It’s depressing to see that they have not yet
closed the holes that allowed the attack on the Bank of Bangladesh.
North Korean hacker group linked to Taiwan bank cyberheist
Lazarus, a hacking group linked to North Korea,
may have been behind this month’s theft of $60 million from
Taiwan’s Far Eastern International Bank, according to BAE Systems
PLC researchers.
The cyberattack, in which malware was used to
steal the money through the international Swift banking network, bore
“some of the hallmarks” of Lazarus, according to a BAE blog post
on Monday.
Lazarus and its offshoots have been blamed for
attacks ranging from last year’s heist of Bangladesh’s central
bank to assaults on cryptocurrency exchanges and South Korean ATMs.
North Korea is becoming increasingly starved of hard currency as the
United Nations imposes sanctions amid a standoff with the U.S. over
Kim Jong Un’s nuclear weapons program.
Here’s a good indicator of how seriously people
are taking that WiFi vulnerability.
Here's every patch for KRACK Wi-Fi vulnerability available right now
… According to security researcher and
academic Mathy Vanhoef, who discovered
the flaw, threat actors can leverage the vulnerability to decrypt
traffic, hijack connections, perform man-in-the-middle attacks, and
eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and
informed vendors ahead of the public disclosure to give them time to
prepare patches and prevent the vulnerability from being exploited in
the wild; there are no current reports of this bug being harnessed by
cyberattackers.
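The excerpt above lists what KRACK lets an attacker do but not why. The mechanism Vanhoef published is key reinstallation: a replayed handshake message makes the client reinstall a session key it is already using, which resets the per-frame packet number (the nonce), so two frames are encrypted under the same (key, nonce) pair. The following is an added example, not code from the original page or from Vanhoef's research, that models only that property and shows why it is fatal for a counter-mode cipher. The keystream generator is an HMAC-SHA256 counter stand-in for CCMP's AES-CTR (assumption: the XOR algebra is the same for the real cipher); the two frames are constructed sample data; `Station`, `run_attack` and the `patched` flag are this example's own names.

```python
"""Why KRACK-style key reinstallation breaks WPA2 confidentiality.

Added example: not code from the original page or from Mathy Vanhoef's
research.  It models the one property KRACK abuses: reinstalling an
already-in-use session key resets the per-frame packet number (the nonce),
so two frames are encrypted under the same (key, nonce).  Any counter-mode
cipher then leaks the XOR of the two plaintexts.  The keystream below is an
HMAC-SHA256 counter stand-in for CCMP's AES-CTR (assumption: the same
algebra holds for the real cipher); the traffic is constructed sample data.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    """One data frame: plaintext XOR keystream(key, 48-bit packet number)."""
    nonce = packet_number.to_bytes(6, "big")
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Station:
    """Wi-Fi client state: the installed session key and next packet number."""

    def __init__(self, patched: bool = False):
        self.patched = patched
        self.key = None
        self.pn = 0

    def install_key(self, key: bytes) -> None:
        # Vulnerable behaviour: every install resets the packet number to 1,
        # even when the "new" key is the one already in use (KRACK).
        # Patched behaviour: re-installing the same key keeps the counter.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 1

    def send(self, plaintext: bytes) -> bytes:
        ct = encrypt_frame(self.key, self.pn, plaintext)
        self.pn += 1
        return ct


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes,
                                 ct_target: bytes) -> bytes:
    """Same (key, nonce) twice: C1 ^ P1 gives the keystream, which decrypts C2."""
    ks = xor(ct_known, pt_known)
    return xor(ct_target, ks[: len(ct_target)])


# Constructed sample frames: a secret request and a predictable one of at
# least the same length (the attacker needs known plaintext to cover the target).
SECRET = b"GET /account?token=SECRET123 HTTP/1.1"
PREDICTABLE = b"GET /index.html HTTP/1.1\r\nHost: example.com"


def run_attack(patched: bool) -> bytes:
    """Replay of handshake message 3 -> key reinstall -> nonce reuse -> recovery."""
    key = os.urandom(16)
    sta = Station(patched=patched)
    sta.install_key(key)                 # 4-way handshake completes
    c_secret = sta.send(SECRET)          # sent under packet number 1
    sta.install_key(key)                 # attacker replays message 3
    c_known = sta.send(PREDICTABLE)      # vulnerable client: packet number 1 again
    return recover_with_known_plaintext(c_known, PREDICTABLE, c_secret)


if __name__ == "__main__":
    print("vulnerable client leaks:", run_attack(patched=False))
    print("patched client leaks:   ", run_attack(patched=True))
```

With `patched=False` the recovered bytes equal `SECRET`; with `patched=True` the second frame uses packet number 2, the keystreams differ, and the recovery yields noise. That is the whole content of the vendor fixes listed in the article: do not reset the nonce when a key that is already installed is installed again.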
Hackers might find a list of unpatched
vulnerabilities rather valuable.
Microsoft responded quietly after detecting secret database hack in 2013
Microsoft Corp’s secret internal database for
tracking bugs in its own software was broken into by a highly
sophisticated hacking group more than four years ago, according to
five former employees, in only the second known breach of such a
corporate database.
… The database contained descriptions of
critical and unfixed vulnerabilities in some of the most widely used
software in the world, including the Windows operating system. Spies
for governments around the globe and other hackers covet such
information because it shows them how to create tools for electronic
break-ins.
… “Bad guys with inside access to that
information would literally have a ‘skeleton key’ for hundreds of
millions of computers around the world,” said Eric Rosenbach, who
was U.S. deputy assistant secretary of defense for cyber at the time.
Refreshing.
Starting to design Privacy into their phones?
Apple responds to Senator Franken's Face ID privacy concerns
Apple has now responded to a letter from Senator Franken last
month in which he asked the company to provide more information
about the incoming Face ID authentication technology which is baked into its
top-of-the-range iPhone X, due to go on sale early next month.
… In its response letter, Apple first points
the Senator to existing public info — noting it has published a
Face ID security white paper and a Knowledge Base article to “explain how we protect our customers’
privacy and keep their data secure”. It adds that this “detailed
information” provides answers to “all of the questions you raise”.
But also goes on to summarize how Face ID facial
biometrics are stored, writing: “Face ID data, including
mathematical representations of your face, is encrypted and only
available to the Secure Enclave. This
data never leaves the device. It is not sent to Apple,
nor is it included in device backups. Face images captured during
normal unlock operations aren’t saved, but are instead immediately
discarded once the mathematical representation is calculated for
comparison to the enrolled Face ID data.”
… Notably Apple hasn’t engaged with Senator
Franken’s question about responding to law enforcement requests —
although given enrolled Face ID data is stored locally on a user’s
device in the Secure Element as a mathematical model, the technical
architecture of Face ID has been structured to ensure Apple
never takes possession of the data — and couldn’t therefore hand
over something it does not hold.
The fact Apple’s letter does not literally spell
that out is likely down to the issue
of law enforcement and data access being rather politically
charged.
How about the Fourth? If I had to keep a finger
on the phone for it to operate, would that change the court’s
thinking? Somewhere along the line, we need to get lawyers involved
in the design process.
FourthAmendment.com
makes us aware of this opinion:
An order compelling persons to provide fingerprints to unlock Apple devices doesn’t violate the self-incrimination clause of the Fifth Amendment. In re Search Warrant Application for [Name Redacted by the Court], 2017 U.S. Dist. LEXIS 169384 (N.D. Ill. Sept. 18, 2017):
The United States seeks review of the magistrate judge’s denial of one aspect of the government’s search-warrant application in this investigation: authorization to require the four residents of a home to apply their fingers and thumbs (as chosen by government agents) to the fingerprint sensor on any Apple-made devices found at the home during the search. Ordinarily, review of the magistrate judge’s decision on a warrant application would be ex parte. But because the magistrate judge’s thoughtful opinion addressed a novel question on the scope of the Fifth Amendment’s privilege against self-incrimination, the Court invited the Federal Defender Program in this District to file an amicus brief to defend the decision (the government did not object to the amicus participation). The Court is grateful for the Federal Defender Program’s excellent service in fulfilling this request. After reviewing the competing filings and the governing case law, the Court holds that requiring the application of the fingerprints to the sensor does not run afoul of the self-incrimination privilege because that act does not qualify as a testimonial communication.
It’s important, so try to get around to it
before the next Ice Age.
DHS Orders Federal Agencies to Use DMARC, HTTPS
The U.S. Department of Homeland Security (DHS) has issued a binding
operational directive requiring all federal agencies to start using
web and email security technologies such as HTTPS, DMARC and STARTTLS
within the next few months.
Within the next 30 days, agencies will have to develop a plan of action for
implementing the requirements of Binding Operational Directive (BOD) 18-01.
Agencies have been given 90 days to configure all Internet-facing email
servers to use STARTTLS, a protocol command that allows clients to
indicate that they want unprotected connections upgraded to a secure
connection using SSL or TLS.
The DHS also wants them to gradually roll out DMARC (Domain-based Message
Authentication, Reporting and Conformance), an email authentication,
policy, and reporting protocol designed to detect and prevent email
spoofing.
… The decision to order the use of these security technologies comes just
months after Senator Ron Wyden urged
the DHS to get federal agencies to deploy DMARC for .gov domains.
A study conducted recently by email security firm Agari showed that many
Fortune 500, FTSE 100 and ASX 100 companies still
haven’t properly implemented DMARC.
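"Properly implemented DMARC" means more than publishing a record: the policy has to be enforcing (p=reject), applied to all mail (pct=100), cover subdomains, and deliver aggregate reports (rua=) so spoofing attempts are visible. The checker below is an added example, not code from the original page, from DHS or from Agari. It parses DMARC TXT records and grades each domain against that end state (p=reject with reporting is the directive's stated target, which the excerpt above describes only as a gradual rollout). The records are constructed samples standing in for DNS answers; `assess`, `assess_all` and the agency domain names are this example's own.

```python
"""DMARC record assessment for the email-authentication part of BOD 18-01.

Added example, not code from the original page, from DHS or from Agari.
It parses DMARC TXT records and grades each against the end state the
directive drives toward: p=reject, enforced on 100% of mail, with aggregate
reporting (rua=).  The records below are constructed samples rather than
live DNS answers.
"""

# Constructed sample records, keyed by domain (what a TXT lookup of
# _dmarc.<domain> would return).  None models a domain with no record.
SAMPLE_RECORDS = {
    "agency-a.gov": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@agency-a.gov; pct=100",
    "agency-b.gov": "v=DMARC1; p=none; rua=mailto:reports@agency-b.gov",
    "agency-c.gov": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "agency-d.gov": "v=spf1 include:_spf.agency-d.gov -all",   # SPF record, not DMARC
    "agency-e.gov": None,                                      # no _dmarc record
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(domain, txt):
    """Return policy, compliance verdict and a list of findings for one domain."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"domain": domain, "policy": None, "compliant": False,
                "findings": ["no valid DMARC record published at _dmarc." + domain]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag (receivers ignore the record)")
    elif policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    # sp= defaults to p=; a weaker subdomain policy leaves subdomains spoofable.
    subpolicy = tags.get("sp", policy).lower()
    if policy == "reject" and subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains are not protected by reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("invalid pct= value")
    elif pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua= mailto address: no aggregate reports to review")
    return {"domain": domain, "policy": policy or None,
            "compliant": not findings, "findings": findings}


def assess_all(records):
    """Assess every domain in a {domain: txt_record} mapping."""
    return {domain: assess(domain, txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for result in assess_all(SAMPLE_RECORDS).values():
        status = "OK " if result["compliant"] else "FAIL"
        print(f"{status} {result['domain']:14} p={result['policy']}")
        for finding in result["findings"]:
            print("       -", finding)
```

To run this against real domains, feed `assess` the output of `dig +short TXT _dmarc.<domain>` (strip the surrounding quotes). Note that a p=none record with rua= is the normal first step of a rollout, not a misconfiguration; the checker flags it so that it is tracked toward reject rather than left as the end state.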
My Computer Security students might find this interesting.
New Pluralsight Course: Emerging Threats in IoT
… Play by Play: Emerging Threats in IoT is now live on Pluralsight!
So, nothing Russia or North Korea can do (cyber
wise) would be considered an act of war?
Cybersecurity, Encryption and United States National Security Matters
by Sabrina I. Pacifici on Oct 16, 2017
Cybersecurity, Encryption and United States National Security Matters,
Senate Armed Services Committee, September 13, 2016 (published
September 2017), via FAS.
Steven Aftergood, Secrecy News: “What
constitutes an act of war in the cyber domain? It’s a
question that officials have wrestled with for some time without
being able to provide a clear-cut answer. But in newly-published
responses to questions from the Senate Armed Services Committee,
the Pentagon ventured last year that “The determination of what
constitutes an ‘act of war’ in or out of cyberspace, would be
made on a case-by-case and fact-specific basis by the President.”
“Specifically,” wrote then-Undersecretary of Defense
(Intelligence) Marcel Lettre, “cyber attacks that proximately
result in a significant loss of life, injury, destruction of critical
infrastructure, or serious economic impact should be closely assessed
as to whether or not they would be considered an unlawful attack or
an ‘act of war.'” Notably absent from this description is
election-tampering or information operations designed to disrupt the
electoral process or manipulate public discourse. Accordingly, Mr.
Lettre declared last year that “As of this point, we have not
assessed that any particular cyber activity [against] us has
constituted an act of war.”
Have I been missing something here? Why would a
security clearance be required to say “This account is Russian?”
Is the threat of government investigators looking at Facebook’s
code that likely?
Facebook Is Looking for Employees With National Security Clearances
Facebook Inc. is looking to hire people who have national security
clearances, a move the company thinks is necessary to prevent foreign
powers from manipulating future elections through its social network,
according to a person familiar with the matter.
Workers with such clearance can access information
classified by the U.S. government. Facebook plans to use these
people -- and their ability to receive government information about
potential threats – to search more proactively for questionable
social media campaigns ahead of elections, according to the person,
who asked not to be identified because the information is sensitive.
A Facebook spokesman declined to comment.
… Without employees who can handle classified
material, Facebook would need to give government investigators access to its system to
investigate threats, according to Scott Amey, general
counsel of the Project on Government Oversight, a Washington-based
group that studies national security issues. So the move to hire
people with clearances may be aimed at controlling access to the
inner workings of its platform, like code and user data, he said.
Yet another App I have never heard of… (Maybe
because it’s not available in Colorado?)
Facebook acquires anonymous teen compliment app tbh, will let it run
Today, Facebook announced it’s acquiring positivity-focused
polling startup tbh and will allow it to operate somewhat
independently with its own brand.
tbh had scored 5 million downloads and 2.5 million daily active users in
the past nine weeks with its app that lets people
anonymously answer kind-hearted multiple-choice questions about
friends who then receive the poll results as compliments. You see
questions like “Best to bring to a party?,” “Their perseverance
is admirable?” and “Could see becoming a poet?” with your
uploaded contacts on the app as answer choices.
tbh has racked up more than 1 billion poll answers
since officially launching in limited states in August, mostly from
teens and high school students, and spent weeks topping the free app charts. When we
profiled tbh last month in the company’s first big interview,
co-creator Nikita Bier told us, “If we’re improving the mental
health of millions of teens, that’s a success to us.”
Is this paper detailed enough to allow us to
create an App to write contracts?
FCL: A Formal Language for Writing Contracts
by Sabrina I. Pacifici on Oct 16, 2017
Farmer W.M., Hu Q. (2018) FCL: A Formal Language for Writing Contracts. In: Rubin S.,
Bouabana-Tebibel T. (eds) Quality Software Through Reuse and
Integration. FMI 2016, IRI 2016. Advances in Intelligent Systems
and Computing, vol 561. Springer, Cham
“A contract is an artifact that records an
agreement made by the parties of the contract. Although contracts
are considered to be legally binding and can be very complex, they
are usually expressed in an informal language that does not have a
precise semantics. As a result, it is often not clear what a
contract is intended to say. This is particularly true for
contracts, like financial derivatives, that express agreements that
depend on certain things that can be observed over time such as
actions taken of the parties, events that happen, and values (like a
stock price) that fluctuate with respect to time. As the complexity
of the world and human interaction grows, contracts are naturally
becoming more complex. Continuing to write complex contracts in
natural language is not sustainable if we want the contracts to be
understandable and analyzable. A better approach is to write
contracts in a formal language with a precise semantics. Contracts
expressed in such a language have a mathematically precise meaning
and can be manipulated by software. The formal language thus
provides a basis for integrating formal methods into contracts. This
paper outlines fcl, a formal language with a precise semantics for
expressing general contracts that may depend on temporally based
conditions. We present the syntax and semantics of fcl and give two
detailed examples of contracts expressed in fcl. We also sketch a
reasoning system for fcl. We argue that the language is more
effective for writing and analyzing contracts than previously
proposed formal contract languages.”
When we’re done with the computer labs?
Feel like helping people but don’t have the
time, money, or energy? Well, there’s an app for that. Or rather,
there are several. From something as simple as opening a tab to
playing some games, here’s how to help.
For several of these, all you need to do is
install an app or open a tab. The app or tab will then access the
unused processing power of your computer and use it to run
calculations. It then shares these with millions of other such
computers via the internet. The result is a virtual supercomputer
for scientists to run complex calculations.