Saturday, September 24, 2016

A real threat that follows hacker attacks.  DDoS attacks may now be too expensive to defend!
The silencing of KrebsOnSecurity opens a troubling chapter for the Internet
For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote.  The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet.
The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS.
   On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data.  That staggering amount of data is among the biggest ever recorded.  Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free.  The attack showed no signs of waning as the day wore on.  Some indications suggest it may have grown stronger.  At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity.  Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers.


For my Governance students. 
Here’s How Microsoft Plans to Work Around Data Snooping
Data snooping by the US government has always been a major concern for most tech conglomerates but Microsoft Corporation may have found a way to turn things around to its favor.  The Redmond tech giant just opened its two newest data centers – located in Magdeburg and Frankfurt – to make it harder for the authorities demand access to customer data.
   Microsoft’s choosing of Germany as the site for its newest data centers was no accident.  The country is notorious for its strict data privacy and sovereignty laws.  As stipulated in the German law, no other country can demand access to customer data; it will stay in the country.  This could be the reason why more and more cloud computing services are opening shop in Germany, which is also one of the EU’s largest economy.
   Of course, such move is hardly new.
Amazon.com, Inc.‘s Web Services were the first to take advantage of Germany’s strict consumer access laws when the company unveiled its data centers two years ago in Frankfurt.  All the largest cloud computing service providers are now building data centers in various parts of the world, including Google-parent Alphabet Inc.


For my IT Architecture students.  A new term: “DRaaS.”
Disaster Recovery: Confidence High, Experience Low
With everything moving to the cloud, it is little surprise that Disaster Recovery (DR) is now also offered as cloud-based DRaaS.  The majority of organizations still employ on-premise DR, but cloud usage is growing.  A new survey investigates how and why UK businesses are employing DR; how they rate their existing DR readiness, and whether they are considering a move to cloud.
An Opinion Matters survey, which questioned 250 IT decision makers, was commissioned by iland.  iland is a US-based cloud infrastructure provider with eight data centers in the US, UK and Singapore.  In Gartner's 2016 Magic Quadrant for DRaaS it was placed squarely among the leaders.
The majority of outages are still caused by system failure (reported by 53% of respondents) closely followed by human error (52%).  Cyber attacks are relatively low in comparison at 32%, while environmental issues (flood, storm, fire and power outages) are even lower at 20%.
What is immediately apparent from the survey is that DR is a necessity rather than a luxury -- 95% of respondents admitted to an outage over the last 12 months.


May be important in this year’s Presidential race.
Paul Alan Levy writes:
In Doe v. Coleman, a decision issued yesterday, the Kentucky Supreme Court overruled a decision of the state court of appeals which, considering the validity of a subpoena to identify defendants who had been sued for defamation based on comments about a local official, had held that the plaintiff officials’ conclusory affidavits attesting to the falsity of the anonymous comments were sufficient to meet the standards for enforcing such subpoenas set by Doe v. Cahill, the Delaware Supreme Court decision that the Court of Appeals had endorsed in a 2014 decision in the same case.  Instead, the Supreme Court held that Kentucky courts are to follow the full standard adopted by the New Jersey Superior Court Appellate Division in Dendrite International v. Doe, which includes a balancing stage that weighs the relative interests of the plaintiff in securing redress and of the defendant in retaining his or her First Amendment right of speaking anonymously, given such considerations as the nature of the speech at issue and any special dangers to the defendant from being identified.
Read more on Public Citizen.


I love reporting serious science!
Best News We've Heard All Day: Study Shows Beer Is Good for Business


Almost as cool as beer.  The new version of a stud finder. 
Walabot
Look Inside Your Walls and take the guesswork out of your next DIY construction project
See up to 4 inches/10cm in concrete and drywall
Multiple sensing modes of raw data and pipe
Adjustable sensitivity for optimal calibrations to your specific construction
Easy snapshot taking for offline analysis
Requires Android phones running 5.0 (Lollipop) and above with OTG
Are you a Maker, Engineer or Builder?
Check out programmable versions of Walabot!


For the next time I teach Math.


Every Saturday, like clockwork.
Hack Education Weekly News
   “After Gayle Manchin took over the National Association of State Boards of Education in 2012, she spearheaded an unprecedented effort that encouraged states to require schools to purchase medical devices that fight life-threatening allergic reactions,” writes USA Today.  The move helped to give Mylan, maker of the Epipen, a near monopoly in schools.  And what a coincidence: the CEO of Mylan was Heather Bresch, Gayle Manchin’s daughter.  And Manchin’s husband: Joe Manchin, the senior Senator from West Virginia.
   Inside Higher Ed has more details on the University of California Berkeley’s announcement that they’ll remove free online content rather than comply with a Justice Department demand to make it accessible to those with disabilities.
   Via AL.com: “Two more Alabama schools were on lockdown today after a social media posts and phoned-in threat warned ‘clowns’ might show up at two Birmingham area schools.” Clowns.

Friday, September 23, 2016

Yesterday, this was a mere 200 million.  What will we see tomorrow?
Yahoo hit with hack affecting at least 500 million user accounts, FBI investigating
In what appears to be the biggest data breach in history, Yahoo has been hit by a massive hack affecting at least 500 million user accounts, the company said Thursday.
   Yahoo blamed a “state-sponsored actor” for the huge theft, which it said occurred in 2014 when thieves hacked into the Sunnyvale tech firm’s data centers. [Easy to blame, now that “state sponsored” whoevers are in the news so often.  Bob] 
   However, the company said, stolen passwords were “hashed,” meaning converted into randomized characters, and that the “vast majority” were heavily encrypted.
“Passwords that have been hashed can’t be converted into the original plain text password,” Yahoo said.  The “bcrypt” heavy encryption on the bulk of the passwords provides “advanced protection against password cracking,” the company said.


Another reason why I don’t have one. 
Mobile devices are one of the weakest links in corporate security.  Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously.  In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses.  (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.)
Meanwhile, the potential for mobile attacks continues to expand.  In July comScore reported that half of all digital time was spent on smartphone apps, and 68% percent of time was spent on a mobile device.  If mobile security isn’t a problem for your company yet, it will be.


Anything is possible, but this would mean that someone did not follow the checklist and his partner didn’t notice.  More likely this was deliberate. 
NSA hacking tools were reportedly left unprotected on remote computer
A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing on a theory that one of its operatives carelessly left them available on a remote computer and Russian hackers found them, four people with direct knowledge of the probe told Reuters.


Useful for my Forensics students.
EFF Warns Police, Courts About Unreliability of IP Addresses
A report published this week by the Electronic Frontier Foundation (EFF) warns about the misuse of IP addresses by police and courts, and makes recommendations on how such information can be used efficiently.
An increasing number of incidents shows that law enforcement often considers IP addresses a clear indicator of a person’s location or identity.  For instance, several privacy activists maintaining Tor exit nodes in their homes have been raided by law enforcement investigating child pornography and other crimes.  Internet mapping services that provide a default location when only limited information is available has also caused problems for innocent individuals.
Another issue is that police often overstate the reliability of IP address information when trying to obtain a warrant or subpoena.  According to the EFF, law enforcement also often uses inaccurate metaphors to explain IP addresses, such as comparing them to physical mailing addresses and license plates.
Some judges have begun to realize that an IP address is not enough to determine someone’s guilt.  In one such case, a federal court in Oregon dismissed a direct copyright infringement complaint against an individual who allegedly pirated a movie.
However, there is more work to be done and the report published by the EFF aims to teach law enforcement and courts on how to reliably use IP information when investigating crimes.


Interesting.  Likely to become a hacking target.
New Data Tool Aims for Transparency in Police Use of Force
   Bayes Impact, a nonprofit startup that aims to apply data analysis to societal problems, launched a web-based platform Thursday that all California police departments must use to record whenever an officer is involved in a “use of force” incident, which the state defines as a shooting or assault that results in death or serious injuries.
Starting next year, the public will be able to access the information on the Open Justice Portal, which publishes criminal-justice data collected by the California Department of Justice.
   There is no national database for recording use-of-force data, and no standard definition for “use of force.”  The Federal Bureau of Investigation’s records have omitted hundreds of homicides by police officers.  There hasn't been a widely used tool to collect data on violence involving law enforcement.


Why kill the source of campaign contributions?
How the Maker of the EpiPen Made Government Its Ally
In most respects, Wednesday’s congressional hearing into Mylan Corp.’s steep price increases on the EpiPen followed an all-too-familiar script.  Mylan’s C.E.O., Heather Bresch, was berated by legislators for the price hikes, and for her $18.9-million pay package.  Bresch tried, feebly, to explain that Mylan doesn’t actually make that much money from the EpiPen, and was careful never to offer the only real explanation for why the product costs six times as much as it did in 2007, namely that the company kept raising prices because it could.  The politicians got their soundbites.  Bresch got to state her case.  And, at day’s end, nothing meaningful had changed.


For what I didn’t teach my students?
LinkedIn reveals what it’s doing with Lynda.com: LinkedIn Learning
LinkedIn has released a product geared to the professional social network that it hopes will expedite its vision to create “economic opportunity for every member of the global workforce, which is north of 3 billion people.”  The company on Thursday launched LinkedIn Learning, the integration of its economic graph with its Lynda.com acquisition.
   What LinkedIn is doing is simply copying the education service and meshing it with its data so while you’re on the professional social network, you can learn new skills based on the context of jobs you want or are interested in. [Think that will work?  Bob]
   LinkedIn Learning costs $29.99 per month, but those that have a premium subscription with LinkedIn will get the service automatically.  [Still free at your local library!  Bob] 

Thursday, September 22, 2016

Material impact on the sale to Verizon?  Probably not.
Yahoo is expected to confirm massive data breach, impacting hundreds of millions of users
Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts.
While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious.
Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and was selling them online.  “It’s as bad as that,” said one source.  “Worse, really.”
   But there’s nothing smooth about this hack, said sources, which became known in August when an infamous cybercriminal named “Peace” said on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800.  The data allegedly included user names, easily decrypted passwords, personal information like birth dates and other email addresses.
At the time, Yahoo said it was “aware of the claim,” but the company declined to say if it was legitimate and said that it was investigating the information.  But it did not issue a call for a password reset to users.  Now, said sources, Yahoo might have to, although it will be a case of too little, too late.


Is that the same as saying, “before the potential breach was discovered, we hadn’t bothered to secure the system?” 
The day after an FBI investigation descended on the Camden County Courthouse, County Attorney Charles McElyea has acknowledged a “possible security breach” of the courthouse computer systems.
McElyea said once the potential breach was discovered, “the Camden County Commission took immediate steps to secure the system and started an investigation to determine if there was in fact a breach of the system, how it might have occurred and how to prevent such a breach in the future.”
Read more on LakeExpo.com.
I guess we’ll have to wait to find out what this is about, although it sounds like some insider wrongdoing is suspected.


For my Governance students.
Paper – Examining the costs and causes of cyber incidents
by Sabrina I. Pacifici on Sep 21, 2016
Examining the costs and causes of cyber incidents, Sasha Romanosky, Journal of Cybersecurity, DOI: http://dx.doi.org/10.1093/cybsec/tyw001.  First published online: 25 August 2016.
“In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks.   As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices.  Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along.  Will frameworks such as that proposed by NIST really induce firms to adopt better security controls?  And if not, why?  This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.  
   Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.”

(Related) Another consideration for Governance.
Achieving Trust Through Data Ethics
Success in the digital age requires a new kind of diligence in how companies gather and use data.
   Digital trust — identified as a key trend in the Accenture Technology Vision 2016 report — is very difficult for businesses to build with customers, but very easy to lose.


It’s not just for “International Terrorist Masterminds” and more. 
   there are all sorts of good — non-criminal — reasons why you may want to have a second phone number.  While you may want to get a second physical phone, for most purposes, you can just get an app on your existing phone.
Why Use a Burner App?
  • Online dating is more popular than ever, but it does carry certain risks, particularly for women.  Using a temporary number provides a valuable extra layer of privacy.
  • If you’re buying or selling something on Craigslist, or placing an ad anywhere, a disposable number means you don’t have to deal with calls once your business is done.
  • If you’re job hunting, you may be expecting a lot of calls from unknown numbers. It’s good to know that these are related to your job search before you answer.
  • If you’re moving to a different area, or even a different country, you might want to pick up a local number before you move.
  • If your job requires you to be on call or you’re running your own business, you’ll want a dedicated number that you know to answer professionally and can ignore when you’re off the clock, without having to carry two phones.
  • If someone is monitoring your calls and texts (like an abusive parent or partner), you can reach out for help using a number they don’t have access to.


A growing number of twits or more people/agencies requesting?
US increases requests for account info from Twitter
The U.S. government increased its requests for information from Twitter in the first half of 2016, according to a report released by the social networking site Wednesday.
From Jan. 1 to June 30, the U.S. government made 2,520 requests for information, up from 2,436 in the first half of last year.
The report says that Twitter produced some information in 82 percent of requests.


Nothing like a last minute law to fix years of no planning! 
New legislation seeks to prevent U.S. voting systems from being hacked
A U.S. lawmaker has introduced two bills to protect voting systems from hacking, amid fears that Russian cyber spies may be interfering with this year's presidential election.
Representative Hank Johnson, a Democrat serving Georgia, is proposing a moratorium on state purchases of electronic voting machines that don't produce a paper trail.  His Election Integrity Act, introduced Wednesday, would also prohibit voting systems from being connected to the internet as a way to prevent online tampering.
   Johnson's second bill proposes designating U.S. voting systems as critical infrastructure, meaning that the federal government would take a role in protecting it.  The country's electrical grid and banking sector are among those already designated as critical infrastructure.
Johnson's bill would also require the Department of Homeland Security to submit a plan to Congress to protect the U.S. election process from threats including cyber terrorism.  In addition, it asks that better standards be developed so that citizens can verify their votes.


A new world!  What else would this work for?  Mortgages?  Student loans? 
P2P insurance firm Lemonade launches out of stealth, powered by chatbots, morals, and big bucks
Lemonade, a peer-to-peer (P2P) insurance firm that’s been in stealth for a year, has finally launched to the public in its first market.
   Lemonade announced today that it is now a fully licensed insurance carrier in New York, which means homeowners and tenants across the state can get insured and settle claims on the spot, across multiple devices.
   Lemonade is also setting out to combat existing models through an annual “giveback,” where it donates unclaimed money to good causes.  Through the app, users select a cause that they care about, and this cause-creation process generates virtual groups of like-minded people — or “peers.”  (Why not “giveback” to me?  Bob)
Premiums from each group cover any claims made by individuals, with leftover money going to their common cause.  And Lemonade makes money by taking a 20 percent flat fee from monthly policy payments.

(Related) …and they’re all going to need insurance!
Mobile Networks Are Key to Global Financial Inclusion, Report Finds
The ubiquity of cellphones could allow a rapid expansion of financial services throughout the developing world, with major implications for growth and credit accessibility, a McKinsey & Co. report concludes.
“With the technology that’s available today you could provide billions of people and millions of businesses opportunities that don’t exist to them today,” Susan Lund, co-author of the McKinsey Global Institute report on digital finance, said in an interview.
The report found that with coordinated action by financial firms, telecommunications companies and developing-country governments, some 1.6 billion people could gain access to financial services by 2025, all without major new expenditures on physical infrastructure.


Be as smart as a Congressman.  (A rather low bar, but better than nothing.)
Researching Current Federal Legislation and Regulations: A Guide to Resources for Congressional Staff
by Sabrina I. Pacifici on Sep 21, 2016
Researching Current Federal Legislation and Regulations: A Guide to Resources for Congressional Staff, Jerry W. Mansfield, Lead Information Services Coordinator.  September 19, 2016.
“This report is designed to introduce congressional staff to selected governmental and nongovernmental sources that are useful in tracking and obtaining information on federal legislation and regulations.  It includes governmental sources, such as Congress.gov, the Government Publishing Office’s Federal Digital System (FDsys), and U.S. Senate and House websites.  Nongovernmental or commercial sources include resources such as HeinOnline and the Congressional Quarterly (CQ) websites.  The report also highlights classes offered by the Congressional Research Service (CRS) and the Law Library of Congress.”


This is Apple being innovative?  Are the people who buy iPhones also into motorcycles?
Apple Is Said to Be Talking to Vehicle Technology Companies
   Apple is also in talks with Lit Motors, a San Francisco start-up that has developed an electric self-balancing motorcycle, about a potential acquisition, according to three people who spoke on the condition of anonymity.  Apple has already hired several former Lit Motors engineers.

Wednesday, September 21, 2016

Is this the best they are capable of, or is this just to tease western security services?
German Political Parties Hit by Cyber Attacks
German political parties have fallen victim to a new round of cyber attacks, documents showed Wednesday, after Berlin's domestic spy agency accused Russia of a series of operations aimed at spying and sabotage.
Politicians and employees of several parties received emails purporting to be sent from NATO headquarters, but which instead contained a link that installed spyware on the recipient's computer, the Sueddeutsche Zeitung daily and regional broadcasters NDR and WDR reported.
Citing unnamed security experts, German media said the attacks on August 15 and 24 appeared to have been carried out by state-backed Russian hackers.


Which begs these questions: Are you looking?  Would you recognize your data if you saw it?
Joseph Cox reports:
It’s pretty hard to know when your data might have been compromised.  Over the last few years, an industry of threat intelligence firms has popped up that offer to monitor criminal forums, paste sites, and Tor hidden services for stolen intellectual property or customer information.
Now, one of these companies is letting anyone monitor the dark web for a limited amount of their own personal information.  On Tuesday, Terbium Labs announced it was opening up its “Matchlight” product to the general public, allowing users to keep tabs on five different pieces of info for free.
Read more on Motherboard.


The University has a very large format printer but I’m not sure we could do this in one pass.
There have been a ton of articles trying to wake up the public to just how much Facebook knows about you.  I generally skip posting those articles, as my readers tend to be pretty savvy.  But this article by Larry Kim is worth noting, because you may want to save it and show it to your kids or co-workers or those who need a wake-up call.
Just look at all of Facebook’s ad-targeting options in this infographic by Wordstream to realize how much info Facebook has about you – and keep in mind that there are those (advertisers) who think this is a good thing!


Does Guinness know?  What my Computer Security students will face. 
Brian Krebs' Blog Hit by 665 Gbps DDoS Attack
Investigative cybercrime journalist Brian Krebs reported on Tuesday that his website, KrebsOnSecurity.com, was hit by a massive distributed denial-of-service (DDoS) attack that could be the largest in history.
According to Krebs, his site was targeted with various types of DDoS attacks, including SYN and HTTP floods.  The attack peaked at 665 Gbps and 143 Mpps (million packets per second), but it was successfully mitigated by Akamai, the company that provides DDoS protection services for KrebsOnSecurity.


Vague on security and privacy, but hey, it’s only 115 pages!
Federal Automated Vehicles Policy - September 2016

The U.S. Department of Transportation's Federal Automated Vehicles Policy, published September 2016.


Helping my students think at the C-level. 
What to think about when moving to the cloud
   Enterprises across all sectors are either in the cloud, transitioning to the cloud, or thinking about making the idea of cloud a reality. 
For those who are preparing to make the move, there are a variety of concerns to consider and plan for in order to make for a smooth transition.  In addition to deciding on the right cloud provider and whether to go with a private or a public cloud, CISOs also need to think about implementing solutions for controls on access, encryption, legal and compliance issues.  



Perhaps this is why my Computer Security classes are full?
Zero-percent cybersecurity unemployment, 1 million jobs unfilled


It’s obvious, in retrospect.
Amazon’s Daring Move Could Mean the End of Cable Subscriptions
Amazon.com, Inc. is looking to offer a new benefit to its Prime members.  The world’s largest online retailer plans to get live video rights in a variety of sports that have a more global appeal.  These include soccer, tennis, golf, rugby, and auto-racing.  The company is also looking to offer live streaming of more popular US sports like basketball, baseball, football, and hockey.  If Amazon closes its deals, it could entice new customers to sign up for its online TV service.
Numbers have shown that live sports are some of the few reasons people remain subscribed to cable networks.


Some sources for my next Statistics class?
Univ. of Michigan – Deep Blue Data Repository
by Sabrina I. Pacifici on Sep 20, 2016
Deep Blue Data is a repository offered by the University of Michigan Library that provides access and preservation services for digital research data that were developed or used in the support of research activities at U-M.  The datasets that underlie research findings are increasingly in demand.  Funding agencies require that research data be discoverable, accessible and preserved for future use.  Publishers ask for data sets to be included alongside of publications as supplemental files to support research findings.  Researchers seek out existing data sets to test out new theories or generate new discoveries.  In response, The University of Michigan Library has developed Deep Blue Data, a repository for sharing and archiving research data that were developed at the University of Michigan.  Deep Blue Data is a component of a suite of services provided by the U-M Library designed to broadly disseminate the intellectual contributions in research, teaching and creativity made by the University of Michigan community and to ensure its longevity.  Why deposit in Deep Blue Data?
  • Share your data — Deep Blue Data provides a means for you to publish your data through a protected and secure repository, making your research more visible to the world.
  • Compliance with grant requirements — Depositing your data into Deep Blue Data enables you to demonstrate compliance with funding agency requirements to share and archive your data sets.
  • Get credit for your work — Your data will be assigned a Digital Object Identifier upon deposit making it easier for people to cite your data set and provide proper attribution.
  • Preserve your data — The University of Michigan Library is committed to preserving the data sets deposited into Deep Blue Data. See File formats and Preservation for details.
  • It’s Free — There is no charge to deposit data into the Deep Blue Data repository in most cases…”


Imagine someone not knowing all about Medium!
7 Awesome Tools You Should Definitely Try If You Love Medium
It’s easy to see why Medium is popular.  Lots of influential people and websites have set up publications and the Medium site as a whole gets some serious traffic (upwards of 75 million a month).
   Some third-party tools are now appearing to make your Medium experience a good one.  Here are a few of the best


Something for small town Colorado?
AT&T unveils AirGig for low-cost wireless broadband along power lines
&T on Tuesday announced a low-cost, high-speed wireless internet technology that relies on plastic antennas positioned along medium-voltage power lines.
   plastic antennas will be attached to the power lines and serve as a mesh network to distribute signals to homes and businesses.  To test the technology, AT&T is looking for a location somewhere in the next year with a favorable regulatory environment, since the carrier would need to partner with an existing electric utility.
   By using power lines, AirGig avoids the expense of digging trenches to lay fiber optic cable.  A utility company would be able to use the technology to help spot problems on its power lines from something like a downed tree.
“It’s a transformative technology that delivers low-cost and multigigabit speeds using power lines,” said John Donovan, chief strategy officer for AT&T.  “There’s no need for enhancements for new towers, and it’s over existing infrastructure.”

Tuesday, September 20, 2016

Amusing or merely prophetic?
Russian Police Make First Official Arrest Of A Robot And Skynet Is Not Pleased
Is it possible to arrest a robot?  Do robot’s even have the ability to make unlawful decisions?  Philosophy aside, Russian police just made the first robot arrest in Moscow at a political rally.
The “Promobot” was arrested at a rally for Russian parliament candidate Valery Kalachev, but it is currently unclear why the robot was detained.  The Moscow police have not released an official reason for the arrest, however, local Russian media sources claim that the robot was “recording voters" opinions on [a] variety of topics for further processing and analysis by the candidate's team”.  A Promobot representative hypothesized that the robot was detained because “perhaps this action wasn't authorized”.
A Promobot representative stated, “Police asked to remove the robot away from the crowded area, and even tried to handcuff him.”  The representative noted that the Promobot did not “put up any resistance”.  


Something my students will discuss.
Corporate Judgment Call: When to Disclose You’ve Been Hacked
Companies are getting hacked more frequently but aren’t disclosing the incidents in their regulatory filings, a trend that worries investors.
Just 95 of the nation’s roughly 9,000 publicly listed companies have informed the Securities and Exchange Commission of a data breach since January 2010, according to an analysis of their filings by Audit Analytics.
Yet, the number of breaches or hacks across all U.S. businesses—public and private—totaled 2,642 during the same period, according to the Privacy Rights Clearinghouse, an advocacy group.
The reason many data breaches aren’t reported to the SEC, say chief financial officers, is that the damage isn’t “material,” meaning it isn’t significant enough to influence an investor’s decision to buy a company’s stock.


Local.  A specific need or just “everyone else is doing it!?”
Denver police spent $30K on social media surveillance tools in May
In May, Denver police spent at least $30,000 on surveillance software designed to monitor and collect social media posts across at least a dozen networks, according to police records.
Documents acquired by Daily Dot under the Colorado Open Records Act include an invoice to the Denver Police Department from Geofeedia, Inc., a startup whose location-based surveillance wares are exhibited at national security and law enforcement summits across the country. 
   With Geofeedia, Denver police have acquired the ability to simultaneously monitor posts on Facebook, Twitter, YouTube, Instagram, Vine, Periscope, and Flickr, among others.  Its location-based search capabilities enable police to vacuum up nearly every social media post emanating from within specified geographical boundaries.  The tweets, photos, videos, and live broadcasts of anyone identified by the software within the area are intercepted and recorded by police through a process developers call “geo-fencing.”
   Tools like Geofeedia offer police the ability to conduct real-time social media surveillance during mass shootings or terrorism events.  They are also capable of sucking up copious amounts of data about criminals and innocents alike, information which can then be stored by authorities for later use.
   In the past, police departments have defended the use of such software, promoting in particular its ability to identify eyewitnesses to crimes who might have otherwise never come forward.  It may also be used to locate guns in schools or identify the sources of illegal drug activity.


How much is too much, how much is too little?
Smartphone alert during NY manhunt draws criticism


Interesting.  This could only happen in New York or New Jersey?  "Leave the gun. Take the cannoli." Is a Godfather quote. 
Thieves Helped Crack the Chelsea Bombing Case, Sources Say
Leave the bomb, take the bag.
In two separate cases, thieves snatching bags from city streets and train stations inadvertently helped law enforcement get the upper hand in an ongoing bomb spree that's hurt dozens of people and spans both sides of the Hudson River, sources said.
   two thieves accidentally helped to disable his second pressure cooker bomb left inside a rolling suitcase on West 27th Street, sources said.
The young men, who sources described as being well-dressed, opened the bag and took the bomb out, sources said, before placing the explosive into a garbage bag and walking away with the rolling suitcase.
   Investigators believe they inadvertently disabled the explosive, sources said.
   Then, on Sunday night, two homeless men snatched a backpack resting atop a trash can near a train station in Elizabeth, N.J., officials said.
“They probably thought there was something of value in that backpack,” said the mayor of Elizabeth, Christian Bollwage.
They started rooting through the bag and found five explosives that officials say are tied to Rahami, prompting them to immediately drop the bag in the middle of the street and alert police, officials said.
"When they opened it up and found the wire and the pipe they immediately walked around the other corner to Elizabeth police headquarters and turned it in," Bollwage said. [So they knew the cops were just around the corner?  Bob]


Best Practices.  Simple enough?
1. Make regular backups.
2. Keep your computer updated.
3. Spot suspicious files, enable file extensions.
4. Use mail filtering.
5. Employ an internet security suite.


For my IT Governance class. 
Catalin Cimpanu reports:
A recent brute-force scan of FTP servers available online via an IPv4 address revealed that 796,578 boxes can be accessed without the need for any credentials.
The perpetrator of this scan is a security researcher that goes by the name of Minxomat, owner of a cyber-security firm that performs these types of scans on a regular basis, but usually in a much more targeted manner and for the purpose of detecting malicious traffic and its sources.
Read more on Softpedia.

(Related)
The CFO Imperative: Managing Risks Arising from Technology
   The issue is this: Data that could warn about potential risks are usually scattered across different departments in a company.  Without the right tools and structure to bring those data points together, companies are hampered in how well they manage risk.  Another challenge is that in many companies, there is no consensus on the appetite for risk.  “At the very least, you need to have a discussion about the risks,” Ittner says.  “Risks aren’t standalone, so they need to consider their interdependencies and get the cross-functional discussion going.”  Without adequate risk protection, the inevitable reaction to a breach is immediate crisis management.  But usually, such short-term actions distract from planning for longer-term growth.


Another really good ‘bad example’ for my Governance class.  How do you make certain that what is supposed to happen, happens?
Flaws in Fingerprint Records Allowed Hundreds to Become U.S. Citizens
The Department of Homeland Security granted citizenship to hundreds of people who had previously been ordered deported or removed under different names because of flaws in keeping fingerprint records, according to a report released Monday.
The report from the department’s Office of Inspector General found that nearly 900 individuals were granted citizenship because neither the agency nor the F.B.I. databases contained all of the fingerprint records of people who had previously been ordered to be deported.
Nearly 150,000 older fingerprint records were not digitized or simply were not included in the Department of Homeland Security’s databases when they were being developed, the report said.  In other cases, fingerprints that were taken by immigration officials during the deportation process were not forwarded to the F.B.I.


Virtual money is real money! 
Bitcoin Is Real Money, Judge Rules in J.P. Morgan Hack
   U.S. District Judge Alison Nathan in Manhattan rejected a bid by Anthony Murgio to dismiss two charges related to his alleged operation of Coin.mx, which prosecutors have called an unlicensed bitcoin exchange.
Murgio had argued that bitcoin did not qualify as “funds” under the federal law prohibiting the operation of unlicensed money transmitting businesses.
But the judge, like her colleague Jed Rakoff in an unrelated 2014 case, said the virtual currency met that definition
   The case is U.S. v. Murgio et. al., U.S. District Court, Southern District of New York, No. 15-cr-00769.


Perspective.  People seem to like these services, almost as much as investors.
Uber rival Grab raises $750M led by SoftBank at a $3B valuation
   Grab said it 400,000 drivers on its platforms and it has seen over 21 million app downloads to date.  In an announcement, the company added that it sees “up to 1.5 million daily bookings,” which a Grab spokesperson confirmed means ride requests not completed rides.  Uber doesn’t provide business data for Southeast Asia so it is hard to compare them, but we previously reported that Uber is operationally profitable in parts of Southeast Asia and there seems to be little to choose between the two.


Someday I’m gonna get me some culture!
The Museum of Modern Art’s Miraculous New Online Archive
   This archive, available for free on the Museum of Modern Art’s website, now documents every show that it has exhibited, going back to its very first in 1929.
   The photos are almost all spare and without people. They seem to have been captured for documentary purposes, not expressive ones.

Monday, September 19, 2016

Imagine what a dedicated, nation sponsored hacking team could access…
A private message to DataBreaches.net on Saturday evening was the prelude to a young hacker downloading tremendous amounts of data from states.
Over the next few hours, a teenage hacker known to DataBreaches.net from his past hacking activities would remind us once again just how insecure everything was, showing this blogger samples of files that he obtained in a hack that not only gave him access to every state with a domain on .us, but also to some .gov domains such as the U.S. Department of Education.
When asked how he obtained access, he replied:
I gained access to an ftp server, that listed access to all the ftp’s on .us domains, and those .us domains were hosted along with .gov , so I was able to access everything they hosted, such as, public data, private data, source codes etc…
He declined to reveal what .gov sites, other than USED, he was able to access, but did expand a bit on his previous answer, telling DataBreaches.net:
It was very simple to gain access to the 1st box that listed all the .us domains, and their ftp server logins.  I went through each and every one, it was legit.  I am pretty sure about every person who does security researching can do this, yes, it may have took me about 3 hours or 4 hours or looking around, but it is still possible.
Encryption was no obstacle for him, he said, because he saw no evidence that encryption was used at all: “I was able to read all of it in plain text form.”
As he acquired files, the teenager commented in a private chat on what he was obtaining: Social Security numbers in one file, credit card numbers in another, postal and email addresses and phone number of Minnesota school board candidates in another, web-banking transactions from the First Bank of Ohio, and more, he claimed.
   Web-banking transactions, First Bank of Ohio
According to the teen, he was able to get customer credit card records from the bank because the state had access to the bank and he then went through several SQL tables:
   The hacker seems to have paid particular attention to Florida.  Just one file alone from Florida had 267 million records, another had 76 million, he told DataBreaches.net.
   When asked, the teenager, who prefers to be called “Fear,” claimed that he was also able to acquire voter registration databases.  Although such databases are publicly available in many states, there has been growing concern about their too-easy accessibility and the risk that a hacker could tamper with the lists to corrupt the election process.  Ironically, on Thursday, US-CERT issued an advisory on securing voter registration data in the wake of some highly publicized hacks.
   Fear (also known as @hackinyolife on Twitter) claims that he was also able to access Florida’s pharmacy prescription monitoring program that is used for law enforcement purposes, telling DataBreaches.net in chat:
they had monthly reports on every citizen in Florida, and it included phone, address, name, SSN.
On inquiry, he noted that those records also contained the medication names and corresponding prescription numbers, but declined to provide any screenshots as proof.

(Related) Apparently, no one considers security or privacy.  No lawyers or auditors involved in the development of these systems? 
Ohio State Rep. 
Many are often shocked to hear, as was I, that the addresses and personal information of domestic violence and stalking victims in Ohio is public record.  This means that anyone, including the victim’s perpetrator, can easily use public documents, such as Ohio’s voting rolls, to locate an individual.  That is, until now.
At the beginning of this month, House Bill 359 went into effect across Ohio, which allows domestic violence and stalking victims to shield their address and other personal information from public records.  Not only will this help these victims to feel safe at home, but it will also give them the ability and peace-of-mind to register to vote, obtain an Ohio driver’s license or even get a library card.
Read more on TimesReporter.com, and kudos to Ohio for enacting this law.  Ohio is not the only state to have an address confidentiality law, but I don’t know that those who are eligible to avail themselves of the protection always know that they can.  And of course, if a database from 2014 had what is their still-current information and that database was hacked/sold on the underground, they may still be at risk.  But these laws are generally a Good Thing, I think, and I hope that more domestic abuse victims avail themselves of the added measure of protection.


Perspective.  Can you afford not to encrypt?
Why HTTPS Adoption has Doubled this Year
HTTPS adoption among the world’s top half million sites doubled this year, achieving in one year what hadn’t been managed in 20 years’ since HTTPS’ introduction, writes Guy Podjarny over at SYNK.
Adoption among the top half million sites went from 5.5% in August last year to 12.4% by the end of July, according to data from HTTP Archive.  If BuiltWith, who provided the statistics, can be believed, adoption among the world’s top one million sites was even more impressive: a year ago only 2.9% of sites were HTTPS by default now it’s 9.6%.  That’s 3X growth.  
The question is what’s driving this dramatic growth in adoption.  For Guy, the answer is: because it’s cheaper, easier and more important than ever before to use HTTPS. 
It used to be that you had to buy your SSL certificates and pay extra costs for hosting and for a CDN to deliver the certificate.  But now certificates can be had for free at places like Let’s Encrypt, hosting companies don’t demand an extra fee for HTTPS and many of the major platforms like WordPress and Heroku offer it as standard.


Perspective.
When Information Storage Gets Under Your Skin
   The implants can be activated and scanned by readers that use radio frequency identification technology, or RFID.  Those include ordinary smartphones and readers already installed in office buildings to allow entrance with a common ID card.
   There is no comprehensive data on how many people have RFID implants in their bodies, but retailers estimate the total is 30,000 to 50,000 people globally.
The fact that the tags can’t be lost is one attraction.  Another, users say, is that the tags don’t operate under their own power but rather are activated when they’re read by a scanner.  That means they can never be rendered useless by a dead battery like smartphones.


Isn’t this the natural outcome of a “long tail” content provider?  If they don’t want Netflix to use their content, don’t accept their money!  Start your own version of Netflix and compete!
The Netflix Backlash: Why Hollywood Fears a Content Monopoly
   at a time when business is tough all over in the entertainment industry, there is a lot of gratitude for a deep-pocketed buyer that is snapping up an array of material, much of which might not find a home elsewhere.  Netflix and its chief content officer Ted Sarandos are at once a savior, offering a giant gush of money to license shows that in some cases were past their prime or even out of production, and a terrifying competitor to studios.
   The backlash is real but muted — mostly because few are willing to risk the wrath of a company that is spending $6 billion a year on programming and scored 54 Emmy nominations this year.


The age of instant Accounting?  A friend of mine, Norm Schultz, predicted that 20 years ago. 
5 Ways Inventory Tracking Technology Is Evolving For 2017
Inventory tracking isn’t a “sexy” industry, but it’s a necessary one for almost any business involved in manufacturing or shipping tangible goods.  You need some way to track how much you’re producing, how many raw materials you’re consuming, where those products are going, and how much money you’re making.
Old-school tracking systems relied on unreliable, time-consuming manual processes to make counts and organize data, but advanced modern-day systems are starting to reshape how quickly and efficiently we can track our inventory.  According to SystemID, “advancements in [the Internet of Things (IoT), big data, smart manufacturing, and mobile device management (MDM)] are literally changing how companies operate.”
1.      Real-time is becoming the new normal.
2.      Retail and fulfillment are blurring.
3.      Big data is leading to more advanced insights
4.      Companies are demanding more information.
5.      Solutions are becoming diversified.


Perhaps there is a market for a simple (i.e. cheap) smartphone?  Certainly there is a market for a “Hey! You gotta try this App!” App. 
Half of U.S. smartphone users download zero apps per month
Specifically, some 49 percent of U.S. smartphone users download zero apps in a typical month, according to comScore, reflecting a three-month average period ending this past June.
Of the 51 percent of smartphone owners who do download apps during the course of a month, “the average number downloaded per person is 3.5,” comScore’s report says.  “However, the total number of app downloads is highly concentrated at the top, with 13 percent of smartphone owners accounting for more than half of all download activity in a given month.”


I have had a paperless classroom for years.  What’s the big deal?
Why the Paperless Office Is Finally on Its Way
Every year, America’s office workers print out or photocopy approximately one trillion pieces of paper.  If you add in all the other paper businesses produce, the utility bills and invoices and bank statements and the like, the figure rises to 1.6 trillion.  If you stacked all that paper up, it would be 18,000 times as high as Mount Everest.  It would reach nearly halfway to the moon.