Saturday, June 11, 2016

For my iPhone toting students.  (and my Ethical Hacking students)
Your cell phone number could be hijacked unless you add a PIN to your carrier account
DeRay Mckesson is a widely known activist in the Black Lives Matter movement and a former candidate in the race for mayor of Baltimore.  He’s a high-profile target, and someone finally figured out a way to crack his popular Twitter account—by hijacking his cell phone number, and getting it reassigned to a phone under their control.  This was used to push out a message in his account in support of a candidate who he says represents the antithesis of his beliefs.  Those tweets have since been deleted and Twitter has restored account access to Mckesson.


Gosh, how shocking.
The National Security Agency is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.
“We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.
Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,” he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents.
When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”
   When the agency is looking to exploit different new devices, the NSA has to prioritize its resources, which are usually focused on the “bad guys’” tech of choice rather than popular gadgets in the U.S., Ledgett explained.
That’s why the NSA wasn’t able to help the FBI crack the iPhone of the San Bernardino shooter, he said, because the agency hadn’t invested in exploiting that particular model of phone.  “We don’t do every phone, every variation of phone,” he said.  “If we don’t have a bad guy who’s using it, we don’t do that.”


Gotta keep my students current!
6 Tools to Boost Snapchat for Beginners or Pros
The big news in the tech world recently is that Snapchat has more active daily users than Twitter now.  If you ignored Snapchat previously for its notoriety as a sexting app, it’s time to rethink that image and get on board.


This article tells you how to use software you already have on your computer.
How to Easily Create a Stunning Video Using Windows Movie Maker


Saturday, and more silliness.
Hack Education Weekly News
   A must-read on Trump University from Ars Technica: “Trump University and the art of the get-rich seminar.”  Here are some reading suggestions from ProPublica: “The Absolute Best, Most Terrific Reporting on Trump University.”  And the latest on the court case/Trump University scandal: Via NPR: “Texas Governor Linked To Trump University Fraud Case.” See also, via The Texas Tribune: “In Texas, Trump U Shut Down After State Scrutiny.”  Via the AP: “Florida AG asked Trump for donation before nixing fraud case.”
   Via The Hechinger Report: “Some surprising reasons companies are rushing to help their workers get degrees.”
   Via eSchool News: “How hackers held a district hostage for almost $10,000.” Hackers, man. (Related: “Companies Are Stockpiling Bitcoin to Pay Off Cybercriminals.”
   Apple, Microsoft, Amazon and Google Are Fighting a War for the Classroom,” says Edutechnica, with a look at how many colleges have adopted their competing pseudo-LMSes.

Friday, June 10, 2016

I have to ask if we have reached a point where hackers are winning the security game.  How can so many large and otherwise well-managed companies fall prey so easily?  And I’m including those large third party providers do.
Wendy's Finds More PoS Systems Hit by Malware
Wendy’s launched an investigation in late January after fraud patterns were discovered on cards used at some restaurants.  The presence of malware was confirmed in February and, in mid-May, the company said hackers had compromised PoS systems at less than 300 of its 5,500 franchised restaurants in North America.
The investigation conducted up until May revealed that unrelated cybersecurity issues had been identified at roughly 50 other franchise restaurants.  As the investigation continued, experts discovered another variant of the malware that was similar to the threat discovered initially, but which had a different execution method.
According to the company, a remote access tool (RAT) had been found on PoS systems that were initially believed to be clean.  As a result, Wendy’s now says the number of affected restaurants is “considerably higher” than 300, although it has not disclosed an exact number.
   “Many franchisees and operators throughout the retail and restaurant industries contract with third-party service providers to maintain and support their POS systems.  The Company believes this series of cybersecurity attacks resulted from certain service providers' remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers,” Wendy’s said in a statement.
Wendy’s pointed out that the data breach does not appear to impact any of the restaurants it operates.


How bad must you be for politicians to take notice?  Is this posturing?  Will they take action if there is no improvement?  Stay tuned until after the election (and campaign contribution) season.
New York state’s top cop says this cable company misleads consumers about its Internet speeds
The ink is barely dry on Charter's massive acquisition of Time Warner Cable — a deal that just formed the nation's second-largest cable company — but New York's attorney general is wasting no time pressing the firm on customer complaints about their Internet service.
Thousands of Time Warner Cable's customers have written in to the attorney general's office saying they aren't getting the download speeds they paid for as part of an ongoing investigation by New York Attorney General Eric Schneiderman into Internet providers' advertised speeds, according to a spokesman.  And on Wednesday, Schneiderman sent a letter to Charter calling for the cable company to "clean up Time Warner Cable's act" in the wake of the acquisition.


I’ve not seen an HBR video before.  Some thoughts for my students?
Can You Entrust That Decision to a Robot?


Could be useful.
Sunlight Foundation is using IFTTT to make the government more open
by Sabrina I. Pacifici on
“Want to know when the president signs a bill into law?  When congress votes on a bill?  When a new legislator is representing you?  Since 2014, The Sunlight Foundation has been connecting its massive trove of government data to IFTTT, the popular web service that connects things on the internet to other things… For those unfamiliar with IFTTT, it works like this: Users create recipes that consist of a trigger (the “IF” portion of IFTTT), such as “If I get a Facebook notification,” and a result, such as “send me an email.”  The idea is to connect up the myriad services and information available on the internet to make them work in concert with one another.  The function of the service is spelled out in its name, which doubles as an initialism: IF This, Then That.  The Sunlight Foundation has put IFTTT to work by bridging its Congress API to various online services.  The foundation automatically pulls in lots of data from the government — the locations and zip codes of congress members, for example, and the crush of information that accompanies the legislature’s routines: floor votes, hearings, bills, amendments and nominations.  With IFTTT, The Sunlight Foundation allows people to automatically get an email when the president signs a bill into law, or save that law to a read-later app like Pocket or Instapaper…”


How can I use this?  I’ll ask my gaming students.
Microsoft launches a free trial of Minecraft: Education Edition for teachers to test over the summer
Following up on its promises from January, Microsoft today released a free trial of Minecraft Education Edition – the version of Minecraft meant for use in the classroom – to educators worldwide.  This “early access” version of the program includes new features and updated classroom content and curriculum, the company also says.
For those unfamiliar with the Education Edition, the idea is to bring the world of Minecraft to the classroom to be used as a learning tool where students can develop skills in areas like digital citizenship, empathy, literacy, and more.  They can use the software as part of a coding camp, study science, learn about city planning, or they can study history by re-creating historic landscapes and events in the program, for example.


In case I ever teach Math again.
Recognize Handwritten Equations with MyScript MathPad
MyScript Mathpad is a handwriting recognition app specialized for mathematics expressions.  MyScript Mathpad automatically converts handwritten mathematical expressions and equations to their digital equivalent.  It can recognize more than 200 symbols and operators.
MyScript MathPad is compatible with iPad, iPhone, and iPod Touch running in iOS 6.0 or later.

Thursday, June 09, 2016

Millions of individuals infected with malware?  Now do you feel like a twit?  
Twitter credentials are being traded in the tens of millions on the dark web.  LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data.  This data set was provided to us by a user who goes by the alias “[email protected]”, and has given us permission to name them in this blog.
[…]
You may search for yourself in the leaked Twitter.com credentials by visiting our homepage.  If your personal information appears in our copy of the Twitter credentials, or in any other leaked database that we possess, you may remove yourself for free
[…]
This data set contains 32,888,300 records.  Each record may contain an email address, a username, sometimes a second email and a visible password.  We have very strong evidence that Twitter was not hacked, rather the consumer was.  These credentials however are real and valid.  Out of 15 users we asked, all 15 verified their passwords.
The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.
You can search for your info on LeakedSource’s home page, here.  Read more on LeakedSource’s blog post about Twitter, here.


For my Computer Security students.  Policies do matter. 
Matt Robinson reports that Morgan Stanley has been fined $1 million by the U.S. Securities and Exchange Commission to settle allegations that it failed to protect customer data improperly taken by a former financial adviser, Galen Marsh.
Marsh pleaded guilty in September, 2015 to making thousands of unauthorized searches on his employer’s system and to copying information on  730,000 accounts.  Marsh somehow managed to avoid prison and was sentenced in December to three years’ probation and $600,000 restitution.
But the SEC went after Morgan Stanley for its failure to protect all that customer data.  Today, they issued the following statement:
The SEC issued an order finding that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data.  As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties. 


For my Computer Security students.  Please share with other students.
Has Your Facebook Been Hacked? Here’s How to Tell (and Fix It)
   Thankfully, there are a few things that you can do to prevent an attack, and a few things you can do to fix your Facebook account if it does get hacked.
   Go to Settings > Security > Where You’re Logged In and click edit.  The information contained in the section will show where you’ve logged in and with what devices you signed in with.  For example, my last log in was in Cologne, Germany on my iPhone, which sounds about right.


An Infographic (because lawyers like pictures?)
How is Social Media Being Used in Court?


I’ll add students to this also.
How Academics and Researchers Can Get More Out of Social Media
In today’s digital age, social media competence is a critical communication tool for academics.  Whether you’re looking to engage students, increase awareness of your research, or garner media coverage for your department, engaging in social media will give you a competitive edge.


THE NEXT BIG THING?  I like pretending that I’m social.  Telling my students about new stuff makes it seem like I care!
Why You Will Want to Join Imzy — and How to Get an Invite Now!
Imzy is the latest big social network to hit the scene — and it’s set to dominate.  Here’s everything you need to know about why Imzy will be huge.


Big.  Really, really Big.
Big Data and the recency bias
by Sabrina I. Pacifici on
Via BBC – Tom Chatfield 5 June 2016 – “You may be familiar with the statistic that 90% of the world’s data was created in the last few years.  It’s true.  One of the first mentions of this particular formulation I can find dates back to May 2013, but the trend remains remarkably constant.  Indeed, every two years for about the last three decades the amount of data in the world has increased by about 10 times – a rate that puts even Moore’s law of doubling processor power to shame…  Here’s the problem with much of the big data currently being gathered and analysed.  The moment you start looking backwards to seek the longer view, you have far too much of the recent stuff and far too little of the old.  Short-sightedness is built into the structure, in the form of an overwhelming tendency to over-estimate short-term trends at the expense of history…”


I’m sure there is a lot of detail here.  How I should use it is still a work in progress.
E-Stats 2014 Report: Measuring the Electronic Economy
by Sabrina I. Pacifici on
“This report summarizes 2014 e-commerce statistics on shipments, sales and revenues from four sectors of the economy: manufacturing, wholesale, services and retail.  The report and tables can be found on the U.S. Census Bureau’s website at www.census.gov/econ/estats/.”


How to Use the Virtuapedia


Never!  Keep coding, dudes.  Yes, the frequency of 100 million download Apps is down, but it will still happen as “the next big thing” offers their App.  And my students only need a few million downloads at $.99 each to make their hobby pay.
Everyone needs to tell their college friends building an app to stop right now
The era of mobile apps is over, and Facebook - with a touch of Snapchat - won.
The following chart, which comes to us from Anthony DiClemente at Nomura, shows how Facebook absolutely dominates the mobile app space, owning four of the top five most-downloaded apps in May, with only Snapchat breaking up its stranglehold on the space.
   Last month, my colleague Kif Leswing reported that the top 1% of publishers in Apple's App Store collect 94% of the revenue.  In other words, the App Store has effectively become a winner-take-all environment.
Matt Rosoff also noted last month that the average number of apps on mobile phones has been stuck at 27 for four years straight.
People already have the apps they want, or they at least are tapped out at using a certain total number of apps, and so with the pie for mobile apps not getting any bigger, the giants of the space are accruing the gains.
And a market that has stopped scaling is not a market you want to try to break into.

(Related) Subscribers download once, pay every year for life!
Apple Overhauls App Store With Search Ads, Offers 85% Revenue Cut For Devs On App Subscriptions
   Apple marketing chief Phil Schiller explained that developers will now have the option to sell subscriptions to customers for any of their apps.  This could drastically change the landscape of the App Store ecosystem and the expectations of iOS users that are used to paying a few bucks for an app, or at most $9.99 if they’re really committed.
In return, developers will get a larger share of revenue — if they manage to keep customers long-term.  Under the current revenue-sharing model, developers get a 70 percent cut, while Apple gets the remaining 30 percent.  Under the new rules, that split will still stay in place if developers decide not to deploy app subscriptions.  But if developers do offer subscriptions, and customers stick around for at least a year, Apple’s cut drops down to just 15 percent.

Wednesday, June 08, 2016

An interesting tool for erasing data that has escaped your physical control, but be careful to put rules are in place that control when you are allowed to use it.  Also backup your data.  If I can hack into this command, I can erase all your data whenever I want to. 
Google Goes Thermonuclear On Thieves With Methodical Remote Wipe Option For Stolen Androids
   Google has presented what could clearly be called a “Nuclear Option” by allowing the Android operating system to securely erase every single partition on the device when invoked by a device’s rightful owner. Recovery partition, boot partition, bootloader — all would be wiped off the face of the earth with zeroes.
Which partitions are erased would be left up to each individual manufacturer, but according to Android Police, even external partitions (i.e. a microSD card) can be included with the “bricking” command.


Nothing startling, but a good summary.
The New Economics of Cybercrime
   According to the cybersecurity firm Intel Security, the price of a stolen payment-card record has dropped from $25 in 2011 to $6 in 2016.  “We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security.  “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”


Planning for cyberwar?  Is there an inertial navigation App for smartphones? 
US military tests massive GPS jamming weapon over California
The US Federal Aviation Authority (FAA) is warning aircraft to stay a few hundred miles away from the Naval Air Weapons Station at China Lake, California, because the military is testing a new gizmo that disrupts GPS – and may also mess with flight control systems.
The FAA has issued a Notice to Airmen (NOTAM) warning [PDF] that on June 7, GPS readouts will be unreliable or nonexistent…
   In addition, the FAA is warning pilots flying the Embraer Phenom 300, one of the world's most popular executive jet aircraft, that the testing could interfere with flight stability controls and has said extra care should be taken in the area.


I need to read this a few more times.  As I now understand it, if the government knows I know the password, I have no Fifth Amendment protection.  But what if the government only thinks I know the password?  Also, I wonder if my “re-encrypt your encrypted data and add one file that says everything else is gibberish” technique would work? 
The Fifth Amendment limits on forced decryption and applying the ‘foregone conclusion’ doctrine
The U.S. Court of Appeals for the 3rd Circuit has a case pending on the Fifth Amendment limits of forcing a suspect to enter his password to decrypt a computer.  The case provides an opportunity for the 3rd Circuit to correct an error in the 11th Circuit’s treatment of the same question, specifically on how to apply the “foregone conclusion” doctrine to an order requiring decryption of a storage device.
Given the importance of the issue, I want to explain the issue, show where the 11th Circuit got it wrong, and explain what I think the right analysis should be.


Perhaps lawyers are beginning to understand the technology?
Why legal departments begrudge the cloud
   “One can’t simply go to clients or the state bar association and say the third party caused a breach, so it’s really not our responsibility.”
This year’s high-profile breaches at Panamanian law firm Mossack Fonseca and New York-based Cravath Swaine & Moore have raised alert levels even higher.  Law firms and legal departments have been warned by the Federal Bureau of Investigation that cyber thieves consider them low-hanging fruit from a risk perspective because of their potential treasure troves of trade secrets and undisclosed deal information that could be exploited.
   in fact, many law firms and legal departments don’t even know how many cloud apps are being used.  New cloud apps, such as file-sharing tools show up almost monthly even daily, creating a whack-a-mole mentality where IT security staff must shut down unauthorized apps when they pop up.
The average organization uses 1,154 cloud services to upload 5.6 terabytes of data each month, according to cloud-access security broker Skyhigh Networks.  

(Related)  I’m not (yet) convinced this is a solution, but it will be something for my Architecture class to kick around.
Egnyte Tackles Data Loss With New Data Governance Solution
Cloud computing remains a problem for many businesses.  While the move to IaaS is gathering pace, it is still true that most organizations operate a hybrid approach, combining cloud apps and on-premise data.  According to Egnyte, 85% of apps are now in the cloud, while 85% of data is still on premises.  This creates a huge governance issue as corporate data moves into and out of cloud applications.


At last someone else has noticed that the porn industry is an early adaptor.
How Porn Leads People to Upgrade Their Tech
   The pornography industry isn’t creating new communication technologies, Coopersmith said, nor is it particularly prescient about what technology is likely to take off.  It’s simply taken advantage of new developments before others, and has enough of a draw that people are willing to follow it.
Its position on the leading edge of technology comes partly out of necessity.  “There’s a nimbleness to being in the marginalia,” Barss says.  Once technologies and platforms reach mainstream status, they may become less friendly to adult content, and the social stigma attached to porn has repeatedly drawn consumers to new, largely untested technologies that provide better privacy.


Amusing enough to share…
Will Trump Screw Up Everything We Know About Elections?


Another easy screenshot tool.
How to Use YouTube to Record a Video of Your Screen
   the saved video will be available on your YouTube account where you can change its privacy settings if you want to share it publicly and can add annotations, subtitles, and more.
A few things to keep in mind when using YouTube to record a screencast:
·         The quality of the video is not great — the full-screen experience is a little hazy.
·         If you use YouTube, you won’t have access to some advanced features you’ll get with other screencasting apps like Quicktime or Screencast-o-matic.


If I incorporate this into my website design class, it won’t be cheating to use it. 
Wix Unveils New Innovation: Websites That Design Themselves Using AI
   Wix has developed the world’s first website-building platform that uses artificial intelligence — what Wix refers to as “Artificial Design Intelligence” (ADI) — to create a site automatically for you, right in front of your eyes.

Tuesday, June 07, 2016

My Computer Security students have been following this breach.  We will still see facts dribbling out years after the event. 
Did New York Fed Miss Red Flags in $81 Million Bangladesh Bank Theft?
The blame game over who should be held responsible for the bank thefts via SWIFT continues. Ecuador's Banco del Austro (BDA) has already launched action against Wells Fargo for releasing $12 million to accounts largely in Hong Kong, claiming it failed to respond to red flags in the transactions.  Bangladeshi officials have blamed both SWIFT (for not ensuring that a new SWIFT system at the bank was secure) and the New York Federal Reserve Bank (for ignoring red flags in the transactions) for its own loss of $81 million.
   Now a new report from Reuters suggests that the Bangladesh Central Bank may have a point.  The New York Fed received a total of 35 fraudulent transfer requests.  It blocked all of them.  "On the day of the theft in February, the New York Fed initially rejected 35 requests to transfer funds to various overseas accounts, a New York Fed official and a senior Bangladesh Bank official told Reuters."
The requests were incorrectly formatted and omitted the names of the receiving banks.  Later the same day the hackers at the Bangladesh bank resubmitted all 35 transfer requests.  This time they were correctly formatted - but the New York Fed still blocked 30 of them.  Five were approved for a total of $101 million dollars.  One of these was subsequently reversed because of a spelling error; but the remaining four went through and resulted in the $81 million loss.
However, what Reuters describes as 'a source close to the bank' still has concerns.  The four approved transfers contained anomalies that should have raised flags.  "They were paid to individual recipients, a rarity for Bangladesh's central bank, and the false names on the four approved withdrawals also appeared on some of the 30 resubmitted requests rejected by the bank," reports Reuters.


In a commercial environment, the Board of Directors would have fired lots of senior managers and had this under control in a couple of months.  Congress is still trying to figure out what happened because they know HHS is lying to them. 
King & Spalding write:
On May 25, 2016, the House Energy and Commerce Subcommittee on Health held a hearing to examine the Department of Health and Human Services’ (“HHS”) cybersecurity responsibilities.  The hearing focused on legislation that would create a new office within HHS, the Office of the Chief Information Security Officer (“CISO”), consolidating information security within a single office at the agency.
The HHS Data Protection Act (H.R. 5068) was introduced by Representatives Billy Long (R-MO) and Doris Matsui (D-CA) on April 26.  The legislation would implement one of the key recommendations of an August 2015 report issued by the Energy and Commerce Subcommittee on Oversight and Investigations.  The report was the result of a year-long investigation focused on an October 2013 breach at the Food and Drug Administration (“FDA”), and was expanded to include information regarding security incidents at other HHS divisions.  Among the findings in the report was that the current organizational structure was at least partially responsible for information security incidents throughout HHS.
Read more on JDSupra.
And speaking of HHS responsibilities, this blogger (still) can’t see where an HHS Office of Child Support Enforcement incident  reported months ago has been added to HHS’s public breach tool.  Was this reported for inclusion in the breach tool?  If not, why not?  Was it the case that HHS did a risk assessment and determined that it didn’t need to be reported?  Even Congress appears to have had trouble getting some straight answers from HHS when they tried to investigate.  One of their questions was why HHS didn’t notify Congress within the one week period required by FISMA and why it took two months for HHS to notify Congress. In response:
An HHS spokeswoman said Tuesday that the agency complied with legal reporting requirements and notified Congress within a week after it believed a major incident may have occurred.


Something my Computer Security students need to read.
9 reasons why your security awareness program sucks

(Related) Also something for my Architecture students.  A department dedicated to looking at start-ups? 
J.P. Morgan’s CIO on the bank’s security game plan
   Question: How does J.P. Morgan think about fintech?
Deasy: We are actively scanning most fintechs.  We will evaluate a fintech and say we’re already building what they’re doing and what we’re building will be better.  Or we’ll look at something that is being built and decide it’s a great partnering opportunity.  And in some cases we may not only partner, we may become an investor.


This is the kind of nonsense that happens when they keep all their records on paper!  And they seem to suggest they have to do this one staffer at a time? 
State Dept. would need 75 years to compile Clinton emails
The State Department said it would take 75 years for the release of emails from top aides to Hillary Clinton while she was serving as secretary of State.
Lawyers said it would take that long to compile the 450,000 pages of records from former Clinton aides Cheryl Mills, Jacob Sullivan and Patrick Kennedy, according to a court filing from last week, which was first reported by CNN.
"Given the Department's current [Freedom of Information Act] (FOIA) workload and the complexity of these documents, it can process about 500 pages a month, meaning it would take approximately 16-and-2/3 years to complete the review of the Mills documents, 33-and-1/3 years to finish the review of the Sullivan documents, and 25 years to wrap up the review of the Kennedy documents -- or 75 years in total," the State Department said in the filing.
In March, the Republican National Committee (RNC) filed a pair of lawsuits requesting the release of emails and records from Clinton and her top aides during and after her time at the State Department.


All of my students have Office 365 through the University.  This may be useful. 
Microsoft Planner ready for showtime
Today marks the general availability of Microsoft Planner.  Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide.  This includes Office 365 Enterprise E1–E5, Business Essentials, Premium and Education subscription plans.
All users with eligible subscription plans will automatically see the Planner tile appear in the Office 365 app launcher when it is available for them to use.  No specific action by Office 365 admins is needed.
The addition of Planner to the Office 365 lineup introduces a new and improved way for businesses, schools and organizations to structure teamwork easily and get more done.  With Planner, teams can create new plans; organize, assign and collaborate on tasks; set due dates; update statuses and share files, while visual dashboards and email notifications keep everyone informed on progress.


“Alexa, grade these papers for me!”  
How to Test Drive the Amazon Echo in a Browser
   If you don’t know anyone who owns an Echo, you can take Alexa for a spin by trying a new online demo of the service.  At Echosim.io, you can use Alexa on the web — not a perfect emulation, but a pretty good copy of the virtual assistant.
Just sign in with your Amazon account and agree to let the site use your microphone, and you’ll be able to press and hold a button to chat with Alexa.

Monday, June 06, 2016

Another large breach?  Easier to believe than 100 million individual phishing or social engineering successes.  Looks like it’s going to be a record year. 
Joseph Cox reports:
Accounts for over 100 million users of popular social media site VK.com are being traded on the digital underground.
Breach notification site LeakedSource obtained the data and published an analysis on Sunday.  The hacker known as Peace, meanwhile, listed the data for sale on a dark web marketplace.
[…]
Peace provided Motherboard with a dataset containing a total of 100,544,934 records, and LeakedSource provided a smaller sample for verification purposes.  The data contains first and last names, email address, phone numbers and passwords.
Read more on Motherboard.  These data are apparently from a breach several years ago (circa 2011-2013).  Earlier today, Motherboard updated its post to note that a VK spokesperson denied that the site had been breached:
“VK database hasn’t been hacked.  We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012.  All users’ data mentioned in this database was changed compulsorily.  Please remember that installing unreliable software on your devices may cause your data loss.  For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”
That’s all well and good, except that if the data are up for sale now, they likely do contain some still-valid passwords despite any “compulsory” reset a few years ago.


Hacking for Art?  An artistic hack?  How easy would this be? 
John Oliver is not just a brilliant comedian.  Through his humor and segments, he often makes compelling points about our society – and in this case – medical privacy.  Consumerist has a piece on how Oliver easily created his own medical debt collection firm, and thereby came into possession of many people’s medical information:
For a $50 fee, Oliver and his team registered their new debt-acquisition firm, Central Asset Recovery Professionals — CARP, named after the bottom-feeding fish — in Mississippi, complete with a website that was nothing more than the logo you see here.
“With little more to go on than that website,” says Oliver, “we were soon offered a portfolio of nearly $15 million of out-of-statute medical debt from Texas.”
The asking price was less than $60,000 for $14,922,261.76 in this zombie debt — or around $.004 for every dollar of debt owed.  Purchasing the debt would give CARP the names, current addresses, Social Security numbers, and amount owed (or previously owed, as the statute of limitations had expired) for nearly 9,000 individuals.
What Oliver did next is an amazing act of kindness to people, but let’s not forget what he has demonstrated about the risks we face.
Watch the whole segment here:  https://www.youtube.com/watch?v=hxUAntt1z2c


I wonder if Facebook would be interested in hiring one of my Computer Security students?
Mark Zuckerberg social media accounts get hijacked, hacker claims Facebook founder’s password was ‘dadada’
   While the social network creator’s Facebook page remained intact, Mark Zuckerberg’s Twitter and Pinterest accounts were hijacked by the hacker group OurMine Team on Sunday.
The group claiming responsibility for the high-profile hacking left a taunting message on both social media accounts.
“Hey @finkd, you were in Linkedin Database with the password ‘dadada’ !,” the team wrote from Zuckerberg’s Twitter page.
On his Pinterest, the new title was “Hacked by OurMine Team.”
In a deleted tweet, OurMine claimed it also breached Zuckerberg’s Instagram — which Facebook owns — claiming it was “just testing your security.”
Prior to the hack, Zuckerberg did not tweet on his rival social network since January 2012.
   Zuckerberg is the latest in a rash of recent celebrity hacks, with Tenacious D's Twitter falling victim to a death hoax on Sunday.
The week before, Katy Perry's Twitter was taken over, with the hacker sending a message to the "Roar" singer's rival, Taylor Swift, and releasing a never-before-heard song.


Now this would be fun!  Perhaps I could interest the Computer Security club?  We could install it in the state legislature as a demo.  We could even rent it to Computer Security managers preparing their budgets.  This would really grab senior management’s attention.  
Liz Stinson reports:
If you’re connected to a wireless network, odds are high that little bits of data are trickling out of your device like water from a leaky faucet.  “Our phones leak data in a bunch of different ways,” says artist Kyle McDonald.  “Sometimes it’s really insidious or unexpected.”
Recently at Moogfest, a music and technology festival in Durham, N.C., McDonald with the help of fellow artist Surya Mattu created an installation called WiFi Whisperer that called attention to all that data your phone is giving away for free.  As festivalgoers walked past the installation, the artwork grabbed insecure data and display it on monitors, while a hidden speaker whispered the stream of data—what networks you’ve recently connected to and websites you’ve visited, for example—like a creepy, demon-voiced Big Brother.   “It’s sort of like looking over someone’s shoulder,” says McDonald, “except you’re doing it without actually looking over their shoulder.”
Read more on Wired.


Some interesting scholarship.  I hope this gets completed. 
State attorneys general have authority to enforce a number of federal privacy and data security statutes, and they may also have additional authority to protect privacy and data security under state law.
   Until now, however, there has been no academic scholarship on the role state attorneys general play in privacy and data security.  Happily, that has now changed with an exploratory study by Danielle Citron, who shared her findings in a paper workshopped at the Privacy Law Scholars Conference this week.
Here’s the abstract of her paper:
Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals.  Crucial agents of regulatory change, however, have been ignored: the state attorneys general.  This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.  Because so little has been written about this phenomenon, I engaged with primary sources—first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.  
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement.  State attorneys general have been nimble privacy enforcement pioneers where federal agencies have been more conservative or constrained by politics.  Their local knowledge, specialization, multistate coordination, and broad legal authority have allowed them to experiment in ways that federal agencies cannot.  These characteristics have enabled them to establish baseline fair information protections; expand the frontiers of privacy law to cover sexual intimacy and youth; and pursue enforcement actions that have harmonized privacy policy.
Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on informal agreements that lack law’s influence and a reluctance to issue closing letters identifying data practices that comply with the law.  This article offers ways state attorneys general can function more effectively through informal and formal proceedings.  It addresses concerns about the potential pile-up of enforcement activity, federal preemption, and the dormant Commerce Clause.  It urges state enforcers to act more boldly in the face of certain shadowy data practices.
You can download a pre-publication version of the paper from SSRN.


Something my students are asking (since they will be the ones to program and secure them)  Not sure this infographic has all the answers, but it hits a number of points worth discussing.
How Close Are We to Self-Driving Cars Being Available?


Creating Apps for fun and the Prophet?  Expect someone to create an App that gathers information about users (potential terrorists?) for investigation and potential targeting. 
ISIS's Mobile App Developers Are in Crisis Mode
When they say, “There’s an app for everything,” terror propaganda is no exception. In the past six months, the Islamic State (IS, ISIS, or Daesh) and its news agency, ‘Amaq, have officially developed at least six mobile apps, adding to a list of other apps created by the group’s supporters.
   Just when it seemed that IS had succeeded in creating a direct and uninterrupted method of linking to its followers, the group would show signs that its app operations had brought about new risks.
A notice disseminated officially by ‘Amaq on June 1—and subsequently by other social media channels—claimed that “dubious sources” were disseminating a fake version of the ‘Amaq app, purposed for “spying”:


Some arguments for not creating Apps?
Why Britain banned mobile apps
   So why did the GDS ban apps?  It wasn’t because they weren’t technically savvy enough to build them.
Cost, he says.  Apps are “very expensive to produce, and they’re very, very expensive to maintain because you have to keep updating them when there are software changes,”  


Perhaps I should teach more Star Wars? 
‘Chewbacca Mom’ Has Gotten $420,000 Worth of Gifts Since Facebook Video Went Viral
   “Chewbacca Mom” is of course Candace Payne, the Wookie-loving stay-at-home mom from Grand Prairie, Texas, whose claim to fame is the posting of a Facebook Live video in which she giggles joyfully and infectiously while wearing her new Chewbacca mask.
The video, posted on May 19, quickly became the most-watched Facebook Live video ever, and has been viewed more than 150 million times and counting.  It’s also been shared more than 3 million times.
   Kohl’s got plenty of free publicity thanks to Payne mentioning in her video that she purchased her Chewbacca mask there.  And Kohl’s returned the favor by showing up at Payne’s home with a collection of gifts, including dozens of toys, $2,500 in gift cards, and (of course) Chewbacca masks for her whole family so no one has to share.

Sunday, June 05, 2016

For my Ethical Hacking and Computer Security students.
How LinkedIn’s password sloppiness hurts us all
Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in 2013) and I made short work out of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week.  Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak
But those 6.4 million unique hashes posted on a Russian password-cracking forum in June 2012 only accounted for a fraction of the total LinkedIn database.  This second dump, on the other hand, contains 177.5 million password hashes for 164.6 million users, which aligns perfectly with LinkedIn's user count in the second quarter of 2012.  After validating the data that I received with several individuals, I concluded that this does appear to be a nearly complete dump of the user table from the 2012 LinkedIn hack.


Also for my Ethical Hacking students.  Should Computer Security managers be monitoring sites like this?  (Perhaps a business opportunity for someone who would push this information to managers?)
Just as Chris Vickery has tried to focus attention that there are still tens of thousands of misconfigured databases exposing PII and other information that should be protected because port 27017 is open, now TeamGhostShell is also calling attention to the problem – plus other open ports and issues.
   This project will focus solely on this poorly configured MongoDB.  I’d like to mention exactly how easy it is to infiltrate within these types of networks but also how chilled sysadmins tend to be with their security measures.  Or should I say, lack thereof.
In a lot of instances the owners don’t bother checking for open ports on their newly configured servers, not only that but they also don’t concern themselves with establishing a proper authentication process.  (Just a simple  username/password)
   ZDNet, ably assisted by Lee Johnstone, provides some comments and analyses of the data dump.


Another common security risk.  Excel (and many other common applications) makes this type of error simple to commit, difficult to “see.”
Penn State University recently reported an incident to the New Hampshire Attorney General’s Office that involves a now-defunct club.
According to their report, the university was notified on April 13 that a historical document uploaded to the Undergraduate Law Society‘s web site was a spreadsheet that contained two fields – SSN and DOB – that were not visible on casual inspection, but could be “unhidden” in Excel. The records therefore exposed the SSN and DOB of 379 individuals. Upon notification, the university immediately took the site offline while they investigated.
   They do not explain why the web site of a defunct organization was still online.
PSU notes that although it has no responsibility for what clubs post on their web sites, [Oh really?  Bob] in response to this incident, they have started working more closely with student organizations about the importance of protecting personal information, and are encouraging organizations to use the Identity Finder software to locate and then remove personal information.


No government agency would listen to an employee (or contractor) 92 levels below the head of the agency. 
By Jason Leopold, Marcy Wheeler, and Ky Henderson report:
On the morning of May 29, 2014, an overcast Thursday in Washington, DC, the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, wrote an email to high-level officials at the National Security Agency and the White House.
The topic: what to do about Edward Snowden.
Snowden’s leaks had first come to light the previous June, when the Guardian’s Glenn Greenwald and the Washington Post’s Barton Gellman published stories based on highly classified documents provided to them by the former NSA contractor.  Now Snowden, who had been demonized by the NSA and the Obama administration for the past year, was publicly claiming something that set off alarm bells at the agency:  Before he leaked the documents, Snowden said, he had repeatedly attempted to raise his concerns inside the NSA about its surveillance of US citizens — and the agency had done nothing.
Read more on Vice.com.
[From the article:
The trove of more than 800 pages [pdf at the end of this story], along with several interviews conducted by VICE News, offer unprecedented insight into the NSA during this time of crisis within the agency.  And they call into question aspects of the US government's long-running narrative about Snowden's time at the NSA.


Not what I expected from France.
Nicolas Rase & Kristof Van Quathem write:
On May 12, 2016, The French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press.  In this case, two brothers took legal action against a famous French daily newspaper.
The two individuals requested that their respective names be removed from search results displayed by the newspaper’s website search engine (not a third party search engine such as Google Search or Bing).  The newspaper’s search engine indexed a link to an article published in 2006 which reported on a sanction imposed by the Council of State on the two brothers.
The High Court ruled that requiring a media organisation to remove information contained in its articles (the names and surnames of individuals) from its archive or to limit access to such articles by de-indexing links from its search engine exceeds the restrictions that may be imposed on the freedom of press.
Read more on Covington & Burling Inside Privacy.

(Related)
MoroÄŸlu Arseven writes:
The Turkish Constitutional Court has recently published a decision where it held that an employer monitoring an employee’s institutional email account and using correspondence in court did not violate the employee’s constitutional rights.  The court held that the employer had monitored these accounts prudently and with just cause, since it was done to verify allegations that the employee had breached corporate regulations.  It noted that monitoring had not gone beyond verification purposes and content of the correspondence was not made public.
Read more on Lexology.


…it depends on where you live.  Or where the hack occurs?
Bethany Rupert of King & Spaulding provides additional coverage of an appellate ruling I had previously noted on this site:
On May 20, 2016, the U.S. Court of Appeals for the Eighth Circuit affirmed breach-of-contract claims brought by Minnesota-based State Bank of Bellingham (“Bellingham Bank”) against BancInsure Inc. (“BancInsure”), an insurance company that refused to provide coverage when the bank suffered losses after a criminal third party hacked the bank’s computer system and transferred funds to a foreign bank account.
[…]
The case is State Bank of Bellingham v. BancInsure Inc. n/k/a Red Rock Insurance Co., case number 14-3432, in the U.S. Court of Appeals for the Eighth Circuit.
Read more on JDSupra.

(Related)  Could a breach bankrupt you?
Lyle Adriano reports that some of P.F. Chang’s breach-related costs are not covered by its insurance:
A federal court ruled that Chubb Ltd. does not have to reimburse P.F. Chang’s for costs the restaurant chain charged by its credit card processor under its cyber policy.
[…]
The Federal Court ultimately concluded that on several counts that Federal Insurance is not obligated to reimburse the charges, rationalizing that Bank of America did not suffer from P.F. Chang’s data breach and therefore did not suffer a “privacy injury” the policy could cover.
“The court agrees with Federal; (Bank of America) did not sustain a privacy Injury itself, and therefore cannot maintain a valid claim for injury against Chang’s,” said the ruling.
When I see stories like this one, I feel particularly concerned for small and medium-sized businesses who really may have no idea what their policies don’t cover and could be totally wiped out by the costs of a breach if their insurer doesn’t cover some things.  If you carry cyberinsurance for breach costs, do you know if your policy would cover reimbursement to your card issuer?  If you don’t know for absolute sure, this might be a good time to check.


My Computer Security students discussed the security requirements of these Apps last week.  Could I order 50 chicken sandwiches and have them delivered to my favorite law professor?
Why Is Chick-fil-A’s App Number One in the App Store?
In late 2014, Taco Bell became the first major fast-food chain to roll out an order-ahead app.  Finally, a Fourth Meal habitué could pay ahead, skip the line, join a rewards program, and creatively customize their Nachos Bell Grande without enraging a line of people behind them.  Shortly after a very involved launch, Taco Bell even threw free Doritos Locos Tacos at mobile-app users.  Despite all the fanfare, the Live Más app, while popular, was never the No. 1 free app in the Apple universe.  Because, really, what fast-food ordering app would be?
Earlier this week, Chick-fil-A, the sometimes maligned and beloved chicken chain, introduced its One app, which offered all of the things that Taco Bell’s app does, plus the immediate promise of a free chicken sandwich just for downloading the app.  In just three days, the app has been downloaded over a million times and has led the most downloaded free app iTunes tally board since Wednesday, muscling out the likes of Facebook, Snapchat, Instagram, and the (frankly, weird-sounding) multiplayer snake-battle game slither.io.
   “82 percent of millennial parents say they would do almost anything to avoid long lines at fast food restaurants when they are with their children,” the company noted in a press release announcing the launch of the app.  “In fact, nearly half (48 percent) said they would rather not eat at all than stand in a line.”


My dad was a fight fan.  He said Ali was the best he had ever seen.  Good enough for me.
Muhammad Ali
by Sabrina I. Pacifici on
David Remnick, Editor, The New Yorker – The Outsized Life of Muhammad Ali: “Ali, who died Friday, in Phoenix, at the age of seventy-four, was the most fantastical American figure of his era, a self-invented character of such physical wit, political defiance, global fame, and sheer originality that no novelist you might name would dare conceive him.