Saturday, February 21, 2015

The FBI seems to be suggesting that if “terrorists” (never regular criminals let alone innocent civilians) are able to encrypt their data, the FBI won't be able to find them. Clearly the British can find hackers who encrypt their data. Perhaps they could teach the FBI how it is done?
Cyrus Farivar reports:
An alleged British hacker who has criminal charges pending in three American federal districts is preparing to petition a Suffolk County, United Kingdom court to compel the National Crime Agency (NCA) to return his encrypted seized computers and storage devices.
The BBC reported Friday that Lauri Love “will petition Bury St Edmunds magistrates for the return of his property,” adding that “the BBC understands that the NCA has been unable to decrypt some of the files and does not want to return the computers and media devices until Mr Love helps them to decrypt them.”
Read more on Ars Technica.
[From the article:
"I cannot speak to the contents," he told Ars via online chat. "Except that they are mine. This is the only salient detail as far as I'm concerned. I am not on trial, nor is my data, and I am under no obligation to speak for it. But my property is being withheld from me, and that must be justified. The current justification is due to the inability of the NCA to understand certain data. It remains for them to establish why this is my problem and for the court to decide if this gives them authority to convert chattel."


An Infographic for my next Computer Forensics class.
How Can You Make Sure Your Files Are Deleted Forever?
So, you’ve just deleted a file. Congratulations, that file is no longer a part of your life. Or so you thought! As it turns out, deleting files doesn’t actually mean they are gone forever. Instead, you need to jump through some hoops to make sure they’re really gone for good!
It sounds more complicated than it actually is, as this infographic shows you.


The intent is to provide some evidence that the person taking the exam is the student and not a paid “ringer.” We used to make them show up in person for the exam, but apparently that didn't work.
Victor Skinner reports:
Students at Rutgers University are balking at a new biometric software used in online classes that requires them to record their facial features, knuckles and photo ID.
ProctorTrack, implemented for online courses this year, requires students to record their face, knuckle and personal identification details to verify their identity. The software then tracks students’ monitor, browser, webcam and microphone activity during the session to prevent cheating on exams, according to The Daily Targum – Rutgers’ student newspaper.
Read more on EAGnews.org.


Google may need a larger HQ. Every country/state/city will want to do the same.
Loek Essers reports:
Google has agreed to on-the-spot audits at its U.S. headquarters in order to comply with Italy’s data protection laws.
The Italian data protection authority (DPA) imposed several privacy measures on Google after an investigation into the company’s policies that was completed in July 2014. On Friday, the authority said Google will comply with all demands.
The process to verify compliance calls for the DPA to check up on Google’s progress at its U.S. headquarters. It remains unclear when that will happen, though. “There is no precise appointment at the moment but there is an agreement to be able to go there,” a spokesman for the authority said.
Read more on CSO (AU).
Update: Here’s the release from the Garante per la protezione dei dati personali:
… The Italian DPA approved the verification protocol referred to in its order of July 2014 to Mountain View.


Quite a spike in the number of articles. Looks like Europe is about to panic.
Putin called the West's bluff
Vladimir Putin has called Europe’s bluff over east Ukraine as Russia-backed separatists seize a strategic town in defiance of a ceasefire brokered by France and Germany.

(Related)
Vladimir Putin Says Russia's Military Might Has No Match

(Related)
UK Defence Minister: Putin may use Ukraine tactic to invade Baltic States next


For my students. Once upon a time, real audiophiles had music systems with separate components. (Tuner, amp, turntable, speakers) This is that old idea in miniature.
Project Ara: How Your Next Smartphone Will Be Built by You
… This upgrade cycle — or planned obsolescence as the cynics may prefer to call it — has long been an integral part of the business model for smartphone manufacturers. With Google’s Project Ara, that may be about to change.
Ara is an Android-powered modular smartphone concept that is about to become a reality.

Friday, February 20, 2015

How easily an organization can convince itself that whatever they want to do is the ethically proper thing to do.
Who should have questioned this software? Is there a process that ensures the right people get to review changes like this? (If not, will they install one now?)
Lenovo Rapped for Preinstalling Spyware
… "Superfish is purposely designed to bypass the security of HTTPS websites in a manner that would allow malware and attackers to also bypass the security provided by HTTPS," said Adam Ely, cofounder of Bluebox.
"Users are inherently at risk of being directed to malicious sites that appear valid," he told TechNewsWorld, "making it much easier for attackers to steal information and further infect computers with malware."
… "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement provided to TechNewsWorld by spokesperson Brion Tingler.
Superfish was installed on some consumer notebooks from September to December of last year to help customers potentially discover interesting products while shopping, Lenovo explained.


I find it amusing that when reporters finally notice what should have been strategically obvious they seem surprised. Which would you do: A) hack each phone as it becomes interesting or B) avoid the need to hack each phone by acquiring all the keys before users get their phones?
More likely, they have the software that generates the keys.
Joint NSA/GCHQ unit hacked SIM card maker, stole just about EVERYONE's keys
America's NSA and Britain's GCHQ hacked the world's biggest SIM card manufacturer to harvest the encryption keys needed to silently and effortlessly eavesdrop on people without a warrant.
That's according to documents obtained by surveillance whistleblower Edward Snowden and leaked to the web on Thursday.
"Wow. This is huge – it's one of the most significant findings of the Snowden files so far," computer security guru Bruce Schneier told The Register this afternoon.
"We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can."
… The Ki keys are also used to generate session keys that encrypt and decrypt voice calls; due to a lack of forward secrecy, obtaining the Ki for a phone means session keys can be recovered and intercepted calls can be decrypted effortlessly – without the need to crack the actual math behind the encryption algorithm, say experts.


I doubt this is correct. It suggest that the State Department does not know who should be on their system and therefore can't flag the email addresses of thoese who should not.
Hackers Said to Remain Active in U.S. State Department E-Mails
U.S. and private security specialists are trying to expel unidentified hackers from the unclassified portion of the U.S. State Department’s e-mail system, two officials familiar with the investigation said Thursday.
The problem persists three months after the hackers were first discovered because the intruders’ techniques keep shifting, said the officials, who asked for anonymity because the inquiry is classified even though no classified material appears to have been obtained.


Let the finger pointing begin! OR figure out who needs to know what and deliver it to them.
Boards Not Regularly Briefed on Cyber-Security: Survey
A new study from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cyber-security in the last 12 months. In addition, 66 percent said they don't believe senior leaders in their organization consider security a strategic priority.
The findings follow a recent survey from the National Association of Corporate Directors (NCD) that found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cyber-security. In addition, 36 percent said they were unsatisfied with the quality of that information.
Less than half of the respondents believe their organizations take appropriate steps to comply with leading cyber-security standards, and just 47 percent said their organizations have sufficient resources to meet cyber-security requirements.


'Those who cannot remember the past are condemned to repeat it.' Santayana
"Peace for Our Time" Neville Chamberlain
Russia's Putin Took European States 'By Surprise' in Ukraine: Report
… "There has been a strong element of 'sleepwalking' into the current crisis, with [European states] being taken by surprise by events in Ukraine," the European Union Committee of the House of Lords said in a report released Thursday.
European officials "seem to have missed the warning signs" as the crisis intensified, according to the report. "The EU and member states lacked good intelligence-gathering capacity on the ground. The lack of an integrated and coordinated foreign policy was also evident."


For my Data Management and Business Intelligence students. Note that they are doing exactly what we are learning to do.
How Social Media Is The Newest Military Battleground
… A number of militaries around the world—including those of the US, Israel, and the Islamic State (ISIS)—are already using social media to gather intelligence, spread propaganda, recruit soldiers, control overarching narratives, and communicate with other military groups. ISIS has been especially effective in using social and other online media outlets to its advantage in recruiting.

(Related) Old, but still viable?
10 Web Tools To Try Out Sentiment Search & Feel the Pulse

Thursday, February 19, 2015

Strange that SlashGear thinks this is a PR problem. What advice did their lawyers offer? Did PR lie to the lawyers? Did the lawyers rely on the PR guys?
Nope, Samsung doesn’t actually encrypt Smart TV voice data
If Samsung thinks it's already safe from the latest Smart TV scandal, it better put its PR team into action again. The company publicly stated that its Smart TVs were not eavesdropping on users and that it follows security best practices when transmitting voice queries, and only voice queries, to a third-party company for processing. Apparently, for the Korean consumer electronics giant, such "best practices" don't actually include encryption, leaving owners' voice commands, or practically anything they say to the TV, open for hackers to hear.

(Related)
Kashmir Hill and Pendarvis Harshaw point out that it’s not just Samsung TV that can capture our conversations through voice recognition features. See what other devices and cars can do – and what their privacy policies reveal – on Fusion.


Amusing that this article is in the Japan Times. Not much being said by those beneath the blimp? Is there a threat by a country that has cruise missiles and the ability to deliver them to Washington undetected, or are they more interested in people already on the ground?
AFP-JIJI reports that the Joint Land Attack Cruise Missile Elevated Netted Sensor System (JLENS) blimp, which the government says is intended to spot low-flying cruise missiles amid thousands of aircraft in this corner of the U.S. East Coast, is making the people who live under it uncomfortable:
“There is a particular visceral reaction to looking up in the sky and seeing someone or something staring back at you,” said Ginger McCall of the Electronic Privacy Information Center in Washington.
Combing through thousands of pages it obtained through the Freedom of Information Act, the nonprofit group found no guarantee that JLENS will not be used for ground surveillance.
Instead, it came across contracts stating that “the technology was specifically designed to integrate very high definition video” to track and identify people and vehicles in a five-kilometer (three mile) radius,” McCall said.
Read more on Japan Times.


Shouldn't everyone be using this standard?
Quinten Plummer reports:
Microsoft has adopted an international standard for certifying the security of its cloud offerings, making it the first major cloud services provider to do so, the company says.
The company adopted the International Organization for Standardization and International Electrotechnical Commission’s standard 27018 to certify the security of its cloud offerings, using the guidelines to set a uniform, international approach to protecting privacy for personal data stored in the cloud.
Read more on Tech Times.


I knew this because a professor friend of mine pointed it out some years ago.
Me: “So HIPAA means we no longer need to worry about privacy!”
Professor: “Not so fast, my incredibly ignorant friend.”
Amanda Robert reports:
In recent weeks, it has been widely reported that Dr. Robert Taub will testify in the corruption case against New York State Assembly Speaker Sheldon Silver.
According to the Jan. 21 federal complaint, Taub referred his patients from the Columbia University Mesothelioma Center to the high-profile asbestos cancer law firm Weitz & Luxenberg, which employed Silver. These patients and their cases generated millions in referral fees for Silver, who in exchange, the complaint says, secretly directed state funding to Taub’s cancer center.
While it seems that Taub’s role as a government witness may have helped him avoid criminal charges, should he be held to standards agreed to by all medical professionals, particularly the Health Insurance Portability and Accountability Act, or HIPAA?
Karen Porter, an associate professor of clinical law at Brooklyn Law School who also serves as executive director of its Center for Health, Science and Public Policy points out that HIPAA isn’t “extraordinarily protective of people’s information.”
Read more on The Legal Newsline.


...because it addresses so many of the areas I teach.
Hunton & Williams write:
On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security – Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.
The Report illustrates some of the current and growing challenges for data protection and cybersecurity including:
  • the growing complexity of managing and providing security for cyberspace;
  • the growing sophistication and “professionalization” of cybercrimes and hackings;
  • the future focus of cyber criminals on the mobile sphere;
  • the risks of “big data” and “big data” analytics to individual privacy;
  • the failures of companies and organizations to prioritize breach preparedness; and
  • the shortcomings of a “check the box” approach to compliance with data protection laws, and the need for effective risk management and dynamic implementation of security.


Interesting
Top 10 U.S. Privacy Developments of 2014


It's not in the US, but it is “educators”
Updated: Following a strongly negative public reaction to his statements yesterday, it appears the Education Minister is backing off. Adam Shostack kindly pointed out that CBC now reports:
Bolduc said Wednesday the government has asked an independent person from outside the school board to look into what happened.
Once the review is complete, Bolduc said he would decide, “based on the facts, what should be done in the future.”
Original story:
Steve Rukavina reports:
Quebec Education Minister Yves Bolduc says high school staff are permitted to strip-search students, as long as it’s done “in a respectful fashion.”
Bolduc’s comments Tuesday follow a report in the Journal de MontrĂ©al newspaper, saying that a 15-year-old female student at the Neufchatel High School in Quebec City was strip-searched last week after school officials suspected she was selling drugs.
The girl told the newspaper that the female school principal and a female staff member took her to a room in the school and asked her to remove all her clothing, including her underwear. The female staff member held a blanket in front of the student while the principal searched her clothes.
In a news release, the De la Capitale School Board did not dispute that version of events.
The board said school officials have a responsibility to ensure a safe and healthy environment.
Read more on CBC News.


Any manager worth the title should be able to design a process that prevents this.
Carnegie Mellon Mistakenly Accepts -- Then Rejects -- 800 Grad School Students
The Pittsburgh university revealed yesterday that it had erroneously admitted 800 students to its highly selective Master of Science in Computer Science program -- which ranks as the number one program of its kind in the world, according to U.S. News & World Report.
Carnegie Mellon explained that the error “was the result of serious mistakes in our process for generating acceptance letters.”
… However, such oversights occur more often than one might expect -- though typically at the undergraduate level, where the application process is less personal, the Associated Press reports. In December, Johns Hopkins mistakenly sent welcome letters to 300 rejected undergrads, and in 2009, the University of California sent acceptance emails to all 46,000 applicants.


“It's hard to define what an intermediary is but we studied it anyway.” Isn't it the companies (processes) that we removed back when the buzzword was “disintermediation?”
Liability of Online Intermediaries – New Study by the Global Network of Internet and Society Centers
“The Global Network of Internet and Society Research Centers (NoC) and the Berkman Center for Internet & Society at Harvard University are pleased to announce the release of a new report, which examines the rapidly changing landscape of online intermediary liability at the intersection of law, technology, norms, and markets, and is aimed at informing and improving Internet policy-making globally. This report is a first output of a larger initiative on the governance of online intermediaries and consists of a case study series exploring online intermediary liability frameworks and issues in Brazil, the European Union, India, South Korea, the United States, Thailand, Turkey, and Vietnam, and a synthesis paper. In addition to facilitating the research project, the Berkman Center led the drafting of the synthesis document and contributed a case study on intermediary liability in the United States. The synthesis paper seeks to distill key observations and provide a high-level analysis of some of the structural elements that characterize varying governance frameworks, with a focus on intermediary liability regimes and their evolution. While intermediary liability varies significantly across the country case studies, the synthesis highlights the importance of cultural and political context, as reflected in both the legal norms aimed at regulating intermediaries and the perception of intermediaries’ social function within the countries studied. The United States paper describes and assesses the intermediary liability landscape in the United States, providing an overview of major US legal regimes that protect online intermediaries from liability for user content. It then offers a series of short case studies describing ways in which US-based companies and other organizations have structured their operations in compliance with and in response to US law. The research effort is grounded in a diversity of global perspectives and collaborative research techniques, committed to objective and independent academic standards, and aspires to be useful, actionable, and timely for policymakers and stakeholders. More broadly, the Network of Centers seeks to contribute to a more generalized vision and longer-term strategy regarding the role of academic research, facilitation and convening, and education and communication in the Internet age. The full text of the Berkman Center contribution, the other case studies by our international partners, and the synthesis paper are available on the Publixphere website, where the authors welcome comments and feedback. The series and individual papers are also available for download from SSRN.”


For my “Anything but Microsoft” students.
Microsoft Offers 100 GB of Free Storage for Using Bing
… The company is now offering 100 GB of free space to anyone. And there’s only one catch. To get the space, you’ll need to sign up for Bing Rewards.
Bing Rewards is a program run through the Microsoft search engine in an attempt to get more users to choose it over Google. As long as you stay signed into Bing (either on a PC or mobile device), the search engine collects your browsing data and based on where you visit and what you buy, you earn credits.
The more searching with Bing you do, the higher your Bing Status rises and Rewards are accrued as a result, according to the program’s terms.
… Microsoft even offers an option where you can donate your Bing Rewards credits to a charity.
To get your 100 GB of free OneDrive storage requires only a few simple steps, AndroidAuthority reports.
… However, the Bing Rewards deal also require you sign up to receive promotional emails from Microsoft about OneDrive in the future, cNet reports.


This agrees with what I find in the classroom.
America’s Skills Challenge – Millennials and the Future
Educational Testing Service – “Recent research reveals an apparent paradox for U.S. millennials (born after 1980, ages 16–34): while they may be on track to be our most educated generation ever, they consistently score below many of their international peers in literacy, numeracy and problem solving in technology-rich environments. Equally troubling is that these findings represent a decrease in literacy and numeracy skills when compared to results from previous years of U.S. adult surveys. As a country, simply providing more education may not be the answer. There needs to be a greater focus on skills — not just educational attainment — or we are likely to experience adverse consequences that could undermine the fabric of our democracy and community. This vital new report sheds light on the growing inequality of opportunity in the United States and the impact this has on both skills acquisition and outcomes for both current and future generations.”


A “backgrounder” for my IT students.
What Are APIs, And How Are Open APIs Changing The Internet


For the student toolkit.
How To Use Your Smartphone as a Windows Microphone

Wednesday, February 18, 2015

I wonder what they would make if they actually spent money on security?
Sony sees 25-fold profit jump by 2018; could exit TVs, phones


Perspective
Japan Sees 25 billion Cyberattacks in 2014: Govt Agency
The National Institute of Information and Communications Technology (NICT), which has a network of a quarter of a million sensors, said there were 25.66 billion attempts to compromise systems, according to a report by Kyodo News.
A Russian report released Monday said cyberattacks since 2013 have cost banks around the globe up to $1 billion.


Is Barbie about to become another “Thing” that captures information about your child in order to sell ads? (Article 2)
Hello Barbie Gets Her Smarts
Mattel is developing a new Barbie that can actually interact with her owners in a meaningful way. Hello Barbie, as the model is tentatively known, can converse with her owners using ToyTalk’s PullString technology, which is similar to the technology used by Siri and Cortana.
ToyTalk CEO Oren Jacob revealed, “The most requested thing that kids have wanted to do with Barbie, and Mattel’s done unbelievable amounts of research over the course of decades, is to talk to Barbie. That’s the number one request over all demographics, over all geographies, of all time. For the first time we’re doing that for real now.
Hello Barbie will recognize speech patterns and respond accordingly, even remembering past conversations to suggest she’s getting to know her owner. According to Fast Company, Hello Barbie will be connected to the Internet and constantly updating to add new topics of conversation and pop culture references.
A prototype of Hello Barbie was on show at the North American International Toy Fair this past weekend, which is where ChipChick shot the video embedded above. Hello Barbie could be released in time for the 2015 holidays, with Mattel said to be chasing an aggressive timetable.

(Related) Will you allow Barbie to connect to your WiFi?
IoT Requires Changes From Identity and Access Management Space: Gartner
In November, Gartner predicted 4.9 billion devices would be Internet-connected in 2015. Securing those devices however remains a challenge that consumers, IT departments and vendors will have to face. This is particularly true when it comes to the subject of authentication, and according to Gartner analyst Earl Perkins, current IAM solutions cannot meet the scale or complexity that IoT demands of the enterprise.
"IAM leaders must reconsider how traditional approaches to cybersecurity and IAM work in a world where devices and services are so abundant, in so many different forms and positioned at so many different points within the IT ecosystem," said Perkins, research vice president at Gartner, in a statement.
Next month, Gartner plans to dive into this and other issues at the Gartner Identity & Access Management Summit in London. According to Gartner, the explosion of the Internet of Things means that IAM solutions must have a way of defining and managing not only the identities of people, but also "entities" within a single framework. IoT is not only about the introduction of different forms of networked devices into enterprises, it is a transformational approach to viewing and implementing processing, analytics, storage and communications, according to Gartner.


You vision of the world is the basis of your strategy. (and this from a Blackberry fan?)
Obama: We Created The Internet And EU Companies 'Can't Compete With Ours'
Following an interview with Re/code late last week, president Obama has managed to upset officials in Europe for a couple of rather blunt comments regarding America's success with the Internet. For starters, Obama claims that the EU's actions towards regulating the Internet is 'commercially-driven', and is the result of their companies being unable to compete with 'ours'.

(Related) ...but the “Official Position” is that North Korea pulled off the Sony hack. Imagine what China or Russia could have done!
Obama Ranks North Korea Cyber Capabilities As Not So Good
Iran is "good," China and Russia are "very good," but North Korea's cyberattack capabilities are actually not that great, according to an impromptu ranking by US President Barack Obama.
In an interview with online site "re/code" published Tuesday, Obama used North Korea's relative lack of electronic prowess to underscore how dangerous even less skilled cyber attackers can be.
Obama slapped sanctions on North Korea last month following the hacking of Hollywood studio Sony Pictures' computer network.


This is important to my Data Analysis students.
Big data vendors to forge a common Hadoop base platform
A number of the largest big data vendors, including IBM, Hortonworks and Pivotal, have banded together to specify a unified base platform for the open source Hadoop data processing software.
The Open Data Platform will identify the specific versions of Apache Hadoop and its supporting software that will run together as a seamless whole, potentially reducing the work required on the part of enterprises to build and maintain complex Hadoop-based data analysis systems.
… In addition to IBM, Hortonworks and Pivotal, other companies that have signed on to the initiative include General Electric, Infosys, SAS, Altiscale, Capgemini, CenturyLink, EMC, Splunk, Verizon Enterprise Solutions, Teradata, and VMware.


For my Business Intelligence students. What we should be telling our “customers” about Tweeting
A Quick Tip on Publishing Twitter Replies
One of the most frequently asked questions in my course on Blogs & Social Media for Teachers is along the lines of, "how do I get more people involved in a conversation?" A simple way to get more people to see your "@" replies in a conversation is to put a period in front of the "@." In the video embedded below I explain and demonstrate how this works.


Better research means better students?
How to Search for Publicly Shared Google Docs, Slides, and Spreadsheets
Searching by file type and searching by domains is a great way for students to refine their Google searches. Searching for and within a DOC, a PPT, or XLS file can lead students to resources that they might not otherwise have seen. But increasingly a lot of us are creating our documents, slides, and spreadsheets in Google Drive. Many of us are then publishing those files for anyone in the world to see. Thanks to the Google for Education Google+ page, today I was reminded that you can perform a Google search to look for publicly shared Docs, Slides, and Spreadsheets. The screenshots below illustrate how to do this.
To search for a public Google Document: enter site:docs.google.com after your search term.
To search for a public Google Slides presentation: enter site:docs.google.com/presentation/ after your search term.
To search for a public Google Drive Spreadsheet: enter site:docs.google.com/spreadsheets/ after your search term.

Tuesday, February 17, 2015

For my Ethical Hackers. Grab a copy and let's see how good it is. Because you know copies will leak.
Anthony Cuthbertson reports:
A search engine more powerful than Google has been developed by the US Defence Advanced Research Projects Agency (DARPA), capable of finding results within dark web networks such as Tor.
The Memex project was ostensibly developed for uncovering sex-trafficking rings, however the platform can be used by law enforcement agencies to uncover all kinds of illegal activity taking place on the dark web, leading to concerns surrounding internet privacy.
Read more on IBT.
[From DARPA:
The Broad Agency Announcement (BAA) for Memex is available at http://go.usa.gov/BBc5. To familiarize potential participants with the technical objectives of Memex, DARPA has scheduled a Proposers' Day on Tuesday, February 18, 2014, in Arlington, Va. For details, visit http://www.sa-meetings.com/memex. Registration closes on February 13, 2014, at 5 p.m. ET. There will be no on-site registration.


Imagine that, a spy agency that actually does its job! (On the other hand, the FBI can prove it was North Korea.)
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
Russian security firm Kaspersky has exposed what looks like evidence of backdoor surveillance by the US National Security Agency (NSA)
Kaspersky researchers claim to have uncovered one of the biggest, if not the biggest, threat actor that it has seen in two decades.
The security firm has dubbed this outfit the Equation Group, and its toolbox 'the Death Star of the Malware Galaxy', and explained that the tools of its trade have hallmarks and themes similar to those of Stuxnet.
… Two of these trojans, or modules, can be found deeply inserted in as many as a dozen different makes of hard drive that are sold and shipped to international waters.
The malware is so deeply inserted into the firmware that it can survive wipes, and "resurrect" itself indefinitely. Additional 'implants' add to the mix and can grab and store encrypted passwords, for example.


I love easy to remember slogans.
Shamoil T. Shipchandler of Bracewell & Giuliani LLP has a great commentary about how our country is doing on cybersecurity and privacy. It begins:
When it comes right down to it, we are about as bad at cybersecurity as Twitter’s CFO is at Twitter or North Korea is at coming up with new political slogans to commemorate its 70th anniversary.
… The whole column is worth reading on The National Law Review. I think he’s really hit on a great metaphor for us:
As a prosecutor in a securities fraud case, I once had a witness testify that the bad guy treated him and his fellow investors like “mushrooms,” i.e., he “kept them in the dark and fed them manure.” Okay, he didn’t actually say “manure,” but this is a family blog (if only for kids with insomnia). But we are all mushrooms when it comes to data privacy. Think about it. Do you think about how your information is protected when you swipe your credit card? Do you know how your doctor’s office secures your personal health history? Or are you in the dark?
So maybe “a country of mushrooms” isn’t the worst slogan in the world, if it helps us pay attention to the privacy that we cede and the cyber threats that we ignore.

(Related) For my Security Management students. I hope they come out with more than a 6 page PDF.
Embedding a ‘Culture of Security’ Is the Best Defense
Increased connectivity and data use have greatly heightened the risk of a major security breach. But on top of the requisite technological protections, one of the best security defenses organizations can have is a “culture of security,” says Robert Coles, chief information security officer at GlaxoSmithKline.


Get the young ones used to being spied on, it make things easier when they become adults.
Quadcopter Malware Proves Connected Toys Are A Security Risk
Like a subgroup of the Internet of Things, connected toys are the new generation of children’s toys – often using Wi-Fi and an iOS or Android-based remote control to manage and manipulate a car, quadcopter, or Lego robot.
We’ve recently learned that malware has been introduced to a quadcopter toy, a revelation that has left security-conscious parents concerned. If it can happen with one toy, what’s to say it couldn’t happen with another?
And if this was to be repeated with one or more toys, what might the results be?
… Rahul Sasi has created a demonstration of his drone malware, Maldrone, a proof-of-concept that highlights just how poor security in this area actually is.


The future of “In Home” security risks.
“Hello! This is Siri calling. Your home is being robbed. Would you like to watch via your home security cameras? Oops, too late. They just went in the bag.”
Future Proofing Your Smart Home for Apple HomeKit Compatibility
As the smart home scene has geared up, everyone has been waiting to see what Apple’s HomeKit will bring to the table—and we finally got a look at it during this year’s Consumer Electronics Show. Here are some of the most exciting products that we’ve seen, and some advice on making sure you can use HomeKit with as many devices as possible.


Marketing has finally realized that their customers value their privacy? “Then we can make them pay for it!”
AT&T Brings 1Gbps Internet To Kansas City, Charges $29 Extra If You Don’t Want To Be Tracked
Google Fiber launched in Kansas City, Missouri in September 2012, and now AT&T is looking to creep in and compete toe-to-toe with its own ultra high-speed fiber network.
The $70 price that AT&T’s quotes for standalone Internet service is comes with an added “bonus” — user tracking. That’s right; AT&T will track all of your Internet activity so that it can deliver targeted ads to your devices. The fine print in AT&T’s documentation on GigaPower Internet Preferences states:
When you select AT&T Internet Preferences, we can offer you our best pricing on GigaPower because you let us use your individual Web browsing information, like the search terms you enter and the web pages you visit, to tailor ads and offers to your interests.


Tell 'em what they want to hear and they will go home and declare victory!”
Ukraine crisis: Battle rages for Debaltseve despite truce
Rebels say they have taken most of Debaltseve, a transport hub, but the government says it is still in control.
International observers tasked with monitoring the ceasefire have been unable to enter the town.
Earlier, both sides failed to begin withdrawing heavy weapons, despite a Monday deadline agreed in the truce.


For my students. Could be useful.
Edit the Text and Images of your PDF file in the Browser
If you need to make changes in an existing PDF file, you need to get hold of the original document that was used to create the PDF, make the edits in the source document and export it as a PDF again. This is the best option since the document’s layout and formatting will be preserved in the new PDF file and you don’t even need an external PDF editor like Adobe Acrobat.
However, if you do not have access to the source document, you can still edit your PDF files in the browser using the free Word app. It may not be able to handle PDF files with complex layouts, or PDFs that are mostly comprised of charts and images but for text based PDF, Word is a probably a good options for fixing typos or manipulating text and images in PDFs.

(Related) More tools for students.
9 Must Have Modern Apps For Viewing, Editing & Managing Documents


What will we lose? No one will be able to read the Declaration of Independence in the original? Will we really trade Cursive for a “more useful” skill or will we just teach less over all?
Cursive Writing Is Obsolete; Schools Should Teach Programming Instead [Opinion]
Cursive writing is an anachronism. Spending any classroom time on it is comparable to teaching how to use an abacus: it’s interesting as a history lesson, and probably offers some side benefits, but it is not at all practical as a day-to-day skill in the modern, connected world.


For my wino friends. I should have thought of this one. If nothing else, talking about crowdsourcing while tasting their wine would have made for an interesting day.
Entrepreneur Creates Crowdsourcing Model for Wine
… Gormley launched NakedWines.com in 2008 after losing his job. With the tough economy, he and his partners created a much needed service for one struggling industry. They came up with a unique crowdsourcing model for wines.
… Here’s how it works. Wine buyers can sign up on the site as “Angels.” Angels invest $40 a month. That money goes into their “piggy banks” so that they can use it on future wine orders. But by paying that money up front each month, it allows NakedWines.com to invest in local wineries.
Then those local wineries can offer their wines on the site at a discounted price, usually about 40 to 60 percent of normal retail prices.


For my new students. It's amazing how many don't know most of these commands.
Windows Shortcuts 101 – The Ultimate Keyboard Shortcut Guide


Dilbert on North Korea? Or perhaps on the President's reliance on the FBI?

Monday, February 16, 2015

Diligence requires understanding of the risks.
Cybersecurity and Privacy Diligence in a Post-Breach World
Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Sunday February 15, 2015 – The Harvard Law School Forum on Corporate Governance and Financial Regulation.
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo and Randi Singer; the complete publication, including footnotes, is available here.
Thus, it is absolutely critical to understand what kind of data a company collects, how the company uses, stores, shares, processes, protects, and disposes of information, and how to develop and evaluate a plan to respond to attacks that target these data. Proper planning can mean the difference between a news story that begins, “Sony has just announced that Sony Pictures Entertainment co-chairman Amy Pascal is stepping down from her post,” and one that announces a major cyber-attack, but concludes, “Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, ‘primarily as a result of normal contingency planning and preparation.’” Proper planning includes incident response and information management business continuity planning, which are mission-critical. They are (or should be) part of a Board’s enterprise risk management duties, and they are particularly vital for certain federally-regulated entities with an obligation to protect consumer and client information and to keep it private. We have written in-depth elsewhere about incident response plans and their elements. Here, we set forth a high-level summary designed to help evaluate a company’s incident response and business continuity plans…”
[From the publication:
As there is no silver bullet in a constantly-evolving environment where hackers are often several steps ahead of cybersecurity professionals (or at least adapt quickly to new security measures), a lawyer conducting due diligence on a company’s incident response plan should evaluate the approach and process of the plan.


“You ain't seen nothing yet!”
Data breaches of over 1 billion records in 2014
CNBC – “Over a billion personal data records were compromised by cyberattacks in 2014, a new report has revealed, driven by high-profile breaches on Home Depot, JPMorgan and eBay. The 1,023,108,267 records breached in 2014 came from just 1,541 incidents, according to the Breach Level Index report by digital security company Gemalto. It marked a 78 percent surge in the number of personal data records compromised compared to 2013. Last year saw a number of major hacking attacks on companies including Sony Pictures Entertainment and investment bank JPMorgan. The biggest incident occurred when AliExpress, a service run by New York-listed Alibaba, was breached, leaving 300 million personal records open to hackers, who didn’t need passwords to access the accounts.”
Gemalto Releases Findings of 2014 Breach Level Index – February 12, 2015 ─ Gemalto, the world leader in digital security, releases the latest findings of the Breach Level Index, revealing that more than 1,500 data breaches led to one billion data records compromised worldwide during 2014. These numbers represent a 49% increase in data breaches and a 78% increase in data records that were either stolen or lost compared to 2013. Continuing with this industry-leading benchmarking from SafeNet following its acquisition by Gemalto, the Breach Level Index (BLI) is a global database of data breaches as they happen and provides a methodology for security professionals to score the severity of breaches and see where they rank among publicly disclosed breaches. The BLI calculates the severity of data breaches across multiple dimensions based on breach disclosure information. According to data in the BLI originally developed by SafeNet, the main motivation for cybercriminals in 2014 was identity theft with 54% of the all data breaches being identity theft-based, more than any breach category including access to financial data. In addition, identity theft breaches also accounted for one-third of the most severe data breaches categorized by the BLI as either Catastrophic (with a BLI score of between 9.0 and 10) or Severe (7.0 to 8.9). Secure breaches, which involved breaches of perimeter security where compromised data was encrypted in full or in part, increased to 4% from 1%.”


For my Computer Security students.
An introduction to social engineering was released by the UK Computer Emergency Response Team (CERT) on January 21, 2015:
Social engineering is a prolific and effective means of gaining access to the secure systems and sensitive information of an organisation. Attacks vary from bulk phishing emails to highly targeted, multi-layered techniques. These attacks often prey on common aspects of human psychology such as curiosity and greed and do not necessarily require a great deal of technical ability.
Organisations need to be aware of this unique cyber-threat and take precautions to prevent falling victim to a social engineering attack and respond appropriately if the worst happens. This paper provides readers with an overview of the techniques used and the steps that can be taken to help you protect your organisation’s information.
The paper includes an overview wide-scale attacks such as phishing and baiting, as well as focused attacks involving spear phishing, watering hole attacks, attacking on multiple fronts, and physical baiting.
You can download the paper from CERT-UK (pdf, 10 pp.)


Also for my Computer Security students (but this is less useful) The full text.


An interesting question (for my students? TBD) Can you protect your children for social media?
White House Investigating Origins of Malia Obama's Mysterious Instagram Pic
It's a national mystery that has left both the social media world and the Secret Service scratching their heads.
On Sunday night, a photo of what appears to be Malia Obama wearing a Pro Era shirt surfaced on Instagram. It quickly went viral after the Brooklyn-based hip-hop collective posted the pic to advertise its online store.
… Michelle Obama has been very vocal in the past about how she regulates her daughters' social media usage. She told Barbara Walters in 2013 that Malia could only use Facebook, and Sasha was banned from all forms of social media in an effort to protect the girls from the public eye.


If you want privacy, don't use a phone?
Michael Geist writes about an issue I’ve commented on before:
In October 2013, Bell announced the launch of a targeted advertising program that uses its customers’ personal information to deliver more “relevant advertising.” The announcement sparked hundreds of complaints with the Privacy Commissioner of Canada and a filing by the Public Interest Advocacy Centre over the same issue with the Canadian Radio-television and Telecommunications Commission.
Nearly a year and a half later, the complaints and filings remain unresolved. The CRTC case has succeeded in placing considerably more information on the public record, however, offering a better perspective on what Bell is doing and why its privacy approach falls short.
Read more on Toronto Star.
[From the article:
From Bell’s perspective, the targeted advertising approach, which it calls RAP or Relevant Ads Program, does not involve the collection of additional information (it already collects whatever is being used)


Once upon a time, Scifi promised a flying car in every garage. No one was talking about a three dimensional traffic grid. Now we have to sift through all potential uses for drones and try to establish rules and safety protocols. If my students could write software that forced drones to follow the rules, would Amazon be allowed to deliver dog food to my back porch?
No Amazon Deliveries by Drone, At Least Not For Awhile
… “This is not the last word, by any means,” Michael Huerta, chief of the U.S. Federal Aviation Administration, told reporters on a conference call Sunday from Washington.
For the time being, the FAA has concluded that small drones for hire must be flown within sight of an operator and away from crowds for safety reasons.


After the first couple (maybe three) rounds of sanctions, you run out of sanctions that might actually hurt and you find yourself reduced to minor functionaries and B list entertainers?
Russian singer, deputy ministers top new EU sanctions list


An article my students can translate for businesses (and students)
Social Media Strategies for Consultants: Facebook


Am I creating Data Scientists or merely Analysts. (Is “merely” “good enough?”)
Are Data Scientists Really a Breed Apart?
Companies are hungry for data scientists to make sense of the information they’ve compiled, putting these particular analysts in high demand. “Today’s data scientists are often singled out as a breed apart — and for good reason,” argue Harris and Mehrotra. “They tend to be better programmers than most statisticians and better statisticians than most programmers.”
Types of data:
Analysts: Structured and semistructured, mostly numeric data
Data Scientists: All types, including unstructured, numeric and nonnumeric data (such as images, sound, text)
Nature of work:
Analysts: Report, predict, prescribe and optimize
Data Scientists: Explore, discover, investigate and visualize
The research also explored the challenges of managing data scientists. A common complaint is that data scientists “don’t see a need to explain or talk about the implications of their insights, which makes it difficult for them to partner effectively with professionals whose business expertise lies outside of the technical realm.”
For more on Harris and Mehrotra’s research, including their seven recommendations for how to manage data scientists for maximum business value, read the full article. And for thoughts about how companies can automate the data scientist function, read Michael Fitzgerald's recent blog post "Data Scientist In a Can?."


For my researching students.
50 Google Search Tips & Tricks
… you can take advantage of a ton of other Google Search features that go well beyond just the text box. Google supports a ton of cool tricks that you can use in order to be better at searching for something and quickly find what you’re looking for. Using things like boolean terms and even some symbols can help you perform better searches on Google, and by the time you get done going through this list, you’ll be a Google Search master (or a reasonable facsimile thereof).”