We’ve been building the hardware for hackers.
Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks
Attackers used an army of hijacked security cameras and
video recorders to launch several massive internet attacks last week, prompting
fresh concern about the vulnerability of millions of “smart” devices in homes
and businesses connected to the internet.
The assaults raised eyebrows among security experts both
for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital
video recorders and other infected devices to generate webpage requests and
data that knocked their targets offline, security experts said.
…
“We’re thinking this is the tip of the iceberg,” said Dale Drew, head of security at Level 3 Communications Inc., which runs one of the world’s largest internet backbones, giving it a window into many of the attacks that cross the net.
The proliferation of internet-connected devices from televisions to thermostats provides attackers a bigger arsenal of weapons to infiltrate.
Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” said Andy Ellis, security chief at network operator Akamai Technologies Inc., some of whose clients were affected. “They’re also never going to be updated.”
What kind of backup is stored next to your live files?
Oof. This notification from the New Jersey Spine Center, sent to patients on September 22, describes a real disaster where not only essential patient files and credit card information were locked up, but their most recent backup was too. No wonder they paid the ransom.
On July 27, 2016, our computer
systems were attacked by a malware ransom virus called “CryptoWall.” The malware
was detected by our virus protection software but unfortunately not until after
our electronic patient records were encrypted. The virus encrypted, thereby rendering
unusable, all of our electronic medical record files that contained all of the
clinical information on our patients such as procedures, office notes, reports,
etc.
… The virus likely utilized a list of stolen
passwords and ran an automated program that attempted access until a correct
match was found.
Read the full letter here.
Their press release, posted to their site, provides a lot less detail and doesn’t mention paying ransom, but it does add one detail: they regained access to their files on August 1. They do not mention how much the ransom was.
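The letter above describes the intrusion as an automated program working through a list of stolen passwords until one matched. That pattern is visible in authentication logs long before any file is encrypted. The following is an added example, not code from the Spine Center or from this blog: it parses constructed remote-access log lines (an assumed format, not any real product's) and flags two variants of the attack, a run of failures against one account that ends in a success, and a password spray that touches many accounts from one address.

```python
"""Added example: detect credential brute force and password spraying in
constructed authentication log lines. The log format is assumed for this
example; the addresses, users and timestamps are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> <src_ip> <user> <result>").
SAMPLE_LOG = """\
2016-07-27T02:00:01 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:03 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:05 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:07 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:09 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:11 203.0.113.7 drjones LOGIN_FAIL
2016-07-27T02:00:13 203.0.113.7 drjones LOGIN_OK
2016-07-27T03:10:00 203.0.113.9 admin LOGIN_FAIL
2016-07-27T03:10:01 203.0.113.9 billing LOGIN_FAIL
2016-07-27T03:10:02 203.0.113.9 frontdesk LOGIN_FAIL
2016-07-27T03:10:03 203.0.113.9 drsmith LOGIN_FAIL
2016-07-27T03:10:04 203.0.113.9 drjones LOGIN_FAIL
2016-07-27T08:15:00 198.51.100.4 nurse1 LOGIN_FAIL
2016-07-27T08:15:20 198.51.100.4 nurse1 LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse(lines):
    """Yield (timestamp, src_ip, user, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def _window_runs(timestamps, window):
    """Yield (start_index, end_index) of maximal runs that fit inside `window`."""
    for i in range(len(timestamps)):
        j = i
        while j + 1 < len(timestamps) and timestamps[j + 1] - timestamps[i] <= window:
            j += 1
        yield i, j


def find_brute_force(lines, window=timedelta(minutes=10), threshold=5):
    """Per (src_ip, user): at least `threshold` failures inside `window`.
    Marks the account compromised if a success follows the last failure
    within the same window. Returns {(ip, user): {...}}."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        events[(ip, user)].append((ts, result))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "LOGIN_FAIL"]
        for i, j in _window_runs(fails, window):
            if j - i + 1 >= threshold:
                last_fail = fails[j]
                compromised = any(r == "LOGIN_OK" and last_fail < t <= last_fail + window
                                  for t, r in evs)
                alerts[key] = {"failures": j - i + 1, "compromised": compromised}
                break
    return alerts


def find_spray(lines, window=timedelta(minutes=10), threshold=4):
    """Per src_ip: failures against at least `threshold` distinct users inside
    `window` (one or two guesses per account, the 'spray' shape that a
    per-account lockout never triggers). Returns {ip: distinct_users}."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        if result == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, evs in fails.items():
        evs.sort()
        times = [t for t, _ in evs]
        for i, j in _window_runs(times, window):
            users = {u for _, u in evs[i:j + 1]}
            if len(users) >= threshold:
                alerts[ip] = len(users)
                break
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", find_brute_force(lines))
    print("spray:", find_spray(lines))
```

The brute-force detector reports the drjones account as compromised because the success lands seconds after the sixth failure; nurse1's single typo never reaches the threshold. The spray detector catches 203.0.113.9, which never fails twice on any one account and so would slip past a per-account lockout. Detection is only half the lesson of the letter, though: the Spine Center's backup was reachable from the same compromised session, so an offline or immutable copy is what turns this alert into a recovery rather than a ransom payment.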
Sometimes all you need to detect hackers or malware is an indication that something is “different.”
Meet Apache Spot, a new open source project for cybersecurity
Hard on the heels of the discovery of the
largest
known data breach in history, Cloudera and Intel on Wednesday announced
that they've donated a new open source project to the Apache Software
Foundation with a focus on using big data analytics and machine learning for
cybersecurity.
…
Based on Cloudera's big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection.
The software can analyze billions of events in
order to detect unknown and insider threats and provide new network visibility.
Essentially, it uses
machine
learning as a filter to separate bad traffic from benign and to
characterize network traffic behavior.
It also uses a process including context
enrichment, noise filtering, whitelisting and heuristics to produce a shortlist
of most likely security threats.
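The pipeline described above (a learned model of normal traffic, then whitelisting and noise filtering, then a ranked shortlist) is easy to lose in the marketing language. The block below is an added example, not Apache Spot's code and not its actual model: it stands in for the machine-learning stage with a simple Laplace-smoothed rarity score over constructed flow records, and shows how the enrichment, whitelist and filter steps shape the final shortlist. All addresses, ports and byte counts are invented, and the whitelist entry is an assumed "known internal resolver".

```python
"""Added example: rarity-based anomaly shortlist over constructed flow
records. A stand-in for the machine-learning stage, not Spot's own model."""
import math
from collections import Counter

# Flow record: (src_ip, dst_ip, dst_port, proto, bytes). Constructed baseline
# of "normal" traffic: two hosts doing HTTPS, DNS and a little plain HTTP.
BASELINE = (
    [("10.0.0.5", "93.184.216.34", 443, "tcp", 4000)] * 8
    + [("10.0.0.5", "10.0.0.53", 53, "udp", 120)] * 4
    + [("10.0.0.6", "93.184.216.34", 443, "tcp", 3500)] * 6
    + [("10.0.0.6", "10.0.0.53", 53, "udp", 110)] * 2
    + [("10.0.0.6", "198.51.100.10", 80, "tcp", 2500)] * 2
)

# Constructed "today" flows to score.
NEW_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, "tcp", 5000),   # routine HTTPS
    ("10.0.0.5", "203.0.113.50", 23, "tcp", 800),      # telnet to an unseen host
    ("10.0.0.6", "198.51.100.10", 80, "tcp", 3000),    # occasional HTTP
    ("10.0.0.6", "198.51.100.99", 6667, "tcp", 1200),  # IRC to an unseen host
    ("10.0.0.7", "10.0.0.53", 53, "udp", 90),          # new host, but DNS to resolver
    ("10.0.0.6", "93.184.216.34", 443, "tcp", 40),     # tiny flow, noise
]

# Assumed context enrichment: (dst_ip, dst_port) pairs known to be benign.
WHITELIST = {("10.0.0.53", 53)}


class FlowModel:
    """Counts from the baseline; scores a flow by how rare its (proto, port)
    is for that source and how rare its destination is overall."""

    def __init__(self, flows):
        self.port_counts = Counter((f[0], f[3], f[2]) for f in flows)
        self.src_totals = Counter(f[0] for f in flows)
        self.dst_counts = Counter(f[1] for f in flows)
        self.total = len(flows)
        self.ports_seen = len({(f[3], f[2]) for f in flows})
        self.dsts_seen = len({f[1] for f in flows})

    def score(self, flow):
        src, dst, port, proto, _ = flow
        # Laplace smoothing keeps never-seen values finite but expensive.
        p_port = (self.port_counts[(src, proto, port)] + 1) / (
            self.src_totals[src] + self.ports_seen + 1)
        p_dst = (self.dst_counts[dst] + 1) / (self.total + self.dsts_seen + 1)
        return -math.log(p_port) - math.log(p_dst)


def shortlist(model, flows, whitelist, top_n=3, min_bytes=100):
    """Whitelist, drop noise, score, rank: returns [(score, flow), ...]."""
    scored = []
    for f in flows:
        if (f[1], f[2]) in whitelist:   # enrichment + whitelisting
            continue
        if f[4] < min_bytes:            # noise filter: ignore tiny flows
            continue
        scored.append((model.score(f), f))
    scored.sort(key=lambda pair: -pair[0])
    return scored[:top_n]


if __name__ == "__main__":
    for score, flow in shortlist(FlowModel(BASELINE), NEW_FLOWS, WHITELIST):
        print(f"{score:5.2f}  {flow}")
```

With these inputs the telnet and IRC flows rank first and second because neither the port nor the destination has a baseline count, while the new host's DNS query is removed by the whitelist before it can score at all. That last point is the practical caveat: an anomaly shortlist is only as good as the whitelist and filters in front of it, and an attacker who tunnels over a whitelisted pair never reaches the model.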
The insurance industry apparently likes those little “driving habit” recorders they hope you will install in your car, but this goes much farther.
Joe Cadillic sends along this item from TheNewspaper.com:
Speed cameras are banned in
Virginia, but that did not stop the insurance industry from deploying them on
state highways.
As part of an effort to
promote the issuance of speeding tickets, the Insurance Institute for
Highway Safety (IIHS) and the for-profit contractor Brekford set up ten radar
units that they used to photograph the faces of motorists and identify them
through Department of Motor Vehicles (DMV) records.
The group used the data collected to call for
lowering of speed limits.
The National Motorists
Association (NMA) noticed one flaw with the IIHS plan — IIHS never asked for
permission to set up the cameras.
On
Wednesday the group filed a complaint with the Commonwealth Transportation
Board, which has jurisdiction over Virginia highways.
READ MORE….
Free speech or free self-incrimination?
Richard Winton reports:
Can police prevent hate crimes by
monitoring racist banter on social media?
Researchers will be testing this
concept over the next three years in Los Angeles, marking a new frontier in
efforts by law enforcement to predict and prevent crimes.
During a three-year experiment,
British researchers working with the Santa Monica-based Rand Corp. will be
monitoring millions of tweets related to the L.A. area in an effort to identify
patterns and markers that prejudice-motivated violence is about to occur in
real time.
The researchers then will compare
the data against records of reported violent acts.
Read more on the Los Angeles Times.
Joe Cadillic sent me the link to this story with a gentle I-tried-to-warn-you-all comment:
Earlier this year, I warned everyone that police will soon be arresting people based on ‘Sentiment Analysis’ of their Tweets:
http://massprivatei.blogspot.com/2016/08/police-to-arrest-people-based-on.html#!/2016/08/police-to-arrest-people-based-on.html
Injury to a third party?
Wendy Davis reports:
Google can’t shake a privacy
lawsuit alleging that it unlawfully scans Gmail messages.
In a ruling issued late last
week, U.S. District Court Judge Lucy Koh in the Northern District of California
ruled that people who are suing Google can proceed
even without proof of financial injury.
[…]
The ruling stems from a lawsuit filed last year by San Francisco resident Daniel Matera, who said he doesn’t have a Gmail account, but is forced to communicate with Gmail users due to the “ubiquity of Gmail.”
Somehow, I don’t think Dissent approves.
In what is likely to infuriate those who believe that
the Federal Trade Commission has already abused its authority in its
relentless enforcement action against a small cancer-detecting laboratory,
the FTC has denied LabMD’s application for a stay of their final order while LabMD appeals to a federal court.
In explaining its denial, the Commission said it
looked at four factors:
(1) “the likelihood of the
applicant’s success on appeal”; (2) “whether the applicant will suffer
irreparable harm if a stay is not granted”; (3) “the degree of injury to other
parties if a stay is granted”; and (4) the public interest. It is the
applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc.,
126 F.T.C. 695, 698 (1998).
Because the Commission believes it is right, it
fails to see LabMD’s chances of success on appeal. If they didn’t believe they were right, they
never would have issued their final decision and order, right? So the first factor is somewhat ridiculous and
boils down to, “We thought we were right, we think we are right, and therefore,
LabMD has no real chance of winning an appeal against us.”
On the second factor, that the Commission failed to
see “irreparable harm” given the cost of notifications and implementing the
comprehensive data security plan is…. shocking.
As to the degree of injury to other parties if the stay is
granted, given that the FTC never bothered
to contact even a single patient to inquire whether there had been any harm, the
following borders on the obscene:
Because LabMD never notified any
affected consumers of the breach, we do not know how many consumers may have
suffered harm due, for example, to identity or medical identity theft.
But they could have known – and chose not to find
out.
Keep in mind that as HHS spokesperson Rachel Seeger wrote
to this blogger, HHS not only declined to join FTC in any action against LabMD,
but this wasn’t even a reportable breach under HIPAA in 2008. There was no requirement for LabMD to notify
anyone. So they didn’t and the FTC never
did, and now the FTC would require LabMD to notify eight years
later but it can’t wait for an appeal to a court?
Without notification, affected
consumers and their insurance companies can do little to reduce the risk of
harm from identity and medical identity theft or to address harms that may
already have occurred.
They are, of course, referring to the “risk of harm” that
they decided was substantial, even though there was no evidence of any harm to
any person. Nor did they provide
controlled and replicated research demonstrating that simply having data
exposed causes substantial injury to consumers. If we ask people, “How do you feel that your
lab test results were exposed and others could have downloaded them?” I
hypothesize that many people would say they would be unhappy about that. But if we ask them, “Do you feel you have been
harmed by that exposure?” I suspect that the vast majority would say
that they had not been harmed at all, much less substantially harmed. Would even a few people claim significant
harm? It’s an empirical question, and
FTC provided no evidence on that point.
As for the fourth, and “public interest” factor, I think
the public’s interest is in getting the FTC’s authority and the notice issues
clarified by the courts, and the denial of the stay is just another poor
decision in a long chain of poor decisions in this case.
Related: FTC v. LabMD (FTC’s case files)
Is this in response to the New York push for the Chelsea bomber?
Feds approve updates to mobile emergency alerts
Federal regulators on Thursday overhauled the system that
pushes alerts to smartphones and other mobile devices in an emergency.
Alerts that were once restricted to 90 characters will now be as long as 360 for some types of networks following the Federal Communications Commission’s vote on the new rules.
And officials responding to emergencies will now be able to include links and
phone numbers in all types of alerts. That
could allow law enforcement authorities to link to maps, for example, or other
photos.
… The commission
also told wireless providers to support alerts that were sent in Spanish. They will also now formally consider whether
to require support for other languages as well.
… The item gained
a higher profile after authorities in New York City used the alerts system to
send a message to smartphones informing the public that it was searching for
Ahmad Khan Rahami, a suspect in a bombing in Manhattan and New Jersey earlier
this month.
The Cloud covers the globe?
…
We’ve recently joined the ranks of Google’s billion-user products. Google Cloud Platform now serves over one billion end-users through its customers’ products and services.
To meet this growing demand, we’ve reached an exciting
turning point in our geographic expansion efforts.
Today, we announced the locations of eight new Google Cloud Regions — Mumbai, Singapore, Sydney, Northern Virginia, São Paulo, London, Finland and Frankfurt — and there are more regions to be announced next year.
For both my Governance and Architecture classes.
Firms Spend Big Money on Flaws They Could Fix in Development
Companies are spending
millions on bug bounty programs whose goal is to identify vulnerabilities, but
it might be more efficient to take a proactive approach and focus on
identifying flaws in the development phase.
A survey commissioned by application security company Veracode shows that of 500 U.S. decision makers working in cybersecurity, 83 percent have admitted releasing code before testing it for security holes and bugs. In contrast, a vast majority of them are confident that their software is secure.
For my Software Architecture students. What tools will they need?
Ford sees big profits in ride-sharing
Ford Motor Co. thinks new mobility services could yield
profit margins more than double what it makes selling cars and trucks, and
Executive Chairman Bill Ford on Thursday said that’s because the automaker is
becoming more nimble and forward-thinking.
“In time, if we do this right, we will become less
capital-intensive,” he said at the World Mobility Leadership Forum, a two-day
conference in Romulus focused on the changing role of transportation. “We’ll have more revenue streams that aren’t
dependent upon heavily fixed-costs investment.”
I’m lazy and cheap. This App might have been designed for me.
QuickKey + Inexpensive Phone = Time Saved On Grading
QuickKey is a popular iOS and Android app that can help you
save a ton of time when grading multiple choice or true/false quizzes.
I first learned about it a few years ago when
a colleague of mine was raving about it on Facebook.
Here are the basics of how it works: create your quiz on the Quick Key website, then print and distribute a bubble sheet. After your students have completed the bubble sheet, you simply scan the sheets with your phone and the grading is done for you.
As you can learn in the video embedded below,
QuickKey will work on the cheapest of Android phones as well as on more
expensive Android phones and on iPhones.