Saturday, May 27, 2017
So, the FBI is spreading “fake news?” Or are they looking for an invitation to browse company records?
FBI probing attempted hack of Trump Organization, officials say
The FBI is investigating an attempted overseas cyberattack against the Trump Organization, summoning [??? Bob] President Donald Trump’s sons, Don Jr. and Eric, for an emergency session with the bureau’s cybersecurity agents and representatives of the CIA, officials tell ABC News.
Law enforcement officials who spoke to ABC News on the condition of anonymity confirmed the attempted hack and said the subsequent meeting took place at the FBI’s New York headquarters on May 8, the day before Trump fired FBI director James Comey. Spokesmen for the FBI, CIA and Secret Service all declined to comment.
Reached by phone, Eric Trump, an executive vice president of the family company, would not confirm or deny that he and his brother had met with the FBI but told ABC News that the company had ultimately not been infiltrated.
“We absolutely weren’t hacked,” Eric Trump said during the brief call. “That’s crazy. We weren’t hacked, I can tell you that.” [Sounds a bit like his father, doesn’t he? Bob]
As federal agencies monitor international computer networks in order to protect government and private sector computer infrastructure and data, the Trump Organization’s networks would be given high priority, according to Richard Frankel, a retired senior official with the FBI's New York office and an ABC News contributor.
"If there was a hack or an attempted hack of ... the company that was owned by the president, that would be at the top of the list of investigations," Frankel said. "If the FBI saw that kind of hack, they'd have to track that. There's no telling what a hacker could get that's connected to the president, corporate records, financial records, even things that were going on during the transition.”
The FBI’s involvement could come with some risks, Frankel said, both for the company and the president. In the course of its investigation, the FBI could get access to the Trump Organization’s computer network, meaning FBI agents could possibly find records connected to other investigations.
Another airline computer system bites the dust. Are we sure this is coincidence?
British Airways cancels flights as major IT failure causes worldwide delays
British Airways has cancelled all flights from Heathrow and Gatwick before 6pm on Saturday due to a major IT failure that is causing “very severe disruption” to its global operations.
… The cause of the issue remained unclear, but passengers on one flight were told by the pilot that the IT problems were “catastrophic”.
… BA added that there was no evidence a cyber attack had caused the outage.
Who would be responsible for a leased POS device?
Chipotle Removes Malware After Breach Strikes Payment SystemsChipotle Mexican Grill Inc., which warned investors and customers last month that it had suffered a data breach, gave the all-clear on Friday, saying it had removed malicious software from its systems.
… Hackers installed the software in order to grab customer data from point-of-sale devices, striking between March 24 and April 18.
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement.
For my Computer Security students.
Organizations Concerned About Medical Device Attacks: Study
Many manufacturers and healthcare delivery organizations (HDO) are concerned about medical device attacks, but only few have taken significant steps to address the threat, according to a study commissioned by electronic design automation solutions provider Synopsys.
The study, based on a survey of 550 individuals conducted by the Ponemon Institute, shows that 67 percent of medical device makers and 56 percent of HDOs believe an attack on the medical devices they build or use is likely to occur in the next 12 months.
In fact, roughly one-third of respondents said they were aware of cyber incidents that had a negative impact on patients, including inappropriate therapy or treatment delivery, ransomware attacks, denial-of-service (DoS) attacks, and hijacking of medical devices.
On the other hand, only 17 percent of device manufacturers and 15 percent of HDOs have taken significant steps to prevent attacks. Roughly 40 percent on both sides admitted that they haven’t done anything to prevent attacks.
… The study shows that more than half of device manufacturers and HDOs blame the presence of vulnerable code on lack of quality assurance and testing procedures, while nearly 50 percent also blame the rush-to-release pressure on the development team, accidental coding errors, and lack of training on secure coding practices.
Also for my Computer Security students.
Email attacks are cheap, easy, low risk, and high reward. No wonder a “malicious email is the cyber spy’s favored way in.” An email security breach could impact your organization’s revenue and reputation. Protecting yourself from a breach can be daunting, given how many emails pass through your organization each week.
But if you think of cybercriminals as a business, you can keep up with them more effectively. After all, most want to make a profit.
That’s why they call it “disinformation.”
Thomas Fox-Brewster reports:
The first evidence that the hacker crew responsible for the breach of the Democratic National Committee (DNC) snuck false information into their leaks has been uncovered by a group of researchers.
The hackers, a group called Fancy Bear that U.S. intelligence and law enforcement claim to be sponsored by Russia’s intelligence unit, the GRU, planted the information inside a leak of emails belonging to a journalist and critic of the Putin regime, according to a report from Citizen Lab, a University of Toronto-based organization. That formed part of a massive hacking campaign attempting to steal Google passwords from 218 targets across 39 countries, including former American defense officials.
Read more on Forbes.
Why no announcement?
The Windows Malicious Software Removal Tool has been updated for WannaCry
… all Windows users have access to the Malicious Software Removal Tool (MSRT) even though they may not be aware of it.
… What changed? Initially, Microsoft didn't say, the home page for MSRT, had not been updated as of the 25th.
However, when asked, a company representative said that the May 22nd update was "to detect and remove WannaCrypt malware." WannaCrypt is another name for WannaCry.
You can run MSRT manually by simply typing "MRT" into the Run box. Or, you can find it at
It used to be done with the Mark 1 eyeball. Is automating it really that much more evil?
Throughout New York state, police agencies have for years been using automated license plate readers (ALPR, also known as ANPR in Europe) without the sanction of the legislature or the courts. Earlier this month, the New York Court of Appeals — the state’s highest court — took up the question for the first time and sided with the use of plates to track members of the public, even if they are not suspected of committing any crime.
The town of Rhinebeck, for example, has a population of just 7548, but over the course of three months in 2011, it photographed 164,043 license plates. Of these, just eight were in any way linked to suspicious activity, according to documents obtained by the American Civil Liberties Union. Nonetheless, the movements of all motorists were stored in a long-term database. There are no statewide rules limiting how long such information can be stored.
Read more on TheNewspaper.com.
From the people who bring “double secret probation” to government?
Tim Johnson reports:
U.S. intelligence agencies conducted illegal surveillance on American citizens over a five-year period, a practice that earned them a sharp rebuke from a secret court that called the matter a “very serious” constitutional issue.
The criticism is in a lengthy secret ruling that lays bare some of the frictions between the Foreign Intelligence Surveillance Court and U.S. intelligence agencies obligated to obtain the court’s approval for surveillance activities.
The ruling, dated April 26 and bearing the label “top secret,” was obtained and published Thursday by the news site Circa.
It is rare that such rulings see the light of day, and the lengthy unraveling of issues in the 99-page document opens a window on how the secret federal court oversees surveillance activities and seeks to curtail those that it deems overstep legal authority.
Read more on Miami Herald.
An article for my students to consider.
Rethinking Ethics Training in Silicon Valley
Interesting... Perhaps they could find a search engine to help?
Accused of underpaying women, Google says it's too expensive to get wage data
Google argued that it was too financially burdensome and logistically challenging to compile and hand over salary records that the government has requested, sparking a strong rebuke from the US Department of Labor (DoL), which has accused the Silicon Valley firm of underpaying women.
Google officials testified in federal court on Friday that it would have to spend up to 500 hours of work and $100,000 to comply with investigators’ ongoing demands for wage data that the DoL believes will help explain why the technology corporation appears to be systematically discriminating against women.
Noting Google’s nearly $28bn annual income as one of the most profitable companies in the US, DoL attorney Ian Eliasoph scoffed at the company’s defense, saying, “Google would be able to absorb the cost as easy as a dry kitchen sponge could absorb a single drop of water.”
Smarter than I was at that age. (And I’ve clearly gone downhill from there.)
11-year-old claims classroom punishment violates Geneva Convention
How to get my students interested in AI? My pick would be of interest to Auditors, too.
Here are some companies Google’s new AI investment arm might be interested in
Google is launching a new investment arm aimed at artificial intelligence, according to a report in Axios. A source familiar with Google’s plans says the new program will focus on early-stage startups.
Where the new investment seems to differ most from Google’s existing investing groups is that it’s led by engineers, not venture capitalists. Google VP of engineering Anna Patterson, whose focus as an executive is AI, is in charge of the effort, according to Axios.
… Here are a few startups that reflect areas in which Google may be interested in investing:
Anodot automates the detection of outliers in large datasets. This could be a useful for enterprise companies crunching data in the the cloud. Anodot has raised $12.5 million in funding.
For my geeks!
Virtualization allows one operating system (OS) to run on another OS. But did you know that a Virtual Machine (VM) clone of your hard drive can put your entire computer inside of another computer? With VMs, the possibilities are endless. For most people, though, virtualization enables playing older games using emulation, the ability to sandbox, running multiple OSes, and much more (practical VM uses). You can even set up a Windows virtual machine in Linux.
This article covers how to create a VM clone of your system and how to use it once you’ve managed to create the virtual machine.
Friday, May 26, 2017
Forensics. Perhaps they should ‘wash it’ through Google translate a few times.
Linguistic Analysis Suggests WannaCry Authors Speak Chinese
A linguistic analysis of more than two dozen ransom notes displayed by the WannaCry ransomware suggests that its authors are fluent Chinese speakers and they also appear to know English.
While malware code similarities suggest that WannaCry has been developed by the North Korea-linked threat actor known as Lazarus, some believe the attack does not fit Pyongyang’s style and interests.
Researchers at threat intelligence firm Flashpoint have analyzed 28 WannaCry ransom notes, including ones written in Chinese (both simplified and traditional), Danish, Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Norwegian, Portuguese, Romanian, Russian, Spanish, Swedish and Turkish.
The linguistic analysis showed that there are significant differences between the notes written in Chinese and the ones written in other languages. Evidence suggests that the Chinese note, which mostly uses proper grammar, punctuation and syntax, was actually written with a Chinese-language keyboard.
… Experts pointed out that the note written in Chinese includes a significant amount of content that is not present in other versions, and they believe it may have served as the source for the English version.
Thousands of Third-Party Library Flaws Put Pacemakers at Risk
Researchers have conducted a detailed analysis of pacemaker systems from four major vendors and discovered many potentially serious vulnerabilities.
The fact that implantable cardiac devices such as pacemakers and defibrillators are vulnerable to hacker attacks has been known for years, and while steps have been taken to address issues, security experts still report finding flaws in these products.
WhiteScope, a company founded by Billy Rios, one of the first security researchers to analyze medical devices, recently conducted an analysis of the implantable cardiac device ecosystem architecture and implementation interdependencies, with a focus on pacemakers.
… Tests conducted on devices acquired from eBay showed that reverse engineering their firmware is made easy by the fact that many of them use commercial, off-the-shelf microprocessors.
… WhiteScope has analyzed four pacemaker programmers and found that they use more than 300 third-party libraries. Of these components, 174 are known to have a total of more than 8,000 vulnerabilities.
“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” Rios said in a blog post.
… Another potential problem is the fact that programmers do not require any type of authentication for programming implantable cardiac devices.
Am I aiding and abetting the Streisand Effect? (I certainly hope so.) “Those who do not understand the Streisand Effect are doomed to repeat it?” Worth reading, just to list the errors.
I am really out of patience for people threatening me or my site. Look at this one:
I need to you get rid of an article off of your website: The link is:
[ … ]
If Steffan Dalsgaard didn’t like CYTTA’s press release or their 8-K SEC filing, he had remedies available to him. You threatening my site 2+ years later on his behalf is not among those remedies. If you had additional information to submit as an update or for a correction, you could have submitted it. Instead, you just attempted to intimidate me into removing a post.
So, Daniel, how’s that strategy working out for you and Steffan Dalsgaard so far?
How to get your message out when no one really wants to listen?
Russia's Disinformation Efforts Hit 39 Countries: Researchers
Russia's campaign of cyberespionage and disinformation has targeted hundreds of individuals and organizations from at least 39 countries along with the United Nations and NATO, researchers said Thursday.
A report by the Citizen Lab at the University of Toronto revealed the existence of "a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society," lead researcher Ronald Deibert said.
The findings suggest that the cyber attacks on the 2016 presidential campaign of Hillary Clinton -- which US intelligence officials have attributed to Russia -- were just the tip of the iceberg.
Citizen Lab researchers said the espionage has targeted not only government, military and industry targets, but also journalists, academics, opposition figures, and activists.
[I think this is the report they reference: https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/
Oh hell yes!
Is Privacy Still a Big Deal Today?
Americans value their privacy, but they are also resigned to giving up their personal data in order to transact with a company. Is there a better way for both sides to get what they want?
Perspective. Amazon is getting into the food market by going brick and mortar?
AmazonFresh Pickup expands to Prime members in Seattle, with automatic license-plate recognition
Amazon is expanding its latest brick-and-mortar retail experiment beyond an internal employee beta today, letting Amazon Prime members order groceries online for pickup during designated windows at two locations in the company’s hometown.
The broader launch of the AmazonFresh Pickup service, in Seattle’s Ballard and SoDo neighborhoods, also brings new details about how the pickup process works. Amazon says in an online FAQ that it “may use license plates to automatically recognize your vehicle when you arrive,” helping the company quickly match arriving customers with their orders. Customers can opt-out of automatic check-in from their settings.
Helping my students see what I’m talking about?
Google launches Data GIF Maker to help storytellers convey information through animations
… GIFs continue to be used for many purposes, which is why Google has launched the Data Gif Maker, a tool aimed at helping journalists and storytellers convey information visually through simple animations.
“Data visualizations are an essential storytelling tool in journalism, and though they are often intricate, they don’t have to be complex,” said Simon Rogers, data editor at the Google News Lab, in a blog post. “In fact, with the growth of mobile devices as a primary method of consuming news, data visualizations can be simple images formatted for the device they appear on.”
… Latvian infographics and data visualization company Infogram offers a slick WYSIWYG editor that converts users’ data into infographics that can be published or embedded anywhere, and it was acquired by Prezi earlier this month.
Other companies are making moves to monetize GIFs, specifically. Last month, Tenor launched a real-time analytics tool designed to educate marketers about using GIFs.
Sounds like a candidate for study. Any grants available?
Marshall Project – New Tool That Could Revolutionize How We Measure Justice
by Sabrina I. Pacifici on May 25, 2017
Beth Schwartzapfel – The Marshall Project: “The enormity of the country’s criminal justice system — 15,000 state and local courts, 18,000 local law enforcement agencies, more than two million prisoners — looks even more daunting when you consider how little we know about what is actually going on in there. Want to know who we prosecute and why? Good luck. Curious about how many people are charged with misdemeanors each year? Can’t tell you. How about how many people reoffend after prison? We don’t really know that, either. In an age when everything is measured — when data determines the television we watch, the clothes we buy and the posts we see on Facebook — the justice system is a disturbing exception. Agencies exist in silos, and their data stays with them. Instead, we make policy based on anecdote, heavily filtered through a political lens. This week the nonprofit Measures for Justice is launching an online tool meant to shine a high beam into these dark corners. It is gathering numbers from key criminal justice players — prosecutors offices, public defenders, courts, probation departments — in each of America’s more than 3,000 counties. Staffers clean the data, assemble it in an apples-to-apples format, use it to answer a standard set of basic questions, and make the results free and easy to access and understand…”
Thursday, May 25, 2017
Are the number of investigations going up this fast or are requests made on a higher percentage of investigations? (Investigations that did not normally ask for this information before?)
Apple: National security requests for data skyrocketed in second half of 2016
… According to the report, between 5,750 and 5,999 National Security Letters were issued for data from 4,750 to 4,999 different accounts.
… This marks at least the sixth consecutive half where the number of NSLs rose. In first half of 2014, there were between 0-249 delivered to Apple. In second half 2014, there were between 250-499. In 2015, the government issued 750-999 followed by 1,250-1,499. And in the first half of 216, it issued 2,750-2,999.
According to the report, the government also requested data on 4,254 accounts through more conventional means, like search warrants, subpoenas and other court orders.
Making sense of the GDPR. An article that details what will be in the course.
Free course: The GDPR Attack Plan
The General Data Protection Regulation is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can impact non-EU organisations too.
Leaks for money or ‘prestige?”
‘Furious’ UK reportedly stops sharing intelligence with US following Manchester attack leak
… British officials were outraged when photos of debris from the attack were leaked and published in the New York Times, the BBC said on Thursday. The images vividly show part of the explosive device and jacket worn by the suicide bomber.
Though the Times did not disclose how it sourced the images, a senior U.S. law enforcement official authenticated the photos and said they had been provided to American investigators by British authorities.
Leaked information about the identity of the assailant – now confirmed as Salman Abedi - also emerged in U.S. media less than 24 hours after the attack against the U.K.'s wishes.
British Home Secretary Amber Rudd described the leaks as "irritating" and insisted that they "should not happen again."
A Whitehall source added: "We are furious. This is completely unacceptable," according to the BBC.
Consider how difficult this seems. Would most businesses do better?
CIA releases Officially Released Information System database with 50 yrs of FOIA request documents
by Sabrina I. Pacifici on May 24, 2017
Via Muckrock’s work and posting as follows: “The results of the Agency’s ambitious project to track all the information its made public will soon become a valuable tool for government transparency. In 1985, citing concerns regarding “difficulty determining what has been publicly disclosed,” the CIA had a truly great idea that would serve both the Agency and the public’s interest in government transparency – a “proposal to establish a focal point to record CIA information released to the public.” The resulting Officially Released Information System, or ORIS, would take years to finally implement, and thanks [to a recent FOIA] (https://www.muckrock.com/foi/united-states-of-america-10/officially-released-information-system-contents-35179/#file-1338090) – and the CIA’s agreement to release and waive all fees – it might finally become the transparency tool it has the potential to be. The problem of knowing what had already been acknowledged wasn’t a new problem to the Agency, either. The issue extended back to the 1970s for them, and had been brought up again in 1983. Previous attempts had all failed or resulted in incomplete division-specific systems. CIA needed an Agency-wide solution, and it was finally beginning to be technologically feasible.”
Ride-hailing companies will grow eightfold by 2030, dwarfing the taxi industry: Goldman Sachs
Uber may be under pressure in the press — but its business model is still on track to dominate and "ultimately eclipse" the taxi market, according to a new analysis from Goldman Sachs.
Uber, alongside companies like Lyft and China's Didi Chuxing, are part of a new "pay-as-you-go" car era, Goldman said. The investment bank predicts that the number of cars on the road will peak in 2030.
Ride-hailing will grow eightfold by then and could be five times the size of the taxi market, justifying the giant valuations, the report said. At $68 billion and $50 billion, respectively, Uber and Didi are the two most highly valued venture-backed companies, according to data firm CB Insights.
Central to the growth of this industry, according to Goldman Sachs, is the proliferation of self-driving cars.
"We model a scenario in which a fleet manager could generate profit of $14,000 per car over three years, nine times what [a manufacturer] currently makes from selling a car," Goldman's analysts wrote in the report.
(Related). We don’t need cable TV, landline phones, or cars.
Many Uber and Lyft riders are ditching their own cars
… Nearly a quarter of American adults sold or traded in a vehicle in the last 12 months, according to a Reuters/Ipsos opinion poll published on Thursday, with most getting another car. But 9 percent of that group turned to ride services like Lyft Inc and Uber Technologies Inc as their main way to get around.
About the same percentages said they planned to dispose of cars and turn to ride services in the upcoming 12 months.
Though a small percentage, the figure of people switching to ride services could be early evidence that more consumers believe that ride sharing can replace vehicle ownership.
Wednesday, May 24, 2017
It takes a while to settle these things.
Target, states reach $18.5 million settlement on data breach
Target Corp. has reached an $18.5 million settlement over a massive data breach that occurred before Christmas in 2013, New York's attorney general announced Tuesday.
The agreement involving 47 states and the District of Columbia is the largest multistate data breach settlement to date, Attorney General Eric T. Schneiderman's office said. The settlement, which stipulates some security measures the retailer must adhere to, resolves the states' probe into the breach.
… Target had announced the breach on Dec. 19, 2013, saying it occurred between Nov. 27 and Dec. 15 of that year. It affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.
… The settlement requires Target to maintain appropriate encryption policies and take other security steps, though the company has already implemented those measures.
For my Computer Security students.
CEOs and Coffee Shops Are Mobile Computing's Biggest Risks: Report
The balance between encouraging mobility for business purposes and controlling it for security remains as tricky today as ever. Ninety-three percent of organizations are now somewhat or very concerned that the mobile workforce is presenting an increasing number of security challenges. Of these, 47% are 'very concerned'; a figure that has grown from 36% a year ago.
These figures come from the iPass 2017 Mobile Security Report (PDF), published today. iPass is a global provider of always-on, secure Wi-Fi; with more than 60 million hotspots in more than 120 countries.
Something my students and I will explore.
Flashpoint Enhances Risk Intelligence Platform
Just as global intelligence firm Stratfor extracts and presents geopolitical intelligence from the noise of available information, so now does Flashpoint extract cyber business risk intelligence (BRI) from the noise of deep and dark web conversations.
… That process has now come to fruition with today's launch of the Flashpoint Intelligence Platform 3.0. It aims to convert and present the raw intelligence gleaned from the deep and dark web as actionable business risk intelligence that will help customers take a more strategic role in security planning.
A very long and very damning illustration of failure at HHS. So why is the government spending my tax dollars? Perhaps even they do not know.
I was excited back in 2010 when HHS started posting breaches on what some would call the “wall of shame.” I knew that we’d only learn about breaches involving HIPAA-covered entities, but at least we were finally starting to get some actual data. Now, more than 6 years later, it’s become clear to me that it’s probably best to just call time of death on the breach tool, despite its popularity with marketers who look for numbers to support their sales pitches.
In this post, I review some of what we are not seeing on HHS’s breach tool, and why it’s really not a source of accurate or helpful information for those who want to understand breaches and incidents involving health or medical data.
It sure looks like blackmail… The “Program” consists of an App and some hardware.
Joe Cadillic writes:
Since 2016, New York motorists are being
forced asked to let the police spy on their
cellphones for a minimum of 90 days.
In Nassau County, motorists are asked, wink, wink to pay hundreds of dollars to enter the ‘Distracted Driver Education Program’ (DDEP). The Feds, claim to offer motorists a choice, either dispute the texting while driving ticket in court, accept a 5 point moving violation or enter the DDEP.
Before a motorist can enter the DDEP they have to pay a distracted driving citation which can be anywhere from $50 and $400 and have to pay an installation fee of $125.00 for the in-car device.
Read more on MassPrivateI.
[From the article:
"A device called DriveID is installed in the motorist’s primary vehicle and an app is installed on the motorist’s phone. The app receives information from the device which causes the keyboard of the phone to deactivate and the screen to be blocked. The motorist is broken of the habit of reaching for the device. However, voice commands are not disabled, so the motorist can still use apps like “Hey Siri”, which don’t require the user to touch or even look at their device, to control their device legally while driving."
We can, therefore we must!
Helen Christophi reports:
Even trains are spying on us now, a woman claims in a federal class action accusing the Bay Area Rapid Transit District of tracking passengers’ movements by duping them into downloading a seemingly benign crime-reporting app.
Pamela Moreno claimed Monday that BART collects personal information from riders’ cellphones and tracks their location through its BART Watch app, without consent.
Read more on Courthouse News.
Perhaps the “administration” should actually walk around their school? What else have they missed?
The Simcoe County District School Board is warning students and parents of a possible privacy breach after discovering surveillance cameras were secretly installed in some of the music classrooms at Collingwood Collegiate Institute.
The discovery was made late last year and the board has been investigating the matter with Collingwood OPP and the Information and Privacy Commissioner of Ontario (IPC).
All of the monitoring equipment was removed by school board staff after being discovered and is now secured at the board office.
An internal investigation determined the surveillance cameras were installed approximately five years ago by two staff members to address issues of alleged instrument theft. The school’s administration was unaware that the equipment was installed or in place during the five year period, the board said.
Read more on CTV.
So, they could clone you?
Joel Winston writes:
The family history website Ancestry.com is selling a new DNA testing service called AncestryDNA. But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years.
It seems obvious that customers agree to this arrangement, since all of them must “click here to agree” to these terms. But, how many people really read those contacts before clicking to agree? And how many relatives of Ancestry.com customers are also reading?
Read more on ThinkProgress.org.
And so it goes…
Appeals court decision keeps lawsuit against NSA surveillance alive
A federal appeals court on Tuesday reversed a lower court’s decision to dismiss Wikimedia’s lawsuit challenging the National Security Agency’s (NSA) mass interception of Americans’ international digital communications.
The lower court had ruled in 2015 that the case, filed by the American Civil Liberties Union (ACLU) on behalf of the Wikimedia Foundation, The Nation magazine, Amnesty International USA, Human Rights Watch and other groups, failed to demonstrate that their communications were being monitored by the NSA.
A panel of three judges on the 4th Circuit Court of Appeals unanimously disagreed with this on Tuesday, allowing Wikimedia to continue its lawsuit.
Google gets “anonymized” data and immediately matches it to your online identity? They get “encrypted” data and can tell who you are and what you purchased? I don’t think the authors of these articles knew much about their topic.
Google’s New Feature Can Match Ad Clicks With In-Store Purchases
… A new feature, born out of partnerships between Google and credit and debit card companies, links in-store purchases to your online identity, CNN reports. That means Google could tell whether you clicked an online ad before buying the product in a shop later.
Companies that Google partners reportedly account for 70% of all credit and debit card purchases in the U.S. According to CNN, credit and debit card companies will send Google encrypted information about store purchases, that can then be compared to collective online profiles of users who clicked on corresponding ads.
Google said that encryption means it cannot see identifiable payment information such as the customer's name or what they bought. The tool also doesn't work for cash payments
This columnist makes an interesting point.
Mark Fields’ abrupt removal from Ford should come as something of a warning to other traditional automakers, especially ones whose shareholders demand answers as to why they aren’t valued as highly as Tesla: profits aren’t enough anymore. Record sales aren’t enough anymore. Making the goddamn F-150, which will always sell in huge volumes even in the event of the apocalypse, somehow isn’t enough.
Fields wasn’t perfect but he was far from being a bad CEO, and right now it’s all about “mobility” and “technology” for Wall Street—even though no one really has a clear view of what that means or how to make it profitable.
Researching the Twits?
Twitter as a data source: An overview of tools for journalists
by Sabrina I. Pacifici on May 23, 2017
Data Driven Journalism: “Journalists may wish to use data from social media platforms in order to provide greater insight and context to a news story. For example, journalists may wish to examine the contagion of hashtags and whether they are capable of achieving political or social change. Moreover, newsrooms may also wish to tap into social media posts during unfolding crisis events. For example, to find out who tweeted about a crisis event first, and to empirically examine the impact of social media. Furthermore, Twitter users and accounts such as WikiLeaks may operate outside the constraints of traditional journalism, and therefore it becomes important to have tools and mechanisms in place in order to examine these kinds of influential users. For example, it was found that those who were backing Marine Le Pen on Twitter could have been users who had an affinity to Donald Trump. There remains a number of different methods for analysing social media data. Take text analytics, for example, which can include using sentiment analysis to place bulk social media posts into categories of a particular feeling, such as positive, negative, or neutral. Or machine learning, which can automatically assign social media posts to a number of different topics…”
A place for my students to share their skills?
IFTTT now lets any developer build and publish applets for others to use
IFTTT, the platform that allows users to create customized, conditional interactions between apps, online services, digital assistants, and devices, has announced that it’s opening its platform to individual developers, allowing them to build and publish their own applets for others to use.
… From today, IFTTT is making this available to individual developers too, via a free “maker” tier that lets anyone build and publish applets.
… It’s worth noting here that up until now, anyone has been able to build applets that work with two IFTTT services for personal use. But with this new offering they can publish their applets for others to use, and showcase everything on a dedicated maker profile page.
Additionally, they can create applets that work on any connected device, regardless of whether they own one of these devices themselves. And above all else, makers can now build applets with multiple actions, as partner companies have been able to do since last year.
… In a way, this launch is a little like smartphone app stores allowing any developer to build and create apps. It enables IoT companies to tap a gargantuan developer pool, with some potentially interesting connected device and service integrations coming to the fore. By opening to individuals, developers could have their applets picked up and featured by some big name partner companies, including Domino’s or Adobe.
Tuesday, May 23, 2017
Stealing a little from a lot of people? Good in theory, but it still sends you to jail.
Russian Hackers Infected 1 Million Phones With Banking Trojan
… The cybercrime gang targeted by Russian authorities used spam SMS messages to deliver the Trojan to individuals in Russia. The messages informed recipients that their ads or photos had been posted on a website, and included links to a site that tricked users into downloading and installing the malware. The threat had been disguised as various apps, including Avito, Pornhub, Framaroot and Navitel.
Once it infected a device, the Trojan allowed the cybercrooks to steal and hide SMS messages coming from banks, and send SMSs to specified numbers. Since many Russian banks allow their customers to conduct transactions via SMS, these features allowed the fraudsters to transfer money from the victims’ accounts into their own.
According to Group-IB, the gang opened more than 6,000 bank accounts to which they transferred the stolen funds. Investigators said the Cron malware was used to steal an average of $100 (8,000 rubles) from 50-60 bank customers each day.
The cybercriminals managed to infect more than one million smartphones and stole nearly $900,000 (50 million rubles).
Not a large breach, but one that points to people/places where one could steal a gun.
Andrew Ruiz reports:
The Florida Department of Agriculture and Consumer Services is warning customers that hackers may have obtained the names of more than 16,000 people who have Florida concealed weapon permits.
The data breach that appears to have originated from overseas affects people who entered information through the department’s online payment system.
Read more on WPTV. While the story leads with the number of names, it’s important to note that 469 Social Security numbers were also acquired by the hackers.
For the Ethical Hacking toolkit.
'Ultrasecure' Samsung Galaxy S8 iris scanner can be easily tricked, say hackers
… A CCC video shows how simple the trick is. In it, someone uses the night mode on a regular Sony digital camera to surreptitiously take an infrared shot of the phone user's eyes, from a moderate distance.
The image is cropped and printed out on, cheekily, a Samsung printer at life size. A contact lens is placed on the printed iris, to give it the appropriate curvature, and the Galaxy S8 accepts this as authentication for unlocking the phone.
For my Forensics students.
Al Saikali of Shook Hardy & Bacon LLP writes about a key issue that has come up a number of times in discussing incident response and liability:
One of the most significant questions in data security law is whether reports created by forensic firms investigating data breaches at the direction of counsel are protected from discovery in civil class action lawsuits. They are, at least according to an order issued last week in In re Experian Data Breach Litigation. 15-01592 (C.D. Cal. May 18, 2017). This post analyzes the decision, identifies important practical takeaways for counsel, and places it in context with the two other cases that have addressed this issue.
Read more on Data Security Law Journal.
Potential jobs for my Computer Security students.
Ira Parghi of Ropes & Gray writes:
Since January 2016, the OCR has entered into resolution agreements with, and imposed Corrective Action Plans (CAPs) on, providers and others in at least 12 matters involving the Security Rule. It has also imposed a Civil Monetary Penalty on one entity. Most of these cases involve stolen, unencrypted laptop computers (at least six cases), mobile devices such as iPads or iPhones, office computers, or portable storage devices.
Notably, while the underlying facts of these cases vary somewhat, their CAPs do not. All 12 of the CAPs hone in on the obligation under the Security Rule to perform an annual Risk Analysis and Risk Management Plan.
Read more on MedCityNews.
For my students.
… We now know that the ransomware spread due an exploit in the Windows Server Messaging Block (SMB) protocol version 1. This is an outdated version of SMB, used to share files and printers among networked computers, that Windows still supports for backwards compatibility. Microsoft patched this issue in March, but affected computers were still vulnerable to attack if they were running the archaic Windows XP or hadn’t applied updated in Windows 7 for months.
On your own system, you can disable SMB 1.0 in just a moment — and because 99 percent of home users don’t need the old and insecure version of this protocol, you can shut it off without any loss of functionality.
Type Turn Windows features into the Start Menu and click the entry for Turn Windows features on or off. Scroll down to SMB 1.0/CIFS File Sharing Support and uncheck the box. Give Windows a moment to apply the changes, then you’ll have to restart your computer to complete the action. Once that’s done, you’ve disabled the awful, insecure protocol from running on your computer.
Hey! Whatever works! Nothing new there.
How the Waymo-Uber Lawsuit Could Rewrite Intellectual Property Rules
… According to Wagner, trade secret law has traditionally not been seen as “a particularly reliable or useful way to protect technology,” partly because it is difficult to keep such technology secret when it is implemented and products based on it are sold. But that conventional wisdom is up for a reexamination. “If Google is successful at putting a dent in Uber’s ability to compete in this field as a result of this case, then people will take notice of that and you will probably see more people using trade secrets” as part of their intellectual property strategies, said Wagner. “On the other hand, if Google is not successful, or even if they win this case and they don’t slow Uber down very much, then people are going to go back to what we traditionally think of in IP, which is unless you have a patent covering the technology, you don’t have a lot of protection.”
Perspective. Does this suggest that everyone is upgrading or are there still people like me who don’t yet own a smartphone?
Gartner: Worldwide Smartphone Sales Grew 9% YoY In Q1 2017
Gartner has just released its smartphone sales report for the first quarter of this year, and according to the provided info, worldwide smartphone sales grew by 9 percent this time around. Companies sold a total of 380 million smartphones in Q1 2017, which is a 9.1 percent increase compared to the same quarter last year. Gartner also says that consumers are spending more to get a better phone now, which actually caused a rise in average selling price for smartphones.
Might be useful in my Statistics class.
Dataset aggregates info on food spending habits using 3 million grocery orders
by Sabrina I. Pacifici on May 22, 2017
Center for Data Innovation – “Online grocery service Instacart has published a dataset containing information on 3 million grocery orders from more than 200,000 de-identified users from 2017. The dataset contains information on what products users purchased, the sequence they bought them in, when they placed the order, and the amount of time between Instacart orders. Instacart is releasing this dataset in the hopes that others will use it to develop algorithms that can predict what items shoppers will buy again or may be interested in.”
What are you listening to? NOT FREE.
… You need some websites and apps that take you out of your comfort zone. With that in mind, here are eight essential websites for broadening your musical knowledge.