Saturday, April 30, 2016

Governments are big organizations.  Hackers are looking for one security weakness.  Too often, they find one.
Hacked reports:
Hactivist collective Anonymous has begun to leak documents from the Kenyan government as a part of a sophisticated operation called #OpAfrica, a campaign aimed to expose the government corruption across Africa.
An initial sample of 95 documents revealed via an Anonymous Twitter account and can be accessed via a TOR browser.  Hacked reviewed the documents that were uploaded on the Dark Web and contains PDF and DOCX files.
Read more on Hacked.


2016 may be a record year.
Joseph Cox reports:
A hacker is advertising a cache of email addresses, poorly secured passwords, phone numbers, and other information from users of photo sharing and video streaming app ’17’, which is particularly popular in Asia.
The data is being sold on The Real Deal, a dark web market that specialises in stolen information and computer exploits.
The data was allegedly obtained via an app server, and not the company’s website, the hacker advertising the data told Motherboard in an encrypted chat.
Read more on Motherboard.


You don’t see collections of comments like this often enough. 
Cybercriminals stole millions of dollars from Bangladesh’s central bank and they managed to cover their tracks by using custom malware that targeted the SWIFT interbank messaging system.
   Industry professionals contacted by SecurityWeek commented on the incident, including its implications for the financial industry, the possibility that other proprietary platforms could be targeted in a similar fashion, and the steps organizations should take to prevent these types of breaches.


A different face than the FBI shows?  But not so different behind the curtain.
GCHQ Has Disclosed Over 20 Vulnerabilities This Year, Including Ones in iOS
Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla.  Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS.
   In a speech last year, the Director of GCHQ Robert Hannigan said: “GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business.”
However, governments sometimes withhold details of vulnerabilities from affected companies because the security holes can be used for hacking operations instead.  Motherboard's question of whether the recent selection of vulnerabilities were only disclosed after they had already been exploited by the offensive arm of GCHQ went unanswered.


An amusing read.  Surveillance by financial institutions. 
You Can't Escape Data Surveillance In America
In America, surveillance has always played an outsized role in the relationship between creditors and debtors.  In the 19th century, credit bureaus pioneered mass-surveillance techniques.  Today the American debtor faces remote kill switches in their devices, GPS tracking on their leased cars, and surreptitious webcam recordings from their rent-to-own laptops.  And where our buying and borrowing habits were once tracked by shopkeepers, our computers score our creditworthiness without us knowing.


Health data is going to be Big (Data).  Will we see Google (or Watson) doing the same thing in the US?  Globally? 
New Scientist – Google AI has access to huge haul of NHS patient data
by Sabrina I. Pacifici on
Via New Scientist, Hal Hodson: ”  It’s no secret that Google has broad ambitions in healthcare.  But a document obtained by New Scientist reveals that the tech giant’s collaboration with the UK’s National Health Service goes far beyond what has been publicly announced.  The document – a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust – gives the clearest picture yet of what the company is doing and what sensitive data it now has access to.  The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year.  This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions.  The agreement also includes access to patient data from the last five years…”


Another tool for our Apps class?
Microsoft releases public preview of PowerApps business-app building service
Microsoft is making PowerApps available as a public preview today, April 29.
PowerApps, which was codenamed Project Kratos, is designed to allow business users and business analysts to create custom native, mobile, and Web apps that can be shared simply across their organizations.  Examples of just a few of the many types of apps users can create using PowerApps include simple cost estimators, budget trackers, and site-inspection reports.
PowerApps connects to existing cloud services and data sources.  It's designed to allow users to build apps without writing code or having to figure out integration issues.  The custom apps created with PowerApps can be published internally across the Web, tablets and mobile devices, without requiring app creators to go through app stores for distribution.
PowerApps also will integrate with Microsoft Flow, Microsoft's recently-unveiled alternative to IFTTT.  Users will be able to trigger flows from within PowerApps.


What did Donald Trump ever do to them?
Microsoft won’t make cash donations to GOP convention
Microsoft on Friday announced that it would be making cash donations to the Democratic convention but not the Republican one.
The announcement comes as advocates have increased their pressure on technology giants and other large corporations to refrain from sponsoring the Republican convention because of the rhetoric and proposed policies of GOP presidential front-runner Donald Trump


Because Google Glasses are not intimate enough?
Google has a crazy idea for injecting a computer into your eyeball
A patent filed in 2014 and published Thursday describes a device that could correct vision without putting contacts in or wearing glasses everyday.
But to insert the device, a person must undergo what sounds like a rather intrusive procedure.
Here’s how it would work: After surgically removing a person’s lens from the lens capsule of his or her eye (ouch!), a fluid would be injected into the capsule.  This fluid would act sort of like a glue, allowing whoever is conducting the procedure to attach an “intra-ocular device” to the lens capsule.
That fluid would solidify to create a “coupling” between the lens capsule and the device, creating an electronic contact lens.  The electronic contact lens would correct the wearer’s vision.

(Related)
Sony Filed A Patent For Video-Recording Contact Lens


Hacking Microsoft.
How to Download Official Windows ISO Files Free from Microsoft
If you’re seeking Windows installation files, the good news is, they’re available for free from Microsoft.  You can easily create Windows 10 installation media and you can legally download Windows 7 and Windows 8.1 ISO files from Microsoft, too.  The only requirement is that you own a product key for the respective Windows edition.
Here we’ll show you a little hack that allows you to download any edition of Windows 7, Windows 8.1, and Windows 10 from Microsoft’s Tech Bench.


Saturday is “educate me” day.
Hack Education Weekly News
   “A bill designed to strengthen the privacy and security of student educational data continued down its apparently smooth path to passage Wednesday, winning unanimous Senate Education Committee approval,” Chalkbeat reports.  Lest you think this is a story about federal legislation and that DC gridlock is over, to be clear, this is a measure in the state of Colorado.
..   “Demand for computer science forces Washington colleges to ramp up,” The Seattle Times reports.
   The University College London is hiring a “Professor of Future Crimes.” “The successful candidate will be passionate about the problem of future crime.” Paging Philip K. Dick.
   Via The Washington Post: “Schools are helping police spy on kids’ social media activity.”

Friday, April 29, 2016

Don’t be such a weenie.  Admit you screwed up.  (It will save you so much embarrassment later.)
DataBreaches.net is not alone in being outraged that in response to a massive data leak that put the information of 87 million Mexican voters at risk, Movimiento Ciudadano appears to be falsely claiming that the voter data list they stored on Amazon cloud was “hacked.”  The political party has been repeating that false claim on Twitter and in the media, and has claimed to have filed a criminal complaint against Chris Vickery for allegedly hacking them.
Instead of being grateful that Vickery noticed that they had not secured their database and then spent a lot of time trying to identify them and alert them so that they could secure it, Movimiento Ciudadano is blaming Vickery and telling the public that Amazon told them that the database had been “hacked” or the victim of a “cyberattack.”
Movimiento Ciudadano is either incredibly ignorant or liars.  Amazon told them no such thing.
Chris Vickery contacted Amazon last night to ask what they had actually said to Movimiento Ciudadano or its vendor, Indatcom. He received the following statement from Amazon.
All AWS security features and networks did, and continue to, operate as designed. Once AWS was notified that an unsecured database containing sensitive information was being hosted on the AWS Cloud and was publicly accessible via the Internet, we followed our standard security protocols and have since confirmed that this database is no longer publicly accessible. Customers who have questions about security best practices can find information at our Security Resources page (http://aws.amazon.com/security/security-resources/).
   DataBreaches.net understands that in 2013, Movimiento Ciudadano was fined over another data leak involving voter information that was found up for sale.  It would be understandable that they do not want to be responsible for this newest incident, but they are responsible for this incident, and the Mexican public needs to understand that.


While we were busy watching Apple v. FBI, the FBI won a bigger argument. 
U.S. high court approves rule change to expand FBI hacking power
The Supreme Court on Thursday approved a rule change that would let U.S. judges issue search warrants for access to computers located in any jurisdiction despite opposition from civil liberties groups who say it will greatly expand the FBI's hacking authority.
U.S. Chief Justice John Roberts transmitted the rules to Congress, which will have until Dec. 1 to reject or modify the changes to the federal rules of criminal procedure. If Congress does not act, the rules would take effect automatically.
Magistrate judges normally can order searches only within the jurisdiction of their court, which is typically limited to a few counties.

(Related) For now…
Cory Bennett report:
A key senator is trying to block the Justice Department’s request to expand its remote hacking powers, after the Supreme Court signed off on the proposal Thursday.
“These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices,” warned Sen. Ron Wyden.
Read more on The Hill.


Perhaps the director was exaggerating a bit.  (Or was making it up as he talked.)  What are the legal implications of using a tool you don’t understand? 
FBI paid under $1 million to unlock San Bernardino iPhone: sources
The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters - a figure smaller than the $1.3 million the agency's chief initially indicated the hack cost, several U.S. government sources said on Thursday.
   The FBI, not the contractor, has physical possession of the mechanism used to open the phone but does not know details of how it works, one of the sources said.
The identity of the contractor is so closely-held inside the FBI that not even Comey knows who it is, one of the sources said.


Definitely something my Computer Security students should read.
Breach concealment is not a security strategy
   I saw a security "strategy" this week in the wake of a major data breach which was alarming, to say the least.  I want to capture the details of it here and frankly, tear it to shreds because we should never see an organisation playing fast and loose with people's data in this way.  Hopefully if this strategy is ever considered by others in future they'll stumble across this post and think better of it.
This relates to the Lifeboat data breach from earlier this week.  Well actually, the breach itself was many months ago but the disclosure was only this week and therein lies the problem.


Facebook’s government requests report.
Government Requests Report


Perspective. 
Snapchat Users View 10 Billion Videos A Day: Report
Snapchat reaches a new high with reports of 10 billion video views per day as the users have started using videos as an important means of communication, alongside messaging and photo-sharing.

Thursday, April 28, 2016

Ah well, they’re politicians.  What do you expect?
A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was responsible for the leak on Amazon.  Except that as I read more, I realized they weren’t really admitting they were responsible for the leak.
I’ve been trying to read/translate a number of news stories on today’s developments, including the political party’s statement (ES).
From what I’m reading in their statement and from a number of sources, it seems like the Citizens Movement party is filing a criminal complaint against Chris Vickery, claiming he broke Amazon’s great security, or some such nonsense.  They write, in part:
Para hacer pública la información que estaba salvaguardada en los servidores de Amazon Web Services fue necesario violar las medidas de seguridad a través de métodos altamente especializados, característicos de hackers profesionales.
To be clear: Chris Vickery never hacked into the database.  Citizens Movement left port 27017 open, and so anyone and everyone could access it and download the voter data with no login required.  Amazon was not responsible for securing that database and Vickery didn’t break any security: there was no security, and that was Citizens Movement’s responsibility.
Trying to make it out that Vickery engaged in criminal conduct is a lame attempt on their part to deflect blame for their infosecurity failure.  It is especially lame in light of how appreciative Mexico INE has been of Vickery’s discovery and notification.


“Don’t put off until tomorrow that which you can secure today.” An ancient saying, I just made up.   
Nick Rummell reports that it’s not just affected customers suing Wendy’s after a data breach disclosed in February – the banks are suing, too:
A major data security breach at Wendy’s restaurants could have been easily prevented had the company acted faster, according to a class action filed on behalf of banks whose customers were affected by the breach.
The suit, filed in Federal Court in Pittsburgh on April 25 by First Choice Federal Credit Union, claims the fast-food chain “refused to take steps to adequately protect its computer systems from intrusion,” which led to a nearly five-month-long data breach where customer credit card information was stolen.
Read more on Courthouse News.


They must have something that convinced the judge he is probably guilty, right?  Or can they do this to anyone with an encrypted hard drive?  I keep a large boring file named “This is important” on my backup DVDs next to my encrypted files.  Then I re-encrypt everything.  I will gladly hand over that second encryption key and decrypting that file will prove that it worked.  Everything that still looks encrypted must be gibberish. 
David Kravets reports:
A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives.
The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes.  Instead, he remains indefinitely imprisoned in Philadelphia’s Federal Detention Center for refusing to unlock two drives encrypted with Apple’s FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices.  The man is to remain jailed “until such time that he fully complies” with the decryption order.
Read more on Ars Technica.


Legitimate porn?  Porn in the public interest? 
Journalism in the Age of Hulkamania
In March, 2016, a jury awarded wrestler Hulk Hogan $140 million in damages from a suit he brought against Gawker Media. In 2012, Gawker released a sex tape of Hogan and his friend and radio DJ Bubba Clem’s wife, which was taped by Bubba Clem, allegedly without Hogan’s knowledge.  Hogan claimed that the tape represented an invasion of his privacy by the press.  Gawker is appealing the decision.
Fabio Bertoni, the New Yorker’s general counsel, makes the argument that the decision against Gawker chips away at freedom of the press, largely by threatening editorial discretion about what is newsworthy and producing a chilling effect.  Sex tapes are considered newsworthy if they expose the hypocrisy of a public official or are in some other way relevant to public life.  The Hogan tape is not clearly newsworthy—but it’s not clearly not newsworthy, either.  It had been floating among news organizations for some time before Gawker decided to publish it, and Gawker editors have since backpedaled a bit from their decision.


Is it true that there was no mechanism to issue warrants to trash collectors? 
Erik Lacitis talks trash on Seattle Times:
Seattle’s ordinance allowing garbage collectors to look through people’s trash — to make sure food scraps aren’t going into the garbage — was declared “unconstitutional and void” Wednesday afternoon by King County Superior Court Judge Beth Andrus.
She entered an injunction against its enforcement.


Words are important.
Tim Cushing reports that not satisfied to rest on his laurels in the Really Bad Ideas Department, Rhode Island Attorney General Peter F. Kilmartin is behind a legislative proposal that amounts to a very bad state-level version of the federal hacking statute, CFAA.  Tim writes:
Here’s the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one’s authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov “law enforcement use only”
Read more on TechDirt.


I wonder if our Computer Security club would be interested in creating a similar database for Colorado?  Maybe just Denver?  Maybe just elected officials? 
Grace Dobush writes:
…. With the advent of global surveillance, “Our world is becoming better behaved, but perhaps less human,” said Tijmen Schep, creative director of the Dutch arts collective SETUP, which for the past two years has worked on building a national database of Dutch citizens based solely on open source data.
The initial point of the project – originally known as the National Birthday Calendar – was to create a provocative, interactive site that would know every Dutch citizen’s birthday and recommend gifts based on their personal preferences.  It became so easy to gather the information about people, and they collected so much that they began referring to it as the DIY NSA, a tongue-in-cheek reference to a do-it-yourself National Security Agency.

(Related) Should my Ethical Hacking students ignore these tools just because they can be used for evil?
Attackers Increasingly Abuse Open Source Security Tools
Instead of developing their own hacking tools or buying them from third parties, threat groups have increasingly turned their attention to open source security tools, Kaspersky Lab reported on Wednesday.
One such tool is the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser.  It allows pentesters to determine if the targeted environment is vulnerable by hooking the browser and using it to launch attacks.
BeEF enables attackers to monitor and profile the visitors of a website as it can deploy evercookies for persistent tracking, it can enumerate browsers and plugins, and obtain a list of domains visited by the victim.  In addition to tracking, it can also be used to find and exploit vulnerabilities.


Just because…
30 Insanely Useful Websites You Probably Don’t Know About


Because you never know when you may need to hack a computer.
5 Best Linux Distros for Installation on a USB Stick

Wednesday, April 27, 2016

What did they know and when did they know it? 
Exclusive: SWIFT warns customers of multiple cyber fraud cases
SWIFT, the global financial network that banks use to transfer billions of dollars every day, warned its customers on Monday that it was aware of "a number of recent cyber incidents" where attackers had sent fraudulent messages over its system.
   "SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the group warned customers on Monday in a notice seen by Reuters.
   SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 financial institutions.
   BAE said it could not explain how the fraudulent orders were created and pushed through the system.
But SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar.
It said the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.


As I read this, the FBI intends to claim institutional ignorance.  “We don’t have to share what we know because we don’t know what we know.”  Should be amusing in any case where they need to show more than “It was a miracle!” in court. 
FBI won’t reveal method for cracking San Bernardino iPhone
The FBI intends to tell the White House this week that its understanding of how a third party hacked the iPhone of a shooter in San Bernardino, Calif., is so limited that there’s no point in undertaking a government review of whether the tool should be shared with Apple, officials said.
   Last month, the FBI paid more than $1 million for a tool to crack an iPhone used by one of the shooters in California.  But the contract did not include rights to the software flaws that went into the tool, officials said.
As a result, the bureau has a limited technical understanding of how the method worked, officials said.
   “The threshold is: Are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability that would implicate the process?” he said at a cyber conference at Georgetown University.

(Related) Another reason not to share information with Apple. 
Apple says FBI gave it first vulnerability tip on April 14
The FBI informed Apple Inc of a vulnerability in its iPhone and Mac software on April 14, the first time it had told the company about a flaw in Apple products under a controversial White House process for sharing such information, the company told Reuters on Tuesday.
The FBI told the company that the disclosure resulted from the so-called Vulnerability Equities Process for deciding what to do with information about security holes, Apple said.
The process, which has been in place in its current form since 2014, is meant to balance law enforcement and U.S. intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.
   The issue of how U.S. government agencies decide to share information about vulnerabilities in computer and telecom products has received renewed scrutiny since the FBI announced last month that it had found a way to break into the iPhone of one of the shooters in December's massacre in San Bernardino, California.
Reuters reported earlier this month that the FBI believed it did not have legal ownership of the necessary information and techniques for breaking into the iPhone so would not be able to bring it to the White House for review under the equities process.
The day after that report, the FBI offered information about the older vulnerabilities to Apple.  The move may have been an effort to show that it can and does use the White House process and disclose hacking methods when it can.


Even banks have customers.  Why are they any different?
James Salmon reports that a new tool for small businesses from Barclays Bank is raising privacy hackles.
The online service will enable small companies – from corner shops to florists and local butchers – to track the performance of similar businesses in their area.
Salmon reports that even though the data will supposedly be anonymous – no individuals or individual firms are supposedly identifiable – privacy advocates such as Privacy International find the service unacceptable:
Banks not only hold our money but also vast quantities of our personal data.  This gives them extraordinary insight, and therefore power, into what we value and how we behave individually and as compared to our peers.
‘Services such as SmartBusiness demonstrate a growing trend of companies exploiting the vast amount of data they collect on their customers.  Such exploitation is done without customers’ informed consent, and is unacceptable.  The notion that any data, in particular financial data, is anonymous is deceitful.
Read more on Daily Mail.


It’s no longer just idle flapping of your lips. 
Gary Ridley reports:
State police officials are using online surveillance to monitor social media comments made about the Flint water crisis, according to emails released by Gov. Rick Snyder’s office.
The emails show that officials attempted on at least one occasion to initiate criminal proceedings against a Copper City man over allegedly threatening comments he made on Facebook about the government’s handling of the crisis.
“It’s time for civil unrest.  Burn down the Governor mansion, elimionate (sic) the capitol where the legislators RE-INSTATED the emergency dictator law after the PEOPLE voted it down, and tell the Mich (sic) State Police if they use military force, we will return with same,” according to a state police email about the Facebook post.
Read more on mLive.


There’s phishing, spear phishing and then there’s whaling. 
Whaling emerges as major cybersecurity threat
A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks.  Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.
   Whaling is becoming a big enough issue that it's landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $2.3 billion in losses over the past three years.  The losses affect every U.S. state and in at least 79 countries .  The FBI said that it has seen a 270 percent increase in identified victims and exposed losses from CEO scams since January 2015.  For example, Mattel lost $3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.

(Related) Some details.
Report says criminals are better communicators than IT staffers
   Verizon, in its just-released annual report of report of cyber incidents, identifies phishing as the major problem.  Of the over 65,200 incidents it gathered data about, about 2,250 resulted in a breach, or confirmed disclosure of data to a third party.  (In Verizon's parlance, a security 'incident' falls short of a breach.)


Should we tell them there is a way bombs can home in on cash?  (Or is all this purely accidental?)
http://www.bbc.com/news/world-middle-east-36145301
Islamic State: Up to $800m of funds 'destroyed by strikes'
Maj Gen Peter Gersten, who is based in Baghdad, said the US had repeatedly targeted stores of the group's funds.
The blow to the group's financing has contributed to a 90% jump in defections and a drop in new arrivals, he said.
   In a briefing to reporters, Maj Gen Gersten, the deputy commander for operations and intelligence for the US-led operation against IS, said under 20 air strikes targeting the group's stores of money had been conducted.
He did not specify how the US knew how much money had been destroyed.
In one case, he said, an estimated $150m was destroyed at a house in Mosul, Iraq.


A class we will have to teach soon.
http://sloanreview.mit.edu/article/blockchain-data-storage-may-soon-change-your-business-model/
Blockchain Data Storage May (Soon) Change Your Business Model
Blockchain is a data storage technology with implications for business that extend well beyond its most popular application to date — the virtual currency, Bitcoin.  To be sure, the financial industry is taking notice of how it might use blockchain.  Even the U.S. Federal Reserve is optimistic, and a consortium of 42 top banks recently demonstrated a proof of concept, with Barclays, BMO Financial Group, Credit Suisse, Commonwealth Bank of Australia, HSBC, Natixis, Royal Bank of Scotland, TD Bank, UBS, UniCredit, and Wells Fargo trading mock shares and money.  These are staid financial institutions, not breathless startups.


A most interesting resource!
Cybersecurity: Overview Reports and Links to Government, News, and Related Resources
by Sabrina I. Pacifici on
“Much is written on the topic of cybersecurity.  This CRS report and those listed below direct the reader to authoritative sources that address many of the most prominent issues.  Included in the reports are resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources.  This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity issues.  It includes annotated descriptions of reports, websites, or external resources…”


If you could send an email from Hillary to Donald, what would you say?
How Do Scammers Spoof Your Email Address?
We’ve all had questionable emails from miscellaneous folk begging for a wire transfer to Nigeria.  Most of us can spot the signs fairly easily, and know when to delete an email straight away.  In fact, most of these just automatically go into spam and are subsequently swept away by a solid email service.
But then we get emails from family and friends — or sometimes from our own address!  So what’s all that about?  Does this mean you (or someone you know) have been compromised?  Otherwise, how can scammers do that?


What happens if the kid’s arm isn’t long enough?
How to Keep Kids From Holding Phones Too Close to Their Eyes
   If your young children use your phone, part of your phone’s child-proofing process should include a new free Android app from Samsung called Samsung Safety Screen.  The app is simple but important: it uses the device’s front camera to detect if a face is too close to the screen.
Thankfully, you can password protect the app so kids don’t just disable it and go on their merry way.  You might find this app to be overkill, and it won’t be battery-friendly since it needs to constantly access the camera, but for those with young ones concerned about their screen time, it’s worth a shot.


An interesting question.  This is not supposed to work, so why did it? 
Widening Highways Never Fixes Traffic. But Darnit, It Did in Texas
In a true fairy tale of a transportation project, Texas spent a measly $4.25 million widening a highway and, in defiance of conventional wisdom among transportation planners, doubled the speed of rush hour traffic on a notoriously congested highway in Dallas.
The Texas Department of Transportation repaved the shoulders along both sides of a 6.3-mile stretch of State Highway 161 between Dallas and Fort Worth in September.  Then it opened them up to traffic during the daily rush hour, keeping tow trucks on standby in case someone breaks down.  Based on figures released this month, with the extra lanes in place, traffic “started sailing,” The Dallas Morning News reported this week.
It isn’t supposed to work that way.  The rule of induced demand says widening highways does not ease congestion, and often makes it worse.


Reading is good, even if it isn’t your textbook.
How to Find Free Unlimited Content for Your Kindle
   If you’re looking for more things to read on your Kindle, have no fear.  Here are all the websites, tools, and tips you need to fill your e-reader with high-quality free content that will keep you reading for hours without breaking the bank.
   More Articles on Your Kindle
Just because a site doesn’t offer a Send to Kindle button doesn’t mean you can’t get their articles on your e-reader.  There are plenty of apps and extensions that will let you send just about anything to your Kindle (this is great for reading longform articles that might strain your eyes on a backlit screen).
Push to Kindle, for example, has a browser extension that lets you send anything you want with a click of a button.


Will my geeks start wandering the halls with cardboard over their eyes?
How to Get Started With Virtual Reality for Under $30
   2016 looks set to be the year that virtual reality comes into its own, but looking at the most popular devices on the market may discourage you due to the high costs.  That’s why we’re going to show you how to get started with VR on the cheap using the Google Cardboard.


Want a techie job?  Use techie tools to get it.
Supercharge Your Next Job Interview with These 11 Free Tools


We’re trying to put teams together… 
Hacking competitions that will get you noticed
From the Hack the Pentagon announcement to the Facebook Hacker Cup, there are loads of opportunities for those new to security to either participate in educational hacking competitions or simply learn by watching others compete.  Michiel Prins, co-founder, HackerOne, and Ryan Stortz, security researcher, Trail of Bits, offered up a list of popular competitions and what they like most about some of them.

Tuesday, April 26, 2016

Mark your calendars!  Another Privacy Foundation seminar. 
Data Transfers: Domestic and International.
Friday, April 29, 2016 10:00AM — 1:00 PM.  Followed by lunch.
Register online at http://dughost.imodules.com/privacydatatransfers or contact Privacy Foundation Administrator Anne Beblavi at abeblavi@law.du.edu
Seminar, CLE (3 hrs.) & Lunch $30


Often an indication of where the poorest security can be found.
Healthcare Was Most Attacked Industry in 2015: IBM
The financial services industry is no longer the most targeted sector when it comes to data-stealing cyber attacks, as healthcare climbed to the top in 2015, IBM X-Force’s 2016 Cyber Security Intelligence Index reveals.
Overall, all industries had their fair share of data breaches last year, though some were targeted far more frequently than others, the report reveals.


Because your ego must be fed?
Self-Flying Hover Camera Drone Follows You Anywhere
The Hover Camera is exactly what you would expect, based on its name.  The new drone from Zero Zero Robotics is the company's debut product, which will only be available through a beta testers program for now.  But those people that are selected to play with it are likely to be fast moving, active folks who are eager to have an autonomous camera drone follow them everywhere.
   The facial recognition technology that allows the drone to keep you in frame and follow you is run off of a 2.3-GHz quad-core Qualcomm Snapdragon 801 processor.  There's no fan inside the Hover Camera, so the company engineered slots along the edges that send air pushing through the propellers into the body of the drone to cool things off.
The drone was dead simple to use.  You turn it on, flip out the wings and then toss it into the air, where it stops and hangs out awaiting instructions.  The blades make a bit of noise, but not so I couldn't continue my conversation normally.  If your toss is a little off, the drone knows how to how balance itself and get level using sonar and a ground facing camera.  The company assures me that tossing it into the wind won't throw it off.


Would this make sense here?  There are some Apps that contact friends, but should there be an easy way to call 911? 
India said to mandate panic button in mobile phones
India’s government will soon require cell phone manufacturers to include a panic button on their devices, Bloomberg reported on Monday.
Manufacturers will need to implement a feature by early next year to connect allowing users to flag when they are in an emergency situation.  By 2018, they will be required to implement global position system technology in phones by 2018.


Communication in the modern age?  Maybe I can get the University to block these – otherwise I could see them in the papers my students submit.
5 Sites to Copy-Paste Emojis, Text Faces, Emoticons, & More
From the humble :), the emoticon has come a long way in 30 years.  But while it’s easy to remember how to type that smiley face, you’d be hard-pressed to type out the “shruggie” even if you brought up the character map.
Don’t worry though, there’s an easier way to do this.  Much like with anything else on the Internet, there are handy cheat sheets to type text faces, emoticons, emojis, Japanese kawai faces, and more.


I have a color printer.  I can buy precut paper to print on.  But I don’t feel that old fashioned.
30+ Free Business Card Templates for Every Profession

Monday, April 25, 2016

What happened is leaking out much more slowly that the bank’s money.  If there is a flaw in the Swift software, all member banks are at risk. 
SWIFT Software Bug Exploited by Bangladesh Bank Hackers
   Investigators at British defense contractor BAE Systems told Reuters that the malware in question, evtdiag.exe, had been designed to change code in SWIFT’s Access Alliance software to tamper with a database recording the bank’s activity over the network.
That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials.
The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.
   It’s thought that the malware was part of a multi-layered attack and used on the SWIFT system once Bangladesh Bank admin credentials had been stolen.
   For its part, SWIFT confirmed it is later today releasing a software update to “assist customers in enhancing their security and to spot inconsistencies in their local database records."


You know they were a prime target. 
Thomas Fox-Brewster reports:
Sexual preference.  Relationship status.  Income.  Address.  These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone.  All of this, of course, is supposed to remain confidential.  But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users.  The leak, according to one researcher, also included 15 million private messages between users.  Another said the data is now being sold by traders lurking in the murky corners of the web.
Read more on Forbes.  The data leak was originally uncovered by Chris Vickery (now a researcher with MacKeeper), but as we were told in many cases last year, this was supposedly a “test server.”  It seems that the test server contained real data. [“Real data” is never as useful for testing as “test data” that has been designed to exercise every edit in the application.  Bob]


We would probably have been better served if everyone (and by everyone I mean the politicians) just avoided bragging. 
ISIS Targeted by Cyberattacks in a New U.S. Line of Combat
The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.
The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.
   Cyber Command, was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.
   The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters.  A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data.  Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group. [Not so sure about these last two ideas.  Bob] 
   The fact that the administration is beginning to talk of its use of the new weapons is a dramatic change.  As recently as four years ago, it would not publicly admit to developing offensive cyberweapons or confirm its role in any attacks on computer networks.
That is partly because cyberattacks inside another nation raise major questions over invasion of sovereignty.  But in the case of the Islamic State, officials say a decision was made that a bit of boasting might degrade the enemy’s trust in its communications, jumbling and even deterring some actions. [Again, no so much… Bob]


Moves and counter-moves.  You send me annoying ads.  I block annoying ads.  You try to identify anyone blocking annoying ads so you can deny me access to content or override the block and display annoying ads.  I call in the annoying ad lawyers…  Would it be simpler to make the ads less annoying? 
Websites that detect your ad blocker could be breaking EU law
In the battle against ad blocking, many publishers have begun preventing readers from viewing content while they have an ad blocker switched on.
However, a letter purporting to be from the European Commission suggests that these publishers could be breaking European law.


Interesting.  Does it provide any deterrence?  Not sure what the “tag” entails. 
From the strike-Kuwait-from-your-tourism-plans dept., Thinus Ferreira writes:
All visitors and tourists to Kuwait will now have to submit to a DNA test and be DNA tagged before they’re allowed to enter the Persian Gulf state.
In a world first, Kuwait wants to DNA “tag” everybody in, as well as entering the country with the new DNA legislation that will become law this year.
[…]
According to The Kuwait Times, the DNA testing law is “aimed at creating an integrated security database”.  The law – the first of its kind in the world – and the DNA tagging will only be used for “criminal security purposes” according to Kuwait officials.
“Kuwait will have a database including DBA fingerprints of all citizens, residents and visitors.  This law is the first of its kind in the world and Kuwait is the first country worldwide to apply the system,” notes the publication.
Read more on Traveler24.


Do they have a moral obligation to monitor every social media platform used by even one student?  If not, can they tell us which ones they feel they can safely ignore?  They opened the can, are they monitoring all the worms? 
I’ve previously noted (snarkily, of course) the use of SnapTrends software by Orange County Public Schools in Florida to monitor students’ social media activities.
Well, it seems they’re pleased as punch with the results of their monitoring.  So much so that they’re renewing the contract for the software.  Details of the approximately one dozen police investigations that resulted from use of the software and manual searches were not disclosed.
[From the article: 
"It's a no-brainer to me," Chairman Bill Sublette said. "I think we have a moral obligation in every sense of the word to monitor social media for threats to our students or schools."
The school district declined to provide many details about how the software is used or the types of social media posts that had generated alerts, citing exemptions in open-records laws regarding security.  Officials stressed the software looks only at publicly available posts.


Just because the politicians are screaming for backdoors into encryption does not mean the scientific side of the government feels the same way.
DARPA Is Looking For The Perfect Encryption App, and It’s Willing to Pay
While the FBI keeps crying wolf about the dangerous dark future where criminals use technology that’s impossible to spy on, the Pentagon’s blue-sky research arm wants someone to create the ultimate hacker-proof messaging app.
The Defense Advanced Research Projects Agency, better known as DARPA, is looking for a “secure messaging and transaction platform” that would use the standard encryption and security features of current messaging apps such as WhatsApp, Signal, or Ricochet, but also use a decentralized Blockchain-like backbone structure that would be more resilient to surveillance and cyberattacks.
DARPA’s goal is to have “a secure messaging system that can provide repudiation or deniability, perfect forward and backward secrecy, time to live/self delete for messages, one time eyes only messages, a decentralized infrastructure to be resilient to cyber-attacks, and ease of use for individuals in less than ideal situations,” according to a notice looking for proposals, which was recently posted on a government platform that offers federal research funds to small businesses.

(Related) Could this be why?
Serious weaknesses seen in cell phone networks
America’s digital adversaries may have spent years eavesdropping on officials’ private phone conversations through vulnerabilities in the global cell phone network, according to security experts.
   Specialists believe countries like China, Russia and Iran have all likely exploited the deficiency to record calls, pilfer phone data and remotely track high-value targets.
“I would be flabbergasted if these foreign governments were not monitoring large numbers of American officials on their cell phones,” Rep. Ted Lieu (D-Calif.) told The Hill.


Perspective.  Perhaps this kind of disclosure is the future?
100 data breaches later, Have I been pwned gets its first self-submission
I certainly didn't expect it would go this far when I built Have I been pwned (HIBP) a few years ago, but I've just loaded the 100th data breach into the system.  This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see.
But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves.  It was self-submitted, if you like.

(Related)  The opposite of self-reporting?
Looks like I missed a breach report from weeks ago.  Troy Hunt writes:
Today I’ve been looking at the Naughty America data breach which was in the news 10 days ago.  The breach itself is dated March 14 which is a day short of six weeks before the time of writing.  Yet somehow, Naughty America have yet to acknowledge the incident. In fact, the first a number of their customers knew of the breach was when I contacted them today and repeated the same process as I’d done with the Filipino voters.  Not only did I get affirmative responses, one member of the site even emailed me the original welcome email he’d received from them in 2010, complete with the precise date that was stamped on his record in the data breach.
Read more on WindowsITPro.
The breach was initially reported on Forbes, which sadly, I no longer read because of their requirement that you turn off ad-blockers in your browser.  You can read other coverage of the breach on TechInsider.


For my geeks.  We could build an App for that!  (Whatever ‘that’ is.) 
How to Detect Faces With the Google Cloud Vision API
The Google Cloud Vision API is currently in Beta and available to developers with a basic pricing model that is free up to a thousand units per month.  That means that developers have access to powerful image analysis capabilities backed by Google’s Machine Vision Infrastructure to implement in any relevant project.
The technology uses machine learning to identify the content in images, such as objects, colors, and notable landmarks.  That data can be leveraged by applications or other software to perform specific tasks according to the developer’s intentions.  In this tutorial on Google Cloud Platform, followers learn how to use the Google Cloud Vision API to detect faces in an image, and use that data to draw a box around each face.


Something we want our students to start doing.
An Informal Chat About Ed Tech Blogging - Recording
Earlier this evening I hosted a Google+ Hangout On Air for people who had questions related to blogging for professional purposes.  It was an informal half hour in which I answered a bunch of the questions that I frequently receive in my email on that topic.  A few new questions were added into the chat too.  If you weren't able to make it, you can now watch the recording on my YouTube channel. (you may want to fast-forward through the first two minutes in which I was just setting things up).

(Related) Have my students create (and publish?) their own textbook.
Collaborative Book Publishing with Google Slides & Issuu
EdTechTeacher, an advertiser on this site, has launched a new FREE video series called #ETTchat. Each week, one of their instructors posts a new video with ideas using technology in the service of learning. 
Collaborative Book Publishing
Google Slides has become a universal tool for students to use on any device. In this video, Greg Kulowiec (@gregkulowiec) shows how students could collaboratively design a book using Google Slides and then publish it with the digital publishing platform, Issuu
Learn more about collaborative tools and ePub creation on the EdTechTeacher web site.