Saturday, July 01, 2017
So, it’s not North Korea. But I bet North Korea is watching.
Pavel Polityuk reports:
Ukraine said on Saturday that Russian security services were involved in a recent cyber attack on the country, with the aim of destroying important data and spreading panic.
The SBU, Ukraine’s state security service, said the attack, which started in Ukraine and spread around the world on Tuesday, was by the same hackers who attacked the Ukrainian power grid in December 2016. Ukrainian politicians were quick to blame Russia for Tuesday’s attack, but a Kremlin spokesman dismissed “unfounded blanket accusations”.
Read more on Reuters.
For my Ethical Hacking students. A Network Security tool. (But it also points out weak spots.)
Eternal Blues is a free EternalBlue vulnerability scanner. It helps find the blind spots in your network: the endpoints that are still vulnerable to EternalBlue.
Just hit the SCAN button and you will immediately start to see which of your computers are vulnerable and which aren’t.
Something fishy here?
US states overwhelmingly reject Trump voter-fraud panel's request for sensitive voter information
… As of Friday night, at least 27 states, including Arizona, California, Kentucky, New Mexico, New York, Oklahoma, Texas, and Wisconsin have denied the commission's request.
… The letter dated June 28 and signed by Kobach asks for registered voters' names, addresses, dates of birth, partial social security numbers, political party, a decade's worth of voter history, information on felony convictions, and whether they have registered in more than one state.
The letter was followed by a separate one from the US Justice Department, which asked states to reveal how they maintain their voter rolls. The commission said all voter data submitted by the states would be made public.
We don’t really know how to do this, but we “gotta do something!”
Facebook found a new way to identify spam and false news articles in your News Feed
Facebook claims that users who post a lot — meaning 50-plus times per day — are very often sharing posts that the company considers to be spam or false news. So now Facebook is going to identify the links that these super-posters share, and cut down on their distribution on the network.
… Facebook isn’t actually looking at the content from these links, Mosseri added. The correlation between these types of users and spammy/false content is strong enough that Facebook doesn’t have to.
A case of “Ready, Fire, Aim?”
U.S. tech sector lobbied to soften ban on Russia spy agency: report
The sanctions imposed on Russia by the Obama administration last December outlawed U.S. companies from having relationships with Russia’s spy agency, the Federal Security Service (FSB), which presented a dilemma to Western tech companies.
According to the report, the FSB also acts as a regulator that approves the importing of technology to Russia that contains encryption, which is used in products such as cellphones and laptops.
Industry groups such as the U.S.-Russia Business Council and the American Chamber of Commerce in Russia were worried about the sanctions' potential impact on sales and contacted officials at the Treasury and State departments, as well as the U.S. Embassy in Moscow.
The campaign began in January and has been successful, according to the report.
With near infinite money comes the ability to explore new technologies – even if it takes years.
Google On The Verge Of A Major Quantum Computing Breakthrough
… Among the tech companies hard at work building their quantum computer, there’s a clear leader emerging: Google and their quest to achieve what they refer to as ‘quantum supremacy.’ Put simply, achieving ‘quantum supremacy’ means being the first to build a truly functional quantum computer that can perform tasks that no other existing computer can.
A couple of months back, news came out that Google, through the group led by University of California professor John Martinis, was ready to put their 6-qubit quantum chip to the test. It was also mentioned then that they were already in the process of designing 30 – 50 qubit devices for their ‘quantum supremacy’ experiment which will require a 49-qubit grid.
More recently, at a conference held in Munich, Germany, one of Google’s engineers, Alan Ho, discussed how the company’s work on quantum computing is progressing. As reported by New Scientist, Ho revealed that he and his team are currently working with a 20-qubit system with a “two-qubit fidelity” of 99.5%. That percentage is a measure of accuracy, or the other side of it, the probability of making mistakes. The higher the rating, the more accurate and less error-prone the system is. … Ho is quick to point out, though, that it will take probably another 10 years before we have error-corrected or coherent systems that will allow quantum computers to function in a practical and scalable way. That said, however, he stresses that if they as a team will be able to successfully achieve quantum supremacy — proving that the use of qubits is superior to using bits — the achievement should be considered a major breakthrough in the field of quantum computing. And he is right given that this would be a game changer, in pretty much the same way microprocessors were in their days.
I may try comics this quarter. Another attempt to get my students communicating.
Free Webinar - Comics In the Classroom
Having your students create comics can be a great way to help them get to know each other and for you to get to know them. The process of creating a comic is an excellent way for students to practice developing plot lines. You can learn more about these ideas and others in my free webinar Comics In the Classroom.
Comics In the Classroom is a free webinar that I am hosting next week on Thursday at 3pm Eastern Time. The webinar will feature five ways to use comics in your classroom and a handful of tools for creating comics. You'll even get to contribute to the creation of a comic during the webinar.
Comics In the Classroom will last for about an hour. Those who register will receive a special discount code to use on my upcoming back-to-school series of professional development webinars.
Comics In the Classroom will be recorded for those who register but cannot attend the live session. You don't need to email me to get the recording. It will be sent to you if you register for the webinar. Register here.
Friday, June 30, 2017
A simple question: Could your business operate without its computers?
Back to the future for Maersk in the wake of Petya attack
Arguably one of the most sophisticated, IT savvy shipping companies in the world has had to work as if it had gone back in time to the mid-1990s for the past 48 hours.
In the two days since the Maersk Group was hit by the Petya ransomware attack, operations at many of its sites across the globe have returned to manual.
… Reports are emerging too of how operations at Maersk offices around the world have been pared right back in the wake of the crippling attack.
Maersk Australia and New Zealand managing director Gerard Morrison said today that his unit’s phone and email systems had been deliberately shut down by the company to stop the spreading of the malware virus.
Morrison said Maersk’s New Zealand staff had been keeping operations going manually, using Microsoft Excel spreadsheets and handwritten information to tell Port of Auckland and Port of Tauranga what to do with the cargo that needed to be unloaded off its ships.
The Port of Auckland revealed that it was receiving information about the imported cargo from Maersk manually through a Gmail account.
In India, meanwhile, Visakha Container Terminal has started handling Maersk Line vessels manually in the wake of the Petya attack.
… In the US, the supply chain fallout from the attack, dubbed by one maritime tech expert as “shipping’s Y2K moment”, has been significant. APM Terminals’ facility in Mobile, Alabama for instance, has been loading and unloading containers in manual mode, without the normal computerised coordination.
This is not amusing.
Trump’s Election Integrity Commission seeks personal info on all US voters back to 2006
by Sabrina I. Pacifici on Jun 29, 2017
Washington Post – “The chair of President Trump’s Election Integrity Commission has penned a letter to all 50 states requesting their full voter-roll data, including the name, address, date of birth, party affiliation, last four Social Security number digits and voting history back to 2006 of potentially every voter in the state. In the letter, a copy of which was made public by the Connecticut secretary of state, the commission head Kris Kobach said that “any documents that are submitted to the full Commission will also be made available to the public.” On Wednesday, the office of Vice President Pence released a statement saying “a letter will be sent today to the 50 states and District of Columbia on behalf of the Commission requesting publicly available data from state voter rolls and feedback on how to improve election integrity.” States began reacting to the letter on Thursday afternoon. “I have no intention of honoring this request,” said Governor Terry McAuliffe of Virginia in a statement. “Virginia conducts fair, honest, and democratic elections, and there is no evidence of significant voter fraud in Virginia.” Connecticut’s Secretary of State, Denise Merrill, said she would “share publicly-available information with the Kobach Commission while ensuring that the privacy of voters is honored by withholding protected data.” She added, however, that Kobach “has a lengthy record of illegally disenfranchising eligible voters in Kansas” and that “given Secretary Kobach’s history we find it very difficult to have confidence in the work of this Commission.” Under federal law, each state must maintain a central file of registered voters. States collect different amounts of information on voters. While the files are technically public records, states usually charge fees to individuals or entities who want to access them. Political campaigns and parties typically use these files to compile their massive voter lists…”
Even our toys are watching us!
Dubai Police to deploy robotic patrols
Dubai: Months after Dubai unveiled the first flying taxis in the world, Dubai Police on Tuesday unveiled another believed world’s first — autonomous, self-driving miniature police cars that are expected to hit the streets by year-end.
The robotic vehicles will be equipped with biometric software to scan for wanted criminals and undesirables who are suspected or are breaking laws, police said.
Indeed, what could possibly go wrong?
Facebook gives moderators "full access" to user accounts suspected of terror links
Facebook has a fleet of low-paid contractors who are tasked with investigating possible connections with terrorism on its site.
The key takeaway: Moderators are granted "full access" to any account once it's been flagged by the social network's algorithms, which are looking for details or connections that might suggest a terror link. Moderators can track a person's location and read their private messages.
The news comes from The Guardian
… The move appears to go far above and beyond the company's recently outlined efforts to use its artificial intelligence and human resources to counter terrorism on the platform. It's in response to growing pressure from several countries to act and to battle terrorism on their platforms, in the wake of several terror attacks in the UK and Europe.
… Among the chief problems with this largely secret internal surveillance is that Facebook doesn't define "terrorism" or "terrorist content." There is no one single definition, or hard-and-fast rule to follow, making the process of removing content arbitrary. Facebook only says that each company facing this kind of challenge "will continue to apply its own policies and definitions of terrorist content when deciding whether to remove content."
The only thing that is known about the rules that govern what content Facebook allows on its site is that it's a secret.
… Facebook is now employing a largely secret group of unaccountable staff working against a set of arbitrary and unknown rules against two billion people. What could possibly go wrong?
Without any shred of transparency, there's no telling who is or isn't under the watchful eye of Facebook's own internal surveillance.
A tool for Network Security?
JASK emerges from stealth with $12 million and an automated threat detection service
JASK is emerging from stealth today with $12 million in the bank and a machine learning technology that automates network monitoring and management for overtaxed security teams.
The thesis behind JASK’s service is the somewhat depressing (and frightening) thought that these days there aren’t enough security experts to meet the demands of running a modern business. Simply put, people can’t respond to every breach that a company faces, because there aren’t enough professionals trained in cybersecurity.
This VA software was ignored in the rush for states (including Colorado) to develop their own versions of health management systems when Obamacare was announced. It’s still viable. Perhaps the VA should have just outsourced its management?
VA Gives Thumbs Up to Commercial IT Software
A U.S. Department of Veterans Affairs decision to pursue a new direction in processing health records has created a highly visible endorsement of the use of commercial off-the-shelf (COTS) information technology by federal agencies. President Trump cited the VA's action as an example of the administration's commitment to vastly improve federal IT management.
The VA earlier this month awarded a contract to Cerner to develop an electronic health record (EHR) system for the department. The Cerner program will replace the existing VA patient data system, known as "VistA," which was developed in-house and has been in use for at least 30 years.
… The VistA system, which VA personnel designed in their off hours decades ago, has been heralded as a pioneering effort in EHR management. The program became a template for both government and private healthcare providers.
However, VA Secretary David Shulkin recently decided that it would be more appropriate for the agency to concentrate on healthcare and leave data processing to commercial specialists.
Play-time for geeks!
… Microsoft provides Windows XP Mode, a full version of XP that runs from within Windows 7. Now, most people have also long since moved on from Windows 7, too. Making this compatibility mode fix, well, a little unhelpful.
Before we begin, you’re going to need to download and install the latest version of Oracle VirtualBox, available here.
Proof enough that Marketing is a very strange science.
50 Free Marketing Tools Any Small Business Can Use
Thursday, June 29, 2017
A weapon of Cyber-War? A North Korean response to sanctions? A Russian attack on the Ukraine that got out of hand?
Tuesday’s massive ransomware outbreak was, in fact, something much worse
Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.
Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.
In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.
How seriously can you take a threat with no evidence of the ability to do what they claim? What is the downside of ignoring them?
Yonhap News Agency reports:
Banks and other financial institutions in South Korea have been on guard over threats of cyberattacks by alleged financial blackmailers, according to the banks and financial institutions on Tuesday.
No damage has been reported so far, but about 20 banks, brokerages and the Korea Exchange received threats by hacking groups about paralyzing their Web sites.
They received e-mails that set a deadline to transfer funds to the blackmailers to avoid the attacks.
On Monday, four financial institutions — the Korea Financial Telecommunications & Clearings Institute, Suhyup Bank, DGB Daegu Bank and JB Bank — came under a distributed denial of service attack by a hacking extortion group named “The Armada Collective.”
Read more on Yonhap News Agency.
An anti-social attack on social media.
Joseph Cox reports:
Millions of accounts for internet radio service 8tracks are being traded on the digital underground, judging by a set of stolen user details obtained by Motherboard.
8tracks is a cross between a social network and an internet radio site, allowing users to stream custom playlists. The site offers both free and paid accounts, the latter for ad-free listening.
Motherboard obtained a dataset of around 6 million 8tracks usernames, email addresses, and hashed passwords. For-profit breach notification site LeakBase provided Motherboard with the data, and claims that the full dataset comprises around 18 million accounts. The passwords appear to be hashed with the SHA1 algorithm, meaning hackers may be able to crack the hashes and obtain some of the original passwords.
Read more on Motherboard.
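The Motherboard report says the 8tracks passwords were hashed with SHA-1. To show why that matters (and what the fix looks like), here is an added example that is not from the article and not 8tracks' code: a plain unsalted SHA-1 store, a salted PBKDF2 store, and a verify-and-upgrade path for moving users from the first to the second on their next login. The record format, round count and user records are my own assumptions and constructed sample data.

```python
"""Added example (not from the article, not 8tracks' code): why an unsalted
SHA-1 password store is weak, and how to replace it with a salted, slow KDF.
All usernames, passwords and record formats here are constructed/assumed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Legacy scheme described in the article: one fast SHA-1 of the password, no
# salt. Every user with the same password gets the same digest, and a table of
# digests for common passwords maps straight back to the plaintext.
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: per-user random salt plus PBKDF2-HMAC-SHA256 with many rounds,
# so each guess costs the attacker as much work as it costs the server.
# Record format (assumed for this example): "pbkdf2_sha256$<rounds>$<salt hex>$<hash hex>"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against either record format, in constant time."""
    if record.startswith("pbkdf2_sha256$"):
        _, rounds, salt_hex, digest_hex = record.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    # Anything else is treated as a legacy unsalted SHA-1 digest.
    return hmac.compare_digest(legacy_sha1(password), record)


def upgrade_on_login(store: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; if the stored record is legacy SHA-1, rewrite it as PBKDF2.
    The plaintext is only available at login, so that is when migration happens.
    Returns True on a successful login."""
    record = store.get(username)
    if record is None or not verify_password(password, record):
        return False
    if not record.startswith("pbkdf2_sha256$"):
        store[username] = hash_password(password)
    return True


def shared_password_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored digests are identical. With an unsalted hash this
    reveals which accounts share a password before a single hash is cracked;
    with per-user salts the groups are empty."""
    groups: Dict[str, List[str]] = {}
    for user, record in store.items():
        groups.setdefault(record, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample store in the legacy format.
    users = {"alice": legacy_sha1("hunter2"), "bob": legacy_sha1("hunter2"),
             "carol": legacy_sha1("correct horse")}
    print("accounts sharing a digest:", shared_password_groups(users))
    print("alice logs in:", upgrade_on_login(users, "alice", "hunter2"))
    print("alice's record now:", users["alice"][:30], "...")
    print("accounts sharing a digest after upgrade:", shared_password_groups(users))
```

The `shared_password_groups` check is the cheapest way to see the problem in a real dump: no cracking is needed to learn that two accounts use the same password when the hash has no salt. The upgrade path means the weak records disappear as users log in, without forcing a site-wide reset.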
For my Ethical Hacking students?
'Elsa' Tool Allows CIA to Locate Users via Wi-Fi
WikiLeaks has published a document detailing “Elsa,” a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to track people’s locations via their laptop’s Wi-Fi.
According to its developers, Elsa provides geolocation data by recording the details of Wi-Fi access points, including signal strength, in range of the targeted Windows device. The user’s location and movements can be obtained after the data is sent to third-party location services.
Once Elsa is planted on the target’s computer, it monitors nearby Wi-Fi connections even if the device is not connected to the Internet. Once an Internet connection is available, the malware can send the collected Wi-Fi data to a database containing the geographical location of wireless access points.
See? We’re all citizens of the world. Virtually.
Google Must Delete Search Results Worldwide, Supreme Court of Canada Rules
The Supreme Court of Canada ruled against Google on Wednesday in a closely-watched intellectual property case over whether judges can apply their own country's laws to all of the Internet.
In a 7-2 decision, the court agreed a British Columbia judge had the power to issue an injunction forcing Google to scrub search results about pirated products not just in Canada, but everywhere else in the world too.
Those siding with Google, including civil liberties groups, had warned that allowing the injunction would harm free speech, setting a precedent to let any judge anywhere order a global ban on what appears on search engines. The Canadian Supreme Court, however, downplayed this objection and called Google's fears "theoretical."
"This is not an order to remove speech that, on its face, engages freedom of expression values, it is an order to de-index websites that are in violation of several court orders. We have not, to date, accepted that freedom of expression requires the facilitation of the unlawful sale of goods," wrote Judge Rosalie Abella.
(Related). This one is about free speech, right?
Turkey tells Twitter to shut down American's account
Turkey demanded that Twitter take down a prominent American scholar’s account, saying he had violated the personal rights of the country’s leader President Recep Tayyip Erdoğan.
Twitter alerted American Enterprise scholar Michael Rubin on Monday that it had received a court order from Turkey, dated June 16, saying the social media platform had seven days to take down Rubin’s account, or else the company would face punishments under Turkish law, including potential fines.
Free and anonymous speech. Is the government saying these people DID witness “unlawful conduct” or that they may have?
The DOJ Wants To Take Away Online Privacy. And A Court Says Okay
Even if you didn’t commit a crime, and so no warrant has been issued (per your Fourth Amendment rights), the government can still take away your online anonymity, says a court. Even if all you did was use your First Amendment-protected right to speak about a private company online, the government can unmask you.
… The government is arguing they should be able to find out someone’s identity as long as they are not acting in "bad faith." Glassdoor is arguing that, legally speaking, the government should be required to pass a "compelling interest" test before being given the authority to demand peoples’ identities from a private company.
… In this case the DOJ wants internet protocol (IP) addresses and more from eight people who published comments about a certain company. The DOJ says these eight people can “offer common employee insights” into the company under investigation and that they are “third party witnesses to potential unlawful conduct.”
Google as victim?
Ends, Means, and Antitrust
… What Constitutes a Competitive Product?
This is by far the most concerning part of the European Commission’s decision, for two reasons.
First, if I search for a specific product, why would I not want to be shown that specific product? It frankly seems bizarre to argue that I would prefer to see links to shopping comparison sites; if that is what I wanted I would search for “Shopping Comparison Sites”, a request that Google is more than happy to fulfill […]
The European Commission is effectively arguing that Google is wrong by virtue of fulfilling my search request explicitly; apparently they should read my mind and serve up an answer (a shopping comparison site) that is in fact different from what I am requesting (a product)?
The second reason is even more problematic: “Google Shopping” is not actually a search product; it is an ad placement:
Reversing the trend?
Staples Is Being Bought for $6.9 Billion
Sycamore Partners said on Wednesday it would acquire U.S. office supplies chain Staples for $6.9 billion, a rare bet by a private equity firm this year in the U.S. retail sector, which has been roiled by the popularity of internet shopping.
Buyout firms largely have refrained from attempting leveraged buyouts of U.S. retailers in the past two years, amid a wave of bankruptcies in the sector that have included Sports Authority, Rue21, Gymboree and BCBG Max Azria.
Sycamore's deal for Staples, however, which Reuters was first to report would come this week, illustrates that some buyout firms are distinguishing between mall-based fashion retailers, which are vulnerable to changing consumer tastes, from retailers with a niche and rich cash flow, such as Staples.
The acquisition also shows that Sycamore, whose buyout fund is dedicated to retail deals, is willing to take on the risk of falling store sales at Staples because of the potential it sees in Staples' delivery unit, which supplies businesses directly.
For my Spreadsheet students.
… So what do you need the Developer tab for? The Developer tab is home to macros that you can use to automate repetitive tasks like sending emails from an Excel spreadsheet or automatically inserting text strings. Using the Developer tools will require a little bit of coding knowledge.
Attention students: News to match your classes.
Google News Redesigned
by Sabrina I. Pacifici on Jun 28, 2017
“Every day people come to Google News for a trusted view of the world. It’s there for everything from moments of political change to gripping sports events to daily local news. To make news more accessible and easier to navigate, we redesigned the desktop website with a renewed focus on facts, diverse perspectives, and more control for users. The new UI has a clean and uncluttered look, designed for comfortable reading and browsing.
- We’ve adopted a card format that makes it easier to browse, scan and identify related articles about a story.
- The new layout focuses on key elements, such as publisher names and article labels, and maintains your view and place on the page as you click in and out of stories and explore topics.
- We dedicated the navigation column on the left to sections that you customize. You can jump quickly to news you enjoy, whether it’s standard sections like Sports or Entertainment, or those created by you and powered by your queries, such as “FIFA World Cup” or “Bollywood.”…” [or “Privacy” or “Security” Bob]
Wednesday, June 28, 2017
Assume that North Korea is behind this one too. Have we now reached the point where we must do something about it?
Maersk Halts Operations at Port of Los Angeles After Cyberattack
Shipping giant A.P. Moller-Maersk shut down its operations at the Port of Los Angeles’ largest terminal Tuesday morning after a cyberattack hobbled its computer systems worldwide.
The closure happened around 6 a.m. at APM Terminals at Pier 400, where Maersk’s operations in Southern California are based, said port spokesman Phillip Sanfield. Maersk is the primary shipper at the terminal and is the port’s largest shipping company by cargo volume, he said.
… the terminal appeared to be mostly unstaffed Tuesday, and Maersk probably had to halt dockside work such as reorganizing empty cargo containers, he said.
… Maersk reportedly ceased operations at the ports of New York, New Jersey, and Rotterdam, Netherlands, as well.
New Cyberattack Goes Global, Hits WPP, Rosneft, Maersk
A new cyberattack similar to WannaCry is spreading from Europe to the U.S. and South America, hitting port operators in New York, Rotterdam and Argentina, disrupting government systems in Kiev, and disabling operations at companies including Rosneft PJSC, advertiser WPP Plc. and the Chernobyl nuclear facility.
More than 80 companies in Russia and Ukraine were initially affected by the Petya virus that disabled computers Tuesday and told users to pay $300 in cryptocurrency to unlock them, Moscow-based cybersecurity company Group-IB said.
… The attack has hit Ukraine particularly hard. The intrusion is “the biggest in Ukraine’s history,” Anton Gerashchenko, an aide to the Interior Ministry, wrote on Facebook. The goal was “the destabilization of the economic situation and in the civic consciousness of Ukraine,” though it was “disguised as an extortion attempt,” he said.
(Related). Probably not the result they were hoping for, but does it make them vulnerable to lawsuit from the victims? Is there a cyber-Good Samaritan law?
Hacker Behind Massive Ransomware Outbreak Can't Get Emails from Victims Who Paid
On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted.
But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files.
… to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." [This corrects a problem with the WannaCry ransomware. Bob]
Paper – AI and the Law: Setting the Stage
by Sabrina I. Pacifici on Jun 27, 2017
Urs Gasser – Medium – “While there is reasonable hope that superhuman killer robots won’t catch us anytime soon, narrower types of AI-based technologies have started changing our daily lives: AI applications are rolled out at an accelerated pace in schools, homes, and hospitals, with digital leaders such as high tech, telecom, and financial services among the early adopters. AI promises enormous benefits for the social good and can improve human well-being, safety, and productivity, as anecdotal evidence suggests. But it also poses significant risks for workers, developers, firms, and governments alike, and we as a society are only beginning to understand the ethical, legal, and regulatory challenges associated with AI, as well as develop appropriate governance models and responses…”
Perspective. “A trillion here, a trillion there, pretty soon we’re talking about real money!” With apologies to Everett Dirksen.
App economy to grow to $6.3 trillion in 2021, user base to nearly double to 6.3 billion
The global app economy will be worth $6.3 trillion by 2021, up from $1.3 trillion last year, according to a new report this morning from app analytics firm App Annie. During that same time frame, the user base will almost double from 3.4 billion people using apps to 6.3 billion, while the time spent in apps will grow to 3.5 trillion hours in 2021, up from 1.6 trillion in 2016.
Have I mentioned recently that I like lists?
MIT Technology Review – 50 Smartest Companies 2017
by Sabrina I. Pacifici on Jun 27, 2017
“Our editors pick the 50 companies that best combine innovative technology with an effective business model. Each year we identify 50 companies creating new opportunities by combining important technologies and business savvy. Some are large companies that seem to be growing ever larger, like Amazon and Apple. Others, like IBM, or General Electric are old-guard giants betting on technology renewal. And the list is full of ambitious startups like SpaceX, which is changing the economics of space travel with reusable rockets; Face++, a pioneer in face recognition technology; and additive-manufacturing firms Carbon and Desktop Metal. For additional perspective on the list, which starts here, please see our essay, “It Pays to Be Smart.”
Creating a toolbox for your toolkits.
Tuesday, June 27, 2017
It could happen here! It should happen here! Will it happen here?
Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. [What a concept! Bob]
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
Ms Poole said:
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
SOURCE: Information Commissioner’s Office
Note that DataBreaches.net had covered this breach (search Boomerang Rentals), and had noted its frustrating and customer-irritating incident response.
Of note, I think this monetary penalty by the ICO is fairly consistent with what the Federal Trade Commission here has tried to do, highlighting basic security steps and failures to maintain “reasonable” security. One difference, however, is that the FTC has no authority to impose any monetary penalty like this.
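The SQL injection finding above, as an added example that is not part of the ICO release or this blog: a customer lookup that concatenates user input into the query, beside the parameterized form, run against a constructed in-memory SQLite table (all names and addresses are invented for the example).

```python
import sqlite3

# Constructed sample data standing in for the kind of customer table
# the ICO findings describe (invented values, not Boomerang's data).
CUSTOMERS = [
    ("alice@example.com", "Alice Example"),
    ("bob@example.com", "Bob Example"),
    ("carol@example.com", "Carol Example"),
]


def make_db():
    """In-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """The defect class behind the finding: user input is spliced into the
    SQL text, so characters in the input can change the query's meaning."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return (vulnerable_rows, parameterized_rows) for the same crafted input."""
    conn = make_db()
    # The textbook tautology: the quote closes the string literal and the
    # OR makes the WHERE clause true for every row in the table.
    crafted = "x' OR '1'='1"
    return lookup_vulnerable(conn, crafted), lookup_parameterized(conn, crafted)


if __name__ == "__main__":
    vuln, safe = demo()
    print(f"vulnerable: {len(vuln)} rows; parameterized: {len(safe)} rows")
```

The vulnerable lookup returns every customer for the crafted input, the parameterized one returns nothing; a regular penetration test of the kind the ICO faulted Boomerang for skipping would exercise exactly this difference.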
For some reason, I don’t believe this.
HMS Queen Elizabeth, UK’s Largest Warship, Runs On Windows XP, Vulnerable To Hacking
It was recently revealed that HMS Queen Elizabeth, Britain’s largest warship, which left Rosyth Dockyard, Scotland, heading to the North Sea for its first ever sea trials, ran on the outdated operating system, Microsoft Windows XP.
… Mark Deller, commander air on the HMS Queen Elizabeth, defended the use of the operating system on the ship, refusing to admit that it can be hacked. "The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most," Deller told the Guardian.
Windows XP is the operating system that was incapable of protecting organizations like the National Health System (NHS) of the United Kingdom among others from a massive WannaCry ransomware attack in May 2017. The attack saw the cyber terror group take control of over 300,000 computers in 150 countries.
… “We are a very sanitized procurement train,” Deller stated. “I would say, compared to the NHS buying computers off the shelf, we are probably better than that. If you think more NASA and less NHS you are probably in the right place.”
HMS Queen Elizabeth not vulnerable to cyber attack, defence secretary insists
Britain's most powerful warship is not vulnerable to a cyber attack, the Defence Secretary has insisted, after fears were raised about its software.
… Sir Michael Fallon insisted the security around the computer software on the aircraft carrier is "properly protected".
Should it be a crime to conceal a security breach?
FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016
The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).
These figures, however, are likely to be only a fraction of the full picture. The FBI estimates that only 15 percent of the nation's fraud victims report their crimes to law enforcement.
For my Ethical Hacking students. Let’s build one!
… The Wi-Fi Pineapple is a piece of hardware that was originally created for network penetration testing. Pen testing is an authorized attack of a system in order to find vulnerabilities. The practice is part of a larger branch of testing known as Ethical Hacking.
Also for my Ethical Hacking students. Can we tap into any Echo, anywhere? (And if so, who should we give one to?)
The Amazon Echo now doubles as a home intercom system
Amazon will officially release the Show in a few days, but in the meantime, the company is introducing a long-awaited intercom feature for existing Echo devices. The addition uses Drop-In, a teleconferencing feature introduced on the Show that lets close friends and family members call into one another’s device with little warning.
I really didn’t like the feature when I tested the device this week — I found it to be pretty intrusive compared to standard calling
… The system works through household groups created during the setup process, rather than in-home Wi-Fi. That means the app can also be used to check in on loved ones from afar, for those who have kids or elderly relatives — or, one imagines, for more nefarious reasons.
Not surprising. By their nature, start-ups are not “mature” in areas like security and privacy.
WASHINGTON, DC, June 27, 2017 – In a report released today from graduate researchers at Carnegie Mellon’s Heinz College, new research examines how educational technology startups balance limited resources and privacy concerns. The graduate researchers found that a disconnect between education providers and edtech startups may be due to the limited consideration startups put into creating, much less communicating, their privacy practices.
Additional findings include that, with startups’ limited resources and emphasis on product development, privacy isn’t often a priority.
… While only exploratory, the study asks important questions about how startups can best protect student data and effectively communicate with the public regarding privacy.
A summary of the report’s findings can be found here.
I don’t know many of these people. Should I?
TIME – The 25 Most Influential People on the Internet
by Sabrina I. Pacifici on Jun 26, 2017
“For our third annual roundup of the most influential people on the Internet, TIME sized up contenders by looking at their global impact on social media and their overall ability to drive news… Here’s who made this year’s unranked list”
Hey, Google! Give me a call. I happen to know a good anti-trust lawyer.
Google hit with record EU fine over Shopping service
Google has been fined 2.42bn euros ($2.7bn; £2.1bn) by the European Commission after it ruled the company had abused its power by promoting its own shopping comparison service at the top of search results.
The amount is the regulator's largest penalty to date against a company accused of distorting the market.
The ruling also orders Google to end its anti-competitive practices within 90 days or face a further penalty.
The US firm said it may appeal.
“I’m shocked. Shocked I tell you!”
Global view of US worsens under Trump, Pew says
… Surveys of residents in 37 nations across the world released on Tuesday found that since Trump took office in January, the US's image overseas has sharply declined and views of the new US leader in general are largely negative.
… When each country was asked which leader they had confidence in to "do the right thing regarding world affairs," only Israel and Russia had more confidence in Trump than former US President Barack Obama.
It would have to be thus, if you are hiring from a global pool of talent.
In Unilever's radical hiring experiment, resumes are out, algorithms are in
When Saniya Jaffer arrived for a job interview at Unilever PLC's Englewood Cliffs, N.J., office last October, she was a finalist for a summer position in information technology. After three rounds of interviews and assessments, the Chicago-native was about to encounter the first human in the process.
Before then, 21-year-old Ms. Jaffer had filled out a job application, played a set of online games and submitted videos of herself responding to questions about how she'd tackle challenges of the job. The reason she found herself in front of a hiring manager? A series of algorithms recommended her.
… The company has made more than 450 hires across the globe this way since the fall of 2016. Its experiment provides a glimpse of a tech-fueled future of recruiting in which humans write job descriptions and make the final decisions, but software and algorithms do the rest. Goldman Sachs Group Inc. and Wal-Mart Stores Inc.'s Jet.com have begun using similar digital tools to hook young workers and broaden their candidate base.
Worth a try?
Management, as seen from below.
Monday, June 26, 2017
This does not bode well for the next election.
Govt Websites in Ohio, Maryland Hacked With Pro-IS Messages
Several government websites in the US states of Ohio and Maryland had to be shut down Sunday after being hacked to display messages supporting the Islamic State group.
Among the affected websites was one belonging to Ohio Governor John Kasich.
Posted on the websites was a message from a group calling itself Team System DZ, vowing revenge against US President Donald Trump.
Technology and lawyers? No comment.
ABA – Cloud Ethics Opinions Around the U.S.
by Sabrina I. Pacifici on Jun 25, 2017
ABA Law Practice Division – “Cloud Ethics Opinions – There’s a compelling business case for cloud computing, but can lawyers use it ethically? We’ve compiled these comparison charts to help you make the right decision for your practice.
Broadly defined, cloud computing (or “Software as a Service”) refers to a category of software that’s delivered over the Internet via a Web browser (like Internet Explorer) rather than installed directly onto the user’s computer. The cloud offers certain advantages in terms of minimal upfront costs, flexibility and mobility, and ease of use. Because cloud computing places data–including client data–on remote servers outside of the lawyer’s direct control, it has given rise to some concerns regarding its acceptability under applicable ethics rules. Learn more about cloud computing in our brief overview…”
What information would you expect to be recorded for each stop? Seven states don’t record the reason for a stop; only four fail to record the race of the driver.
The Stanford Open Policing Project
by Sabrina I. Pacifici on
The Stanford Open Policing Project – “On a typical day in the United States, police officers make more than 50,000 traffic stops. Our team is gathering, analyzing, and releasing records from millions of traffic stops by law enforcement agencies across the country. Our goal is to help researchers, journalists, and policymakers investigate and improve interactions between police and the public.”
Sounds like Economics 101 was right all along. Will politicians lead the charge to go back to lower wages? Will they even acknowledge this study?
Seattle’s Minimum Wage Hike May Have Gone Too Far
… In January 2016, Seattle’s minimum wage jumped from $11 an hour to $13 for large employers, the second big increase in less than a year. New research released Monday by a team of economists at the University of Washington suggests the wage hike may have come at a significant cost: The increase led to steep declines in employment for low-wage workers, and a drop in hours for those who kept their jobs. Crucially, the negative impact of lost jobs and hours more than offset the benefits of higher wages — on average, low-wage workers earned $125 per month less because of the higher wage, a small but significant decline.
Read. It’s something the apes (and my students) can’t seem to do.
Project Gutenberg is the oldest digital library in the world. You might even be reading a classic from there right now in your e-reader.
But don’t you hate how it’s formatted?
Gutenberg is a worthwhile effort, but as a true book lover you just might be turned off by the poor formatting of those old books, crippled by archaic typesets that strain your eyes. The absence of attractive book covers might also irk you.
Standard Books promises to change all that. This volunteer effort is bringing the oomph back to these old classics.
… Standard Books also makes browsing through the catalog easier. It’s a clean interface with a search bar on top and a sort filter below. Click on the attractive book covers and jump to the book page. The free download options cover all popular formats you would need today: EPUB, EPUB3, AZW3, and KEPUB for Kobo devices.
… You too can get involved. It might make you a good reader, but it will surely make you a better editor.
I’m surprised they lasted this long.
Overwhelmed By Air Bag Troubles, Takata Files For Bankruptcy Protection
Long crippled by lawsuits and recall costs over its faulty air bags, Takata, the Japanese auto parts maker, filed for bankruptcy protection in Japan and the U.S. on Sunday.
Takata is on the hook for billions of dollars to banks and automakers, which have been covering the replacement costs of tens of millions of the recalled air bag inflators.
The company plans to sell what's left of its operations to the rival U.S. auto parts supplier, Key Safety Systems, for $1.588 billion.