on the App.net GitHub page, and may inspire someone, somewhere to try something similar.
It looks like Trump has started a new industry: Trump Watching
We’re launching a regular series tracking President-elect Donald Trump’s adherence, or lack thereof, to democratic norms. These norms are not necessarily legally required, but help make up the fabric that holds together broader democratic values, such as accountability and the rule of law. Our aim is to provide a digestible breakdown of when and how Trump administration policy and actions diverge from custom, practice, and precedent in politics and law.
Dilbert defines “Fairness.”
Friday, January 13, 2017
Who would want to hack the hackers? (Pretty much everyone.)
Mobile Forensics Firm Cellebrite Hacked
A hacker claims to have stolen hundreds of gigabytes of data from Cellebrite, the Israel-based mobile forensics company rumored to have helped the FBI hack an iPhone belonging to the terrorist Syed Rizwan Farook.
Vice’s Motherboard reported that an unnamed hacker breached Cellebrite’s systems and managed to steal 900 GB of data, including customer usernames and passwords, databases, data collected by the company from mobile devices, and other technical information.
The stolen files were reportedly traded in some IRC chat rooms, but the hacker claimed he had not leaked the data to the public. The motives of the attack are unclear, but the hacker apparently decided to disclose the breach as a result of changes in surveillance legislation and the “recent stance taken by Western governments.”
Motherboard said the data provided by the hacker appeared to be legitimate and Cellebrite confirmed that one of its external servers had been accessed by an unauthorized party. The company has launched an investigation, but its initial analysis suggests that the attacker breached a server storing a legacy database backup of my.Cellebrite, the firm’s end-user license management system.
For my Ethical Hacking students.
Suspected NSA tool hackers dump more cyberweapons in farewell
… The Shadow Brokers' latest dump includes 61 files, many of which have never been seen before by security firms, said Jake Williams, founder of Rendition InfoSec, a security provider.
Williams has been examining the tools, and said it will take time to verify their capabilities. His initial view is that they’re designed for detection evasion.
For instance, one of the tools is built to edit Windows event logs. Potentially, a hacker could use the tool to selectively delete notifications and alerts in the event logs, preventing victims from realizing they’ve been breached, he said.
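A check worth keeping at hand for the tool Williams describes, added here as an example and not taken from the article or from the dump itself: the Windows event log service numbers records sequentially within each log (EventRecordID), so if records are taken out one at a time the surviving sequence skips numbers. The script below walks a constructed extract and reports the holes, alongside the two noisy “log cleared” events. It assumes whole records disappear; the article does not say how the tool operates, and a hole is only a lead until it is checked against a forwarded copy of the same log.

```python
"""Look for selectively removed Windows event-log records.

Added example, not code from the article or from the dump it describes.
The event log service numbers records sequentially per log (EventRecordID),
so a record that is removed or hidden leaves a hole in the surviving
sequence. Assumption: the editing tool takes out whole records; the article
does not say how it works, and a hole is a lead to confirm against a
forwarded copy of the same log, not proof by itself."""

from collections import namedtuple

Record = namedtuple('Record', 'record_id time_created event_id')

# Constructed extract of a Security log; records 4103 and 4104 are absent.
SAMPLE_RECORDS = [
    Record(4100, '2017-01-13T09:12:01', 4624),   # logon
    Record(4101, '2017-01-13T09:12:02', 4672),   # special privileges assigned
    Record(4102, '2017-01-13T09:12:05', 4688),   # process creation
    Record(4105, '2017-01-13T09:12:30', 4688),
    Record(4106, '2017-01-13T09:13:00', 4634),   # logoff
]


def find_gaps(records):
    """Return (last_id_before, first_id_after, records_missing) for each hole
    in the sorted EventRecordID sequence."""
    ids = sorted(r.record_id for r in records)
    return [(prev, cur, cur - prev - 1)
            for prev, cur in zip(ids, ids[1:]) if cur - prev > 1]


def find_log_clears(records):
    """The service's own notice of wholesale clearing: 1102 in the Security
    log, 104 in the System log for the other logs. Selective editing produces
    neither, which is why find_gaps exists."""
    return [r for r in records if r.event_id in (1102, 104)]


def audit(records):
    """Both checks in one report; an empty 'gaps' list and an empty 'clears'
    list is the quiet case."""
    return {'gaps': find_gaps(records), 'clears': find_log_clears(records)}


if __name__ == '__main__':
    print(audit(SAMPLE_RECORDS))
```

Run it over an export (for instance `wevtutil qe Security /f:xml`, or a SIEM query) after mapping the fields onto Record. A log that has wrapped because of its size limit loses records from the oldest end, not from the middle, so a hole inside the range is the case to chase.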
But all iPhone users know this, right?
There's a hidden map in your iPhone of everywhere you've been
There's a feature on your iPhone that tracks your frequent locations on a map and logs the times you arrived and departed. Here's how to access it and turn it off, in case this freaks you out.
Steps my Computer Security students may want to take.
Microsoft Launches Privacy Dashboard
… To take advantage of the dashboard, users simply need to log in with their Microsoft accounts, then head to account.microsoft.com/privacy to review the collected data and clear it if they want to.
An interesting approach. (If “Separate” is invulnerable, go after the “Equal” bit.)
Kate Martin reports:
Public records advocate Arthur West has filed a lawsuit against the city of Tacoma.
This time, West says he wants access to more information about the Tacoma Police Department’s use of a controversial piece of surveillance equipment called a cell site simulator, commonly known by the brand name Stingray.
In his December filing, though, West says the police’s device interferes with cellphone signals without a license from the Federal Communications Commission, the federal agency that regulates the use of the airwaves.
West, an Olympia resident who says he travels frequently to Tacoma, wrote in his filing that the Tacoma Police Department’s use of the Stingray prevents him and others from calling 911 in an emergency.
Read more on The News Tribune.
I’m going to go with, “Why not? Big Brother is inevitable.” I would also question if access to “raw” data is the best way to go. Who will turn that into usable intelligence?
Why Is Obama Expanding Surveillance Powers Right Before He Leaves Office?
On Thursday, the Obama administration finalized new rules that allow the National Security Agency to share information it gleans from its vast international surveillance apparatus with the 16 other agencies that make up the U.S. intelligence community.
With the new changes, which were long in the works, those agencies can apply for access to various feeds of raw, undoctored NSA intelligence.
Sadly, only one in Colorado.
The CSO guide to top security conferences
… From major events to those that are more narrowly focused, this list from the editors of CSO, will help you find the security conferences that matter the most to you.
We’ll keep it updated with registration deadlines and new conferences so check back often.
Cyber Security Training & Technology Forum (CSTTF)
August 30 - 31, 2017
Colorado Springs, Colorado
For my Data Management students. Now everything (100%) must work perfectly. Was the infrastructure ready?
India’s Digital ID Rollout Collides With Rickety Reality
… The system, which relies on fingerprints and eye scans to eventually provide IDs to all 1.25 billion Indians, is also expected to improve the distribution of state food and fuel rations and eventually facilitate daily needs such as banking and buying train tickets.
But Mr. Prakash couldn’t confirm his customers’ identities until he dragged them to a Java plum tree in a corner of his village near New Delhi’s international airport. That was the only place to get the phone signal needed to tap into the government database.
… But the technology is colliding with the rickety reality of India, where many people live off the grid or have fingerprints compromised by manual labor or age.
… Iris scans are meant to resolve situations where fingerprints don’t work, but shops don’t yet have iris scanners.
… Ajay Bhushan Pandey, chief executive of the government agency that oversees Aadhaar, said kinks will be ironed out as the system is used, as is the case with software rollouts. It works 92% of the time, and that will rise to 95%, he said.
I’ll add this to my RSS feed, assuming this isn’t a false news report.
the guardian – BBC sets up team to debunk fake news
by Sabrina I. Pacifici on Jan 12, 2017
“The BBC is to assemble a team to fact check and debunk deliberately misleading and false stories masquerading as real news. Amid growing concern among politicians and news organisations about the impact of false information online, news chief James Harding told staff on Thursday that the BBC would be “weighing in on the battle over lies, distortions and exaggerations”. The plans will see the corporation’s Reality Check series become permanent, backed by a dedicated team targeting false stories or facts being shared widely on social media. “The BBC can’t edit the internet, but we won’t stand aside either,” Harding said. “We will fact check the most popular outliers on Facebook, Instagram and other social media. “We are working with Facebook, in particular, to see how we can be most effective. Where we see deliberately misleading stories masquerading as news, we’ll publish a Reality Check that says so…”
These don’t all work yet.
Pew Fact Sheets – Evolution of Technology
by Sabrina I. Pacifici on Jan 12, 2017
A new set of fact sheets can be used as a one-stop shop for anyone looking for information on digital technology trends. Record shares of Americans now own smartphones, have home broadband. January 12, 2017.
For my Raspberry Pi geeks: I want the Harry Potter newspaper!
Raspberry Pi roundup: Read all about it, in today’s Daily Prophet online
Appropriately, then, for the first Raspberry Pi roundup after the festive season, we’ve got a copy of the Daily Prophet that does what a wizarding newspaper is supposed to do, thanks to the technical wizardry of Piet Rullens.
Rullens turned a trip to the Harry Potter theme park in Orlando into an attractively designed and authentic-looking Daily Prophet poster, thanks to a cunningly placed Raspberry Pi 3 and some skillful cutting. An IR distance sensor, when tripped, fires up the screen, which plays a clip of Rullens at the amusement park.
For my students who still have a hard time believing that large companies don’t always show a profit.
Lyft lost $600 million last year, but it's making progress in its ride-hailing war with Uber
Lyft lost $600 million in 2016 in its battle with Uber for ride-hailing dominance, according to leaked financial data obtained by The Information's Amir Efrati.
While that loss seems staggering, things are looking up for Lyft: the $5.5 billion startup generated $700 million in revenue last year, The Information reports.
Thursday, January 12, 2017
China does it now and the US has the technology but will never do it? Somehow that doesn’t compute.
Big Brother collecting big data — and in China, it's all for sale
Living in China, it's safe to assume pretty much everything about you is known — or easily can be known — by the government. Where you go, who you're with, which restaurants you like, when and why you see your doctor.
… "You could go so far as to make the argument that social media and digital technology are actually supporting the regime," says Ronald Deibert, the director of The Citizen Lab, a group of researchers at the University of Toronto's Munk School of Global Affairs. They study how information technology affects human and personal rights around the world.
… An investigation by a leading Chinese newspaper, the Guangzhou Southern Metropolis Daily, found that just a little cash could buy incredible amounts of information about almost anyone. Friend or fiancé, business competitor or enemy … no questions asked.
Joe Cadillic gets so excited when someone else posts something that he’s been going on about for ages.
In August, Joe recognized that DHS offering extra security for elections by declaring the election process as “critical infrastructure” had the potential to expand DHS’s power waaaay too much.
Of course, the government sees it differently and as a Good Thing. As AP reported this past week:
Citing increasingly sophisticated cyber bad actors and an election infrastructure that’s “vital to our national interests,” Homeland Security Secretary Jeh Johnson is designating U.S. election systems critical infrastructure, a move that provides more federal help for state and local governments to keep their election systems safe from tampering.
“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” Johnson said in a statement Friday. He added: “Particularly in these times, this designation is simply the right and obvious thing to do.”
But what does this involve? Although it seems to give DHS more responsibility, do local election boards have any added responsibility to ensure the fairness of the election process? It turns out that entities who get tagged as “critical infrastructure” – including storage facilities, polling places and vote tabulation locations, plus technology involved in the process, including voter registration databases, voting machines and other systems used to manage the election process and report and display results – don’t have to participate.
But perhaps one of the most concerning parts of this all is that:
The designation allows for information to be withheld from the public when state, local and private partners meet to discuss election infrastructure security — potentially injecting secrecy into an election process that’s traditionally and expressly a transparent process. U.S. officials say such closed door conversations allow for frank discussion that would prevent bad actors from learning about vulnerabilities. DHS would also be able to grant security clearances when appropriate and provide more detailed threat information to states.
That secrecy could also be used to withhold information about absolutely shabby security or insider wrong-doing. And that’s not acceptable.
Jon Rappoport is concerned, too, as Joe was obviously delighted to read Rappoport’s opinion:
In truth, the Dept. of Homeland Security is spearheading a movement to connect, cross reference, and integrate every major apparatus of data-collection in both the private and public sectors.
This is the ongoing op.
It is not partisan. It flies the banner of no political party. It pretends to protect the citizenry.
But, in fact, it is the major long-term threat to the citizenry.
Are Joe and Jon over-reacting, or are too many of us under-reacting? And if most of us are under-reacting, there will be no way to salvage anything of our privacy soon, as DHS amasses more and more information and databases.
Of course they do. Higher always wants the troops to tell them where they are, what they see and what they are going to do about it. The other side would also like that information. Perhaps one of my students will solve this problem and get rich?
DARPA wants to create secure data-sharing tech
… The Defense Advanced Research Projects Agency, the research arm of the Department of Defense, said it's working on a project that would use software and networking technology to securely share information on unsecured commercial and military networks.
My students will probably be the ones to install the AI that makes their job redundant.
Report – changing face of business and the part artificial intelligence has to play
by Sabrina I. Pacifici on Jan 11, 2017
Accenture via World Economic Fortune: “Artificial Intelligence (AI) may be the single most disruptive technology the world has seen since the Industrial Revolution. Granted, there is a lot of hype out there on AI, along with doomsday headlines and scary movies. But the reality is that it will positively and materially change how we engage with the world around us. It’s going to improve not only how business is done, but the kind of work we do – and unleash new levels of creativity and ingenuity. In fact, research from Accenture estimates that artificial intelligence could double annual economic growth rates of many developed countries by 2035, transforming work and fostering a new relationship between humans and machines. The report projects that AI technologies in business will boost labor productivity by up to 40 percent. Rather than undermining people, we believe AI will reinforce their role in driving business growth. As AI matures, it will potentially serve as a powerful antidote for the stagnant productivity and shortages in skilled labor of recent decades.”
Something others should emulate?
6 ways Amazon is trying to win friends and influence governments in Europe
They’ve already got most of our money, perhaps they’ll lend us some?
Amazon's New Credit Card Primed To Disrupt Retail
… Yesterday, Amazon announced its latest benefit for Amazon Prime members: an Amazon Prime credit card that offers 5% off every Amazon purchase, plus multiple other benefits.
Turns Out Many Consumers Are Interested in Banking With Google, Amazon, and Facebook
Roughly one in three banking and insurance customers globally would consider switching their accounts to Google, Amazon, or Facebook if the Silicon Valley giants offered financial services, according to a new survey on Wednesday.
(Related). Another ‘benefit?’
How did Amazon know my new Visa card information before me?
… None of us, it seems, were aware of VAU – Visa Account Updater. This allows subscribing merchants to receive automatic updates to cardholder account information, including account numbers and expiry dates. It sounds ominous, but the idea is to save retailers – and customers – the hassle of recurring payments being declined when a registered card has expired.
Lenovo, HP, And Dell Lead the Shrinking PC Market
Overall shipments of PCs dropped 5.7% year-over-year in 2016 to 260 million, according to a report Wednesday by market research firm International Data Corporation.
Lenovo was the biggest PC maker last year with 55.5 million PCs shipped, a 3% decline from the 57 million shipped in 2015. The company has a 21.3% share of the PC market, IDC said.
HP, Inc. is a close second, however, with shipments of 54.2 million PCs in 2016, up 1.3% year over year. It had 21% of the PC market.
Dell Technologies came in third with 40.7 million PCs shipped in 2016, up 4.3% from the previous year. Dell had about 14% of the PC market.
As for Apple, the technology giant shipped 18.4 million PCs in 2016, a nearly 10% drop from 2015.
Do people still print?
… you need to know about Google Cloud Print. This service by Google makes it possible for you to print to ANY printer from anywhere — even when you’re halfway across the globe — as long as you have an internet connection and the printer is set up beforehand.
Toys for geeks or the future for everyone?
Opera showcases ‘future of the web’ with Neon, a new concept browser for Windows and Mac
… The Opera Neon browser start page displays browser tabs as little circular icons that can be dragged around and reordered. The left sidebar includes a video player, download manager, and image gallery, while a new visual sidebar on the right hosts other active pages that can be pulled into the middle. The Neon browser can automatically manage tabs so that the most frequently used tabs will float to the top on their own volition, while those used less frequently will sink to the bottom.
… “Web browsers of today are basically from the last millennium, [That makes me feel old. Bob] a time when the web was full of documents and pages,” said Opera browser chief Krystian Kolondra. “With the Opera Neon project, we want to show people our vision for the future of the web.”
Stuff my niece and nephew already know.
Some history for my spreadsheet students. A TED talk.
Meet the inventor of the electronic spreadsheet
Dan Bricklin changed the world forever when he codeveloped VisiCalc, the first electronic spreadsheet and grandfather of programs you probably use every day like Microsoft Excel and Google Sheets.
Wednesday, January 11, 2017
Why assume this hack failed? Perhaps it did exactly what it was supposed to do.
Dan Adams reports:
Marijuana shops across the country, including seven medical dispensaries in Massachusetts, are being affected by the apparent hack of a sales and inventory system widely used in the cannabis industry.
[…] MJ Freeway, a Denver company whose “seed-to-sale” tracking software is used by hundreds of marijuana companies to comply with state regulations, said its main servers and backup system each went down Sunday morning and remained offline as of Monday afternoon.
[…] A spokeswoman for MJ Freeway said the outage, first reported by the industry publication Marijuana Business Daily, was the work of unknown hackers.
[…] Ward said encryption prevented the hackers from reading data about MJ Freeway’s retail clients, which include five nonprofits in charge of seven medical dispensaries in Massachusetts, or those shops’ patients and customers. But the attackers did succeed in corrupting, or garbling, the data and making it unusable. The company has not received a demand for ransom or any other communication from the alleged hackers, she added.
Read more on Boston Globe.
Okay, this is interesting. Did the hacker(s) intend to corrupt the data or was that a byproduct of a failed attempt to access/exfiltrate encrypted data? What was the motivation behind this attack? To get data for extortion? To interfere with access to marijuana? To try to cross-match with another database for political purposes? Something else?
Searching is Okay if required to solve a problem for the customer, sharing isn’t.
Apple Store employees fired after accusations of snooping on customers’ devices for sexual selfies and sharing them
Cory Doctorow reports:
Last October, an Apple Store in Brisbane, Australia terminated some of its employees after they were accused of searching customers’ devices for sexually explicit selfies and sharing them with colleagues, rating them on a scale of 1-10.
The employees were also accused of covertly photographing female customers and co-workers, including “upskirt” photos.
Though Apple fired the employees, it denied that they engaged in these activities. The Australian privacy commissioner is investigating the allegations.
Read more on BoingBoing.
For my Data Management students. Another business whose product is data.
FarmLogs raises $22 million to help farmers improve crop yield with big data
… FarmLogs uses data science and machine learning smarts to help farmers garner insights into what’s happening in their fields in order to maximize their yield, reduce waste, and increase profitability. The platform monitors metrics such as crop health, rainfall, nitrogen levels, and more, while enabling users to record and share scouting notes with photos from specific locations in a field. Farmers can access this data through native mobile apps for Android and iOS.
Today, FarmLogs claims its platform is used by more than a fifth of row crop farms in the U.S.
For my Computer Security students. Be worthy of the high paying ones.
1 million cybersecurity job openings in 2017
A Forbes story in January 2016 reported there were 1 million cybersecurity job openings in 2016. Some things are worth repeating. There are 1 million cybersecurity job openings in 2017, give or take. Not much has changed over the past year.
Can armies of interns close the cybersecurity skills gap? asked a Fast Company story in September of 2016. Not likely. In the U.S., and internationally, there aren't enough cybersecurity grads -- or computer science grads with cyber credits. In the U.S., students can graduate from some of the top computer science programs with little to no cybersecurity courses.
For every cybersecurity grad, there's a job.
… Then fire away with the best of these 200 most commonly asked IT security interview questions, posted as a free resource by Skyhigh Networks. This will help narrow down to the IT workers who can think like hackers, and who possess the soft skills to combat them.
Another fun tool I can use to harass my students?
TinyTap Talk or Type - Voice Response Activities
TinyTap is a service that lets you create educational games for your students to play on their iPads, Android tablets, and in their web browsers. For the most part the style of games that are created on TinyTap are identification activities in which students either choose an answer or type an answer to a question. Recently, TinyTap added the option for students to speak responses to game questions.
TinyTap's Talk or Type feature lets you create activities that your students can interact with by speaking.
For the toolkit.
Tuesday, January 10, 2017
You might think this would have occurred years ago, but then you realize it’s a government bureaucracy trying to do something for the first time.
OCR has announced a settlement involving a breach that I never even reported on this site at the time and that doesn’t appear to have been in the news at the time. A quick look at HHS’s “Wall of Shame” shows two entries for the incident at issue: one entry says it was reported on January 31, 2014 as “Loss – Paper/Films.” The second entry says it was reported on April 4, 2014 as “Other – Paper/Films.” Let’s see what the press release from OCR says:
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.
… With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.
On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.
So they were late by more than one month. The press release doesn’t indicate how late they were, but the Resolution Agreement notes that notifications to individuals did not occur until February 3, 2014 (104 days post-discovery), notification to media outlets did not occur until February 5, and notification to HHS did not occur until January 31.
The Resolution Agreement also indicates that Presence explained its delay as being due to a “miscommunication between workers.” But in investigating Presence, OCR had also uncovered other breaches in which notification had not been timely made. As a result, the corrective action plan requires revision of policies and procedures for receiving and addressing reports of breaches from both internal sources and external parties.
As a tease to readers:
In the near future, Protenus will be releasing its report on 2016 health data breaches. Their analysis includes some data on the gap between breach, discovery, and reporting, and how many entities actually comply with the 60-day-from-discovery timeline. Their analysis, in light of today’s resolution agreement, should make for some interesting conversations – and sweating – in C-Suites.
Assumptions galore. What does the Board of Directors know about their vulnerability? How often should you backup a database?
The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000 in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation:
still shocked that yall shocked and fussing about the mongodb ransom spike.
well we all know 95% are dev and waste databases, others are most likely backed up, i see no major issue really
In light of the above, I thought I’d highlight what we can learn from the MongoDB ransacking sheet created by Victor Gevers and Niall Merrigan. They’ve added a sheet about the victims they’ve provided assistance to. For the first 118 victim entries, consider the following:
· Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
· 7 reported paying the ransom; none of those had gotten their data back.
· 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.” The remainder were coded as “unknown,” left blank, or had other designations.
Maybe the first 118 cases are an atypical sample of the more than 27,000 that have been hit, but also consider this:
For the 40+ U.S. entries in the sheet, the production databases included:
· a travel organization that issued tickets and stored search and customer data in the database;
· an online advertising firm that stored online ads tracking data;
· a school that stored a student database;
· an Internet app (Social Media) that stored user data;
· a Consumer Services organization that stored customer data;
· an Online Media entity that stored customer data;
· an Online Service (Webshop) that stored orders and customer data; and
· an Online Service (Financial) that stored transaction logs.
Many other U.S. entries were noted as “production” without more specific information entered yet.
And of course, the problem is not confined to U.S. databases. A French healthcare research entity had its database with cancer research data wiped out. They reported no recent backup. And an online financial service in Argentina also had its production database wiped out; that one contained payroll data. They, too, had no recent backup.
As of yesterday, more than 93 terabytes of data had been wiped out.
So should we be concerned about these attacks? I think we should.
But in light of the fact that this is not a new problem, will the Federal Trade Commission consider any enforcement actions against some entities for not using “reasonable security” to protect personally identifiable information? Could the FTC argue that even if they haven’t specifically provided any guidance on MongoDB or other NoSQL databases, the information was out there and entities or their third-party vendors should have known by now?
For my Ethical Hacking students. Why didn’t you find these keys first? (Is this the only place you should look?)
"Truffle Hog" Tool Detects Secret Key Leaks on GitHub
A free and open source tool called “Truffle Hog” can help developers check if they have accidentally leaked any secret keys through the projects they publish on GitHub.
Truffle Hog is a Python tool designed to search repositories, including the entire commit history and branches, for high-entropy strings that could represent secrets, such as AWS secret keys.
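As an added example (my own code, not Truffle Hog’s), the scanner below applies the idea the article describes to the added lines of a diff: it pulls out base64-looking and hex-looking runs and flags those whose Shannon entropy is high. The character sets, the 20-character minimum run, the thresholds and the sample diff are assumptions for this example; the AWS values are the placeholder credentials from AWS’s own documentation, not real keys.

```python
import math
import re
from typing import Dict
# Added example, not Truffle Hog's own code: flag high-entropy strings in the added
# lines of a diff. Character sets, minimum run length and thresholds are assumptions.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HEX_CHARS = "0123456789abcdefABCDEF"
# (regex for a run of at least 20 charset characters, charset, threshold in bits/char)
RULES = [
    (re.compile(r"[A-Za-z0-9+/]{20,}"), BASE64_CHARS, 4.5),
    (re.compile(r"[0-9a-fA-F]{20,}"), HEX_CHARS, 3.0),
]
TOKEN_SPLIT = re.compile(r"""[\s="']+""")  # whitespace, assignment and quote characters


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_high_entropy_strings(diff_text: str) -> Dict[str, float]:
    """Map each suspicious run in the diff's added lines to its entropy (2 dp)."""
    findings: Dict[str, float] = {}
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a new secret
        for token in TOKEN_SPLIT.split(line[1:]):
            for regex, charset, threshold in RULES:
                for run in regex.findall(token):
                    entropy = shannon_entropy(run, charset)
                    if entropy > threshold:
                        findings[run] = round(entropy, 2)
    return findings


# Constructed sample diff. The AWS values are the placeholder credentials from AWS's
# own documentation, not real keys; the hex value is a sample token, not a real secret.
SAMPLE_DIFF = """\
+++ b/config.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+CACHE_SALT=d41d8cd98f00b204e9800998ecf8427e
+# padding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""
```

Note what the entropy test misses: the access key ID AKIAIOSFODNN7EXAMPLE scores only about 3.7 bits per character and is not flagged, while the secret key (about 4.66) and the hex token (about 3.39) are. Structured identifiers slip past a pure entropy check, which is why secret scanners pair entropy with pattern rules for known key formats.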
Something for our Computer Forensics students.
A data breach investigation blow-by-blow
Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source.
Won’t this get the lawyer a visit from the “Obfuscation is good” committee?
Amy B. Wang reports:
“‘Terms and conditions’ is one of the first things you agree to when you come upon a site,” Jenny Afia, a privacy lawyer and partner at Schillings law firm in London, told The Washington Post. “But of course no one reads them. I mean, most adults don’t read them.”
Afia was a member of a “Growing Up Digital” task force group convened by the Children’s Commissioner for England to study internet use among teens and the concerns children might face as they grow up in the digital age.
The group found more than a third of internet users are younger than 18, with 12- to 15-year-olds spending more than 20 hours a week online.
Most of those children have no idea what their privacy rights are, despite all of them agreeing to terms and conditions before starting their social media accounts, Afia said. The task force, which included experts from the public and private sector, worked for a year and released its report Wednesday.
Read more on The Denver Post. I love how the task force translated the legalese into short, comprehensible English for kids and teens. We need more of that!
Falsifying data for job security? Sounds like their ‘one size fits all’ process for eliminating books needs a revision. Since this impacts funding, it’s fraud.
To save books, librarians create fake 'reader' to check out titles
Chuck Finley appears to be a voracious reader, having checked out 2,361 books at the East Lake County Library in a nine-month period this year.
But Finley didn't read a single one of the books, ranging from "Cannery Row" by John Steinbeck to a kids book called "Why Do My Ears Pop?" by Ann Fullick. That's because Finley isn't real.
The fictional character was concocted by two employees at the library, complete with a false address and driver's license number.
… The goal behind the creation of "Chuck Finley" was to make sure certain books stayed on the shelves — books that aren't used for a long period can be discarded and removed from the library system.
Interesting, but I would never do this in isolation. It is very difficult to pull intelligence targeting one location. Better to see what could happen anywhere and figure out how to deal with it at your airport. Reads more like a plan to keep celebrities safe from ‘the little people.’
Inside LAX's New Anti-Terrorism Intelligence Unit
I’m trying to ensure that my students use all the data they can find.
UK – There is no shortage of open data – Is anyone using it?
by Sabrina I. Pacifici on Jan 9, 2017
ComputerWeekly.com: “The UK government’s data portal, data.gov.uk, currently shows 36,552 published datasets available, but how usable are they, and is anyone actually downloading them?… There are examples of data being linked in useful ways. In several, but by no means all, cities in the UK and Europe, Citymapper draws on open datasets, including mapping data and public transport timetables, to show people where they are and what their options are for getting where they want to go. To do this, the data should, first and foremost, be available and up to date. It should also be in machine-readable format. Bus timetables in PDF form are not much fun for human beings – and they are almost useless for navigation apps. Citymapper is often cited as an open data success story, but is comparatively rare. A counter example was raised at the summit by a question concerning threesixtygiving.org. On its website, threesixtygiving says it “supports organisations to publish their grants data in an open, standardised way and helps people to understand and use the data in order to support decision-making and learning across the charitable giving sector”. But a questioner from the floor pointed out that UK government data on grants is not currently open…”
Because I read a lot!
… You’d be surprised how many ebooks you can get without paying a cent, and that applies to both fiction and non-fiction. Where can you find these free ebooks? Well, we’re glad you asked…
I have some students who live for comic book movies.
Comic Book and Sci-fi Movies 2017: listed and ranked with trailers
… The following list is ranked in order of how epic I feel each film in the greater 2017 collection will be. For me, “epic” doesn’t necessarily mean “award-winning” or even “good for most viewers.” In this market of sequels and chapter-cut releases, EPIC mostly means “if you liked what came before, you’re going to love this.”
Monday, January 09, 2017
Even in ‘on ground’ classes, faculty and students rely on access to our computer system to find assignments, upload homework and record grades.
I’ve been sitting on this one for a while because it wasn’t clear if any personal info was involved. CBS had reported that Los Angeles Valley College in Valley Glen was subject to a cyber attack over the winter break, but it was not known how large the breach was or its scope.
Now Breitbart is reporting that the school’s website and email system were taken down on New Year’s Day by ransomware, and the school paid $28,000 to free hostage data:
1,900 students and faculty were locked out of their computers with the message: “You have 7 days to send us the BitCoin after 7 days we will remove your private keys and it’s impossible to recover your files,” according to the campus newspaper.
It took the college 72 hours of computer systems freezing up throughout the Valley Glen campus before college administrators caved and made the payment the day after school had reopened. But even after the criminals delivered a decryption “key” to unlock LAVC servers, it will take weeks to unlock every campus computer and try to assess damages.
Read more on Breitbart.
Heads of intelligence agencies should never use technology without a babysitter. Clearly, they can’t concentrate on security while surfing the politics of Washington.
Man Pleads Guilty to Hacking Accounts of U.S. Officials
… According to authorities, between October 2015 and February 2016, the hacker group used social engineering and other techniques to gain access to the online accounts of U.S. government officials and their families, and government computer systems. In addition to CIA director John Brennan, the group also targeted U.S. spy chief James Clapper, and senior figures in the FBI, the DHS, the White House and other federal agencies.
The hackers published their victims’ personal details online and harassed them over the phone.
For my Data Management students. If this data is valuable, should Uber sell it to the highest bidder?
Uber is finally releasing a data trove that officials say will make driving better for everyone
The combative ride-hailing giant Uber is extending an olive branch to cities — in the form of data that transit wonks have coveted for years.
The San Francisco-based company shared a vast trove of transportation data Sunday that it said local officials could use to help cut down on commute times and improve traffic flow. The data, on a public website that shows the time it takes to travel between neighborhoods in various cities, is derived from the company’s extensive logs of trips taken by millions of Uber riders each day.
… Uber’s move underscores a new power dynamic emerging among technology companies, researchers and governments. Technology companies, from Uber to Facebook, hold growing stores of data about user behavior, and officials and academics want access to it. They believe it contains valuable insights that could benefit the public.
The challenge for the public interest is that many technology companies will share data only on their terms.
I used to look forward to new technologies introduced at CES. Now I worry I’ll need a Smartphone to make coffee and toast in the morning. (Will people who reach their data limits starve?)
LG threatens to put Wi-Fi in every appliance it introduces in 2017
In the past few years, products at CES have increasingly focused on putting the Internet in everything, no matter how "dumb" the device in question is by nature. It's how we've ended up with stuff like this smart hairbrush, this smart air freshener, these smart ceiling fans, or this $100 pet food bowl that can order things from Amazon.
Now that phenomenon is reaching its logical endpoint: during the company's CES press conference today, LG marketing VP David VanderWaal says that "starting this year" all of LG's home appliances will feature "advanced Wi-Fi connectivity."
I told you this was coming. (And it’s Block Chain, not Bitcoin)
Wall Street Clearing House to Adopt Bitcoin Technology
… The company that serves as the back end for much Wall Street trading — the Depository Trust and Clearing Corporation, or D.T.C.C. — said on Monday that it would replace one of its central databases, used by the largest banks in the world, with new software inspired by Bitcoin. The organization, based in New York, plays a role in recording and reporting nearly every stock and bond trade in the United States, as well as most valuable derivatives trades.
IBM, which has been making a big push into blockchain technology, will be leading the project for the D.T.C.C. and aims to have it fully functioning by early next year.
Perspective. Increasingly, I find I have to teach history as well as Computer Science. This Quarter I had to explain to my students what an LP was.
Streaming Now Officially the Number One Way We Listen to Music in America
… Overall on-demand audio streams surpassed 251 billion in 2016–a 76 percent increase that accounts for 38 percent of the entire music consumption market. Plus, “the on-demand audio streaming share [of total music consumption] has now surpassed total digital sales (digital albums + digital track equivalents) for the first time in history.”
As previously reported by BuzzAngle, there were more streams on an average day in 2016 than song downloads for the entire year. (An average of 1.2 billion streams per day versus 734 million downloads for all of 2016.)
So that’s what that was…
Audubon Online Guide to Identifying Birds
by Sabrina I. Pacifici on Jan 8, 2017
If you are at all interested in birding, bird watching, feeding birds at your feeders, then please take some time to visit this beautiful and educational site. It provides extensively documented information on specific birds and raptors, including multiple sets of photographs of species and subspecies, stories about each subject as well as audio of bird calls, quizzes to test your birding ID skills, as well as teaching us about the flyways traveled by birds each spring and fall. Birds and raptors are with us regardless of the seasons or our geographic location – take the opportunity to learn more about them, and to participate in bird and raptor conservation efforts.