Tuesday, August 30, 2016

Who does Putin want to win and by how much? 
Russian Hackers Attack Two U.S. Voter Databases: Reports
Russian-based hackers may have been responsible for two recent attempts to breach US voter registration databases in two states, raising fears Moscow is trying to undermine November's presidential election, US media said Monday.
The incidents led the FBI to send a "flash alert" to election officials earlier this month, asking them to watch for similar cyber-attacks.
The FBI alert, first reported by Yahoo News, did not mention Russia.
However, the authorities have attributed the attacks to Russian spy agencies, NBC News quoted US intelligence officials as saying.
   Although the alert does not identify targeted states, Yahoo News quoted officials as saying they were Illinois and Arizona.

(Related)
How Electronic Voting Could Undermine the Election


Things just got a lot worse for St. Jude.  What could they recover if they can “prove” their innocence?  (What will they lose if they can’t?)  
From the you’re-not-really-surprised-by-this-are-you? dept., Don DeBenedictis reports:
In a class action that sounds like a Tom Clancy novel, a patient claims that pacemakers and other implanted heart devices sold by St. Jude Medical can be attacked by hackers to steal personal information and even harm patients.
Clinton W. Ross Jr. claims that several lines of St. Jude’s heart-regulating devices designed to be monitored remotely with in-home equipment, rather than during in-person visits to the doctor, lack “even the most basic security defenses” to safeguard their computer communications from outsiders.
Gee, what could have possibly given him that idea?
Read more on Courthouse News.


For my Computer Security student debate on Incident Response.  Too extreme or just right? 
Daniel Tyson reports:
Appalachian Regional Hospitals in Beckley and Summers County computer systems were breached Saturday afternoon, but company officials were tight-lipped as to the extent or what information was seized by the hackers.
The hospitals’ parent company, Appalachian Regional Healthcare, issued a two-paragraph statement that their hospitals in West Virginia and Kentucky are on an Emergency Operations Plan, after hackers planted a computer virus in its electronic web-based services and electronic communications.
A spokesperson for ARH said all computers were shut down to prevent further spreading of the virus, which affected Beckley Appalachian Regional Hospital and Summers County Appalachian Regional Hospital in Hinton.
By Saturday afternoon, all patient care, registration, medication, imaging and laboratory services were managed manually.
Read more on The Register-Herald.
The FBI has been called in to investigate, and patients are concerned that their personal information may have been stolen or compromised, but at this point, there’s no indication from the healthcare system that any information was exfiltrated and this may turn out to be a situation in which the data was just locked up for ransom.  The biggest concern, of course, was that hospital operations were threatened, even though it sounds like the system quickly implemented its emergency plan so it could continue to provide services to patients.


“We have a great law, but we don’t have any way to enforce it.”
Shawn Shinneman reports:
The Office of the Attorney General hasn’t disciplined a single Texas company for failing to notify customers of a data breach – and records show it is only directly notified of a small portion of the incidents, the Dallas Business Journal has learned.
The issue could stem from the way Texas’ cybersecurity law is constructed.  Although it calls for the OAG to penalize companies who don’t notify their customers about data breaches, Texas’ standard doesn’t require businesses to actually report breaches to any governmental agency.
The state is effectively looking for speeders without a radar gun.
Read more on the Dallas Business Journal.


Fodder for dossier builders?  How many database duplicate the same information? 
EFF – Transparency Hunters Capture More than 400 California Database Catalogs
by Sabrina I. Pacifici on Aug 29, 2016
Dave Maass – A team of over 40 transparency activists aimed their browsers at California this past weekend, collecting more than 400 database catalogs from local government agencies, as required under a new state law.  Together, participants in the California Database Hunt shined light on thousands upon thousands of government record systems.  California S.B. 272 requires every local government body, with the exception of educational agencies, to post inventories of their “enterprise systems,” essentially every database that holds records on members of the public or is used as a primary source of information.  These database catalogs were required to be posted online (at least by agencies with websites) by July 1, 2016.  EFF, the Data Foundation, the Sunlight Foundation, and Level Zero, combined forces to host volunteers in San Francisco, Washington, D.C., and remotely.  More than 40 volunteers scoured as many local agency websites as we could in four hours—cities, counties, regional transportation agencies, water districts, etc.  Here are the rough numbers:
680 – The number of unique agencies that supporters searched
970 – The number of searches conducted (Note: agencies found on the first pass not to have catalogs were searched a second time)
430 – Number of agencies with database catalogs online
250 – Number of agencies without database catalogs online, as verified by two people…”
Download a spreadsheet of local government database catalogs: Excel/TSV 
Download a spreadsheet of cities and counties where we did not find S.B. 272 catalogs: Excel/TSV


Speaking of dossier creators…
Kashmir Hill writes:
Facebook’s ability to figure out the “people we might know” is sometimes eerie.  Many a Facebook user has been creeped out when a one-time Tinder date or an ex-boss from 10 years ago suddenly pops up as a friend recommendation.  How does the big blue giant know?
While some of these incredibly accurate friend suggestions are amusing, others are alarming, such as this story from Lisa*, a psychiatrist who is an infrequent Facebook user, mostly signing in to RSVP for events.  Last summer, she noticed that the social network had started recommending her patients as friends—and she had no idea why.
Read more on Fusion.


Background for budget time.
What's the Real Value of "Cost of Breach" Studies?
The European Union Agency for Network and Information Security (ENISA) published The cost of incidents affecting CIIs – a review ‘of studies concerning the economic impact of cyber-security incidents on critical information infrastructures’.  Published this month, it is an analysis of ‘cost of breach’ reports; and it draws some worrying conclusions.
   ENISA is not alone in this view. The current Verizon DBIR 
   Ponemon’s latest report puts the average cost of a breach at $4 million, or at $158 per stolen record.  In a study conducted for the UK government, PwC put the overall cost of a breach for major companies at between £1.46 million and £3.14 million (smaller companies £75,000 to £311,000).  In 2015 Kaspersky Lab put the average direct cost at $551,000 for large companies and $38,000 for SMBs (with indirect costs adding an extra $69,000 and $8,000 respectfully).


I have a rather high percentage of international students this quarter.  We should probably talk about not carrying the “Ethical Hacking” textbook through Customs.
Constitutional law professor Noah Feldman writes:
Wall Street Journal reporter Maria Abi-Habib made waves in journalistic circles last month after she posted on Facebook that Department of Homeland Security officials tried to seize her phones as she entered the U.S. at Los Angeles International Airport.
What was striking about her post was that Homeland Security’s demand (which it eventually gave up) was probably lawful and certainly constitutional.  Under established U.S. Supreme Court precedent, there is an exception to the Fourth Amendment privacy right when you are at the border entering or leaving the country.
Read his full commentary on The Commercial Appeal.


For my IT Architecture class.  
Private Clouds a ‘Big Priority’ for Dell
Dell Inc. hopes its pending $60 billion acquisition of EMC Corp. will make the combined company a favored supplier in the rapidly growing market for cloud computing, where companies tap software programs via the internet.
Dell Chief Executive Michael Dell appeared Monday at the annual conference of EMC’s VMware unit, underscoring the deal’s importance for Dell’s future.  He is betting that companies will use Dell’s equipment to build “private clouds,” where their employees access software programs through the internet.  “A big priority for us is making private clouds easy,” Mr. Dell told the VMworld conference Monday.


If everyone loved what Iran was selling, this would not be necessary.  They know that and yet they waste money creating a very porous wall rather than anything attractive and convincing.  Strange, but not unusual.
Iran rolls out domestic internet
   The state news agency Irna said the initiative would offer "high quality, high speed" connections at "low costs".
But critics suggest the true aim is to tighten the authorities' control over citizens' use of the net.
Although Iran already blocks access to overseas-based social media services - including Twitter and Facebook - many users still access them via proxy sites and virtual private networks (VPNs).


In aggregate, this data is useful.  Targeting individuals is a different story.
Ford, MIT use Bostonians’ cellphone location data for traffic planning
By collecting the anonymous cellphone location data from nearly two million Bostonians, MIT and Ford were able to produce near-instant urban mobility patterns that typically cost millions of dollars and take years to build.
The big data experiment holds the promise of more accurate and timely data about urban mobility patterns that can be used to quickly determine whether particular attempts to address local transportation needs are working.
In making decisions about infrastructure development and resource allocation, city planners rely on models of how people move through their cities -- on foot, in cars and by public transportation.  Those models are largely based on socio-demographic information from costly, time-consuming manual surveys, which are in small sample sizes and infrequently updated.  Cities might go more than a decade between surveys.


Of course they do.
Jamie Williams writes:
Imagine being convicted of a crime for logging into a friend’s social media account with their permission?  Or for logging into your spouse’s bank account to pay a bill, even though a pop-up banner appeared stating that only account holders were permitted to access the system?  The Ninth Circuit Court of Appeals last month issued two decisions—by two different 3-judge panels in two separate cases—which seem to turn such actions into federal crimes.  We teamed up with the ACLU and ACLU of Northern California to ask the court to review both decisions en banc—with 11 judges, not just 3—and issue a ruling that will ensure innocent Internet users are not transformed into criminals on the basis of innocuous password sharing.  We want the court to come up with a clear and limited interpretation of the notoriously vague statute at the heart of both cases, the Computer Fraud and Abuse Act (CFAA).
Read more on EFF.


This will put a small dent in the petty cash fund.  (You don’t think Ireland was planning this all along, do you?)
Apple should repay Ireland 13bn euros, European Commission rules
After a three-year investigation, it has concluded that the US firm's Irish tax benefits are illegal.
The Commission said Ireland enabled the company to pay substantially less than other businesses, in effect paying a corporate tax rate of no more than 1%.
   "Member states cannot give tax benefits to selected companies - this is illegal under EU state aid rules," said Commissioner Margarethe Vestager.


Then add in hobby drones and illegal drones – we may never see the sun again!
FAA Expects 600,000 Commercial Drones In The Air Within A Year


3D printing and raspberry pi, my students will love this article!  (I want the cryptex!)  
30 Useful Ways 3D Printing Could Be Used At Home


Great consultants choose their words carefully.

No comments: