Saturday, September 09, 2017

More on Equifax.
Equifax security breach debacle thickens with improbable denials
… there’s no mention of whether the stolen data is encrypted or not.
… The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
Melin later reported on Equifax’s claim that none of the three — the CFO, the president of U.S. information solutions, and president of workforce solutions — knew about the breach when they sold their stock:
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
You can draw your own conclusions.
… The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich.

(Related). Business should never be about, “What can we get away with?”
Equifax updates user agreement at prodding of New York Attorney General
Equifax has changed its terms of service to note that users checking to see if they've been affected by a massive breach it endured are not waiving their right to file a class action lawsuit.
Prior to the update, users on social media pointed out that individuals using Equifax's tool to see if their information was compromised in a massive data breach could be giving up their rights to file or join a lawsuit against the company.

This suggests to me that they will move to machines that have not been “White Hat Tested.”
Virginia scraps touchscreen voting machines
The Virginia State Board of Elections moved Friday to do away with touchscreen voting machines in the state by November’s election, a move aimed at boosting security.
The board decided to phase out the machines this year after the Virginia Department of Elections recommended that the touchscreen voting machines be decertified. The recommendation came after security experts breached numerous types of voting machines with ease at the DEF CON cybersecurity conference in Las Vegas in July, according to The Richmond Times-Dispatch.
The move comes amid heightened concerns over foreign interference in future elections, in light of the U.S. intelligence community’s conclusion that Russia used cyberattacks and disinformation to interfere in the 2016 presidential election.
Virginia’s gubernatorial election will take place in November, meaning that the move to get rid of the machines would result in 22 localities having to replace their equipment less than two months before the vote.

Like a tax haven for patents. I like it!
How to Protect a Drug Patent? Sell it to a Native American Tribe
The drugmaker Allergan announced Friday that it had transferred its patents on a best-selling eye drug to the Saint Regis Mohawk Tribe in upstate New York — an unusual gambit to protect the drug from a patent dispute.
Under the deal, which involves the dry-eye drug Restasis, Allergan will pay the tribe $13.75 million. In exchange, the tribe will claim sovereign immunity as grounds to dismiss a patent challenge through a unit of the United States Patent and Trademark Office. The tribe will lease the patents back to Allergan, and will receive $15 million in annual royalties as long as the patents remain valid.
… Mr. White said the tribe was approached in April by a Dallas law firm, Shore Chan DePumpo, which proposed the idea. The tribe has already taken ownership of patents owned by a technology company that Mr. White declined to name, but said the Allergan arrangement is the tribe’s first pharmaceutical deal.

Perspective. Banks are finally getting into the Mobile Banking business! (Perhaps it should be called ‘Banking as a Service?’)
Zelle, a payment network backed by major US banks, is launching a standalone app
Zelle, a new payment service backed by more than 30 US banks, will launch its standalone app on September 12th to take on competitors like Venmo and Square Cash. The network had been quietly powering money transfers for major US banks including Bank of America, Chase, Wells Fargo, and Citibank since launching in June.
While the Zelle app won’t have social components like a share feed, comments, or a Like button, the company says it’s targeted toward users who value instantaneous transactions. Since the network works directly with banking partners, money can be transferred between accounts — regardless of bank affiliations — for free, and can be withdrawn in minutes. In comparison, Venmo balances need to be “cashed out,” and it can take at least 24 hours until that money is available in your bank account. Venmo parent company PayPal recently offered instant withdrawal for 25 cents per transaction, but has yet to roll out a similar feature on Venmo.
To use the Zelle app, customers have to sign up for a Zelle account then link their bank information. Users can send money using a contact’s email address or phone number, but the recipient must also sign up for a Zelle account to complete the transaction. You can avoid all of this by continuing to use your bank’s own app which is likely already powered by Zelle, but it’s an option for someone who wants a single-purpose app for quickly transferring money.

Is it still “too good to be true?”
With the number of video streaming services increasing all the time, it’s tempting to assume the death of cinema is nigh. After all, why would you pay $10 for one film when you can enjoy a whole month of Netflix for less?
Perhaps I’m being facetious. Going to the movie theater is still an enjoyable activity. However, it’s hard to deny that with progressively larger TV screens, better picture quality, and improvements in speaker systems, the difference between watching at home and heading to the cinema is narrowing.
One company — MoviePass — is trying to reverse the trend and inject new life into the theater-going experience. But what is MoviePass? How does it work? And how can it save you money? Keep reading to find out everything you need to know about using MoviePass.

I think my students know of many more sites like these, but this is a start.
Ah, schadenfreude! So universal is our tendency to laugh at the misfortune of others that the Germans invented a term for it. Not to be left behind, the internet coined its own term: “Fail.” Let’s witness the best (or worst?) of these.
Well, let’s be clear, this isn’t the worst of the web. Fails are all about genuine attempts that went horribly wrong. Fails encompass everything from unintentional slapstick to hilarious arguments. And they don’t discriminate between sites, whether you are Facebook, Google Maps, or something else.

An obvious downside of Artificial Intelligence.

Friday, September 08, 2017

Almost everyone has been hacked. What will you do about it?
Equifax Says Cyberattack May Have Affected 143 Million Customers
Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.
… “This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”
Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.
… “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.
… Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.
Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.
“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.
Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.
… Equifax has created a website,, to help consumers determine whether their data was at risk.
… Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.

Again? Same thing every election cycle?
Software to capture votes in upcoming national election is insecure
The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.

Might be amusing to try this in my Computer Security class.
EU Defense Ministers Put to Test in Mock Cyberattack
A major cyberattack targets European Union military structures, with hackers using social media and "fake news" to spread confusion, and governments are left scrambling to respond as the crisis escalates.
This was the scenario facing a gathering of EU defence ministers in Tallinn on Thursday as they undertook an exercise simulating a cyber assault on the bloc -- the first mock drill of its kind at such a senior level in Europe.
... NATO now considers cyberspace to be a conflict domain alongside that of air, sea and land.
"We are not creating programmers from the ministers but we want them to understand that these quickly developing situations could demand quick political decisions -- that's the idea of the exercise," Estonian Defence Minister Juri Luik said.
- 'Exciting' exercise -
Estonian officials said the aim was to improve ministers' understanding of the kinds of target that could be hit by a cyberattack, the effects such an attack could have and how they could respond -- as well as the need for clear, coordinated communication with the public on what can be a complex issue.
German Defence Minister Ursula von der Leyen said the two-hour exercise was "extremely exciting".
"The adversary is very, very difficult to identify. The attack is silent, invisible... it is cost-effective for the adversary because he does not need an army, but only a computer with internet connection," she said.

A hack-the-hackers project for my Digital Forensics students: get copies of these tools and find a way to detect or block them.
Shadow Brokers Release Tool Used by NSA to Hack PCs
The hacker group calling itself Shadow Brokers continues to release tools and exploits allegedly stolen from the U.S. National Security Agency (NSA), including a sophisticated espionage platform that can be used to take full control of targeted computers.
In the past year, Shadow Brokers has apparently tried to make a significant amount of money by offering to sell various tools and exploits used by the Equation Group, a cyber espionage actor linked by researchers to the NSA.
After several failed attempts, the Shadow Brokers’ latest offer involves monthly leaks for which interested parties have to pay a fee ranging between 100 Zcash (roughly $24,000) and 16,000 Zcash (roughly $3.8 million) -- older dumps can be acquired for a few hundred Zcash while the price of future dumps will increase exponentially. An analysis of their cryptocurrency addresses showed that the hackers have made at least tens of thousands of dollars from the monthly dump service.
With the September release, announced on Wednesday, Shadow Brokers informed interested entities that they will offer two dumps every month, and that Monero digital currency is no longer accepted.

Now here is a thankless job…
What North Korea thinks about Trump — according to the man who interprets his tweets for Kim Jong Un
… Pak Song Il, the North Korean tasked with interpreting US politics, statements, and military posture, told Osnos during a trip to Pyongyang that Trump had thrown him for a loop.
"When he speaks, I have to figure out what he means, and what his next move will be," Pak said. "This is very difficult."
"He might be irrational — or too smart. We don’t know," Pak said.

News Use Across Social Media Platforms 2017
As of August 2017, two-thirds (67%) of Americans report that they get at least some of their news on social media – with two-in-ten doing so often, according to a new survey from Pew Research Center.
… For the first time in the Center’s surveys, more than half (55%) of Americans ages 50 or older report getting news on social media sites. That is 10 percentage points higher than the 45% who said so in 2016. Those under 50, meanwhile, remain more likely than their elders to get news from these sites (78% do, unchanged from 2016).

Too good to be true? A follow-up.
MoviePass Bungles Its First Big Test With Subscribers To Its $9.95/Month Service
Movie ticket subscription purveyor MoviePass is off to a rocky start, with delays in delivering membership cards to new subscribers and a significant number of customers complaining that a buggy app is preventing them from getting in to the movies they were expecting to see.
… on Thursday the New York City-based ticket subscription service advised via a mass email titled “Important MoviePass Updates” that it would not be delivering membership cards to new paying subscribers within the ‘5-7 days business days’ period that it had promised upon receiving their initial $9.95 payments.
The email explained: “Though our processing facility has increased production, there is currently a 2-3 week delay in card delivery.” The communique cited “unprecedented demand” as the cause of the problem.
… Google Play Store data indicates that the MoviePass app has been downloaded over 100,000 times. Of the 2,500 users who have rated the app, approximately half gave it the lowest possible rating of one star out of five. I took it upon myself to check out the app, and after less than a minute of experience with it I found myself frustrated and feeling that those scathing reviews were well justified.
The first thing the app does is demand access to the user's smartphone files and photos, as well as the ability to track their location. If a user declines to provide MoviePass with what appears to be unlimited access to their private information, the app immediately freezes them out of the service, even though they have paid for it.

Robot law. (I wonder if this would improve student averages too?)

Thursday, September 07, 2017

These holes are designed in as “features.” Security is “not required?”
Alexa, Siri are easily hacked, you won’t even hear it coming
… Chinese researchers have demonstrated that Alexa, Siri, Cortana, and Google Assistant can be easily told to do things without the knowledge, much less permission, of their owners. All by saying commands that no human can actually hear.
Like any kind of wave, sound covers a wide range of frequencies, only a small part of which is actually audible to humans. Anything below 20 Hz or above 20 kHz is so imperceptible to our ears that, for all intents and purposes, it might as well be nonexistent. But the mics in our phones and smart speakers are completely capable of detecting sound beyond those ranges and, in fact, use them for some purposes. Sadly, that fact can be exploited to give them commands that will put users at risk.
The researchers were able to set up a device using nothing more than an off-the-shelf smartphone and around $3 worth of parts like an amp and a speaker. Within a certain distance, they were not only able to trigger the personal assistants, they were also able to get them to perform actions. Imagine getting your phone to visit a malicious website or getting your smart speaker to open the door.
There is one major caveat to this attack, nicknamed “DolphinAttack,” that does minimize its effectiveness. The attacker has to be within a certain distance from the phone or speaker for it to work, from a few inches to a few feet. Still, that might be far enough to do some damage.
Unfortunately, the companies developing these voice assistants can’t simply tell them to ignore any audio coming from outside the normal human range. These platforms use higher, imperceptible frequencies in order to better analyze audible voice commands. Some also use these “unused” frequencies for features like seemingly magical instant connectivity. It’s not an easy hole to plug, but considering how large a gaping hole it is, the developers should get scrambling to work on a fix.

Vocal theft on the horizon
Your voice is yours alone – as unique to you as your fingerprints, eyeballs and DNA.
Unfortunately, that doesn’t mean it can’t be spoofed. And that reality could undermine one of the promised security benefits of multi-factor authentication, which requires “something you are,” along with something you have or you know. In theory, even if attackers can steal passwords, they can’t turn into you.
But given the march of technology, that is no longer a sure thing. Fingerprints are no longer an entirely hack-proof method of authentication – they can be spoofed.
That will soon be true of your voice as well.
The risk goes well beyond recent warnings from the Federal Communications Commission (FCC) and Better Business Bureau (BBB) about spam callers trying to get a victim to say the word “yes,” which they record and then use to authorize fraudulent credit card or utility charges, or to “prove” that the victim owes them money for services never ordered.

Something for my students to consider (before they start applying for jobs)?
… there are several ways you can delete your social media accounts and history. You aren’t only limited to the traditional means, such as deleting your profile through Facebook. In fact, there are lots of online services and apps that can help you with this task.

And it wasn’t even Justin Bieber?
Joe Dahlke reports:
Five nurses at Denver Health Medical Center were suspended for three weeks after opening a bag to inappropriately view a deceased patient’s genitals, a hospital spokesman said Tuesday.
The incident was reported after a different nurse overheard one of the suspended nurses make a comment about it, according to a Denver Health spokesman.
Read more on KDVR.

(Related). What is our obsession with nudity?
ITV reports:
The Duke and Duchess of Cambridge have said they are “pleased” a French court found in their favour after topless pictures of Kate were published in French Closer.
A court awarded the Duke and Duchess almost £95,000 in damages following the pictures being made public.
Read more on ITV.

So, they only did it once (on this flight) and the DoT only fines for multiple incidents of rule breaking?
Feds won’t fine United over dragging incident, despite finding rules violations
The federal government will not fine United Airlines in the violent dragging of a passenger off one of its airplanes after the man refused to give up his seat to a crew member in April, according to a letter obtained by an airline passengers’ rights group.
In the letter, dated May 12 and released Wednesday by nonprofit advocacy group Flyers Rights, the U.S. Department of Transportation explains that while United violated some rules concerning overbooking procedures, there was no evidence of race or nationality-based discrimination in the incident, and United hadn’t engaged in a pattern of rule-breaking that would warrant a fine.
… “The airlines really have only one regulator — and that’s the DOT,” Hudson said in an interview Wednesday. “In addition to the bumping rule, they’re supposed to enforce and prohibit any unfair or deceptive conduct by airlines.”
Hudson called Dao’s dragging off the airplane “egregious” and said the finding of no action reflected poorly on the DOT.
… In its letter, DOT argued that while United flouted certain regulations, the airline remedied the compensation error 10 days later, and Dao wasn’t properly given written notice of the federal rules because he needed immediate medical care for his injuries.

No, they haven’t suddenly become vegetarians. If the pesticide never touches the crop, can they call it “Organic?”
Why John Deere Just Spent $305 Million on a Lettuce-Farming Robot
Look out weeds. Tractor giant John Deere just spent $305 million to acquire a startup that makes robots capable of identifying unwanted plants, and shooting them with deadly, high-precision squirts of herbicide.
… Pesticides and other chemicals are traditionally applied blindly across a whole field or crop. Blue River’s systems are agricultural sharp shooters that direct chemicals only where they are needed.
The startup’s robots are towed behind a regular tractor like conventional spraying equipment. But they have cameras on board that use machine-learning software to distinguish between crops and weeds, and automated sprayers to target unwanted plants.
… Willy Pell, director of new technology at Blue River, says the system has shown it can reduce herbicide use by 90 percent.

Sharpen your spreadsheets! How much would it be worth to have Amazon here in Denver?
Amazon is looking for a 2nd headquarter city, a ‘full equal to Seattle’
Today the company announced that it is opening a search for a city in North America to make its second headquarters, envisioned as a “full equal” to Amazon’s existing home in Seattle, Washington.
At full-capacity, the site would be expected to be of similar, or even bigger, size to the Seattle operation, which today is a major cornerstone of Seattle’s business life, employing 40,000 people, covering 8.1 million square feet with 33 buildings including 24 restaurants. HQ2, as Amazon is calling the new headquarters, is expected to employ 50,000 and will get $5 billion in investment, the company said.
… “Amazon HQ2 will bring billions of dollars in up-front and ongoing investments, and tens of thousands of high-paying jobs.

I’m thinking about a “How to pass this class” infographic.

Robot overlords have an upside?

Wednesday, September 06, 2017

So, who would benefit? Russia? North Korea? China? Iran? Syria?
Hackers Gain ‘Switch-Flipping’ Access to US Power Grid Control Systems
Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.
Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ networks. And at a handful of US power firms and at least one company in Turkey—none of which Symantec will name—their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.
… The only comparable situations, he says, have been the repeated hacker attacks on the Ukrainian grid that twice caused power outages in the country in late 2015 and 2016, the first known hacker-induced blackouts.

If you missed all the stories about hacking MongoDB, the hackers thank you for your ignorance.
Liam Tung reports:
Three groups of hackers have wiped around 26,000 MongoDB databases over the weekend and demanded victims to pay about $650 to have them restored.
The new wave of MongoDB ransom attacks marks a resurgence of the massive assault on unsecured instances of the open-source NoSQL database earlier this year. The attacks were discovered by security researchers Victor Gevers and Niall Merrigan.
The current attacks are being tracked by Gevers and fellow researcher Dylan Katz. According to the ‘MongoDB ransacking’ Google Docs spreadsheet that the pair are updating, one group using the address ‘’ has ransacked over 22,000 MongoDB instances.
Read more on ZDNet.

Weak protection for social media users.
If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have been compromised in a massive data breach that leaked login details of almost all of its over 28 million users.
… The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users.
The hashed passwords use an ageing algorithm called MD5 – which has been considered outdated even before 2012 – that can easily be cracked, making Taringa users open to hackers.
Wanna know how weak MD5 is? The LeakBase team has already cracked 93.79 percent (nearly 27 million) of the hashed passwords within just a few days.
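As an added illustration of the point the excerpt makes (this is not code from The Hacker News, LeakBase or Taringa; account names, passwords and the wordlist are constructed), the weak scheme and a hardened one side by side: unsalted MD5 is fast and deterministic, so a common-password list hashed once matches every account that reused one of those passwords, whereas a per-account salt plus an iterated KDF from Python's standard library forces the full cost for every account and candidate.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def md5_hash(password: str) -> str:
    """The weak scheme: unsalted MD5. One fast hash, and identical
    passwords always produce identical digests across all users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened scheme: salted, iterated PBKDF2-HMAC-SHA256 from the
    standard library, stored with its parameters so it can be verified
    later and the work factor raised over time."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed stand-in for the common-password lists used in audits;
# real lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def audit_md5_dump(dump: Dict[str, str], wordlist=COMMON_PASSWORDS) -> Dict[str, str]:
    """Defender-side audit of an unsalted-MD5 table: with no salt, the
    wordlist is hashed once and the table is reused against every account.
    Returns {username: weak_password} for the accounts that match."""
    table = {md5_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def audit_pbkdf2_store(store: Dict[str, str], wordlist=COMMON_PASSWORDS) -> Dict[str, str]:
    """The same audit against the hardened store: each account's unique
    salt forces the full iterated KDF per (account, candidate) pair,
    which is exactly the cost an attacker with the dump would face."""
    found = {}
    for user, stored in store.items():
        for w in wordlist:
            if verify_password(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    # Constructed sample accounts, one with a common password and one without.
    md5_dump = {"alice": md5_hash("123456"), "bob": md5_hash("correct horse battery")}
    print("weak MD5 accounts:", audit_md5_dump(md5_dump))
    pbkdf2_store = {u: hash_password(p) for u, p in
                    [("alice", "123456"), ("bob", "correct horse battery")]}
    print("weak PBKDF2 accounts:", audit_pbkdf2_store(pbkdf2_store))
```

Both audits find the same weak account; the difference is that the MD5 audit cost four hashes in total while the PBKDF2 audit cost a full 200,000-iteration derivation per account and candidate, and that cost is what keeps a leaked table from falling in days.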

This will likely generate more headlines and news articles than attacks on the power grid. Did they learn to cheat from the Patriots?
Boston Red Sox Used Apple Watches to Steal Signs Against Yankees
For decades, spying on another team has been as much a part of baseball’s gamesmanship as brushback pitches and hard slides. The Boston Red Sox have apparently added a modern — and illicit — twist: They used an Apple Watch to gain an advantage against the Yankees and other teams.
Investigators for Major League Baseball have determined that the Red Sox, who are in first place in the American League East and very likely headed to the playoffs, executed a scheme to illicitly steal hand signals from opponents’ catchers in games against the second-place Yankees and other teams, according to several people briefed on the matter.
The baseball inquiry began about two weeks ago, after the Yankees’ general manager, Brian Cashman, filed a detailed complaint with the commissioner’s office that included video the Yankees shot of the Red Sox dugout during a three-game series between the two teams in Boston last month.
The Yankees, who had long been suspicious of the Red Sox’ stealing catchers’ signs in Fenway Park, contended the video showed a member of the Red Sox training staff looking at his Apple Watch in the dugout. The trainer then relayed a message to other players in the dugout, who, in turn, would signal teammates on the field about the type of pitch that was about to be thrown, according to the people familiar with the case.
Baseball investigators corroborated the Yankees’ claims based on video the commissioner’s office uses for instant replay and broadcasts, the people said. The commissioner’s office then confronted the Red Sox, who admitted that their trainers had received signals from video replay personnel and then relayed that information to Red Sox players — an operation that had been in place for at least several weeks.
… Stealing signs is believed to be particularly effective when there is a runner on second base who can both watch what hand signals the catcher is using to communicate with the pitcher and can easily relay to the batter any clues about what type of pitch may be coming. Such tactics are allowed as long as teams do not use any methods beyond their eyes. Binoculars and electronic devices are both prohibited.

(Related) Besides, Cory Doctorow is one of my favorite writers. An article worth reading!
Cheating is a given.
Inspectors certify that gas-station pumps are pumping unadulterated fuel and accurately reporting the count, and they put tamper-evident seals on the pumps that will alert them to attempts by station owners to fiddle the pumps in their favor. Same for voting machines, cash registers, and the scales at your grocery store.
The basic theory of cheating is to assume that the cheater is ‘‘rational’’ and won’t spend more to cheat than they could make from the scam: the cost of cheating is the risk of getting caught, multiplied by the cost of the punishment (fines, reputational damage), added to the technical expense associated with breaking the anti-cheat mechanisms.
Software changes the theory. Software – whose basic underlying mechanism is ‘‘If this happens, then do this, otherwise do that’’ – allows cheaters to be a lot more subtle, and thus harder to catch. Software can say, ‘‘If there’s a chance I’m undergoing inspection, then be totally honest – but cheat the rest of the time.’’
This presents profound challenges to our current regulatory model: Vegas slot machines could detect their location and if they believe that they are anywhere near the Nevada Gaming Commission’s testing labs, run an honest payout. The rest of the time, they could get up to all sorts of penny-shaving shenanigans that add up to millions at scale for the casino owners or the slot-machine vendors (or both).
… The most famous version of this is Volkswagen’s Dieselgate scandal, which has cost the company billions (and counting): Volkswagen engineered several models of its diesel vehicles to detect when the engine was undergoing emissions testing and to tilt the engines’ performance in favor of low emissions (which also meant more fuel consumption). The rest of the time, the engines defaulted to a much more polluting mode that also yielded better gas mileage. Thus the cars were able to be certified as low-emissions by regulators and as high efficiency by reviewers and owners – having their cake and eating it too.

Do you really need AI to point out information that should already be in your reports? Perhaps you just need to read the reports!
Banks Testing IBM's AI Tech for Employee Surveillance
Lenders asked International Business Machines Corp. if it were possible to use the technology to also watch retail-banking salespeople, loan officers and other workers, according to Marc Andrews, a manager on the company’s Watson financial services team. Several of the biggest U.S. banks, as well as some regional banks, are testing the software, Andrews said. He declined to name them.
IBM trained Watson to collect information that could’ve helped detect problems at Wells Fargo, which said last week that employees opened as many as 3.5 million bogus checking and credit-card accounts for unsuspecting customers, even more than its original estimate when the scandal broke last year. Watson looks for suspicious logon patterns, unusual levels of unused products or accounts with mismatched contact information or email notifications that have been switched off, Andrews said. The artificial intelligence program, which understands human language, sifts through employee emails for trends such as managers pressuring workers to make sales, he said.
“Banks hadn’t been investing as much into this area until there was a big incident last year,” Andrews said, referring to the Wells Fargo scandal. “Right now, they know right away if an ATM is broken. But if there are trends emerging like a lot of people complaining about an account being opened that they weren’t aware of, how quickly does that surface up to the executives?”
… Some correlations aren’t obvious. In the U.S., a trader’s use of profanity drops shortly before an episode of misconduct, Andrews said, as “maybe they’re trying to be a little more careful.” But in the U.K., traders tend to curse more before committing misdeeds.
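The indicators the article lists (mismatched contact information, e-mail notifications switched off, products that are never used) are simple enough to check without an AI system. The following is an added example, not IBM's or any bank's code, that scores constructed account records against those indicators and rolls the hits up by the employee who opened each account; the thresholds and weights are assumptions.

```python
"""Flag possibly unauthorized account openings using the indicators the article names:
mismatched contact information, notifications switched off, and unused products.
All data below is constructed sample data."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    account_id: str
    customer_id: str
    opened_by: str        # employee who opened the account
    opened: date
    customer_email: str   # e-mail on the customer's master profile
    account_email: str    # e-mail recorded on this product
    notifications_on: bool
    transactions: int     # customer-initiated transactions since opening

# Assumed weights: a mismatched address or a product nobody ever used is a stronger
# signal than notifications being turned off.
WEIGHTS = {"mismatched_contact": 2, "notifications_off": 1, "unused_product": 2}
UNUSED_AFTER_DAYS = 90   # assumption: a product untouched for 90 days counts as unused

def indicators(acct: Account, as_of: date) -> list:
    hits = []
    if acct.account_email.lower() != acct.customer_email.lower():
        hits.append("mismatched_contact")       # contact info routed away from the customer
    if not acct.notifications_on:
        hits.append("notifications_off")        # customer would never see statements or alerts
    if acct.transactions == 0 and (as_of - acct.opened).days >= UNUSED_AFTER_DAYS:
        hits.append("unused_product")
    return hits

def score(acct: Account, as_of: date) -> int:
    return sum(WEIGHTS[h] for h in indicators(acct, as_of))

def employees_to_review(accounts, as_of, threshold=3, min_accounts=2) -> dict:
    """Employees who opened at least `min_accounts` accounts scoring >= `threshold`.
    One odd account is noise; a cluster under one employee is the trend the article
    says should surface to executives."""
    flagged = Counter(a.opened_by for a in accounts if score(a, as_of) >= threshold)
    return {emp: n for emp, n in flagged.items() if n >= min_accounts}

AS_OF = date(2017, 9, 1)
SAMPLE = [  # constructed records
    Account("A1", "C1", "emp7", date(2017, 3, 1), "ana@example.com", "ana@example.com", True, 14),
    Account("A2", "C2", "emp7", date(2017, 4, 2), "bo@example.com", "b2.emp7@example.net", False, 0),
    Account("A3", "C3", "emp7", date(2017, 4, 3), "cy@example.com", "cy@example.com", False, 0),
    Account("A4", "C4", "emp9", date(2017, 8, 20), "di@example.com", "di@example.com", True, 0),
    Account("A5", "C5", "emp9", date(2017, 5, 1), "ed@example.com", "e.d@example.com", True, 3),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.account_id, a.opened_by, score(a, AS_OF), indicators(a, AS_OF))
    print("review:", employees_to_review(SAMPLE, AS_OF))
```

A4 was opened less than 90 days ago, so zero transactions alone does not flag it; A2 and A3 together put emp7 on the review list.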

What is a fair balance? Answering a child's text message is certainly okay. Binge-watching 'Game of Thrones' probably is not.
Europe Court Backs Employee Fired Over Private Messages
Europe's top rights court on Tuesday restricted the ability of employers to snoop on their staff's private messages, in a landmark ruling with wide ramifications for privacy in the workplace.
The highest body of the European Court of Human Rights (ECHR) ruled in favour of a 38-year-old Romanian man who claimed his rights had been violated when he was sacked in 2007 for sending private chat messages in the office.
In a first ruling in January last year, the ECHR found that the snooping was allowed because employers were justified in wanting to verify "that employees were completing their professional tasks during working hours".
But in a review, the 17 most senior judges at the court based in Strasbourg, France, found Tuesday that Romanian courts "had not adequately protected Mr Barbulescu's right to respect for his private life and correspondence".
In a written judgement, backed by 11 votes to six, they found that previous court rulings had "failed to strike a fair balance between the interests at stake", namely the company's right to check on employees and employees' right to privacy.
The judges also found that "an employer's instructions could not reduce private social life in the workplace to zero", meaning that some use of the internet at work for personal reasons was justified.
The ruling will become law in the 47 countries that have ratified the European Convention on Human Rights, meaning some members will have to adjust their national legislation.

Marketing vs Reality? Do managers ever check this stuff?
Facebook’s Ad Metrics Come Under Scrutiny Yet Again
Facebook's advertising metrics have again been called into question, after Pivotal Research Group senior analyst Brian Wieser pointed out a large discrepancy between U.S. census data and the potential reach that the social network promises advertisers.
On Tuesday, Wieser issued a note pointing out that Facebook's Adverts Manager tool promises a potential reach of 41 million 18-24 year-olds in the U.S., while recent census data said there were only 31 million people living in the U.S. within that age range.
For 25-34 year-olds, Facebook claims a potential reach of 60 million, versus the 45 million people counted in the census last year.

Tuesday, September 05, 2017

Can the US look forward to the same problem?
German Merkel’s website hit by Cyber Attack coming from Russian IP Addresses
… Julia Kloeckner, Vice Chairman of Merkel’s Christian Democratic Union, said on Monday that her political website was attacked 3000 times on Sunday before and during the debate between Merkel and Social democratic leader Martin Schulz.
Julia added in her statement that attacks such as these have been emerging over the past 2 months, with a surge witnessed in the last two weeks.

Perspective. Is this about the cost of content or a story about not knowing the value of Cricket?
Facebook Just Made Its Biggest Live Streaming Bet - and Lost
As Facebook gets serious about video, the social giant's ambitions for live streaming were on display on Monday in India where it put a bid north of $600 million to win the digital streaming rights of IPL, one of the most popular cricket tournaments in the country.
Facebook, which has explored several partnerships with sport giants for live streaming in the recent months, made the highest bid of Rs. 3,900 crore (roughly $610 million) for the digital rights for streaming IPL within India for a period of five years. However, it lost the auction to Star India, which won worldwide digital and TV rights with a bid of Rs. 16,347.50 crore (roughly $2.5 billion), superseding all bids for individual markets, including that of Facebook.

Go ahead and bribe me, I don't teach in public schools, so I don't have to follow their silly rules. And I have an International audience both in my classrooms and on my Blog.
Silicon Valley Courts Brand-Name Teachers, Raising Ethics Issues
… Ms. Delzer also has a second calling. She is a schoolteacher with her own brand, Top Dog Teaching. Education start-ups like Seesaw give her their premium classroom technology as well as swag like T-shirts or freebies for the teachers who attend her workshops. She agrees to use their products in her classroom and give the companies feedback. And she recommends their wares to thousands of teachers who follow her on social media.
… Ms. Delzer is a member of a growing tribe of teacher influencers, many of whom promote classroom technology. They attract notice through their blogs, social media accounts and conference talks. And they are cultivated not only by start-ups like Seesaw, but by giants like Amazon, Apple, Google and Microsoft, to influence which tools are used to teach American schoolchildren.

Is this how Fake News gets Fake-er?
Examining the Alternative Media Ecosystem through Production of Alternative Narratives of Mass Shooting Events on Twitter
by Sabrina I. Pacifici on Sep 4, 2017
Examining the Alternative Media Ecosystem through the Production of Alternative Narratives of Mass Shooting Events on Twitter, Kate Starbird, University of Washington, HCDE.
“This research explores the alternative media ecosystem through a Twitter lens. Over a ten-month period, we collected tweets related to alternative narratives—e.g. conspiracy theories—of mass shooting events. We utilized tweeted URLs to generate a domain network, connecting domains shared by the same user, then conducted qualitative analysis to understand the nature of different domains and how they connect to each other. Our findings demonstrate how alternative news sites propagate and shape alternative narratives, while mainstream media deny them. We explain how political leanings of alternative news sites do not align well with a U.S. left-right spectrum, but instead feature an anti-globalist (vs. globalist) orientation where U.S. Alt-Right sites look similar to U.S. Alt-Left sites. Our findings describe a subsection of the emerging alternative media ecosystem and provide insight in how websites that promote conspiracy theories and pseudo-science may function to conduct underlying political agendas.”

Monday, September 04, 2017

This was released Friday, no doubt hoping the news would be ignored over the holiday weekend.
Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.
The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment.
Not all of the TWC records contained information about unique customers. Some contained duplicative information, meaning the breach ultimately exposed less than four million customers. Due to the size of the cache, however, the researchers could not immediately say precisely how many were affected.

Something my Computer Security students will need to defend against.
Junk call nightmare flooded woman with hundreds of bizarre phone calls a day
"I am in the middle of a cell phone nightmare," France, who lives in Hilton Head Island, South Carolina, told Ars in an e-mail after three days worth of the calls. "My phone started ringing three days ago and has continued to ring every few minutes since then. Each time it is from a different number... I can’t conduct a client call, can’t text because calls coming in interrupt the process, can’t even take photos for the same reason."
US consumers receive 2.4 billion robocalls a month, and the ones from spoofed numbers are among the hardest to stop, according to the Federal Communications Commission. Recognizing that today's robocall blocking systems are often useless against spoofed robocalls, the FCC recently called upon carriers to increase their efforts to block them.
France's case posed even greater challenges than usual because she may have been victimized by a targeted attack rather than a run-of-the-mill robocaller. There's also a question about whether the calls received by France were technically "robocalls."

Endorsing a “filtered news” site. (Is the article claiming that mainstream media loved Donald Trump “fake news?”) At minimum, a bias for Hillary?
Hillary Clinton endorsed a startup — and then it fell victim to a cyber attack
Hillary Clinton is allegedly at the center of another cyber attack — except this time it involves a startup that’s trying to become something of a social network for her political supporters.
The saga began Sunday night when Clinton — to the apparent surprise of her followers — took to Twitter to offer her personal endorsement of a new, relatively unknown website called Verrit.
I'm excited to sign up for @Verrit, a media platform for the 65.8 million!  Will you join me and sign up too?
In the words of its creator, Peter Daou, Verrit is his attempt to create an online hub for Clinton backers so that they can find easy-to-share facts, stats and other “information you can take out to social media when you’re having debates on key issues people are discussing,” he said in an interview.

Perhaps I can finally get my students interested in research?
Tech companies spend more on R&D than any other companies in the U.S.
Led by Amazon, Alphabet, Intel, Microsoft and Apple, tech companies spent more on research and development than any other companies in the S&P 500 that reported such data, according to FactSet data from the most recent fiscal year.
Amazon spent $16.1 billion on R&D last year, a figure that should strike fear into its competitors, as these investments could make the online retailer even more dominant.

For my moody students.
This is Your Brain on Snapchat
Do you spend a lot of time on Facebook?  Do your students spend every spare minute on Snapchat?  Have you wondered how this affects your mood or your students' moods?  If so, KQED and PBS Learning Media have a resource that you should share with your students.
How Do Different Social Media Platforms Affect Your Mood? is a video produced by KQED.  The five minute video explains the findings of some research on the correlations between social media use and moods.  The correlation between mood and social media use is also explained.  The video correctly points out that correlation is not necessarily indicative of causation.

What would you do if I sang out of tune
Would you stand up and walk out on me?
Lend me your ears and I'll sing you a song
And I'll try not to sing out of key

Sunday, September 03, 2017

It couldn’t happen here, could it?  Sounds like I should have my Computer Security class conduct a survey.
Pharma is hiding data breaches, claims UK survey
The results of the Crown Records Management (CRM) survey, undertaken by Censuswide, come just weeks after US pharma giant Merck & Co revealed it had fallen victim to the Petya ransomware attack.
The new survey polled 408 IT decision-makers in companies of between 100 and 1,000 employees across the country, and provided some shocking results which suggest many of the UK's data breaches are going unreported.
Some of the statistics for the pharmaceutical sector are below, with mixed results:
· 23 per cent have chosen not to report a breach to more senior management or the appropriate authorities;
· 15 per cent don’t know who to report a breach to – only the retail sector polled worse;
· 23 per cent know somebody in their company who hasn’t reported a data breach; and

All the celebrity gossip magazines have reported on his medical issues in great detail. What would be the Best Practice for securing medical records? Should there be a Celebrity Level of protection that is better than the Regular Guy Level?
Good grief. When I saw this headline, my first thought was that maybe OurMine had hacked the NY Daily News, but it seems the headline was for real. Justin Bieber had reportedly sought emergency medical care, an employee had been fired for allegedly accessing his medical records without necessity, and somehow the press found out about it all.
How did that happen?
I have no idea whether the Northwell Health employee who was terminated for allegedly accessing his medical records did what she is accused of doing.  That’s a second – and important – issue, to be sure.  But how did news of this all make it to a newspaper?  If the media found out about it from the legal action the fired employee took, did the suit actually name Bieber, and if so, did it have to?  Or did the media find out from some other source?  If so, who or what?  Was there a HIPAA breach in addition to any HIPAA breach Northwell had alleged?
I don’t know if HHS will investigate this seeming breach given how overwhelmed they are with breaches to investigate, but I have a number of questions I’d like answered, including:
  1. Does Northwell Health have logs that show whether or not the employee accessed Mr. Bieber’s records?  If they do have logs, did they show the proof of their allegations to the employee and her counsel?  If not, why not, and could this media circus have been avoided by the way they handled the accusation against the employee?
  2. Because of Mr. Bieber’s celebrity status, many systems would have additional precautions in place, such as using a fake name and “break the glass” security to further limit access to files.  From media reports, it appears that Mr. Bieber may have been admitted under an alias, but what other privacy protections did Northwell have in place?
  3. If Mr. Bieber is named in the complaint, did Northwell Health make any motion to seal the employment complaint to protect Mr. Bieber’s privacy?
It’s possible or even likely that I may be more concerned about this incident/disclosure than Mr. Bieber may be. As a healthcare professional, a privacy advocate, and as a patient of the Northwell Health System, I think all patients should be concerned by what happened to him because a failure to protect his privacy – when there should have been heightened vigilance to protect it – doesn’t bode well for the protection of the privacy of us “little folks.”
So yes, I will be following this case. Northwell Health did not immediately reply to a preliminary inquiry I sent them. That inquiry included whether “break the glass” protection had been in place for Bieber’s records, whether Northwell has logs/audits showing access to Bieber’s records that demonstrate that the employee did access them, and whether the former employee had any obligation not to reveal Mr. Bieber’s identity or details in any employment complaint.
This post will be updated as more information becomes available.
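Two of the questions raised above (do the access logs show whether a given employee opened the record, and was "break the glass" access to a flagged chart documented) are routine audit queries. The following is an added example with constructed log lines, not Northwell's system or any EHR vendor's code; the log layout, the restricted-patient list and the care-team roster are assumptions.

```python
"""Audit chart-access logs for a restricted ("break the glass") patient record.
Constructed sample data throughout; field names and the care-team model are assumed."""
import csv
import io

# Constructed sample log: one row per chart access. P-001 is the restricted chart
# (e.g. an alias admission); an empty break_glass_reason means no override was recorded.
ACCESS_LOG = """\
ts,user,patient,action,break_glass_reason
2017-09-01T10:02:00,dr.lee,P-001,view,
2017-09-01T10:15:00,rn.kim,P-001,view,
2017-09-01T11:40:00,clerk42,P-001,view,
2017-09-01T11:41:00,clerk42,P-001,print,
2017-09-01T12:05:00,dr.ng,P-001,view,covering ED attending per charge nurse
2017-09-01T12:30:00,clerk42,P-017,view,
"""
RESTRICTED = {"P-001"}                         # charts that require break-the-glass
CARE_TEAM = {"P-001": {"dr.lee", "rn.kim"}}    # users with a treatment relationship

def parse(log: str) -> list:
    return list(csv.DictReader(io.StringIO(log)))

def accesses_by(user: str, patient: str, rows: list) -> list:
    """Evidence question: every access `user` made to `patient`'s chart."""
    return [r for r in rows if r["user"] == user and r["patient"] == patient]

def unjustified_accesses(rows: list) -> list:
    """Accesses to a restricted chart by someone outside the care team that carry no
    documented break-glass reason. These are the rows a privacy officer must resolve."""
    findings = []
    for r in rows:
        if r["patient"] not in RESTRICTED:
            continue
        if r["user"] in CARE_TEAM.get(r["patient"], set()):
            continue                            # routine access by the treating team
        if r["break_glass_reason"].strip():
            continue                            # override recorded; reviewed separately
        findings.append((r["ts"], r["user"], r["action"]))
    return findings

def break_glass_for_review(rows: list) -> list:
    """Overrides that were recorded: each still needs a human to confirm the reason."""
    return [(r["ts"], r["user"], r["break_glass_reason"]) for r in rows
            if r["patient"] in RESTRICTED
            and r["user"] not in CARE_TEAM.get(r["patient"], set())
            and r["break_glass_reason"].strip()]

if __name__ == "__main__":
    rows = parse(ACCESS_LOG)
    print("clerk42 on P-001:", accesses_by("clerk42", "P-001", rows))
    print("unjustified:", unjustified_accesses(rows))
    print("overrides to review:", break_glass_for_review(rows))
```

Access to the non-restricted chart P-017 is not flagged, and dr.ng's access is separated out because an override reason was recorded rather than silently accepted.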

I have given up asking my favorite Computer Store to stop asking me questions like: “Do you still live at …”  My response of, “Yes, but you still aren’t invited to dinner” falls on deaf ears.