Saturday, October 04, 2014

I don't see a good scenario here. Best case seems to be that a criminal group started out to rob these banks but were interrupted for some reason. Worst case, Russia is saying “back off in the Ukraine” and we haven't demonstrated a similar ability to impact their financial system. Jobs for my Ethical Hackers seem assured.
Hackers’ Attack Cracked 10 Financial Firms in Major Assault
The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.
Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.
It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.
The breadth of the attacks — and the lack of clarity about whether it was an effort to steal from accounts or to demonstrate that the hackers could penetrate even the best-protected American financial institutions — has left Washington intelligence officials and policy makers far more concerned than they have let on publicly.


For my Ethical Hackers and Computer Security students.
Medical ID Theft: How Scammers Use Records To Steal Your Identity

(Related) Oh wait, let me guess... Because there's money to be made?
Facebook is reportedly going after the healthcare market. But why?
… We may get more information on Facebook’s plans soon. Next Thursday, the company will be presenting at the m.2014 Mobile Health and Innovation Conference, put on by Digitas Health.


Completely unrelated. Perhaps doctors need to look up from their iPhones on occasion? This would result in a much better example of undue reliance than Ford Motor Credit v. Swaren, but it is unlikely to ever see a courtroom.
The Ebola Patient Was Sent Home Because of Bad Software
… On Thursday night, the hospital released a statement explaining exactly how it managed to release an Ebola-infected patient back into America's ninth-largest city.
In short? Blame the robots, not the humans:
Protocols were followed by both the physician and the nurses. However, we have identified a flaw in the way the physician and nursing portions of our electronic health records (EHR) interacted in this specific case.
[Their explanation suggests that a bit of information was not communicated. What should have happened is that when “West Africa” was first mentioned, an immediate “Red Flag: Potential Infection Hazard” should have been initiated, and kept flashing on the front page of his medical records until Ebola was specifically eliminated as the cause of his fever. This type of risk should never wait for a doctor to get around to the patient. Bob]


Free (soon freemium) Security software.
Meet GlassWire, The Prettiest Bandwidth & Internet Security Monitor For Your Windows PC
Maybe you’re looking for a way to track your Internet usage and the applications that access the network. Maybe you have a habit of absentmindedly dismissing firewall alerts. Maybe you’d like a way to clue into sneaky malware that your anti-virus might not know about yet, or applications that mishandle your data or compromise your privacy.
If any of these is a concern for you, you’re in luck, because today I invite you to meet the prettiest little Internet/network security app you ever did see. It’s called GlassWire, and you can install it to your Windows PC. I’ll also give a quick rundown of four less-pretty but open-source/cross-platform options.


For my Data Mining and Data Analytics students. Note the authors... IBM would have Watson do the matching, but the FBI never trusted Sherlock Holmes.
Biographic Entity Resolution Challenges of managing and sharing
Via Public Intelligence – DOJ/FBI – Unclassified Presentation – Biographic Entity Resolution - Challenges of managing and sharing. John N. Dvorak - Senior Level IT Architect, September 16, 2014, Global Identity Summit.
  • “Entity Resolution: The process of determining whether two or more references to real-world objects such as people (individuals), places, or things are referring to the same object or to different objects. This concept is sometimes referred to as Entity Correlation, Entity Disambiguation, or Record Linkage, and includes related concepts such as Identity Resolution. (from draft DARA)
  • Entity Map: Complete enriched entity data that includes the linkage of relationships between people, places, things, and characteristics of data resulting from an entity resolution process.”


Tickles my teaching funny-bone.
… And speaking of LAUSD, the district has paid $3.75 million to settle a lawsuit with Maximus Inc, the company hired to build its new student information system. The district spent $112 million to build the system but never implemented it.
Marmosets apparently find video content educational too. And if it’s good enough for monkeys…
edX is getting into the "professional education" business to "better serve those learners who use our courses to advance their careers, or organizations that wish to support continuing learning for their workforce."
… Students on meal plans at George Mason University must be registered for the iris scanner. I’d love to know if this data is connected to the learning management system and if the university has plans to use students’ biometric data to prevent cheating in online courses.
… Free (local) community college for graduates of Chicago Public Schools and San Luis Obispo high schools.


Something for my Math students to consider.
Wolfram|Alpha Pro


For my i-students... Cheap and free Apps and games.
iPhone Photo Apps Fragment, Lenka & AppAlchemy Are All Free [iOS Sales]

Friday, October 03, 2014

I hope they didn't do this just because I need a good “bad example” for my Intro to Computer Security class.
JPMorgan Chase Says More Than 76 Million Households Were Compromised in Cyberattack
A cyberattack this summer on JPMorgan Chase compromised more than 76 million household accounts and seven million small-business accounts, making it among the largest corporate hacks ever discovered.
The latest revelations, which were disclosed in a regulatory filing on Thursday, vastly dwarf earlier estimates that hackers had gained access to roughly one million customer accounts.
The new details about the extent of the cyberattack — which began in June but was not discovered until July — sent JPMorgan scrambling for the second time in just three months to contain the fallout.
… Hackers were able to burrow deep into JPMorgan’s computer systems, accessing the accounts of more than 90 servers — a breach that underscores just how vulnerable the global financial system is to cybercrime.
… Investigators in law enforcement remain puzzled by the attack on the bank because there was no evidence that the attackers looted any customer money from accounts.
The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
It is still not clear how hackers managed to gain deep access to the bank’s computer network. By the time the bank’s security team discovered the breach in late July, hackers had already gained the highest level of administrative privilege to more than 90 of the bank’s computer servers, according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
… More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer– a hacker’s road map of sorts — which hackers could cross check with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.

(Related)
JPMorgan cyberattack largest ever bank hack
… That would make it the biggest single data breach hack since 130 million credit and debit card details were stolen from Heartland Payment Systems in 2007.

(Related) Perhaps they need better advisors?
Well, I nearly trashed this email as spam because the sender showed as “Gregory Quental,” with a subject line “Important update on cyber security.” I’m glad I looked at it, though, as it was a message from JPMorgan about their breach:
As you may know, Chase recently was the victim of a sophisticated cyber attack. Since then, we have been conducting a comprehensive investigation of the incident and have found no evidence that client account information was compromised.
Our detailed review has found no evidence that account numbers, passwords, dates of birth and Social Security numbers were compromised. We therefore do not believe you need to take any action related to your account. The information that was compromised was contact information — names, addresses, phone numbers and email addresses for users of Chase.com, J.P. Morgan Online, Chase Mobile and J.P. Morgan Mobile, as well as internal JPMorgan Chase information relating to such users.
We want to assure you that we take this incident very seriously, and have no evidence that the attackers are still in our systems. These kinds of attacks are frequent, and while this one was sophisticated, we stopped it and continue to invest in preventing future attacks. It is important to note that we have not seen any unusual fraud activity across all of our accounts, and you are not liable for any unauthorized transactions on your account that you promptly alert us to.
We regret this incident happened. As always, your J.P. Morgan advisor and client service team are available to discuss any questions or concerns.
Sincerely,
Gregory Quental
Chief Executive Officer
J.P. Morgan Securities


Best Practices?
When Community Health Systems revealed it had been breached earlier this year, a spotlight was placed on cybersecurity in the healthcare industry, and the diagnosis was not good.
In that case, patient records for some 4.5 million people were exposed by hackers. The situation added Community Health Systems to the list of organizations impacted by security incidents, and sparked discussions about the importance of information sharing within the industry and between companies and the government.
Based on his experience consulting with healthcare organizations, Michael Wojcik, senior manager with Ernst & Young, noticed patterns among organizations that contribute to security failings, and at the (ISC)2 Security Congress in Atlanta this week outlined the five most common security mistakes healthcare organizations make.
Perhaps not surprisingly, understanding and managing risk is critical, and failing to do both are numbers one and two on Wojcik's list of missteps.
It is also important for organizations to properly categorize their assets. Many organizations don't have a good handle on where all the sensitive information in their organization is, he said.


Reminds me of that cartoon, “then a miracle occurs.” (see: http://cafehayek.com/2014/03/then-a-miracle-occurs.html )
Silk Road Lawyers Poke Holes in FBI’s Story
… Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.
But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.
For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.
… “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”
Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.
“This configuration file was last modified on June 6, so on June 11 — when the FBI said they [saw this leaky CAPTCHA] activity — the FBI could not have seen the CAPTCHA by connecting to the server while not using Tor,” Weaver said.
… Many in the Internet community have officially called baloney [that's a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

(Related)
A Year After Death of Silk Road, Darknet Markets Are Booming


How are you going to talk to all those “things” on the Internet of Things?
Google: No app? No problem for Web-connected devices
… The search giant this week revealed a project called "Physical Web," which aims to create a common standard that ties together disparate Web-enabled devices by using URLs instead of mobile apps.
Here's how it would work: Each device -- Google uses bus stops and vending machines as an example -- is assigned its own URL. That URL is then beamed out to everything around it and will show up on a nearby phone or tablet. People can then interact with the objects via their mobile device using the open Web, instead of needing to download one app for bus stops and a separate app for vending machines.
… Several of the world's largest tech companies are making bets on the nascent "Internet of Things," referring to Web-infused devices. Google in January announced the acquisition of Nest, the high-profile maker of smart-home gadgets like the Nest Learning Thermostat and Nest Protect smoke detector, for $3.2 billion. Samsung in August said it was buying SmartThings, an open platform for smart home devices. Apple also entered the fray when it introduced HomeKit for its iOS 8 mobile operating system, which lets people control various devices from an iPhone or iPad.
Using the Physical Web approach, Google said new "tiny use cases" become possible, like a bus stop telling you when the next bus is coming or a rental car beaming you a sign-up sheet so you can drive away immediately.

(Related) Your things are on the Internet of Things, even when they talk to your employer.
BYOD Privacy: Do Employees Have Rights?
Using personal devices to conduct business has become commonplace, whether employers require it or employees voluntary do so. The use of personal devices creates a privacy challenge. Employers want access to the devices, and employees want to protect their personal data contained on them.
… In Colin Cochran v. Schwan's Home Service, Inc., the California Court of Appeals in August reversed a Superior Court in Los Angeles County and ruled that "when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them."
… The Court's answer was "that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee."


Maybe not the best way, but certainly one way that could work. For instance...
How Apple Is Monetizing Privacy With iOS 8
… Tim Cook announced at the last Apple Keynote that, as of iOS 8, even Apple will no longer be able to get around your passcode and decrypt your device. This means anyone who has your iPhone or iPad, whether they’re a thief or a police officer trying to execute a warrant, will find cracking your phone to be nearly impossible. Apple says this is a big step forward for device security, but is that true?
In a word, yes. A passcode on an iOS device may just look like a number, but once enabled it activates encryption of your entire smartphone.
… What makes Apple Pay more secure than most is the fact your credit card information never needs to leave your device. Paying does not relay your credit card number but instead relays a unique payment ID that’s valid only for that specific transaction. This is known as tokenization. It’s been used before by secure credit card payment systems, but Apple Pay is the first to apply the idea to paying via phone.
The system is hardened against thieves, as well, because (on the iPhone 6, at least) the fingerprint reader is used to make a payment.


Is “Don't get caught” adequate guidance?
Facebook Tightens Oversight of Research
Facebook Inc. FB +0.73% said Thursday it has changed how it conducts experiments on users, by giving its researchers more guidance and adding internal reviews.
But the company declined to discuss other details of the new standards, which some outsiders called inadequate.
The measures follow the disclosure in June of an earlier experiment in which Facebook researchers altered the news feeds of 700,000 users, omitting content with words associated with either positive or negative emotions, seeking to study how emotions spread on the social network.
… On Thursday, Facebook said it would tighten oversight of its data scientists by giving them clearer guidelines and creating an internal review panel of senior researchers. It also said researchers would be schooled in the ethics of such studies.


It's called “undue reliance.” It's coming to your bank next!
Why Ben Bernanke Can’t Refinance His Mortgage
… The problem probably boils down to this: Anybody who knows how the world works may know that Ben Bernanke has vast earning potential, and that he is as safe a credit risk as one could imagine. But he just changed jobs a few months ago. And in the thoroughly automated world of mortgage finance, having recently changed jobs makes you a steeper credit risk.


My favorite...
GeekWire Summit: Check out these 5 innovations we love
Picobrew
If you’re geeky and you love beer, PicoBrew might be of interest.
PicoBrew CEO Bill Mitchell, a former Microsoft executive, today showed off his company’s automatic all-grain beer brewing system that’s the size of a microwave.
This thing eats hops, grain, yeast, and water — and poops out great craft beer,” [Probably not the best image for marketing Bob] Mitchell said today.
After absolutely obliterating its crowdfunding campaign goal and raising $661,026 from Kickstarter backers last year, PicoBrew completed a $1.2 million Series AA round from angel investors this past May. Learn more about PicoBrew here.


I'm hoping the student book club will push articles like this to all our students.
5 Tips To Read More Books Every Year
There are just so many amazing books out there and several more are being written/published this very instant.
… We promise it will be fun, and more so if you turn into a librocubicularist. [Guilty! Bob]


Equal time for the student gamer's club.
5 Surprisingly Deep Free Browser-Based Strategy Games


Could be used for textbooks or even walking students through our portal! Try it for free.
– Imagine you were sitting next to your customer and showing them how to work with the application you have just built. Inline Manual does that for you. Inline Manual presents a new layer on top of your application that allows your customers work with the application while they are learning. Learning by doing at its best.

Thursday, October 02, 2014

Big Brother needs to know when agents of Eurasia and Oceania are conspiring against Eastasia.
China may be targeting Hong Kong protesters with spyware, U.S. firm says
The Chinese government might be using smartphone applications to spy on pro-democracy protesters in Hong Kong, a U.S. security firm said.
The apps are disguised as tools created by activists, said the firm, Lacoon Mobile Security. It said that once downloaded, they give an outsider access to the phone's address book, call logs and other information.


Trust no one.
Graham Cluley writes:
… from time to time, firms find themselves in the position of admitting that they have messed up massively with potentially disastrous consequences for their business and their innocent customers.
What makes it even worse, however, is when the company that has fallen woefully short really should have known better.
One such company which can offer no reasonable excuses is iThemes, the “one-stop shop for WordPress themes, plugins and training.”
Read more on State of Security.


For my Computer Security students.
Europol Analyzes Cybercrime Services Industry
The European Cybercrime Center (EC3) at Europol has published its Internet Organised Crime Threat Assessment (iOCTA) for 2014. The role of the report is to keep decision makers informed on the cybercrime threats affecting governments, businesses and citizens in the European Union.
The iOCTA also focuses on the Crime-as-a-Service business model, which facilitates a wide range of cybercriminal activities. The widespread availability of DDoS, botnet, malware, data theft and password-cracking services has led to the increasing involvement of traditional organized crime groups in cybercriminal operations.
One perfect example is the operation in which a Netherlands-based drug smuggling ring hired hackers to infiltrate the computer systems used to control shipping containers at a port in Belgium. By hacking into the port's systems, the group was able to identify the location of containers loaded with drugs, and had its drivers pick them up before the legitimate hauler got to them.
The complete iOCTA report can be browsed online or downloaded in PDF and ePub formats.

(Related) May have broader implications (e.g. The Internet of Things)
FDA Publishes Cybersecurity Guidance for Medical Device Manufacturers
The U.S. Food and Drug Administration (FDA) released a set of recommendations for manufacturers for managing cyber-security risks and protecting patient health and information.
The guidance is titled 'Content of Premarket Submissions for Management of Cybersecurity in Medical Devices' and recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends manufacturers submit their plans for providing updates to operating systems and software.
"There is no such thing as a threat-proof medical device," said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a statement.
In particular, medical devices that are capable of connecting to another device or the Internet are more vulnerable to security threats, the guidance notes. In its recommendations, the FDA stresses the importance of authentication controls and detection.


It's a well thought out policy, until someone points out that it's not.
Facebook makes peace with gays over 'real names'
Facebook on Wednesday vowed to ease its "real names" policy that prompted drag queen performers to quit the social network and sparked wider protests in the gay community and beyond.
The huge social network, facing a planned street protest in San Francisco this week, apologised in a bid to quell the simmering dispute over its enforcement of the policy.
Facebook executives and representatives of the lesbian, gay, bi-sexual and transgender communities said they found a solution acceptable to both sides, allowing people to use assumed names, subject to verification.
"The spirit of our policy is that everyone on Facebook uses the authentic name they use in real life," Facebook chief product officer Chris Cox said in a blog post.
"For Sister Roma, that's Sister Roma. For Lil Miss Hot Mess, that's Lil Miss Hot Mess."
Cox said Facebook would come up with improved tools to "authenticate" legitimate users such as those who sparked the protest.


Is this a joke? I'll need to check their modeling assumptions but I find it difficult to believe that turbines a mere 120 meters tall would do much to reduce storms that top out at 60,000 feet.
Wind Turbines Could Take the Punch Out of Hurricanes
If 78,000 giant wind turbines had been positioned off the coast of New Orleans in 2005, they not only could have provided a lot of electrical power, they also would have sucked so much energy out of Hurricane Katrina that the storm surge would have been cut by 71% and wind speeds would have been reduced by as much as 57%, according to a Wall Street Journal report of a study that relied on computer modeling. Large arrays of offshore wind turbines, although expensive to build, could take enough energy out of the wind to break the “feedback loop” of wind speed and wave heights that makes hurricanes so destructive, the scientists say.
[Supplementary material:


For all my students. (Form good homework habits now, use them on the job later.)
5 Ways to Work from Home More Effectively


For my geeks with a spare computer...
How To Download Windows 10 Now
Windows 10 is now available to download, with Microsoft inviting people to join the Windows Insider Program and help test the new operating system. If you’re technically proficient with a PC then head to previews.windows.com to get started. However, as this is only the Windows 10 Technical Preview, a very early version of the OS, you should bear a few things in mind before signing up.
The Windows 10 Technical Preview is likely to be buggy, and prone to crashing your computer. Therefore, back everything up before downloading it. This includes your current Windows install, as rolling back to a previous version of Windows will not be easy. So, ensure you have an installation or recovery disk ready before going anywhere near Windows 10.


Better than PowerPoint?
Microsoft launches Sway, a new tool for composing and presenting ideas
Have a killer idea?
Microsoft wants to make it easy to turn it into a presentation. The company unveiled a new product called Office Sway today that provides users with a canvas to document their ideas and then go on to share them with other people.
It’s a free, web-based app that Microsoft says will work on mobile devices (through a native app) and desktop browsers. Users get started by creating a title for their project, and can then add text, images and video to it. Here’s a video that shows how it all works:
… In addition, the presentation component of Sway encroaches on the territory of Haiku Deck and Jackson Fish Market’s Slide Bureau app, which are both designed to take user information and make it easy for them to build a presentation.
Right now, Sway is in an invite-only preview. People interested in signing up can visit Sway.com and get their email on the list.


I love lists. (and if I had a Smartphone I'd probably take the time to read this one.)
The App 100: The World's Greatest Apps
There are over 1.3 million apps in Apple's App Store, and another 1.3 million in Google's Play store, so finding your next app can be overwhelming. We live and breathe apps for a living, so we've sifted through them to tell you which are the best.


This could be amusing.
How to Use Classtools.net to Create a Fake Text Message Exchange
Russel Tarr, owner of Classtools.net, has developed and published a bunch of great tools over the years. One of my favorite of those is the Fake SMS Generator. The Classtools Fake SMS Generator is free to use and does not require students to register to use it. In the video below I demonstrate how to create a fictitious text message exchange between historical characters.
As I mentioned in the video, the Fake SMS Generator could also be used to create visuals for lessons on cyber-safety and etiquette.


Now that we've analyzed all that data, how do we present it?
Easily Add Charts to Infographics With Easelly
Easel.ly is an online tool for creating infographics. I've reviewed a couple of times in the past on this blog. The latest update to Easelly introduced a tool for creating charts to incorporate into your infographics. The chart creation tool is a drag-and-drop option that can be found in the Easelly toolbar. Easel.ly provides a canvas on which you can build your own infographic by dragging and dropping pre-made design elements. You can use a blank canvas or build upon one of Easel.ly's themes. In addition to using the built-in creation tools you can upload your own graphics to include in your infographic. Your completed infographic can be exported and saved as PNG, JPG, PDG, and SVG files.

Wednesday, October 01, 2014

Sounds like the plot of “Wargames” doesn't it?
Hackers Arrested for Cracking US Army Network
Four members of an international hacking ring were charged with cracking the networks of the US Army and developers of blockbuster war video games to steal software, prosecutors said Tuesday.
Two of the men entered guilty pleas in the case, which centers on the"cyber theft" of at least $100 million worth of software and data, according to the Justice Department.
The hackers are accused of breaking into programs used for the Army's Apache helicopter pilot training, Microsoft's Xbox One consoles, and yet-to-be released video games "Gears of War 3" and "Call of Duty: Modern Warfare 3."


Not the best advertisement for UPS.
Terrence T. McDonald reports:
More than two months after a compact disc containing personal data of Jersey City Medical Center-Barnabas Health patients went missing, hospital officials say the disc was found and no data was compromised. The CD, which was sent to an outside firm that reviews medical billing data back in June, was delivered earlier this month by UPS, JCMC spokesman Mark Rabson told The Jersey Journal.
The package was “still sealed in its original packaging,” Rabson said.
Read more on NJ.com
[From the Article:
A Barnabas Health spokesman said JCMC has implemented policies intended "to minimize the chance of other such incidents." [How could their policies improve UPS delivery? Bob]


Sex? There's an App for that! No doubt every high school male will have this App on his phone. I can already see the potential for phishing...
NY Daily News reports:
Want to make sure you and your partner are on the same page before you hook up? There’s an app for that.
Good2Go, which launched on Wednesday, is designed to get two parties to explicitly agree to sexual activity and log their level of intoxication with the hope of combating sexual assault, particularly on college campuses.
“Good2Go should be treated in the same manner as putting on a condom,” its website explains. “It may stop the action for a second, but everyone understands it is in the interest of safety, so it is worth the momentary pause.”
Read more on NY Daily News.


I wonder why? (This is not what I would have guessed.)
Do Academically Marginal Students Benefit from College? The Data Says Yes.
A study of Florida high-schoolers whose grades were just good enough for admission to a public university shows that higher education provided significant financial benefits for these students: 8 to 14 years after high school, their earnings were 22% higher than those of peers who hadn’t gone to college, with male students showing the largest gains, says Seth D. Zimmerman of Yale. These benefits outstrip the costs of college attendance, he says.


For the next time I teach Statistics.
Xbox Polling and the Future of Election Prediction


For my students.
8 Vital Things To Do On Facebook When You’re Looking For Work

Tuesday, September 30, 2014

For my Ethical Hackers. Something fishy here! According to their website, http://www.invocode.com/, law enforcement agencies use their software “to keep track of offenders on parole.” Corporations use it to monitor employee cellphone use. It appears that the marketing rather than the software functions are what is tipping this into “illegal” territory.
Spyware executive arrested, allegedly marketed mobile app for “stalkers”
The chief executive officer of a mobile spyware maker was arrested over the weekend, charged with allegedly illegally marketing an app that monitors calls, texts, videos, and other communications on mobile phones "without detection," federal prosecutors said.
The government said the prosecution [PDF] of Hammad Akbar, 31, of Pakistan, was the "first-ever" case surrounding advertising and the sales of mobile spyware targeting adults—in this case an app called StealthGenie.
“Selling spyware is not just reprehensible, it’s a crime,” Assistant Attorney General Leslie Caldwell said in a statement. “Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life—all without the victim’s knowledge."
… The app, which the government said took minutes to install, required "physical control" of the phone.
"The purchaser could then review communications intercepted from the monitored phone without ever again having physical control over the phone," the government said.
While parents may use surveillance software to monitor their minor children's mobile phones, InvoCode also marketed the spyware to "potential purchasers who did not have any ownership interest in the mobile phone to be monitored, including those suspecting a spouse or romantic partner of infidelity."

(Related) A review of mobile tracking Apps concludes, “StealthGenie – It simply isn’t worth the money!” Are they arresting the creators of the Apps that work better?
Mobile Tracking Software

(Related) Although these guys rate it at about the middle of the pack.
Chili Reviews
Phone Monitoring Software Companies Reviews - September 2014


Similar to Jimmy John's? Another case of “We don't know what happened. Oh, and before we forget completely, here one that happen earlier...”
Another Card System Hack at Supervalu, Albertsons
Card data of Supervalu and Albertsons shoppers may be at risk in another hack, the two supermarket companies said Monday.
The companies said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.
The companies also disclosed a data breach in August. They said the two incidents are separate. Supervalu said that incident may have affected as many as 200 grocery and liquor stores. It said hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information.
That breach occurred between June 22 and July 17, and Supervalu said it immediately began working to secure that portion of its network. The companies said Monday that they are still investigating that incident and don't know if cardholder data was taken.


Definitely an article for my Intro to Computer Security students. (and not just because punctuation matters) As always, read it from the source.
We Take Your Privacy and Security. Seriously.
“Please note that [COMPANY NAME] takes the security of your personal data very seriously.” If you’ve been on the Internet for any length of time, chances are very good that you’ve received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, “It’s not you, it’s me.”
I was reminded of the sheer emptiness of this corporate breach-speak approximately two weeks ago, after receiving a snail mail letter from my Internet service provider — Cox Communications. In its letter, the company explained:
“On or about Aug. 13, 2014, “we learned that one of our customer service representatives had her account credentials compromised by an unknown individual.
… So, I called the number on the back of the letter, and was directed to Stephen Boggs, director of public affairs at Cox.
Boggs said that the trouble started after a female customer account representative was “socially engineered” or tricked into giving away her account credentials to a caller posing as a Cox tech support staffer. Boggs informed me that I was one of just 52 customers whose information the attacker(s) looked up after hijacking the customer service rep’s account.
The nature of the attack described by Boggs suggested two things: 1) That the login page that Cox employees use to access customer information is available on the larger Internet (i.e., it is not an internal-only application); and that 2) the customer support representative was able to access that public portal with nothing more than a username and a password.
Boggs either did not want to answer or did not know the answer to my main question: Were Cox customer support employees required to use multi-factor or two-factor authentication to access their accounts?

(Related) “Our security is so good, you can break it by 'accident.'”
Debra O’Connor reports:
State computer experts found no evidence of criminal activity when private student data was exposed on the website of a student loan program, according to the Minnesota Office of Higher Education.
“We did the big deep-dive security analysis and discovered, of all the log-ins to that site, there were only three that were unauthorized,” said communications director Sandy Connolly. An investigation showed that three students accidentally gained access to the information.
“We don’t have any evidence at all of any hacking,” Connolly said.
The office last week mailed letters to the 1,328 students who may have had their data viewed on the SELF student loan site, telling them how to protect their credit and how to get a copy of a report explaining the problem.
Read more on Pioneer Press.


Perhaps I'll grab a copy for my Computer Security or my Computer Forensics students to play with.
FBI Launches Malware Investigator Tool
At the Virus Bulletin conference that took place in Seattle last week, the FBI introduced a tool designed to provide users with detailed technical information on malware.
In 2011, the FBI deployed a tool called the Binary Analysis Characterization and Storage System (BACSS). The tool provides technical information on malware functionality, which investigators and incident responders can use in their activities.
Since BACSS has been a success, the FBI decided to develop Malware Investigator, an unclassified automated malware analysis tool that can be used not only by other law enforcement agencies which might need it for cybercrime investigations, but also by researchers trying to understand the threat landscape, and private sector partners seeking to improve their cyberattack mitigation capabilities.


A slideshow. If you want to learn a more about Privacy and the Internet of Things, join us on Friday, October 10th for this Privacy Foundation seminar: http://www.law.du.edu/documents/privacy-foundation/flyer-and-schedule.pdf
A Brief History of the Internet of Things
Over the last few years, the Internet of things has evolved from an intriguing concept into an increasingly sophisticated network of devices and machines. As more and more "things" get connected to the Internet—from Fitbit activity monitors and home lighting systems to industrial machines and aircraft—the stakes grow exponentially larger. Cisco Systems estimates that approximately 12.1 billion Internet-connected devices were in use in April 2014, and that figure is expected to zoom to above 50 billion by 2020. The networking firm also notes that about 100 things currently connect to the Internet every second, and the number is expected to reach 250 per second by 2020. Eventually, the IoT will encompass about 99 percent of all objects, which currently totals approximately 1.5 trillion things.


Typically, I would flag this for my Disaster Recovery students. In this case, I'm also adding a Homeland Security flag. Think of it as “target identification” for terrorists.
Air traffic meltdown puts FAA vulnerability in spotlight
Demands for answers and promises of technology breakthroughs bounced across Washington on Monday as the nation's air traffic control system continued its gradual recovery from the fire at an Aurora radar facility that has grounded thousands of flights since Friday.
And while experts commended the Federal Aviation Administration for launching an investigation into the alleged act of arson at the agency's Chicago Center facility, some also threw cold water on claims made Monday that a next-generation, satellite-based radar system could stifle another rogue attack.
… The debate about security and vulnerability at the nation's air traffic control facilities came amid ongoing efforts to repair the damage done at the Chicago station, which handles high-altitude air traffic in seven states.
The FAA's goal is to get Chicago Center fully functional by Oct. 13.


Is this as interesting as I think it is?
To have a sitting FTC Commissioner criticizing his own agency is stunning – and refreshing. Jan M. Rybnicek, attorney advisor at the FTC, and Commissioner Joshua D. Wright have an article in George Mason Law Review, Vol. 21, No. 5, 2014, “Defining Section 5 of the FTC Act: The Failure of the Common Law Method and the Case for Formal Agency Guidelines.” And yes, it addresses the pro-common law argument advanced by law professors Daniel Solove and Woodrow Hartzog in their scholarly work.
Here’s the abstract:
As the Federal Trade Commission (“FTC” or the “Commission”) celebrates its 100th anniversary, it does so amid a renewed interest in finally defining what constitutes a standalone “unfair method of competition” under Section 5 of the FTC Act. For a century, the business community and agency staff have been without any meaningful guidance about what conduct violates the Commission’s signature competition statute. As consensus begins to build about the appropriate parameters of Section 5, some commentators have opposed articulating a principled standard for the application of the FTC’s authority to prosecute standalone unfair methods of competition for fear that doing so would too severely restrict the agency’s enforcement agenda. These commentators prefer for Section 5 to develop though the common law method, and point to the successful development of the traditional antitrust laws as evidence that the common law approach is the standard and preferred means for developing competition law. This Article discusses why, after a century-long natural experiment, it is clear that the common law method cannot be expected to define the scope of the FTC’s unfair methods of competition authority. This Article explains that the failure of the common law process in the Section 5 context is due to fundamental differences between the inputs and outputs associated with traditional litigation and those associated with Section 5 enforcement actions. In particular, this Article explains that Section 5 disputes have almost always been resolved through settlements and, unlike reasoned judicial decisions, that such settlements do not help the public distinguish between what conduct is lawful and unlawful and generally are not treated as binding precedent by the FTC. As a result, this Article argues that the Commission should issue formal agency guidelines to serve as a superior analytical starting point and finally give meaning and purpose to Section 5.
You can download the full article from SSRN.


Each Quarter, the faculty is reminded that we take a much more “risk averse” attitude. Actually, rather than a legal review, our librarians ask the copyright holder for permission.
Law Firm Copying and Fair Use: An Examination of Different Purpose and Fair Use Markets
by Sabrina I. Pacifici on Sep 29, 2014
Jones, D. R., Law Firm Copying and Fair Use: An Examination of Different Purpose and Fair Use Markets (September 29, 2014). South Texas Law Review, Vol. 56, No. 2, 2014 – Forthcoming; University of Memphis Legal Studies Research Paper No. 144. Available for download at SSRN: http://ssrn.com/abstract=2503089
“In several recent lawsuits, publishers sued law firms for copyright infringement. The lawsuits focused on making unlicensed copies of scholarly articles to file with patent applications, including copies for the firms’ internal use and for the firms’ clients. In two of these cases, lower court judges determined that the making of unlicensed copies was fair use. The decisions hinged on transformative use, focusing on the defendant’s purpose for using the works. There was no alteration or change in the works. The judges found fair use, despite the possible availability of licensing. These patent application cases fit within a larger category of cases involving the use of copyrighted works in judicial and quasi-judicial proceedings. This article uses these cases as a vehicle to review the use of purpose in fair use analysis. It advocates that the review of the character and purpose of a use should include a deeper examination of the policies and societal interests underlying the use. This broader consideration is especially important if a plaintiff asserts the presence of a ready market for the payment of fees for use of a copyrighted work. This article explores the determination of a fair use market as a way to support the unlicensed use of copyrighted works although a ready market exists for the payment of fees. These cases offer an excellent model for the analysis necessary to determine a fair use market.”


I'm sure there must be a use for this somewhere...
– is a word count and character counter tool. Basically put your cursor in the box and start typing. Word Counter will immediately count the number of words and characters when you type. You may copy and paste a doc you’ve already composed into the word counter box and it’ll display the word count and character count for that bit of writing.


An interesting test of political correctness. Can you avoid replacing the word “cultural” with any of the politically incorrect terms we're not supposed to use? (Me neither...)