Thursday, February 08, 2018

When “Security” is not part of the design…
Automation Software Flaws Expose Gas Stations to Hacker Attacks
Gas stations worldwide are exposed to remote hacker attacks due to several vulnerabilities affecting the automation software they use, researchers at Kaspersky Lab reported on Wednesday.
The vulnerable product is SiteOmat from Orpak, which is advertised by the vendor as the “heart of the fuel station.” The software, designed to run on embedded Linux machines or a standard PC, provides “complete and secure site automation, managing the dispensers, payment terminals, forecourt devices and fuel tanks to fully control and record any transaction.”
Kaspersky researchers discovered that the “secure” part is not exactly true and more than 1,000 of the gas stations using the product allow remote access from the Internet. Over half of the exposed stations are located in the United States and India.
“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong,” explained Kaspersky’s Ido Naor. “With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”
According to the security firm, the vulnerabilities affecting SiteOmat could be exploited by malicious actors for a wide range of purposes, including to modify fuel prices, shut down fueling systems, or cause a fuel leakage.

Why would a “sales partner” have access to this data? Sounds like they just gave them full access!
Jason Murdock reports:
A Swiss mobile phone operator has admitted its data systems were breached late last year and the contact details of about 800,000 customers were compromised.
Swisscom said on Wednesday (7 February) that the names, addresses, telephone numbers and dates of birth of customers were accessed by an unknown party, which got the data through a sales partner of Swisscom. The company was not named.
Read more on IBT Times.
[From the Article:
"Although the misappropriated personal data is classified as non-sensitive under data protection legislation, investigating the incident is a top priority for Swisscom," the notice continued. "The relevant partner company access was blocked immediately."
A number of changes have been made to "better protect access to such non-sensitive personal data by third-party companies," the company added.
The firm said changes included the introduction of two-factor authentication on sales partners' accounts and cutting back the ability to run high-volume queries.
It said any unusual activity on third-party accounts would now trigger an alarm and block access.
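The two controls the notice describes, a cap on high-volume queries by partner accounts and an alarm that blocks the account on unusual activity, are straightforward to express as a monitor over a lookup log. The following is an added illustration, not Swisscom's code or anything from the IBT article: the account names, the ten-minute window, the quota of five lookups and the log lines are all constructed for the example.

```python
"""
Added example: a per-account rolling-window monitor for third-party
(sales-partner) lookups against a customer database. It enforces a
quota, raises an alarm when an account exceeds it, and blocks further
access from that account. Everything here (account names, quota,
window, log lines) is constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, partner account, action,
# customer record id. Lines are in time order for each account.
SAMPLE_LOG = """\
2018-01-15T09:00:01Z partner-A lookup cust=10001
2018-01-15T09:12:40Z partner-A lookup cust=10002
2018-01-15T09:29:05Z partner-A lookup cust=10003
2018-01-15T09:05:00Z partner-B lookup cust=20001
2018-01-15T09:05:10Z partner-B lookup cust=20002
2018-01-15T09:05:20Z partner-B lookup cust=20003
2018-01-15T09:05:30Z partner-B lookup cust=20004
2018-01-15T09:05:40Z partner-B lookup cust=20005
2018-01-15T09:05:50Z partner-B lookup cust=20006
2018-01-15T09:06:00Z partner-B lookup cust=20007
"""

# Hypothetical quota: at most 5 lookups per account in any 10-minute window.
WINDOW = timedelta(minutes=10)
MAX_LOOKUPS_PER_WINDOW = 5


def parse_line(line):
    """Split one constructed log line into (timestamp, account, record)."""
    ts_text, account, _action, record = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, account, record


class PartnerQueryMonitor:
    """Rolling-window quota per partner account with alarm-and-block."""

    def __init__(self, window=WINDOW, max_lookups=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.max_lookups = max_lookups
        self.recent = defaultdict(deque)  # account -> timestamps in window
        self.blocked = set()
        self.alerts = []

    def observe(self, ts, account):
        """Record one lookup; return 'ok', 'alert' or 'blocked'."""
        if account in self.blocked:
            return "blocked"          # access already revoked for this account
        window = self.recent[account]
        window.append(ts)
        # Drop timestamps that have aged out of the rolling window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) > self.max_lookups:
            # Unusual volume: raise the alarm and block the account.
            self.blocked.add(account)
            self.alerts.append(
                f"{ts.isoformat()} {account}: {len(window)} lookups within "
                f"{self.window} exceeds quota {self.max_lookups}; access blocked"
            )
            return "alert"
        return "ok"


def run_monitor(log_text, window=WINDOW, max_lookups=MAX_LOOKUPS_PER_WINDOW):
    """Feed every log line through the monitor and return its findings."""
    monitor = PartnerQueryMonitor(window, max_lookups)
    statuses = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _record = parse_line(line)
        statuses.append(monitor.observe(ts, account))
    return {"statuses": statuses, "blocked": monitor.blocked, "alerts": monitor.alerts}


if __name__ == "__main__":
    result = run_monitor(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("blocked accounts:", sorted(result["blocked"]))
```

On the constructed log, partner-A stays well under the quota, while partner-B's seven lookups in one minute trip the alarm on the sixth and are refused from then on. In a real deployment the quota would be tuned to each partner's legitimate volume, and the alert would go to the security team rather than to standard output.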

For my Computer Security students to consider. No new kinds of security, only failure to implement the old ones.
Surviving Your Digital Transformation
2018 is lining up to be the year of Digital Transformation. Just about every organization looking to remain viable in the growing digital marketplace has some sort of digital transformation in progress or one in the planning stages for this year. These projects range from implementing basic applications to better interact with online consumers, to converging OT and IT networks, or even pushing their entire infrastructure to the cloud.
But digital transformation without an equivalent security transformation is leaving organizations more vulnerable than ever.

It does not have to be ‘surveillance technology’ to be used for surveillance.
PinMe: Tracking a Smartphone User around the World
PinMe: Tracking a Smartphone User around the World. Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal, Niraj Jha (Submitted on 5 Feb 2018). arXiv:1802.01468 [cs.CR]
“With the pervasive use of smartphones that sense, collect, and process valuable information about the environment, ensuring location privacy has become one of the most important concerns in the modern age. A few recent research studies discuss the feasibility of processing data gathered by a smartphone to locate the phone’s owner, even when the user does not intend to share his location information, e.g., when the Global Positioning System (GPS) is off. Previous research efforts rely on at least one of the two following fundamental requirements, which significantly limit the ability of the adversary: (i) the attacker must accurately know either the user’s initial location or the set of routes through which the user travels and/or (ii) the attacker must measure a set of features, e.g., the device’s acceleration, for potential routes in advance and construct a training dataset. In this paper, we demonstrate that neither of the above-mentioned requirements is essential for compromising the user’s location privacy. We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off.”

“We know what you like better than you know what you like.”
‘Fiction is outperforming reality’: how YouTube’s algorithm distorts truth
theguardian – An ex-YouTube insider reveals how its recommendation algorithm promotes divisive clips and conspiracy videos: “There are 1.5 billion YouTube users in the world, which is more than the number of households that own televisions. What they watch is shaped by this algorithm, which skims and ranks billions of videos to identify 20 “up next” clips that are both relevant to a previous video and most likely, statistically speaking, to keep a person hooked on their screen. Company insiders tell me the algorithm is the single most important engine of YouTube’s growth. In one of the few public explanations of how the formula works – an academic paper that sketches the algorithm’s deep neural networks, crunching a vast pool of data about videos and the people who watch them – YouTube engineers describe it as one of the “largest scale and most sophisticated industrial recommendation systems in existence”…

(Related) Can lots of data make a company creative?
Do you still use Yahoo? Do you still remember MySpace? Compaq? Kodak? The cases of startups with superior ideas dethroning well-established incumbents are legion. This is the beauty of “creative destruction” – the term coined by innovation prophet Joseph Schumpeter almost a century ago. Incumbents have to keep innovating, lest they be overtaken by a new, more creative competitor. Arguably, at least in sectors shaped by technical change, entrepreneurial innovation has kept markets competitive far better than antitrust legislation ever could. For decades, creative destruction ensured competitive markets and a constant stream of new innovation. But what if that is no longer the case?
The trouble is that the source of innovation is shifting – from human ingenuity to data-driven machine-learning. Google’s self-driving cars are getting better through the analysis of billions of data points collected as Google’s self-driving cars roam the street. IBM Watson detects skin cancer as precisely as the average dermatologist because it has been training itself with hundreds of thousands of skin images. Siri and Alexa are getting better at understanding what we say because they never stop learning. Of course, it takes plenty of talented, creative people to build these products. But their improvement is driven less by a human “aha-moment” than by data and improvements in how machines learn from it.

For my Data Management students.
Cliff Notes for Managing the Data Science Function
William Vorhies – Data Science Central: “There are an increasing number of larger companies that have truly embraced advanced analytics and deploy fairly large numbers of data scientists. Many of these same companies are the ones beginning to ask about using AI. Here are some observations and tips on the problems and opportunities associated with managing a larger data science function.”

The simpler the better.
Common Craft Explains Blockchain
Turn on any of the 24/7 cable news networks today and you're likely to hear about Bitcoin and/or blockchain. Bitcoin is in the news because of its wild fluctuations in value over the last year. Blockchain is what makes cryptocurrencies like Bitcoin possible. If that seems clear as mud, you should watch Common Craft's new video titled Blockchain Explained by Common Craft. The video does a great job of using a concept that we're all familiar with, ownership of physical property, to explain the blockchain concept.
After watching Common Craft's video about blockchain, watch this video from Financial Post to learn how the blockchain concept is applied to Bitcoin and other cryptocurrencies.

Use the technology potential customers use.
TD Ameritrade to Allow Trading via Twitter
TD Ameritrade is letting customers initialize trades over Twitter, the latest attempt by the discount brokerage to attract digitally savvy and younger investors.
The firm’s Twitter “chatbot” resembles the one it launched via Facebook Messenger in August, and it is powered by an algorithm that produces “social signals.” The algorithm sifts through tweets and then rates the relevance of the information to provide “intelligence” to investors, such as volume spikes, live trading quotes and company news.

Perspective. Makes me feel very, very old.
5,000 single people have revealed what they think about calling and texting on a date and whether having sex with a robot is 'cheating'
