Saturday, September 03, 2016

The extent of a breach is not always clear.  I think most breaches are updated as more information becomes available.
Noble House & Resorts seems to have updated its disclosure concerning the payment card breach reported recently to include more properties and restaurants than they had known about at the time of their first public statement.  At that time, the only property that they had confirmed as compromised was Ocean Key Resort & Spa.


This is a rather extreme example of “clueless.”
Noble House & Resorts wasn’t the only hospitality sector issuing a breach disclosure in the past 24 hours   Hutton Hotel also broke news of a payment card breach to its customers, but whereas Noble House’s breach began in April 2016, Hutton’s appears to have begun in 2012.
NASHVILLE, Tenn., Sept. 2, 2016 /PRNewswire/ — Hutton Hotel values the relationship it has with its guests and understands the importance of protecting payment card information.  After being alerted to a potential security incident by its payment processor, Hutton Hotel began an investigation of its payment card system and engaged a leading cybersecurity firm to assist.  Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.  The program could have affected payment card data—including cardholder name, payment card account number, card expiration date, and verification code—of guests who used a payment card to pay for or place hotel reservations during the period from September 19, 2012 to April 16, 2015, or who made purchases at the onsite food and beverage outlets from September 19, 2012 to January 15, 2015 and from August 12, 2015 to June 10, 2016.


Update.  How much would you spend to avoid this big an impact to revenues?  I wonder if everything is backed up now? 
Delta outage price tag: $100 million
Delta Air Lines says the August computer outage that led to thousands of flight cancellations cost the company about $100 million in lost revenue.
The Atlanta-based airline, whose annual revenue is about $40 billion, included the estimate in a monthly performance report Friday.  The amount includes both cancellations — about 2,300 over four days — and recovery efforts, Delta said.
Delta offered $200 travel vouchers to passengers whose flights were canceled or delayed for more than three hours during the outage, but it hasn’t said how many have sought the vouchers.
   Delta said the outage occurred after a hardware breakdown led to a power failure at an Atlanta facility.  Some of the airline’s servers were not connected to backup power, preventing a smooth restart.


For my (you had better be) researching Computer Security students.
Internet Tracking Has Moved Beyond Cookies
   A new survey from a group of Princeton researchers of one million websites sheds some light on the cutting-edge tricks being used to follow your digital trail.  Rather than placing a tracker on your browser, many sites are now “fingerprinting” — using information about your computer such as battery status or browser window size to identify your presence.
On this week’s What’s The Point, Arvind Narayanan, one of the authors of the Princeton study, discusses his research, the latest in online tracking and what you (and our lawmakers) can do to counter the trackers.


The French are a bit different…
Claire Lintingre reports:
The French Supreme Court recently ruled that an employer could not rely on the report of a private detective it had hired to spy on one of its employees to obtain an injunction against him because this was a breach of the employee’s privacy and that could not be justified, however legitimate were its concerns.
Read more about the case and ruling on the National Law Review.


Proof that Europeans are more neutral than us here in the US? 
The EU really doesn’t want your ISP blocking adverts or pornography
The European Union has put its foot down and said that ISPs and mobile networks that block advertisements and pornography are in breach of rules published by BEREC – the Body of European Regulators for Electronic Communications.
Currently, the EU allows network-level content blocking for three reasons: for security purposes, to comply with a nation state’s laws, or to manage network traffic.
   These rules essentially clarify the EU’s position on network neutrality, and contain more robust explanations of the rules surrounding zero-rating and “fast lanes”, in addition to network-level content blocking.


I imagine there will be many stories like these.  Sounds like a lawyer being very defensive to me. 
The 5 most outrageous things Hillary Clinton said in her FBI interview
Hillary Clinton was already having a bad week as polls show Donald Trump closing the gap between them and, in a few polls, even pulling ahead.  It got worse Friday after the FBI released Clinton's answers to investigators' questions over her use of a private email server, revealing some pretty damaging responses from the former Secretary of State.  

(Related) The article kind of rambles about. 
Hillary Clinton’s Team Lost a Laptop Full of Her Emails in the Actual Mail

(Related) Check it out yourself.
FBI FOIA Release – Hillary R. Clinton documents
by Sabrina I. Pacifici on Sep 2, 2016
Via WSJ.com: “On Friday afternoon September 2, 2016, the Federal Bureau of Investigation released a summary of its investigation into allegations that classified information was improperly stored or transmitted on a personal e-mail server Hillary Clinton used during her tenure as secretary of state.  The FBI also released its summary of former Mrs. Clinton’s July 2, 2016 interview with the FBI.  The FBI concluded its probe earlier this year and recommended not bringing charges in the matter.
Here are the documents released Friday:


Have we moved beyond, “Open the pod bay door, Hal?”  For my Architecture students. 
CHATBOTS EXPLAINED: Why businesses should be paying attention to the chatbot revolution
Advancements in artificial intelligence, coupled with the proliferation of messaging apps, are fueling the development of chatbots — software programs that use messaging as the interface through which to carry out any number of tasks, from scheduling a meeting, to reporting weather, to helping users buy a pair of shoes.
Foreseeing immense potential, businesses are starting to invest heavily in the burgeoning bot economy.
·  AI has reached a stage in which chatbots can have increasingly engaging and human conversations, allowing businesses to leverage the inexpensive and wide-reaching technology to engage with more consumers.


For my student gamers.  (Remember my cut!)


It’s Saturday already?
Hack Education Weekly News
   Via The New York Times: “Broadband Law Could Force Rural Residents Off Information Superhighway.”  The headline should, perhaps, read “laws,” as it’s currently restrictive laws in North Carolina and Tennessee that are curbing city-run Internet service providers who are reaching customers in areas that corporate providers won’t go.
   Via the AP: “A judge ruled Friday that school districts [in Florida] can’t hold 3rd graders back just because they score badly on a mandated standardized reading test, saying that classroom grades and teacher evaluations have to be considered.”

Friday, September 02, 2016

Not time to replace all those new chip cards, yet.  But that day is coming. 
Crooks are selling a skimmer that works on all chip card readers
   Researchers have spotted a website setting EMV skimmers -- at www.emvskimmer.com, if it hasn't already been taken down -- that claims to sell "the most advanced EMV chip data collector in the world."
And it's a scary piece of equipment.


According to the seller, it's powered by the point of sale terminal, and can hold information on up to 5,000 credit cards in its memory.  It can also be used on machines made by Ingenico and Verifone, as well as terminals on gas station pumps, ticket purchase stations, and on small ATMs, specifically those manufactured by Triton.  
The primary market for this device is Latin America, according to Andrei Barysevich, director of Eastern European research and analysis at Flashpoint.
The reason is that Latin America, an early adopter of EMV, is still heavily reliant on static data authentication chips, which allow the criminal using it to create usable new chip cards with the data it catches.
The rest of the world uses dynamic data authentication, where the codes sent to the terminal change with every transaction.  The criminals can still get the data, but can only use it to create magnetic stripe cards.
   "This technology can be used in any point of sale device," he said.  "It literally takes less than 10 seconds to install, and once installed, it stays there forever.


Pay attention!  This may be us in November!
Hong Kong Authorities 'Attacked by Chinese Hackers'
The attack occurred in August, in the run-up to parliamentary elections Sunday, as fear of Beijing's tightening grip on semi-autonomous Hong Kong creates unprecedented social and political divides.
California-based security firm FireEye said Friday a China-based group they have been tracking since 2011 attacked at least two Hong Kong government agencies early last month.


A quick heads-up for my students.
Samsung to Recall Galaxy Note 7 Smartphone Over Reports of Fires


Update.  “We still don’t know what happened?”
Massive Data Breach Puts French Sub Maker in Crosshairs
Officials in France and India have launched investigations of a massive data breach involving thousands of documents belonging to defense industry contractor DCNS, which was scheduled to deliver six Scorpene-class submarines to the Indian navy later this year.
   Indian government officials took up the incident with the director general of armament of the French government.  They asked for an investigation and for the findings to be shared with the Indian government.
The Indian government also is conducting an internal investigation to rule out any security compromise.  However, the leak appears to have taken place outside of India, according to defense officials.
The evidence so far has led some to suspect a link to state-sponsored activity or even organized crime, noted Pierluigi Paganini, chief information security officer at Bit4id.


Tilting at windmills?
ACLU urges FCC to crack down on cell phone trackers
The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), a digital rights group, filed an FCC complaint Thursday in which they attempt to illustrate the danger of cell phone tracking technology used by police.
   “The extreme secrecy surrounding use of cell site simulators has stymied effective oversight and left Americans’ cellular communications without sufficient protections against interference,” the filing reads.  “We are aware only of a handful of jurisdictions where lawmakers and the public have been presented with any information about cell site simulators prior to purchase or use.”
   The ACLU said it has found, “66 state and local law enforcement agencies in 23 states and the District of Columbia that own cell-site simulators,” noting that stingrays in these departments were often used “with frequency.”


Sure they are…
How Tech Giants Are Devising Real Ethics for Artificial Intelligence
   Now five of the world’s largest tech companies are trying to create a standard of ethics around the creation of artificial intelligence.  While science fiction has focused on the existential threat of A.I. to humans, researchers at Google’s parent company, Alphabet, and those from Amazon, Facebook, IBM and Microsoft have been meeting to discuss more tangible issues, such as the impact of A.I. on jobs, transportation and even warfare.
   The importance of the industry effort is underscored in a report issued on Thursday by a Stanford University group funded by Eric Horvitz, a Microsoft researcher who is one of the executives in the industry discussions. The Stanford project, called the One Hundred Year Study on Artificial Intelligence, lays out a plan to produce a detailed report on the impact of A.I. on society every five years for the next century.


I try to keep up.  Silly me.
How Instagram Opened a Ruthless New Chapter in the Teen Photo Wars
Exactly one month ago, Instagram pilfered a major feature from Snapchat, and the teen photo wars entered a new and more ruthless chapter.
   While a 24-hour Snapchat story lasts much longer than a 10-second disappearing Snapchat message, a 24-hour Instagram story perishes faster than an Instagram post, which is never automatically deleted.  In other words, Snapchat invented stories to promote permanence, but Instagram adopted them to encourage ephemerality.


Perhaps I could use this to start my book on “Academic Research by Drone.”
Open Source Guide to Drone Journalism
by Sabrina I. Pacifici on Sep 1, 2016
Via Poynter: “…a pair of….early adopters have teamed up to create a user-friendly (and open-source) guide to the burgeoning field of drone journalism.  With funding from The Knight Foundation, Matt Waite, a professor at the University of Nebraska, and Ben Kreimer, a beta fellow with BuzzFeed’s Open Lab for Journalism, Technology and the Arts, have put together the Drone Journalism Lab Operations Manual, a 23-page explainer on everything drone…”


You would never know this from talking to my students!
Pew – Book Reading 2016
by Sabrina I. Pacifici on Sep 1, 2016
“A growing share of Americans are reading e-books on tablets and smartphones rather than dedicated e-readers, but print books remain much more popular than books in digital formats.  Americans today have an enormous variety of content available to them at any time of day, and this material is available in a number of formats and through a range of digitally connected devices.  Yet even as the number of ways people spend their time has expanded, a Pew Research Center survey finds that the share of Americans who have read a book in the last 12 months (73%) has remained largely unchanged since 2012.  And when people reach for a book, it is much more likely to be a traditional print book than a digital product.  Fully 65% of Americans have read a print book in the last year, more than double the share that has read an e-book (28%) and more than four times the share that has consumed book content via audio book (14%).”


How do I learn something new in the modern age?  Simple.  I assigned my students the task of explaining BlockChain to me.  I either learn or I get to fail a bunch of students.  Win-Win! 
Original Satoshi Nakamoto Bitcoin White Paper

Thursday, September 01, 2016

Protecting Miss Daisy.
Dating-Website Users Fall Prey to Fake Profiles
   Cyber-swindlers lift photos of real people from the internet, and use the images to create fictitious profiles on dating sites such as Match.com, part of Match Group Inc. and the dominant brand in the U.S.’s $2.5 billion dating-services industry.
Victims lost nearly $120 million to “romance scams” in the first six months of 2016, up 23% from the year-earlier period, according to the FBI’s Internet Crime Complaint Center, which collects data on crimes primarily reported in the U.S.  The $203 million in losses from romance scams in 2015 exceeded most other internet crimes tracked by the center.
   Romance scammers often claim to be Americans temporarily working overseas, said Monica Whitty, a professor at the Cyber Security Centre at the University of Warwick in England and a romance-scam expert.  After a sometimes extended “grooming” process, the suitor manufactures emergencies and requests “loans,” saying his own funds are temporarily tied up, said Ms. Whitty.  Once hooked, victims struggle to cut ties because they become emotionally attached and because they often have “lent” large sums of money and want to get it back.  Scammers typically target people middle-aged and up, said U.S. authorities.


Perspective.
Risk Based Security reports:
Risk Based Security and RPS Executive Lines are pleased to announce the release of the latest installment of the Data Breach QuickView Report.  The MidYear 2016 Report shows that, while the number of data breaches for the year is down approximately 17% compared to the same time last year, the number of records compromised is off the charts, with over 1.1 billion – yes billion – records exposed in the first six months of 2016.  With another 6 months still to go, this year is already the worst year on record for the amount of sensitive information compromised.
Read more on RBS, where you can also request a copy of their report.
[NOTE: “This page (https://www.riskbasedsecurity.com/) is currently offline.” I’ll try again later.  Bob]

(Related) With lots of pretty graphs.
From the Information Commissioner’s Office, an interesting report with data for Q1 of 2016/17 by sector and attack type.
·         Not surprisingly, the greatest number of breaches were reported by the healthcare sector:
·         Analysis of the types of health data security incidents revealed that the most common sources were errors involving paper records, such as mailing or faxing errors, or loss or theft of paperwork:
·         Health data security incidents, which had decreased in 2015, appear to be increasing again:
·         Apart from healthcare, the general business and local government sectors showed the sharpest increase in reported incidents:
·         Cyber-incidents were the fifth most frequent source of a data security incident:
·         An analysis of the cyber incidents revealed that human error and exfiltration accounted for approximately half of reported incidents:
You can find additional details and analyses on the ICO’s web site.


My government in action inaction.
Naomi Jagoda reports:
The Internal Revenue Service identified close to 1.1 million taxpayers who were victims of employment-related identity theft from 2011 through 2015, but almost none of the victims were informed, a Treasury Department watchdog found in a report made public this week.
“Employment-related identity theft can cause significant burden to taxpayers, including the incorrect computation of taxes based on income they did not earn,” said J. Russell George, the Treasury inspector general for tax administration, whose office issued the report.
Read more on The Hill.


“Any sufficiently advanced technology is indistinguishable from magic.”  Arthur C. Clarke
Paper – Human identification using WiFi signal
by Sabrina I. Pacifici on Aug 31, 2016
Full text only available to subscribers, but the abstract alone will illuminate the extensive power of Wi-Fi sensing technology: “WiFi devices are now pervasive in our environment.  Recent research has demonstrated that it is possible to sense the perturbations created by human motion in the WiFi spectrum to identify basic activities, gestures and even keystrokes.  In this demo, we address the yet unsolved problem of human identification using WiFi spectrum sensing.  We present WiFi-ID, a device-free system that uses off-the-shelf equipment to uniquely identify individuals as they walk through urban spaces that are filled with WiFi transmissions.  Our system exploits the fact that each individual has a unique walking style which causes unique disturbances in the WiFi signals. WiFi-ID analyses the Channel State Information and extracts unique features that allow us to identify individuals.  We will demonstrate a functioning prototype of our system and use conference attendees as test subjects.”

(Ditto)
Andrew Couts reports:
The light surrounding you this very second may be used to expose how much money you make, where you live, when you’re home, and much more.
That’s the big takeaway from a new analysis of ambient light sensors by Lukasz Olejnik, a London-based security and privacy consultant and a researcher at University College London.  He warns that the data created by device light sensors may betray user privacy far more than anyone previously imagined.
Read more on the Daily Dot.
[From the article:
Because these values are so specific, a website or a hacker could use this data to identify specific users.  More troubling, writes Olejnik, this data could be used to “map the user's home arrangement,” and “discover its size, number or rooms” or more about the user's environment, including the time of day a user is working, how frequently a user moves around the house or leaves altogether, or simply the type of lighting a particular person prefers.


For the Computer Security book shelf. 
The NIST Cybersecurity Framework and the FTC
by Sabrina I. Pacifici on Aug 31, 2016
Via Andrea Arias at the FTC: “…The Framework provides organizations with a risk-based compilation of guidelines that can help them identify, implement, and improve cybersecurity practices.  The Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (ISO).  The Framework terms this compilation of practices as the “Core.”  This Core is composed of five concurrent and continuous functions—Identify, Protect, Detect, Respond, and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk.  Each function is further divided into categories tied to programmatic needs and particular activities.  In addition, each category is broken down into subcategories that point to informative references.  Those references cite specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.  The five functions signify the key elements of effective cybersecurity.  Identify helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities.  Protect helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.  Detect are the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.  Respond helps organizations develop effective incident response activities.  And Recover is the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach….”


Perspective.  Think this could happen in the US?
Reliance’s Ambani Lays Out Plan for Low-Cost Mobile Data in India
Mukesh Ambani, India’s richest man, on Thursday outlined his plans to shake up the country’s telecommunications industry through his new cellular company, which aims to steal customers from the competition and bring millions of Indians online for the first time by offering data at unprecedented rates.
The chairman of Reliance Industries Ltd. , told its annual general meeting that its wireless phone unit, Reliance Jio Infocomm Ltd., will undercut its competitors by offering data for 50 rupees (75 cents) per gigabyte and monthly plans for as little as 149 rupees ($2.23).  The first group of users signing up for the new platform, which launches Monday, will be offered free service until next year, Mr. Ambani said.
   His foray into cellular services began in 2002 with the launch of Reliance Infocomm Ltd., which triggered cutthroat price competition and a shake out.  Analysts expect he is trying to do the same with high-speed data connectivity.
At stake is potentially hundreds of millions of customers who—thanks to smartphones that now cost as little as $50—are getting online for the first time.  Consultancy McKinsey & Co. reckons roughly one billion people in India are still without internet access.  By next year it should overtake the U.S. as the world’s second-biggest smartphone market behind China, according to research firm IDC.
   Bharti Airtel Ltd. , India’s largest cellular company, this week began offering one-gigabyte data packages for $0.76 with a $22 upfront charge.


This is a polite way of saying that our government lied to us about the “agreement” they were so proud they had negotiated.
Exclusive: U.S., others agreed to 'secret' exemptions for Iran after nuclear deal - report
The United States and its negotiating partners agreed "in secret" to allow Iran to evade some restrictions in last year's landmark nuclear agreement in order to meet the deadline for it to start getting relief from economic sanctions, according to a report reviewed by Reuters.
The report is to be published on Thursday by the Washington-based Institute for Science and International Security, said the think tank’s president David Albright, a former U.N. weapons inspector and co-author of the report.
   Among the exemptions were two that allowed Iran to exceed the deal's limits on how much low-enriched uranium (LEU) it can keep in its nuclear facilities, the report said. LEU can be purified into highly enriched, weapons-grade uranium.
   The U.S. administration has said that the world powers that negotiated the accord -- the United States, Russia, China, Britain, France and Germany -- made no secret arrangements.


A “reality show” for my students?  We need to move quick!
Jessica Alba Joins Apple’s ‘Planet of the Apps’ Reality Series
   Producers have invited up to 100 aspiring app developers to submit proposals at PlanetOfTheApps.com for a chance to appear in the show, and extended the deadline to Wednesday, Sept. 21.


For history buffs. 
LC – Chronicling America through historic newspapers
by Sabrina I. Pacifici on Aug 31, 2016
Chronicling America is a website providing access to information about historic newspapers and select digitized newspaper pages, and is produced by the National Digital Newspaper Program (NDNP).  NDNP, a partnership between the National Endowment for the Humanities (NEH) and the Library of Congress (LC), is a long-term effort to develop an Internet-based, searchable database of U.S. newspapers with descriptive information and select digitization of historic pages.  Supported by NEH, this rich digital resource will be developed and permanently maintained at the Library of Congress.  An NEH award program will fund the contribution of content from, eventually, all U.S. states and territories.  More information on program guidelines, participation, and technical information can be found at http://www.neh.gov/projects/ndnp.html or http://www.loc.gov/ndnp/.


Worth a look!
Most schools will provide you with a sparkling new “.edu” email address, like john.doe@stanford.edu or john.doe@nyu.edu.  This email is your gateway to a world of discounted and free programs for which you’d need to shell out some big bucks otherwise.  Here’s just some of the stuff you can look forward to.

Wednesday, August 31, 2016

We may need BlockChain sooner than I thought. 
Exclusive: SWIFT discloses more cyber thefts, pressures banks on security
SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank.
In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank.
"Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters.  "The threat is persistent, adaptive and sophisticated - and it is here to stay." [Are they saying they can’t prevent these attacks?  Bob]
The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers.
   All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter.
   (For a graphic [Video, actually.  Bob] on how hackers made off with millions, click tmsnrt.rs/29WrMai)

(Related)
http://www.bespacific.com/collapsew3c-workshop-report-blockchains-and-the-web/
Collapse W3C Workshop Report: Blockchains and the Web
by Sabrina I. Pacifici on Aug 30, 2016
On August 26, 2016, “W3C published the report of the W3C Blockchains and the Web workshop held on 29-30 June, 2016, in Cambridge, Massachusetts, USA.  Participants at the workshop found many topics for possible standardization or incubation, including various aspects of identity and proof-of-existence, as well as smaller blockchain primitives that could increase interoperability across different distributed ledgers...  The organizers strove to have representation by different classes of stakeholders within the larger blockchain community, loosely organized around technology stacks and applications.  The technology stacks include Bitcoin, Ethereum, Hyperledger, and others.  Applications include identity and asset management, smart contracts, and infrastructure around a decentralized Web (IPFS).  The workshop was deliberately aimed at non-payment uses for blockchains, since W3C already has an existing Web Payments activity where payments-related technology is discussed…”


This is a new way to profit from security problems, so I want to find out what actually happened.  This does not seem to be a final resolution.  Who should step in?  The SEC might find this questionable, for example.
Study finds flaws in criticism of St. Jude cyber security
University of Michigan researchers on Tuesday said their own experiments undermine recent allegations of security flaws in St. Jude Medical Inc's pacemakers and other implantable medical devices.
Shares of St. Jude fell 5 percent on Thursday after short-selling firm Muddy Waters and its business partner, cyber security company MedSec Holdings Inc, alleged finding significant security bugs in the company's Merlin@home device for monitoring implanted heart devices.  They said the flaws could potentially enable others to remotely speed up the heart devices or drain their power.
The university said its researchers came "to strikingly different conclusions" after generating the conditions reported by Muddy Waters.
   "We're not saying the (Muddy Waters) report is false; we're saying it's inconclusive because the evidence does not support their conclusions," said Kevin Fu, University of Michigan associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
   Muddy Waters issued a statement saying the firm was not surprised that the result of the research was inconclusive.
"We deliberately did not publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the play book to potential attackers," the statement said.  "If anything, this proves that we were responsible with our disclosure."


Smack!  Take that, FBI!
Chris Bing reports:
FBI Director James Comey wants to see private businesses report data breach incidents and other detected cyber intrusions directly to the Bureau more than they are already doing so.
[…]
The FBI director explained that the Bureau’s strategy to increase cooperation will center on four missions: partner outreach and education, establishing trusted relationships, working to minimize the disruption felt by both a company’s employees and customers, and keeping all investigations private by securely holding and not disclosing internal enterprise data publicly.
Read more on FedScoop.
Pardon me while I spit.
What kind of “partnership” is it, Mr. Comey, if when the FBI is notified of a hack, it refuses to reach out to alert the hacked entity?  If FBI field offices take the position that their role is to take in information, but that they do not alert entities of breaches that they learn about, why should anyone inform the FBI of cybercrimes they learn about?
Don’t know what I’m talking about, Mr. Comey?  Get the phone recordings from your Baltimore field office from last night.  It will become quite clear.


By lawyers, for lawyers?
Remember the lawsuit against Yahoo! for scanning non-users’ emails for advertising purposes?  David Kravets writes:
Days ago, a Silicon Valley federal judge signed off (PDF) on a settlement (PDF).  The lawyers won, they were awarded $4 million (£3 million), and the public got nothing.  What’s more, the settlement allows Yahoo to continue to scan e-mails without non-Yahoo users’ consent.  (Yahoo Mail customers have granted consent to the scanning as a condition of using the service.)  The major change the lawsuit produced was that Yahoo is agreeing to scan the e-mail while it’s at rest on its servers instead of while the mail is in transit.  This, according to the settlement, satisfies the California Invasion of Privacy Act (CIPA) claims.  The deal spells out that Yahoo only has to do this for three years, but Yahoo said it would continue with the new scanning protocol after the three years expire.
Read more on Ars Technica.


After encrypting any data that you want to keep secure, create a text file that says: “As promised, here is the gibberish created by my new “random number and text” generator.  Please keep this confidential as you analyze it for true randomness.”  Append your encrypted file, then re-encrypt the whole thing.  If you are required to decrypt, you can do so immediately and “prove” you have nothing to hide. 
Orin Kerr writes:
Back in June, I blogged at length about a pending Third Circuit case that considers the Fifth Amendment limits on ordering a suspect to decrypt his hard drives.  The court recently announcedthat it will hear oral argument in the case on Sept. 7 before Judges Jordan, Vanaskie and Nygaard.
Read more on The Volokh Conspiracy.


For both Computer Security and Disaster Recovery. 
Data Breach Aftermath and Recovery for Individuals and Institutions
by Sabrina I. Pacifici on Aug 30, 2016
Anne Johnson and Lynette I. Millett, Rapporteurs; Forum on Cyber Resilience Workshop Series; National Academies of Sciences, Engineering, and Medicine: “In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions.  Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach.  Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches.  This publication summarizes the presentations and discussions from the workshop.”


An interesting collection of Data Science links, if nothing else…
Get started in data science: 5 steps you can take online for free

(Related)  Even more…
A Gentle Intro to Data Science with 5 Udemy Courses


Something the Criminal Justice students can use?
How Private Investigators Use the Internet to Track You


Purr-spective?  Check the date on this article.  It isn’t April 1st.  This is real?
Acer is going all in on pets, whose population is growing faster than humans’
At a conference today in Berlin before the consumer trade show IFA, Acer CEO Jason Chen announced that his company had identified “petware” or “petwear” (could be either, I guess) as a $20 billion market opportunity for the Taiwanese computing company.
“We all know that the pet population is growing,” Chen said.  “The global pet population is growing so rapidly, in the U.S., the pet numbers are 2X the baby numbers.”
To address this market, Chen said Acer had acquired crowdfunded Pawbo to launch a new hub of connected pet products.  He did not say how much Acer paid.


If there is a way to tweak the system, Kim Dotcom will find it. 
Kim Dotcom's extradition hearing live stream makes legal history but no drama
The live streaming of Kim Dotcom’s extradition hearing in a New Zealand high court kicked off on Wednesday with warped pictures, delayed audio and dwindling viewership as the day wore on.
Megaupload founder Dotcom is fighting an extradition order to the United States, where he is wanted on online piracy charges.
On Tuesday, his lawyers were granted permission to live stream the court proceedings on YouTube, on the condition that it would be deleted at the conclusion of the case (estimated to be in six to eight weeks’ time) and that the video would air after a 20-minute delay in case any evidence was suppressed.  Comments on the live stream have also been disabled.
Dotcom’s court case is the first in New Zealand ever to be live streamed.


Interesting that Congress had this research done.
CRS – How Can the Results of a Presidential Election Be Contested?
by Sabrina I. Pacifici on Aug 30, 2016
“In the midst of the presidential campaign season, the possibility of election fraud has been raised.  This discussion briefly examines how the results of a presidential election may be contested.  Although it has national impact, the presidential election is in essence 50 state and District of Columbia elections for presidential electors, held on the same day throughout the country.  Therefore—and consistent with the states’ traditional authority over the administration of elections within their jurisdictions—states have the initial responsibility for resolving challenges, recounts, and contests to the results of a presidential election.  Specifically, the Electoral Count Act of 1887, as amended, contemplates that contests and challenges to the vote for presidential electors are to be initially handled in the states.  Codified in part at 3 U.S.C. § 5 , the law provides that if a contest or challenge in a state to the election or appointment of presidential electors is resolved in that state before the sixth day prior to the meeting of the electors, such determination shall be “conclusive” and shall “govern” when Congress counts the electoral votes as directed by the Twelfth Amendment.  The Supreme Court has referred to this as the “safe harbor” provision.  This year, the presidential electors are scheduled to meet on December 19.  Six days prior is December 13, which therefore, will be the last day for the states to make a final determination in order for it to be conclusive when Congress counts the votes…”


Amusement?
Washington Post publishes searchable document archive for new book on Trump
by Sabrina I. Pacifici on Aug 30, 2016
Via WaPo – “Trump Revealed, a biography of the Republican presidential nominee published August 23 [2016] by Scribner….The archive is searchable and navigable in a number of ways.  It is meant as a resource for other journalists and a trove to explore for our many readers fascinated by original documents.” 


Back to school time is App list time. 
60 Awesome iPhone & iPad Apps for Students Heading Back to School


Even cheaper than a used book sale!
6000+ Children's Books Available for Free
The University of Florida's Digital Collections offers a huge library of digitized children's books.  Thanks to Open Culture I discovered this collection this afternoon and immediately started to browse through it.  The books that you will find in the collection consist of works that are in the public domain.  You can search for books according to topic, language, publisher, genre, and publication date.
All of the children's books in the collection can be read online.  Reading the books online could be a bit difficult for some as there is a border with menus surrounding each page of the books.  To avoid that, you can print all of the books for free.  The printed version does not display anything but the book as it was scanned.
   The children's book available through the UFDC aren't books that your students or their parents are likely to see on bookstore shelves.  The value of this collection is that it could introduce parents and students to books that they might enjoy reading together and wouldn't have otherwise found.


Does this sum up communications in the digital age, or merely TL;DR?

Tuesday, August 30, 2016

Who does Putin want to win and by how much? 
Russian Hackers Attack Two U.S. Voter Databases: Reports
Russian-based hackers may have been responsible for two recent attempts to breach US voter registration databases in two states, raising fears Moscow is trying to undermine November's presidential election, US media said Monday.
The incidents led the FBI to send a "flash alert" to election officials earlier this month, asking them to watch for similar cyber-attacks.
The FBI alert, first reported by Yahoo News, did not mention Russia.
However, the authorities have attributed the attacks to Russian spy agencies, NBC News quoted US intelligence officials as saying.
   Although the alert does not identify targeted states, Yahoo News quoted officials as saying they were Illinois and Arizona.

(Related)
How Electronic Voting Could Undermine the Election


Things just got a lot worse for St. Jude.  What could they recover if they can “prove” their innocence?  (What will they lose if they can’t?)  
From the you’re-not-really-surprised-by-this-are-you? dept., Don DeBenedictis reports:
In a class action that sounds like a Tom Clancy novel, a patient claims that pacemakers and other implanted heart devices sold by St. Jude Medical can be attacked by hackers to steal personal information and even harm patients.
Clinton W. Ross Jr. claims that several lines of St. Jude’s heart-regulating devices designed to be monitored remotely with in-home equipment, rather than during in-person visits to the doctor, lack “even the most basic security defenses” to safeguard their computer communications from outsiders.
Gee, what could have possibly given him that idea?
Read more on Courthouse News.


For my Computer Security student debate on Incident Response.  Too extreme or just right? 
Daniel Tyson reports:
Appalachian Regional Hospitals in Beckley and Summers County computer systems were breached Saturday afternoon, but company officials were tight-lipped as to the extent or what information was seized by the hackers.
The hospitals’ parent company, Appalachian Regional Healthcare, issued a two-paragraph statement that their hospitals in West Virginia and Kentucky are on an Emergency Operations Plan, after hackers planted a computer virus in its electronic web-based services and electronic communications.
A spokesperson for ARH said all computers were shut down to prevent further spreading of the virus, which affected Beckley Appalachian Regional Hospital and Summers County Appalachian Regional Hospital in Hinton.
By Saturday afternoon, all patient care, registration, medication, imaging and laboratory services were managed manually.
Read more on The Register-Herald.
The FBI has been called in to investigate, and patients are concerned that their personal information may have been stolen or compromised, but at this point, there’s no indication from the healthcare system that any information was exfiltrated and this may turn out to be a situation in which the data was just locked up for ransom.  The biggest concern, of course, was that hospital operations were threatened, even though it sounds like the system quickly implemented its emergency plan so it could continue to provide services to patients.


“We have a great law, but we don’t have any way to enforce it.”
Shawn Shinneman reports:
The Office of the Attorney General hasn’t disciplined a single Texas company for failing to notify customers of a data breach – and records show it is only directly notified of a small portion of the incidents, the Dallas Business Journal has learned.
The issue could stem from the way Texas’ cybersecurity law is constructed.  Although it calls for the OAG to penalize companies who don’t notify their customers about data breaches, Texas’ standard doesn’t require businesses to actually report breaches to any governmental agency.
The state is effectively looking for speeders without a radar gun.
Read more on the Dallas Business Journal.


Fodder for dossier builders?  How many database duplicate the same information? 
EFF – Transparency Hunters Capture More than 400 California Database Catalogs
by Sabrina I. Pacifici on Aug 29, 2016
Dave Maass – A team of over 40 transparency activists aimed their browsers at California this past weekend, collecting more than 400 database catalogs from local government agencies, as required under a new state law.  Together, participants in the California Database Hunt shined light on thousands upon thousands of government record systems.  California S.B. 272 requires every local government body, with the exception of educational agencies, to post inventories of their “enterprise systems,” essentially every database that holds records on members of the public or is used as a primary source of information.  These database catalogs were required to be posted online (at least by agencies with websites) by July 1, 2016.  EFF, the Data Foundation, the Sunlight Foundation, and Level Zero, combined forces to host volunteers in San Francisco, Washington, D.C., and remotely.  More than 40 volunteers scoured as many local agency websites as we could in four hours—cities, counties, regional transportation agencies, water districts, etc.  Here are the rough numbers:
680 – The number of unique agencies that supporters searched
970 – The number of searches conducted (Note: agencies found on the first pass not to have catalogs were searched a second time)
430 – Number of agencies with database catalogs online
250 – Number of agencies without database catalogs online, as verified by two people…”
Download a spreadsheet of local government database catalogs: Excel/TSV 
Download a spreadsheet of cities and counties where we did not find S.B. 272 catalogs: Excel/TSV


Speaking of dossier creators…
Kashmir Hill writes:
Facebook’s ability to figure out the “people we might know” is sometimes eerie.  Many a Facebook user has been creeped out when a one-time Tinder date or an ex-boss from 10 years ago suddenly pops up as a friend recommendation.  How does the big blue giant know?
While some of these incredibly accurate friend suggestions are amusing, others are alarming, such as this story from Lisa*, a psychiatrist who is an infrequent Facebook user, mostly signing in to RSVP for events.  Last summer, she noticed that the social network had started recommending her patients as friends—and she had no idea why.
Read more on Fusion.


Background for budget time.
What's the Real Value of "Cost of Breach" Studies?
The European Union Agency for Network and Information Security (ENISA) published The cost of incidents affecting CIIs – a review ‘of studies concerning the economic impact of cyber-security incidents on critical information infrastructures’.  Published this month, it is an analysis of ‘cost of breach’ reports; and it draws some worrying conclusions.
   ENISA is not alone in this view. The current Verizon DBIR 
   Ponemon’s latest report puts the average cost of a breach at $4 million, or at $158 per stolen record.  In a study conducted for the UK government, PwC put the overall cost of a breach for major companies at between £1.46 million and £3.14 million (smaller companies £75,000 to £311,000).  In 2015 Kaspersky Lab put the average direct cost at $551,000 for large companies and $38,000 for SMBs (with indirect costs adding an extra $69,000 and $8,000 respectfully).


I have a rather high percentage of international students this quarter.  We should probably talk about not carrying the “Ethical Hacking” textbook through Customs.
Constitutional law professor Noah Feldman writes:
Wall Street Journal reporter Maria Abi-Habib made waves in journalistic circles last month after she posted on Facebook that Department of Homeland Security officials tried to seize her phones as she entered the U.S. at Los Angeles International Airport.
What was striking about her post was that Homeland Security’s demand (which it eventually gave up) was probably lawful and certainly constitutional.  Under established U.S. Supreme Court precedent, there is an exception to the Fourth Amendment privacy right when you are at the border entering or leaving the country.
Read his full commentary on The Commercial Appeal.


For my IT Architecture class.  
Private Clouds a ‘Big Priority’ for Dell
Dell Inc. hopes its pending $60 billion acquisition of EMC Corp. will make the combined company a favored supplier in the rapidly growing market for cloud computing, where companies tap software programs via the internet.
Dell Chief Executive Michael Dell appeared Monday at the annual conference of EMC’s VMware unit, underscoring the deal’s importance for Dell’s future.  He is betting that companies will use Dell’s equipment to build “private clouds,” where their employees access software programs through the internet.  “A big priority for us is making private clouds easy,” Mr. Dell told the VMworld conference Monday.


If everyone loved what Iran was selling, this would not be necessary.  They know that and yet they waste money creating a very porous wall rather than anything attractive and convincing.  Strange, but not unusual.
Iran rolls out domestic internet
   The state news agency Irna said the initiative would offer "high quality, high speed" connections at "low costs".
But critics suggest the true aim is to tighten the authorities' control over citizens' use of the net.
Although Iran already blocks access to overseas-based social media services - including Twitter and Facebook - many users still access them via proxy sites and virtual private networks (VPNs).


In aggregate, this data is useful.  Targeting individuals is a different story.
Ford, MIT use Bostonians’ cellphone location data for traffic planning
By collecting the anonymous cellphone location data from nearly two million Bostonians, MIT and Ford were able to produce near-instant urban mobility patterns that typically cost millions of dollars and take years to build.
The big data experiment holds the promise of more accurate and timely data about urban mobility patterns that can be used to quickly determine whether particular attempts to address local transportation needs are working.
In making decisions about infrastructure development and resource allocation, city planners rely on models of how people move through their cities -- on foot, in cars and by public transportation.  Those models are largely based on socio-demographic information from costly, time-consuming manual surveys, which are in small sample sizes and infrequently updated.  Cities might go more than a decade between surveys.


Of course they do.
Jamie Williams writes:
Imagine being convicted of a crime for logging into a friend’s social media account with their permission?  Or for logging into your spouse’s bank account to pay a bill, even though a pop-up banner appeared stating that only account holders were permitted to access the system?  The Ninth Circuit Court of Appeals last month issued two decisions—by two different 3-judge panels in two separate cases—which seem to turn such actions into federal crimes.  We teamed up with the ACLU and ACLU of Northern California to ask the court to review both decisions en banc—with 11 judges, not just 3—and issue a ruling that will ensure innocent Internet users are not transformed into criminals on the basis of innocuous password sharing.  We want the court to come up with a clear and limited interpretation of the notoriously vague statute at the heart of both cases, the Computer Fraud and Abuse Act (CFAA).
Read more on EFF.


This will put a small dent in the petty cash fund.  (You don’t think Ireland was planning this all along, do you?)
Apple should repay Ireland 13bn euros, European Commission rules
After a three-year investigation, it has concluded that the US firm's Irish tax benefits are illegal.
The Commission said Ireland enabled the company to pay substantially less than other businesses, in effect paying a corporate tax rate of no more than 1%.
   "Member states cannot give tax benefits to selected companies - this is illegal under EU state aid rules," said Commissioner Margarethe Vestager.


Then add in hobby drones and illegal drones – we may never see the sun again!
FAA Expects 600,000 Commercial Drones In The Air Within A Year


3D printing and raspberry pi, my students will love this article!  (I want the cryptex!)  
30 Useful Ways 3D Printing Could Be Used At Home


Great consultants choose their words carefully.