Saturday, January 05, 2019

It seems there are always people who didn’t get (or understand) the word.
Suzanne Perez Tobias reports:
At least three employees of Wichita State University did not receive their paychecks recently after they were targeted by computer hackers.
The employees were victims of an e-mail phishing scheme, which asked them to type in their university ID number and password, allowing scammers to access bank account numbers, student records and other personal information, according to university officials.

I doubt we’ll have election security by 2020. This article mentions a few of the problems we have already seen.
HR1 Bill Includes Provisions to Improve U.S. Election Security
The Democrat-controlled House of Representatives has unveiled its first Bill: HR1, dubbed the 'For the People Act'. It has little chance of getting through the Republican-controlled Congress, and even less chance of being signed into law by President Trump.
Nevertheless, HR1 lays down a marker for current Democrat intentions; and it is likely that some of the potentially bi-partisan elements could be spun out into separate bills with a greater chance of progress.
One of these is likely to include the section on election security.
… Concerns began in late August 2016, when security researcher Logan Lamb discovered registration details for 6.7 million Georgia voters were being held in a publicly accessible database. This data included voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.
… What made the situation worse was that when the database was eventually taken down, the log details were deleted. As a result, it is impossible to discover whether anyone other than Logan Lamb also accessed the database.
… Two days before the election it was reported that the online voter registration database was unsecured and vulnerable.

Another good “bad example” for my students.
Fewer Affected in Marriott Hack, but Passports a Red Flag
Fewer Marriott guest records than previously feared were compromised in a massive data breach, but the largest hotel chain in the world confirmed Friday that approximately 5.25 million unencrypted passport numbers were accessed.
The compromise of those passport numbers has raised alarms among security experts because of their value to state intelligence agencies.
The hackers accessed about 20.3 million encrypted passport numbers. There is no evidence that they were able to use the master encryption key required to gain access to that data.
Unencrypted passport numbers are valuable to state intelligence agencies because they can be used to compile detailed dossiers on people and their international movements. [Suggesting that the encryption yields the same number every time, so it can be used to track my movement. Bob]
When the Bethesda, Maryland, hotel chain initially disclosed the breach in November, the company said that hackers compiled stolen data undetected for four years, including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.
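Bob's bracketed point above is about linkability, not decryption: if the stored form of a passport number is deterministic (same number, same key, same stored value every time), anyone holding the table can reconstruct a traveler's trail of hotels and dates without ever recovering the key. The following is an added example, not code from the article or from Marriott's systems; the key, the reservation rows and the two toy HMAC-based schemes are constructed stand-ins for illustration only.

```python
import hmac
import hashlib
import os
from collections import defaultdict
from typing import Optional

# Constructed demo key; stands in for the "master encryption key" the article mentions.
KEY = b"constructed-demo-key-not-a-real-secret"


def deterministic_token(passport: str) -> str:
    """Models a deterministic scheme: the same passport number always maps to the
    same stored value. (A keyed HMAC is used here only to get that property.)"""
    return hmac.new(KEY, passport.encode(), hashlib.sha256).hexdigest()[:16]


def randomized_token(passport: str, nonce: Optional[bytes] = None) -> str:
    """Toy randomized scheme: a fresh 16-byte nonce per record, keystream derived
    from HMAC(key, nonce). Same passport number -> different stored value each time."""
    nonce = os.urandom(16) if nonce is None else nonce
    stream = hmac.new(KEY, nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(passport.encode(), stream))
    return nonce.hex() + ":" + ct.hex()


def decrypt_randomized(token: str) -> str:
    """The legitimate holder of KEY can still recover the number (nonce is stored alongside)."""
    nonce_hex, ct_hex = token.split(":")
    stream = hmac.new(KEY, bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(bytes.fromhex(ct_hex), stream)).decode()


# Constructed reservation rows: (plaintext passport number, hotel, arrival date).
RAW_STAYS = [
    ("P1234567", "Hotel A, Paris", "2017-03-02"),
    ("P1234567", "Hotel B, Berlin", "2017-06-14"),
    ("P9999999", "Hotel C, Tokyo", "2018-01-20"),
    ("P1234567", "Hotel D, Dubai", "2018-09-05"),
]


def build(scheme):
    """Produce the stored table: passport column replaced by the scheme's output."""
    return [(scheme(pp), hotel, date) for pp, hotel, date in RAW_STAYS]


def trails_without_key(rows):
    """What someone holding only the stored table can do: group stays by the stored
    passport field. Returns every token that links two or more stays."""
    by_token = defaultdict(list)
    for tok, hotel, date in rows:
        by_token[tok].append((hotel, date))
    return {tok: sorted(v) for tok, v in by_token.items() if len(v) > 1}


if __name__ == "__main__":
    # Deterministic storage: one token links three stays -> a movement dossier, no key needed.
    print("deterministic:", trails_without_key(build(deterministic_token)))
    # Randomized storage: every row has a distinct token -> nothing to link.
    print("randomized:   ", trails_without_key(build(randomized_token)))
```

The deterministic table links three of the four stays to one traveler with no key at all, which is exactly the tracking concern; the randomized table links nothing, yet the key holder can still decrypt each row.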

More Americans are using ride-hailing apps
The share of Americans who use ride-hailing services has increased dramatically. Today, 36% of U.S. adults say they have ever used a ride-hailing service such as Uber or Lyft, according to a Pew Research Center survey conducted in fall 2018. By comparison, just 15% of Americans said they had used these services in late 2015, and one-third had never heard of ride-hailing before.

As a fan of Science Fiction I can tell you it makes it easier to understand the potential of new technologies.
Science fiction writers are professional future-dreamers, imagining worlds far beyond their own. With technology advancing at astronomical rates, real life feels more and more like sci-fi every day (for better or worse). So it’s fun to look back at those writers who, decades and even centuries ago, imagined what life would be like now—and some of their predictions were surprisingly accurate.

Friday, January 04, 2019

If (when) this happens here, will we get a GDPR-like law?
German politicians' data published online, Merkel unaffected
Personal data and documents from hundreds of German politicians and public figures have been published online, the government said on Friday, adding that no sensitive material from Chancellor Angela Merkel’s office was released.
An Interior Ministry spokesman declined to confirm that the data breach, which triggered an emergency meeting of the national cyber defense body, was the result of a hack.
… If the data release does stem from a hack, it would be the latest in a number of hi-tech assaults on Germany’s political institutions and key individuals.
Last year, lawmakers said a powerful cyber attack breached the foreign ministry’s computer network.
Security officials have blamed most previous attacks on a Russian hacking group APT28 that experts say has close ties to a Russian spy agency.

I’m still not convinced, but I’m getting closer to convinced.
The case for why Big Tech is violating antitrust laws
Big Tech is behaving badly. And I'm not talking about Facebook handing over your personal data to the highest bidder or Amazon playing puppeteer in its HQ2 charade. Big Tech is violating the Sherman Act of 1890.

A true treasure, but finding gems among the stones is difficult.
New Out-of-Copyright Works and Where to Find Them
Fortune: “As for getting your hands (or smartphones, e-readers, etc.) on the works themselves, websites are highlighting some of the best cultural goodies. These include Duke University’s Center for the Study of the Public Domain, which has a list of prominent 1923 books (such as Kahlil Gibran’s The Prophet), films (The Pilgrim by Charlie Chaplin) and songs (“Yes, We Have No Bananas!”). Meanwhile, a scholarly repository known as the Hathi Trust has made over 50,000 titles from 1923 available: You can also find the newly-available works on non-profit sites like Project Gutenberg and the Internet Archive, or on Google Books’ website and via the company’s Books app, which lets Android users download the books to their phones or tablets. On Amazon’s Kindle service, the 1923 works do not yet appear to be available for free, though many other public domain works can be found there for free or less than $1. This is just the beginning. The first of January, 2020, will see another bonanza of works enter the public domain, including famous novels like F. Scott Fitzgerald’s The Great Gatsby…”

I thought we had finished with this years ago.
For-profit college cancels $500M in student debt after fraud allegations
The settlement stems from allegations that Career Education Corporation lied about job placement rates and misled prospective students.
A company that owns two national for-profit college chains said Thursday that it will erase nearly $500 million in debt incurred by former students as part of a settlement with 48 states and the District of Columbia.
The deal with Career Education Corporation will resolve allegations that it lied about job placement rates and misled potential students to get them to enroll. State attorneys general began investigating the company in 2014 following complaints from students and a damning report by the U.S. Senate.
Company officials on Thursday said they deny any wrongdoing but called the settlement an "important milestone."
… Based in Schaumburg, Illinois, the company enrolls about 34,000 students across two chains, Colorado Technical University and American InterContinental University. More than 90 percent of its students are enrolled through online courses, according to the company.

Thursday, January 03, 2019

Has the fear of Cyberwar finally got their attention?
The Yomiuri Shimbun reports:
From April at the earliest, the government will ask operators of crucial infrastructure (see below) such as power and water suppliers to store their electronic data on servers located in Japan, as part of security measures against the threat of cyberwar.
The measure is aimed at protecting information indispensable for the security of people’s lives and for industrial competitiveness, with an eye on possible cyber-attacks by China and other countries.
Read more on The Japan News.

Some timely resources for my Computer Security students.
Eli Richman reports:
Email phishing attacks, ransomware attacks and attacks against connected medical devices are among the greatest cyberthreats that health systems need to protect against, according to new cybersecurity guidance for health systems from the Department of Health and Human Services.
Released last week, the Health Industry Cybersecurity Practices were released to help the industry identify ways to reduce its risk from cyberthreats. The result of a two-year effort between HHS and private entities, the guidance fulfills a mandate of the Cybersecurity Act of 2015.
Read more on Fierce Healthcare.
The main guidance is embedded below the following links, but also see:

Companies are being paid to gather the DNA needed to identify Jack the Ripper (assuming we have any of his DNA)
The Future of Crime-Fighting Is Family Tree Forensics
In April, a citizen scientist named Barbara Rae-Venter used a little-known genealogy website called GEDMatch to help investigators find a man they’d been looking for for nearly 40 years: The Golden State Killer. In the months since, law enforcement agencies across the country have flocked to the technique, arresting a flurry of more than 20 people tied to some of the most notorious cold cases of the last five decades. Far from being a forensic anomaly, genetic genealogy is quickly on its way to becoming a routine police procedure. At least one company has begun offering a full-service genetic genealogy shop to law enforcement clients. And Rae-Venter’s skills are in such high demand that she’s started teaching her secrets to some of the biggest police forces in the US, including the Federal Bureau of Investigation.

For my Enterprise Architecture students.
Data Science: What to Expect in 2019
Data science is rapidly changing. New advances in AI and machine learning mean that data can be applied in brand new ways, and in unprecedented modeling systems, to do much more than was possible just a few years ago. The cloud is also ushering in a new era of data science by making software more portable and versatile.
Techopedia asked the experts what we might see in the year ahead. Here’s some of what’s likely to come our way in 2019.

For me? Sounds interesting.
Digital Data Flows Masterclass: Emerging Technologies
Digital Data Flows Masterclass is a year-long educational program designed for regulators, policymakers, and staff seeking to better understand the data-driven technologies at the forefront of data protection law & policy. The program will feature experts on machine learning, biometrics, connected cars, facial recognition, online advertising, encryption, and other emerging technologies.
Sign up to receive email updates.
Visit the Digital Data Flows Masterclass Archive to view the relevant curriculum materials and resources for previous classes:

No doubt available in public kiosks (confessionals) provided by the ever caring Big Brother.
Could AI counselling be the future of therapy?
Charities are considering switching to so-called ‘woebots’ to meet the growing demand for mental health treatment
[The last line of this article is terrifying: “Have you tried switching your husband off and on again?”]

China would love it. Is that sufficient reason to drop restrictions?
U.S. Plan to Restrict AI Exports Could Backfire
Right now, the position of world leader in artificial intelligence is up for grabs — but soon, it could be out of the United States’s reach.
… industry insiders worry that proposed rules limiting or even outright banning the export of American AI services and technologies will prevent the nation from dominating the global AI industry. And that wouldn’t just hurt the U.S. economy — it could also jeopardize the nation’s security.
On November 19, the U.S. Department of Commerce published a proposal listing various types of AI software that it thinks could benefit from export restrictions
… According to the proposal, the purpose of the restrictions would be to bolster the U.S.’s national security — after all, AI has many potential military uses, so why would the U.S. want to put that technology in the hands of nations such as China or North Korea?

Norway's electric cars zip to new record: almost a third of all sales
Almost a third of new cars sold in Norway last year were pure electric, a new world record as the country strives to end sales of fossil-fueled vehicles by 2025.
In a bid to cut carbon emissions and air pollution, Norway exempts battery-driven cars from most taxes and offers benefits such as free parking and charging points to hasten a shift from diesel and petrol engines.

Congratulations China. I hope the US goes back to the moon some day.
China's lunar probe makes history with first-ever landing on far side of the moon

This won’t work for long. After all, it’s a guide to fixing these problems.
AI can generate fake faces now. Here’s how to spot them
… AI-generated faces bear some telltale signs. This week, computational artist Kyle McDonald published a guide on how to identify a fake. These tips probably won’t be reliable forever, and they’re certainly not applicable to every picture—some generated images are extraordinarily convincing. But every little bit of information helps.

It’s a good day for free stuff.
How to Find, Download, and Borrow Books from the Internet Archive
On Tuesday hundreds of thousands of works entered the public domain. That includes early movies, pictures, early audio recordings, and many pieces of literature. Many of those works are available through the Internet Archive. The Internet Archive offers millions of texts that can be borrowed and/or downloaded for free. In the following video I demonstrate how you can borrow ebooks and download ebooks through the Internet Archive.

Free stuff from Apple?
Apple has released six exclusive audiobooks just for Apple Books users. Five are classic titles newly narrated by celebrities, while the sixth is a collection of Winnie the Pooh stories as told in the style of Disney. All of them are available for free.

A “free stuff” resource.
O’Reilly Media
Get free book samplers, ebooks, webcasts, tutorials and more

Wednesday, January 02, 2019

Consider yourself (or your selfie) scanned.
Lorraine Bailey reports:
A federal judge ruled Saturday that Google does not violate Illinois privacy laws by automatically creating a face template when Android users upload photos taken on their smartphone to the company’s cloud-based photo service.
Read more on Courthouse News.
[From the article:
“The Seventh Circuit has definitively held that retention of an individual’s private information, on its own, is not a concrete injury sufficient” to establish standing, the 28-page opinion states.
Further, there are no allegations that hackers have stolen the plaintiffs’ information or that there has been other unauthorized access to the Google Photos accounts.
“Plaintiffs cannot show – and do not argue – that Google ‘intruded into a private place’ by receiving photographs of plaintiffs voluntarily uploaded to Google photos” by themselves or others, Judge Chang said.
He added, “Plaintiffs do not offer evidence to dispute that their faces are public – just that their facial biometrics are. This is consistent with Fourth Amendment case law that rejects an expectation of privacy in a person’s face.” (Emphasis in original.)

3 business days to provide notice of a breach.
Josephine Cicchetti of Carlton Fields writes:
Ohio has joined South Carolina in becoming the next state to adopt a variation of the NAIC Insurance Data Security Model Law (“MDL-668”). This legislation makes a number of changes to Ohio’s insurance law, including the addition of a new Chapter 3965, which establishes “standards for data security and for the investigation of and notification to the Superintendent of Insurance of a cybersecurity event” (containing new Sections 3965.01 through 3965.11). Licensees will have one year to come into compliance with the new requirements, with the exception of the third party service provider provisions (Section 3965.02(F)), which have been granted a two-year implementation date.
[From the article:
The law provides an affirmative defense to any tort cause of action that "alleges that the failure to implement reasonable information security controls resulted in a data breach concerning nonpublic information." [See Section 3965.08]. Section 3965.02(J) also states that "a licensee that meets the requirements of this chapter shall be deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework for purposes of Chapter 1354 of the Revised Code.

Economists calculate the true value of Facebook to its users in new study
“Facebook, the online social network, has more than 2 billion global users. Because those users do not pay for the service, its benefits are hard to measure. We report the results of a series of three non-hypothetical auction experiments where winners are paid to deactivate their Facebook accounts for up to one year. Though the populations sampled and the auction design differ across the experiments, we consistently find the average Facebook user would require more than $1000 to deactivate their account for one year. While the measurable impact Facebook and other free online services have on the economy may be small, our results show that the benefits these services provide for their users are large.”

For the next time I teach Statistics.
Seeing Theory – Making statistics more accessible through visualizations
“Seeing Theory was created by Daniel Kunin while an undergraduate at Brown University. The goal of this website is to make statistics more accessible through interactive visualizations.”
Chapters –

Tuesday, January 01, 2019

Should be interesting.
While most people in the U.K. and U.S. might have been preparing for New Year’s Eve celebrations, the hackers known as thedarkoverlord had their own plans for the evening, and their plans seemed to involve spoiling the plans of a number of corporate executives on both sides of the Atlantic.
Earlier in the day, the hackers, whose past hacks and extortion demands have been covered extensively on this site, announced that a law firm hack earlier in 2018 that had not garnered much notice had been one of their hacks. That hack, they claim, had reportedly given them access to files from major insurers such as Hiscox Group and Lloyd’s of London.
But it was in poring through the files they obtained that the hackers realized that they had acquired a treasure trove of files concerning the World Trade Center attacks and post-attack litigation. And as you might expect with such complex litigation involving subrogation, there were files containing Sensitive Security Information “from the likes of the FBI, CIA, TSA, FAA, DOD, and others.”
By the time they were done pillaging, thedarkoverlord had acquired what they described as 18,000 files relating to the litigation.
Consistent with their past methods, thedarkoverlord claims that they had offered to keep the files out of the public’s eye if their victim paid them. And the victim did pay, they say, but as in the Larson Studio case, the victim then allegedly cooperated with law enforcement, which thedarkoverlord viewed as a breach of their contract. When the victim was unwilling to pay an additional penalty, thedarkoverlord went public with a sample of files, a new Twitter account (@tdo_h4ck3rs) to tweet out some files, and some threats.

A good backgrounder for my students. (Have someone read this to a Congressman)
Artificial intelligence can’t save us from human stupidity | Editorial
Looking over the year that has passed, it is a nice question whether human stupidity or artificial intelligence has done more to shape events. Perhaps it is the convergence of the two that we really need to fear.
… It is possible to make them represent their reasoning in ways that humans can understand. In fact, in the EU and Britain it may be illegal not to in certain circumstances: the General Data Protection Regulation (GDPR) gives people the right to know on what grounds computer programs make decisions that affect their future, although this has not been tested in practice. This kind of safety check is not just a precaution against the propagation of bias and wrongful discrimination: it’s also needed to make the partnership between humans and their newest tools productive.

Background for my Computer Security students.

A job my students should consider. (And some skills I have to teach.)
The New (And Misunderstood) Role of the GDPR Data Protection Officer
… Core competencies
Three areas of significant experience are absolute requirements for this position:
  • Knowledge of how GDPR regulations and all applicable national data protection law apply to the organization’s data processing practices;
  • Significant experience with IT security audits and threat assessment; and
  • Strong communication skills across a variety of organizational positions and departments.

Interesting and worth thinking about.
Look Beyond the Regulations to See What 2019 Has in Store for the Privacy Industry
… here are my predictions concerning data privacy in 2019:
The Rise of the CISO and CTO – Privacy is a data issue, and that’s the responsibility of the CTO and sometimes the CISO.
The Data Protection Continuum – Privacy and security will start to be seen as a Data Protection Continuum, with privacy telling you “what” is important and “why,” and security telling you “how” to protect it.
Privacy vs. Data Industrial Complex – In 2019, organizations will recognize they need to be concerned about the private data they hold – even if they themselves don’t intend to monetize it.
Growth of Data Privacy Automation – People will realize that automation at the data layer is the only feasible way to ensure continuous compliance related to data privacy laws. [This is why I changed so many of my lectures on Security and Software Architecture. Bob]

Perspective. The Luddites of 2019?
Wielding Rocks and Knives, Arizonans Attack Self-Driving Cars
… “They didn’t ask us if we wanted to be part of their beta test,”
At least 21 such attacks have been leveled at Waymo vans in Chandler, as first reported by The Arizona Republic. Some analysts say they expect more such behavior as the nation moves into a broader discussion about the potential for driverless cars to unleash colossal changes in American society. The debate touches on fears ranging from eliminating jobs for drivers to ceding control over mobility to autonomous vehicles.
“People are lashing out justifiably," said Douglas Rushkoff, a media theorist at City University of New York and author of the book “Throwing Rocks at the Google Bus.” He likened driverless cars to robotic incarnations of scabs — workers who refuse to join strikes or who take the place of those on strike.

If you really, really love movies…

Monday, December 31, 2018

Think of it as a work in progress.
Hackers use a fake wax hand to fool vein authentication security
Vein authentication, a biometric security method that scans the veins in your hand, has been cracked, reports Motherboard. Using a fake hand made out of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, which they claim covers around 95 percent of the vein authentication market. The method was demonstrated at Germany’s annual Chaos Communication Congress.
While imprints of fingerprints can often be left behind on surfaces just by touching them, vein patterns cannot, and are considered to be much more secure as a result.

Is this in time to ensure the 2020 election is influence free?
Measuring the “Filter Bubble”: How Google is influencing what you click
DuckDuckGo Blog: “Over the years, there has been considerable discussion of Google’s “filter bubble” problem. Put simply, it’s the manipulation of your search results based on your personal data. In practice this means links are moved up or down or added to your Google search results, necessitating the filtering of other search results altogether. These editorialized results are informed by the personal information Google has on you (like your search, browsing, and purchase history), and puts you in a bubble based on what Google’s algorithms think you’re most likely to click on. The filter bubble is particularly pernicious when searching for political topics. That’s because undecided and inquisitive voters turn to search engines to conduct basic research on candidates and issues in the critical time when they are forming their opinions on them. If they’re getting information that is swayed to one side because of their personal filter bubbles, then this can have a significant effect on political outcomes in aggregate…
Now, after the 2016 U.S. Presidential election and other recent elections, there is justified new interest in examining the ways people can be influenced politically online. In that context, we conducted another study to examine the state of Google’s filter bubble problem in 2018…”

Facebook is certainly being vilified like they are responsible.
Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites
Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.
Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing that it had violated an earlier F.T.C. consent decree barring it from misleading users about how their information was shared.
But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Mr. Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the F.T.C.

Smart speakers hit critical mass in 2018
... The smart speaker market reached critical mass in 2018, with around 41 percent of U.S. consumers now owning a voice-activated speaker, up from 21.5 percent in 2017.

This was the activity on my blog yesterday. Strange that once again more Russians are reading the blog than anyone else. And why can’t Google identify the country 116 users are connecting from?

Sunday, December 30, 2018

Not sure I would notice if the Denver Post wasn’t being delivered. I canceled my subscription years ago. (Practice for cyberwar?)
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
What first arose as a server outage was identified Saturday as a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.
Technology teams worked feverishly to quarantine the computer virus, but it spread through Tribune Publishing’s network and reinfected systems crucial to the news production and printing process. Multiple newspapers around the country were affected because they share a production platform.

Seems an awful long time to identify a bad card…
Report: Huge CenturyLink outage caused by bad networking card in Colorado
Brian Krebs, a veteran security journalist, posted a copy of a notice sent to CenturyLink’s “core customers” to his Twitter feed Saturday that blamed a card at its data center in Colorado for “propagating invalid frame packets across devices,” causing a series of issues that forced the company to reboot much of its networking equipment. It took CenturyLink more than two days from when it first identified the issues to sound the all-clear on Saturday morning, a period during which 911 services in several states including Washington were down or spotty.
… By the standards of modern cloud service providers, a two-day outage is an eternity. And it’s not clear how a single piece of equipment could cause an outage of such magnitude given the layers of redundancy that cloud providers build into their systems.
An FCC investigation into the outage might turn up some answers, unless CenturyLink is willing to post a more detailed post-mortem on the outage, which is becoming a standard part of incident response.

So why are ‘innocent’ drones coming to Gatwick to die? Something fishy here.
Two drones found at Gatwick airport but still no arrests
Sussex police have found two drones at the perimeter of Gatwick airport but neither is the one responsible for last week’s runway closures and travel chaos, the force’s chief constable has revealed.

Probably cheap.
Wells Fargo is paying $575 million to states to settle fake account claims
Over the past two years, Wells Fargo has faced numerous lawsuits and government investigations stemming from a cascade of business scandals.
On Friday, it took a step to put one batch of accusations behind it.
The bank agreed to pay $575 million to all 50 states and the District of Columbia to settle civil charges related to the bank's fake-accounts scandals.
The agreement, which applies to charges brought by states' attorneys general, follows other fines and settlements Wells Fargo (WFC) has paid out since September 2016. That's when the bank admitted its employees opened as many as 3.5 million fake bank and credit card accounts without customers' knowledge.

Overreaction? If you can’t spend the day texting, perhaps you will vote?
Bangladesh shuts down mobile internet in lead up to election day
Bangladesh's telecoms regulator has ordered mobile operators to shut down high-speed mobile internet services until midnight Sunday, the day of a national election.
… "The decision has been taken to prevent rumours and propaganda surrounding the vote," Zakir Hussain Khan said.
As Bangladeshis get set for Sunday's parliamentary elections, there are fears that violence and intimidation could keep many voters away.
… A spokesman for the RAB, Bangladesh's elite security force, said on Saturday they had arrested eight men for spreading rumours on social media before the poll.

EU approved free software? I use some of them, perhaps I should use more.
In January, the EU starts running Bug Bounties on Free and Open Source Software
… In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
… Here is the list of Software projects and the bug bounties: