Saturday, February 18, 2017

This happened in 2013 and they are finally agreeing to improve their security? 
Jerry DeMarco reports:
Horizon Blue Cross Blue Shield of New Jersey agreed to pay $1.1 million and improve data-security practices to settle charges that it failed to properly protect the privacy of nearly 690,000 state policyholders whose personal information was contained on two laptops stolen from the insurer’s Newark headquarters.
The insurance giant — New Jersey’s largest healthcare provider — agreed to the settlement after state Division of Consumer Affairs investigators found that the company’s failure to comply with federal data security standards threatened to expose private information of its members, Division Director Steve Lee said.  That included names, addresses, birthdates, insurance identifications — and, in some instances, Social Security numbers and limited clinical data.  The policyholder data on the stolen laptops was password protected, but not encrypted, as required by federal law.
Read more on Hackensack Daily Voice.
Horizon was recently in the news again about the 2013 breach after the Third Circuit ruled that plaintiffs had standing under the FCRA.  You can read that coverage here.
The following is the full text of the state’s press release about today’s settlement announcement:
   The investigation further revealed that the laptops stolen in 2013 were issued to employees not required to store ePHI on their laptops, in violation of a company policy limiting access to ePHI information to employees who needed it to accomplish their job functions.

“Don’t worry, you can trust us!”  Some of this is “We don’t know” and some is “Telling you would make us look really stupid.” 
Grant Hermes reports:
Calling it a “catch-22”, Oklahoma state officials declined to release which state agency was discovered to have been attacked by hackers, claiming on Wednesday that releasing the name could compromise the agency further.
Last week, the state director of Oklahoma CyberCommand [Does Colorado have a CyberCommand?  Bob] told a House of Representative committee an agency had been attacked and confirmed the CyberCommand was investigating a “suspicion” the agency was forced to pay a ransom for its data.
However, the investigation revealed that no money had been paid to hackers, according to Tuesday’s joint statement from Governor Mary Fallin’s Office and the Office of Management and Enterprise Services.
Read more on News9.
Apparently the agency that was hacked was one of 20 agencies that had not yet complied with a statewide effort to bring all agencies under one cybersecurity umbrella.  I bet they come into compliance/sign on now.

This is interesting.  The data is out there already.  Collecting it into one place is Okay, and using it is Okay, but if I feel intimidated it suddenly reverts to not Okay? 
Bryan Schott reports:
One Utah lawmaker wants to take action against those who dig up personal information about someone and post it online to intimidate them.
Sen. Howard Stephenson, R-Draper, has filed an anti-doxing bill which makes it a second-degree felony if someone posts personal information online, and that information is used to harass someone.  Doxing is short for “document tracing.”
[From the article: 
The bill lays out a list of "identifying information" that, if published online, would fall under this statute. It includes:
· Address
· Social security number
· Telephone number
· Bank account number
· Photograph
If the information is already available through legal means, like government records, then posting it online would not fall under this statute.
[From the Bill:  
This bill:
prohibits the disclosure or dissemination of identifying information with the intent or knowledge that the information will be further disseminated;
[Silly non-lawyer me, but if I put the information on my website and in order to access it you had to “agree” not to disseminate it, would I also be exempt?  Bob]

Start spying on them young, it makes them easier to control. 
German parents told to destroy Cayla dolls over hacking fears
An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.
The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.
Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.
   The Cayla doll can respond to a user's question by accessing the internet.  For example, if a child asks the doll "what is a little horse called?" the doll can reply "it's called a foal".

For my Data Management students.
Why big data projects fail and how to make 2017 different
   In my experience, the two main obstacles are lack of skill or expertise, and a mismatch between the technology strategy and overall company needs.  

How much is “new” or “different” worth?  How can you tell true disruption from hype?
Real Estate Is Latest Target for Would-Be Disrupters
A real-estate startup called Compass Inc. has hired hundreds of sales agents away from older rivals, collected $225 million from marquee investors and amassed a valuation of over $1 billion, all with the pitch that its software can make brokers more efficient.
Real-estate veterans say they’re baffled by how the four-year-old firm, active in only a few cities, could be considered one of the most valuable brokerages in the U.S.—a skepticism increasingly familiar to incumbents in old-line industries facing well-funded startups.  Property brokerages typically command modest valuations on Wall Street, as they have few assets and limited growth prospects.
   Executives at the New York-based firm say it is poised for years of fast expansion, with its software eliminating much busy work for brokers.  In theory, this allows them to show more homes and deliver more sales, which, in turn, serves as a recruiting tool—enabling the rapid growth sought by investors.
   Home-reservation service Airbnb Inc. boasts a $30 billion valuation that is just 15% below the world’s biggest hotel company by room count, Marriott International Inc., and 50% more than No. 2 Hilton Worldwide Holdings.  Electric-car maker Tesla Inc. is fast approaching Ford Motor Co.’s $49 billion market value despite bringing in less than 7% of the Detroit giant’s revenue.

Ah, Bill, when did you go so wrong? 
The robot that takes your job should pay taxes, says Bill Gates
Robots are taking human jobs.  But Bill Gates believes that governments should tax companies’ use of them, as a way to at least temporarily slow the spread of automation and to fund other types of employment.

European parliament calls for robot law, rejects robot tax
European lawmakers called on Thursday for EU-wide legislation to regulate the rise of robots, including an ethical framework for their development and deployment and the establishment of liability for the actions of robots including self-driving cars.

But they rejected a proposal to impose a so-called robot tax on owners to fund support for or retraining of workers put out of a job by robots.

   The IFR and others argue that automation and the use of robots create new jobs by increasing productivity, and point to a correlation between robot density and employment in advanced industrial nations, for example in the German car industry.

Did Trump copy India or vice versa?
Does India Need a Radically Different Approach for Rapid Growth?
   At the 2017 One Globe Forum in New Delhi, experts tried to zero in on actionable insights which could help overcome India’s myriad challenges and boost the country’s journey towards becoming a knowledge economy.
   In a session titled “Make in India: creating a 100 million jobs by 2022,” moderator Mahendra Bapna, senior advisor at the Indian Institute of Technology (IIT) Jodhpur, observed that for manufacturing to take off, India needs to “move beyond rhetoric and create a clear strategy and favorable policy environment and improve the ease of doing business.”
   Building on this, Makarand Chipalkatti, managing director of Dr. Chips Consulting, added that it is critical to also improve the ease of starting and closing a business. [Including declaring bankruptcy?  Bob] 
   In a discussion on artificial intelligence (AI), robotics and jobs, Vikram Chachra, CEO and managing director of investment firm Eight Capital, cautioned that as AI and robotics enter manufacturing, there will be a major impact on jobs.

Interesting.  Imagine Castro vouching for Tony Montana.
   Therefore, if a country is unwilling or unable to systematically provide that information, its citizens would be banned from entering the United States.
   The order appears to envision the U.S. government seeking and relying on information from some of the most repressive and dysfunctional regimes in the world, about the citizens who are fleeing them, often because of that repression and dysfunction.  Would the United States rely on the Iranian regime, for example, to vet the requests of Iranian political dissidents and fleeing religious minorities, and to provide the U.S. government reliable information about those dissidents or minorities so the US can grant them a visa?

Friday, February 17, 2017

Closer to an Act of War?  As we digitize our army, the potential for similar attacks has been considered and is likely well guarded against.  The soldiers’ personal smartphones?  Maybe not so much… 
Israeli soldiers hit by Android malware from cyberespionage group
   The Israeli soldiers were lured via Facebook Messenger and other social networks by hackers who posed as attractive women from various countries like Canada, Germany, and Switzerland.  The victims were tricked into installing a malicious Android application, which then scanned the phone and downloaded another malicious app that masqueraded as an update for one of the already installed applications.  
   Once installed on the phone, this malicious app allows hackers to execute on-demand or scheduled commands.  The commands can be used to read text messages, access the contacts list, take pictures and screenshots, eavesdrop at specific times of the day, and record video and audio.

The Kaspersky researchers concluded that this is likely only the "opening shot" of the operation and that it is a targeted attack against the Israel Defense Forces, "aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using, and real-time intelligence gathering."  

(Related).  We called this “Targeting.” 
Many Ukrainian Organizations Targeted in Reconnaissance Operation
CyberX, a company that specializes in ICS security, has been monitoring a well-organized campaign that has targeted at least 70 entities with ties to Ukraine, including the country’s critical infrastructure.
The campaign, dubbed Operation BugDrop, has been underway since at least June 2016.  It involves malware delivered via spear phishing emails and malicious macro-enabled Office documents.
The BugDrop malware is capable of collecting system information, passwords and other browser data, and audio from the microphone.  It can also steal files from local, shared and USB drives, including documents, spreadsheets, presentations, archives, databases and text files.

My Computer Security class starts today, so this might interest my students.
Researchers at Kaspersky Lab have analyzed several Android applications for connected cars and determined that most of them lack important security features, making it easier for hackers to unlock the vehicles.
   Kaspersky has analyzed seven of the most popular connected car Android applications, which have been installed by millions of users.
   All the tested applications can be used to unlock a vehicle’s door and some of them also allow the user to start the engine.  However, the aforementioned security features are mostly missing from the apps – only one encrypts the username and password, and none of them use obfuscation, overlay protection, root detection or code integrity checks.
The lack of security mechanisms makes it easier for a piece of malware that has infected the Android device to take control of the smart car app.  And while hijacking the application does not allow an attacker to drive away with the car, it does allow them to unlock it and disable its alarm, which can make it easier to steal.

An article the FBI should read.
RSA: Elite cryptographers scoff at idea that law enforcement can ‘overcome’ encryption
U.S. Attorney General Jeff Sessions’ call for a way to “overcome” cryptography met with scorn from a panel of elite cryptographers speaking at this week’s RSA Conference 2017 in San Francisco.
“Any one of my students will be capable of writing good crypto code,” says Adi Shamir, the ‘S’ in RSA and a professor at the Weizmann Institute in Israel.
   Shamir noted that the current, most respected encryption algorithm was devised by Belgians, and noted that other major crypto advances were made by Japanese, Israelis and others.  “It’s not uniquely American,” he says.  Forcing backdoors in American crypto products would be shooting U.S. interests in the foot, he says.  “Other countries would be happy to step in with un-backdoored cryptography,” he says.
   Landau notes that in the Apple v. FBI case last year, the problems of decrypting a terrorist’s iPhone were overblown by the FBI, which said it could only get in with Apple’s help.  Later, the FBI hired a private firm to do the work, and a researcher demonstrated how to do it with about $150 worth of off-the-shelf gear.
Shamir says that the Israeli company that purportedly helped the FBI was later hacked and its methods publicly disclosed by the attackers.  “You need to be careful about helping the FBI,” he says with a smile.

Even if the data is factual, it could trigger bias in the responders.  Would responders slow down if they heard: “The address is the Trump Re-Election headquarters.”
Nathan Munn reports:
Police in Canada’s capital city of Ottawa are being supported by a so-called “virtual backup” team that provides front-line officers with unprecedented amounts of information as they race to service calls.
The unit, known as the Ottawa Police Strategic Operations Centre (OPSOC), has been active since October 2016.  But civil liberties advocates are raising concerns about the project, pointing out that it monitors protesters on social media and is developing ‘predictive policing’ capabilities based on crime data that could contain hidden biases.
Read more on Motherboard.

Privacy in the future?  What will cause this system to deny you entry? 
Joe Cadillic writes:
A retail store in St. Louis called Motomart is demanding customers submit to having their faces scanned before they’re allowed entry!
Think about what that means: police are identifying every single customer using DHS’s REAL IDs.
According to a Fox2Now article, once it gets dark, employees put up signs that say: “Facial Recognition Software in Use – Please Look at Above Camera for Entry.”
Read more on MassPrivateI.

For my Data management students.
How Chief Data Officers Can Get Their Companies to Collect Clean Data
In analytics, nothing matters more than data quality.  The practical way to control data quality is to do it at the point where the data is created.  Cleaning up data downstream is expensive and not scalable, because data is a byproduct of business processes and operations like marketing, sales, plant operations, and so on.  But controlling data quality at the point of creation requires a change in the behaviors of those creating the data and the IT tools they use.

Don’t worry, Watson can explain it all. 
The moral dilemmas of the Fourth Industrial Revolution
World Economic Forum: “Should your driverless car value your life over a pedestrian’s?  Should your Fitbit activity be used against you in a court case?  Should we allow drones to become the new paparazzi?  Can one patent a human gene?  Scientists are already struggling with such dilemmas.  As we enter the new machine age, we need a new set of codified morals to become the global norm.  We should put as much emphasis on ethics as we put on fashionable terms like disruption.  This is starting to happen.  Last year, America’s Carnegie Mellon University announced a new centre studying the Ethics of Artificial Intelligence; under President Obama, the White House published a paper on the same topic; and tech giants including Facebook and Google have announced a partnership to draw up an ethical framework for AI.  Both the risks and the opportunities are vast: Stephen Hawking, Elon Musk and other experts signed an open letter calling for efforts to ensure AI is beneficial to society…”

The most important thing our Congressional Representatives could possibly do? 
Gardner, Polis, Tipton, Introduce KOMBUCHA Act
Today Sen. Cory Gardner (R-Colo.), Rep. Jared Polis (D-Colo.), and Rep. Scott Tipton (R-Colo.) introduced bipartisan, bicameral legislation that would eliminate federal alcohol taxes on kombucha and update regulations for kombucha companies in Colorado and nationwide.
   Kombucha is a fermented tea that has been consumed for over 2,000 years.  Trace amounts of up to 1 percent alcohol can occur naturally in the production process, which currently triggers the type of federal excise taxes usually reserved for alcoholic beverages.  The KOMBUCHA Act eliminates those unintended tax and regulatory burdens by increasing the applicable alcohol-by-volume limit for kombucha from 0.5 percent to 1.25 percent.
   The kombucha industry is one of the fastest growing beverage categories with a current economic impact of $600 million and expected growth to $1.8 billion by 2020.  Colorado's kombucha industry is estimated at $20 million in annual sales and provides hundreds of jobs across the state.

Perhaps he is considering running for President.
Facebook’s Mark Zuckerberg pens letter warning against threats to globalism
Facebook Inc Chief Executive Mark Zuckerberg laid out a vision on Thursday of his company serving as a bulwark against rising isolationism, writing in a letter to users that the company’s platform could be the “social infrastructure” for the globe.
In a 5,700-word manifesto, Zuckerberg, founder of the world’s largest social network, quoted Abraham Lincoln, the U.S. president during the country’s 19th century Civil War known for his eloquence, and offered a philosophical sweep that was unusual for a business magnate.
   Quoting from a letter Lincoln wrote to Congress in the depths of the Civil War, he wrote to Facebook’s 1.9 billion users: “The dogmas of the quiet past, are inadequate to the stormy present.”
   Zuckerberg’s letter was “a bit more ambitious and a bit more of the 30,000-foot view than I see from most tech company CEOs,” Peter Micek, global policy and legal counsel at Access Now, an international digital rights group, said in a phone interview.
But Zuckerberg stayed away from certain subjects on which Facebook could be vulnerable to criticism, mentioning the word “privacy” only once, Micek said.

Thursday, February 16, 2017

If you had poor Computer Security for years, you can expect to find years’ worth of security breaches when you finally take a good hard look!  
Yahoo warning users that hackers forged cookies to access accounts
Yahoo is warning some customers that state-sponsored attackers have accessed their accounts by using a sophisticated cookie forging attack, which doesn't require obtaining user passwords.
   An email from Yahoo forwarded to ZDNet said:
"Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password.  Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
   It's not known how many customers are affected, though state-sponsored attacks are typically targeted and are in small numbers.
   Yahoo said that hackers were later able to get access to accounts without needing passwords after stealing the company's source code used to generate cookies.
   Yahoo began sending out emails on Wednesday, as news broke that Verizon, which is buying the web giant, lowered its price for the company by $250 million as a result of the two hacks.
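The defensive point behind the Yahoo item is that a session cookie is only as strong as the secret that signs it: if a cookie can be minted from nothing but the source code, anyone holding the source can mint one. The following is an added example, not Yahoo's code or anything the article describes, showing the usual mitigation pattern: cookies carry a key id and an expiry, are authenticated with an HMAC under a secret that lives outside the source, and the verifier rejects anything tampered, expired, signed under a key it does not hold, or signed under a key that has since been rotated out. The key ring, user ids and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo key ring: key id -> secret bytes. In a real deployment the
# secrets are loaded from a secret store or the environment at start-up; they
# never live in the source tree, so a stolen repository does not yield them.
KEYS: Dict[str, bytes] = {
    "k1": secrets.token_bytes(32),
    "k2": secrets.token_bytes(32),
}


def _sign(kid: str, payload: str, keys: Dict[str, bytes]) -> str:
    """HMAC-SHA256 over the payload under the key identified by kid."""
    return hmac.new(keys[kid], payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(user_id: str, expires_at: int, kid: str,
                keys: Dict[str, bytes] = KEYS) -> str:
    """Build 'kid|user|expiry|signature'. Only the holder of keys[kid] can do this."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    payload = f"{kid}|{user_id}|{expires_at}"
    return f"{payload}|{_sign(kid, payload, keys)}"


def verify_cookie(cookie: str, now: int,
                  keys: Dict[str, bytes] = KEYS) -> Optional[str]:
    """Return the user id for a valid, unexpired cookie, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    kid, user_id, expires_str, sig = parts
    if kid not in keys:            # unknown key id, or a key retired by rotation
        return None
    if not expires_str.isdigit():
        return None
    payload = f"{kid}|{user_id}|{expires_str}"
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(kid, payload, keys), sig):
        return None
    if int(expires_str) <= now:    # expiry bounds the window a stolen cookie is useful
        return None
    return user_id


def demo() -> Dict[str, Optional[str]]:
    """Exercise the verifier against the cases a defender cares about."""
    now = 1_700_000_000  # constructed 'current time' in epoch seconds
    good = mint_cookie("alice", now + 3600, "k1")
    tampered = good.replace("alice", "admin", 1)          # payload edited, signature stale
    expired = mint_cookie("alice", now - 1, "k1")
    # A cookie minted with the right format but under a key the server never held:
    # this is what knowing only the source code buys when the secret is kept out of it.
    foreign_keys = {"k1": secrets.token_bytes(32)}
    wrong_key = mint_cookie("alice", now + 3600, "k1", foreign_keys)
    # After an incident the operator retires k1 and keeps only k2 live.
    rotated = {"k2": KEYS["k2"]}
    return {
        "valid": verify_cookie(good, now),
        "tampered": verify_cookie(tampered, now),
        "expired": verify_cookie(expired, now),
        "wrong_key": verify_cookie(wrong_key, now),
        "after_rotation": verify_cookie(good, now, rotated),
        "new_key": verify_cookie(mint_cookie("alice", now + 3600, "k2"), now, rotated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The key id in the cookie is what makes rotation cheap: once a secret is suspected compromised, removing it from the ring invalidates every cookie it ever signed, which is the response a forged-cookie investigation should end with.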

…because it’s not always Russia. 
Iranian Spies Target Saudi Arabia in "Magic Hound" Attacks
A cyber espionage operation linked to Iran and the recent Shamoon 2 attacks has targeted several organizations in the Middle East, particularly in Saudi Arabia.
Researchers at Palo Alto Networks have been monitoring the campaign, which dates back to at least mid-2016.  Dubbed “Magic Hound,” the operation has been aimed at energy, government and technology sector organizations that are located or have an interest in Saudi Arabia.

Grounds for immediate termination?  Surely, they are not defending themselves against the President of the United States? 
GOP demands inquiry into EPA use of encrypted messaging apps
   Federal employees with concerns about the impact of President Donald Trump's administration have turned to encrypted messaging apps, new email addresses and other ways to coordinate their defense strategies, according to a report earlier this month from Politico.
That article and others prompted Rep. Darin LaHood, a Republican from Illinois, and Rep. Lamar Smith, a Republican from Texas, to send a letter to EPA Inspector General Arthur A. Elkins, Jr. asking him to "determine whether it's appropriate to launch a full-scale review" of EPA workers' use of encrypted apps.
   "Over the past few years, we have seen several examples of federal officials' circumventing Federal Records Act requirements and transparency generally," they wrote.  "In this instance, the Committee is concerned that these encrypted and off-the-record communication practices, if true, run afoul of federal record-keeping requirements, leaving information that could be responsive to future Freedom of Information Act (FOIA) and congressional requests unattainable."
   The letter on Wednesday cited a recent review from the EPA inspector general that found between July 1, 2014 and June 30, 2015, only 86 of the 3.1 million text messages sent or received on government-issued devices were preserved and archived as a federal record.

(Related).  Perhaps it’s just because encryption is much more available?

Disruption.  Is the telephone industry doomed? 
Amazon and Google Want to Turn Their Smart Home Speakers Into Telephone Replacements
Both Amazon and Google are working on turning their popular AI-based speaker products into replacements for a home telephone, reports The Wall Street Journal.
The Amazon Echo and/or the Google Home could be used to make and receive phone calls, with the two companies planning to add the updated functionality as soon as this year.
   Google and Amazon are said to be working to overcome concerns about privacy, telecom regulations, and emergency services, plus the "inherent awkwardness" of making phone conversations via a speaker.  The two companies are worried consumers won't want to speak on a device that is able to record conversations.  Both the Echo and the Home continuously record audio to enable AI responses.

Interesting to see software companies trying to lock in car manufacturers.  Who will win the self-driving wars?
Tata Motors drives with Microsoft: Here’s what the deal is about; 10 key points of the tie-up

Reading is good.

Wednesday, February 15, 2017

I’m trying to figure out what to tell my International students. 
What Are Your Rights if Border Agents Want to Search Your Phone?
   American border agents have the legal authority to conduct searches at the United States border that a police officer on the street wouldn’t.  Laws created that allow agents to search bags without a judge’s approval, for purposes of immigration or security compliance, have been extended to digital devices.
   Can agents force you to unlock your phone or laptop?
No.  But they can ask you to comply voluntarily and make the experience rather uncomfortable if you resist.  Travelers must decide how much trouble they’re willing to put up with.
You may end up losing your device, since agents could seize the device for weeks before it is returned.  They could also copy the data.  (That data must be destroyed “as expeditiously as possible” if it is not valuable, according to Homeland Security policy.)
   Can agents force you to turn over social media passwords?
No.  But those who unlock their phones are most likely giving agents full access to their social media accounts, even if they don’t tell them the passwords.

(Related).  “Papers, fingerprints, retina and iris scans, blood sample and full DNA workup please, Comrade Citizen.”
Biometric Checkpoints in Trump’s America
President Donald Trump’s controversial travel ban called for, among other things, the speedy completion of a “biometric entry-exit tracking system” for all travelers to the United States.
If this sounds familiar, it’s because the idea has been debated in Washington for more than a decade.  The implementation of such a system was one of the recommendations from the sprawling document known as the 9/11 Report, published 13 years ago by the National Commission on Terrorist Attacks Upon the United States.
In fact, members of Congress mandated the creation of an enhanced entry-exit database before the attacks of 2001, as part of immigration reform in 1996.  After the September 11 attacks, Congress set a 2006 deadline for the implementation of the system, and specified that agencies government-wide—not just “scattered units at Homeland Security and the State Department”— should be able to access it.  When the federal government missed that deadline, Congress issued a new target for 2009.
   Keeping track of foreigners who are coming and going, the thinking goes, could prevent a terrorist attack from being carried out in the United States by non-citizens overstaying their visas.  The “large majority of jihadist terrorists in the United States,” however, have been American citizens or legal residents, according to a terrorism-tracking project by the think tank New America.  “Every jihadist who conducted a lethal attack inside the United States since 9/11 was a citizen or legal resident,” according to New America’s research.

I’m not sure I get this at all.  Is there an international body that enforces the Geneva Conventions?  Would this apply only during wars or do we need new definitions of “armed” conflict?  Did any company in any country at war ever declare itself “neutral” and refuse to contribute to the war effort? 
'Digital Geneva Convention' needed to deter nation-state hacking: Microsoft president
Microsoft President Brad Smith on Tuesday pressed the world's governments to form an international body to protect civilians from state-sponsored hacking, saying recent high-profile attacks showed a need for global norms to police government activity in cyberspace.
Countries need to develop and abide by global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two, Smith said.  Technology companies, he added, need to preserve trust and stability online by pledging neutrality in cyber conflict.

Interesting.  Isn’t there some old law about record retention? 
Trump staffers using app that deletes their messages: report
Trump administration staffers are reportedly communicating by using an encrypted messaging app that erases messages shortly after they have been received.
The Washington Post reported on Tuesday that officials were using the app, called Confide, to avoid being caught talking to the media, as President Trump moves to crack down on leaks.
The Post report followed a report from Axios last week that reported Confide had become a favorite app for Republican staffers.
   The reports raise questions though about the possible violation of federal records keeping laws that require certain government employees to use their official email address for communications.  [Thought so.  Bob] 
“The whole f---ing campaign was about Hillary's emails and now Trump's team is violating the Presidential Records Act by using Confide,” tweeted former Obama staffer Tommy Vietor.

Am I missing the clues?  I read this as, ‘our earlier guesses were wrong.’
New clues into how FBI cracked the iPhone
The FBI has released highly redacted contract solicitation documents it sent to companies when trying to crack the iPhone of Syed Farook, one of the shooters in the San Bernardino terrorist attack in December 2015.
   However, both Thompson and Locaria say that formatting within the documents released last week by the FBI suggests that the bureau went to a company that is not already a government contractor.  Cellebrite has been a government contractor for several years. 
   "It's odd they're redacting requirements that don't identify the contractor specifically," he said.
“There are several clauses that only require offerors to make certain representations,” such as certifying that they have an affirmative action plan in place.  “The fact they redact them may indicate that they are not in compliance with these traditional government contract requirements,” he added. 

Tuesday, February 14, 2017

When you get the Ransom note, it’s already too late to secure your databases.  
I’ve reported on this concern before, but Tom Spring has a nice write-up on ThreatPost that begins:
Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come.
“These types of attacks have grown from ones of opportunity to full-scale automated and systematic assaults targeting misconfigured servers containing sensitive data that can be easily hijacked,” said Zohar Alon, co-founder and CEO, security firm Dome9.
First spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation, attacks in the past two months shot up from 200 to near 50,000.
Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed.  When it comes to similar misconfigured databases, 58 percent of the 18,000 vulnerable Elasticsearch servers have been ransomed, and of the 4,500 vulnerable CouchDB servers 10 percent have been ransomed.
“It’s about the path of least resistance for hackers interested in the biggest potential reward,” said Bob Rudis, chief data security officer at Rapid7.  “Hackers have decided it’s easier to end-run an enterprise’s multi-million dollar security system and instead simply target an open server.”
But these servers are NOT being ransomed even though there are “ransom demands.”  What researchers from GDI Foundation have found is that the servers are just being wiped and a ransom note left in their place.  But if entities pay the “ransom,” they still don’t get the database back because it appears that the databases are not being copied and exfiltrated.
Read more on ThreatPost.  And read GDI Foundation’s warning on Hadoop, as Hadoop installations have also been attacked.
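The common thread in these wipe-and-ransom cases is a database listening on every interface with access control switched off, so the check worth running before the ransom note arrives is a configuration audit. The following is an added example, not code from ThreatPost, GDI Foundation or Rapid7, that audits a MongoDB configuration for exactly those two settings. The two configurations are constructed for the demo and are written as the dicts a YAML parser would produce from a mongod.conf; the keys used (net.bindIp, net.bindIpAll, security.authorization) are the real mongod.conf options. It assumes the MongoDB 3.6+ default of binding to localhost when bindIp is absent; the legacy_defaults flag models the earlier builds that listened on all interfaces when unset.

```python
from typing import Any, Dict, List

# Constructed: the kind of mongod.conf that was getting wiped in early 2017.
WEAK_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section at all: authorization is off by default
}

# Constructed: the same server bound to loopback plus one internal address,
# with role-based access control turned on.
HARDENED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}

WILDCARDS = ("0.0.0.0", "::")


def audit_mongod(config: Dict[str, Any], legacy_defaults: bool = False) -> List[str]:
    """Return a list of findings; an empty list means neither weakness is present."""
    findings: List[str] = []
    net = config.get("net", {})

    if "bindIp" in net:
        addrs = [a.strip() for a in str(net["bindIp"]).split(",")]
    else:
        # MongoDB 3.6+ binds to localhost when bindIp is unset; older builds
        # listened on every interface, which legacy_defaults=True reproduces.
        addrs = ["0.0.0.0"] if legacy_defaults else ["127.0.0.1"]
    all_interfaces = bool(net.get("bindIpAll")) or any(a in WILDCARDS for a in addrs)
    if all_interfaces:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")

    auth = config.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("access control off (security.authorization is not 'enabled')")

    # The combination is what turns a config slip into a wiped database:
    # any host that can reach the port can read, drop and replace collections.
    if all_interfaces and auth != "enabled":
        findings.append("CRITICAL: unauthenticated access from the network")
    return findings


def audit_report(name: str, config: Dict[str, Any], legacy_defaults: bool = False) -> str:
    """Human-readable one-liner per config, for use in a nightly check."""
    findings = audit_mongod(config, legacy_defaults)
    if not findings:
        return f"{name}: OK"
    return f"{name}: " + "; ".join(findings)


if __name__ == "__main__":
    print(audit_report("weak", WEAK_CONFIG))
    print(audit_report("hardened", HARDENED_CONFIG))
    print(audit_report("unset-on-old-build", {}, legacy_defaults=True))
```

Elasticsearch and CouchDB have their own equivalents (network binding and an admin user, respectively), and the audit shape is the same: flag the wildcard bind, flag missing authentication, and treat the pair together as the finding that needs fixing today.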

Perhaps we can get a better understanding?
DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks
   On Dec. 29, 2016, the DHS and FBI published an initial Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian hackers designated by DHS as “GRIZZLY STEPPE” in attacks against the United States election.  The previous report, however, didn’t deliver on its promise, security experts argued.  
While the original report included a series of IOCs, some said that they were of low quality, had limited utility to defenders, and were published as a political tool attempting to connect the attacks to Russia.
The new report is described by DHS as an Analytical Report (AR) providing a “thorough analysis of the methods threat actors use to infiltrate systems” in relation to the GRIZZLY STEPPE hackers.  The report provides additional details on IOCs, along with analysis along phases of the cyber kill chain, and suggests specific mitigation techniques that could be used to counter GRIZZLY STEPPE attackers.
DHS analysts leveraged the Cyber Kill Chain framework created by Lockheed Martin that describes the phases of an attack.  The report summarizes the activity of the campaign using each phase of the Cyber Kill Chain, which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective.

It’s why I make my students give presentations.
Gartner and industry experts on the booming market for security awareness training
Andrew Walls, research vice president for security, risk and privacy at analyst firm Gartner, estimated the security awareness training market at more than $1 billion in late 2014.
   A new report from Cybersecurity Ventures states that training employees how to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry - a sector that can be worth $10 billion by 2027. 
   Training the world's employees on how to detect and respond to spear phishing and other hacks aimed at users will cost billions of dollars.  But it may be the world's best ROI in the war against cybercrime - which is predicted to cost organizations $6 trillion annually by 2021.

My students need to understand that businesses do not make decisions like this based only on the technology. 
Woolworths shifts infrastructure to Azure
   "To cater for the [business'] extensive growth, the team made the decision that rather than continue to host the service internally, we would seek a cloud alternative," Rana said.
"The series of unique requirements we had made our decision to move to Microsoft Azure clear cut."
At last count Woolworths’ technology environment spanned 550 major applications supporting 25,000 point-of-sale (PoS) units, 7000 self-service checkouts, and 11,000 back-office workstations.  It relies on an SAP system for its core merchandising activities.
Three data centres with 6500 servers supported its applications, alongside 3200 in-store servers and 250 servers across its distribution centres.
   Woolworths would only consider a locally-based, multi-region, active-active cloud solution that could guarantee its uptime and availability, Rana said.
"Trying to replicate this internally would have been far too costly."
   The Woolworths IT team now no longer needs to manually scale its environment to deal with periods of peak load, Rana said - something that was previously impossible.

Just a thought, but do you suppose Jeff Bezos designed this for his own use and amusement? 
Amazon Is Challenging Microsoft and Cisco With a Yet Another Service

I wonder if I could do something like this for my students. 
Apple Shows Off Sneak Peek of Original Series 'Planet of the Apps'
   In the clip shown to attendees of the Code Media conference, app developers have 60 seconds to get Planet of the Apps' group of advisors — Jessica Alba, Gwyneth Paltrow and Gary Vaynerchuk — excited about their projects.  Those picked work directly with their advisors, preparing them to pitch in front of a group of venture capitalists from Bay Area firm Lightspeed Venture Partners. 

My students will be amused. 
Dubai To Put Autonomous Taxi Drones In The Skies 'This Summer'
When the ruling family decrees that a quarter of all journeys in a city state will be autonomous by 2030, someone somewhere is obliged to make that start happening as soon as possible.
   The flying taxis are being manufactured by Chinese drone-making firm EHang and can carry a person weighing up to 100 kilograms (about 220 pounds) along with a small suitcase.  Passengers don’t need to learn how to fly the drones, EHang's co-founder Derrick Xiong told FORBES staff writer Aaron Tilley in an interview this time last year.
“They just need to press a button and then it vertically takes off, flies from point A to point B, and lands.”

(Related).  Where are we, here in the US?
Fix self-driving car rules or face needless deaths, GM warns government

Okay, believe it or not but the old fuddy-duddy that I am missed the fact that Playboy had stopped running pictures of nude girls.  Here’s the interesting bit: they think they have a way to compete against Internet nudes!
Playboy Is Naked Again And It Is Awesome
Just in time for Valentine's Day, Playboy has announced its 63-year-old magazine will return to publishing naked women.
In 2015, the magazine, faced with competition from the internet where anything goes when it comes to sex, stopped running images of unclothed young ladies.
By all accounts, including my own, the results were terrible.
Now, Playboy Enterprises is back in the skin game with its March/April 2017 issue.
I took the liberty of downloading a copy. (Want one? It's $5.99.)

For the gamers at school.
Humble Bundle
This special one-week bundle features over $600 in incredible games and books for just $30.  100% of your payments will go to the American Civil Liberties Union, the International Rescue Committee, and Doctors Without Borders/Médecins Sans Frontières (MSF).  
Redeem the games on Steam.  All of the games in this bundle are available on Steam for Windows, and some for Mac and Linux too.  A number of the games are available DRM-free as well.
Take the books anywhere.  The ebooks are available in PDF, ePUB, and MOBI formats, meaning you can read them anywhere at any time.  Instructions and a list of recommended reading programs can be found here.  The audiobooks are available in MP3 and FLAC format, meaning you can listen to them anywhere, too!  Instructions can be found here.

Monday, February 13, 2017

It’s not just Russia. 
Malware Attacks on Polish Banks Linked to Lazarus Group
BadCyber reported earlier this month that the systems of several Polish banks had been infected with a new piece of malware.  The attackers hijacked the website of the Polish Financial Supervision Authority and abused it to deliver malware to its visitors.
While there is no evidence that money has been stolen from banks or their customers, some of the organizations whose systems have been infected have noticed large outgoing data transfers.
   Several high profile attacks have been attributed to the Lazarus Group, including the 2014 attack on Sony, and the Dark Seoul and Operation Troy campaigns.  The actor has targeted government, military, media, aerospace, financial and manufacturing organizations primarily in South Korea and the United States.
Researchers also discovered links between Lazarus and an attack on a bank in the Philippines believed to have been carried out by the same cybercriminals that stole $81 million from Bangladesh’s Central Bank.

“Welcome home, comrade citizen.  E-Papers please.” 
A US-born NASA scientist was detained at the border until he unlocked his phone
Bikkannavar says he was detained by US Customs and Border Patrol and pressured to give the CBP agents his phone and access PIN.  Since the phone was issued by NASA, it may have contained sensitive material that wasn’t supposed to be shared.  Bikkannavar’s phone was returned to him after it was searched by CBP, but he doesn’t know exactly what information officials might have taken from the device.  
   The officer also presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone.  Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property.  He even showed the officer the JPL barcode on the back of phone.  Nonetheless, CBP asked for the phone and the access PIN.  “I was cautiously telling him I wasn’t allowed to give it out, because I didn’t want to seem like I was not cooperating,” says Bikkannavar.  “I told him I’m not really allowed to give the passcode; I have to protect access.  But he insisted they had the authority to search it.”
   “In each incident that I’ve seen, the subjects have been shown a Blue Paper that says CBP has legal authority to search phones at the border, which gives them the impression that they’re obligated to unlock the phone, which isn’t true,” Hassan Shibly, chief executive director of CAIR Florida, told The Verge.  “They’re not obligated to unlock the phone.”
Nevertheless, Bikkannavar was not allowed to leave until he gave CBP his PIN.
   Eventually, the phone was returned to Bikkannavar, though he’s not sure what happened during the time it was in the officer’s possession.  When it was returned he immediately turned it off because he knew he had to take it straight to the IT department at JPL.  Once he arrived in Los Angeles, he went to NASA and told his superiors what had happened.  Bikkannavar can’t comment on what may or may not have been on the phone, but he says the cybersecurity team at JPL was not happy about the breach.  Bikkannavar had his phone on hand while he was traveling in case there was a problem at work that needed his attention, but NASA employees are obligated to protect work-related information, no matter how minuscule.  We reached out to JPL for comment, but the center didn’t comment on the event directly.

Man jailed 16 months, and counting, for refusing to decrypt hard drives
He’s not charged with a crime.  US judge demands he help prosecutors build their case.

Fancy AI stuff.  Would they solve the ‘student dilemma?’  (Do what I say or flunk!) 
Google's DeepMind puts AI agents in Prisoner's Dilemma to see if they fight or cooperate
DeepMind, the Alphabet-owned subsidiary working on Google’s ambitious artificial intelligence projects, recently published a new study, which explores how AI agents handle situations involving social dilemmas.  To describe the phenomenon, researchers at DeepMind refer to the age-old game of Prisoner’s Dilemma.

The world, she is a-changing.
FedEx takes on Amazon with the new FedEx Fulfillment program
For the last several months, when we’ve mentioned Amazon and FedEx in the same sentence, it’s been to report on how the online retail company has been encroaching upon the shipment firm’s space.  After all, Amazon now has its own fleet of airplanes, ships, and more.  But now the tables are making a bit of a turn.  Earlier this week, FedEx announced the launch of FedEx Fulfillment, a new network geared towards small and medium-sized businesses that will allow them to store their goods at FedEx warehouses across the United States and Canada.  The global shipment company then sends packages off to their final destinations when customers place orders.

The economics of minimum wage?
Minimum Wage and Corporate Policy
Gustafson, Matthew and Kotter, Jason D., Minimum Wage and Corporate Policy (January 2017).  Available for download at SSRN:
“We provide evidence that minimum wage changes significantly affect the investment and financing policies of labor intensive public firms.  
   Difference-in-differences estimates indicate that labor intensive firms in bound state-years respond to federal minimum wage increases by quickly and significantly reducing both investment and leverage, relative to similar labor intensive firms in other states.  

Sunday, February 12, 2017

For my Computer Security students (and divorce lawyers everywhere?)
Cheating Frenchman sues Uber for tipping off wife about affair
A businessman in southern France is suing ride-hailing company Uber over his wife's discovery of rides he took to see his lover, his lawyer said.
The man says he once requested an Uber driver from his wife's phone.
Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions.
   "My client was the victim of a bug in an application," his lawyer David-André Darmon told AFP news agency after the case was lodged at a court in Grasse.
"The bug has caused him problems in his private life," Mr Darmon added.
   The glitch affected iPhones before a software update in December, the newspaper said.  Android phones did not appear to be affected.

A question for my students.  What will the AI need to know to make a diagnosis and where will they get that data?
AI May Soon Beat The Best Doctors In The World
Soon, doctors might be able to treat you before you actually get sick.

Code-Dependent: Pros and Cons of the Algorithm Age
Algorithms are instructions for solving a problem or completing a task.  Recipes are algorithms, as are math equations.  Computer code is algorithmic.  The internet runs on algorithms and all online searching is accomplished through them.  Email knows where to go thanks to algorithms.  Smartphone apps are nothing but algorithms.  Computer and video games are algorithmic storytelling.  Online dating and book-recommendation and travel websites would not function without algorithms.  GPS mapping systems get people from point A to point B via algorithms.  Artificial intelligence (AI) is naught but algorithms.  The material people see on social media is brought to them by algorithms.  In fact, everything people see and do on the web is a product of algorithms.  Every time someone sorts a column in a spreadsheet, algorithms are at play, and most financial transactions today are accomplished by algorithms.  Algorithms help gadgets respond to voice commands, recognize faces, sort photos and build and drive cars.  Hacking, cyberattacks and cryptographic code-breaking exploit algorithms.  Self-learning and self-programming algorithms are now emerging, so it is possible that in the future algorithms will write many if not most algorithms.

I’m always looking for ‘the next big thing!’
Is Snapchat the next tech titan?
"When Snapchat first became popular in 2013, many thought the messaging app would disappear almost as quickly as its vanishing messages," said The Economist.  Instead, it captured the imagination of tens of millions of millennials.  Now its parent company, Snap, is poised to go public in March at an expected valuation of roughly $20 billion, the biggest initial public offering for a U.S. tech company since Facebook.  But unlike that social media juggernaut, which strives to create a record of its users' lives, "Snapchat offers liberating impermanence."  Users love that they can share impromptu pictures and videos with groups of friends without worrying about them living online forever.  About 41 percent of Americans ages 18 to 34 use Snapchat every day; about 161 million around the globe open the app daily.
"Snapchat may be a messaging app, but in many ways, it's also a new kind of television," said Christopher Mims at The Wall Street Journal.  Snap reports that its users watch 10 billion videos a day.

A part of the discussion in every class I teach.  A January snapshot. 
We think the world is dominated by Facebook, but is it really the world’s favourite social network?  And what about the second most popular social networks?  Let's check the world map!

(Related).  Still big numbers, but perhaps all the Twits were already following President Trump?
Twitter only grew by two million users during Trump mania — Facebook grew by 72 million

Not that Trump doesn’t already say everything you could possibly imagine…  Make a video!
Trump with love