Saturday, May 20, 2017
Good for them. (I hope.)
Victims Call Hackers’ Bluff as Ransomware Deadline Nears
With the clock ticking on whether a global hacking attack would wipe out his data, Bolton Jiang had no intention of paying a 21st-century ransom.
Since a week ago, when the malware first struck, Mr. Jiang has been busily fixing and replacing computers at the electronics company where he works in Shanghai. Paying is a bother, he said, and there was no guarantee he would get his data back.
… A number of people and companies have struck a defiant tone. The Japanese conglomerate Hitachi, which had been identified in the news media as a victim, declined to confirm those reports on Friday but said that it had no intention of paying a ransom and that it aimed to be fully secure against future attacks by Monday. [Sounds like they were not secure before. Bob]
(Related). Only works if you have not rebooted your machine.
WannaCry Ransomware Holding Your Windows PC Hostage? Recover It With This Tool
… Yesterday, a tool called WannaKey hit Github promising free recovery of data on PCs corrupted with Wanna Decrypter. This tool carried a number of caveats, though, with a big one being that it's exclusive to Windows XP, and the PC could not be rebooted after being infected.
Today, another developer has built on WannaKey's abilities and released wanakiwi, a tool with the same goal of recovering data, but one that works on all versions of Windows between XP and 7 (including Vista and the server variants). Unfortunately, wanakiwi carries the same caveat of being useless after an infected PC has been rebooted.
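Why the reboot matters is worth seeing concretely. As published, both tools rely on the same observation: the ransomware generates a per-victim RSA keypair with the Windows CryptoAPI, leaves the public modulus on disk, and the API's cleanup did not wipe the prime factors from the process heap, so scanning the still-running process's memory for a number that divides the public modulus recovers the private key. A reboot discards that heap and there is nothing left to find. The block below is my own toy reconstruction of that idea, not code from WannaKey or wanakiwi; the 512-bit key, the fake "memory image" and the offsets in it are constructed for the demonstration.

```python
# Added example (not WannaKey/wanakiwi code): recover an RSA private key from
# a process memory image by finding a prime that divides the public modulus.
# Key size, memory layout and offsets are all constructed for this demo.
import math
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test with `rounds` random witnesses."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits, seed):
    """Toy RSA keypair (far smaller than the real 2048-bit keys): n, e, d, p, q."""
    rng = random.Random(seed)
    e = 65537
    p = gen_prime(bits // 2, rng)
    while True:
        q = gen_prime(bits // 2, rng)
        if q != p and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, e, d, p, q


def make_memory_image(primes, seed, size=4096):
    """Constructed 'process memory': random filler with the given primes stored
    little-endian (as CryptoAPI keeps them). An empty list stands in for a
    machine that was rebooted and lost the heap."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    for i, prime in enumerate(primes):
        raw = prime.to_bytes((prime.bit_length() + 7) // 8, "little")
        off = 700 + 1400 * i  # arbitrary, assumed offsets
        buf[off:off + len(raw)] = raw
    return bytes(buf)


def find_prime_factor(mem, n):
    """Slide a window the size of one prime over mem. Only p or q can divide n,
    so a random window never produces a false positive."""
    prime_bytes = ((n.bit_length() + 1) // 2 + 7) // 8
    for off in range(len(mem) - prime_bytes + 1):
        cand = int.from_bytes(mem[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_exponent(mem, n, e=65537):
    """Return d if a prime factor of n is still in memory, else None."""
    p = find_prime_factor(mem, n)
    if p is None:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d, p, q = make_keypair(512, seed=1)
    live = make_memory_image([p, q], seed=2)       # infected, not yet rebooted
    rebooted = make_memory_image([], seed=2)       # same machine after a reboot
    print("live image  ->", recover_private_exponent(live, n, e) == d)
    print("after reboot ->", recover_private_exponent(rebooted, n, e))
```

The scan is linear in the size of the memory image, which is why the real tools can afford to walk a whole process; the caveat is that the image has to exist at all.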
(Related). “We don’t need no stinking updates!”
Almost all WannaCry victims were running Windows 7
Sometimes, the old reliable tired and true methods are best.
Caitlin E. Reilly reports:
The number of organizations that fell prey to a recurring W-2 email scam that involved identity thieves posing as company executives rose substantially in 2017, an Internal Revenue Service official said May 18.
In the first four months of 2017, 870 organizations reported to the IRS that they received a W-2 phishing email, up from about 100 organizations in the first four months of 2016, Powell said. Of the 870 organizations, about 200 lost data, up from about 50 in 2016, she said.
Read more on BNA.
So I guess my W-2 phishing list is doing a pretty good job of keeping up with the incidents where losses are reported. As of today, I have 203 on the list.
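The lures in these incidents share a shape a mail team can key on: an executive's display name on a message whose actual sender or reply-to address lives somewhere else, asking for W-2 data. The block below is an added example of that triage logic, not code from the IRS, BNA or the phishing list; the company domain, the executive directory and the four sample messages are constructed.

```python
# Added example (constructed data): flag W-2 requests whose sender identity
# looks forged. COMPANY_DOMAIN, EXECUTIVES and SAMPLE_MESSAGES are assumptions.
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"             # assumed company domain
EXECUTIVES = {"Jane Doe", "Sam Patel"}      # assumed executive display names
W2_TERMS = re.compile(r"\b(w-?2s?|wage and tax|tax statements?)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_anomalies(msg):
    """Reasons the sender identity looks forged; an empty list means none found."""
    name, addr = parseaddr(msg["from"])
    from_dom = domain_of(addr)
    reasons = []
    if name in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but address is {from_dom or 'missing'}")
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {from_dom}")
    if msg.get("reply_to"):
        reply_dom = domain_of(parseaddr(msg["reply_to"])[1])
        if reply_dom != from_dom:
            reasons.append(f"reply-to goes to {reply_dom}, not {from_dom}")
    return reasons


def requests_w2_data(msg):
    return bool(W2_TERMS.search(msg["subject"] + " " + msg["body"]))


def triage(messages):
    """Return {index: reasons} for messages that ask for W-2 data AND show at
    least one sender anomaly. A legitimate HR mail that merely mentions W-2s
    has no anomaly and is left alone."""
    flagged = {}
    for i, msg in enumerate(messages):
        reasons = sender_anomalies(msg)
        if reasons and requests_w2_data(msg):
            flagged[i] = reasons + ["asks for W-2 / wage data"]
    return flagged


SAMPLE_MESSAGES = [  # constructed, not real mail
    {"from": "Jane Doe <jane.doe@examp1e.com>", "subject": "W-2s for all employees",
     "body": "I need the 2016 W-2s for every employee today. Send as PDF."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q2 planning",
     "body": "Can we move the planning review to Thursday?"},
    {"from": "Jane Doe <ceo.jane@gmail.com>", "reply_to": "jane.doe.office@outlook.com",
     "subject": "Urgent request", "body": "Are you in the office? Please send me the W2 of every employee."},
    {"from": "HR Team <hr@example.com>", "subject": "Your W-2 is ready",
     "body": "Your 2016 wage and tax statement is available in the portal."},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_MESSAGES).items():
        print(idx, SAMPLE_MESSAGES[idx]["from"], "->", "; ".join(reasons))
```

The keyword test alone would flag the HR notice; it is the combination with a sender anomaly that separates the scam from routine payroll mail.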
No one gets a pass! Controversy2?
Dell Cameron reports:
Controversial cellphone tracking technology is being deployed as a tool in President Donald Trump’s expanding effort to arrest and deport illegal US residents.
In March, US Immigrations and Customs Enforcement (ICE) deployed a cell-site simulator, often colloquially referred to as a “Stingray,” to track a Michigan man in the country illegally, according to recently unsealed court documents reported first by The Detroit News.
Read more on Gizmodo.
Soon we will blot out the sun! Bwahahaha!
You no longer have to register your drone
A federal appeals court has shot down a rule requiring hobbyists to register their drones.
Appeals court judges in Washington, D.C. agreed on Friday with a drone enthusiast’s challenge to a FAA requirement that all hobbyists register their drones in a national database and pay a $5 fee.
… The court found that the FAA’s drone registration rule, which debuted in Dec. 2015, conflicts with previous federal legislation from 2012 that said that the FAA lacks the authority to regulate “model aircraft.” The appeals court categorizes drones as model aircraft.
… “Congress is of course always free to repeal or amend its 2012 prohibition on FAA rules regarding model aircraft,” the judges said. “Perhaps Congress should do so. Perhaps not. In any event, we must follow the statute as written.”
Apparently, this was not a joke? A whole new field for lawyers? Government legislation to require only lukewarm coffee?
US woman burned by Starbucks coffee awarded $100,000
Joanne Mogavero, from Florida, suffered first and second degree burns when the lid popped off a cup of coffee at a Starbucks in 2014, a jury was told.
Her lawyers had argued that Starbucks should warn its customers that lids could pop off.
The jury awarded Ms Mogavero $85,000 for pain and suffering and more than $15,000 to cover medical bills.
… In a statement, Ms Mogavero's legal team said a Starbucks representative had testified during the court hearing in Duval County, Florida, that the company gets 80 complaints a month about problems with lids popping off or leaking.
…no matter how truthful, their timing (and risk analysis) is terrible. Perhaps we should have Canada build a fence?
Boeing scrambles to save big Canada fighter jet deal: source
Boeing Co on Friday rushed to fix a gamble that looks to have gone wrong, with the defense unit of the U.S. plane maker seeking to fend off a Canadian threat to scrap the purchase of 18 Super Hornet jets, a source familiar with the matter told Reuters.
That move follows Canada's threat on Thursday that it could ditch its plans to buy the jets if the United States backed Boeing's claims that Canadian plane maker Bombardier Inc dumped jetliners in the U.S. market.
Political insiders say the Liberal government of Prime Minister Justin Trudeau is furious about Boeing's allegations, which comes at a time when trade relations between the United States and Canada are at a low.
… He said Boeing could lose $10 billion to $20 billion in military sales to Canada, encompassing order for jets, helicopters and maritime surveillance planes.
… The U.S. Commerce Department on Thursday launched an investigation into Boeing's claims.
"This is a strong shot across the bow to the United States to say 'Shut this thing down pretty damn quickly,'" said a Canadian defense industry source.
… The Boeing saga further increases tensions between Canada and the United States in the run-up to talks on renewing the North American Free Trade Agreement (NAFTA), with the Trump administration on Thursday setting the clock ticking toward a mid-August start of renegotiations.
(Related). Another artful deal?
Trump’s $110 Billion Arms Deal With Saudi Arabia May Be Illegal
One of many things I did not see coming. Note: They have not been replaced with robots (yet).
London airport's new control tower won't have anyone inside
London City Airport is installing a "digital air traffic control tower" that will be operated by controllers sitting in an English village about 70 miles away.
The new tower will use 14 high-definition cameras and various sensors to provide a 360-degree view of the airfield. Live video and data will be sent to the remote controllers via "super-fast secure fiber connections," the airport said.
… The technology is currently only in use at two remote northern airports in Sweden, though many others around the world are expressing interest in the system, Beauchamp said.
The airport promises that the cameras and screens will provide "a level of detail greater than the human eye."
… The airport and NATS say they have the tools to keep the new system safe from hackers and other threats. [I wish they had said they were using the tools… Bob]
Something I intend to arm my Ethical Hacking students with. “Beware of geeks bearing animosity!”
Coffee Shop Customer Delivers ‘Obnoxious’ Table Neighbors A Delicious Lesson
When recently faced with “loud and rude” people sitting next to him at a coffee shop in Paris, information security consultant Khalil Sehnaoui didn’t get mad.
Instead, he got even. After hearing that they’d just decided on what to call their brand new business, he quietly bought up the corresponding domain name.
Something to drop on my spreadsheet students.
Geek out, dudes! (and dudettes!)
For everyone else? Sometimes, you just want to pop the bubble wrap.
Friday, May 19, 2017
Not a lot of detail here, but of interest to my International students.
Hackers Steal 17 Million Users' Data From Indian Restaurant App Zomato
India's largest restaurant and food delivery app Zomato announced Thursday that the data of 17 million users had been stolen from its database, including names, email addresses and protected passwords.
The startup said the "hashed" passwords could not be decrypted but recommended users change their login details if they use the same password for other services.
Zomato's chief technology officer Gunjan Patidar said customers' financial information was stored separately from the stolen data and was not compromised by the hack.
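The caveat a practitioner reads into "the hashed passwords could not be decrypted": hashing is not encryption, and how much protection a stolen hash gives depends entirely on the algorithm and on salting. The page does not say which hash Zomato used, so the block below is an added illustration, not Zomato's code: a fast unsalted hash falls to a wordlist with one lookup table for every user, while a per-user salt and a deliberately slow KDF make each (user, guess) pair cost a full derivation. The wordlist and user records are constructed.

```python
# Added example (constructed data): why "hashed" is not a guarantee.
# WORDLIST and USERS are assumptions for the demo, not real credentials.
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "zomato123", "letmein", "iloveyou"]


def md5_unsalted(password):
    """What 'hashed' too often means in practice: fast and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored):
    """One MD5 per candidate builds a lookup table that cracks every user at once;
    the work is len(WORDLIST) regardless of how many users leaked."""
    table = {md5_unsalted(w): w for w in WORDLIST}
    return {user: table.get(h) for user, h in stored.items()}, len(WORDLIST)


def pbkdf2_record(password, salt=None, iterations=100_000):
    """Store a per-user random salt and a deliberately slow derived key."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def pbkdf2_verify(password, record):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


def crack_salted(records):
    """With per-user salts there is no shared table: every (user, candidate) pair
    costs a full PBKDF2 run, so work grows with the user count as well."""
    found, work = {}, 0
    for user, record in records.items():
        found[user] = None
        for w in WORDLIST:
            work += 1
            if pbkdf2_verify(w, record):
                found[user] = w
                break
    return found, work


USERS = {"alice": "password", "bob": "qwerty", "carol": "hoarse-stapler-daisy-42"}


def demo(iterations=100_000):
    """Run both attacks over the same constructed user base; returns
    ((found, work) for unsalted MD5, (found, work) for salted PBKDF2)."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_record(p, iterations=iterations) for u, p in USERS.items()}
    return crack_unsalted(unsalted), crack_salted(salted)


if __name__ == "__main__":
    (u_found, u_work), (s_found, s_work) = demo()
    print("unsalted MD5  :", u_found, "hash ops:", u_work)
    print("salted PBKDF2 :", s_found, "KDF runs:", s_work, "x iterations each")
```

Either scheme still loses the weak passwords; what the slow, salted one buys is that the cost scales with users times guesses times iterations, which is why the "change it if you reuse it" advice stands regardless of the algorithm.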
Like cutting a backdoor into a bank vault…
EU Authorities Fight Back Against "Black Box" ATM Attacks
A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, "by drilling holes or melting."
Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker's own electronic device -- the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as 'jackpotting', which bypasses any need for a card or transaction authorization.
Since a black box attack simply empties the whole machine, rather than attempting to extract available cash from an individual account, a single successful attack can potentially steal hundreds of thousands of Euros.
The cost of “older operating systems.” Compare to the cost of updating?
Microsoft Withheld Update That Could Have Slowed WannaCry: Report
In mid-March, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.
But the software giant only sent the free security update -- or patch -- to users of the most recent version of the Windows 10 operating system, the report said.
Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.
"The high price highlights the quandary the world's biggest software company faces as it tries to force customers to move to newer and more secure software," it said.
A Microsoft spokesperson based in the United States told AFP: "Microsoft offers custom support agreements as a stopgap measure" for companies that choose not to upgrade their systems.
"To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support."
According to the FT, the cost of updating older Windows versions "went from $200 per device in 2014, when regular support for XP ended, to $400 the following year," while some clients were asked to pay heftier fees.
The newspaper argued the high costs led Britain's National Health Service -- one of the first victims of the WannaCry attack -- to not proceed with updates.
Microsoft ended up distributing the free patch for the older versions on Friday -- the day the ransomware was detected.
At the corner of Law and Technology.
The Promise — and Perils — of ‘Smart’ Contracts
‘Smart’ contracts on the blockchain are generating a lot of interest because of their innovative nature and potential to substantially boost efficiency in many areas of law and business. But these contracts — digital agreements that automatically fulfill themselves — come with serious limitations as well.
… In the paper, we talk about four different categories of increasingly decentralized and increasingly automated contracts. The first is what you described — what we would call just an electronic agreement. So you go to any website that you sign up for, you click a button, and there is a link there. And you can see, typically, an incredibly long and detailed contract that no one ever reads. But that is a human-readable contract. It’s the same contract you could get on paper. It just happens to be on a screen.
One step from that is what Harry Surden, who’s a law professor at [the University of Colorado at Boulder], calls a “data-oriented contract.” So let us now put the terms of the contract in machine-readable form, which limits what we can do in that contract, but we can do it in ways that computers can at least understand what it means to say “a hundred dollars,” or what it means to say, “purchase this share of stock,” or something.
The next step is what Surden calls a “computable contract.” So now we are at the point where the machines can, to some extent, process and enforce the contract. But there is still the fallback of the legal system if something goes wrong.
A smart contract, in theory at least, takes away the legal system entirely. Now there is nothing but that digital agreement. That is the entirety of the relationship, and everything from the negotiating of the agreement, all the way to the full enforcement and clearing of the agreement, happens digitally.
I have visions (Okay, nightmares) of loading my pickup and driving to New Jersey.
Uber launches Uber Freight, its app for long-haul trucking jobs
Uber today officially launched Uber Freight, the company’s new service that will match truckers with companies who need cargo shipped across the country.
Uber Freight has its own app, of course, which is available today on iOS and Android. There’s a sign-up page for drivers, who will be vetted before they’re allowed to use Uber Freight. The service “take[s] guesswork out of finding and booking freight, which is often the most stressful part of a driver’s day,” according to Uber, which says it’s dismantling a process that typically takes “several hours and multiple phone calls.”
… The app is full of a list of available jobs and the routes they require (say, Tulsa, OK to Memphis, TN), and each listing tells the driver what they’ll be hauling and how much they’ll be paid. Once they arrive in that destination and make the delivery they can then, like an Uber cab driver, find the next job.
Disruption. Interesting in any industry.
German Newcomer Lidl Threatens Walmart in Discount Grocery Wars
… Lidl, pronounced "Leedle," will go head to head with another German discounter, Aldi, and other grocers using its well-honed strategy of operating no-frills, small stores of about 20,000 square feet and a heavy emphasis on store brands it says are on par with national brands. Some 90% of merchandise will be its own products, a tactic that offers higher margins and more control over inventory and allows it to offer low prices.
… Lidl, which is well established in Europe with about 10,000 stores, could grow to $8.8 billion in sales by 2023 with 630 stores, according to a 2016 forecast by Kantar Retail. And rivals are taking notice.
(Related). Victim of disruption?
Walmart Will Never Beat Amazon
Walmart can spend hundreds of millions of dollars buying up online retailers. It can shatter more neighborhood stores. But it will never beat Amazon.
For a simple reason: it isn't a technology company. It’s a retailer using technology, and that’s not good enough to attract software developers—the ultimate source of competitive advantage in the Internet space.
(Related). An interesting opinion piece.
Why Amazon is eating the world
… Consensus is that we’ve hit a tipping point and the retail industry is finally seeing some major collateral damage from Amazon’s monster growth — and mainstream/non-tech news has started giving this a lot of coverage. There is a lot of discussion about whether Amazon’s advantage is sustainable or whether other retailers (namely, Walmart) will be able to mitigate Amazon’s dominance as they start to replicate Amazon’s model.
… This all said, I believe that Amazon is the most defensible company on earth, and we haven’t even begun to grasp the scale of its dominance over competitors. Amazon’s lead will only grow over the coming decade, and I don’t think there is much that any other retailer can do to stop it.
For my geeks.
Why user interface designers must take cues from science fiction and games
John Underkoffler gave an illuminating talk about the future of computing interfaces — and how slow the tech industry has been about creating new ones — at our recent GamesBeat Summit event in Berkeley, Calif.
… Alex McDowell, the production designer for the 2002 film Minority Report, had to build the world behind Steven Spielberg’s film based on a short story by sci-fi author Philip K. Dick. He turned to Underkoffler for the science to help knit it all together.
… Please check out the video of Underkoffler’s talk.
Thursday, May 18, 2017
For my Computer Security students. Train, rinse, repeat. (And keep repeating!)
Wanna stop WannaCrypt? Don't pay ransoms, backup data, and train employees
A common refrain: What did they know and when did they know it?
In Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election. The documents obtained by EPIC establish that the FBI Cyber Division is to “notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community.” The Cyber Division specifically notifies the “individual, organization, or corporation that is the owner or operator of the computer at the point of compromise or intrusion.” The analysis to determine whether or not to notify the victim, as well as FBI procedures for approval or deferral of notification, the timing of notification, the method of notification, and more were all redacted by the agency. EPIC intends to challenge these withholdings. The FBI’s response raises questions about whether the agency fulfilled the obligation to properly notify the victims of the Russian cyberattacks. The Intelligence Community assessed that both major US political parties were attacked. The FBI also produced notification procedures for threats to life or serious bodily injury, and certain procedures under the Foreign Intelligence Surveillance Act. Next in the case, EPIC anticipates the release, on May 26, of FBI communications with political organizations and federal agencies concerning the Russian interference.
Amusing. Makes you wonder where their lawyers were trained. (Is there a Trump School of Law?) Some interesting details in this long post!
“Shoot the messenger:” NYC hospital and vendor threaten DataBreaches.net for reporting on their security failure
On May 3, Kromtech Security’s research team, conducting routine research, found that confidential and sensitive patient information was exposed on a misconfigured rsync backup device. As best as they could determine, the data were from patients of Bronx-Lebanon Hospital Center in New York City, but the vendor responsible for the backup device was iHealth Solutions.
As is also their practice, Kromtech downloaded some of the data for verification and research purposes, then attempted to notify the entities. Kromtech generally does not go public with their findings until after they have been able to reach an entity to ensure that the data are secured.
When Kromtech was not able to reach anyone on May 3 to notify them, they contacted DataBreaches.net to request assistance in trying to contact the vendor or the hospital. It took some time – including some frustratingly long calls to the hospital to try to reach an actual person – but eventually, messages were left for both the vendor and the hospital that they had a problem requiring urgent attention.
On May 4, I was gratified to receive several phone calls confirming that the data had been secured and thanking me for my efforts to notify them.
It was a brief honeymoon. On May 9, Kromtech published their report and I published my first report on the incident without any statement from the hospital or vendor, neither of whom had provided a promised statement.
Then on May 12, coordinated threat letters arrived via email from external counsel for both iHealth and Bronx-Lebanon Hospital. DataBreaches.net understands that Kromtech Security also received similar letters.
Some good, some bad.
When you visit a site that features a tweet button or an embedded tweet, Twitter is able to recognize that you’re on that site and use that information to target you with ads. And now it’s going to hang onto that information for a bit longer but give you more control over it.
… Coinciding with the update, Twitter has also added a new section to the settings menu on its site and in its mobile apps that details the information Twitter uses to target a person with ads and lets that person deselect individual interest categories and request a list of the companies that use Twitter’s Tailored Audiences option to target them with ads based on information like their email address, Twitter handle or whether they visited the advertiser’s site or used its mobile app.
At the same time Twitter is giving people more control over how they are targeted, it is removing support for Do Not Track, which people can use to ask every website they visit not to track their behavior in order to target them with ads.
What will be “the next big thing?” Here are a couple of possibilities.
The five big announcements from Google I/O
1/ Google Lens
It will be a while before Google Lens is available, but today it was the centrepiece of the keynote.
The app uses image recognition to identify objects appearing in your camera lens in real-time. It means you can point a smartphone at a flower and be told exactly what it is.
Or, and this feature drew a massive cheer here, you can point it at the sticker on the back of a wifi router - the one containing the long password you need to enter - and the app will know it’s a wifi password and automatically connect you to the network without the need for manual input. [A “must have” for my Ethical Hacking students! Bob]
Other uses could be pointing it at a restaurant and getting instant reviews or menus, or even scanning a menu in a different language, having it translated, and being able to ask “what does that dish look like?” and be shown a photograph of the meal.
4/ VPS - visual positioning system
Most of us are familiar with GPS - global positioning system - but that technology can only get you so far. Though terrific for travelling around large areas outside, GPS has real limitations when you need something more accurate.
Google thinks VPS - visual positioning system - is how to fill that gap. Using Tango, a 3D visualisation technology, VPS looks for recognisable objects around you to work out where you are, with an accuracy of a few centimetres.
A day late and a dollar short? Does this mean taxis will charge like Uber?
Square Will Replace Meters in Washington Taxis
Washington, D.C., is enlisting Square Inc.’s help as its taxi commission tries to help the city’s cabbies compete with Uber drivers. By the end of August, all of the taxis in Washington have to tear out their traditional meters and start using smartphones or tablets, in what the city government has been describing as a complete reimagining of how the cab system works. On Wednesday, the Department of For-Hire Vehicles is announcing that Square will process the payments going through those mobile devices.
How to add a few million potential customers in countries where smartphones are a bottleneck…
Google and Indian e-taxi giant Ola unveil Progressive Web App that brings native experience to low-end smartphones
Ola, the Uber of India, has announced a partnership with Google to launch a so-called Progressive Web App (PWA) designed to open its platform to millions of users who don’t yet have the latest and greatest smartphones.
… Basically, they offer many benefits over traditional native apps, including being lightweight and requiring less data to operate. This is key in emerging markets where access to affordable mobile internet and powerful smartphones is limited.
(Related). Keeping the flow of cheap phones coming?
Apple Is Now Assembling a Low-Cost iPhone in Southern India
Perspective. How do we make money from this?
Pew – Tech Adoption Climbs Among Older Adults
“A record 46 million seniors live in the United States today, and older Americans – those age 65 and older – now account for 15% of the overall U.S. population. By 2050, 22% of Americans will be 65 and older, according to U.S. Census Bureau projections. At the same time America is graying, recent Pew Research Center surveys find that seniors are also moving towards more digitally connected lives. Around four-in-ten (42%) adults ages 65 and older now report owning smartphones, up from just 18% in 2013. Internet use and home broadband adoption among this group have also risen substantially. Today, 67% of seniors use the internet – a 55-percentage-point increase in just under two decades. And for the first time, half of older Americans now have broadband at home.”
Apparently, not a big deal?
E.U. Fines Facebook $122 Million Over Disclosures in WhatsApp Deal
Europe’s love affair with Facebook may be coming to an end.
On Thursday, the European Union’s powerful antitrust chief fined the social network 110 million euros, or about $122 million, for giving misleading statements during the company’s $19 billion acquisition of the internet messaging service WhatsApp in 2014.
The fine — one of the largest regulatory penalties against Facebook — comes days after Dutch and French privacy watchdogs ruled that the company had broken strict data protection rules. Other European countries, notably Germany, are clamping down on social media companies, including issuing potentially hefty penalties for failing to sufficiently police hate speech and misinformation.
The European Union’s antitrust chief, Margrethe Vestager, said that Facebook had told the European Commission, the executive arm of the European Union, that the social network would not combine the company’s data with that of WhatsApp, which has more than one billion users.
Yet last August, Facebook announced that it would begin sharing WhatsApp data with the rest of the company. That could allow it to gain an unfair advantage over rivals, by giving it access to greater amounts of data to help support its online advertising business.
… In response, Facebook said that it had acted in good faith in its deliberations with Europe’s antitrust officials, and that it would not appeal the financial penalty.
“The errors we made in our 2014 filings were not intentional,” Facebook said in a statement. “The commission has confirmed that they did not impact the outcome of the merger review.”
Trends are trending!
US Courts – Interactive Database Aids the Study of Judiciary Trends
“A recently enhanced database that houses information about civil and criminal federal cases dating to 1970 is now available to researchers and the public on the Federal Judicial Center’s website as part of a partnership with the Administrative Office of the U.S. Courts. The interactive database contains docket information from district, appellate, and bankruptcy court filings and terminations, including plaintiff and defendant names, filing date, termination date, disposition of the case, type of lawsuit, jurisdiction, and docket number. It excludes judges’ names as a preventative measure against judge-shopping by plaintiffs. Use of the database is free and it allows for multiyear data analyses. Data can be downloaded in annual and multi-year batches, or users can select their target cases using the database’s interactive feature. For several decades it has been a frequent tool for academic researchers studying workload trends in the federal Judiciary. For example, it’s been used in the past to examine how plea bargaining and charging outcomes have changed over time in response to changes in sentencing laws and to analyze the market impacts of corporate lawsuits involving publicly traded companies. It is also useful as a sort of “shopping list” for the PACER database, the federal Judiciary’s online service that makes judicial opinions, motions, pleadings and other actual records of cases available to the public. Using the database on the FJC’s site in conjunction with PACER can help users zero in on the types of records sought, saving unnecessary document downloads. The revamped database adds in some data sets that were not in earlier versions: civil-case plaintiff and defendant names and docket numbers. It will also be updated with recent case information more frequently than in the past.”
Tools for geeks?
Google opens Android Instant Apps SDK to all developers
At its I/O 2017 developer conference today, Google launched the Android Instant Apps SDK. Now all developers can write Android Instant Apps, as opposed to just a handful of partners.
For the toolkit.
… Along with biking directions that take you along the friendliest routes, Google Maps can display elevation levels, which are pulled from geographical data. If you are searching for the most bicycle-friendly routes, take advantage of this information!
… Serious cyclists don’t mind a hill or two. Because they know that if there’s a tough climb, then there’s also a pleasant descent. Either way, give Google Maps a try the next time you decide to push the pedals. There are many bicycling websites and bike apps that can help you find the best bike paths, and Google Maps should be one of them.
I’m not a big fan either, but this may help me communicate with my students. Also, Colorado seems to be mentioned a lot.
The Emoji States of America – a new way to present government data
I admit to not being an emoji aficionado, so to make up for this apparent deficit, I offer you The Emoji States of America – via Axios Visuals Editor Lazaro Gamio:
“This visualization is a modified version of Chernoff Faces, a technique that maps multiple statistical values to the features of a face. Because it’s 2017, we expanded on the technique and made Chernoff Emojis. Each part of the emoji is controlled by the state’s ranking in a given metric, which range from the uninsured rate to the percent of adults who report getting enough sleep.”
- Eyebrows: The more furrowed the brow, the lower a state ranks in the unemployment rate. (Worst: New Mexico; best: Colorado)
- Eye size: The larger the eyes in each face, the larger the share of adults over 25 with a bachelor’s degree. (First: Colorado; last: West Virginia)
- Chin: The more noticeable this feature is, the higher this state ranks in obesity rates. (Highest: Louisiana; lowest: Colorado).”
Wednesday, May 17, 2017
Is subtle better?
Botnet Spread via NSA Hacking Tools for Weeks
The ransomware attack that stormed the world over the past several days wasn’t the first to leverage the leaked EternalBlue/DoublePulsar NSA hacking tools for distribution, Proofpoint researchers have discovered.
… Symptoms of infection, however, aren’t as visible as with WannaCry: loss of access to shared Windows resources and degradation of PC and server performance. What’s more, the malicious code also shuts down SMB networking to prevent infections with other malware.
According to ProofPoint security researcher Kafeine, this attack might have been much larger than the ransomware outbreak. Furthermore, Kafeine suggests that, because Adylkuzz specifically patched the vulnerability targeted by WannaCry, it might have limited the latter’s infection.
What is certain, however, is that “the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” Kafeine also notes that the infection is ongoing and is potentially quite disruptive, although not as flashy as the ransomware rampage.
… “For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible,” Kafeine says.
What a cheerful thought.
Cyberwar Is Officially Crossing Over Into the Real World
Online warfare already wreaks havoc on the physical world, and it's only going to get worse.
The devastating effects of a massive cyberattack are no more confined to a computer network than any other action carried out online. People use computers and the internet all the time to make things happen in the physical world.
A cyberattack isn’t just a cyberattack. It’s an attack.
Hospitals, pharmacies, and major corporations like FedEx and the Spanish telecommunications giant Telefonica were among the 200,000 victims hobbled by a global ransomware attack on Friday, which locked people’s computers and demanded Bitcoin payment in exchange for access. In the United Kingdom, some hospitals canceled procedures and other appointments as a result.
… Among the many questions prompted by the fallout of the attack is an increasingly urgent one: At what point will a cyberattack prompt a more traditional form of retaliation? More importantly: When should it?
Might be useful.
Webinar: Combining Pen Testing & Incident Detection
… Join SecurityWeek and Rapid7's Eric Sun for actionable takeaways from penetration testing engagements, and see how customers are combining detection technologies to find intruders earlier in the attack chain.
Join this live webcast on Thursday, May 18th at 1PM ET
My Computer Security students will need to catch up!
Cyber Kid Stuns Experts Showing Toys Can be 'Weapons'
An 11-year-old "cyber ninja" stunned an audience of security experts Tuesday by hacking into their bluetooth devices to manipulate a teddy bear and show how interconnected smart toys "can be weaponized".
American wunderkind Reuben Paul may still be only in 6th grade at his school in Austin, Texas, but he and his teddy bear Bob wowed hundreds at a timely cyber security conference in The Netherlands.
… "From terminators to teddy bears, anything or any toy can be weaponised."
To demonstrate, he deployed his cuddly bear, which connects to iCloud via wifi and Bluetooth smart technology to receive and transmit messages.
Plugging into his laptop a rogue device known as a "Raspberry Pi" -- a small credit card size computer -- Reuben scanned the hall for available Bluetooth devices, and to everyone's amazement, including his own, suddenly downloaded dozens of numbers, including some of top officials.
Then using a computer language programme, called Python, he hacked into his bear via one of the numbers to turn on one of its lights and record a message from the audience.
Is this the US equivalent of “By appointment to the Queen?” And it’s free and open source!
In encryption push, Senate staff can now use Signal for secure messaging
Without any fanfare, the Senate Sergeant at Arms recently told Senate staffers that Signal, widely considered by security researchers and experts to be the most secure encrypted messaging app, has been approved for use.
The news was revealed in a letter Tuesday by Sen. Ron Wyden (D-OR), a staunch privacy and encryption advocate, who recognized the effort to allow the encrypted messaging app as one of many "important defensive cybersecurity" measures introduced in the chamber.
For my Computer Security students.
As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology. Investors who have flooded the cybersecurity market in search of the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone.
Spending millions on security technology can certainly make an executive feel safe. But the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris. These human forms of malware can be present in any organization and are every bit as dangerous as threats delivered through malicious code.
With any cyber threat, the first and last line of defense is prepared leaders and employees, whether they are inside an organization or part of an interconnected supply chain.
Now that’s an offer Congress will not be able to refuse.
Putin offers to provide Congress with details of Trump disclosures to Russian envoys
Russian President Vladimir Putin said Wednesday he would be willing to provide the U.S. Congress a record of President Trump’s meeting with top Russian envoys, possibly offering new details on the disclosures of reportedly highly classified intelligence information.
The remarkable offer for the Kremlin to share evidence with U.S. oversight committees came with the caveat that the request for the transcript would have to come from the Trump administration.
Another case of “I don’t get it.” They fine Facebook for what they did, but do not order or even ask them to stop doing it.
Facebook Gets Slap on the Wrist From 2 European Privacy Regulators
… As part of their separate announcements on Tuesday, the Dutch and French officials said that Facebook had not provided people in their countries with sufficient control over how their details are used. [How will user data be used 25 years from now? Bob] They said that the social network had collected digital information on Facebook users as well as nonusers on third-party websites without their knowledge.
The French regulator, the Commission Nationale de l’Informatique et des Libertés, or CNIL, said that it had fined Facebook 150,000 euros, or about $164,000, for failing to meet France’s data protection rules.
… Despite the financial penalty, the agency has not ordered Facebook to alter how it handles data on people in France who use the service.
(Related). Another real challenge for Facebook.
Facebook promised to tackle fake news. But the evidence shows it's not working
When Facebook’s new fact-checking system labeled a Newport Buzz article as possible “fake news”, warning users against sharing it, something unexpected happened. Traffic to the story skyrocketed, according to Christian Winthrop, editor of the local Rhode Island website.
“A bunch of conservative groups grabbed this and said, ‘Hey, they are trying to silence this blog – share, share share,’” said Winthrop, who published the story that falsely claimed hundreds of thousands of Irish people were brought to the US as slaves. “With Facebook trying to throttle it and say, ‘Don’t share it,’ it actually had the opposite effect.”
… Articles formally debunked by Facebook’s fact-checking partners – including the Associated Press, Snopes, ABC News and PolitiFact – frequently remain on the site without the “disputed” tag warning users about the content. And when fake news stories do get branded as potentially false, the label often comes after the story has already gone viral and the damage has been done. Even in those cases, it’s unclear to what extent the flag actually limits the spread of propaganda.
Think of the potential for “lock-in!” Today, everyone has a smartphone. Tomorrow everyone might have an Amazon Echo, if Jeff Bezos can make it portable!
Amazon’s Echo continues to grow. Its latest upgrade is the ability to make voice calls and send messages to other Echo devices in the U.S. You could already use IFTTT to send canned text messages through your Echo, but this update expands that.
… To call someone, make sure you have a contact for them in your phone that contains the same phone number they have on their Amazon account.
To place a call, just say Alexa, call Mark. Your Echo will light up with a green ring during an incoming call, and your phone will chime too. Say Alexa, answer the call to pick it up. If you don’t want to make a live call, say Alexa, message Mom and tell your Echo what you’d like to send. The recipient will hear a chime and see a green ring, and can say Alexa, play my messages to hear them later.
Simpler? Fixed start, dump and end points. Fixed route with trash cans that have sensors for easy location. Compare that to the random walk of personal automobiles. Might work for some mail delivery routes too.
Volvo’s testing an autonomous garbage collection truck
The Swedish car maker has partnered with local waste and garbage specialists Renova for a project that’s setting out to explore “how automation can contribute to enhanced traffic safety, improved working conditions, and lower environmental impact,” according to a statement issued by Volvo.
Dilbert’s take on the United Airlines debacle?
Tuesday, May 16, 2017
“See? We don’t need missiles to be dangerous!”
In Computer Attacks, Clues Point to Frequent Culprit: North Korea
Intelligence officials and private security experts say that new digital clues point to North Korean-linked hackers as likely suspects in the sweeping ransomware attacks that have crippled computer systems around the world.
The indicators are far from conclusive, the researchers warned, and it could be weeks, if not months, before investigators are confident enough in their findings to officially point the finger at Pyongyang’s increasingly bold corps of digital hackers.
I wonder if this is also North Korea. They have some experience hacking film studios.
Upcoming Disney Film Target of Online Piracy Threat
A hacker or hackers claim to have stolen an unreleased film from Walt Disney Co. and threatened to release it online unless the company pays a ransom, Chief Executive Robert Iger told employees.
Speaking at a town hall for Disney's ABC News division Monday where the topic of piracy was raised, Mr. Iger said Disney wouldn't pay the ransom, according to a person who was present.
… The hackers have threatened to first release five minutes of the movie and then more in 20-minute chunks, Mr. Iger told the Disney employees.
… It comes, however, at a time of increased concern about digital vulnerabilities throughout the business world, including in Hollywood. Hackers recently uploaded an entire season of "Orange is the New Black" to online file-sharing services before Netflix Inc. released the episodes on its streaming service.
Another nation state hacker.
Small Countries’ New Weapon Against Goliaths: Hacking
Hackers in Vietnam have been attacking foreign companies and other targets for years, seeking information and using tactics that suggest links to the Vietnamese government, a cybersecurity company said Monday.
The findings, laid out in a report released by the company, FireEye, come as companies and experts look beyond traditional sources of attacks like China and Russia to deal with new or rising threats. Smaller countries are now trying their hand at hacking, experts say, as they seek to follow dissidents, undermine enemies or comb corporate files for trade secrets.
Seems trivial in comparison to the ransomware attack last weekend.
Hackers Hit Bell Canada, Access Customer Information
Bell Canada on Monday said that an unknown hacker managed to access customer information on nearly 2 million customers, including email addresses, customer names and/or telephone numbers.
The company said that approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers were accessed illegally in the attack.
There is no indication that any financial, password or other sensitive personal information was accessed, a statement read.
The telco said the incident is not connected to the recent global WannaCry ransomware attacks, and believes there is “minimal risk involved for those affected” by the situation.
A recap for my Computer Security students.
15 Most Famous Cyberattacks of All Time
If we choose to use Big Data for medical research, this is going to come up every time.
Google received 1.6 million NHS patients' data on an 'inappropriate legal basis'
Sky News has obtained a letter sent to Professor Stephen Powis, the medical director of the Royal Free Hospital in London, which provided the patients' records to Google DeepMind.
It reveals that the UK's most respected authority on the protection of NHS patients' data believes the legal basis for the transfer of information from Royal Free to DeepMind was "inappropriate".
The development raises fresh concerns about how the NHS handles patients' data after last week's cyberattack on hospitals and GP surgeries, which could have been prevented if staff had followed guidance issued a month earlier.
… As Dame Fiona writes, she had informed Royal Free and DeepMind in December that she "did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis".
Big Data for the military.
The Pentagon’s New Algorithmic Warfare Cell Gets Its First Mission: Hunt ISIS
By year’s end, the Pentagon wants computers to be leading the hunt for Islamic State militants in Iraq and Syria, through turning countless hours of aerial surveillance video into actionable intelligence.
It’s part of Project Maven, a fast-moving effort launched last month by Deputy Defense Secretary Bob Work to accelerate, improve, and put to wider use the military’s use of machine learning.
… Thousands of military and civilian intelligence analysts are “overwhelmed” by the amount of video being recorded over the battlefield. These analysts watch the video, looking for abnormal activities. Right now, about 95 percent of the video shot by drone aircraft is from the campaign against ISIS in Iraq and Syria.
GAO – Internet of Things: Status and implications of an increasingly connected world
by Sabrina I. Pacifici on May 15, 2017
Technology Assessment: Internet of Things: Status and implications of an increasingly connected world, GAO-17-75: Published: May 15, 2017. Publicly Released: May 15, 2017.
Question: Is there already a public transit App for Denver and I just missed it? If not, why not? I’d like to know if the bus will be here in one minute or I just missed it and the next one won’t be here for a half hour.
Uber app to display real-time public transit data so you can easily combine modes of transport
… For this feature — available only in the Android Uber app for now — the ride-hailing giant has teamed up with Transit, a Canadian-headquartered urban transport information service that operates in more than 125 cities globally, to show live departure times whenever a rider’s destination is near a transit stop.
Tapping on a specific departure will take the user to the Transit app for full directions, service information, and so on.
While this may seem like a counterintuitive move for Uber, given that it seems to be encouraging riders to use alternative transport, Uber is actually acknowledging the ways people already use its service. They may take an Uber car to a train station to travel a significant distance and then walk or jump into another Uber when their train reaches its destination. So this is Uber providing an element of convenience to its users — it saves them having to continuously switch between the Uber app and other transport data services.
Something for my entrepreneurs to consider.
Why Amazon Is Leaving Legacy Retailers in the Dust
… “Their model is [that] the product is almost a commodity,” Kahn notes. “They can control those products, but what they’re differentiating on is the retail experience and technology. So, they take out all the pain points in shopping, and they lock you in. Amazon Prime is the perfect example.”