Saturday, September 21, 2019

Social engineering works best on employees who have never heard the term.
Toyota Subsidiary Loses $37 Million Due to BEC Scam
… By now, BEC attacks are common all over the world, and are used primarily to target finance and accounting departments. In this case, the BEC scam was simple: a third-party hacker posing as a business partner of the Toyota subsidiary sent emails to members of the finance and accounting department, requesting that funds be sent for payment into a specific bank account controlled by the hacker.
… According to Colin Bastable, CEO of Lucy Security, Toyota should have been on the lookout for just such a scam: “This is the third acknowledged attack on Toyota this year – Australia in February, Japan in March and now the Zavantem, Belgium European HQ of Toyota Boshoku. Once is happenstance, twice is co-incidence but three attacks looks like enemy action.” In fact, says Bastable, “It’s reasonable to assume that Toyota’s global infrastructure has been compromised to some extent.”

Cheaper than recovery from zero, but insurance is clearly a positive indicator for hackers.
Stratford cyberattack costs $75K in bitcoin
The city of Stratford agreed to pay an attacker more than $75,000 worth of Bitcoin in exchange for decryption keys to unlock its information systems following an April cyber attack.
… The city said it has submitted a cyber insurance claim, which should foot most of the bill. The city's deductible is $15,000.
The cyber attack happened on April 14, after an attacker installed malware on six physical servers and two virtual ones. The city didn't return to normal business operations until April 29.
… The city said it has since beefed up its security measures to prevent another attack from happening. [A very common reaction. Bob]

Good rules are enforceable. Not so good rules are wishes.
5 simple rules to make AI a force for good

Perspective. What can we copy?
How the Air Force has reorganized its cyber staff
The service announced Sept. 18 a new information warfare focused organization called 16th Air Force that combines cyber, intelligence, surveillance and reconnaissance, electronic warfare and information operations.
The Air Force also recently rebranded its main communications arm essentially separating traditional IT functions from cyber warfare under the deputy chief of staff for ISR.
While the service had previously previewed the document prior to its official publication, Jamieson provided additional details of the plan. The document itself is classified, but the Air Force passed out an unclassified version that fit on a single tri-fold pamphlet.
The strategy lays out seven areas the service wants to pursue, including:
  • Human capital, meaning the Air Force has to be able to recruit, retain and develop talent in the cyber domain
  • Offensive cyber operations
  • Defensive cyber operations
  • War fighter communications, which includes building a global and resilient command and control grid
  • Emerging technology
  • ISR for and from cyber operations
  • Partnerships

Nothing new beyond journalist taking note.
Silicon Valley is terrified of California’s privacy law. Good.
In a little over three months, California will see the widest-sweeping state-wide changes to its privacy law in years. California’s Consumer Privacy Act (CCPA) kicks in on January 1 and rolls out sweeping new privacy benefits to the state’s 40 million residents — and every tech company in Silicon Valley.
California’s law is similar to Europe’s GDPR. It grants state consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information.

Friday, September 20, 2019

“Look! We did something! All your worries are over!”
Key Senate Panel Approves $250 Million for Election Security
A key Senate panel on Thursday approved $250 million to help states beef up their election systems, freeing up the money after Senate Majority Leader Mitch McConnell came under criticism from Democrats for impeding separate election security legislation.
… Sen. Ron Wyden, D-Ore., who has been outspoken about the need for improved election security, called the proposal a “joke” and an effort by McConnell to “desperately” get the issue to go away.
“This amendment doesn’t even require the funding be spent on election security — it can go for anything related to elections,” Wyden said in a statement. “Giving states taxpayer money to buy hackable, paperless machines or systems with poor cybersecurity is a waste.”

Good luck!
How to erase your personal information from the internet (it’s not impossible!)
Vox – Your shopping habits, your family members’ names, even your salary is out there for anyone to see. But you can take back control. “…Before you can get a handle on digital privacy, you first have to understand what is out there. Start by Googling yourself with your browser in private or “incognito” mode — which prevents some tracking and autofilling from your own internet use — and look for social media profiles and data brokers. (Google and its popular Chrome browser hold a wealth of data, too.) This will allow you to see what a stranger would find if they began looking for your information online. For most of us, social media profiles populate the first few search results on Google. Next, find the data brokers. These companies scrape information from public records and compile it into a database. Then, as the name might suggest, they sell it. (This is technically legal, though shady.) Oftentimes, they’ll have things like your birthday, phone number, home address, salary, as well as names of neighbors and family members. This information can be used to hack into other online accounts by giving people hints on how you might answer security questions. Popular brokers include Spokeo, Intelius, BeenVerified, Whitepages, MyLife, and Radaris, but you can find many others on privacy company and reputation management firm Abine’s free library. This audit won’t be comprehensive. Rob Shavell, Abine’s chief executive, says that when his company was founded in 2012, employees removed about 1,000 pieces of information per customer over a two-year period. Today, that number has reached 1,900. This amount of information is too much for the average person to comprehend or completely erase — but you can certainly make it harder for others to find by getting it off common websites…”

When you can’t do one thing, do another thing. It’s all techno-gibberish, so no one sees it.
Allegations of Google’s Hidden Web Tracking Pages Raise New Privacy Concerns
… The details of Google’s hidden web tracking system to serve personalized ads were outlined by Brave’s Chief Policy Officer, Dr. Johnny Ryan, who has been campaigning very publicly against Google for the past year. [So, perhaps a bit of bias? Bob]
… when users opt out of allowing tracking cookies, that’s when the task of serving up personalized ads becomes much more difficult.
So, as might be expected, Google has come up with a workaround for this problem. According to Brave, Google still creates unique identifiers for each web user linked to their browsing activity – but instead of sending this information directly to advertisers as part of bid requests, it creates an elaborate network of hidden web pages that advertisers can log into instead. Once they are logged in, they can then grab this personally identifiable information and match it with any information they already have about the user in order to create very sophisticated advertising profiles and decide how much to bid. But there’s just one problem with this indirect form of web tracking – it’s not GDPR-compliant.

Like all laws, this one will have law breakers.
A facial recognition ban is coming to the US, says an AI policy advisor
MIT Technology Review: “San Francisco and Oakland, California, and Somerville, Massachusetts, have outlawed certain uses of facial recognition technology, with Portland, Oregon, potentially soon to follow. That’s just the beginning, according to Mutale Nkonde, a Harvard fellow and AI policy advisor. That trend will soon spread to states, and there will eventually be a federal ban on some uses of the technology, she said at MIT Technology Review’s EmTech conference. Which uses will face a ban is not yet clear: while some cities have banned use by police departments, Portland’s focus is restricting use by the private sector. And the debate is not confined to the US. In the UK, there is growing concern over the use of live facial recognition after it emerged that a property developer had been collecting images of people’s faces in an area of London for two years without informing them. We still don’t know how that data was used, Daragh Murray, a human rights lawyer at the University of Essex, said on stage. “There will be legal challenges, and there will eventually be regulation,” he predicted…”

New Biometrics
This article discusses new types of biometrics under development, including gait, scent, heartbeat, microbiome, and butt shape (no, really).

Can I use this information to avoid celebrity? A podcast!
Why Being a Celebrity Is Big Business
… “When the photograph became something anyone could buy, everyone who wanted to be famous made sure they were photographed.”
... “No one group controls the narrative. No one group controls the outcome. That’s part of the reason we’re so engaged. We don’t know how it’s going to turn out.”

Less control than Facebook, wider coverage than dirt.
The Internet of Things Is Still a Privacy Dumpster Fire, Study Finds
… The full study, a joint collaboration between Northeastern University and Imperial College London took a closer look at 81 popular smart TVs, streaming dongles, smart speakers, and video doorbells made by vendors including Google, Roku, and Amazon.
The results aren’t comforting: the majority of the devices collected and shared information including your IP address, device specs (like MAC address), usage habits, and location data. That data is then shared with a laundry list of third parties, regardless of whether the user actually has a relationship with those companies.
“Nearly all TV devices in our testbeds contact Netflix even though we never configured any TV with a Netflix account,” the researchers said.

California's IoT Security Law Causing Confusion
The law, which goes into effect January 1, requires manufacturers to equip devices with 'reasonable security feature(s).' What that entails is still an open question.

Gambling on lawsuits. Is this the best possible use for AI in the legal field?
This young litigation finance startup just secured $100 million to chase cases it thinks will win
… What is litigation finance? In a nutshell, the idea is to fund plaintiffs and law firms in cases where it looks like there will be a winning ruling. When everything goes the right way, the capital that helps fund the lawsuits is returned — and then some — in return for the risk taken. Litigation finance firms — and there’s a growing number of them — basically want to estimate as accurately as possible the risk involved so they can bet on the right horses.
Interestingly, one of the newest entrants onto the scene wasn’t founded by career attorneys or spun out of a hedge fund or private equity group. Instead it’s a young, 11-person company called Legalist that’s run by a 23-year-old Harvard dropout named Eva Shang, who co-founded the company with her college classmate Christian Haigh, who also dropped out.

New White Paper Explores Privacy and Security Risk to Machine Learning Systems
The Future of Privacy Forum (FPF) released a white paper, WARNING SIGNS: The Future of Privacy and Security in an Age of Machine Learning, exploring how machine learning systems can be exposed to new privacy and security risks, and explaining approaches to data protection.

A podcast.
Doctor Bot: How artificial intelligence is already changing healthcare, and what’s coming next
Artificial intelligence is at the center of many emerging technologies today, and perhaps nowhere are the implications more meaningful than in healthcare.
So where is AI making an impact in healthcare today? What will the future bring, and how should healthcare providers and technologists get ready?
On the Season 4 premiere of GeekWire’s Health Tech Podcast, we address all of those questions with three guests: Linda Hand, CEO of Cardinal Analytx Solutions, a venture-backed company that uses predictive technology to identify people at high risk of declining health, and match them with interventions; Colt Courtright, who leads Corporate Data & Analytics at Premera Blue Cross; and Dr. David Rhew, Microsoft’s new chief medical officer and vice president of healthcare.
… Implications for data and privacy
Hand: I think we have a really inconvenient relationship with privacy. Everybody wants to keep their stuff private, but everybody wants the benefit of having the insights from using everybody else’s data. There’s just a huge disconnect there.
Rhew: It’s very important to be proactive on this because once the information moves outside of the medical record into the individual’s phone, it’s no longer under the context or umbrella of HIPAA. They can do what they want with that. Now we’re talking about the Wild West in terms of how data can be used and moved around. We have to really start thinking proactively about how do we put those safeguards in without being too restrictive at the same point.
Courtright: I think we are in an inflection point where we are being forced to grapple with these kinds of considerations. The Privacy and Security Standards that have governed what I would call the traditional actors in healthcare — the health plans and the providers — will remain the same. The shift is really to say the member owns their medical record. The member should be able to control that, and use it, place it where they would like it.

Teasing an interesting series?
The Artificial Intelligence Apocalypse (Part 1)
Is It Time to Be Scared Yet?

50 Trillion Calculations per Second in the Palm of Your Hand—Data Sheet
The number of transistors packed onto a modern chip inside your phone or PC runs into the billions but it’s still sometimes amazing to comprehend the computing power you can easily hold in the palm of your hand. When I met Intel vice presidents Gadi Singer and Carey Kloss on Wednesday, they showed me a new circuit board the company has created for speeding up artificial intelligence apps.
The board is the size of an SSD drive, made to plug into a standard PC or server. The Nervana chip at its heart is no bigger than a quarter. But it can perform some 50 trillion operations per second and greatly speed up the job of an A.I. program that has already been trained as it makes inferences such as identifying objects in photos.

For me and my geeks.
Microsoft: We want you to learn Python programming language for free
Microsoft has launched a new 44-part series called Python for Beginners on YouTube, consisting of three- to four-minute lessons from two self-described geeks at Microsoft who love programming and teaching.
The course isn't quite for total beginners as it assumes people have done a little programming in JavaScript or played around with the MIT-developed Scratch visual programming language aimed at kids.
But it could help beginners kick-start ambitions to build machine-learning apps, web applications, or automate processes on a desktop.
Microsoft has published a page on GitHub containing additional resources, including slides and code samples to help students become better at Python.

Thursday, September 19, 2019

Responding to attacks is Okay. Preventing them by requiring adequate security would be better.
Schumer calls for federal response to school cyberattacks
U.S. Sen. Charles Schumer Wednesday called on Congress and the Federal Bureau of Investigation to help school districts and other local government bodies threatened by increasingly common and sophisticated cyberattacks.
The issue has put school districts across New York on guard, particularly after the Syracuse City School District was hit with ransomware earlier this year. The district ended up paying a $50,000 insurance premium [??? Bob] to free itself, Schumer said.
“It’s a threat that’s wreaking havoc on our state and more specifically our schools,” he said. “It’s time to hit ‘control-alt-delete’ on ransomware and take a megabyte out of hackers.” [Trying to sound like a techie? This fails miserably. Bob]
He put forward two proposals. The first is a bill called the Department of Homeland Security Cyber Incident Response Teams Act, which already has passed the House of Representatives. It would create specific teams within DHS to assist local government with cyberattacks.
Schumer also said the FBI should be more active in targeting attacks at their source, often out of the country. State bureau offices, meanwhile, would investigate specific incidents and report back to various levels of government.

(Related) How they do it in the UK.
NCSC urges UK universities to shield themselves from possible cybersecurity threats

Question: Is a private corporation the way facial recognition should go?
(license plate:cars=face:people)
This Company Built a Private Surveillance Network. We Tracked Someone With It
I gave the private investigator, who offered to demonstrate the capability, a plate of someone who consented to be tracked.
The results popped up: dozens of sightings, spanning years. The system could see photos of the car parked outside the owner's house; the car in another state as its driver went to visit family; and the car parked in other spots in the owner's city. Each was tagged with the time and GPS coordinates of the car. Some showed the car's location as recently as a few weeks before. In addition to photos of the vehicle itself, the tool displayed the car's accurate location on an easy to understand, Google Maps-style interface.
This tool, called Digital Recognition Network (DRN), is not run by a government, although law enforcement can also access it. Instead, DRN is a private surveillance system crowdsourced by hundreds of repo men who have installed cameras that passively scan, capture, and upload the license plates of every car they drive by to DRN's database. DRN stretches coast to coast and is available to private individuals and companies focused on tracking and locating people or vehicles. The tool is made by a company that is also called Digital Recognition Network.

Read the Privacy Commissioner’s Submission to the New Zealand Law Commission on the Use of DNA in Criminal Investigations (Issues Paper 43). You can view it here. Here’s a snippet:
1.18. In my view, a legitimate reason needs to be articulated for the State to collect and retain the DNA profiles of some people and not others. The incremental changes to the CIBS Act implemented over time mean there is a risk that the scheme has become a de facto databank of those citizens who have come to the attention of the Police for a variety of reasons (whether through being charged with an offence, being excluded as a suspect, being present in crime scene DNA analysis, or as a victim).
1.19. Function creep can intensify privacy intrusions and erode trust and confidence. Without proper safeguards there is a clear risk of gradual “creep” if DNA gathered for one law enforcement purpose ends up being used for a broader range of purposes than originally articulated or intended.
1.20. There appears to be a real risk of discriminatory impacts. As the Issues Paper notes, this has significant implications for Māori who are over-represented in the justice system. The DNA held in the databank is an available source for the investigation of future offences, regardless of the purpose for which it was originally collected.

After all, 100 billion flies can’t be wrong – eat garbage!
Poll: Two-thirds of Americans want to break up companies like Amazon and Google
Vox: “Americans are pretty on board with breaking up Big Tech, especially if it means companies such as Amazon and Google stop showing them search results they make money off of first. Nearly two-thirds of Americans would support breaking up tech firms by undoing recent mergers, such as Facebook’s acquisition of Instagram, if it means ensuring more competition in the future. Another tech company issue appears to strike a chord with people even more: Almost seven in 10 Americans say it’s a good idea to break up big tech companies when the content they’re showing people is ranked depending on whether the company is making money off of it or not. Basically, when you search for a suitcase to buy on Amazon, it might show you options from its proprietary AmazonBasics line instead of from a company it doesn’t own. That’s according to polling from progressive think tank Data for Progress in partnership with YouGov Blue shared exclusively with Vox. And the results hold across most age groups, education levels, demographics, and political ideologies …”

Perspective. A phone that is just a phone! What a concept!
A No-Internet, Just-For-Kids Cell Phone Is Here, and It's Every Parent's Dream
Much to our chagrin, it seems like the age where kids get their first cell phone is skewing younger by the day. And while it's important that we're able to reach our children after soccer practice, do they really need access to the internet on top of all the other bells and whistles? According to Stephen Dalby - a dad from Palo Alto, CA, and the founder and CEO of Gabb Wireless - the answer is no.
… geared toward kids ages 8 to 14
Your kids can communicate with their loved ones freely via call or text, sans unlimited internet access and an app store.

I always talk about a book called “How to lie with statistics”
How juries are fooled by statistics
TED Talk – “Oxford mathematician Peter Donnelly reveals the common mistakes humans make in interpreting statistics — and the devastating impact these errors can have on the outcome of criminal trials.”

Wednesday, September 18, 2019

When will we start taking election security seriously? They talk about old hardware. They should be concerned about the data!
Two computers stolen from Atlanta polling site contain statewide voter data
Two computers containing statewide voter data were stolen from an Atlanta polling site on Tuesday ahead of a vote for a city school board election.
The Atlanta Journal-Constitution reports the computers were used to check in voters and contained names, addresses, birthdates and driver’s license information for every voter in the state, but not social security numbers, according to Fulton County elections director Richard Barron.
Officials said the burglary did not impact the election Tuesday in any way.
Barron noted that the stolen equipment can’t be used for other purposes as they do not connect to the internet.
… “A Palm Pilot from 2000 is probably more sophisticated than those things. They’re pretty primitive pieces of equipment.”

Experts Warn of Voting Machine Vulnerabilities in N.C.
At a recent meeting in Greensboro, N.C., a cybersecurity expert told an emergency meeting of the NAACP that even the newest era of voting machines can be vulnerable to reprogramming by hackers.

Least common denominator level. No excuses for falling below this level.
NIST Releases Preliminary Draft of Privacy Framework
The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) has now released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework. Comments are due by 5:00 p.m. ET on October 24, 2019.

Order from chaos.
The Seven Patterns Of AI
From autonomous vehicles, predictive analytics applications, facial recognition, to chatbots, virtual assistants, cognitive automation, and fraud detection, the use cases for AI are many. However, regardless of the application of AI, there is commonality to all these applications. Those who have implemented hundreds or even thousands of AI projects realize that despite all this diversity in application, AI use cases fall into one or more of seven common patterns.
  • The Hyperpersonalization Pattern: Treat each customer as an individual
  • The Autonomous Systems Pattern: Reducing the need for manual labor
  • AI-powered predictive analytics
  • The Conversational Pattern: Machines that can communicate as humans do
  • Identifying patterns and anomalies with AI
  • Machines that can recognize the world: The Recognition Pattern
  • Solving the puzzle: The Goal-Driven Systems Pattern
While these might seem like discrete patterns that are implemented individually in typical AI projects, in reality, we have seen organizations combine one or more of these seven patterns to realize their goals. Thinking of AI projects in terms of these patterns will help companies better approach, plan, and execute AI projects.

Worth teaching our students to score high?
LinkedIn launches skills assessments, tests that let you beef up your credentials for job hunting
LinkedIn will now offer a new feature called Skills Assessments: short, multiple-choice tests that users can take to verify their knowledge in areas like computer languages, software packages and other work-related skills.
… First up are English-language tests covering some 75 different skills, all free to take.

Tuesday, September 17, 2019

How secure was the security that was breached? Why wait so long to take action?
Exclusive: Russia carried out a 'stunning' breach of FBI communications system, escalating the spy game on U.S. soil
On Dec. 29, 2016, the Obama administration announced that it was giving nearly three dozen Russian diplomats just 72 hours to leave the United States and was seizing two rural East Coast estates owned by the Russian government. As the Russians burned papers and scrambled to pack their bags, the Kremlin protested the treatment of its diplomats, and denied that those compounds — sometimes known as the “dachas” — were anything more than vacation spots for their personnel.
Both compounds, and at least some of the expelled diplomats, played key roles in a brazen Russian counterintelligence operation that stretched from the Bay Area to the heart of the nation’s capital, according to former U.S. officials. The operation, which targeted FBI communications, hampered the bureau’s ability to track Russian spies on U.S. soil at a time of increasing tension with Moscow, forced the FBI and CIA to cease contact with some of their Russian assets, and prompted tighter security procedures at key U.S. national security facilities in the Washington area and elsewhere, according to former U.S. officials. It even raised concerns among some U.S. officials about a Russian mole within the U.S. intelligence community.
American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams.
These compromises, the full gravity of which became clear to U.S. officials in 2012, gave Russian spies in American cities including Washington, New York and San Francisco key insights into the location of undercover FBI surveillance teams, and likely the actual substance of FBI communications, according to former officials. They provided the Russians opportunities to potentially shake off FBI surveillance and communicate with sensitive human sources, check on remote recording devices and even gather intelligence on their FBI pursuers, the former officials said.
The compromise of FBI systems occurred not long after the White House’s 2010 decision to arrest and expose a group of “illegals” – Russian operatives embedded in American society under deep non-official cover – and reflected a resurgence of Russian espionage.

What does HIPAA say about this?
Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek.
Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.
We identified 187 servers — computers that are used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers and mobile X-ray services.
… “It’s not even hacking. It’s walking into an open door,” said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security.

This is probably the version that becomes law in January.
California Legislature Passes CCPA Amendments and Privacy Bills
Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”). This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020. California Governor Gavin Newsom has until October 13 to sign the bills into law. Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

Target surveillance is Okay. How do I avoid being a target?
Bulk surveillance is unlawful, says the High Court of South Africa
Today, the High Court of South Africa in Pretoria in a historic decision declared that bulk interception by the South African National Communications Centre is unlawful and invalid.

Making smartphones much smarter.
Apple is building a machine learning system to rule them all
This week, Apple is sponsoring the world’s largest spoken language processing conference, Interspeech 2019.
Among other topics (see them all here), Apple will present papers on detecting expression/intent through voice, improving voice recognition, developing more accurate tools to understand speech nuances, using mirroring to build relationships between human users and speech assistants and using tech to optimize speech enhancement.

A handy student guide.
The Constitution Annotated Is Now Easier to Search and Browse
In Custodia Legis: “Constitution Day is [September 17, 2019], but it’s already off to a great start with the release of the Congressional Research Service’s new version of The Constitution of the United States of America: Analysis and Interpretation, better known as the Constitution Annotated. The Constitution Annotated allows you to “read about the Constitution in plain English…providing a comprehensive overview of Supreme Court decisions interpreting the United States Constitution.” The Constitution Annotated is a Senate document created by the Congressional Research Service that makes the Constitution accessible to all Americans, regardless of their background in law. In the past, the web version of this document, which is linked from, consisted of PDFs that could be challenging to search. With this release, the document is available in a more accessible and user-friendly HTML format that is convenient to search and browse…”

Can Blockchain be explained to politicians?
GAO Spotlight – Blockchain & Distributed Ledger Technologies
“The technology that allows Bitcoin and other cryptocurrencies to function could profoundly change the way government and industry do business. Distributed ledger technology allows the secure transfer of digital assets without management by a central authority. Instead, participants share synchronized copies of a ledger that records assets and transactions. Changes are visible to all participants. Questions remain about the technology, including where it may be most useful, how best to regulate it, and how to mitigate its use in illegal activities.”