Tuesday, September 09, 2014

When? My Ethical Hackers are already planning how to hijack the best parking spots. (I told them they should apply for a Grant!)
When Cars Are as Hackable as Cell Phones
Imagine this future scenario: Self-driving cars form an orderly procession down a highway, traveling at precisely the right following distance and speed. All the on-board computers cooperate and all the vehicles travel reach their destinations safely.
But what if one person jailbreaks her car, and tells her AI driver to go just a little faster than the other cars? As the aggressive car moves up on the other vehicles, their safety mechanisms kick in and they change lanes to get out of the way. It might make the overall efficiency of the transportation lower, but this one person would get ahead.
This is but one of many scenarios that Ryan Gerdes of Utah State University is exploring with a $1.2 million grant from the National Science Foundation to look at the security of the autonomous vehicle future.
… What he's fascinated by is the way that bad actors could use the self-driving cars' algorithms against themselves. The algorithms that guide these cars—at least now—are fairly "deterministic" as he put it. A given set of inputs will yield the same outputs over and over. That makes them prone to manipulation by someone with knowledge of how they work. He can spin out scenario after scenario:
"What happens when you have two advanced cruise control vehicles and the one in front starts accelerating and breaking such that the one behind it starts doing the same thing in a more amplified fashion?"
"We’re looking at the collision avoidance systems. They rely on radar. We think we can manipulate radar sensors to some extent. Is it simple for an attacker to create an obstacle out of thin air?"
"Auto manufacturers always maintain the proper spacing in adaptive cruise control. You might get interesting effects if [someone] crafted certain inputs or misbehaved in a certain way so they create a very large traffic jam."
"If I’m a shipping company and I want to slow down the competition... I can take advantage of their sensors and keep making their cars brake and accelerate. We’ve already demonstrated in theory that it’s possible."
… A 2010 paper found all kinds of security flaws in a modern automobile, including headslappingly simple stuff like allowing the car's control system to be accessed through the radio controller. Install a hackable aftermarket radio and some malicious entity could take control of one's brakes.


For my Computer Security students. See? It can be done!
How quickly can your organization detect and stop a breach?
It looks like the National Committee for Quality Assurance (NCQA) caught one pretty quickly, as it only affected customers making online purchases on September 3 between 2 am and 10 am.
They called those affected, and by September 5, were sending out letters to those affected, telling them that their names, addresses, credit/debit card numbers and card expiration dates were breached.
What a fast breach detection, response, and notification.
Well done, NCQA!


Compare and contrast the article above to this one...
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud
Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.
The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores. But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.
… Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).


Their use of spyware ended in early 2012. The lawsuits may end in 2112. Maybe.
Hilary Niles reports a settlement between Vermont and Aaron’s, a firm that was charged by the FTC and sued civilly by customers over the use of remotely activated spyware that captured images of customers. As reported on this blog in numerous previous entries, the software enabled the franchises to locate lost or stolen laptops, but it also enabled them to track down customers who defaulted on their rental agreements, without the knowledge or consent of customers. In some cases, the spyware reportedly captured sensitive or personal images. Previous coverage on this blog is linked from here. Niles reports:
Three Vermont consumers will collect $2,000 in fines to make up for violations of their privacy by a computer leasing company. The state additionally will collect $45,000 in civil penalties and legal costs from SEI/Aaron’s.
Read more on VTDigger.
The Vermont Attorney General’s Office posted this press release about the case today:


No doubt this will explain everything to everyone's satisfaction.
EPIC (Finally) Obtains Memos on Warrantless Wiretapping Program
by Sabrina I. Pacifici on Sep 8, 2014
More than eight years after filing a Freedom of Information Act request for the legal justification behind the “Warrantless Wiretapping” program of President Bush, EPIC has now obtained a mostly nredacted version of two key memos (OLC54) and (OLC85) by former Justice Department official Jack Goldsmith. EPIC requested these memos just four hours after the New York Times broke the story about the program in December 2005. When the agency failed to release the documents, EPIC filed a lawsuit. The ACLU and the National Security Archive later joined the case. These two Office of Legal Counsel memos offer the fullest justification of the warrantless wiretapping program available to date, arguing that the president has inherent constitutional power to monitor American’s communications without a warrant in a time of war. But some parts of the legal analysis, including possibly contrary authority, are still being withheld. The warrantless wiretapping program was part of “Stellar Wind,” a broad program of email interception, phone record collection, and data collection undertaken by the NSA without the approval of Congress. For more information see EPIC: EPIC v. DOJ: Warrantless Wiretapping Program.”

(Related) Something to think about and then ignore?
International Law and Secret Surveillance: Binding Restrictions upon State Monitoring of Telephone and Internet Activity
by Sabrina I. Pacifici on Sep 8, 2014
CDT: “In the year that has followed Edward Snowden’s first disclosures concerning secret US and UK surveillance practices, many governments, human-rights groups, and UN bodies have debated—and at times disagreed sharply—about whether the Internet and telephone surveillance practices that governments employ today are consistent with international law. With a view to informing these discussions, this report briefly summarizes the current state of international law as it applies to the secret surveillance of communications. Many commentators divide international law into two categories: “hard law,” which is binding upon at least some states, and “soft law,” which includes nonbinding materials such as UN General Assembly resolutions. In order to facilitate a greater degree of understanding and consensus, this report is restricted to major international sources of “hard law.” The report describes two distinct bodies of law: customary international law (specifically, the principle of territorial and political integrity) and international human-rights law. As explained below, these two bodies of law exist independently of one another, meaning that a surveillance practice that does not violate human-rights law may still violate customary international law, and vice versa. The report does not address the special legal regimes that apply during situations of armed conflict. Where international human-rights law is concerned, the report focuses on the right to privacy, freedom of expression, and the right to a remedy, and provides a summary of the applicable case-law of the European Court of Human Rights and Inter-American Court of Human Rights. In this respect, the report is intended to serve as a basic reference work for scholars, practitioners, and activists. Although the applicability of the relevant laws and norms to the United States is described in some detail, the discussion below is relevant to all states’ surveillance practices.”


Have we thought this through?
Tech Firms Ask Congress to Redefine Medical Privacy Rules
Tech firms, including Amazon.com Inc., are asking Congress to redefine the rules on medical privacy, saying the potential risks of disclosure should be weighed again against the potential benefits of wider sharing and easier access to crucial health data.
Executives of tech companies and health organizations have told the House Energy and Commerce Committee in recent months that what they consider an excessively conservative stance on health data privacy is hindering development of new medical technologies and approaches to treatment, and also adding costs to already burdened state and federal budgets.
… Large companies also are looking for changes in HIPAA. Paul Misener, Amazon’s vice president for global public policy, in July told Energy and Commerce that current rules make it difficult to negotiate contracts for cloud computing services.


Clearly, someone needs guidance.
Kim Archer reports that the same state education department that upset the hell out of privacy advocates by publicly posting students’ personal details if they applied for a waiver of state tests still doesn’t grasp their obligations to rigorously protect student privacy:
Some area school officials say the Oklahoma State Department of Education has violated state and federal laws protecting student privacy by releasing information to districts about students who no longer attend their schools.
“If (the students have) left us, we really shouldn’t have access to that information,” said Larry Smith, deputy superintendent at Sapulpa Public Schools.
The data include student grades, disability status, and free and reduced-lunch status.
Read more on Tulsa World.
It would be bad enough if the department had just made a configuration error in its settings and thereby allowed all districts’ personnel to access all students’ data. But for the state to later claim that they are “erring on the side of caution” in limiting access to data that should be limited is concerning, as it suggests that they really don’t get that such privacy and data protection isn’t optional.


For my Computer Security students?
Gadget knocks drones, Google Glass offline
Bothered by gadgets like Google Glass that can, theoretically, be used to snoop on you in public? Then why not get your own gadget that can knock them all offline?
That's what the creators of Cyborg Unplug promise. Billed as a "wireless anti-surveillance system," Unplug is, essentially, a portable router that can detect drones, surveillance cameras and mobile tech like Glass trying to access your Wi-Fi signal and boot them off of it.
… That's Unplug's stated purpose, anyway. But, as its creators freely note, it also has an "All Out Mode" that would let you knock devices off of any wireless network, not just yours.
The company says it doesn't recommend doing that because ... you know ... it's probably really, really illegal.
… To be clear, Cyborg Unplug can't stop anyone from using mobile devices to record or photograph you. It only keeps that data from being streamed afterward.


...and 99 cents here in the US too.
Amazon slashes Fire Phone price to 99 cents ahead of Apple's launch event
Global e-commerce giant Amazon has cut the price of its flagship Fire Phone by US $198 to 99 cents just two months after the maiden smartphone's launch.
… Similar offers have been made available in the UK and Germany, where consumers can get the phone for zero pounds and one euro, respectively under contracts with Amazon's telecom partners.


Is this just a lawyer thing, or a tool for any busy executive?
New on LLRX – Will Lawyers Embrace Wearable Tech, And The Future?
by Sabrina I. Pacifici on Sep 8, 2014
Via LLRX.com - Will Lawyers Embrace Wearable Tech, And The Future? Nicole Black predicts that smartwatches will soon be very popular with lawyers as they offer an easy and unobtrusive way to filter only the most important information received on your smartphone. So if you’re expecting a priority email or phone call, you can program your phone to forward it to your smartwatch so that you’ll receive a subtle vibration on your wrist. This will come in handy when you’re in court, for example. So instead of causing a disruption in the proceedings, you can leave the room quietly and tend to the matter in the hallway with no one else the wiser.


Doh!
Behold, a Database That Tracks More Than 500 Episodes of The Simpsons
… To celebrate the show's quarter-century of existence, fans are being treated to projects that capitalize on this documentary breadth. There's the marathon of the show that's been airing on the cable network FXX; the social media conversation that has accompanied the marathon; the new app, Simpsons World, that will function like a DVD box set for the show, with even more extras. But there's another Simpsons project Fox isn't responsible for: a searchable database. One that has taken every episode of The Simpsons and made it, in its way, interactive. As Homer might put it: "Mmmmmm, searchability."


I have a smart student who wants to add mapping features to her business website.
How You Could Make Your Own Google Maps Using A Drone
Imagine sending a drone to take pictures above your neighborhood, then compiling those photos into an extremely high-resolution, local map. A new piece of software, combined with improved drone technology, means this kind of arrangement is already cheaper than you may think.
Maps Made Easy recently completed their Kickstarter campaign, meaning their software for combining a massive number of aerial photos into a coherent whole will soon be a reality.
… Maps Made Easy, according to Thomas, is a piece of software that stitches images together. It’s not concerned with precise GPS location, making the process relatively simple.


Might be a fun writing project...
– is a free tool for authors and publishers to turn their illustrated children’s books into great-looking Kindle books. Kindle Kids’ Book Creator makes it easy for authors and publishers to import artwork, add text to pages, and preview how their book will look on Kindle devices.


A simple illustration of why I say, “Free is good!”
Kindle vs. iBooks: Which Is The Best eReader For Your iPad or iPhone?
Apple’s iBooks and Amazon’s Kindle (both free) are two of the best apps for reading a book on your iPhone or iPad, and each has its own strengths and weaknesses – so which is right for your reading habits?
… Both Kindle and iBooks are free downloads and if you haven’t yet used them, I encourage you download them both to see which works best for your reading and studying needs.


Please don't shoot the messenger.
A Man’s College Degree Does Have Value: to His Wife
Although a man’s educational level has no impact on his own happiness, a woman married to a man with at least a college degree is about 5% more likely to be very happy with her marriage, according to an analysis of the General Social Survey, funded by the U.S. National Science Foundation. “There seems to be an inherent quality of a man having a college degree that makes a woman happier in marriage,” write economists Bruce T. Elmslie of the University of New Hampshire and Edinaldo Tebaldi of Bryant University. Men, by contrast, seem to have little interest in the educational level of their wives.


An infographic for my students who actually use electronic mail.
How To Write Better Emails


I could have guessed some of these – a couple I've never heard of.
The 100 Books Facebook Users Love
… I’m usually a skeptic of such meme-y Facebook statuses, but people gathering around books that meant something to them melted even my cold heart. So I asked the Facebook Data Science team if this status had gotten “big” enough to attract their attention, and what they had seen in it.
They replied with something I wasn’t expecting: a list of the 20 books most cited by Facebook users who participated in the game.
In a new blog post, they’ve released that list (it’s also below) and some of their methodology.
… Without further ado, here is that list, along with the percentage of statuses that each title appeared in:
  1. The Harry Potter series, J.K. Rowling (appeared in 21.08 percent of all statuses)
  2. To Kill a Mockingbird, Harper Lee (14.48 percent)
  3. The Lord of the Rings series, J.R.R. Tolkien (13.86 percent)
  4. The Hobbit, J.R.R. Tolkien (7.48 percent)
  5. Pride and Prejudice, Jane Austen (7.28 percent)
  6. The Holy Bible (7.21 percent)
  7. The Hitchhiker's Guide to the Galaxy, Douglas Adams (5.97 percent)
  8. The Hunger Games Trilogy, Suzanne Collins (5.82 percent)
  9. Catcher in the Rye, J.D. Salinger (5.70 percent)
  10. The Great Gatsby, F. Scott Fitzgerald (5.61 percent)
  11. 1984, George Orwell (5.37 percent)
  12. Little Women, Louisa May Alcott (5.26 percent)
  13. Jane Eyre, Charlotte Bronte (5.23 percent)
  14. The Stand, Stephen King (5.11 percent)
  15. Gone with the Wind, Margaret Mitchell (4.95 percent)
  16. A Wrinkle in Time, Madeleine L'Engle (4.38 percent)
  17. The Handmaid’s Tale, Margaret Atwood (4.27 percent)
  18. The Lion, the Witch, and the Wardrobe, C.S. Lewis (4.05 percent)
  19. The Alchemist, Paulo Coelho (4.01 percent)
  20. Anne of Green Gables, L.M. Montgomery (3.95 percent)

No comments: