Saturday, July 28, 2018

I don’t have any students who work for the State this quarter. I hope someone who works with election computers reads my blog. Lots of detail.
How they did it (and will likely try again): GRU hackers vs. US elections
In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment
… The filing [PDF] spells out the Justice Department's first official, public accounting
… The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law enforcement agencies.
… After digging into this latest indictment, the evidence suggests Trump may not have made a very good call on this matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided, does strike on a certain truth: the Clinton campaign, the DNC, and DCC were poorly prepared for this sort of attack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they enlisted for help.
… The GRU operation had conducted wide-ranging spear-phishing attacks against both Democrats and Republicans as far back as October 2015 with limited success. Members of John McCain's and Lindsey Graham's campaign staffs, as well as members of several other Republican congressional campaign staffs, had their emails stolen and later posted on the DCLeaks site. But as the presidential field narrowed, the GRU began to focus on the Democrats and Hillary Clinton's campaign.
… Unfortunately, few if any members of the Clinton campaign staff, DNC, or DCCC used two-factor authentication—despite advice from outside advisors

(Related) The government hasn’t realized how important Computer Security is. They still consider IT as unimportant to the strategic success of the organization (like janitorial services). The results are similar to the failures of ignorant politicians.
NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds
The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday.
Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.
Perhaps most striking, the agency has not properly implemented “two-person access controls” on its data centers and equipment rooms.

This should be an obvious red flag.
State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China
Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.
This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”

More to come.
Britain's Fake News Inquiry Says Facebook And Google's Algorithms Should Be Audited By UK Regulators
British regulators should be given more control over Facebook and Google to stop the spread of “fake news” — including the power to audit their jealously-guarded algorithms — an influential parliamentary committee will recommend.
The interim report from the House of Commons Digital, Culture, Media and Sport Committee is due to be published on Sunday, but on Friday afternoon a leaked copy was published in full online by former Vote Leave campaign strategist Dominic Cummings.

Tools for summer reading.

Friday, July 27, 2018

School for hackers? I’d hazard a guess that this did not take much skill to do. Once one inmate figured it out, he could just email instructions to all his friends. No indication how long this has been going on.
Idaho inmates hacked nearly a quarter million dollars
Idaho prison officials say 364 inmates hacked the JPay tablets they use for email, music and games and collectively transferred nearly a quarter million dollars into their own accounts.
The department’s special investigations unit discovered the problem earlier this month, and the improper conduct involved no taxpayer dollars, Idaho Department of Correction spokesman Jeff Ray said.
The hand-held computer tablets are popular in prisons across the country, and they are made available to Idaho inmates through a contract with CenturyLink and JPay. Neither company immediately responded to a request for comment from The Associated Press.
The tablets allow inmates to email their families and friends, purchase and listen to music or play simple electronic games.
The inmates were “intentionally exploiting a vulnerability within JPay to improperly increase their JPay account balances,” Ray said in a prepared statement on Thursday. He said 50 inmates credited their accounts in amounts exceeding $1,000; the largest amount credited by a single inmate was just under $10,000.
The total amount was nearly $225,000.
“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Ray said in a prepared statement.

Phishing requires the right lure.
‘Password Check Required Immediately’ – most effective phishing line
Leveraging a key human trait that machines would not fall for, cybercriminals can easily manipulate or fool humans using social engineering tactics. A new study on the most effective phishing scams shows that, ironically, the subject lines relating to security are most likely to trick users into handling their credentials insecurely.
“By playing into a person’s psyche to either feel wanted or alarmed, hackers continue to use email as a successful entry point for an attack,” according to KnowBe4, which deals with security awareness and simulated phishing.
… After examining tens of thousands of subject lines, including some “in-the-wild” emails, researchers compiled the following “Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018” (frequency percentage in brackets):
  1. Password Check Required Immediately (15%)
  2. Security Alert (12%)
  3. Change of Password Required Immediately (11%)
  4. A Delivery Attempt was made (10%)
  5. Urgent press release to all employees (10%)
  6. De-activation of [[email]] in Process (10%)
  7. Revised Vacation & Sick Time Policy (9%)
  8. UPS Label Delivery, 1ZBE312TNY00015011 (9%)
  9. Staff Review 2017 (7%)
  10. Company Policies-Updates to our Fraternization Policy (7%)
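The list above is a ranking, not a detector. As an added example (not part of the KnowBe4 report or this post), here is a small subject-line triage scorer a mail-gateway or SOC analyst might use to surface messages that lean on the same themes: urgency words, credential and security language, internal-policy lures, and delivery lures with a tracking-number shape. The keyword groups and weights are constructed for this example from the themes in the list; they are not figures from the report.

```python
import re

# Keyword groups distilled from the themes in the Q2 2018 list above.
# Weights are constructed for this example, not taken from the report.
URGENCY = {"immediately", "urgent", "required", "in process", "alert"}
CREDENTIAL = {"password", "account", "de-activation", "deactivation", "security"}
BUSINESS_LURE = {"policy", "policies", "staff review", "press release",
                 "vacation", "sick time"}
DELIVERY = {"delivery", "ups", "fedex", "dhl", "label", "delivery attempt"}
# Shape of a UPS tracking number ("1Z" followed by 16 alphanumerics).
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")


def _contains_word(text, phrase):
    """Whole-word/phrase match so 'ups' does not fire inside 'groups'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def score_subject(subject):
    """Return (score, reasons) for triage. Higher means 'look at this first';
    it is a prioritisation aid, not a verdict on the message."""
    s = subject.lower()
    score = 0
    reasons = []

    def hit(words, label, weight):
        nonlocal score
        found = sorted(w for w in words if _contains_word(s, w))
        if found:
            score += weight
            reasons.append(f"{label}: {', '.join(found)}")

    hit(URGENCY, "urgency", 2)
    hit(CREDENTIAL, "credential/security theme", 3)
    hit(BUSINESS_LURE, "internal-business lure", 1)
    hit(DELIVERY, "delivery lure", 1)
    if TRACKING_RE.search(subject):
        score += 1
        reasons.append("tracking-number pattern")
    # The top of the list pairs urgency with a credential/security theme;
    # that combination gets an extra bump.
    if any(r.startswith("urgency") for r in reasons) and \
       any(r.startswith("credential") for r in reasons):
        score += 2
        reasons.append("urgency + credential combination")
    return score, reasons


def triage(subjects, threshold=5):
    """Return the subjects at or above the threshold, highest score first."""
    scored = [(score_subject(sub), sub) for sub in subjects]
    return sorted(((sc, sub) for (sc, _), sub in scored if sc >= threshold),
                  reverse=True)


if __name__ == "__main__":
    # Constructed sample inbox using lines from the list plus a benign subject.
    inbox = ["Password Check Required Immediately", "Security Alert",
             "UPS Label Delivery, 1ZBE312TNY00015011", "Lunch menu for Friday"]
    for score, subject in triage(inbox):
        print(score, subject, score_subject(subject)[1])
```

The scorer deliberately reports its reasons alongside the number so an analyst can see why a message ranked where it did; a bare score invites people to treat a keyword heuristic as ground truth.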

We haven’t heard much about the Exactis data breach, but Troy Hunt pointed me to this record layout.
Exactis Data Sample

The cost of doing the right thing? More like an accurate user count now that they are doing the right things.
Twitter to prioritize fixing platform over user growth, shares plunge
Twitter Inc on Friday reported fewer monthly active users than analysts expected and warned that the closely-watched figure could keep falling as it deletes phony accounts, sending shares sharply lower in early trading.
The company said the work it was doing to clean up Twitter by purging automated and spam accounts had some impact on its user metrics in the second quarter, and that it would prioritize work to improve suspicious accounts and reduce hate speech and other abusive content over projects that could attract more users.

The clash of technologies? Requires a thoughtful architecture to avoid disaster.
The GDPR and Blockchain
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions.
… in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.
… One of the most widely perceived challenges of blockchain and the GDPR is the inability to delete data. The main benefit of blockchain technology is that the blocks in the chain cannot be deleted or modified, to ensure the security and accuracy of the record. However, under the GDPR, data subjects have the right to rectification, where the personal data concerning them is inaccurate, and they may have the right to have their data erased (“right to be forgotten”).

Legal tech. No robot lawyers yet?
Three Technologies Transforming the Legal Field
Law Technology Today: “Is your staff using analytics, blockchain and OCR yet? Corporations are ever-focused on their legal spend and demand more value from their outside counsel. Further disrupting the legal field are alternative legal service providers fueling the competitive landscape to become more crowded and innovative. As a result, Thomson Reuters’ 2018 Report on the State of the Legal Market surmised that declining profit margins, weakening collections, falling productivity, and loss of market share to alternative legal service providers are chipping away at the foundations of firm profitability. To counteract these market pressures and to differentiate themselves from competitors, law firms are embracing technology to improve operational efficiencies and transform the way attorneys and their firms interact with clients, answer their questions, and tackle their legal challenges. The law firms that embrace technology as a means to provide more cost-effective services to their clients will have a competitive advantage. For example, digitization and automation technologies have emerged that streamline internal processes and reduce workloads, so lawyers can spend more time advising clients and less time with administrative work…”

Perspective. Amazon the advertising powerhouse?
Amazon challenges Google and Facebook with surprising new multi-billion dollar business
Amazon’s cloud business may get much of the attention for bolstering the company’s bottom line. But an emerging new advertising arm of Amazon is also fueling record profits for the Seattle tech giant.
… Amazon does not break out financials for advertising and lumps it into the “Other” category, which “primarily includes sales of advertising services, as well as sales related to our other service offerings,” according to financial statements.
Amazon reported revenue of $2.2 billion for that category in the second quarter, up 129 percent year-over-year. For comparison, Amazon’s online store sales grew 12 percent and AWS sales grew 49 percent.
Amazon has become a formidable e-commerce search engine, competing with Google to be the first place where shoppers start when they want to buy products online. Its growing advertising business is another example of the battle between Amazon and Alphabet-owned Google, which compete across a number of areas such as voice technology, cloud computing, and online shopping.

Interesting. I was about to try loading Kali Linux on a thumb drive.
Ethical hacking is a great way to uncover your inner Mr. Robot. And what better way to build those skills than by using one of the foremost hacking toolkits?
We’re talking Kali Linux on your Raspberry Pi 3! A Raspberry Pi 3 running Kali Linux is surprisingly formidable for hacking. The tiny computer is cheap, powerful, and versatile.
In fact, Kali Linux comes packed with everything you need to expand your ethical hacking skills.

Thursday, July 26, 2018

Note that this does not seem to be a problem with either Oracle or SAP. It’s a management problem.
Study warns of rising hacker threats to SAP, Oracle business software
At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cyber security firms said in a study published on Wednesday.
The Department of Homeland Security issued an alert [ ] citing the study by security firms Digital Shadows and Onapsis that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.
Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report.

When the “protectors” compromise your data… Think of ‘unsubscribe’ as a GDPR ‘opt-out.’
LifeLock ID theft protection leak could have aided identity thieves
LifeLock's identity theft protection service suffered from a security flaw that put users' identities in jeopardy. The event forced its parent company, Symantec, to pull its website down to fix the issue after it was notified by KrebsOnSecurity. According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability through a newsletter email he received from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.
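The flaw described above is the classic insecure-direct-object-reference pattern: the unsubscribe page took a sequential subscriber key, so one valid key implied all the others. As an added illustration (not LifeLock's or Symantec's code, and with a constructed subscriber table), here is the vulnerable lookup beside a hardened one that issues an unguessable, keyed token per subscriber and verifies it in constant time. `SERVER_SECRET` is an assumed server-side secret.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed subscriber table with sequential keys, mirroring the pattern
# the article describes. Not real data.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


# --- Vulnerable pattern: the unsubscribe link carries the raw sequential key ---
def unsubscribe_vulnerable(key):
    # Every integer maps to a record, so keys can simply be counted through.
    return SUBSCRIBERS.get(key)


# --- Hardened pattern: an HMAC-bound token that only the server can mint ---
SERVER_SECRET = secrets.token_bytes(32)  # assumed: kept server-side only


def make_unsubscribe_token(subscriber_id):
    """Token = id + '.' + HMAC(secret, id). The id is still visible, but a
    valid tag cannot be produced for any other id without the secret."""
    mac = hmac.new(SERVER_SECRET, str(subscriber_id).encode(),
                   hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{subscriber_id}.{tag}"


def unsubscribe_hardened(token):
    """Return the subscriber's address only when the tag verifies."""
    try:
        sid_str, _tag = token.split(".", 1)
        sid = int(sid_str)
    except ValueError:
        return None
    expected = make_unsubscribe_token(sid)
    # Constant-time comparison so a wrong tag does not leak how much of it matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return SUBSCRIBERS.get(sid)


def mask_email(address):
    """What the confirmation page should show: enough to recognise, not to harvest."""
    local, _, domain = address.partition("@")
    shown = local[0] if local else ""
    return f"{shown}***@{domain}"


if __name__ == "__main__":
    link_token = make_unsubscribe_token(1002)
    print("valid token resolves to", mask_email(unsubscribe_hardened(link_token)))
    print("tampered token resolves to", unsubscribe_hardened("1003." + link_token.split(".")[1]))
```

Two design points: a purely random token stored per subscriber would work just as well and hides the id entirely, but the HMAC form needs no extra storage; and even a verified page should display a masked address, since the bug here was as much about what the page echoed back as about the key it accepted.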

Non-reporting was even worse than I thought.
Under GDPR, Data Breach Reports in UK Have Quadrupled
… GDPR imposes a number of new requirements on organizations that handle personal information. But one of the biggest changes is that organizations must track all breaches, as well as report certain types of breaches to authorities "within 72 hours of becoming aware of the breach, where feasible," according to the Information Commissioner's Office, which is the U.K.'s data privacy watchdog and GDPR enforcer.
… But the data does not reveal whether organizations are suffering more - or fewer - breaches than before. "It's important to note that while the number of reported breaches has increased, it does not necessarily mean the number of breaches has increased – just that more are being reported," says Brian Honan, who heads cybersecurity consultancy BH Consulting in Dublin, and who moderated a panel focused on complying with GDPR at the June Infosecurity Europe conference in London.

(Related) A good summary for my students.
Nine Aspects Of GDPR Customer Data Management You Need To Know
1. The Right To Be Forgotten
The biggest impact GDPR will have on organizations is the right to be forgotten. Organizations are required to allow EU residents to revoke their consent at any point. This means that all that data must be removed from every system within the organization. Unless all their databases are integrated, this could get tricky.
8. The IP Address As Personal Data
One of the key tenets of cybersecurity operations is tracking indicators of compromise: Pieces of identifying information that tip off whether user or network activity is malicious. With GDPR in effect, IOCs such as a user's IP address are considered personal data, impacting the defenders' ability to fully use that data to identify, detect and respond to threats.
9. Third-Party Data Policy
All third-party scripts like social media plug-ins, advertising and analytics scripts are your responsibility. How they handle your users' data can be a liability. You cannot assume these third-party companies are GDPR compliant just yet. Review your third-party service providers’ security, and consider removing most external third-party scripts until you can ensure they are GDPR compliant.
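Point 8 above raises a practical question for a SOC: how do you keep correlating activity by source address once the address itself is personal data? One common answer is keyed pseudonymization: replace each IP in retained logs with an HMAC of the address under a secret that only the security team holds. The same address always yields the same token, so counting and clustering still work, but the token cannot be turned back into an address without the key. The following is an added example, not from the article; the log lines and the key are constructed.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed Apache-style access log lines (documentation-range addresses).
SAMPLE_LOGS = [
    '203.0.113.45 - - [25/Jul/2018:10:01:02 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.45 - - [25/Jul/2018:10:01:05 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.7 - - [25/Jul/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 2048',
    '999.1.1.1 - - [25/Jul/2018:10:02:30 +0000] "GET / HTTP/1.1" 400 0',
]

# Assumed: a secret held by the security team, separate from the log store.
PSEUDONYM_KEY = b"constructed-key-for-this-example"


def pseudonymize_ip(ip, key):
    """Deterministic keyed pseudonym: same IP -> same token under the same key."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for junk like 999.1.1.1
    mac = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + mac[:16]


def pseudonymize_line(line, key):
    """Replace every well-formed IPv4 literal; leave malformed ones untouched."""
    def swap(match):
        try:
            return pseudonymize_ip(match.group(0), key)
        except ValueError:
            return match.group(0)
    return IPV4_RE.sub(swap, line)


def failed_logins_by_source(lines, key):
    """Detection still works on pseudonymized data: count 401s per source token."""
    counts = Counter()
    for line in lines:
        pseud = pseudonymize_line(line, key)
        fields = pseud.split()
        source, status = fields[0], fields[-2]
        if status == "401":
            counts[source] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(pseudonymize_line(line, PSEUDONYM_KEY))
    print(failed_logins_by_source(SAMPLE_LOGS, PSEUDONYM_KEY))
```

Rotating the key breaks correlation across the rotation boundary, which is the trade-off to plan for: a short rotation period limits how long any token stays linkable, a long one keeps historical hunting intact.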

I immediately thought this meant that the remaining 507 members of Congress were correctly matched to mugshots. Perhaps they didn’t gather enough mugshots?
Amazon’s Rekognition messes up, matches 28 lawmakers to mugshots
The American Civil Liberties Union of Northern California said Thursday that in its new test of Amazon’s facial recognition system known as Rekognition, the software erroneously identified 28 members of Congress as people who have been arrested for a crime.
According to Jake Snow, an ACLU attorney, the organization downloaded 25,000 mugshots from what he described as a "public source."
The ACLU then ran the official photos of all 535 members of Congress through Rekognition, asking it to match them up with any of the mugshots—and it ended up matching 28.

Wednesday, July 25, 2018

How to breach security.
The Foundation of Cyber-Attacks: Credential Harvesting
Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers alike ― credential harvesting. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While credential harvesting is often seen as equivalent to phishing, it uses different tactics.
Cyber attackers long ago figured out that the easiest way for them to gain access to sensitive data is by compromising an end user’s identity and credentials. Betting on the human factor and attacking the weakest link in the cyber defense chain, credential harvesting has become the foundation of most cyber-attacks.
In the case of cloned websites, the victim is often unaware of the attack, since the fake web designs are often very authentic. When the user enters his or her credentials, the page not only captures them but then forwards them to the actual login page, which then logs in the user. The victim never even knows their credentials were stolen.

Important topic for Computer Security too.
Low-Hanging Fruit: Responding to the Digital Evidence Challenge in Law Enforcement
Whether you believe law enforcement is “going dark” or we are in a “golden age of surveillance,” law enforcement faces serious challenges in identifying and accessing digital evidence that is available and important to their criminal investigations. Some of these problems are, no doubt, related to encryption and ephemerality of data – the two issues that have absorbed most of the national attention to date. But, in fact, the problems with digital evidence and digital technologies go far beyond those issues, as we detail in a new CSIS-issued report released today, Low-Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge. (See also coverage of the report at the Washington Post.)
… We found that difficulties accessing and utilizing digital evidence affect more than a third of law enforcement cases – a percentage that we expect only to grow over time absent national attention to the issue.

Still think we are doing everything possible?
Poynter guide to anti-misinformation actions around the world
Poynter has updated this very useful guide – Here’s where governments are taking action against online misinformation – subject matter includes hate speech law, misinformation, media literacy, fake news, election misinformation, political bots and advertising, foreign disinformation campaigns, media regulation, internet regulation.

(Related) Matches my observation.
Paper – Susceptibility to partisan fake news is better explained by lack of reasoning than by motivated reasoning
Lazy, not biased: Susceptibility to partisan fake news is better explained by lack of reasoning than by motivated reasoning. Gordon Pennycook and David G. Rand. Cognition. Available online 20 June 2018 [paywall – but Table of Contents, Abstract, Figures and Supplementary Data are available at no fee]
  • Participants rated perceived accuracy of fake and real news headlines.
  • Analytic thinking was associated with ability to discern between fake and real.
  • We found no evidence that analytic thinking exacerbates motivated reasoning.
“Falling for fake news is more a result of a lack of thinking than partisanship. Why do people believe blatantly inaccurate news headlines (“fake news”)? Do we use our reasoning abilities to convince ourselves that statements that align with our ideology are true, or does reasoning allow us to effectively differentiate fake from real regardless of political ideology? Here we test these competing accounts in two studies (total N = 3446 Mechanical Turk workers) by using the Cognitive Reflection Test (CRT) as a measure of the propensity to engage in analytical reasoning. We find that CRT performance is negatively correlated with the perceived accuracy of fake news, and positively correlated with the ability to discern fake news from real news – even for headlines that align with individuals’ political ideology. Moreover, overall discernment was actually better for ideologically aligned headlines than for misaligned headlines. Finally, a headline-level analysis finds that CRT is negatively correlated with perceived accuracy of relatively implausible (primarily fake) headlines, and positively correlated with perceived accuracy of relatively plausible (primarily real) headlines. In contrast, the correlation between CRT and perceived accuracy is unrelated to how closely the headline aligns with the participant’s ideology. Thus, we conclude that analytic thinking is used to assess the plausibility of headlines, regardless of whether the stories are consistent or inconsistent with one’s political ideology. Our findings therefore suggest that susceptibility to fake news is driven more by lazy thinking than it is by partisan bias per se – a finding that opens potential avenues for fighting fake news.”

All is not peaches and cream?
Facebook’s departing chief information security officer Alex Stamos, whose upcoming exit has been known for months, wrote a note to staff in March amid the Cambridge Analytica data-sharing scandal urging them to reconsider the site’s approach to privacy, BuzzFeed News reported on Tuesday.
In his note titled “A Difficult Week,” Stamos wrote that the scandal—in which Facebook’s reckless approach to sharing data on users allowed the sketchy political firm to acquire data on somewhere around 87 million users—as well as others such as alleged Russian information warfare on the site were the result of “tens of thousands of small decisions made over the last decade.” Per BuzzFeed, he also implored his colleagues to please, for the love of god, consider negative feedback when implementing features that pushed the limits of users’ comfort levels, as well as limit its data collection to that actually necessary for the company’s functioning:
“We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access,” Stamos wrote. “We need to intentionally not collect data where possible, and to keep it only as long as we are using it to serve people.”
“We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world,” the note continued. “We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok. We need to be willing to pick sides when there are clear moral or humanitarian issues. And we need to be open, honest and transparent about our challenges and what we are doing to fix them.”

Perspective. What are auto manufacturers doing to transition to the “self-driving/rides on demand” future?
Ford follows GM's Cruise move with self-driving spinoff
Ford Motor Co (F.N) said on Tuesday it was creating a separate $4 billion unit to house its self-driving vehicle operations and is seeking outside investors, following a similar move in late May by Detroit rival General Motors Co (GM.N) with its Cruise Automation unit.

GM launches a peer-to-peer car-sharing service
General Motors is launching a new service in Chicago, Detroit and Ann Arbor, Mich. that will let owners rent out their personal GM -branded vehicles through its Maven car-sharing platform.

Perspective. Tired of the vast wasteland?
Cable's Netflix bundling deals aren't stopping customers from cutting the cord
Cable providers have been wringing their hands and pulling out deal after deal to try to keep cable TV subscribers. Most recently, they started bundling Netflix subscriptions with cable packages (because bundling is totally something customers don't hate at all).
But a new report from eMarketer shows that their tactics aren't panning out. Not only is the rate of TV watchers opting for Over The Top (OTT) service on the rise — where they just watch internet TV providers like Netflix, instead of paying for cable — it's also accelerating faster than projected growth rates.
Projections put the number of cord cutters — adults who cancel pay TV, opting instead for OTT — at 33 million, which is 32.8 percent of TV watchers.
… The growth rates of the OTT providers tell the other side of the story. Netflix reached 100 million subscribers in 2017. Leaked documents from Amazon showed that it counts 26 million prime members as US viewers. Hulu garnered a walloping 40 percent growth in subscribers in 2017, reaching 17 million viewers. It also launched Hulu Live TV, which is like basic cable via a Hulu subscription — and is proving to be incredibly popular. And YouTube and Facebook (via Facebook Watch and IGTV) are in all-out war to capture the millions of eyeballs to which they already have access.

A new record? This has really got to hurt.
Venezuela's inflation on track to top 1 million percent, IMF says

Interesting. One of those products I see no great market for, but then I have a history of being wrong.
Segway Unveils Self-Balancing Electric Roller Shoes
Segway has unveiled its latest creation, and it’s as off-kilter as you’d expect from the company. Taking the hoverboard trend one step further, it’s now created the Drift W1, which essentially splits the board in half and works underneath your shoes. The shoes will weigh 7.7lbs and have a top speed of 7.5 MPH, with a riding time of around 45 minutes before needing another charge.
Each pair will also come with a helmet for anyone trying to figure out how to work these shoes without injury. The Segway Drift W1 will cost $399 USD and be available during August. You can find out more information from the brand’s web page.

Tuesday, July 24, 2018

“The fault, dear Brutus, is not in our stars, but in ourselves...”
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M
Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its cybersecurity insurance provider for refusing to fully cover the losses.
According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.
… Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.
National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.
… In June of 2016, National Bank implemented additional security protocols, as recommended by FirstData. These protocols are known as “velocity rules” and were put in place to help the bank flag specific types of repeated transaction patterns that happen within a short period of time
But just eight months later — in January 2017 according to the lawsuit — hackers broke in to the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.
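The “velocity rules” mentioned above are a sliding-window check: flag a card when too many withdrawals, or withdrawals at too many distinct ATMs, land inside a short interval. As an added example (not the bank's or FirstData's rules, and with constructed transactions rather than real ones), here is one such rule run over a sample transaction stream. Thresholds, ATM identifiers and amounts are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed transactions: (card, ISO timestamp, ATM id, amount). Not real data.
SAMPLE_TXNS = [
    ("card-1", "2016-05-28T02:00:00", "ATM-NY-01", 500),
    ("card-1", "2016-05-28T02:04:00", "ATM-NY-02", 500),
    ("card-1", "2016-05-28T02:07:00", "ATM-NJ-09", 500),
    ("card-1", "2016-05-28T02:09:00", "ATM-NJ-11", 500),
    ("card-2", "2016-05-28T09:00:00", "ATM-VA-01", 100),
    ("card-2", "2016-05-28T18:30:00", "ATM-VA-01", 60),
]


def velocity_alerts(txns, max_count=3, max_atms=2, window=timedelta(minutes=10)):
    """Flag a card when, within `window`, it exceeds `max_count` withdrawals
    or is used at more than `max_atms` distinct ATMs. Returns a list of alerts,
    one per offending transaction, in time order."""
    ordered = sorted(txns, key=lambda t: t[1])
    recent = defaultdict(deque)  # card -> deque of (time, atm) inside the window
    alerts = []
    for card, ts, atm, amount in ordered:
        t = datetime.fromisoformat(ts)
        dq = recent[card]
        # Drop entries that have aged out of the window.
        while dq and dq[0][0] < t - window:
            dq.popleft()
        dq.append((t, atm))
        reasons = []
        if len(dq) > max_count:
            reasons.append(f"{len(dq)} withdrawals in {window}")
        distinct = {a for _, a in dq}
        if len(distinct) > max_atms:
            reasons.append(f"{len(distinct)} distinct ATMs in {window}")
        if reasons:
            alerts.append({"card": card, "at": ts, "atm": atm,
                           "amount": amount, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE_TXNS):
        print(alert["card"], alert["at"], alert["atm"], "; ".join(alert["reasons"]))
```

The rule is evaluated on every transaction rather than once per batch, so the first alert fires on the third withdrawal for card-1 (three ATMs inside ten minutes) and the fourth withdrawal trips both thresholds. The interesting question a bank has to answer is what happens next: an alert that merely lands in a queue read on Tuesday morning does nothing over a holiday weekend like the one described in the article, so a velocity rule is only as good as the automatic hold or step-up verification wired behind it.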

Perspective. No plans to monetize any time soon.
Google CEO Sundar Pichai revealed a jaw-dropping fact about its translation app that shows how much money is still sitting on the table
… During Google's second-quarter earnings conference call on Monday, CEO Sundar Pichai revealed an intriguing piece of information that hints at the translation product's moneymaking potential. The app translates a staggering 143 billion words every day, Pichai said. And, he added, it got a big boost during this summer's World Cup soccer tournament.

For my geeks. Anyone know where I can buy a used quantum computer?
Microsoft provides free lessons for quantum computing basics
Want to learn more about quantum computing and how to program in the Q# language? Microsoft just launched Quantum Katas, an open source project that does just that by providing you with tutorials for learning at your own pace. According to Microsoft, these exercises are based on three learning principles: Active learning, incremental complexity growth, and feedback.

This uses a lot of interesting tech.
This Amazon Echo mod lets Alexa understand sign language
It seems like voice interfaces are going to be a big part of the future of computing; popping up in phones, smart speakers, and even household appliances. But how useful is this technology for people who don’t communicate using speech? Are we creating a system that locks out certain users?
These were the questions that inspired software developer Abhishek Singh to create a mod that lets Amazon’s Alexa assistant understand some simple sign language commands. In a video, Singh demonstrates how the system works. An Amazon Echo is connected to a laptop, with a webcam (and some back-end machine learning software) decoding Singh’s gestures in text and speech.
… The actual mod itself was made with the help of Google’s TensorFlow software, specifically TensorFlow.js, which allows users to code machine learning applications in JavaScript (making it easier to run applications in web browsers). As with any machine vision software, Singh had to teach his program to understand visual signals by feeding it training data. He couldn’t find any datasets for sign language online, and instead created his own set of basic signals.
The software is just a proof-of-concept at this point, and is unable to read any signs that aren’t demoed in the video. But adding more vocabulary is relatively easy, and Singh says he plans to open-source the code and write an explanatory blog post for his work. “By releasing the code people will be able to download it and build on it further or just be inspired to explore this problem space,” he tells The Verge.

It might be fun to see what my students think.
Forbes deleted a deeply misinformed op-ed arguing Amazon should replace libraries
On Saturday morning Forbes published an opinion piece by LIU Post economist Panos Mourdoukoutas with the headline “Amazon Should Replace Local Libraries to Save Taxpayers Money.” It quickly received enthusiastic backlash from actual American libraries and their communities.
As of around 10am US eastern time this morning, the story had nearly 200,000 views, according to a counter on the page. As of 11am, though, the story’s URL has been down.

Monday, July 23, 2018

Preparing for the November election. Also, think about other things that may be influenced.
Report – Challenging Truth and Trust: A Global Inventory of Organized Social Media Manipulation
Computational Propaganda Research Program – Oxford Internet Institute – Challenging Truth and Trust: A Global Inventory of Organized Social Media Manipulation, July 20, 2018: “The manipulation of public opinion over social media platforms has emerged as a critical threat to public life. Around the world, a range of government agencies and political parties are exploiting social media platforms to spread junk news and disinformation, exercise censorship and control, and undermine trust in the media, public institutions, and science. At a time when news consumption is increasingly digital, artificial intelligence, big data analytics, and “blackbox” algorithms are being leveraged to challenge truth and trust: the cornerstones of our democratic society. In 2017, the first Global Cyber Troops inventory shed light on the global organization of social media manipulation by government and political party actors. This 2018 report analyses the new trends of organized media manipulation, and the growing capacities, strategies and resources that support this phenomenon. Our key findings are:
  1. We have found evidence of formally organized social media manipulation campaigns in 48 countries, up from 28 countries last year. In each country there is at least one political party or government agency using social media to manipulate public opinion domestically.
  2. Much of this growth comes from countries where political parties are spreading disinformation during elections, or countries where government agencies feel threatened by junk news and foreign interference and are responding by developing their own computational propaganda campaigns in response.
  3. In a fifth of these 48 countries—mostly across the Global South—we found evidence of disinformation campaigns operating over chat applications such as WhatsApp, Telegram and WeChat.
  4. Computational propaganda still involves social media account automation and online commentary teams, but is making increasing use of paid advertisements and search engine optimization on a widening array of Internet platforms.
  5. Social media manipulation is big business. Since 2010, political parties and governments have spent more than half a billion dollars on the research, development, and implementation of psychological operations and public opinion manipulation over social media. In a few countries this includes efforts to counter extremism, but in most countries this involves the spread of junk news and misinformation during elections, military crises, and complex humanitarian disasters…”

Not the most common vector of attack. Consider why this data might be valuable.
State-Actors Likely Behind Singapore Cyberattack: Experts
State-actors were likely behind Singapore's biggest ever cyberattack to date, security experts say, citing the scale and sophistication of the hack which hit medical data of about a quarter of the population.
The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the "unprecedented" attack.
Singapore's health minister said the strike was "a deliberate, targeted, and well-planned cyberattack and not the work of casual hackers or criminal gangs".
While officials refused to comment on the identity of the hackers citing "operational security", experts told AFP that the complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor.
"A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage" on its behalf, said Eric Hoh, Asia-Pacific president of cybersecurity firm FireEye.
Jeff Middleton, chief executive of cybersecurity consultancy Lantium, said healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power.
"A lot of information about a person's health can be gleaned from the medications that they take," Middleton told AFP Saturday.
The hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

Something is off here. A privacy App that violates privacy?
India threatens iPhone ban if Apple doesn’t accept regulator’s anti-spam app
The last few years have seen Apple expanding into India with the iPhone, but now the company is facing a serious problem if it doesn’t cater to the demands of the country’s telecom regulator. The Telecom Regulatory Authority of India (TRAI) has put new rules in place in an effort to protect mobile users’ privacy and block spam calls and messages. Part of this policy involves making an app available to every subscriber, but Apple refuses to allow it on the App Store, ironically, due to privacy concerns.
The regulator requires that all carriers in India make TRAI’s “Do Not Disturb” app available for users to download and install on their device. The app then gives users the ability to report unsolicited calls and messages. Apple has not allowed it on their App Store, however, due to the fact that the app requires access to call history and message logs in order to send reports to the agency.
While Apple has been butting heads with TRAI for over a year now, the regulator has moved forward with the policy, giving all carriers six months to make sure the app can be installed on every device they offer. Any phones that can’t install the app after that period will be cut off from the carrier’s network. As for Android, the app is already available via Google’s Play Store.

How do you explain religion to a computer? Or the a-religious?
Can Artificial Intelligence Predict Religious Violence?
Imagine you’re the president of a European country. You’re slated to take in 50,000 refugees from the Middle East this year. Most of them are very religious, while most of your population is very secular. You want to integrate the newcomers seamlessly, minimizing the risk of economic malaise or violence, but you have limited resources. One of your advisers tells you to invest in the refugees’ education; another says providing jobs is the key; yet another insists the most important thing is giving the youth opportunities to socialize with local kids. What do you do?
Well, you make your best guess and hope the policy you chose works out. But it might not. Even a policy that yielded great results in another place or time may fail miserably in your particular country under its present circumstances. If that happens, you might find yourself wishing you could hit a giant reset button and run the whole experiment over again, this time choosing a different policy. But of course, you can’t experiment like that, not with real people.
You can, however, experiment like that with virtual people. And that’s exactly what the Modeling Religion Project does.

One source of “Big Data.”
NASA helps businesses make use of its satellite data
NASA has made its raw satellite data widely available for a long while. Now that it has a privatization-minded leader, though, it's looking to make that data more palatable for the business crowd. The administration has released a Remote Sensing Toolkit that should make it easier to use observational satellite info for commercial purposes, including straightforward business uses as well as conservation and research. The move consolidates info that used to be scattered across "dozens" of websites, and helps you search that unified database for helpful knowledge – you don't have to go to one place for atmospheric studies and another to learn about forests.
The kit includes both some ready-to-use tools for making sense of satellite content as well as the code companies can use to craft their own tools.

For the Movie Club.
1,150 Free Movies Online: Great Classics, Indies, Noir, Westerns, etc.
“Watch 1,150 movies free online. Includes classics, indies, film noir, documentaries and other films, created by some of our greatest actors, actresses and directors. The collection is divided into the following categories: Comedy & Drama; Film Noir, Horror & Hitchcock; Westerns (many with John Wayne); Martial Arts Movies; Silent Films; Documentaries, and Animation. We also have special collections of Oscar Winning Movies and Films by Andrei Tarkovsky and Charlie Chaplin.”

Sunday, July 22, 2018

With articles like these, it is easy to keep my students interested.
If you shopped at these 15 stores in the last year, your data might have been stolen

Never rely on the word of a vendor? Several flaws are detailed.
Between You, Me, and Google: Problems With Gmail's “Confidential Mode”
With Gmail’s new design rolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail.
… With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed.
Unfortunately, each of these “security” features comes with serious security problems for users.
… It’s important to note at the outset that because Confidential Mode emails are not end-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google.

Moving forensics into the cloud.
Netflix Cloud Security SIRT releases Diffy: A Differencing Engine for Digital Forensics in the Cloud
The Netflix Security Intelligence and Response Team (SIRT) announces the release of Diffy under an Apache 2.0 license. Diffy is a triage tool to help digital forensics and incident response (DFIR) teams quickly identify compromised hosts on which to focus their response, during a security incident on cloud architectures.
… It's called "Diffy" because it helps a human investigator to identify the differences between instances
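The idea behind a differencing engine is simple enough to show in a few lines: instances in one cloud group should look alike, so whatever is present on only a few of them is where the investigator looks first. Here is an added Python illustration of that triage logic (not Netflix's Diffy code), run over constructed snapshots of listening ports and process names for four hypothetical instances:

```python
"""Fleet-differencing triage, in the spirit of Diffy (added example, not Netflix code).

Each instance should match a functional baseline; anything extra or missing
relative to the majority is a finding worth a closer look."""
from collections import Counter

# Constructed snapshots (hypothetical instance ids and contents), as a
# collector might report them for one auto-scaling group.
SNAPSHOTS = {
    "i-0a11": {"ports": {22, 443, 9100}, "procs": {"sshd", "nginx", "node_exporter"}},
    "i-0a12": {"ports": {22, 443, 9100}, "procs": {"sshd", "nginx", "node_exporter"}},
    "i-0a13": {"ports": {22, 443, 9100, 4444}, "procs": {"sshd", "nginx", "node_exporter", "xmrig"}},
    "i-0a14": {"ports": {22, 443}, "procs": {"sshd", "nginx"}},
}


def baseline(snapshots, field, threshold=0.5):
    """Items present on more than `threshold` of the instances form the baseline."""
    counts = Counter()
    for snap in snapshots.values():
        counts.update(snap[field])
    total = len(snapshots)
    return {item for item, seen in counts.items() if seen / total > threshold}


def diff_against_baseline(snapshots, fields=("ports", "procs"), threshold=0.5):
    """Return {instance: {field: {"extra": set, "missing": set}}} for every
    instance that deviates from the baseline in at least one field."""
    findings = {}
    for field in fields:
        base = baseline(snapshots, field, threshold)
        for inst, snap in snapshots.items():
            extra, missing = snap[field] - base, base - snap[field]
            if extra or missing:
                findings.setdefault(inst, {})[field] = {"extra": extra, "missing": missing}
    return findings


def triage_order(findings):
    """Instances sorted by number of deviations (most first), then by id."""
    def deviations(fields):
        return sum(len(d["extra"]) + len(d["missing"]) for d in fields.values())
    return [inst for inst, _ in sorted(findings.items(), key=lambda kv: (-deviations(kv[1]), kv[0]))]


if __name__ == "__main__":
    found = diff_against_baseline(SNAPSHOTS)
    for inst in triage_order(found):
        print(inst, found[inst])
```

Extra items (an unexpected listener or process) and missing items (an agent that was stopped) both surface, which is the point: the tool ranks hosts for a human, it does not decide compromise on its own.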

Why I had my Software Architecture students design a mobile banking app.
Banks Freed From Branches Use Mobile Apps to Go After Customers
U.S. Bancorp this week was the latest to say it will build a nationally available checking-account product as lenders introduce mobile offerings that let consumers do their full banking without a branch. The move follows similar announcements by some of the country’s largest banks including JPMorgan Chase & Co., Citigroup Inc. and PNC Financial Services Group Inc.

The “fake news” concept seems to be catching on. Definitions seem to vary a bit.
Egypt targets social media with new law
Egypt’s parliament has passed a law giving the state powers to block social media accounts and penalize journalists held to be publishing fake news.
Under the law passed on Monday social media accounts and blogs with more than 5,000 followers on sites such as Twitter and Facebook will be treated as media outlets, which makes them subject to prosecution for publishing false news or incitement to break the law.

Perspective. Holy Mackerel! It’s not an error, it’s a message from God?
Why Is Google Translate Spitting Out Sinister Religious Prophecies?
Type the word “dog” into Google Translate 19 times, request that the nonsensical message be flipped from Maori into English, and out pops what appears to be a garbled religious prophecy.
“Doomsday Clock is three minutes at twelve,” it reads. “We are experiencing characters and a dramatic developments in the world, which indicate that we are increasingly approaching the end times and Jesus' return.”

I still don’t get it.