Yesterday, one of my former students sent me an email explaining how his company had been phished. It really is an epidemic (translation: It really works!)
Add AmeriPride and Actifio to the ever-growing list of companies whose employees’ W-2 info was snagged by criminals via phishing.
If your company didn’t urgently re-train employees about this growing problem with phishing and business email compromises, do it now.
Update 1: Add Evening Post Industries to the list of those whose employees fell for business email compromise, resulting in employees’ W-2 data in criminals’ hands.
Have they found an antidote? When was the last time you tested your backup plan?
Kat Hall reports:
North Dorset District Council is working with police to identify the source of a ransomware attack this week, the latest incident in what security experts believe to be a growing problem for local authorities.
According to an email seen by The Register, the attack had infected 6,000 files on the council’s servers by Tuesday.
However, the council said yesterday evening the problem had been fixed.
Read more on The Register.
[From the article:
He added that with more sophisticated encryption targets have little choice between restoring their systems from a backup or paying the ransom.
Eddy Willems, security specialist at G-Data, said attackers were deliberately targeting organisations which appear more likely to pay the ransom to get back online. "Some of these organisations do not have the latest backup [systems] installed," he said.
When you fear that facts and logic are against you, make stuff up? If I were the judge, that would really make me wonder what else was pulled from “thin air.”
What is a “lying-dormant cyber pathogen?” San Bernardino DA says it’s made up [Update]
One day after the San Bernardino County district attorney said that an iPhone used by one of the San Bernardino shooters might contain a "lying-dormant cyber pathogen," the county's top prosecutor went on the offense again. DA Michael Ramos said Apple must assist the FBI in unlocking the phone because an alleged security threat might have been "introduced by its product and concealed by its operating system."
… The fact no one has heard of a pathogen that might carry devastating qualities has us and others wanting to know exactly what is a "lying-dormant cyber pathogen?" We asked Ramos' office to elaborate. Ars' e-mail and phone messages, however, were not returned.
… But late Friday, Ramos told The Associated Press that his cyber doom suggestion was out of thin air.
… The prosecutor suggested in a court filing yesterday that the iPhone—a county phone used by Farook and recovered after the shooting—might be some type of trigger to release a "lying-dormant cyber pathogen" into the county's computer infrastructure. On Friday, the district attorney again demanded that a federal magistrate presiding over the dispute command Apple to help decrypt the phone.
(Related) “Mon Dieu! The FBI wants us to become French!”
Iain Thomson reports:
The French parliament has voted in favor of punishing companies that refuse to decrypt data for government investigators – by threatening businesses with big fines and possible jail terms for staff.
This comes amid the FBI’s high-profile battle with Apple in the US to unlock a dead killer’s encrypted iPhone.
French deputies voted to add an amendment to a penal reform bill that would fine companies €350,000 (US$385,350) for a refusal to decrypt and give up to five years in jail for senior executives. Telecommunications company executives would face smaller fines and up to two years in jail for not cooperating with the authorities.
Read more on The Register.
(Related) Flipping their flop for political or privacy reasons? Will they reverse again in a few months? (Does their policy favor privacy or convenience?)
Amazon reverses course on encryption for its Fire tablets
It's been only one day since -- in the midst of a national debate over encrypted devices -- Amazon started pushing a new Fire OS 5 to its tablets that ditched support for device encryption. Just yesterday, the company said that was because customers weren't using the feature. [How did they know? Bob] Tonight, the company tells Engadget that it will bring the option back in another update that is due to arrive this spring. Given the attention Apple's battle with the FBI has brought to this security feature it seems logical that encryption remains at least available as an option, even on a device intended for casual usage.
Another FBI kerfuffle in the works? Sounds like they are targeting the Young Republicans.
Sarah Lazare writes:
Under new guidelines, the FBI is instructing high schools across the country to report students who criticize government policies and “western corruption” as potential future terrorists, warning that “anarchist extremists” are in the same category as ISIS and young people who are poor, immigrants or travel to “suspicious” countries are more likely to commit horrific violence.
Based on the widely unpopular British “anti-terror” mass surveillance program, the FBI’s “Preventing Violent Extremism in Schools” guidelines, released in January, are almost certainly designed to single out and target Muslim-American communities. However, in its caution to avoid the appearance of discrimination, the agency identifies risk factors that are so broad and vague that virtually any young person could be deemed dangerous and worthy of surveillance, especially if she is socio-economically marginalized or politically outspoken.
Read more on AlterNet.
For my Computer Security class to consider. (Kind of a fluff piece.)
http://www.cnbc.com/2016/03/04/how-the-internet-of-things-could-be-fatal.html?__source=google|editorspicks|&par=google&google_editors_picks=true
How the 'Internet of Things' could be fatal
Another article for my Computer Security students. Serious actors planning extensively – sounds to me like they would try a few “test hacks” like maybe OPM or Sony. Just saying.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
… The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
… Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.
… Regardless, the successful assault holds many lessons for power generation plants and distribution centers here in the US, experts say; the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.
The power wasn’t out long in Ukraine: just one to six hours for all the areas hit. But more than two months after the attack, the control centers are still not fully operational, according to a recent US report. Ukrainian and US computer security experts involved in the investigation say the attackers overwrote firmware on critical devices at 16 of the substations, leaving them unresponsive to any remote commands from operators. The power is on, but workers still have to control the breakers manually.
Thou shalt not fish for evidence?
Andrea Noble reports:
In a historic victory for privacy rights advocates, the Maryland Court of Special Appeals upheld a ruling that barred prosecutors from using evidence discovered through the Baltimore Police Department’s use of secret cellphone tracking technology.
The ruling, issued late Wednesday, marks the first time any appellate court in the country has thrown out evidence obtained through warrantless use of the secretive devices, often known by the brand name Stingray.
The brief order, signed by Judge Andrea Leahy, offered no explanation of the reasoning behind the decision but indicated that an opinion would be forthcoming.
Read more on The Washington Times.
(Related) “When we specify phone calls, we mean everything including phone calls.”
John Frank Weaver writes:
In July 2015, I wrote an article about Fourth Amendment protection for self-driving cars that referenced Commonwealth v. Dorelas, a Massachusetts case that considered how specific a warrant must be before police can search a smartphone. (Full disclosure: I helped the American Civil Liberties Union of Massachusetts draft its amicus brief.) Briefly: Defendant Denis Dorelas was arrested following a shooting. While investigating the shooting, witnesses told police that Dorelas had received threatening phone calls and text messages from the other individual involved in the shooting. Based on this evidence, police applied for and received a warrant to search Dorelas’ iPhone…..
Read more on Slate.
[From the article:
In the decision, which was released in January, the Supreme Judicial Court ruled that the warrant was constitutionally granted because electronic communications “can come in many forms” and the issuing judge “could conclude that the evidence sought might reasonably be located in the photograph file,” despite the fact that the only evidence supporting the search of the iPhone was testimony that referenced phone calls and texts. Equating texts and phone calls with all electronic communications is a huge expansion of those forms of evidence and grants broad discretion to police to search all the data on a phone as long as there is evidence suggesting that any data on the phone could be related to criminal activity.
I can think of a few reasons why it would simplify things at Facebook (no warrants asking them to identify users). But it ruins my New Yorker cartoon, “On the Internet, nobody knows you're a dog.”
Facebook can nix German users with fake names
… The German court's decision rested on the fact that Facebook's European headquarters are in Ireland. The company therefore only needs to comply with orders from the Irish data protection authority. Ireland decided back in 2011 that Facebook's real-name policy did not violate people's right to privacy.
History is written by the winners, except in the EU.
Google makes narrow expansion of 'right to be forgotten' official
… Google said on Friday that it would delist the links from all of its domains when they are accessed in the country where the petition to remove the content originated.
… Google portrayed its announcement Friday as one that would mollify privacy regulators without infringing too much on the sanctity of its platform.
“We’re changing our approach as a result of specific discussions that we’ve had with EU data protection regulators in recent months,” wrote Global Privacy Counsel Peter Fleischer in a blog post. “We believe that this additional layer of delisting enables us to provide the enhanced protections that European regulators ask us for, while also upholding the rights of people in other countries to access lawfully published information.”
Something my Data Management students can use to get rich?
How Netflix Knows Exactly What You Want to Watch
Netflix’s rise to being the world’s primary media streaming service was no fluke. It was based on a complex recipe of data manipulation and emotion that means the company knows what you want to watch even before you know yourself.
… It is Netflix’s secret sauce of algorithms, big data, and gut instinct that fuel this unstoppable growth. It’s this secret sauce that allows Netflix to not just consistently recommend content that users will (likely) love, but also to fund the creation of that content, confident that it will be a success.
It’s no surprise that big data plays a big part in Netflix’s ability to recommend and fund the right content. What is surprising, however, is the kind of data and amount of data that Netflix tracks every time you use the service.
I had no idea – and I still don't, but looking at the illustration, they have several ways to make money.
How Snapchat brings celebrities millions of views and offers advertisers a young audience
Another snapshot of my industry.
Hack Education Weekly News
… Via The Harvard Crimson: “Harvard jointly filed an amicus brief to the National Labor Relations Board on Monday arguing against the unionization of graduate students, joining six other Ivy League universities, Stanford, and MIT in a call for the board to uphold existing rulings that define the relationship between private universities and graduate students as strictly academic.”
… Via SF Gate: “Hackers compromised a UC Berkeley computer network containing the financial data of 80,000 people.”
… This week in rebranding bullshit: “Ubiquitous learning could push the term ‘online’ out of education.”
… “Minnesota State University at Moorhead has announced an unusual scholarship program,” Inside Higher Ed reports. “Four $2,500 scholarships and two $1,000 scholarships will be awarded (on top of other aid for which students are eligible) based on tweets.”
… The “Transcript of Tomorrow”!
… According to a survey of 4000 community college students, “about 50 percent of students reported having one or more mental-health condition,” The Chronicle of Higher Education reports.