Saturday, December 16, 2017

Coming soon to an airport near us?
Australian airport hack was “a near miss” says government’s cybersecurity expert
A 31-year-old Vietnamese man has been jailed for a hacking attack that compromised the computer network of Perth International Airport, and reportedly resulted in the theft of building plans and sensitive security protocols.
Alistair MacGibbon, cybersecurity advisor to Australian Prime Minister Malcolm Turnbull, told local media that “a significant amount of data” was taken by the hacker, although radars and other systems linked to aircraft operations were not accessed.
… What is perhaps most interesting to us is just how the hacker managed to breach sensitive computer systems at the international airport.
The answer is sadly predictable. The hacker simply used the login credentials of a third-party contractor to gain unauthorised access to what should have been a well-secured network.
… it should never be acceptable for someone to log into a corporate network remotely with just a username and password. At the very least, additional measures such as two-factor authentication and IP whitelisting can be used to reduce the chances of an unauthorised hacker crowbarring their way onto the network.
In the case of this particular attack, with the hacker apparently being based in Vietnam, a simple geo-IP lookup could have ascertained that an attempt was being made to log into the airport’s network from a country where external contractors may not be expected to be located.
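The checks the excerpt calls for (second factor, source allowlist, geo-IP sanity check) applied to a remote-access log, as an added example that is not part of the original post: the log format, contractor accounts and the tiny geo-IP table are all constructed stand-ins, and the documentation prefixes are not real allocations.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for a geo-IP database (prefix -> ISO country code).
# A real check would consult a geo-IP database; these are documentation
# ranges, not real allocations.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "VN",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Hypothetical contractor accounts: the networks they may connect from and
# the countries in which they are expected to be located.
CONTRACTOR_POLICY = {
    "hvac-vendor": {"allow_nets": ["203.0.113.0/26"], "countries": {"AU"}},
    "bms-support": {"allow_nets": ["192.0.2.0/28"], "countries": {"US", "AU"}},
}

# Constructed remote-access log format: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: list = field(default_factory=list)


def lookup_country(ip):
    """Longest-prefix match against the (constructed) geo-IP table."""
    best = None
    for net, cc in GEOIP_TABLE.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def evaluate_login(line):
    """Return a Finding for a successful login that violates policy, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["result"] != "success":
        return None  # failed attempts are noise here; successes are what matter
    ip = ipaddress.ip_address(m["src"])
    reasons = []
    policy = CONTRACTOR_POLICY.get(m["user"])
    if policy is None:
        reasons.append("unknown contractor account")
    else:
        if not any(ip in ipaddress.ip_network(n) for n in policy["allow_nets"]):
            reasons.append("source not in allowlist")
        country = lookup_country(ip)
        if country not in policy["countries"]:
            reasons.append(f"login from unexpected country {country}")
    if m["mfa"] != "yes":
        reasons.append("no second factor")
    if not reasons:
        return None
    return Finding(m["ts"], m["user"], m["src"], reasons)


def audit_remote_logins(log_text):
    """Run every line through evaluate_login and collect the violations."""
    findings = [evaluate_login(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]


# Constructed sample log: one clean login, one that matches the pattern in
# the story (password only, from a country where no contractor sits), and
# one from the right country but outside the allowlisted range.
SAMPLE_LOG = """\
2017-12-10T02:14:00Z user=hvac-vendor src=203.0.113.17 mfa=yes result=success
2017-12-10T03:05:12Z user=hvac-vendor src=198.51.100.44 mfa=no result=success
2017-12-10T03:06:00Z user=hvac-vendor src=198.51.100.44 mfa=no result=failure
2017-12-10T04:40:00Z user=bms-support src=192.0.2.9 mfa=yes result=success
2017-12-10T05:01:00Z user=bms-support src=203.0.113.200 mfa=yes result=success
"""

if __name__ == "__main__":
    for f in audit_remote_logins(SAMPLE_LOG):
        print(f.ts, f.user, f.src, "; ".join(f.reasons))
```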




Is this the future?
Estonia, the Digital Republic
Its government is virtual, borderless, blockchained, and secure. Has this tiny post-Soviet nation found the way of the future?




For my Data Management students.
Study Examines Value of Data
In mitigating an asset-risk by risk transfer (such as an insurance policy), the value of the asset is directly related to the cost of the transfer (the insurance premium). The same principle should be applied to other forms of risk mitigation, such as defending the asset. Where the asset is data, an information security policy should reflect the value of the data -- but this assumes that the value of data is understood.
Trustwave, a Chicago, IL-based threat, vulnerability and compliance management firm, wanted to see how organizations value the prime categories of the data they hold -- which it assumes to be personally identifiable information (PII), payment card data (PC), intellectual property (IP), and email content information. It commissioned Quocirca to analyze the financial value placed by different industry segments in different geographical regions on these four categories of data. Five hundred IT and risk managers were surveyed in the U.S., Canada, Australia, Japan and the UK (100 for each region).
Two specific metrics are used in the ensuing report (PDF): the per capita value (PCV) for data; and a data risk vigilance (DRV) score. PCV is calculated by dividing the overall value of a data set by the number of records it contains. It consequently provides a subjective view for each organization. The same principle was also applied to discover the comparative data PCVs for the criminal fraternity and regulators.
The second metric, the DRV score, isn't simply a question of security budgets, but aggregates ten factors -- four relating directly to risk, four to data value assessments and two to the impact of data theft.




Looks like we don’t have universal agreement on this topic.
Radio NZ reports that John Edwards, New Zealand’s Privacy Commissioner, has taken a position opposing the United States in its case involving information held in an Irish centre owned by Microsoft.
America’s government wants to access private information about a US citizen accused of drug trafficking, which is held in an Irish centre owned by Microsoft.
Rather than asking Ireland to hand over the information, the government wants to seize it under US search warrant laws.
Mr. Edwards’s submission took the position that if the U.S. were to prevail, that would enable them to seize information held in New Zealand under a U.S. search warrant, which is… well… not acceptable.
How many countries have to push back against the long arm of a U.S. search warrant, and will the U.S. Supreme Court care what they say/think?




“If we don’t say these words out loud, people will forget they exist.”
CDC gets list of forbidden words: fetus, transgender, diversity
… Policy analysts at the Centers for Disease Control and Prevention in Atlanta were told of the list of forbidden words at a meeting Thursday with senior CDC officials who oversee the budget, according to an analyst who took part in the 90-minute briefing. The forbidden words are “vulnerable,” “entitlement,” “diversity,” “transgender,” “fetus,” “evidence-based” and “science-based.”




For my Spreadsheet and my Statistics students.




I’m going to save this for later…




An update on the Dotcom case.
New Zealand judge dismisses 7 of Kim Dotcom's 8 arguments against extradition to US
… The arguments were part of Dotcom's appeal of a High Court decision made earlier this year, which states that he is eligible to be extradited to the US. That appeal will be heard in February, according to the New Zealand Herald.
… The eighth argument, which was allowed to remain, involves a decision by the deputy solicitor-general in June to order that clones be made of the electronic devices seized from Dotcom's home, so that they could be sent to the US.
… Dotcom has been fighting extradition to the US since 2012, when his now defunct Megaupload file-hosting site was shut down by the US government and Dotcom and his associates were arrested in New Zealand.


Friday, December 15, 2017

After a full Quarter of Computer Security lectures, I’d like to believe that my students would have known to “LOCK THE DOOR!”
Homeless man steals $350,000 from Paris airport
A homeless man stole 300,000 euros ($353,000) from an unlocked room in Paris' Charles de Gaulle Airport on Friday.
The money was taken from an office belonging to cash-handling company Loomis in Terminal 2F of the airport at 5:30 p.m. local time, according to a spokesman at the courthouse in Bobigny, the capital of the region in which the airport is located.
He said that security camera footage shows the man, who is believed to be around 50 years old, rummaging through garbage cans near the Loomis office. The man then leans against the office door and seems surprised when it opens.
The footage shows the man putting down a suitcase and entering the office. He emerged a few minutes later with two bags full of bank notes, according to the spokesman. Leaving his own suitcase behind, he exited the airport and walked away.




For my Computer Security students.
Companies that want to help their employees become better stewards of cybersecurity need to go beyond regular trainings on password security and other basic protocols. The best way to train employees to defend against hackers is to teach them how to think like one.
… Encourage employees to attend hackathons — even if only perhaps to observe or learn. These events give people a chance to take a step back from their day-to-day work for a moment and think creatively to solve some kind of problem, which is what “hacking” is all about.
… When something major happens in your industry, encourage teams to share findings and analysis. That’s not to say everyone needs to be writing up ten page reports — a few quick thoughts will do. The idea is to condition your workforce to make it second nature to share information and insights.




Maybe that wasn’t as simple as the FCC thought.
The next front in the net neutrality war: Feds versus the states
The United States is about to go to war with itself over net neutrality.
In the hours after the Trump administration scrapped rules that required internet providers to treat all web traffic equally, a handful of states mobilized in a bid to reverse the decision by the Federal Communications Commission in court — or perhaps write their own new regulations as a replacement.
To start, a coalition of state attorneys general, led by New York, pledged on Thursday that they would sue the FCC to stop its rollback from taking place. Meanwhile, policymakers in at least two states — California and Washington — said they’d try on their own to prevent companies like AT&T, Charter, Comcast* and Verizon from blocking websites, slowing down web traffic or prioritizing their movies, music and other content above their rivals’ offerings.
Legislating is an especially fraught, difficult proposition. The order adopted by the FCC on Thursday doesn’t just kill the existing net neutrality rules — it explicitly seeks to override local policymakers from pursuing their own laws. And the FCC’s Republicans on Thursday signaled that they’d vigorously pursue any states that tried that anyway.


(Related). Another way to end-run the system?
Motherboard & VICE Are Building a Community Internet Network
… The good news is a better internet infrastructure is possible: Small communities, nonprofits, and startup companies around the United States have built networks that rival those built by big companies. Because these networks are built to serve their communities rather than their owners, they are privacy-focused and respect net neutrality ideals. These networks are proofs-of-concept around the country that a better internet is possible.
Today, Motherboard and VICE Media are committing to be part of the change we’d like to see. We will build a community network based at our Brooklyn headquarters that will provide internet connections for our neighborhood. We will also connect to the broader NYC Mesh network in order to strengthen a community network that has already decided the status quo isn’t good enough.
We are in the very early stages of this process and have begun considering dark fiber to light up, hardware to use, and organizations to work with, support, and learn from. To be clear and to answer a few questions I've gotten: This network will be connected to the real internet and will be backed by fiber from an internet exchange. It will not rely on a traditional ISP.
In hopes of making this replicable, we will document every step of this process, and will release regular updates and guides along the way. Next year, we’ll publish the Motherboard Guide to Building an ISP, a comprehensive guide to the technical, legal, and political aspects of getting a locally-owned internet network off the ground.


(Related) Perhaps do-it-yourselfers will save the day?
Daniel Oberhaus reports that Denver Gingerich, a programmer in NYC, has been developing a surveillance-free cell phone network.
Earlier this year, Gingerich published the code for Sopranica, a DIY, surveillance-free cell phone network. At the moment, it consists of a protocol that allows anyone to register for a phone number to make calls and send texts over the internet totally anonymously. In the future, this protocol will be paired with a network of small radio devices run by members of a community that will replace users’ reliance on cell phone towers run by telecommunications companies.
Read more on Motherboard.




For an organization that is supposed to deal in facts, they seem to have great difficulty determining what to say when something happens.
DOJ now says early release of FBI agents' private texts to reporters was 'not authorized' by the department
The Justice Department acknowledged in a statement on Thursday night that copies of private text messages exchanged between two former special counsel investigators were disclosed to certain members of the media before they were given to Congress, even though those disclosures "were not authorized."


(Related)
DOJ says no wrongdoing in release of FBI agent's texts
… In a statement to CNN Thursday, Flores rejected the accusation that the DOJ did anything improper, explaining that members of Congress received the texts "before any member of the media was given access to view the same copy of the texts."




Explain this to a jury? I’m not sure the programmers get it.
Accountability of AI Under the Law: The Role of Explanation
“The ubiquity of systems using artificial intelligence or “AI” has brought increasing attention to how those systems should be regulated. The choice of how to regulate AI systems will require care. AI systems have the potential to synthesize large amounts of data, allowing for greater levels of personalization and precision than ever before: applications range from clinical decision support to autonomous driving and predictive policing. That said, common sense reasoning [McCarthy, 1960] remains one of the holy grails of AI, and there exist legitimate concerns about the intentional and unintentional negative consequences of AI systems [Bostrom, 2003, Amodei et al., 2016, Sculley et al., 2014]. There are many ways to hold AI systems accountable. In this work, we focus on one: explanation. Questions about a legal right to explanation from AI systems were recently debated in the EU General Data Protection Regulation [Goodman and Flaxman, 2016, Wachter et al., 2017], and thus thinking carefully about when and how explanation from AI systems might improve accountability is timely. Good choices about when to demand explanation can help prevent negative consequences from AI systems, while poor choices may not only fail to hold AI systems accountable but also hamper the development of much-needed beneficial AI systems. Below, we briefly review current societal, moral, and legal norms around explanation, and then focus on the different contexts under which explanation is currently required under the law. We find that there exists great variation around when explanation is demanded, but there also exist important consistencies: when demanding explanation from humans, what we typically want to know is how and whether certain input factors affected the final decision or outcome.
These consistencies allow us to list the technical considerations that must be considered if we desired AI systems that could provide the kinds of explanations that are currently required of humans under the law. Contrary to popular wisdom of AI systems as indecipherable black boxes, we find that this level of explanation should often be technically feasible but may sometimes be practically onerous; there are certain aspects of explanation that may be simple for humans to provide but challenging for AI systems, and vice versa. As an interdisciplinary team of legal scholars, computer scientists, and cognitive scientists, we recommend that for the present, AI systems can and should be held to a similar standard of explanation as humans currently are; in the future we may wish to hold an AI to a different standard.”




A tool that might be useful…
Avast Open Sources Machine-Code Decompiler in Battle Against Malware
In an effort to boost the fight against malicious software, anti-malware company Avast this week announced the release of its retargetable machine-code decompiler as open source.
Dubbed RetDec, short for Retargetable Decompiler, the software utility is the result of seven years of development and was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology in the Czech Republic, and AVG Technologies. Avast acquired AVG Technologies in 2016.
The tool allows the security community to perform platform-independent analysis of executable files. With its source code published to GitHub under the MIT license, RetDec is now available for anyone to freely use it, study its source code, modify it, and redistribute it.




Useful for the high volume of “No, I won’t change your grade” emails that occur at Quarter end.




Another useful tool?




Finding a place for my students. (Preferably far, far away.)
Forbes – The World’s Biggest Public Companies
This resource is structured so that the reader may scroll through the list of companies, where you will find respective metadata on each organization that includes: Country, Industry, CEO, Market Cap. From the initial brief company overview, readers may choose to view additional data on each company that includes: Revenue, Number of Employees, Sales, Assets, Profits, and related Forbes articles.


Thursday, December 14, 2017

Just in case you thought this had been resolved…. Would a non-cyber (old timey) bank robbery be likely to create an international incident?
Philippine Bank Accuses Bangladesh of Heist 'Cover-Up'
A Philippine bank on Tuesday accused Bangladesh's central bank of a "massive cover-up" over an $81-million cyber-heist last year, as it rejected allegations it was mostly to blame.
Unidentified hackers shifted $81 million in February last year from the Bangladesh central bank's account with the US Federal Reserve in New York to a Manila branch of the Rizal Commercial Banking Corp (RCBC).
The money was quickly withdrawn and laundered through Manila casinos.
With only a small amount of the stolen money recovered and frustration building in Dhaka, Bangladesh's Finance Minister A.M.A Muhith said over the weekend he wanted to "wipe out" RCBC.
RCBC on Tuesday said Muhith's remarks were "extremely irresponsible".
"Last year's theft of $81 million of Bangladesh's Central Bank's (BB) funds was an inside job and BB is engaging in a massive cover-up by maligning RCBC and refusing to divulge its findings," the bank said in a statement on Tuesday.
The Philippines last year imposed a record $21-million fine on RCBC after a "special examination" of the bank and its role in the audacious cyber heist.
Philippine authorities have filed money laundering charges against the RCBC branch manager.




Some vendors to monitor your employees, customers, or neighbors.
John Russell reports:
The Legal Aid Society has sued the Manhattan district attorney for refusing to divulge whether he buys information from social-media companies as a way to track civil rights protesters and conduct other “social monitoring.”
Though the district attorney’s office is the only defendant in the Article 78 Petition, the nonprofit Legal Aid Society specifically asks for information on “the extent to which the state of New York and New York City employ the services of Geofedia, Inc., Media Sonar Technologies Inc., and X1 Discover, Inc.”
Read more on Courthouse News.


(Related).
The Legal Risks of Monitoring Employees Online




A simple tool for the Computer Security toolkit.
Catalin Cimpanu reports:
A team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach.
The tool, named Tripwire, works on a simple concept. Researchers say that Tripwire registers one or more accounts on websites by using a unique email address that they do not use for anything else.
Each email account and the website profile used the same password. Tripwire would check at regular intervals if someone used this password to access the email account, which would indicate the website suffered a breach and an attacker used the stolen account data to log into the associated email account.

Tripwire finds 19 data breaches during test run

In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study’s period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.
UCSD researchers reached out to each website, but to their astonishment, none notified users of the breach.
Read more on BleepingComputer.
[From the article:
UCSC researchers published the source code for the Tripwire tool on GitHub, and they hope that companies would deploy it internally as an additional breach detection system.
The research team also presented their work on Tripwire at the ACM Internet Measurement Conference in London, this November. Their work on Tripwire is documented in a research paper titled "Tripwire: Inferring Internet Site Compromise."
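The Tripwire idea from the excerpt (one throwaway mailbox and password per monitored site, then watch for someone else logging into that mailbox) worked through in code, as an added example rather than the UCSD team's own tool: the mail-provider login-audit format, the mail domain and the checker IP are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed mail-provider login-audit format, one event per line.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) mailbox=(?P<mbox>\S+) src=(?P<src>\S+) "
    r"result=(?P<res>success|failure)$"
)


class TripwireMonitor:
    """One throwaway mailbox per monitored site, each with its own password that
    is reused only on that site. Any successful login to the mailbox that did
    not come from our own checker means that site's credentials were stolen
    and tried elsewhere."""

    def __init__(self, mail_domain, checker_ips, secret=None):
        self.mail_domain = mail_domain
        self.checker_ips = set(checker_ips)
        # The secret keys the mailbox names so one site cannot predict the others'.
        self.secret = secret or secrets.token_bytes(32)
        self.site_by_mailbox = {}
        self.creds_by_site = {}

    def register(self, site):
        """Create the honey identity for a site and return its mailbox address."""
        tag = hmac.new(self.secret, site.encode(), hashlib.sha256).hexdigest()[:12]
        mailbox = f"{tag}@{self.mail_domain}"
        password = secrets.token_urlsafe(16)   # used on this site and this mailbox only
        self.site_by_mailbox[mailbox] = site
        self.creds_by_site[site] = (mailbox, password)
        return mailbox

    def check(self, login_log):
        """Scan mailbox login events; return one alert per foreign successful login,
        plus a per-site count of failed attempts (guessing, not proof of a breach)."""
        alerts, failed = [], {}
        for line in login_log.splitlines():
            m = LOGIN_RE.match(line.strip())
            if not m:
                continue
            site = self.site_by_mailbox.get(m["mbox"])
            if site is None:
                continue                       # not one of our honey mailboxes
            if m["res"] == "failure":
                failed[site] = failed.get(site, 0) + 1
                continue
            if m["src"] in self.checker_ips:
                continue                       # our own periodic check
            alerts.append({"site": site, "ts": m["ts"], "src": m["src"],
                           "mailbox": m["mbox"]})
        return alerts, failed

    def compromised_sites(self, login_log):
        """Distinct sites whose honey mailbox saw a foreign successful login."""
        alerts, _ = self.check(login_log)
        return sorted({a["site"] for a in alerts})


if __name__ == "__main__":
    mon = TripwireMonitor("honey.example", checker_ips=["203.0.113.5"])
    shop = mon.register("shop.example")
    forum = mon.register("forum.example")
    # Constructed audit log: our checker's logins, then a foreign login using
    # the shop's credentials, a failed guess against the forum's mailbox, and
    # a login to a mailbox we never registered.
    log = "\n".join([
        f"2017-12-01T00:00:00Z mailbox={shop} src=203.0.113.5 result=success",
        f"2017-12-01T00:00:01Z mailbox={forum} src=203.0.113.5 result=success",
        f"2017-12-03T13:22:09Z mailbox={shop} src=198.51.100.77 result=success",
        f"2017-12-03T13:40:00Z mailbox={forum} src=198.51.100.78 result=failure",
        "2017-12-03T14:00:00Z mailbox=nobody@honey.example src=198.51.100.79 result=success",
    ])
    print(mon.compromised_sites(log))   # ['shop.example']
```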




A “Proof of concept” exercise?
Traffic to Major Tech Firms Rerouted to Russia
Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.
OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).
It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.
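A minimal origin-AS monitor of the kind BGPmon runs, as an added example that is not BGPmon's code: it compares each announcement's origin against an expected-origin table (the role RPKI ROAs or IRR route objects play), also catches more-specific sub-prefixes, and times each episode from announcement to withdrawal. The feed format, prefixes and ASNs are constructed (documentation prefixes and private ASNs), not the real networks in the story.

```python
import ipaddress
import re
from datetime import datetime

# Constructed table of who is allowed to originate each prefix.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): {64501},
    ipaddress.ip_network("198.51.100.0/24"): {64502},
    ipaddress.ip_network("192.0.2.0/24"): {64503},
}

# Constructed feed format: "<ts> A <prefix> <as_path>" for an announcement
# (last ASN is the origin) and "<ts> W <prefix> <origin_as>" for a withdrawal.
UPDATE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>[AW]) (?P<prefix>\S+) (?P<path>[\d ]+)$")


def covering_expected(prefix):
    """Expected origins for the prefix, or for the most specific prefix covering it."""
    best = None
    for net, origins in EXPECTED_ORIGINS.items():
        if net.version == prefix.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, origins)
    return best


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_hijacks(update_log):
    """Return one event per (prefix, rogue origin) episode with start/end times."""
    active = {}     # (prefix, origin) -> index into events
    events = []
    for line in update_log.splitlines():
        m = UPDATE_RE.match(line.strip())
        if not m:
            continue
        prefix = ipaddress.ip_network(m["prefix"])
        origin = int(m["path"].split()[-1])
        key = (prefix, origin)
        ts = parse_ts(m["ts"])
        if m["kind"] == "A":
            found = covering_expected(prefix)
            if found is None:
                continue                 # not a prefix we watch
            net, origins = found
            if origin in origins or key in active:
                continue                 # legitimate, or an episode already open
            active[key] = len(events)
            events.append({
                "prefix": str(prefix), "origin": origin,
                "expected": sorted(origins),
                "more_specific": prefix != net,   # sub-prefix carved out of a watched block
                "start": ts, "end": None,
            })
        elif key in active:
            events[active.pop(key)]["end"] = ts
    return events


def duration_seconds(event):
    if event["end"] is None:
        return None
    return (event["end"] - event["start"]).total_seconds()


# Constructed feed: a legitimate announcement, then two short episodes in
# which a rogue origin announces a watched prefix (plus a more-specific).
SAMPLE_FEED = """\
2017-12-12T04:43:00Z A 203.0.113.0/24 64500 64501
2017-12-12T04:43:12Z A 203.0.113.0/24 64500 64777 64999
2017-12-12T04:43:15Z A 198.51.100.0/25 64500 64999
2017-12-12T04:46:10Z W 203.0.113.0/24 64999
2017-12-12T04:46:12Z W 198.51.100.0/25 64999
2017-12-12T07:07:02Z A 203.0.113.0/24 64500 64999
2017-12-12T07:10:01Z W 203.0.113.0/24 64999
"""

if __name__ == "__main__":
    for ev in detect_hijacks(SAMPLE_FEED):
        print(ev["prefix"], "origin", ev["origin"], "expected", ev["expected"],
              "more-specific" if ev["more_specific"] else "exact",
              f"{duration_seconds(ev)}s")
```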




Soon, only Russia will provide “facts.”
Report – A big year for fact-checking, but not for new U.S. fact-checkers
“All the talk about political lies and misinformation since last year’s election has been good for the fact-checking business in the United States — but it has not meant an increase in fact-checkers. In fact, the number has dropped, much as we’ve come to expect during odd-numbered years in the United States. We’re still editing and adding to our global list of fact-checkers for the annual census we’ll publish in January. Check back with us then for the final tally. But the trend line in the United States already is following a pattern we’ve seen before in the year after a presidential election: At the start of 2017, there were 51 active U.S. fact checkers, 35 of which were locally oriented and 16 of which were nationally focused. Now there are 44, of which 28 are local and 16 are mainly national. This count includes some political fact-checkers that are mainly seasonal players. These news organizations have consistently fact-checked politicians’ statements through political campaigns, but then do little if any work verifying during the electoral “offseason.” And not all the U.S. fact-checkers in our database focus exclusively — or even at all — on politics. Sites such as Gossip Cop, Snopes.com and Climate Feedback are in the mix, too…”




My guess is that this is much too logical to gain much support. How can you “spin” the facts if anyone can refute your claims?
POGO – Revealing the Lost World of Government Reports
POGO – “Congress is considering a simple but important step in overseeing federal agencies. A recently introduced bill would require a one-stop, easy-to-use, online location for all congressionally mandated reports. This may put an end to the world of lost and hidden government reports. Each year, Congress mandates that federal agencies report on programs, laws, and other aspects of government, big and small. Whether it’s an analysis of Medicare’s ability to provide health care to seniors, the price impact of agricultural subsidies, problems with the Navy’s aircraft carrier program, or Amtrak’s ability to keep the trains running on time, Congress wants to know. In fact, agencies complete several thousand congressionally mandated reports annually in order to keep both elected officials and the public informed. Of course, government reports are intended to shine a light on government operations and national issues, but in an odd and persistent twist, Congress, the press, and the public can’t always find the reports after they are published. Surprisingly, no government agency or congressional office currently has the job to keep track of the reports. Instead, each agency has its own system of issuing and transmitting reports. Major reports of national and political focus are closely tracked and covered in the press. However, those that are less notable, but still important, may slip between the bureaucratic cracks…”




Clearly, “useful” is in the eye of the beholder. Who else will Office share information with?
Microsoft levels up Word, Excel, and Outlook with more AI capabilities
Microsoft is adding a host of new capabilities to its Office productivity suite that are aimed at using machine learning to help people get their work done more efficiently. Outlook, Excel, and Word will all benefit, with new features rolling out to a limited set of users in the coming months and then expanding to a broader set of people later on.
Outlook’s web client will provide users with an interface that will automatically offer them responses to questions layered inside emails, while Excel has a new feature that suggests charts and pivot tables. Word will get a feature that will help users define acronyms based on information shared within their organization.
… Microsoft isn’t alone in pushing intelligent productivity capabilities, either: Google has spent time pushing its own machine learning-based features inside G Suite, including support for automatically generating charts and pivot tables. Inbox, Google’s experimental email product that’s focused on productivity, has a marquee Smart Reply feature that’s supposed to allow users to quickly respond to the content of emails they receive by clicking on one of three buttons.




The mouse goes to India to learn Cricket?
Analysis: Fox's Star to bring Disney cash and cricket in India
… Through the $75 billion deal, which a source said is expected to be announced Thursday morning, Disney would be able to distribute its programming on Star India, operator of 69 TV channels in eight languages, as well as the popular Hotstar streaming service. Disney also would gain global rights to professional cricket.


Wednesday, December 13, 2017

I’m shocked, shocked I tell you! You can’t even trust potential lawyers!
Hard disk mysteriously stolen after DU compiled attendance of law students
Prawesh Lama reports:
A computer’s hard disk along with its CPU was stolen from Law Faculty in Delhi University on December 3 — the day officials started compiling the attendance of faculty members and that of over 7,000 law students.
The law faculty’s dean, Ved Kumari, in her complaint alleged that the stolen CPU contained records of attendance of both students and teachers.
Read more on Hindustan Times.
[From the article:
Out of over 7,000 students, the attendance of around 200 students were reportedly below the minimum required attendance mark. It is mandatory for every student to have at least 70% attendance to be eligible to sit for an examination. The law faculty has its semester exam this month.






Something for my Ethical Hacking students to try? Okay, probably not.
https://www.schneier.com/blog/archives/2017/12/remote_hack_of_.html
Remote Hack of a Boeing 757
Last month, the DHS announced that it was able to remotely hack a Boeing 757:
"We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
"[Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft.






...because it’s so easy, that’s why!
https://www.bespacific.com/wired-how-email-open-tracking-quietly-took-over-the-web/
Wired – How Email Open Tracking Quietly Took Over the Web
Bryan Merchant: “There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online…”
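A scanner for the technique the excerpt describes, as an added example that is not from the article or the OMC study: it parses an email's HTML for remote images that are 1×1 or hidden (open-tracking pixels), remote images carrying what looks like a per-recipient token, and remote @font-face fonts, so a mail client can decide whether to load remote content at all. The message body is constructed.

```python
import re
from html.parser import HTMLParser

# Remote @font-face sources inside a <style> block (fetched on every open).
FONT_URL_RE = re.compile(r"@font-face[^}]*?url\(\s*['\"]?(https?://[^'\")\s]+)", re.I | re.S)
# width:1px / height:0 style hints, checked against a whitespace-stripped style string.
PX_IN_STYLE_RE = re.compile(r"(?:width|height):[01](?:px)?\b", re.I)


def _px(value):
    """Parse '1', '1px', ' 1' -> 1; anything else -> None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else None


class TrackerScanner(HTMLParser):
    """Collect (kind, url) findings for remote resources the message fetches on open."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False
        self._style = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "style":
            self._in_style = True
            return
        if tag != "img":
            return
        src = a.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            return                              # inline cid: images do not phone home
        style = (a.get("style") or "").replace(" ", "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = ((w is not None and w <= 1) or (h is not None and h <= 1)
                or PX_IN_STYLE_RE.search(style) is not None)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append(("tracking-pixel", src))
        elif "?" in src and len(src.split("?", 1)[1]) >= 16:
            self.findings.append(("remote-image-with-token", src))   # per-recipient id likely
        else:
            self.findings.append(("remote-image", src))

    def handle_data(self, data):
        if self._in_style:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            for url in FONT_URL_RE.findall("".join(self._style)):
                self.findings.append(("remote-font", url))
            self._style = []


def scan_email_html(html):
    s = TrackerScanner()
    s.feed(html)
    s.close()
    return s.findings


def safe_to_load_remote_content(findings):
    """Policy hook for a mail client: block all remote loads if any tracker was seen."""
    return not any(kind in ("tracking-pixel", "remote-font", "remote-image-with-token")
                   for kind, _ in findings)


# Constructed message body: a visible logo, a 1x1 open-tracking pixel,
# a hidden tracking image, an inline attachment and a remote web font.
SAMPLE_EMAIL = """
<html><head><style>
  @font-face { font-family: "Brand"; src: url("https://fonts.example/brand.woff2"); }
</style></head><body>
  <img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
  <p>Your order has shipped.</p>
  <img src="https://track.example/open.gif?rid=7f3a9c2e1b4d5e6f" width="1" height="1">
  <img src="https://track.example/o2.gif?rid=abcdef0123456789" style="display: none">
  <img src="cid:embedded-photo">
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE_EMAIL):
        print(f"{kind:26} {url}")
    print("load remote content:", safe_to_load_remote_content(scan_email_html(SAMPLE_EMAIL)))
```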






Could we do this here? Would nervous parents insist they need to keep in touch with their kids?
https://www.theguardian.com/world/2017/dec/11/france-to-ban-mobile-phones-in-schools-from-september
France to ban mobile phones in schools from September
The French government is to ban students from using mobile phones in the country’s primary, junior and middle schools.
Children will be allowed to bring their phones to school, but not allowed to get them out at any time until they leave, even during breaks.






Shouldn’t judges do it whenever they have a question?
https://www.bespacific.com/aba-issues-ethical-guidance-on-when-judges-should-use-the-internet-for-independent-factual-research/
ABA issues ethical guidance on when judges should use the internet for independent factual research
“The American Bar Association Standing Committee on Ethics and Professional Responsibility has issued Formal Opinion 478 that provides the nation’s judicial branch guidance related to the ethical boundaries of independent factual research on the internet. The guidance is consistent with the ABA Model Code of Judicial Conduct, but notes that judicial notice is governed by the law of evidence in each jurisdiction. The opinion draws a bright-line distinction between independent investigation of “adjudicative facts” and research of “legislative facts” of law and policy. Formal Opinion 478 also provides guidance on internet research by judges of the lawyers and the parties involved in the case. “Stated simply, a judge should not gather adjudicative facts from any source on the Internet unless the information is subject to proper judicial notice,” Formal Opinion 478 said. “Further … judges should not use the Internet for independent fact-gathering related to a pending or impending matter where the parties can easily be asked to research or provide the information. The same is true of the activities or characteristics of the litigants or other participants in the matter.” The opinion provides five hypothetical situations, and provides an analysis of each and how they might be handled by a judge. The ABA Standing Committee on Ethics and Professional Responsibility periodically issues ethics opinions to advise lawyers, courts and the public in interpreting and applying ABA model ethics rules to specific issues of legal practice, client-lawyer relationships and judicial behavior. Formal Opinion 478 and previous ABA ethics opinions are available on the ABA Center for Professional Responsibility website under “Latest Ethics Opinions.” Go to www.abalegalfactcheck.com for the ABA’s new feature that cites case and statutory law and other legal precedents to distinguish legal fact from fiction.”






Perspective. Try a search for your hot button.
https://trends.google.com/trends/yis/2017/GLOBAL/
Year in Search 2017






For the Movie club...
https://seekingalpha.com/article/4131425-costco-partners-moviepass
Costco Partners With MoviePass
… Costco and MoviePass announced that they have partnered (along with MoviePass streaming affiliate, Fandor) to offer a "Movie Lovers' Package" to the public.
… the Costco offer provides a one-year subscription to MoviePass and Fandor for a flat fee of $89.99. The deal is available exclusively to Costco members and only until December 18th.



Tuesday, December 12, 2017

Somehow, this does not give me that warm fuzzy feeling.
Hackers hit U.S., Russian banks in ATM robbery scam: report
A previously undetected group of Russian-language hackers silently stole nearly $10 million from at least 18 mostly U.S. and Russian banks in recent years by targeting interbank transfer systems, a Moscow-based security firm said on Monday.
Group-IB warned that the attacks, which began 18 months ago and allow money to be stolen from banks’ automated teller machines (ATMs), appear to be ongoing and that banks in Latin America could be targeted next.
… The firm said it was continuing to investigate a number of incidents where hackers studied how to make money transfers through the SWIFT banking system, while stopping short of saying whether any such attacks had been carried out successfully.
SWIFT said in October that hackers were still targeting its interbank messaging system, but security controls instituted after last year’s $81 million heist at Bangladesh’s central bank had thwarted many [but not all? Bob] of those attempts. (reut.rs/2z1b7Bo)
Group-IB has dubbed the hacker group “MoneyTaker” after the name of software it used to hijack payment orders to then cash out funds through a network of low-level “money mules” who were hired to pick up money from automated teller machines.
… The average amount of money stolen in each of 14 U.S. ATM heists was $500,000 per incident. Losses in Russia averaged $1.2 million per incident, but one bank there managed to catch the attack and return some of the stolen funds, Group-IB said.




Should there be a law to protect LinkedIn’s data? How could you write that to keep my researching students from violating it every day?
EFF to Court: LinkedIn is wrong about accessing publicly available information online
… The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.
EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target “hacking” into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not “hacking,” and neither is violating a website’s terms of use. LinkedIn would have the court believe that all “bots” are bad, but they’re actually a common and necessary part of the Internet. “Good bots” were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison.




So what do we do about it? Rather simplistic and opinionated.
How Russia Hacked America—And Why It Will Happen Again
During the 2016 presidential campaign, Russian hackers attacked the U.S. on two fronts: the psychological and the technical. Hackers used classic propaganda techniques to influence American voters, bought thousands of social media ads to propagate fake news, and broke into Democratic party email servers to steal information.




They talk to the people who should know.
Deloitte’s tech predictions for 2018: More AI, digital subscriptions, AR, and live events
Accounting and tech consultant Deloitte released its predictions for the technology industry in 2018, covering topics from the growth of augmented reality to the triumph of live programming on the Internet.
The predictions are part of the company’s 17th annual Technology, Media, & Telecommunications report. Some of the predictions are for tech growth in 2018, while other predictions refer to growth in future years.




I wonder if detailed analysis of signatures in those little screens or the signatures by finger suggests that nothing matches?
American Express and MasterCard are quietly killing one of the most annoying things about buying things in stores
In 2018, major credit card companies including MasterCard, Discover, and American Express will no longer require customers to sign their receipts.
… With the rise of online shopping and new tech like EMV chips in credit cards, signatures have become less necessary as a safety measure, American Express said in a press release.




For my Statistics class: There is such a thing as “Wisdom of the Crowd.” What else could we do with it?
Crowdsourcing Accurately and Robustly Predicts Supreme Court Decisions
ABSTRACT: Scholars have increasingly investigated “crowdsourcing” as an alternative to expert-based judgment or purely data-driven approaches to predicting the future. Under certain conditions, scholars have found that crowd-sourcing can outperform these other approaches. However, despite interest in the topic and a series of successful use cases, relatively few studies have applied empirical model thinking to evaluate the accuracy and robustness of crowdsourcing in real-world contexts. In this paper, we offer three novel contributions. First, we explore a dataset of over 600,000 predictions from over 7,000 participants in a multi-year tournament to predict the decisions of the Supreme Court of the United States. Second, we develop a comprehensive crowd construction framework that allows for the formal description and application of crowdsourcing to real-world data. Third, we apply this framework to our data to construct more than 275,000 crowd models. We find that in out-of-sample historical simulations, crowdsourcing robustly outperforms the commonly-accepted null model, yielding the highest-known performance for this context at 80.8% case level accuracy. To our knowledge, this dataset and analysis represent one of the largest explorations of recurring human prediction to date, and our results provide additional empirical support for the use of crowdsourcing as a prediction method.” (via SSRN)




Something for my geeks?
Microsoft Launches Free Preview Version Of Its Quantum Development Kit
Back in September, we talked about the groundwork Microsoft was laying for quantum computing with a new programming language in development. Not even three months later, Microsoft is ready to toss a free preview version of that new language to the public and it's called the Quantum Development Kit. That dev kit includes the Q# programming language, a quantum computing simulator, and other resources for people who want to write apps for quantum computers.




Monday, December 11, 2017

My students are not likely at risk, but others are?
LinkedIn Is China's Newest Espionage Tool, German Spies Warn
… In an unusual move, the Bundesamt für Verfassungsschutz (BfV) on Sunday released details of some of the fake social networking profiles that it said had made contact with at least 10,000 Germans, in order to recruit possible information sources.
… “The modus operandi is almost always the same,” the agency said in a report. “Supposed scientists, employment agents and headhunters contact people with a significant personal profile. They are lured in with enticing offers and eventually invited to China, where the intelligence-gathering commences.”




For my students who read. A really huge resource!
University of Pennsylvania: Online Books Page
University of Pennsylvania: Online Books Page – “The Online Books Page is a website that facilitates access to books that are freely readable over the Internet. It also aims to encourage the development of such online books, for the benefit and edification of all. Major parts of the site include:


Sunday, December 10, 2017

Helping to define the digital health ecology.
Covington & Burling Inside Privacy writes:
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.
  • In the first part of the series, the Digital Health team answers key regulatory questions about digital health solutions.
  • In the second part of the series, the Digital Health team considers key commercial questions when contracting for digital health solutions.
  • In the third part of the series, the Digital Health team answers key regulatory and commercial questions about the Artificial Intelligence (AI), data privacy, and cybersecurity aspects of digital health solutions.




“Stupid is as stupid does.” F. Gump
From the this-doesn’t-seem-quite-right-to-me dept.:
Defendant, in a jail call that he knew was being recorded, told someone his Facebook ID and password so it could be changed. That was a waiver of his reasonable expectation of privacy in the information on his Facebook account that AFOSI could access. Defendant was awaiting court martial in a county jail. United States v. Langhorne, 2017 CCA LEXIS 746 (A.F. Ct. Crim. App. Dec. 5, 2017): http://afcca.law.af.mil/content/afcca_opinions/cp/langhorne_-_39047.pub.pdf
Read more on FourthAmendment.com.
Doesn’t the defendant’s action in trying to change his password for FB show that he was concerned about protecting his privacy? If they had said to the defendant, “You realize you’re waiving any expectation of privacy because this call is being recorded, right?” what would the defendant have said? And more importantly, perhaps, what would he have then done? Would he have proceeded or shut up?




Interesting application and (in my wife’s hands) extremely expensive. Not to mention the Privacy implications of giving away a 3D rendering of my home.
3D interior design company Modsy raises $23 million
Modsy, a company that allows people to create 3D renderings of their home in order to visualize what it would look like with various kinds of furniture, has raised $23 million in a series B round of funding from Advance Venture Partners (AVP), Comcast Ventures, NBCUniversal Cable Entertainment, and Norwest Venture Partners.
Founded out of San Francisco in 2015, Modsy asks you to take several photos of the specific space you are looking to renovate. Upload these photos, answer a few style-focused questions, and Modsy does the rest. You’ll be presented with 360-degree room renderings featuring furniture from more than 100 retailers — and you can buy products directly through these designs.
… Modsy offers two core pricing tiers. The basic Modsy package costs $69 and features all of the above, including two custom designs. Modsy & Style Advisor offers a few extra perks, including one-on-one access to a human style adviser over video chat or telephone.




A simple question: Has Wally learned this from Donald Trump?