Saturday, July 09, 2016

What is worse than a large breach?  A large breach that no one knows anything about.  (Or do they, and they are hoping no one noticed?)
So it appears that 71 million Twitter login credentials (email addresses and passwords, all cleartext) are up for sale on the dark net.  No indication where they came from or how fresh they are (I’ve inquired and will update this post if I get any info).
Might this be a good time to change your password?
And if the Twitter offering doesn’t concern you, how about 80,000 Amazon Kindle users’ details?  TechMic reports:
@0x2Taylor — said in a Twitter direct message that he and a friend “breached a server” owned by Amazon that contained database files with more than 80,000 Kindle users’ information.
“When they first got Kindles and set them up, all their stuff was being logged and put into a database,” @0x2Taylor said.  He added that the database includes a user’s email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street.  He sent us several emails and passwords in an effort to legitimize the breach.
“If I don’t receive a payment from them the data will be posted online along with an older dump,” he said.
As of the time of this posting, there’s a 569MB dump with 83k records that the hacker’s uploaded.  The file is dated May 25.

(Related)  When do you report an incident?  (DLP = Data Loss Prevention)
OIG Audit of FDIC Info System Security Issues
by Sabrina I. Pacifici on Jul 8, 2016
“Our audit focused on the FDIC’s processes for addressing one particular type of information security incident—a breach of sensitive information—because the incident we selected for detailed review (i.e., the Florida Incident) was a breach.  The Florida Incident involved a former FDIC employee who copied a large quantity of sensitive FDIC information, including personally identifiable information, to removable media and took this information when the employee departed the FDIC’s employment in October 2015.  The FDIC detected the incident through its DLP tool.
Audit Results
Although the FDIC had established various incident response policies, procedures, guidelines, and processes, these controls did not provide reasonable assurance that major incidents were identified and reported in a timely manner.  Specifically, we found that:
  • The FDIC’s incident response policies, procedures, and guidelines did not address major incidents.
  • The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC’s ability to identify all security incidents, including major incidents.
  • Further, based on our analysis of the Florida Incident, we concluded that the FDIC had not properly applied the criteria in OMB Memorandum M-16-03 when it determined that the incident was not major.  Specifically, the FDIC based its determination on various mitigation factors related to the “risk of harm” posed by the incident.  Although such factors have relevance in determining the mitigation actions to be taken in addressing incidents, the factors are not among those listed in OMB Memorandum M-16-03 for agencies to consider when determining whether incidents are major and, therefore, are not relevant.  We notified the CIO on February 19, 2016 that our analysis of the Florida Incident found that reasonable grounds existed to designate the incident as major as of December 2, 2015, and, as such, the incident warranted immediate reporting to the Congress.  The FDIC subsequently reported the Florida Incident to the Congress as major on February 26, 2016…”


A question for my Computer Security class?  Is censorship their job?  
Facebook explains censorship policy for Live video
Facebook only removes content if it celebrates or glorifies violence, not if it’s only graphic or disturbing, according to a spokesperson.
Facebook also insists that the video of Philando Castile’s death was temporarily unavailable due to a technical glitch that was Facebook’s fault.  That contradicts theories that the video disappeared due to Facebook waffling on whether it should stay up, a high volume of reports of it containing violent content, a deletion by police who’d taken possession of Castile’s girlfriend’s phone and Facebook account or a request from police to remove it.
However, Facebook refused to detail exactly what caused the glitch, such as a traffic spike.  It did release this statement, however.
   The company suspiciously refused to detail the cause of the glitch, though a spike in traffic is a possibility.  Still, that ambiguity stokes concerns that Facebook purposefully brought down the clip.
Even if it was a technical glitch, it’s one Facebook must prevent from happening in the future.  Live is its chance to become a hub for real-time news that has historically ended up on Twitter first.  And with the acquisition of Periscope, Twitter wants to control live video broadcasting, too.  Users may reach for whichever they think is most likely to make their voice heard and not censor them.


Jobs for my Computer Security students?
Criminal Capability Outpacing Ability to Defend Attacks in UK: Report
The UK's National Crime Agency (NCA) released its Cyber Crime Assessment 2016 this week. Designed to outline the "real and immediate threat to UK businesses" from cyber crime, the report tells us little that is new.  It argues that criminal capability is outpacing industry's ability to defend against attacks, and suggests that "only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime."


Something for my lawyer friends?  (and my Computer Security students)
The law firm of Bryan Cave lists nine factors entities should look at when considering the risk that litigation poses following a breach.  They note:
 Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach.
They then go on to list factors to consider in assessing risk:
  1. Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
  2. Were the records lost encrypted, obscured, or de-identified?
  3. Could the type of information lost be used to commit identity theft?
  4. Did patients suffer any direct monetary harm?
  5. Has there been any evidence of actual identity theft?
  6. Could the data loss hurt the reputation of a patient or cause emotional distress?
  7. Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
  8. If so, what percentage of impacted consumers availed themselves of your offer?
  9. If filed as a class action, is the class representative’s claim of identity theft premised on unique facts?
Unfortunately, the article doesn’t indicate whether their list of factors is ranked in order of importance/predictive value or is just in random order.  Looking at their list, I think 3, 4, 5, and 6 may be the most predictive of whether standing would be conferred, but I’ve written to them to ask their opinion, and will update this post if I get a response.
Their article also lists allegations plaintiffs have made that courts have not found sufficient to confer standing and allegations which some courts have found sufficient to confer standing.
Read the article here.
For another perspective on the risks of litigation with reference to specific court opinions, read No harm, no foul? Private and public litigation in cybersecurity law.


Is this the future of IT?  At minimum the architecture is changing. 
Exclusive: Why Microsoft is betting its future on AI
   No matter where we work in the future, Nadella says, Microsoft will have a place in it.  The company’s "conversation as a platform" offering, which it unveiled in March, represents a bet that chat-based interfaces will overtake apps as our primary way of using the internet: for finding information, for shopping, and for accessing a range of services.  And apps will become smarter thanks to "cognitive APIs," made available by Microsoft, that let them understand faces, emotions, and other information contained in photos and videos.
   In January, The Verge described the tech industry's search for the killer bot.  In the months that followed, companies big and small have accelerated their development efforts.  Facebook opened up a bot development platform of its own, running on its popular Messenger chat app.  Google announced a new intelligent assistant running inside Allo, a forthcoming messenger app, and Home, its Amazon Echo competitor.  Meanwhile the Echo, whose voice-based inputs have captivated developers, is reportedly in 3 million homes, and has added 1,200 "skills" through its API.
   But to win, Lu says, a company needs five "key assets."  The first is a "conversation canvas" — a place where people are doing lots of talking and texting.  Microsoft has Office, Outlook, Skype, and Cortana.  The second is that AI "brain" — a sophisticated mental model of the world.  Microsoft says its own AI efforts date back nearly 20 years.  The third is access to a social graph — people’s activity on the internet often involves their friends and coworkers.  Not coincidentally, a few days after I met Lu, Microsoft announced it would spend $26.2 billion to acquire LinkedIn, and its 433 million registered users.
The fourth piece is a platform for the artificial intelligence to operate on.  Microsoft has Windows and a family of devices, notably the Xbox.  The final piece is a network of developers eager to build on your platform, and to pay you for the privilege.  Stoking that interest had been the primary goal of the Microsoft Build developer conference in March.


Is this the future of law enforcement?  Do remotely controlled robots allow cooler heads to determine how much force is required?
The Dallas Shooting and the Advent of Killer Police Robots
   “I’m not aware of officers using a remote-controlled device as a delivery mechanism for lethal force,” said Seth Stoughton, an assistant professor of law at the University of South Carolina who is a former police officer and expert on police methods.  “This is sort of a new horizon for police technology.  Robots have been around for a while, but using them to deliver lethal force raises some new issues.”


Thoughtful analysis.  The WSJ does this well.  (even guest writers)
Roads That Work for Self-Driving Cars
In May, a Tesla “autopilot” enthusiast in Florida became the first known fatality in a self-driving car.  But this was no ordinary accident.  The car performed exactly as designed, and the (non)driver’s failure to take any corrective action could reasonably have been foreseen by the manufacturer.  This unwelcome yet widely anticipated milestone may set back progress on what promises to be one of the most valuable technologies of the 21st century.
   The National Highway Traffic Safety Administration is soon expected to issue rules that will mandate transponders for all new cars and most trucks.  This will permit vehicles to broadcast their speed, heading and braking status to anyone or anything within 300 meters, which is well beyond the range of current onboard sensors.  These devices, called “V2V” (vehicle-to-vehicle) communicators, can see around corners and convey a driver’s intent (such as, say, an impending left turn), along with other relevant information.
   The potential economic and social benefits of self-driving technology are difficult to overstate.  When the taxi you summon arrives within seconds and doesn’t require a driver, personal transportation will be far more convenient and much cheaper.  You won’t want to own (or insure) your own car.  Garages will go the way of outhouses, and the 14% of Los Angeles real estate devoted to parking can be repurposed for higher uses.
   In the fatal self-driving accident in Florida, the car failed to recognize that a truck traveling in the other direction was about to make a left turn in front of it.  Tesla pointed out that the driver also failed to take corrective action.  As the company said in a statement, “When drivers activate Autopilot, the acknowledgment box explains, among other things, that Autopilot is an assist feature that requires you to keep your hands on the steering wheel at all times.”
This disclaimer may mitigate Tesla’s liability, but it’s simply not practical to ask passengers in a self-driving vehicle to remain alert and engaged.  Reports from the accident scene in Florida suggest that the driver may have been watching a “Harry Potter” movie on a portable DVD player at the time.
The risk now is that politicians and government agencies, reacting to such unfortunate incidents, will enact a hodgepodge of new regulations that will hamper the development and adoption of the technology.


For all my students, not just the Computer Security students.
Should You Accept LinkedIn Invites from Strangers?
A recent survey, reported in SC Magazine, found that 24% of surveyed LinkedIn users have connected with people they didn’t know on the professional social network, despite LinkedIn’s repeated warnings not to do so.  Why is this an issue?
Because LinkedIn can be a vector for spear-phishing and other types of attacks.


Tips for my students.  My students already snap pictures of my math problems from the whiteboards.
Get Mad Detective Research Skills with PDF Tricks & a Smartphone
The smartphone is an invaluable tool for capturing data wherever you are.
No matter what you’re researching or what real-world information you need to save,
Maybe you are a university student who needs to archive newspaper clippings on microfiche, an archivist who wants to save a page or two from an antique book, or a web researcher who needs to archive emails and web pages?
The PDF format — and the smartphone apps that help you create and organize PDF documents — is one of the fastest ways to collect lots of information easily.


Humor in education. 
Hack Education Weekly News
   Via ProPublica: “New Jersey’s Student Loan Program Is State-Sanctioned Loan-Sharking.”  [Hey!  It’s New Jersey, what else did you expect?  Bob]
   Via the Texas Tribune: “Three University of Texas at Austin professors sued their university and the state on Wednesday, claiming Texas’ new campus carry law is forcing the school to impose ‘overly-solicitous, dangerously-experimental gun policies’ that violate the First and Second Amendments.”
[From the article:
"Compelling professors at a public university to allow, without any limitation or restriction, students to carry concealed guns in their classrooms chills their First Amendment rights to academic freedom," the lawsuit says.]
   Michigan State University has dropped its general ed requirement that students take college-level algebra.
   From the Berkman Klein Center: “Privacy and Student Data – An Overview of Federal Laws Impacting Student Information Collected Through Networked Technologies.”
   Via the Milwaukee Wisconsin Journal Sentinel: “Over the past three decades, state and local expenditures on prisons and jails have increased more than three times as fast as spending on elementary and secondary education, according to a new brief released Thursday by the U.S. Department of Education.”
