Thursday, December 31, 2015

Their “reasons” seem to fall short.
Joseph Menn reports on some poor decision-making by Microsoft that left hacking victims in the dark that their communications had been intercepted:
Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.
On Wednesday, after a series of requests for comment from Reuters, Microsoft said it will change its policy and in the future tell its email customers when it suspects there has been a government hacking attempt.
Read more on Reuters.
[From the article:
The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That's when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program.
The program took advantage of a previously undetected flaw in Microsoft's own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient's incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly.




For my Computer Security students.
The Biggest Cybersecurity Threat at Your Office Could Be You (Infographic)




...and likely Google isn't the only one.
Andrea Peterson reports:
Google is a major player in U.S. education. In fact, in many public schools around the country, it’s technically a “school official.” And that designation means parents may not get a chance to opt out of having information about their children shared with the online advertising giant.
Read more on Washington Post.




Perspective. Size isn't everything.
A Billion Users May Not Be Enough for India's Phone Industry
India just signed up its billionth mobile-phone customer, joining China as the only countries to cross that milestone.
Yet that 10-digit base may not be enough to keep the industry from struggling. Asia’s third largest economy is crowded with a dozen wireless carriers -- more than in any other country -- spectrum is hard to come by and regulatory risks are high. Add it all up and it’s no wonder they deliver lower profitability than phone operators in other parts of Asia, according to Sanford C. Bernstein & Co.


(Related)
Census Bureau Projects U.S. and World Populations on New Year’s Day
by Sabrina I. Pacifici on Dec 30, 2015
“As our nation prepares to ring in the new year, the U.S. Census Bureau today projected the United States population will be 322,762,018 on Jan. 1, 2016.
… The Census Bureau’s U.S. and World Population Clock simulates real-time growth of the U.S. and world populations.”




Egypt joins India? What is the concern?
Free Internet service for over 3 million Egyptians shut down
… It was not immediately clear why the program was halted. Neither Etisalat nor Egyptian officials could immediately be reached for comment. The program was recently highlighted at an entrepreneurship fair in Cairo.
Facebook and other social media sites are extremely popular in Egypt, and were used to organize protests during the 2011 uprising that toppled longtime autocrat Hosni Mubarak.




“When you're a government you waste money. It's what you do.” You also claim success before you do anything else.
DHS Claims Success with Fifth Attempt to Virtually Secure the Border
… The largest attempt to bridge these gaps began in 2006 under the umbrella of the Secure Border Initiative, known as SBInet. US Customs and Border Protection (CBP) began a project nicknamed the “virtual fence” that would link decades-old underground sensors, radar towers, and communications networks into an integrated invisible surveillance system.
The contract with Boeing was supposed to be completed in two years and cost roughly $220 million. However, cost increases, time delays, and general human incompetence caused the virtual fence project to get pushed back to 2011 and costs to skyrocket to almost $1 billion.
… However, after two years of searching for a solution provider and crafting a strategy, DHS believes the current iteration of its virtual barrier is the final answer. Arizona is currently the test bed for the Integrated Fixed Tower project—formally known as the Arizona Border Surveillance Technology Plan—which aims to erect 52 sensor-laden towers along the southwest border by the year 2020.
… Why DHS officials are so confident the Arizona plan will work better than previous solutions is unclear, and there are already signs of delays and management problems.




Global Warming?
Record breaking North Pole Storm Pushes Temps to [sic] 50 degrees
by Sabrina I. Pacifici on Dec 30, 2015
Washington Post: “A powerful winter cyclone — the same storm that led to two tornado outbreaks in the United States and disastrous river flooding — has driven the North Pole to the freezing point this week, 50 degrees above average for this time of year. From Tuesday evening to Wednesday morning, a mind-boggling pressure drop was recorded in Iceland: 54 millibars in just 18 hours. This triples the criteria for “bomb” cyclogenesis, which meteorologists use to describe a rapidly intensifying mid-latitude storm. A “bomb” cyclone is defined as dropping one millibar per hour for 24 hours. NOAA’s Ocean Prediction Center said the storm’s minimum pressure dropped to 928 millibars around 1 a.m. Eastern time, which likely places it in the top five strongest storms on record in this region…”


Wednesday, December 30, 2015

Any publicity is good publicity? Nobody died so it's worth the risk? What (if anything) are they thinking?
Ashley Madison surges back, says 4.6M have joined infidelity website since data breach
… The extramarital affair website Ashley Madison says it has gained nearly 4.6 million members since hackers posted the names of the website's users in August. A counter on the site's front page claimed more than 43.4 million “anonymous members” Tuesday — up from about 38.9 million Aug. 18, the day hackers posted users' private information online.




I thought Microsoft and others wanted to get out of the “We can decrypt it” boondoggle?
One of the excellent features of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and log in to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.




Someone has been collecting useful tips & tricks.
How to delete your personal info. from the internet




What did they know that we didn't know? What did we know that we were worried they might know? Did they have a better argument than we did? Did they have facts that we didn't? (Should I believe that Israeli security is so poor their Prime Minister does not use an encrypted phone?)
US snooping on Israel also caught talks with lawmakers: report
The U.S. captured communications from Israeli Prime Minister Benjamin Netanyahu and his aides and swept up the content of private conversations with U.S. lawmakers, giving the Obama administration insight into Israel's lobbying efforts against the international nuclear deal with Iran, according to a new report.
The Wall Street Journal reported Tuesday that the National Security Agency (NSA) swept up information that White House officials considered valuable as it sought to counter Netanyahu's vocal opposition to the nuclear deal between Iran, the U.S. and other world leaders.
… The Journal also reported that White House officials were worried about the politics of asking for swept-up communications between Israeli officials and members of Congress, allowing the NSA to decide what to share.
"We didn't say, 'Do it,' " a senior U.S. official told the Journal. "We didn't say, 'Don't do it.' " [Oh, that makes everything okay then. Bob]




How much is 'not enough?'
Twitter cracks down on harassment by rearranging paragraphs in its terms of service
In the wake of former CEO Dick Costolo admitting the company "suck[s] at dealing with abuse," Twitter has devoted many blog posts to explaining how seriously it takes the issue. It hired more people to enforce its abuse policies, and added new tools for reporting harassment. And to cap off the year, today the company rearranged some paragraphs in its terms of service, and celebrated the move in a new blog post.
"The updated language emphasizes that Twitter will not tolerate behavior intended to harass, intimidate, or use fear to silence another user's voice," Megan Cristina, the company's director of trust and safety, wrote in a blog post. "As always, we embrace and encourage diverse opinions and beliefs — but we will continue to take action on accounts that cross the line into abuse." That sounded like a good thing, but when I pulled up Twitter's new rules, they looked an awful lot like Twitter's old rules.
The one significant addition is a new section that bans "hateful conduct" that targets users on the basis of their race, nationality, sexual orientation, gender, gender identity, age, disability, or disease. The rule also bans creating multiple accounts for the primary purpose of inciting harm toward others based on those categories. At the same time, the old harassment rules likely prevented this sort of behavior as well.
The truth is that updated rules are meaningless unless the company strictly enforces them.




Perspective. Something for my Data Management class? Interesting points.
At our Enterprise Information and Master Data Management Summit this year (back in the Spring) we mentioned, as part of the keynote, the phrase, “from information asset to information access”. See Information is the new source of economic value, May 2015. This perhaps innocuous phrase captures a significant part of the message from the keynote: the digital, now algorithm economy, will herald significant economic shifts.




Perspective. You have to ask, “Could this happen here?”
Amazon is about to go head-to-head with Britain's struggling supermarkets
… The news that Amazon is to ramp up its grocery delivery business will come as a blow to the “big four” supermarket chains – Tesco, Asda, Sainsbury’s and Morrisons – which are already under pressure as a result of changing shopping habits. Large grocers have been battling falling sales as households abandon the weekly shop in favour of discount supermarkets, regular local top-up shopping and online ordering.




For e-tourists.
Google provides digital walk through of British Museum exhibits
by Sabrina I. Pacifici on Dec 29, 2015




For readers.
32 Places to Get Free Kindle Books


Tuesday, December 29, 2015

This has been going on since TSA set up their screening protocol, not just for the last two years. Who reviews their procedures?
TSA increases screening of airport and airline employees
The Transportation Security Administration is increasing random checks of airport and airline employees who hold badges that enable them to bypass security checkpoints.
The decision follows instances in the past two years in which employees used restricted entrances to smuggle guns and launder money.
… The American memo, for instance, reminded employees that if they work in a secure area and plan to travel after their shift is over, they must exit the sterile area and go through TSA screening, with their carry-on luggage, in order to board a flight.




Interesting summary.
How does the Cybersecurity Act of 2015 change the Internet surveillance laws?
The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I’ll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn’t entirely clear.




For students studying Homeland Security and searching for all those keywords on the DHS watch list.
Here’s How to Search Google Without Being Tracked
… You could always use another search engine that’s privacy-focused (such as DuckDuckGo), but maybe you can’t pull yourself away from Google’s results. After all, Google is still the king of results.
Enter StartPage, a search engine that makes Google searches private. When you type your query, StartPage anonymously submits it to Google and displays the results back to you. By adding this middle man, your privacy is protected since Google is not placing tracking cookies on your browser or logging your IP address to associate you with those searches.




Perspective. What is Free?
China doesn't allow Facebook. Just because India does, that doesn't mean the country should welcome Facebook CEO Mark Zuckerberg's plan to carve the Internet into pocket boroughs, let alone his preaching that this is a great way to connect a billion people to their digital future.
Facebook's "Free Basics" service, which gave some wireless subscribers in India access to a clutch of pre-selected websites without having to pay data charges, was put in abeyance recently at the request of the Telecom Regulatory Authority of India. Activists say the program threatens net neutrality, the principle that all Internet sites should be equally accessible. The regulator is yet to decide whether a differential pricing regime for some websites or applications will be allowed.


(Related) The world according to Mark
Free Basics protects net neutrality
In every society, there are certain basic services that are so important for people’s wellbeing that we expect everyone to be able to access them freely.
We have collections of free basic books. They’re called libraries. They don’t contain every book, but they still provide a world of good.
We have free basic healthcare. Public hospitals don’t offer every treatment, but they still save lives.
We have free basic education. Every child deserves to go to school.
And in the 21st century, everyone also deserves access to the tools and information that can help them to achieve all those other public services, and all their fundamental social and economic rights.
That’s why everyone also deserves access to free basic internet services.




Where there's a market, there's a broker?
Here’s How You Can Exchange That Unwanted Gift Card
… Target is offering shoppers an easy way to exchange it, reported the Star Tribune.
The retail chain started a new trade-in program last month that allows customers to exchange various store gift cards for a Target gift card, usually at a de-valued rate. For example, if a customer wanted to trade a $100 Walmart gift card, he or she could get a $85 Target card in exchange.
… The process works much like existing gift card exchange websites, including CardPool.com and CardCash.com. In fact, a shopper could get an even better deal for that $100 Walmart gift card on CardPool.com, which is a partner with Target. Based on what Fortune found on December 28, the store credit would amount to $93, delivered via check from CardPool.
However, Target’s program is all about convenience. The trade is instantaneous, and a customer can walk away immediately with their Target card in-hand.




Because you may not be paranoid enough.
How to Use Your Phone to Detect Hidden Surveillance Cameras at Home
… While it might seem like something straight out of a James Bond movie, it is possible to use your smartphone to detect hidden cameras, as well as other 007 devices. In general, two common methods are used to achieve this.
The first is by using the smartphone hardware to detect electromagnetic fields. With the installation of a single app, you can move your phone around the area you suspect a camera to be hidden, and if a strong field is detected, you can be sure there is a camera secreted within the wall or object.
Another way that smartphones can be used is by detecting light reflecting from a lens. While this method isn’t quite as reliable, it is still worth having such an app, if only to find small objects dropped on a carpet!


(Related) On the other hand…
How to Use an Old Smartphone or Tablet as a Security Camera




Backup is good! (and easy)
Backing Up Your Microsoft Outlook Emails Made Simple
… Archiving and backing up emails is simply a matter of setting up Outlook to archive old emails to a special file, and then setting up a schedule to archive those files to some safe location for long-term storage. In this article you’ll see just how simple this process is.




New resources for my Statistics students.
Which Cities Share The Most Crime Data?
Open data has contributed to dramatic improvements in a wide array of fields over the past few decades, affecting how we look at astronomy, genetics, climate change, sports and more. But until recently, crime has gone without the open analysis prevalent in other fields because crime data has been closely held by law enforcement agencies and has usually only been released in bulk at monthly, quarterly or annual intervals.
Now, thanks to efforts from the federal government and individual municipalities, crime analysis is positioned for a leap forward as cities place unprecedented quantities of data online.
… Born out of recommendations from President Obama’s Task Force on 21st Century Policing, the initiative was launched in May to encourage police departments to “better use data and technology to build community trust.” As of late November, 27 agencies had committed to providing public access to law enforcement data as part of the initiative.

Denver Police Department



Monday, December 28, 2015

We could send everyone an email telling them why they would be fools not to vote for Donald Trump. Let's do it fast, before he does. Read this entire post; it's worth your time.
Personal, public, and some non-public information on 191 million registered voters exposed
– Efforts to identify database’s owner to notify them unsuccessful
– Database still exposed
A misconfigured database leaking the personal information of over 191 million voters was reported to DataBreaches.net by researcher Chris Vickery. This report includes some of the results of an investigation by Vickery, DataBreaches.net, and Steve Ragan of Salted Hash.




You probably didn't see this in the major news sources. Why?
Time Warner cable services go down Sunday in national outage
Troubles with its national network toppled Time Warner TV and Internet service Sunday afternoon from the Carolinas to California.




Should provide some amusement for my Computer Security students.
Seeking Anonymity in an Internet Panopticon
by Sabrina I. Pacifici on Dec 27, 2015
“The Dissent project is a research collaboration between Yale University and UT Austin to create a powerful, practical anonymous group communication system offering strong, provable security guarantees with reasonable efficiency. Dissent’s technical approach differs in two fundamental ways from the traditional relay-based approaches used by systems such as Tor:
  • Dissent builds on dining cryptographers and verifiable shuffle algorithms to offer provable anonymity guarantees, even in the face of traffic analysis attacks, of the kinds likely to be feasible for authoritarian governments and their state-controlled ISPs for example.
  • Dissent seeks to offer accountable anonymity, giving users strong guarantees of anonymity while also protecting online groups or forums from anonymous abuse such as spam, Sybil attacks, and sockpuppetry. Unlike other systems, Dissent can guarantee that each user of an online forum gets exactly one bandwidth share, one vote, or one pseudonym, which other users can block in the event of misbehavior.
Dissent offers group-oriented anonymous communication best suited for broadcast communication: for example, bulletin boards, wikis, auctions, or voting. Members of a group obtain cryptographic guarantees of sender and receiver anonymity, message integrity, disruption resistance, proportionality, and location hiding. For a high-level overview of Dissent and where it fits among various approaches to anonymous communication, see our article Seeking Anonymity in an Internet Panopticon, to appear in Communications of the ACM. For technical details we recommend starting with our CCS ’10, OSDI ’12, and USENIX Security ’13 papers describing the experimental protocols underlying Dissent. Also feel free to check out the source code at the link to the right, keeping in mind that it is an experimental prototype and not yet ready for widespread deployment by normal users.”
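The “dining cryptographers” primitive mentioned above is small enough to show in full. What follows is an added illustration written for this post, not code from the Dissent project: a single DC-net round in which every pair of participants shares a random pad, each participant broadcasts the XOR of its pads (the sender also XORs in its message), and the XOR of all broadcasts reveals the message with no broadcast tied to the sender. The pad sharing is simulated with os.urandom rather than a real key exchange, and the fixed-size slot with zero padding is an assumption of this toy. The second scenario in the usage block shows the classic DC-net weakness that the text calls “disruption”: two participants sending in the same round garble each other, which is why Dissent adds verifiable shuffles and accountable slot assignment on top of the basic primitive.

```python
"""Toy dining-cryptographers (DC-net) round, the primitive Dissent builds on.
Added example for this post; it is not the Dissent project's code."""
import os
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def share_pairwise_pads(n: int, slot_len: int) -> dict:
    """Every pair (i, j), i < j, agrees on a one-time pad of slot_len bytes.
    A real system would derive these from a key exchange and a PRNG; here
    os.urandom stands in, which is enough for the algebra to work (assumption)."""
    return {(i, j): os.urandom(slot_len) for i, j in combinations(range(n), 2)}


def participant_output(idx: int, n: int, pads: dict, slot_len: int,
                       message: bytes = None) -> bytes:
    """What participant idx broadcasts: the XOR of every pad it shares and,
    only if it is a sender this round, its zero-padded message on top.
    Without the pads, the broadcast is indistinguishable from random bytes."""
    out = bytes(slot_len)
    for j in range(n):
        if j == idx:
            continue
        out = xor_bytes(out, pads[(min(idx, j), max(idx, j))])
    if message is not None:
        if len(message) > slot_len:
            raise ValueError("message longer than the slot")
        out = xor_bytes(out, message.ljust(slot_len, b"\0"))
    return out


def dc_net_round(n: int, slot_len: int, messages: dict) -> tuple:
    """Run one round. `messages` maps sender index -> bytes (normally one
    entry; an empty dict is a silent round). Returns (per-participant
    broadcasts, XOR of all broadcasts). Every pad appears exactly twice in
    the XOR, once from each party sharing it, so the pads cancel and only
    the message(s) survive."""
    pads = share_pairwise_pads(n, slot_len)
    outputs = [participant_output(i, n, pads, slot_len, messages.get(i))
               for i in range(n)]
    combined = bytes(slot_len)
    for o in outputs:
        combined = xor_bytes(combined, o)
    return outputs, combined


def recover_message(combined: bytes) -> bytes:
    """Strip the slot's zero padding (toy framing; a real protocol would
    length-prefix the message instead)."""
    return combined.rstrip(b"\0")


if __name__ == "__main__":
    # One anonymous sender among five: the message comes out, the sender does not.
    outs, combined = dc_net_round(5, 16, {2: b"hello dissent"})
    print("recovered:", recover_message(combined))
    print("any single broadcast looks random:", outs[2].hex())

    # Silent round: pads cancel to all zeros.
    _, silent = dc_net_round(4, 8, {})
    print("silent round is zero:", silent == bytes(8))

    # Disruption: two senders in one slot XOR into garbage, which is the
    # problem Dissent's shuffle-based slot scheduling exists to solve.
    _, clash = dc_net_round(4, 8, {0: b"aaaa", 3: b"bbbb"})
    print("collision output:", clash.hex())
```

The anonymity argument is visible in `participant_output`: every broadcast is a sum of pads, so an observer who sees all broadcasts learns the combined message but cannot tell which participant added it. The limit is also visible: if every participant except one colludes, they hold every pad the honest party uses and can subtract them out, which is why Dissent's guarantees are stated against a bounded set of dishonest members rather than against all of them.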




Is this the perfect “Bad Example?”
Inside North Korea's Totalitarian Operating System
The goal of a totalitarian regime is to control everything in a country: information, resources, and power. In the 21st century, that even includes omnipotence over the code that the country's computers use.
Enter RedStar OS: North Korea's own Linux based operating system, designed to monitor its users and remain resilient to any attempts to modify or otherwise exert control over it. On Sunday at Chaos Communication Congress, a security, art, and politics conference held annually in Hamburg, Germany, researchers Niklaus Schiess and Florian Grunow presented their in-depth investigation of the third version of the operating system.
… whenever a USB storage device containing documents, photos or videos is inserted into a RedStar computer, the operating system takes the current hard-disk's serial number, encrypts that number, and then writes that encrypted serial into the file, marking it.
The purpose “is to track who actually has this file, who created this file, and who opened this file,” Schiess said.




Perspective.
Amazon lifts the veil on Prime
… The Prime service, an offering combining free two-day shipping on many items with access to video streaming, had a "record-setting" holiday, an Amazon press release said. More than 3 million members joined the service in the third week of December, bringing its total membership to "tens of millions," it said.
… Amazon also highlighted Monday that 200 million more items received free shipping this year, reaching a record. It added that holiday viewing hours of its Prime service's video-streaming doubled from a year earlier and music streaming globally rose 350 percent on the year.
… Earlier this month, Macquarie Capital analyst Ben Schachter told CNBC that his company estimated that around 25 percent of U.S. homes had already signed up for the Prime service. Macquarie estimates that by year-end, Amazon will capture 51 percent of U.S. e-commerce growth and 24 percent of retail growth.
The company can have a huge influence over online shopping in general. Earlier this month, the latest CNBC All-America Economic Survey found that 40 percent of all adults search Amazon "always" or "most of the time" when shopping online, compared to just 10 percent who say they never include Amazon in an online search.
Other figures from the survey were more striking: The conversion rate, or the number of visits to the website that result in a purchase, is massive. Some 50 percent of those Americans searching Amazon most frequently are actually making a purchase. That compares with the widely cited retail industry average for turning online searches into purchases at a mere 3 percent.




Potentially valuable tools. Add to your RSS feeds?
New on LLRX – Competitive Intelligence – A Selective Resource Guide
by Sabrina I. Pacifici on Dec 27, 2015
Via LLRX.com – Competitive Intelligence – A Selective Resource Guide. Sabrina I. Pacifici’s comprehensive current awareness guide focuses on leveraging a selected but wide range of reliable, topical, predominantly free websites and resources. The goal is to support an effective research process to search, discover, access, monitor, analyze and review current and historical data, news, reports, statistics and profiles on companies, markets, countries, people and issues, from a national and a global perspective. Sabrina’s guide is a “best of the Web” resource that encompasses search engines, portals, government sponsored open source databases, alerts, data archives, publisher specific services and applications. All of her recommendations are accompanied by links to trusted content targeted sources that are produced by top media and publishing companies, business, government, academe, IGOs and NGOs.


Sunday, December 27, 2015

Interesting. Are politicians immune as well as ignorant?
Kate Raddatz reports:
A Minneapolis City Council member is under fire for a series of tweets she posted online after attending the Black Lives Matter protest at the Mall of America this week.
The tweets published personal information of constituents who criticized her involvement in the protest.
Councilmember Alondra Cano, who represents Ward 9, tweeted out screen shots of what several constituents emailed her via the city’s public contact forum.
Apparently her tweets included their names, postal and e-mail addresses, and their comments.
Read more on CBS, while I ponder why Twitter didn’t suspend her account for posting personal information, in violation of their policies.




A most interesting forensic tale.
The Tax Sleuth Who Took Down a Drug Lord
… Back in the summer of 2013, it was not hard, even for Mr. Alford, to understand why it took him time to win over the others on the case.
… Mr. Alford also detected the sort of organizational frictions that have hindered communication between law enforcement agencies in the past.
… “I’m not high-tech, but I’m like, ‘This isn’t that complicated. This is just some guy behind a computer,’” he recalled saying to himself. “In these technical investigations, people think they are too good to do the stupid old-school stuff. But I’m like, ‘Well, that stuff still works.’ ”
Mr. Alford’s preferred tool was Google. He used the advanced search option to look for material posted within specific date ranges.




Interesting. I wonder if it's because there are no trees to fly into?
A Silicon Valley for Drones, in North Dakota


Saturday, December 26, 2015


Should we assume that TSA has discovered a major flaw in their pat-down procedure? Perhaps they are merely trying to justify spending all that money on a technology that wasn't being used? (Yeah, you challenge them. I'm walking.)
TSA Body Scan? Just Say ‘No’, Leading Expert Says
Passengers required by the Transportation Security Administration (TSA) to submit to a body scan can legally refuse, according to Marc Rotenberg, President of the Electronic Privacy Information Center (EPIC).
… On Friday, without notice, the Transportation Security Authority (TSA) implemented new procedures for airport security screening. TSA had been, until Friday, using a screening procedure that consisted of either an AIT body scan or a pat-down scan, at the passenger’s option. The legality (that is, constitutionality) of the security procedure encompassing a passenger’s option to choose an AIT scan or a pat-down scan was affirmed by the D.C. Court of Appeals in 2012, in the EPIC v DHS case mentioned above.
… What is different in the new security procedures is that TSA made the body scans mandatory for some people.
… Jennifer Ellison and Marc Pilcher, attorneys in the TSA Office of Chief Counsel writing in “Advanced Imaging Technology (AIT) Deployment: Legal Challenges and Responses” emphasized the legal importance of pat-downs being a screening option.




Amusing.
A Glossary of WWI Soldier Slang




The Saturday sillies.
Hack Education Weekly News
… “Clinton: ‘I Wouldn’t Keep Any School Open That Wasn’t Doing A Better Than Average Job.’” No schools in Lake Wobegon will be required to close.
… Class Central has released its report on 2015 MOOC enrollment: “The MOOC space essentially doubled this year. More people signed up for MOOCs in 2015 than they did in the first three years of the modern MOOC space’s existence.”
Via Boing Boing: “In Texas, a 12 year old Sikh boy was arrested for ‘terrorism’ over a solar charger.”
… “Student Loan Subsidies Cause Almost All of the Increase in Tuition,” according to the Foundation for Economic Education.


Friday, December 25, 2015

Update.
IRS Still Working on the Hack of the Year
Ten months after a major hack into taxpayer information at the IRS, the Treasury Inspector General for Tax Administration says the IRS is still working on bolstering its Internet sign-in procedures.
Initially the IRS had said last May that more than 100,000 taxpayer records had been stolen. But then in August it tripled that estimate to 334,000. The IRS says hackers had made an estimated 615,000 attempts to break in, for a success rate of more than 50%.
… The IRS moved to close the gaps in this application starting last spring, and is now trying to come up with more secure sign-on procedures for taxpayers so they can access their tax information, says the new watchdog report.
The watchdog’s findings come as more than eight out of ten taxpayers use websites to get information about their tax payments, the IRS says. [Sounds high to me. Bob]




An interesting question. (Helps me outline my next Computer Security class.)
All Security Pros Want for Christmas: Smarter Users, Decoy Networks
People like to see gifts from their wish lists under the Christmas tree, and security pros are no exception. Here are things some cyberwarriors would like old St. Nick to deliver to them.
… smarter users who are less susceptible to social engineering
… more visibility into the threat landscape posed by social media.
… "I would love it if the vendors worked together more cooperatively.
… "I'd like the EU not to focus on data residency," he told TechNewsWorld. "Rather, I'd like them to focus on security and privacy of data."
… Parekh also would like vendors making goods and services for the Internet of Things to start thinking seriously about security.
… better intrusion-detection systems to nip threats before they can blossom




A Christmas present or hoping these get lost in the holiday?
Heavily redacted Benghazi emails released on Christmas Eve
The Office of the Director of National Intelligence (DNI) released a handful of sensitive documents Thursday morning dealing with terrorism suspect Anwar al-Awlaki and the terrorist attacks in Benghazi, Libya.
The Christmas Eve document dump includes 16 pages of heavily blacked-out emails about the events surrounding the 2012 terrorist attack on a U.S. diplomatic compound in Benghazi that killed four Americans.
The documents were released as part of a “proactive disclosure” under the Freedom of Information Act. The government and public relations firms have been known to release unflattering information around major holidays or weekends to blunt the news effect.




Sometimes words in an article just jump out at me. I wonder what other hacks are possible?
2016 BMW 7-Series
… Among the new safety features for the 2016 BMW 7 Series is an update to the adaptive cruise control designed to help drivers stick to posted speed limits. Using data from the navigation system and cameras that read traffic signs, the car prompts the driver when the speed limit is about to change.
… Speedy drivers can preselect by how much they’d like the system to automatically exceed the speed limit, up to 15 km/h (9.3 mph) over.




In case they let me teach Math again.


(Ditto)
10 Good YouTube Channels for Math Lessons


Thursday, December 24, 2015

Must be easy to hack these systems.
Brian Krebs reports:
Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”
Read more on KrebsOnSecurity.com.
[From the article:
Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.




We live in a complicated world. (Don't you love it when one lawyer can confuse another?)
Yesterday morning, some of us were following up on a ProPublica report about a New Jersey clinic who, when suing patients for overdue accounts, included their diagnostic codes in materials sent to their collection agency. Those records – containing the patients’ names, diagnostic codes, and treatment codes – became part of public court records.
There were some interesting questions raised by the case. The Short Hills Associates in Clinical Psychology provides its patients with its notice of privacy practices, but when an aggrieved patient filed a complaint with HHS over the disclosure of his diagnostic code, OCR closed the case without action because the clinic – using paper records for transactions – was not a HIPAA-covered entity.
But what about the collection agency? If the clinic was not a HIPAA-covered entity, was the collection agency then not a Business Associate under HIPAA? At first blush, it might seem unreasonable to think that they could still be a business associate and subject to HIPAA’s restrictions on only disclosing what is necessary to obtain payment.
But Texas attorney Jeff Drummond raised some very interesting points in our discussion, including one that if the collection agency was a BA for any other entity, then they might be covered by HIPAA to protect all clients’ patient records.
Jeff has blogged about the issues raised by this case on HIPAA Blog. It’s a post – and interpretation of HIPAA – that I found surprising, to say the least. I would love to see a panel discuss this issue at a conference. In the meantime, I may shoot a link to it over to HHS to ask for their reaction.
In the meantime, go read Jeff’s post.




Is the FAA encouraging more restrictions or looking for better wording?
FAA Issues Fact Sheet on State and Local UAS Laws
by Sabrina I. Pacifici on Dec 23, 2015
December 17, 2015 – “The Federal Aviation Administration’s (FAA) new fact sheet on state and local regulation of unmanned aircraft systems (UAS) provides information for states and municipalities considering laws or regulations addressing UAS use. The document outlines FAA’s safety reasons for federal oversight of aviation and airspace, and explains federal responsibility in this area. The fact sheet provides examples of state and local laws affecting UAS for which consultation with the FAA is recommended, such as restrictions on flight altitude or flight paths, regulation of the navigable airspace, and mandating UAS-specific equipment or training. The fact sheet also gives examples of UAS laws likely to fall within state and local government authority, such as requirements for police to obtain a warrant prior to using UAS for surveillance; prohibitions on the use of UAS for voyeurism; exclusions on using UAS for hunting or fishing, or harassing individuals engaged in those activities; and prohibitions on attaching firearms or other weapons to a UAS.”




So you don't have to get x-rayed, unless you do. Can you then opt-out? Probably not.
Full-body TSA scans are mandatory for 'some passengers'
… Now the Advanced Imaging Technologies (AIT) using Automatic Target Recognition (ATR) will be mandatory in certain cases. Slashgear notes that prior to this the scanners were opt-in, and one could go through a contactless, non-imaging scan instead. That option will exist, but security agents can insist on mandatory screening "for some passengers." The argument the DHS gives (PDF) is that these scanners are more capable of detecting prohibited, non-metallic items that could be hidden under a few layers of clothing than a metal detector wand would be.




Even I might read a couple of these.
11 Exceptional Legal Tech White Papers from 2015
by Sabrina I. Pacifici on Dec 23, 2015
LexisNexis Business of Law Blog: “White papers are a place for deep thinking – deep thinking that is data-driven. Combine that data with innumerable client engagements, from small law firms to large – and from corporate legal departments to legal services bureaus – and we’re able to chronicle insights for the market in neatly packaged white papers. As part of our 2015 roundup series, here’s an at-a-glance listing of many of the white papers we’ve published this year.”




Perspective. Free is not always trusted.
Facebook goes all out for saving Free Basics in India
NEW DELHI: Social media giant Facebook has started an aggressive campaign in India to gather public support for its free internet platform 'Free Basics.'
… The Telecom Regulatory Authority of India (Trai) has asked RCom to keep the service in abeyance till its consultation process around differential pricing of data by operators is sorted out. The last date for public comments on Trai's paper is December 30.
… The regulator has received close to 5.7 lakh [570,000 Bob] comments, out of which over 5.5 lakh comments are through Facebook's campaign.




I will not use this line on my students. I will not use this line on my students. I will not use this line on my students.


Wednesday, December 23, 2015

Hard to tell how good this guy was. He could have tried to Phish thousands of “celebrities” and only managed to get to 130. (Apparently it is mandatory for celebrities to have sex tapes.)
Feds arrest hacker for stealing scripts, celeb identities and sex tapes
The Department of Homeland Security has arrested and charged (PDF) a man from the Bahamas for stealing unreleased movie/TV scripts along with celebrities' files and sensitive information. According to The New York Times, the 23-year-old hacker named Alonzo Knowles contacted a radio host in an effort to sell his loot, which included the scripts for six episodes of a hit drama currently being filmed. When the unnamed host got in touch with Homeland Security, the agency cooked up a sting operation and had him put Knowles in touch with an undercover investigator posing as a buyer.
… The accused allegedly tried to sell the agent 15 scripts and the social security numbers of two athletes and a movie actress for $80,000. He also showed the agent a sex tape, saying that it's merely a "sample of things [he] can get" -- he had "more stuff along these lines and can get more" if the buyer was interested.
… He reportedly admitted to the undercover agent that when it was too difficult to hack a particular celebrity, he would look at pictures online to see who his friends are and then hack them instead. He'd also send fake automated text messages telling recipients that their accounts had been hacked, and some people actually replied with their passwords. Other times, he'd send a virus to celebrities' computers to infiltrate their systems.




Is government really able to run anything?
Inslee: Error releases up to 3,200 inmates early
For three years, state Department of Corrections staff knew a software-coding error was miscalculating prison sentences and allowing inmates to be released early. On Tuesday, Gov. Jay Inslee gave the damning tally: up to 3,200 prisoners set free too soon since 2002.
The problem stemmed from “good time” credits applied to certain prison sentences, and was discovered, according to the Corrections Department, only after a victim’s family alerted officials in 2012 that they might be planning to release an offender too early. Once the broader problem was discovered, a scheduled software fix got caught up in repeated IT delays, yet to be explained.
“That this problem was allowed to continue to exist for 13 years is deeply disappointing,” Inslee said. “It is totally unacceptable, and frankly it is maddening.”
… The governor ordered the DOC to halt all releases of prisoners whose sentences could have been affected until a hand calculation is done to ensure offenders are being released on the correct date. [Why not three years ago? Bob]




For my Canadian students, eh?
Howard Solomon reports:
Of all the publicly-disclosed data or privacy breaches in this country in 2015, one topped them all by a wide margin: Ashley Madison.
With over 30 million records exposed from the dating site, a $578 million class action suit filed against parent Avid Life Media, the CEO resigning after his emails were published, the attack is easily one of the largest reported in Canadian history.
But it’s easy for infosec pros to sit back and think, ‘Thank Gawd my company isn’t such a big fat target.’ Instead, they should remember all of the smaller breaches that happened this year as a lesson that corporations and government departments aren’t the only targets. Here are just three of them:
Read more on IT World Canada, where Solomon actually mentions a number of incidents, including a few you may not have heard about.




Economics and debasing a virtual currency?
Rand – National Security Implications of Virtual Currency
by Sabrina I. Pacifici on Dec 22, 2015
Joshua Baron, Angela O’Mahony, David Manheim, Cynthia Dion-Schwarz: “This report examines the feasibility for non-state actors, including terrorist and insurgent groups, to increase their political and/or economic power by deploying a virtual currency (VC) for use in regular economic transactions. A VC, such as Bitcoin, is a digital representation of value that can be transferred, stored, or traded electronically and that is neither issued by a central bank or public authority, nor necessarily attached to a fiat currency (dollars, euros, etc.), but is accepted by people as a means of payment. We addressed the following research questions from both the technological and political-economic perspectives: (1) Why would a non-state actor deploy a VC? That is, what political and/or economic utility is there to gain? How might this non-state actor go about such a deployment? What challenges would it have to overcome? (2) How might a government or organization successfully technologically disrupt a VC deployment by a non-state actor, and what degree of cyber sophistication would be required? (3) What additional capabilities become possible when the technologies underlying the development and implementation of VCs are used for purposes broader than currency? This report should be of interest to policymakers interested in technology, counterterrorism, and intelligence and law enforcement issues, as well as for VC and cybersecurity researchers.”




To steal a line from Jaws, “We're gonna need a bigger jail!” (This guy makes me look anorexic.) But wait! The fun is not over yet!
Kim Dotcom Eligible to Be Extradited to U.S., New Zealand Court Rules
Internet entrepreneur Kim Dotcom and three co-defendants are eligible to be extradited to the U.S. to face charges including criminal copyright infringement, money laundering and conspiracy to commit racketeering, a New Zealand court ruled on Wednesday.
… His New Zealand-based lawyer Ron Mansfield told The Wall Street Journal that Mr. Dotcom is positive he can succeed in the higher courts in New Zealand. “We’ve just got through the starter’s gates, we haven’t lost the race. We remain pretty confident.”




Interesting, it is. This Infographic, you should see.
Wait, The Force Awakens Made How Much?




Free is good!
Free eBook Today Only: ‘Preserving Your Privacy in Windows 10’
This free eBook is available today (12/23) only! Don’t miss out!


Tuesday, December 22, 2015

Can a breach provide a competitive advantage? Was Lambert linked to the hacker and not the hack? Not much to go on here.
DOJ investigating data breach at Uber
The Department of Justice is probing a data breach at Uber that an internal investigation reportedly linked to an employee at rival service Lyft, Reuters reported late Friday.
Uber has said that the data breach last year may have affected tens of thousands of drivers, exposing their identities and drivers license numbers.
Uber's internal investigation reportedly linked the initial data breach to a Comcast IP address belonging to Chris Lambert, the chief technology officer at rival service Lyft. A separate IP address reportedly executed the hack; that user remains unidentified.
… Lambert’s attorney says the software engineer has signed a sworn statement saying he was not involved in the hack. He told Reuters he expected an investigation would clear his client.




Incentive for my Computer Security students?
Cybersecurity Market Reaches $75 Billion In 2015, Expected To Reach $170 Billion By 2020
… According to IDC, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10% +); mobile security (18%); and cloud security (50%).
… There’s a huge cybersecurity market emerging around protecting cars from being hacked.
… Cybersecurity insurance is one of the fastest growing sectors in the insurance market, according to the PwC Global State of Information Security Survey 2016. A recent PwC report forecasts that the global cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year.


(Related) The subtitle for my Computer Security class is “How to Commit Computer Crime.”
How to Think Like a Hacker and Act Like a Security Pro
A rite of passage for new parents is child-proofing—securing the home from threats to children. Most experts on the subject highly recommend that parents make their way around the house on their hands and knees in order to experience the environment from a child’s perspective. This may be the only way to see the threats that aren’t obvious from an adult’s point of view.
The same is true when building security into an application. Obviously, there are lists of common vulnerabilities and other guidance in the form of best practices to consider. However, to really protect software you need to consider the hacker’s point of view of the application. You need to think like a hacker, but act like a security pro.




Betting on litigation. A new area for my Statistics students to ponder?
Caterpillar ordered to pay $73.6M to tiny British firm for stealing design
A federal jury has ordered Peoria-based Caterpillar to pay a small British firm $73.6 million for ripping off its design for a piece of heavy-duty construction equipment.
… Miller's victory was good news for Highland Park-based Arena Consulting, which helped bankroll the suit in return for a cut of the jury award.
So-called litigation financing is a growing but controversial industry. Supporters say it levels the playing field, allowing small-time litigants to have their day in court against wealthy defendants, but critics say giving outside investors a stake in the outcome of a case can skew the litigants' decision making.




Interesting. So what do we do about it?
… Some scholars argue nations must take a rigorous approach to understanding how people become radicalized — and, just as importantly, that religion itself is not the main motivation.
A substantial number of radical Islamic terrorists are recent converts who know surprisingly little about Islam, Olivier Roy, a professor at the European University Institute in Italy and well-known analyst of Islamist terrorism, said in a recent lecture, where he attempted to lay out “a scientific perspective on the causes/circumstances” of people joining radical groups.
… No comprehensive data exists on the militants who have joined the Islamic State and other organizations, but Roy has analyzed individual stories of the path to radicalization — saying that we must first understand radicalization before we can hope to prevent or reverse it.
4. Most radicals are motivated by the desire to be a hero, to do violence or get revenge.




Own everything from purchase to delivery? Interesting analysis.
An In-Depth Analysis Of Plans For An Amazon Airline
After over a month of speculation, more details are beginning to emerge surrounding Amazon's rumored plan to launch an in-house freight airline. The rumor started with someone close to the talks posting on an online forum stating that Amazon is working to create the world's largest overnight parcel service within 2 years. The source stated Amazon would not buy an existing company as it did not want to inherit the problems so instead resorted to launching its own operation. In this article, I go into detail about the implications of such an operation for Amazon financially, structurally and the risks associated with such a venture.
… Amazon has been quietly building up sorting centers across the country, replacing work that was previously done by FedEx and UPS
… Some impressive numbers to note are a 1% market share in U.S. domestic parcel deliveries ($800 million), contract logistics ($2.5 billion), and freight forwarding ($1.7 billion) would add $5 billion in annual revenue to Amazon.




Humor is truth.
Strategic Humor: Cartoons from the January-February 2016 Issue




Proof that I am (almost) completely out of touch.
The Best of the ‘Best Of’ Lists
The best of the ‘Best Movies of 2015’
The best of the ‘Best Television Shows of 2015’
The best of the ‘Best Albums of 2015’


Monday, December 21, 2015

Infiltrated is not the same as disrupted. Think of it as building roadmaps for later use.
Danny Yadron reports:
Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City two years ago, sparking concerns that reached to the White House, according to former and current U.S. officials and experts familiar with the previously undisclosed incident.
Read more on WSJ.
[From the article:
Security experts say companies have done little to protect these systems from would-be hackers.
“Everything is being integrated, which is great, but it’s not very secure,” said Cesar Cerrudo, an Argentine researcher and chief technology officer at IOActive Labs, a security-consulting firm. At a hacker conference last year in Las Vegas, Mr. Cerrudo wowed the audience when he showed how he could manipulate traffic lights in major U.S. cities.
Operators of these systems “don’t think about security,” he said.




Not just educating employees, but keeping them alert. What would a serious hacker do?
Robin Sidel reports:
Terrified by a string of recent hacks, banks are spending billions of dollars trying to fend off a faceless army of digital intruders.
But the biggest threats may come from within.
Banks fear a growing number of employees are unwittingly exposing valuable information to hackers or in some cases leaving digital clues that make a breach possible. To boost their defenses, firms are banning workers from using portable devices such as USB drives, warning employees to be careful what they post on social media and even discouraging workers from posting “out-of-office” replies on their emails.
Read more on Nasdaq.




A backgrounder for my Ethical Hacking students.
Juniper Firewall Backdoor Password Found in 6 Hours
Networking and security company Juniper Networks revealed last week that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.
The vulnerabilities have been analyzed by several external researchers. Fox-IT experts said it took them just 6 hours to find the password for the ScreenOS authentication backdoor.
After analyzing the differences between the vulnerable and patched versions of ScreenOS, Rapid7’s HD Moore determined that the authentication backdoor, which can be exploited via SSH or Telnet, involves the default password "<<< %s(un='%s') = %u".
This backdoor password, which was presumably set this way so that it would be mistaken for one of the many debug format strings present in the code, can be leveraged by an attacker who knows a valid username for the device.
On one hand, it’s difficult to say if this vulnerability has been exploited in the wild since even though an unauthorized access attempt would normally be logged, it’s easy for an attacker to delete the relevant log entries. However, as Moore has highlighted, the logs might be sent to a centralized server, which could result in an alert being triggered.
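Moore's point about centralized logging is worth making concrete. The Python below is an added example (not Juniper, Rapid7 or Fox-IT code): it reconciles a firewall's local admin-login log against the copy forwarded to a central collector, so entries deleted on the device still surface, and flags successful admin logins from outside the management network or over a protocol other than SSH. The log-line layout, device name, user, addresses, management prefix and allowed protocol are all constructed assumptions, not the real ScreenOS format.

```python
"""Reconcile a firewall's local log against the forwarded central copy and
flag admin logins a defender would want an alert on.

Added example, not Juniper or Rapid7 code. The log-line layout, device name,
user and addresses are constructed for illustration and do not reproduce the
real ScreenOS log format.
"""
import re
from typing import Dict, List

# Constructed sample: what the central syslog server received from fw01.
CENTRAL_LOG = [
    "2015-12-17T02:10:01Z fw01 admin-login result=ok user=netadmin src=10.0.0.5 proto=SSH",
    "2015-12-17T02:31:44Z fw01 admin-login result=ok user=netadmin src=198.51.100.23 proto=Telnet",
    "2015-12-17T02:32:10Z fw01 config-change user=netadmin",
    "2015-12-17T03:00:00Z fw01 admin-login result=ok user=netadmin src=10.0.0.5 proto=SSH",
]

# Constructed sample: what is left on the device after an intruder cleaned up.
LOCAL_LOG = [
    "2015-12-17T02:10:01Z fw01 admin-login result=ok user=netadmin src=10.0.0.5 proto=SSH",
    "2015-12-17T03:00:00Z fw01 admin-login result=ok user=netadmin src=10.0.0.5 proto=SSH",
]

# Hypothetical management network and the only remote-admin protocol we allow.
MGMT_NET_PREFIX = "10.0.0."
ALLOWED_PROTO = "SSH"

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) admin-login result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


def missing_locally(central: List[str], local: List[str]) -> List[str]:
    """Entries the central collector holds that the device no longer has.

    Deleting local entries hides a login from anyone reading the device,
    but not from the forwarded copy.
    """
    local_set = set(local)
    return [line for line in central if line not in local_set]


def suspicious_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Successful admin logins from outside the management network or over
    a protocol other than the allowed one (e.g. Telnet)."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["result"] != "ok":
            continue
        reasons = []
        if not m["src"].startswith(MGMT_NET_PREFIX):
            reasons.append("source outside management network")
        if m["proto"] != ALLOWED_PROTO:
            reasons.append(f"protocol {m['proto']} not allowed")
        if reasons:
            findings.append({**m.groupdict(), "reason": "; ".join(reasons)})
    return findings


def analyze(central: List[str], local: List[str]) -> Dict[str, object]:
    """Run both checks over the central copy and report what should alert."""
    gaps = missing_locally(central, local)
    odd = suspicious_logins(central)
    return {
        "deleted_locally": gaps,
        "suspicious_logins": odd,
        # Log tampering combined with an odd login is the case worth paging on.
        "alert": bool(gaps) and bool(odd),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(CENTRAL_LOG, LOCAL_LOG), indent=2))
```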




It's not Hillary's fault. (Bet you never expected to see those words on this Blog.) No politicians understand technology and that's okay. Very few politicians bother to ask the people who do know and that's the problem.
Clueless Hillary Clinton On Encryption, Doesn't Understand The Concept Of The 'Back Door'
… On one hand, Clinton doesn't want back doors, but on the other, she wants law enforcement to be able to gain access to data if needed. She seals the deal with: "I just think there's got to be a way, and I would hope our tech companies would work with government to figure it out." Making matters worse she ponders, "maybe the back door is the wrong door?"
Clinton went on to say that maybe we need a "Manhattan-like project" [Because politicians understand spending lots and lots of money Bob] to accomplish this goal. What she doesn't seem to realize is that what she's effectively asking for is a back door, and as soon as any company (or person, for that matter) deliberately punches a hole in their product's security, it's no longer secure. Period.


(Related)
Tim Cook says there isn't a trade-off between security and privacy
In a strong defense of encryption, Apple's CEO Tim Cook said that there can be no trade-off between privacy and national security when it comes to encryption.
"I think that's an overly simplistic view. We're America. We should have both," he told Charlie Rose on CBS' 60 Minutes program on Sunday, according to a transcript of the interview posted online.




What does this suggest? If it sounds foreign, kill it? (Agrabah is the country from Disney’s “Aladdin”)
PublicPolicyPolling
We asked the Agrabah question to Dem primary voters too. They oppose bombing 'it' 36/19, while GOP supports bombing 'it' 30/13




Perspective. Just because I find it amusing. What would have happened if this was an auction?
Over ten million fans tried to buy tickets to Adele's North American tour
… When tickets for Adele's North American tour went on sale Wednesday morning, the virtual box office was literally crushed when over ten million fans rushed the site. Up for grabs were some 750,000 tickets for her 25 album tour across the continent.
… Just how unprecedented was the demand? Ticketmaster says that the ten million-plus figure represents an "all-time record," and according to Billboard's source, over four million tried to buy tickets for the six shows in New York City alone. Perhaps the craziness isn't so surprising considering sales of Adele's 25, which crushed all single-week records.




Perspective. Another of those “Year End” articles. Some charts are interesting even to me.
Goldman Sachs: 21 of the World's Most Interesting Charts
… While there are loads of billion-dollar startups in the software and internet sectors, education and energy are still a relatively small portion of that space.
… Taking a look at the largest companies in 2005 and comparing it to the largest firms in 2015 shows how important tech has become in the economy.
… the top-earning YouTube channels, with a toy review channel and Taylor Swift's VEVO account earning the most and garnering more than 250 million views per month.




Perspective. Most of my students are over 25.
The first website went online 25 years ago today
Tim Berners-Lee's first World Wide Web page flickered to life at CERN on December 20th, 1990.