Thursday, February 22, 2018

This should bother my Computer Security students. Since when is a 10% failure rate considered good?
Meghan Bogardus Cortez reports:
University end users are pretty good at identifying a scam.
Only 10 percent of simulated phishing emails sent to users at education institutions were successful, a new study from Wombat Security Technologies reports. The company monitored tens of millions of simulated phishing attacks sent over the course of a year through its Security Education Platform across more than 15 industries.
The State of the Phish 2018 report found that users in education were less likely to click on a phishing attempt than those in technology, entertainment, hospitality, government, consumer goods, retail and telecommunications.
Read more on EdTech Magazine.

We’ve been considering how to prevent Russia from hacking these devices instead of merely chatting on social media.
The Risks of Digital Democracy
Like many segments of the economy and society, democracy is in the process of being digitized, a development that promises new levels of efficiency but also brings new risks. Consider the digitization of voting machines, devices that date back to the 19th century. The growing use of direct recording electronic (DRE) voting machines has made possible fully digitized voting and the availability of near real-time results.
But, the events of this summer’s 25th annual DEF CON computer security conference illustrate the risks that come with these benefits. As part of the conference, software engineers were invited to a Voting Machine Hacking Village to try to break into commercially available DRE voting machines. The hackers cracked the “secured” systems in less than two hours.

Something the CSO can use to start a discussion with Senior Management? This has come up in several recent breaches.
SEC Tells Execs Not to Trade While Investigating Security Incidents
The U.S. Securities and Exchange Commission (SEC) on Wednesday announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents.
The SEC has advised companies to inform investors in a timely fashion of all cybersecurity incidents and risks – even if the firm has not actually been targeted in a malicious attack. The agency also believes companies should develop controls and procedures for assessing the impact of incidents and risks.
While directors, officers and the people in charge of developing these controls and procedures should be made aware of security risks and incidents, the SEC believes these individuals should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.

Similar to the conclusions my students have reached.
Global Cybercrime Costs $600 Billion Annually: Study
A report by the security firm McAfee with the Center for Strategic and International Studies found theft of intellectual property represents about one-fourth of the cost of cybercrime in 2017, and that other attacks such as those involving ransomware are growing at a fast pace.
Russia, North Korea and Iran are the main sources of hackers targeting financial institutions, while China is the most active in cyber espionage, the report found.
Criminals are using cutting-edge technologies including artificial intelligence and encryption for attacks in cyberspace, with anonymity preserved by using bitcoin or other cryptocurrency, the researchers said.
The report said there is often a connection between governments and the cybercrime community.

A simple password testing tool.
I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
They then go on to recommend that passwords "obtained from previous breach corpuses" should be disallowed and that the service should "advise the subscriber that they need to select a different secret".
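As an added illustration (not code from Have I Been Pwned or from the post above), here is the NIST verifier check described in the quote, run against a locally held copy of the list. It assumes the downloaded list is a text file of SHA-1 hashes of passwords with a prevalence count per line; the two lines embedded below are a constructed sample and the counts are made up.

```python
import hashlib

# Constructed sample in the layout of the Pwned Passwords V2 download: an uppercase
# SHA-1 hex digest, a colon, then how often that password appeared in breach corpuses.
# The two hashes are SHA-1("password") and SHA-1("123456"); the counts are made up here.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
7C4A8D09CA3762AF61E59520943DC26494F8941B:20760336
"""


def load_pwned_list(text):
    """Parse HASH:COUNT lines into a dict; a real deployment would stream the file."""
    corpus = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        corpus[digest.upper()] = int(count)
    return corpus


def sha1_hex(password):
    """The list is keyed by SHA-1 of the password bytes, so hash the candidate the same way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_memorized_secret(password, corpus):
    """Return (compromised, count): the SP 800-63B comparison against known-breached values."""
    count = corpus.get(sha1_hex(password), 0)
    return count > 0, count


def verifier_decision(password, corpus):
    """Accept or reject a prospective secret at enrolment or change time, with the advice NIST asks for."""
    compromised, count = check_memorized_secret(password, corpus)
    if compromised:
        return False, ("This password has appeared in %d breach records; "
                       "please select a different secret." % count)
    return True, "Password accepted."


if __name__ == "__main__":
    corpus = load_pwned_list(SAMPLE_PWNED_LIST)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, verifier_decision(candidate, corpus))
```

The same check belongs on both the "establish" and "change" paths the NIST text names; a service that only checks at enrolment lets a user change to a breached password later.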

For my researching students.
Paper – Text mining 101
EU OpenMinted Project Paper – What is text mining, how does it work and why is it useful? “This article will help you understand the basics in just a few minutes. Text mining seeks to extract useful and important information from heterogeneous document formats, such as web pages, emails, social media posts, journal articles, etc. This is often done through identifying patterns within texts, such as trends in words usage, syntactic structure, etc. People often talk about ‘text and data mining (TDM)’ at the same time, but strictly speaking text mining is a specific form of data mining that deals with text…”

Is the sky really falling?
Top Experts Warn Against 'Malicious Use' of AI
Artificial intelligence could be deployed by dictators, criminals and terrorists to manipulate elections and use drones in terrorist attacks, more than two dozen experts said Wednesday as they sounded the alarm over misuse of the technology.
In a 100-page analysis, they outlined a rapid growth in cybercrime and the use of "bots" to interfere with news gathering and penetrate social media among a host of plausible scenarios in the next five to 10 years.
"Our report focuses on ways in which people could do deliberate harm with AI," said Seán Ó hÉigeartaigh, Executive Director of the Cambridge Centre for the Study of Existential Risk.
Contributors to the new report – entitled "The Malicious Use of AI: Forecasting, Prevention, and Mitigation" – also include experts from the Electronic Frontier Foundation, the Center for a New American Security, and OpenAI, a leading non-profit research company.

I’d say yes, but the cost might be prohibitive.
Can “Fake News” be stopped?
On Wednesday, YouTube was forced to apologize for a video that sat at the top of its “Trending” tab, which shows users the most popular videos on the site. By the time it was removed from the site, it had more than 200,000 views. The problem? The video promoted the conspiracy theory peddled by alt-right propagandists that Parkland, Florida high school student and shooting survivor David Hogg is an actor, “bought and paid by CNN and George Soros.” The conspiracy theory also found its way into a trending position on Facebook, where clicking Hogg’s name “brought up several videos and articles promoting the conspiracy that he’s a paid actor,” according to Business Insider.
The incident highlights the speed at which the spread of false information occurs on algorithmically optimized social media sites that are easy to game. What to do about it is the subject of a new report from the New York think tank Data & Society, “Dead Reckoning: Navigating Content Moderation After ‘Fake News’,” which coincidentally debuted yesterday, just as the Hogg conspiracy theory spread across the internet. Based on a “year of field-based research using stakeholder mapping, discourse and policy analysis, as well as ethnographic and qualitative research of industry groups working to solve ‘fake news’ issues,” the report sets out to define the problem set before offering four strategies for addressing it.

A wake-up slap to California?
Judge says state can't force IMDB to take down actors' ages
A federal judge has blocked a California law that would have forced IMDB to take down actors' ages on request.
The law was signed by Governor Jerry Brown, a Democrat, in September 2016. It was supported by the Screen Actors Guild, which said the law would help prevent age discrimination in film and television hiring.
IMDB quickly challenged the law in court, saying that it "attempts to combat age discrimination in casting through content-based censorship."
… In his order, Chhabria called the law "clearly unconstitutional." He said it "singles out specific, non-commercial content — age-related information — for differential treatment."
The judge also said that even if the defendants, the state of California and the Screen Actors Guild, demonstrated a causal link between the availability of ages on IMDB and age discrimination, it would not be enough to justify a "content based restriction on IMDB's speech."
Chhabria added that "regulation of speech must be a last resort."

Perspective. Perhaps all politicians are delusional.
Bernie blames Hillary for allowing Russian interference
Bernie Sanders on Wednesday blamed Hillary Clinton for not doing more to stop the Russian attack on the last presidential election. Then his 2016 campaign manager, in an interview with POLITICO, said he’s seen no evidence to support special counsel Robert Mueller's assertion in an indictment last week that the Russian operation had backed Sanders' campaign.
The remarks showed Sanders, running for a third term and currently considered a front-runner for the Democratic presidential nomination in 2020, deeply defensive in response to questions posed to him about what was laid out in the indictment. He attempted to thread a response that blasts Donald Trump for refusing to acknowledge that Russians helped his campaign — but then holds himself harmless for a nearly identical denial.

Again I suggest that Amazon buy the USPS.
Postal-Service Workers Are Shouldering the Burden for Amazon

Some classes for my students.

It is always thus for new technologies!
