Thursday, March 08, 2018

It seems more important to sell new technologies than to secure them.
Tristan Greene reports:
A pair of independent researchers yesterday uncovered a particularly worrisome security vulnerability in Microsoft’s Windows 10. If your PC’s OS was installed with default settings this could affect you.
The simple “hack” involves activating Cortana via voice command to open websites on a PC that’s been locked.
Read more on TNW.

Democratizing crime? At least making it easier to get untraceable payments.
Cryptocurrencies and the Revolution in Cybercrime Economics
Over the past year, Bitcoin and other cryptocurrencies have increasingly gained publicity and media attention. The focus of the reporting has been primarily on cryptocurrencies as a financially speculative medium, with the value of Bitcoin rising over 2000% in 2017 alone. Although there has been some reporting on the importance of cryptocurrencies as the payment medium of choice on the Darknet, less attention has been given to the fact that they have revolutionized the economics of cybercrime, with a noticeable impact on threat actors’ Tactics, Techniques and Procedures (TTPs).
Cryptocurrencies possess some characteristics that solve the complexity and risk challenges for monetizing hacking:
1. They are anonymous
2. They are unregulated
3. They represent a direct store of purchasing value, even if they need to be converted from one cryptocurrency into another
4. They can be stolen themselves, or resources can be stolen to mine them

It is these characteristics that make cryptocurrencies so attractive and especially useful to cybercriminals.
The problem that cybercriminals have always had was how to turn data into currency. Now data is currency.

For my Ethical Hacking students: Always learn from the pros. If a less sophisticated hacker is stumbling around in the machine, they may attract attention you want to avoid. Do you exit or lock them out?
When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.

My students immediately saw how this could be monetized, but also recognized the problems failing to disclose could cause.
Earlier this week, Mitch Lowe, CEO of the popular all-you-can-eat movie subscription service MoviePass, made headlines for bragging about how the app can track the location of its users. Shortly after that comment, MoviePass issued a statement clarifying its actions, and now the iOS app has been updated to remove the features…

“The ghost in the machine?” A rogue AI has taken over your machine and finds your doom laughable?
Alexa Spooks Users As Deranged Amazon Echos Randomly Break Out In Creepy Laughter
After being temporarily knocked offline last week due to an Amazon Web Services (AWS) outage, Amazon is dealing with another Alexa incident. While losing access to Alexa Voice Services for a few hours is annoying, what is currently happening to Amazon Echo users (and other devices that take advantage of Alexa) is downright puzzling and, to some people, a little freaky.
Amazon Echo devices have reportedly been laughing for absolutely no particular reason at all, which as you can imagine is unsettling to unsuspecting ears. This isn't a fluke that was relegated to just one person. Multiple people have confirmed that their Echos have "gone rogue" with fits of laughter as if they somehow had their funny bone tickled.

If this keeps happening, people might stop blindly trusting the government.
IG Audit finds continued flaws in OPM security of federal employee data
NextGov: “The Office of Personnel Management inspector general again found flaws in the agency’s contracting for the credit monitoring and ID theft services it provides to the more than 21.5 million current, former and prospective federal employees affected by the 2015 data breaches. OPM has gone through two different contracts for post-breach protections. The IG found “significant deficiencies” in the contracting process of the first one, a $20 million contract to Winvale Group and subcontractor CSID. When that contract expired, OPM opted for a contract with ID Experts to provide services for three years with a potential value of $330 million. In a report released Tuesday, auditors found the agency’s Office of Procurement Operations bypassed some of the Federal Acquisition Regulation and the agencies’ purchasing rules for the ID Experts contract. The IG found 15 areas of noncompliance, such as designating the contracting officer representative after the award, failing to check the System for Award Management and data-entry errors. Auditors also found incomplete or unapproved contractual documents, including the acquisition plan, market research plan and technical evaluation plan. “Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the FAR requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts,” the report states…”

(Related) I bet some of their systems are older than the Department itself.
Homeland Security's own IT security is a hot mess, watchdog finds
An inspector general audit found dozens of systems across the agency's networks were running old and outdated software, and in some cases, computers hadn't received security patches for five years.
… A newly released report by the department's Office of Inspector General found many of the agency's systems, including both unclassified and national security systems containing the highest "top secret" information, were running outdated, unsupported operating systems that in some cases hadn't been patched with security updates for years.

Perspective. Perhaps not all of the questions have been answered.
UK kicks off driverless car law review to get tech on the road by 2021
… Among the questions to be reviewed and — says the government — answered are:
  • who is the ‘driver’ or responsible person, as appropriate
  • how to allocate civil and criminal responsibility where there is some shared control in a human-machine interface
  • the role of automated vehicles within public transport networks and emerging platforms for on-demand passenger transport, car sharing and new business models providing mobility as a service
  • whether there is a need for new criminal offences to deal with novel types of conduct and interference
  • what is the impact on other road users and how they can be protected from risk

A tool for our AI class (if we had one)
Windows 10’s next major update will include Windows ML, a new AI platform
Microsoft is planning to include more artificial intelligence capabilities inside Windows 10 soon. The software giant is unveiling a new AI platform, Windows ML, for developers today, that will be available in the next major Windows 10 update available this spring. Microsoft’s new platform will enable all developers that create apps on Windows 10 to leverage existing pre-trained machine learning models in apps.
… Microsoft has already been using AI throughout Office 365, inside the Windows 10 Photos app, and even with its Windows Hello facial recognition to allow Windows 10 users to sign into PCs and laptops with their faces.

A little insider trading?
Peyton Manning sold 31 local Papa John’s stores 2 days before NFL cut ties with the chain

I went the other way (Japan)
History of the US Army Security Agency
Interesting history of the US Army Security Agency in the early years of Cold War Germany.
