Saturday, July 09, 2016

What is worse than a large breach?  A large breach that no one knows anything about.  (Or do they, and they are hoping no one noticed?)
So it appears that 71 million Twitter login credentials (email addresses and passwords, all cleartext) are up for sale on the dark net.  No indication where they came from or how fresh they are (I’ve inquired and will update this post if I get any info).
Might this be a good time to change your password?
And if the Twitter offering doesn’t concern you, how about 80,000 Amazon Kindle users’ details?  TechMic reports:
@0x2Taylor — said in a Twitter direct message that he and a friend “breached a server” owned by Amazon that contained database files with more than 80,000 Kindle users’ information.
“When they first got Kindles and set them up, all their stuff was being logged and put into a database,” @0x2Taylor said.  He added that the database includes a user’s email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street.  He sent us several emails and passwords in an effort to legitimize the breach.
“If I don’t receive a payment from them the data will be posted online along with an older dump,” he said.
As of the time of this posting, there’s a 569mb dump with 83k records that the hacker’s uploaded.  The file is dated May 25.

(Related)  When do you report an incident?  (DLP = Data Loss Prevention)
OIG Audit of FDIC Info System Security Issues
by Sabrina I. Pacifici on Jul 8, 2016
“Our audit focused on the FDIC’s processes for addressing one particular type of information security incident—a breach of sensitive information—because the incident we selected for detailed review (i.e., the Florida Incident) was a breach.  The Florida Incident involved a former FDIC employee who copied a large quantity of sensitive FDIC information, including personally identifiable information, to removable media and took this information when the employee departed the FDIC’s employment in October 2015.  The FDIC detected the incident through its DLP tool.
Audit Results
Although the FDIC had established various incident response policies, procedures, guidelines, and processes, these controls did not provide reasonable assurance that major incidents were identified and reported in a timely manner.  Specifically, we found that:
  • The FDIC’s incident response policies, procedures, and guidelines did not address major incidents.
  • The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC’s ability to identify all security incidents, including major incidents.
  • Further, based on our analysis of the Florida Incident, we concluded that the FDIC had not properly applied the criteria in OMB Memorandum M-16-03 when it determined that the incident was not major.  Specifically, the FDIC based its determination on various mitigation factors related to the “risk of harm” posed by the incident.  Although such factors have relevance in determining the mitigation actions to be taken in addressing incidents, the factors are not among those listed in OMB Memorandum M-16-03 for agencies to consider when determining whether incidents are major and, therefore, are not relevant.  We notified the CIO on February 19, 2016 that our analysis of the Florida Incident found that reasonable grounds existed to designate the incident as major as of December 2, 2015, and, as such, the incident warranted immediate reporting to the Congress.  The FDIC subsequently reported the Florida Incident to the Congress as major on February 26, 2016…”


A question for my Computer Security class?  Is censorship their job?  
Facebook explains censorship policy for Live video
Facebook only removes content if it celebrates or glorifies violence, not if it’s only graphic or disturbing, according to a spokesperson.
Facebook also insists that the video of Philando Castile’s death was temporarily unavailable due to a technical glitch that was Facebook’s fault.  That contradicts theories that the video disappeared due to Facebook waffling on whether it should stay up, a high volume of reports of it containing violent content, a deletion by police who’d taken possession of Castile’s girlfriend’s phone and Facebook account or a request from police to remove it.
However, Facebook refused to detail exactly what caused the glitch, such as a traffic spike.  It did release this statement, however.
   The company suspiciously refused to detail the cause of the glitch, though a spike in traffic is a possibility.  Still, that ambiguity stokes concerns that Facebook purposefully brought down the clip.
Even if it was a technical glitch, it’s one Facebook must prevent from happening in the future.  Live is its chance to become a hub for real-time news that has historically ended up on Twitter first.  And with the acquisition of Periscope, Twitter wants to control live video broadcasting, too.  Users may reach for whichever they think is most likely to make their voice heard and not censor them.


Jobs for my Computer Security students?
Criminal Capability Outpacing Ability to Defend Attacks in UK: Report
The UK's National Crime Agency (NCA) released its Cyber Crime Assessment 2016 this week. Designed to outline the "real and immediate threat to UK businesses" from cyber crime, the report tells us little that is new.  It argues that criminal capability is outpacing industry's ability to defend against attacks, and suggests that "only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime."


Something for my lawyer friends?  (and my Computer Security students)
The law firm of Bryan Cave lists nine factors entities should look at when considering the risk that litigation poses following a breach.  They note:
 Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach.
They then go on to list factors to consider in assessing risk:
  1. Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
  2. Were the records lost encrypted, obscured, or de-identified?
  3. Could the type of information lost be used to commit identity theft?
  4. Did patients suffer any direct monetary harm?
  5. Has there been any evidence of actual identity theft?
  6. Could the data loss hurt the reputation of a patient or cause emotional distress?
  7. Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
  8. If so, what percentage of impacted consumers availed themselves of your offer?
  9. If filed as a class action, is the class representative’s claim of identity theft premised on unique facts?
Unfortunately, the article doesn’t indicate whether their list of factors is ranked in order of importance/predictive value or is just in random order.  Looking at their list, I think 3, 4, 5, and 6 may be the most predictive of whether standing would be conferred, but I’ve written to them to ask their opinion, and will update this post if I get a response.
Their article also lists allegations plaintiffs have made that courts have not found sufficient to confer standing and allegations which some courts have found sufficient to confer standing.
Read the article here.
For another perspective on the risks of litigation with reference to specific court opinions, read No harm, no foul? Private and public litigation in cybersecurity law.


Is this the future of IT?  At minimum the architecture is changing. 
Exclusive: Why Microsoft is betting its future on AI
   No matter where we work in the future, Nadella says, Microsoft will have a place in it.  The company’s "conversation as a platform" offering, which it unveiled in March, represents a bet that chat-based interfaces will overtake apps as our primary way of using the internet: for finding information, for shopping, and for accessing a range of services.  And apps will become smarter thanks to "cognitive APIs," made available by Microsoft, that let them understand faces, emotions, and other information contained in photos and videos.
   In January, The Verge described the tech industry's search for the killer bot.  In the months that followed, companies big and small have accelerated their development efforts.  Facebook opened up a bot development platform of its own, running on its popular Messenger chat app.  Google announced a new intelligent assistant running inside Allo, a forthcoming messenger app, and Home, its Amazon Echo competitor.  Meanwhile the Echo, whose voice-based inputs have captivated developers, is reportedly in 3 million homes, and has added 1,200 "skills" through its API.
   But to win, Lu says, a company needs five "key assets."  The first is a "conversation canvas" — a place where people are doing lots of talking and texting.  Microsoft has Office, Outlook, Skype, and Cortana.  The second is that AI "brain" — a sophisticated mental model of the world.  Microsoft says its own AI efforts date back nearly 20 years.  The third is access to a social graph — people’s activity on the internet often involves their friends and coworkers.  Not coincidentally, a few days after I met Lu, Microsoft announced it would spend $26.2 billion to acquire LinkedIn, and its 433 million registered users.
The fourth piece is a platform for the artificial intelligence to operate on.  Microsoft has Windows and a family of devices, notably the Xbox.  The final piece is a network of developers eager to build on your platform, and to pay you for the privilege.  Stoking that interest had been the primary goal of the Microsoft Build developer conference in March.


Is this the future of law enforcement?  Do remotely controlled robots allow cooler heads to determine how much force is required? 
The Dallas Shooting and the Advent of Killer Police Robots
   “I’m not aware of officers using a remote-controlled device as a delivery mechanism for lethal force,” said Seth Stoughton, an assistant professor of law at the University of South Carolina who is a former police officer and expert on police methods.  “This is sort of a new horizon for police technology.  Robots have been around for a while, but using them to deliver lethal force raises some new issues.”


Thoughtful analysis.  The WSJ does this well.  (even guest writers)
Roads That Work for Self-Driving Cars
In May, a Tesla “autopilot” enthusiast in Florida became the first known fatality in a self-driving car.  But this was no ordinary accident.  The car performed exactly as designed, and the (non)driver’s failure to take any corrective action could reasonably have been foreseen by the manufacturer.  This unwelcome yet widely anticipated milestone may set back progress on what promises to be one of the most valuable technologies of the 21st century.
   The National Highway Traffic Safety Administration is soon expected to issue rules that will mandate transponders for all new cars and most trucks.  This will permit vehicles to broadcast their speed, heading and braking status to anyone or anything within 300 meters, which is well beyond the range of current onboard sensors.  These devices, called “V2V” (vehicle-to-vehicle) communicators, can see around corners and convey a driver’s intent (such as, say, an impending left turn), along with other relevant information.
   The potential economic and social benefits of self-driving technology are difficult to overstate.  When the taxi you summon arrives within seconds and doesn’t require a driver, personal transportation will be far more convenient and much cheaper.  You won’t want to own (or insure) your own car.  Garages will go the way of outhouses, and the 14% of Los Angeles real estate devoted to parking can be repurposed for higher uses.
   In the fatal self-driving accident in Florida, the car failed to recognize that a truck traveling in the other direction was about to make a left turn in front of it.  Tesla pointed out that the driver also failed to take corrective action.  As the company said in a statement, “When drivers activate Autopilot, the acknowledgment box explains, among other things, that Autopilot is an assist feature that requires you to keep your hands on the steering wheel at all times.”
This disclaimer may mitigate Tesla’s liability, but it’s simply not practical to ask passengers in a self-driving vehicle to remain alert and engaged.  Reports from the accident scene in Florida suggest that the driver may have been watching a “Harry Potter” movie on a portable DVD player at the time.
The risk now is that politicians and government agencies, reacting to such unfortunate incidents, will enact a hodgepodge of new regulations that will hamper the development and adoption of the technology.


For all my students, not just the Computer Security students.
Should You Accept LinkedIn Invites from Strangers?
A recent survey, reported in SC Magazine, found that 24% of surveyed LinkedIn users have connected with people they didn’t know on the professional social network, despite LinkedIn’s repeated warnings not to do so.  Why is this an issue?
Because LinkedIn can be a vector for spear-phishing and other types of attacks.


Tips for my students.  My students already snap pictures of my math problems from the whiteboards.
Get Mad Detective Research Skills with PDF Tricks & a Smartphone
The smartphone is an invaluable tool for capturing data wherever you are.
No matter what you’re researching or what real-world information you need to save,
Maybe you are a university student who needs to archive newspaper clippings on microfiche, an archivist who wants to save a page or two from an antique book, or a web researcher who needs to archive emails and web pages?
The PDF format — and the smartphone apps that help you create and organize PDF documents — is one of the fastest ways to collect lots of information easily.


Humor in education. 
Hack Education Weekly News
   Via ProPublica: “New Jersey’s Student Loan Program is State-Sanctioned Loan-Sharking.”  [Hey!  It’s New Jersey, what else did you expect?  Bob] 
   Via the Texas Tribune: “Three University of Texas at Austin professors sued their university and the state on Wednesday, claiming Texas’ new campus carry law is forcing the school to impose ‘overly-solicitous, dangerously-experimental gun policies’ that violate the First and Second Amendments.”
[From the article:
"Compelling professors at a public university to allow, without any limitation or restriction, students to carry concealed guns in their classrooms chills their First Amendment rights to academic freedom," the lawsuit says. 
   Michigan State University has dropped its general ed requirement that students take college-level algebra.
   From the Berkman Klein Center: “Privacy and Student Data – An Overview of Federal Laws Impacting Student Information Collected Through Networked Technologies.”
   Via the Milwaukee Wisconsin Journal Sentinel: “Over the past three decades, state and local expenditures on prisons and jails have increased more than three times as fast as spending on elementary and secondary education, according to a new brief released Thursday by the U.S. Department of Education.”

Friday, July 08, 2016

For my Computer Security students.
Study: More than 50% of SMBs were breached in the past year
A new study conducted by the Ponemon Institute and sponsored by password management provider Keeper Security analyzed the state of cybersecurity in small and medium-sized businesses (SMBs) and found that confidence in SMB security is shockingly low (just 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective).
  • 50 percent of respondents reported that they had data breaches involving customer and employee information in the last 12 months.
  • Three out of four survey respondents reported that exploits have evaded their anti-virus solutions.
  • 59% of respondents say they have no visibility into employees' password practices and hygiene.
  • 65% do not strictly enforce their documented password policies.


The scale of a breach is very difficult to measure quickly, as articles like this consistently illustrate.
Remember when Wendy’s updated its breach disclosure in May to report that it was 300 stores impacted?  They subsequently revealed that they had found two types of malware and the number of impacted stores could be “considerably higher.”
Well, now it’s 1,025 stores.  Here’s their statement from today:
   Wendy’s first reported unusual payment card activity affecting some restaurants in February 2016.  In May, we confirmed that we had found evidence of malware being installed on some restaurants’ point-of-sale systems, and had worked with our investigator to disable it.  On June 9th, we reported that we had discovered additional malicious cyber activity involving other restaurants.  That malware has also been disabled in all franchisee restaurants where it has been discovered.  We believe that both criminal cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.
[Apparently only the Wendy’s in Thornton Colorado was hit.  Bob]


Ah the joys of having the latest technology!
Megan Scudellari reports:
“It knows too much,” says Wang, an assistant professor of computer science at Binghamton University in Upstate New York. “If you are using a smart watch, you need to be cautious.”
He would know.  Wearable devices can give away your PIN number, according to research he and colleagues presented in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China.  By combining smart watch sensor data with an algorithm to infer key entry sequences from even the smallest of hand movements, the team was able to crack private ATM PINs with 80 percent accuracy on the first try and more than 90 percent accuracy after three tries.
Read more on IEEE Spectrum.


Computer Security, Data Management and Data Architecture! 
Buyers Beware: The Latest Wave of Retail Cyber Scams
   “Retailers have been caught out by bad data architecture.  You should never store sensitive information on a network that third-party vendors have access to.  Create a systematic classification categorizing what’s sensitive and what’s not,” suggests Yoo.
Daniel Garrie, CEO of consulting firm Law & Forensics and senior advisor at Risk Assistance Network and Exchange (RANE), suggests to his retail clients to go as far as providing cybersecurity to the vendors themselves.  “I tell my clients you need to secure them. Spending any amount of money is worth it if these are vendors you can’t live without.”


Will this reignite the encryption debate?  Stay tuned. 
‘Secret Conversations:’ End-to-End Encryption Comes to Facebook Messenger
Just a few years ago, end-to-end encryption was a nerdy niche: a tiny collection of obscure software let you encrypt communication so only your recipient could read it, but the vast majority left you no option to hide your words from hackers or eavesdroppers.  This year, that balance shifted.  And now, roughly 900 million more people are about to be invited into the crypto club.
On Friday, Facebook plans to roll out a beta version of a new feature it calls “secret conversations.”  It’s encrypted messages, end-to-end, so that in theory no one—not a snoop on your local network, not an FBI agent with a warrant, not even Facebook itself—can intercept them.  For now, the feature will be available only to a small percentage of users for testing; everyone with Facebook Messenger gets it later this summer or in early fall.


I’ll use this the next time I teach Statistics.  Isn’t the question wrong?  Did insurance rates change for these drivers? 
From TheNewspaper:
Three years ago, the insurance industry set up ten covert speed cameras across Northern Virginia to photograph and access the personal information of 65,000 drivers.  A motorist rights group is crying foul.  The Insurance Institute for Highway Safety (IIHS) gathered all of this data to make a political point.
“The association between higher speed limits and faster vehicle speeds is well-established, but not as much is known about how horsepower affects travel speeds,” wrote in a May 24 report.
The report was made possible by the 2014 decision of Virginia Department of Motor Vehicle Commissioner Richard D. Holcomb to release vehicle identification number (VIN), age and sex information from the records of 65,000 vehicle owners.  IIHS compared this personal information against the facial photograph captured by the industry’s speed cameras to conclude that vehicles “packing more horsepower” drive faster than the posted speed limit.
[…]
“Why precisely the insurance industry advocates felt the need to capture facial images of drivers and compare that to personal data in DMV records is a mystery,” NMA president Gary Biller told TheNewspaper.  “Identifying drivers isn’t germane to the horsepower versus speed question.”
Indeed.  And they could have let me know so that I could comb my hair before blowing off their speed limits in my little sports car.
Read more on TheNewspaper.com.


Well, if no one in Congress cares…
EFF – FBI Must Not Sidestep Privacy Protections For Massive Collection of Biometric Data
by Sabrina I. Pacifici on Jul 7, 2016
Iris Scans, Palm Prints, Face Recognition Data, and More Collected From Millions of Innocent Citizens – “The FBI, which has created a massive database of biometric information on millions of Americans never involved in a crime, mustn’t be allowed to shield this trove of personal information from Privacy Act rules that let people learn what data the government has on them and restrict how it can be used.  The Electronic Frontier Foundation (EFF) filed comments today with the FBI, on behalf of itself and six civil liberties groups, objecting to the agency’s request to exempt the Next Generation Identification (NGI) database from key provisions of federal privacy regulations that protect personal data from misuse and abuse.  The FBI has amassed this database with little congressional and public oversight, failed for years to provide basic information about NGI as required by law, and dragged its feet to disclose—again, as required by law—a detailed description of the records and its policies for maintaining them.  Now it wants to be exempt from even the most basic notice and data correction requirements…”

(Related)  “We’re going to do it, but we don’t know what we’re going to do yet.” 
Ilan Lior and Or Kashti report:
Interior Minister Arye Dery announced on Thursday that starting next year, joining the biometric database will be obligatory.
“From now on anyone obtaining a document from the Interior Ministry, whether an ID card or a passport, will receive a biometric one.  We’ve decided on having this database and we’ll soon decide what will be included in it,” Dery said at a ceremony marking the millionth person to join the biometric database, which was held at the new Population and Immigration Authority office in south Tel Aviv.
Read more on Haaretz.
So with the U.S. banking sector also embracing biometrics, and with everyone’s Social Security number already having been leaked or compromised in numerous breaches, can the U.S. be far behind in switching to biometrics for identity authentication?
And if so, isn’t it even more important, then, that the FBI not be able to exempt the biometrics database from Privacy Act protections?  Have you signed EFF’s petition on this?  If not, go do so right now.


Perspective.  At least, something to think about.
Deciphering Facebook's Software Philosophy
Last week, Facebook offered a peek into the philosophy governing its News Feed algorithm, the piece of software that decides which posts are shown to people when they log into the platform’s app or homepage.  The announcement was more than just academic.  One in five adults worldwide use Facebook, and 44 percent of Americans get their news from the platform.  If traditional agenda-setting news barons like Rupert Murdoch count as powerful, then surely the News Feed algorithm wields influence, too.  In fact, its algorithm may be one of the most powerful pieces of software in the world.
Which makes the ideas governing such a piece of software extra-important.  These particular ideas came in a blog post entitled “News Feed Values,” written by Adam Mosseri, a Facebook vice president and the product manager of the News Feed.  The post is a list of broad principles and vague promises that users should expect from their News Feed.  It was at once a piece of marketing and—more interestingly—a set of operational ethics, a kind of guide to what Facebook values when it decides to alter the feed.

(Related)
Pew – The Modern News Consumer
by Sabrina I. Pacifici on Jul 7, 2016
“Wave after wave of digital innovation has introduced a new set of influences on the public’s news habits.  Social media, messaging apps, texts and email provide a constant stream of news from people we’re close to as well as total strangers.  News stories can now come piecemeal, as links or shares, putting less emphasis on the publisher.  And, hyper levels of immediacy and mobility can create an expectation that the news will come to us whether we look for it or not.  How have these influences shaped Americans’ appetite for and attitudes toward the news?  What, in other words, are the defining traits of the modern news consumer?  A new, two-part survey by Pew Research Center, conducted in early 2016 in association with the John S. and James L. Knight Foundation, reveals a public that is cautious as it moves into this more complex news environment and discerning in its evaluation of available news sources…”


The difference is important!
Augmented vs. Virtual Reality: What’s the Difference?
   Augmented reality (AR) refers to devices that combine elements of the real world with virtual aspects laid over it.  This often manifests itself in using your phone’s camera to display the “real world” with a virtual overlay, though not always.
   VR essentially boils down to: creating an entire world within virtual space.  Whereas augmented reality relies on input from the “real world”, virtual reality aims to create its own distinct and separate world.


For the Movie club?
Watch 100+ Free Public Domain Movies on YouTube Now
   The list of films on the aptly named Public Domain Full Movies channel is truly staggering, ranging from some in the 60s and 70s, and going all the back to the silent film era of the early 1900s.

Thursday, July 07, 2016

No indication of how long this was going on.  Sounds like the employee had access to “network drivers” when he shouldn’t have. 
Alexa Huffman reports:
Snooping on personal staff data, including SIN numbers, salaries and spouse names, led to a SaskPower employee being fired in January.
According to a report released in June by the Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, the employee inappropriately accessed 4,382 human resources files from current and former employees at the Crown-owned company.
The report said the information included names, addresses, social insurance numbers, salaries and life insurance coverage and beneficiaries.
Read more on Global News.
[From the article:
SaskPower concluded that the breach was due to the employee searching network drives.  The report says the employee then previewed and saved the files to his corporate workstation without a business purpose.
The employee also put the files onto portable storage devices.
   SaskPower has improved systems security including locking affected network folders so they can only be accessed by authorized users, the report says.
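Both the FDIC audit item above (a DLP tool generating more potential violations than staff could review, so a bulk copy to removable media was not treated as major) and this SaskPower item (one account reading 4,382 HR files from a network share, saving them locally and copying them to portable storage) describe the same triage gap. The following script is an added example, not code from either report or from any DLP vendor: it aggregates constructed file-share audit events per user so that the combination of bulk sensitive reads plus a removable-media copy surfaces as one reviewable finding instead of thousands of raw alerts. The event format, the field names, the HR-share path convention and the `BULK_THRESHOLD` value are all assumptions for illustration.

```python
"""Triage constructed file-share audit events to surface the insider pattern the
FDIC and SaskPower items describe: one account reading an unusually large number
of HR files, saving them locally and copying them to removable media.

Everything here is an assumption for illustration: the event format, the field
names, the path convention and the thresholds. It is not a vendor DLP schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit log (not real data). One event per line:
# <timestamp> <user> <action> <path> <bytes>
SAMPLE_LOG = """\
2016-01-11T08:02:11Z jdoe READ //fs01/hr/payroll/emp_0001.xlsx 40960
2016-01-11T08:02:19Z jdoe READ //fs01/hr/payroll/emp_0002.xlsx 40961
2016-01-11T08:02:27Z jdoe READ //fs01/hr/benefits/emp_0003.pdf 102400
2016-01-11T08:02:33Z jdoe READ //fs01/hr/benefits/emp_0004.pdf 98304
2016-01-11T08:02:41Z jdoe READ //fs01/hr/payroll/emp_0005.xlsx 40962
2016-01-11T08:02:50Z jdoe READ //fs01/hr/payroll/emp_0006.xlsx 40963
2016-01-11T08:05:02Z jdoe SAVE_LOCAL C:/Users/jdoe/Desktop/hr_export.zip 365000
2016-01-11T08:07:45Z jdoe COPY_TO_REMOVABLE E:/hr_export.zip 365000
2016-01-11T09:10:00Z asmith READ //fs01/hr/payroll/emp_0042.xlsx 40960
2016-01-11T09:12:00Z bjones READ //fs01/eng/designs/turbine_v3.dwg 2048000
2016-01-11T09:13:00Z bjones READ //fs01/eng/designs/turbine_v4.dwg 2100000
2016-01-11T09:15:00Z bjones COPY_TO_REMOVABLE E:/turbine_v4.dwg 2100000
not a valid event line
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>READ|SAVE_LOCAL|COPY_TO_REMOVABLE) "
    r"(?P<path>\S+) (?P<size>\d+)$"
)
# Assumed classification: anything under the HR share holds employee PII.
SENSITIVE_PREFIXES = ("//fs01/hr/",)
# Assumed tuning: more distinct sensitive files than this in one window is "bulk".
BULK_THRESHOLD = 5


@dataclass
class UserActivity:
    sensitive_files: set = field(default_factory=set)
    other_files: set = field(default_factory=set)
    local_saves: int = 0
    removable_copies: int = 0


def parse_events(text):
    """Parse log lines into dicts; malformed lines are counted, not silently dropped."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["size"] = int(ev["size"])
        events.append(ev)
    return events, malformed


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def summarize(events):
    """Aggregate per-user activity so a reviewer sees counts instead of raw alerts."""
    per_user = defaultdict(UserActivity)
    for ev in events:
        act = per_user[ev["user"]]
        if ev["action"] == "READ":
            bucket = act.sensitive_files if is_sensitive(ev["path"]) else act.other_files
            bucket.add(ev["path"])
        elif ev["action"] == "SAVE_LOCAL":
            act.local_saves += 1
        elif ev["action"] == "COPY_TO_REMOVABLE":
            act.removable_copies += 1
    return per_user


def triage(events, bulk_threshold=BULK_THRESHOLD):
    """Return {user: [reasons]} for users whose combined behaviour warrants review.

    A single sensitive read (asmith) or a removable copy of non-sensitive data
    (bjones) is not flagged on its own; the combination is what matters.
    """
    findings = {}
    for user, act in summarize(events).items():
        reasons = []
        n = len(act.sensitive_files)
        if n > bulk_threshold:
            reasons.append(f"bulk sensitive access: {n} distinct HR files")
        if n and act.removable_copies:
            reasons.append("sensitive data read and removable-media copy in same window")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {bad} malformed")
    for user, reasons in triage(evs).items():
        print(user, "->", "; ".join(reasons))
```

Run as-is it flags only `jdoe`, with two reasons, and leaves `asmith` (one HR read) and `bjones` (removable copy of engineering files) unflagged; the point is that a reviewer with limited time gets one consolidated finding per account rather than a queue of individual DLP hits, which is the failure mode the FDIC audit describes. In production the per-user window, the sensitive-path list and the threshold would come from the organisation's own data classification rather than the constants assumed here.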


I don’t get the attraction, but is this a Security risk for children?  Sure sounds like it. 
Australian cops to Pokemon fans: Do not come looking for Pikachu in our police station
The new smartphone app Pokémon Go begins with a warning screen.
Pokémon Go simply wants its players to avoid physical trauma.
Played on a smartphone screen in lieu of a Game Boy or other handheld console, Pokémon Go uses cameras and GPS to construct an augmented reality in which collectible 3-D monsters float over physical locales.
To collect these digital critters, you have to get off the couch, get outside and track them down.
   The team behind Pokémon Go — developers Niantic Labs and video game giant Nintendo — is concerned that you may walk off a bridge, for instance, while you are engrossed in a real-world hunt for the digital critters.  Recognizing that the app, which launched in the United States late Wednesday, may encourage the sort of obliviousness that comes when noses are buried in smartphones, other groups began issuing their own warnings, too.


This should interest both my Computer Security and Data Management students.
Businesses in the Dark on Value of Corporate Data
According to the company’s Risky Business Report, only 28% of CISOs conduct regular exercises to categorize and value the data within the company, which allows them to evaluate the risk associated with the loss of this data.  In fact, 17% of surveyed business executives say they didn’t take action in this regard, while 55% of them have taken partial action, the report (PDF) reveals.
What’s more, 40% of responding CISOs said they have no clear view into the location and nature of their information assets, IRM says.  The risks associated with poor knowledge of the value of data include difficulties in building an effective protection strategy, or in determining the amount that should be invested in data protection solutions, Charles White, Founder and CEO of IRM, warns.
Findings in the report are in line with thoughts from SecurityWeek columnist Rafal Los, on what he believes is the most important security question nobody seems to be able to answer: “What is your organization’s sensitive data, and where is it?”


Gosh, what would government workers do all day?
House passes bill to block porn from feds' computers


I already have one (several?) starting with Cortana. 
Are You Ready for Robot Colleagues?
   if robots become as clever as we are, how will the role of managers change?
Bernd Schmitt, the Robert D. Calkins Professor of International Business at Columbia Business School, thinks the convergence is coming, and that managers have to start preparing now.


Beware of bragging on film.
A new film gives a frightening look at how the US used cyberwarfare to destroy nukes
   A fascinating new documentary film by Alex Gibney called "Zero Days" that premieres on Friday tells the story of Stuxnet, along with the frightening takeaway that, while this was the first cyber weapon, it will certainly not be the last.
   First authorized by President Bush and then re-authorized by President Obama, the top secret computer worm was designed by the US and Israel to infect an Iranian nuclear enrichment facility at Natanz.
And it did. Too well.
The code made its way into the facility and infected the specific industrial control systems the Iranians were using.  Once it turned itself on about 13 days after infection, it sped up or slowed down the centrifuges until they destroyed themselves — all while the operators' computer screens showed everything was working as normal.
   The most incredible revelation from the film comes from Gibney's NSA source, who talks about a much larger operation than Stuxnet.  It's a news-breaking claim that The New York Times has since corroborated: The US had an in-depth cyber attack plan that was much larger than Natanz.
"We were inside, waiting, watching," the source says.  "Ready to disrupt, degrade, and destroy those systems with cyber attacks.  In comparison, Stuxnet was a back alley operation.  NZ was the plan for a full scale cyber war with no attribution."
NZ is the acronym for a separate operation called Nitro Zeus, which gave the US access into Iran's air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.
   Now there is a new weapon that can do a better job at destruction than bombs.  But the difference between highly-controlled nuclear materials and computer code is that anyone — and any state — can develop it.
“It seems pretty reasonable to think that there are things out there today that we haven’t seen that are much more advanced [than Stuxnet]," O'Murchu told TI in a phone interview.
We'll just have to wait and see who uses it next.


What am I missing?  Did the Post suddenly turn on Hillary?  This does not read like a typical Post article. 
How the FBI director systematically dismantled Hillary Clinton’s email defense


Because I need a guide.
Hey, granddad, here’s a Millennial’s guide to Snapchat 
   The social media app that’s popular with the youngest Millennials is now booming with older people:  Now 38% of people ages 25 to 34 use the flighty picture-sharing app, according to an online report — a 100% increase from just two years ago.  And 14% of people over 35 use the app, too — which represents a 35% jump.
At this point, the only adults not using Snapchat are the ones who don’t get it.  So let this bona fide Millennial — I’m 18 — explain it to you old folks:

(Related)
10 Practical Tips for New Periscope Users
Periscope is a live-streaming app owned by Twitter that allows users to broadcast moments of their lives with followers across the globe.  Viewers can interact with broadcasters through comments, and live streams can be shared through social media much like any other kind of photo or video post.

(Related)
10 Things You Didn’t Know You Could Do On Instagram


Includes my personal nemesis, the translator.
10 Handy Productivity Add-Ins for Microsoft Word

Wednesday, July 06, 2016

Local.  The hackers were inside but opted to test their ransomware rather than steal just a few thousand patient records?  Or perhaps they did that first. 
Jennie Trejo reports:
Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR), a full-service allergy clinic, found evidence of ransomware on its computer systems on May 16.
[…]
Kari Hershey, an attorney for AAIR, said the disturbance was first noticed when they had trouble accessing a few of the documents.
[…]
“They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system,” Hershey said.  “The way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.
Because the ransomware was still in its early stages, there is no evidence that any of the information on the system has been copied or used in any way, although it did pass through a password protected firewall.  Hershey said they would expect to know if sensitive information was harvested by this point in the investigation.
“Having said that, there was a breach of the system.  Just out of an abundance of caution, we do want people to sign up for an identity theft protection program.  That way if they do have a problem they can get help.”
Read more on the Post Independent.
The incident was reported to HHS as affecting 6,851 patients.


For my Computer Security students – at least those who drive to school.
Automotive cybersecurity; what we don't hack will probably be used to kill us
   Just imagine your own car traveling at speed and having your ability to steer, alter speed, and brake, taken away and then being ransomed to regain control.
Think this impossible? Last year, Wired wrote about a couple of hackers remotely disabling a Chrysler Jeep Cherokee while it was heading down a freeway at 70 miles per hour.
   The subsequent paper by Miller and Valasek, Remote Exploitation of an Unaltered Passenger Vehicle, goes into even more detail on how the hack was engineered.
   Should you want to know more about automotive hacking, you might like to check out the recently published The Car Hacker’s Handbook: A Guide for the Penetration Tester by Craig Smith.


Together, a userid and password are intended to identify an individual.  Sharing them for any reason defeats the purpose. 
Court decision raises issues about sharing passwords
An appeals court has ruled that a former employee of a company, whose computer access credentials were revoked, had acted “without authorization” in violation of the Computer Fraud and Abuse Act, when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.
The opinion of the court is likely to be controversial as it is expected to have implications on commonplace sharing of passwords by husbands, co-workers and friends even for innocuous purposes.
One of the three judges, Stephen Reinhardt, dissented from the majority opinion, stating that “people frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it.”
The CFAA in his view “does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”


This could be useful.
Microsoft Proposes Independent Body to Attribute Cyber Attacks
Microsoft has published a paper that proposes a series of recommended 'norms' of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms.  Most of the norms are uncontentious and self-evident - but one in particular (which is a form of 'responsible disclosure') is less so.  Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.
From Articulation to Implementation: Enabling progress on cybersecurity norms was developed by a team led by Scott Charney, Microsoft's Corporate Vice President for Trustworthy Computing.


Something subtle for my Computer Security students to ponder.
How social media is changing what can be said, when and where
   When Dave closes a deal he takes the team out for beers, treats his family to a nice dinner out and brags about it on his social media accounts.
   Amy, in your accounting department, has a different social media presence.
She blogs regularly on Tumblr and posts selfies on Instagram while in pensive poses when problems overwhelm her.
Both Dave and Amy represent major risks for your company.
   Dave is a bit of a braggart, and investors read his tweets with interest.  When he tweets about beating his toughest competitor in a sales presentation and landing a big contract, the investors buy.
Dave has given them insider information and doesn't even know it.
   Employees who follow Amy's social media accounts sense that there's something wrong.  They see her stress level increasing, note the workload on her desk and worry about their own future.  Productivity drops.  Rumors start.  Bad things happen.
   Both Dave and Amy have innocently been doing what millions of people do every day - they have been posting about their personal lives on their social media accounts.  But what they haven't realized - and what may affect your company - is that what they write, post or repeat on social media can cause employee problems, productivity issues and even financial damage.
It's because your company doesn't have a social media policy.  In today's world you need to be aware of, or perhaps even control, what is said on your employees' Facebook, Twitter, Instagram or even Pinterest accounts.


Interesting, thoughtful and amusing.
Did The FBI End Clinton’s Email Problems Or Make Them Worse?


IT Architecture.
The future of company devices may be ‘as-a-Service’
   The ability to deploy only assets as needed based on workload is a big one.  This means a company has the ability to flex up, adding devices as needed when its workforce grows.  More importantly, however, is the ability to flex down.  The problem with the traditional PC procurement model is companies that decrease the size of their workforce due to seasonal changes, layoffs, or the like, have to deal with the surplus of PCs (and sunk costs) that result.  In a DaaS model, the provider takes back those devices, potentially redeploying them with another client.


I wonder if it would recognize all the hand gestures I learned back in New Jersey?  If so, would it try to run me down? 
Google's robot cars recognize cyclists' hand signals — better than most cyclists

Tuesday, July 05, 2016

I thought there might be too many politicians on this site.  Was I wrong? 
I can’t say I’m surprised, but it’s nice to get some confirmation.  Alastair Sharp and Allison Martell of Reuters report that the Federal Trade Commission is investigating Avid Life, parent company of Ashley Madison.
But what is the scope of their investigation?  Executives admitted to Reuters that the use of “fembots” is part of the investigation, which makes sense under the FTC’s authority to address deceptive practices.  But is FTC also investigating their data security in light of their massive breach?  I would hope so.  Avid Life executives told Reuters they still don’t know how the breach occurred.
I expect that this investigation will result in a consent order with a whopping monetary component to reimburse consumers who were duped by fembots, but we’ll see in time.


Advertise with us and we’ll guarantee many people will see your ad, even if we have to create virtual people.
HummingBad malware infects 85 million Android devices
An Android-based malware campaign masterminded from China has snared as many as 85 million Android devices and is making the gang behind it an estimated $1m every quarter.
Security software and services company Check Point claimed that it has had its eye on the Yingmob gang for five months, describing it as sophisticated, well-staffed and highly profitable. 
Its tool of choice is a piece of malware called HummingBad, and the group works alongside an official advertising analytics company, according to Check Point's From HummingBad to Worse report (PDF).
"HummingBad is a malware Check Point discovered in February 2016 that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps," Check Point explained in a blog post.


A long report that says, “We don’t know what to do.” 
House Homeland Security Report – Going Dark, Going Forward: A Primer on the Encryption Debate
by Sabrina I. Pacifici on Jul 4, 2016
June 29, 2016: “Terrorist attacks in Paris and San Bernardino have sparked a public debate on the use of encryption in our society because the attackers used encrypted communications to evade detection, a phenomenon known as “going dark.”  Today, the Majority Staff of the House Homeland Security Committee released a new report entitled, Going Dark, Going Forward: A Primer on the Encryption Debate.  This first Congressional in-depth analysis of the issue summarizes the Committee’s findings, based on more than 100 meetings and briefings Committee staff and Members have held with key stakeholders over the past year.  In addition to providing insight into arguments on all sides of the encryption debate, the report lays the groundwork for a National Commission on Security and Technology Challenges proposed by Homeland Security Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA).  The bipartisan Commission has broad support from former and current Administration officials, national security leaders, law enforcement, and the tech industry, and will help to forge a general concurrence of opinions, informed by a common understanding of the underlying facts.  Ultimately this effort will provide a better understanding of digital security issues for Congress and the American public.  The report released today will help inform and advance debate that centers around balancing personal cyber security and national security.”


Perspective.
Snapchat’s Teen Fans Wince as App Catches On With Their Folks
   Since its founding five years ago, Snapchat has become a digital mecca for high school and college-age students, allowing them to send photos and videos that disappear in a matter of seconds.  It has amassed 150 million daily active users, said a person familiar with the matter.
Snapchat also has been a refuge from parents.  Until lately, that is.
Now, the “olds” are arriving in force, whether they are parents spying on their kids, or professionals trying out another social-media platform.


Numbers that I didn’t catch elsewhere.
Significant Digits For Tuesday, July 5, 2016
28 months
That’s how long the House select committee’s investigation into the 2012 Benghazi attacks lasted, exceeding the amount of time high-profile Congressional committees spent digging into Watergate, the assassination of John F. Kennedy, the Sept. 11 attacks and Pearl Harbor. [AJC]
20,000 pounds of cheese
Crime of the century in Wisconsin: 20,000 pounds of cheese from U.S. Foods, en route from Green Bay to New York, was stolen.   [The Associated Press]


The world changes again.  The Saudis had the most accessible oil early in the last century.  Then Russia figured out how to extract oil when wells could freeze.  Now with shale extraction, the US looks big.  Still, there is only 70 years of oil left at the current rate? 
US oil reserves surpass those of Saudi Arabia and Russia
   Rystad Energy estimates recoverable oil in the US from existing fields, discoveries and yet undiscovered areas amounts to 264bn barrels.  The figure surpasses Saudi Arabia's 212bn and Russia's 256bn in reserves.
The analysis of 60,000 fields worldwide, conducted over a three-year period by the Oslo-based group, shows total global oil reserves at 2.1tn barrels.  This is 70 times the current production rate of about 30bn barrels of crude oil a year, Rystad Energy said on Monday.
   More than half of the US's remaining oil reserves are in unconventional shale oil, Rystad Energy data show.  Texas alone holds more than 60bn barrels of shale oil.