Saturday, January 11, 2020

Something my Computer Security students must consider: not just disruption of services but massive disclosure of data. Paying the ransom is no guarantee that this is over.
Maze Ransomware Publishes 14GB of Stolen Southwire Files
The Maze Ransomware operators have released an additional 14GB of files that they claim were stolen from one of their victims for not paying a ransomware demand.
In December the Maze Ransomware operators attacked Southwire, a wire and cable manufacturer out of Georgia, and allegedly stole 120GB worth of files before encrypting 878 devices on the network.
Maze then demanded $6 million in bitcoins or they would publicly release Southwire's stolen files.
When Southwire did not make a payment, the Maze operators uploaded some of the company's files to a "News" site that they had created to shame non-paying victims.
This led to Southwire filing a lawsuit against Maze in Georgia courts and asking for an injunction in the courts of Ireland against a web hosting provider who was hosting the Maze news site. This injunction led to the site being taken down and Southwire's stolen data being accessible.
Yesterday, the Maze operators released an additional 14.1GB of stolen files that they claim belong to Southwire on a Russian hacking forum. They further state that they will continue to release 10% of the data every week unless the ransom is paid.

Who do you want elected and by how much?
'Online and vulnerable': Experts find nearly three dozen U.S. voting systems connected to internet
It was an assurance designed to bolster public confidence in the way America votes: Voting machines “are not connected to the internet.”
Then Acting Undersecretary for Cybersecurity and Communications at the Department of Homeland Security Jeanette Manfra said those words in 2017, testifying before Congress while she was responsible for the security of the nation’s voting system.
So many government officials like Manfra have said the same thing over the last few years that it is commonly accepted as gospel by most Americans. Behind it is the notion that if voting systems are not online, hackers will have a harder time compromising them.
But that is an overstatement, according to a team of 10 independent cybersecurity experts who specialize in voting systems and elections. While the voting machines themselves are not designed to be online, the larger voting systems in many states end up there, putting the voting process at risk.
… “We found over 35 [voting systems] had been left online and we’re still continuing to find more,” Kevin Skoglund, a senior technical advisor at the election security advocacy group National Election Defense Coalition, told NBC News.
The three largest voting manufacturing companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — have acknowledged they all put modems in some of their tabulators and scanners. The reason? So that unofficial election results can more quickly be relayed to the public. Those modems connect to cell phone networks, which, in turn, are connected to the internet.

...and changing enterprise architecture.
The Internet of Things Is Changing the World
The Internet of Things has been a long time coming. Ubiquitous or pervasive computing, which is computing happening anytime and anywhere, dates to the 1990s, when devices and wireless networks were nowhere near where they are today.
The transformation brought by connected devices is about to go into overdrive, the Economist says in a recent issue: “One forecast is that by 2035 the world will have a trillion connected computers, built into everything from food packaging to bridges and clothes.”
IoT promises to bring many benefits, including a new generation of smart, connected products. In addition to mechanical and electrical components, these products use digital components such as microprocessors, sensors, data storage, software, and connectivity in a variety of ways.

(Related) Perspective.
About one-in-five Americans use a smart watch or fitness tracker
A fitness tracker can compile a variety of data about the wearer’s activities, depending on the complexity of the device. Users can monitor this data with a corresponding app, where they can manually input additional information about themselves and their lifestyle. As a result, the makers of fitness trackers amass a wealth of data on their users that can be used in many ways. Current privacy policies for many fitness tracking apps allow users’ data to be shared with others. Some researchers are already using data from these apps for health research,

Worth a look.
New Supplemental Materials for INFORMATION PRIVACY LAW Casebooks
I am pleased to announce that Professor Paul Schwartz and I have released new supplemental materials for our INFORMATION PRIVACY LAW casebooks:
(1) edited version of Carpenter v. US

Any indication that this technology is worth the investment?
San Diego’s massive, 7-year experiment with facial recognition technology appears to be a flop
Since 2012, the city’s law enforcement agencies have compiled over 65,000 face scans and tried to match them against a massive mugshot database. But it’s almost completely unclear how effective the initiative was, with one spokesperson saying they’re unaware of a single arrest or prosecution that stemmed from the program.

Part of my Security lectures.
What a Business AI Ethics Code Looks Like
By now, it’s safe to say that artificial intelligence (AI) has established itself in the mainstream, especially in the world of business. From customer service and marketing, to fraud detection and automation, this particular technology has helped streamline operations in recent years.
Unfortunately, our dependence on AI also means that it holds so much of our personal information – whether it’s our family history, the things we buy, places we go to, or even our favourite songs. Essentially, we’re giving technology free access to our lives. As AI continues to develop (and ask for even more data), it’s raising a lot of serious concerns.
The AI code of ethics isn’t meant for the AI itself, but for the people who develop and use said technology. Last year, the UK government published a report that aims to inform the public about its ethical use. All in all, the report can be summarised into five principles:
1. AI must be created and used for the benefit of all.
2. AI should not be used to diminish the data rights or privacy of individuals, families, and communities.
3. AI must operate within parameters understood by the human mind.
4. Everybody has the right to be educated on the nuances of AI.
5. Humans must be able to flourish mentally, emotionally, and economically alongside AI.

Probably not...
Samsung's Neon AI has an ethics problem, and it's as old as sci-fi canon
For decades, ethicists, philosophers and science fiction writers have wrestled with what seems increasingly like an inevitability in the evolution of humankind's technological discovery: The creation of a new species of artificial humanity. What better place for such a species' debutante ball than the Las Vegas consumer electronics frenzy, CES 2020? Enter stage right: The eerily realistic interactive CGI avatar, Neon. It's the literal brainchild of Samsung-funded Star Labs' Pranav Mistry, who also serves as CEO of the company he says is building "the first computerized artificial human."
"Neon is like a new kind of life," Mistry said when unveiling the technology this week at CES. "There are millions of species on our planet, and we hope to add one more."

Friday, January 10, 2020

Probably not just Iran. Probably for far longer than one year.
Iranian Hackers Have Been ‘Password-Spraying’ the US Grid
By all appearances, Iranian hackers don't currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.
On Thursday morning, industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin, and has previously been linked to Iran. Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.
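The distinguishing signature of password spraying is the one the article describes: a few guesses against many accounts, rather than many guesses against one. That difference is what a detection rule can key on. The following is an added example (not code from Dragos, Wired, or the blog author) that runs a sliding-window check over constructed authentication log lines: it flags a source that fails against at least `min_accounts` distinct accounts within `window` while trying each account no more than `max_per_account` times, and then lists any successful logins from that source, which are the accounts to review first. The log format, field names and thresholds are assumptions chosen for the example.

```python
"""Detect password spraying in constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Fields: ISO timestamp, result, account, source IP.
SAMPLE_LOG = """\
2020-01-09T08:00:01 FAIL alice 203.0.113.7
2020-01-09T08:00:03 FAIL bob 203.0.113.7
2020-01-09T08:00:05 FAIL carol 203.0.113.7
2020-01-09T08:00:07 FAIL dave 203.0.113.7
2020-01-09T08:00:09 FAIL erin 203.0.113.7
2020-01-09T08:00:11 FAIL frank 203.0.113.7
2020-01-09T08:00:13 SUCCESS grace 203.0.113.7
2020-01-09T08:01:00 FAIL alice 198.51.100.9
2020-01-09T08:01:05 FAIL alice 198.51.100.9
2020-01-09T08:01:10 FAIL alice 198.51.100.9
2020-01-09T08:01:15 FAIL alice 198.51.100.9
2020-01-09T08:01:20 FAIL alice 198.51.100.9
2020-01-09T08:01:25 FAIL alice 198.51.100.9
2020-01-09T09:30:00 FAIL heidi 192.0.2.44
2020-01-09T09:30:40 SUCCESS heidi 192.0.2.44
"""


def parse_log(text):
    """Parse the assumed four-field log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: {"accounts": n, "failures": m}} for sources whose failures
    within `window` touch many distinct accounts with few tries each.
    A single account hammered many times (brute force) is deliberately NOT flagged
    here; that is a different rule with different thresholds."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                # Keep the latest qualifying window; it has the widest account coverage seen so far.
                alerts[src] = {"accounts": len(per_user), "failures": end - start + 1}
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that logged in successfully from a flagged source: the first ones to review."""
    return sorted({user for _, result, user, src in events
                   if result == "SUCCESS" and src in alerts})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    print("spraying sources:", found)
    print("successful logins from those sources:", successes_after_spray(evs, found))
```

In the constructed data, 203.0.113.7 fails once each against six accounts within seconds and is flagged, while 198.51.100.9 (six failures against one account) is not, because that pattern belongs to a brute-force rule rather than this one. In production the same logic would be fed by the identity provider's or VPN gateway's sign-in events, and the thresholds tuned against normal failure rates for the environment.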

A starting point for my Computer Security students. (And a “be sure to talk about” list for me!)
Nine Cybersecurity Metrics Every CEO Should Track
According to a 2019 survey from The Conference Board of more than 800 international CEOs and 600 C-suite members, cybersecurity is cited as the top external concern. The Conference Board also notes (via CIO Dive) that malicious cyber activity cost the economy up to $109 billion in 2016.
CEOs and boards that seek to meaningfully reduce their risk of experiencing high-impact cyber incidents such as data breaches must invest in a security operations center (SOC) with a primary mandate of delivering enterprisewide threat detection and response. Furthermore, the SOC’s threat detection and response program must be viewed as a business-critical operation, requiring continuous investment, improvement and measurement across the following six interrelated subcomponents: centralized visibility, threat discovery, threat qualification, threat investigation, threat mitigation and incident recovery.
Boards should ask their CEOs — and thus CEOs should ask their CISOs — to provide operational measurement and metrics across these subcomponents with the intent of understanding current operational capabilities and related risks.

Thinking about Privacy! (Action may take a bit longer.)
Four Federal Privacy Trends to Watch in 2020
  • Expansive Definition of Sensitive Data
  • Anti-Discrimination Protections
  • Portability
  • CEO Certification Requirements

State Legislatures Are Off to the Privacy Races, With New Hampshire in the Lead
New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680.

The shoemaker's children go barefoot? Why would any IT manager rely on manual processes?
Top Five Ways to Survive the DSR Deluge and One Thing You Should Never Do
Data breaches and misuse of private information continue to erode consumer trust. In response, companies are pouring resources into implementing security controls to block or restrict access to their data. However, the bigger question looms around how the data is being used and why, and many of these inquiries are coming in the form of Data Subject Requests (DSRs).
What’s more, there are several complexities making the onslaught of DSRs even more challenging. For example, the massive growth in data collection and proliferation has not been accompanied by an equally matched effort in data management and governance.
Regulations like GDPR and CCPA are forcing companies to respond to DSRs and answer consumer concerns over privacy. But achieving compliance requires that companies understand what personal information they have, where it’s located and how it’s being used.
Until now, the basic data inventory process has been a manual one of application data owner surveys and spreadsheets. The Integris Software 2019 Data Privacy Maturity Study found that 77% of respondents were still relying on manual processes to manage sensitive data.
Here are five key ways to solve the data subject rights’ big data problem and one thing you should never do!

Re-architecting the firm. (Not yet at my local library, but I’m watching for it.)
Rethinking Business Strategy in the Age of AI
For the first time in 100 years, new technologies such as artificial intelligence are causing firms to rethink their competitive strategy and organizational structure, say the authors of a new book, Competing in the Age of AI.
John Foley was irritated with his local gym. He was constantly getting elbowed out of his favorite spin classes as other cyclists snapped up spots in sessions led by the most popular instructors.
Foley’s frustration inspired him in 2012 to found Peloton, whose $2,200 stationary bicycles with integrated 21-inch tablet computers have become a fitness sensation. For $39 per month, Peloton offers access to live-streamed classes where members can track their performance on a leader board, virtually connect with fellow classmates, and hear instructors call out their achievements.
Foley transformed a traditional business—the gym—into an $8 billion digital offering that pulled in more than $700 million in revenue during the last fiscal year. Foley credits the magic of today’s technology, including software, data, and communication networks, for the basis of Peloton’s success.
“We see ourselves more akin to an Apple, a Tesla, or a Nest, or a GoPro—where it’s a consumer product that has the foundation of sexy hardware technology and sexy software technology,” he is quoted in a book published today, Competing in the Age of AI: Strategy and Leadership When Algorithms and Networks Run the World.

Maybe I’ll get a JD now that law school is free.
Upending Bankruptcy ‘Myths,’ Judge Erases $220,000 Student Loan Debt
The borrower-friendly ruling comes as bankruptcy judges across the country are growing more sympathetic to discharging student debt
A bankruptcy judge excused a U.S. Navy veteran with a law degree from repaying more than $220,000 in student loan debt, the latest court ruling to lower the barriers to discharging educational debt.
Judge Cecelia G. Morris of the U.S. Bankruptcy Court in Poughkeepsie, N.Y., discharged the law school graduate’s unpaid student loans even though he isn’t disabled or unemployable, saying that satisfying his law school debt in full would impose an undue hardship.

Some supplemental classes for my students. Most are free.
Best Machine Learning Courses

Thursday, January 09, 2020

Not just random servers…
SNAKE Ransomware Targeting Entire Corporate Networks
… SNAKE isn’t the first ransomware that’s directed its focus to entire corporate networks. Back in March 2019, for instance, researchers discovered a new variant of the CryptoMix Clop ransomware family that claimed to target entire networks instead of individual users’ machines. A few months later, the security community learned of a new crypto-ransomware threat called “TFlower” targeting corporate environments via exposed Remote Desktop Services (RDS).
The emergence of SNAKE ransomware highlights the need for organizations to defend themselves against a ransomware infection. They can use these recommendations to prevent a ransomware infection in the first place. They should also consider investing in a solution like Tripwire File Analyzer for the purpose of detecting suspicious files and behavior on the network.

Eventually we will get it right. Unfortunately, I think it will take a major hack to spur us to action.
New “secure” voting machines are still vulnerable—because of voters
A new study of voting machines is spotlighting the “serious risk” that election results can be manipulated because most voters do not check that their ballot is correct, according to new research.
… The research raises questions about hackable computers and post-election audits—two major issues in election cybersecurity—just weeks before the first US primary votes are cast in Iowa on February 3.

Probably won’t eliminate TSA. Does it also detect ‘box cutters’ like those used on 9/11?
Evolv raises $30 million to expedite security screenings with AI
Perhaps the worst thing about air travel is having to wade through congested airport security. Wait times at airports like Salt Lake City International and Washington Dulles regularly exceed half an hour on average, and that’s assuming folks follow TSA instructions.
The founders of Evolv Technology, a Waltham, Massachusetts-based security startup specializing in tech-based screening technology, think they have a better solution: the Evolv Edge and Express. They’re self-contained and portable gates that tap AI, machine learning, and millimeter wave sensors to expedite security screenings in high-traffic places.
It remains unclear how the Edge’s threat detection rates compare to traditional checkpoints. A leaked 2015 TSA report revealed that Department of Homeland Security investigators managed to sneak weapons and fake bombs past airport screeners in an alarming 95% of attempts.

Another view.
From AiThority:
The ‘Navigating the Age of Surveillance’ report uncovers changing consumer attitudes, the rise of third-party tracking and the need for mandated data privacy protection
Winston Privacy, an innovative start-up and makers of the Winston privacy filter, released a new report titled, “Navigating the Age of Surveillance” and results of a national survey revealing consumers’ attitudes about data privacy.
Read more on AiThority.

Have you been waiting for a refrigerator that has this ability? Has anyone?
Samsung’s new food A.I. can suggest recipes based on what’s in your fridge
Imagine if, after a long day at work, your fridge could look to see what you’ve got in stock and then suggest a meal composed of those ingredients. That’s what Samsung has developed with a new personalized cooking experience feature for its fridges, shown off at CES.

Is this surprising in a Congress where Senators are willing to attack Facebook without bothering to learn how the company makes money?
Copy, Paste, Legislate Beta
The Center for Public Integrity – “Do you know if a bill introduced in your statehouse — it might govern who can fix your shattered iPhone screen or whether you can still sue a pedophile priest years later — was actually written by your elected lawmakers? Use this new tool to find out. Spoiler alert: The answer may well be no. Thousands of pieces of “model legislation” are drafted each year by business organizations and special interest groups and distributed to state lawmakers for introduction. These copycat bills influence policymaking across the nation, state by state, often with little scrutiny. This news application was developed by the Center for Public Integrity, part of a year-long collaboration with USA TODAY and the Arizona Republic to bring the practice into the light…”

Wednesday, January 08, 2020

Do you have a tested procedure for investigating reports of security breaches? Here’s a really good bad example.
The Difficulty of Disclosure, Surebet247 and the Streisand Effect

Shouldn’t the court redact any sensitive information?
Valley News Live reports:
North Dakota is now the first state to allow anyone with a computer and internet connection access to court documents from their own home or a remote location, according to state officials.
Yet, there’s disagreement on whether this is a good thing with sensitive information being exposed to millions.
The court records can be viewed and printed for free on
Read more on Valley News Live.
[I think that link should be:

Worth reading.
Award-Winning Paper: “Privacy’s Constitutional Moment and the Limits of Data Protection”
Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 is Privacy’s Constitutional Moment and the Limits of Data Protection by Woodrow Hartzog of Northeastern University School of Law and Neil Richards of the Washington University School of Law.
You can view all of this year’s award-winning papers on the FPF website.

I clearly do not understand antitrust.
McConnell Backs Bill to Give News Outlets Leverage Over Big Tech
The legislation would grant publishers a four-year exemption from antitrust laws so they could negotiate financial terms with the tech giants that often serve as a gateway for readers and online advertisers.
The bill, which has seven Senate supporters in total, was introduced by Senators John Kennedy, a Louisiana Republican, and Amy Klobuchar, a Minnesota Democrat. A companion measure in the House was introduced by the chairman of the antitrust subcommittee, Democratic Representative David Cicilline of Rhode Island, and the Judiciary Committee’s top Republican, Representative Doug Collins of Georgia.

8 AI trends we’re watching in 2020
To fully take advantage of AI technologies, you’ll need to retrain your entire organization
Data literacy will be required from employees outside traditional data teams—in fact, Gartner expects that 80% of organizations will start to roll out internal data literacy initiatives to upskill their workforce by 2020.

In case I ever want to recommend a student? I guess it could happen.

Tuesday, January 07, 2020

Practice on the Olympics before going pro for the election?
State-Backed Cyber Attacks Expected at Tokyo 2020 Games
The Public Security Intelligence Agency (PSIA) of Japan has issued a warning that a state-sponsored cyber attack on the Tokyo 2020 Summer Olympic and Paralympic Games is expected, after uncovering some early phishing emails made up to look as if they are coming from Olympic staff.
… Russia has a particular motivation for an attack on the 2020 games, however. The country recently received a four-year Olympic ban from the World Anti-Doping Agency (WADA) due to repeated violations. Russian athletes can compete under “neutral” status, but medals they are awarded do not count toward the country’s lifetime totals. Russia and Japan also have a long-running dispute over the Kuril Islands, and Russia has seized an unusual number of Japanese fishing boats this year in the area including five in December.

What actions could Airbnb take that would not result in lawsuits?
Airbnb's AI Can Dig Through Your Social Media For Clues You're a Psychopath
According to patent documents reviewed by the Evening Standard, the tool takes into account everything from a user's criminal record to their social media posts to rate their likelihood of exhibiting "untrustworthy" traits - including narcissism, Machiavellianism, and even psychopathy.

You should outsource things that are not part of your core business.
Elite Law Firms Are Quietly Outsourcing High-Value Functions
The American Lawyer: “Sullivan & Cromwell spends millions of dollars on technology, ensuring its equipment is accessible to its lawyers around the globe and that its digital security can keep clients safe. Chairman Joe Shenker, citing bank surveys, says the Wall Street firm’s tech costs per lawyer are higher than any of its peers. Still, Sullivan & Cromwell has managed to improve its profit margin while maintaining high-quality telecommunications, computers and servers. That financial success isn’t tied only to the firm’s lawyers. It’s partly a result of back-office decisions. Starting in 2017, the firm began outsourcing some of its technology functions and infrastructure. The change required about 30 high-level staffers, including engineers, to leave the firm and become employees of another business, HBR Consulting’s managed services division. It was a sea change in Sullivan & Cromwell’s evolution, Shenker says. “You can’t keep up doing state-of-the-art, best-of-the-best [in technology]—which is what we try to do—doing it yourself,” Shenker says. Law firms just can’t compete with big tech companies, he says. Instead, “Let’s focus on what we’re great at and let other people focus on what they’re great at.” Sullivan & Cromwell isn’t alone. Big Law is embracing outsourcing. Not only are more firms doing it, but the industry is outsourcing a growing number of high-value departments, often shedding administrative and operations employees in the process. The decisions carry some risk, but also big rewards. The outsourcing trend goes beyond law firms opening so-called “captive” operation centers, in which they move some back-office jobs to lower-cost locations with firm employees. More and more firms are moving departments and jobs outside the firm entirely…”

Beyond “I really need a job.”
Here’s an example of the perfect answer to ‘Tell me about yourself,’ according to Yale career experts