Saturday, August 05, 2017

Even geeks can make mistakes.
The New Indian Express reported this in July:
In a case of corporate espionage, a computer engineer’s bid to sell his employer’s data to a company, which he thought was a competitor, fell flat when the recipient discovered the two firms are in fact partners, and the data sought to be sold was their own.  Shreesha Rao (23), a resident of Vinayaka Nagar in K R Puram, has been arrested and is now cooling his heels in judicial custody.  He is a computer-aided design and drafting (CADD) professional who designs radius maps for a company called New Generation.
In a bid to make quick money, Shreesha Rao contacted another company, SBT Associates, offering to sell his employer’s data.  After SBT Associates agreed, he sent the data as an attachment to his personal email, and then forwarded it to the buyer.  However, Shreesha didn’t know that SBT Associates was a vendor for his employer, and that the data in question was in fact sourced from them.
Read more on New Indian Express.


This raises many questions for me.  What would they have done if there was a “fake news” story that might have changed a lot of votes?  Did they have any criteria for identifying such a story?  What attack on voting machines was possible that might change even 1% of the vote? 
Exclusive: FBI tracked 'fake news' believed to be from Russia on Election Day
The FBI monitored social media on Election Day last year in an effort to track a suspected Russian disinformation campaign utilizing "fake news," CNN has learned.
   On Election Day, dozens of agents and analysts huddled at a command center arrayed with large monitoring screens at the FBI headquarters in Washington watching for security threats, according to multiple sources.
   FBI analysts had identified social media user accounts behind stories, some based overseas, and the suspicion was that at least some were part of a Russian disinformation campaign, according to two sources familiar with the investigation.
The FBI declined to comment for this story.
For the FBI, this was uncomfortable territory, given the First Amendment's free speech protections even for fake news stories.
"We were right on the edge of Constitutional legality," a person briefed on the investigation said. "We were monitoring news."
   At the end of day, top officials exchanged congratulations for an election day that was completed without disruptions of the vote.

(Related).  Gosh, maybe everyone does it!  Perhaps I should add this to the Ethical Hacking course? 
South Korea Spy Agency Admits Attempting to Rig Election
South Korea's spy agency has admitted that it had engaged in a far-reaching attempt to manipulate voters as it sought to help conservatives win parliamentary and presidential elections.
In-house investigators from the National Intelligence Service (NIS) confirmed that the agency's cyber warfare unit organised and operated up to 30 teams for more than two years in the run-up to the 2012 elections, the agency said in a statement late Thursday.
They hired internet-savvy civilians and sought to sway voter opinions through postings on portals and Twitter.
   The internal probe also found Won ordered the agency to muzzle the press, provide support for pro-government conservative civic groups and put some major opposition politicians under secret surveillance.


…and the ‘proof of insurance?’ 
The march of technology is eliminating another favorite tool police use to search vehicles.  The Ninth Circuit US Court of Appeals last week said police cannot rummage through an automobile’s glovebox without permission or warrant to “find the registration” when a simple computer search can look up the same information from the VIN, the vehicle identification number visible from outside the car.
Read more on The Newspaper.


Win some, lose some.  Wait for the reversals. 
Brett Max Kaufman of the ACLU writes:
When you fill a prescription at your local drug store, you would surely bristle at someone behind you peeking over your shoulder — but in a decision issued last week, a federal court in Utah said that you have no Fourth Amendment right to object when the peeker is the United States government.
You read that correctly: In a case challenging the Drug Enforcement Administration’s warrantless access to patient prescription records stored in a secure state database, the court relied in part on an outdated legal doctrine to rule that a “patient in Utah decides to trust a prescribing physician with health information to facilitate a diagnosis,” and thereby “takes the risk . . . that his or her information will be conveyed to the government.”
Read more on ACLU.


Complete speculation.  (Fun, isn’t it?)
Snapchat would let Google finally conquer the $72 billion TV ad market and stop Facebook in its tracks
As Business Insider's Alex Heath reported on Thursday, Google has looked into buying Snapchat for as much as $30 billion.
Who knows whether this deal would ever happen?  But in the meantime, it's worth examining what such an acquisition would do for Google (besides keeping Snapchat away from Facebook).
At top of the list: a marriage of Snapchat and Google's mega global video platform YouTube could help Google make a serious bid for the biggest prize in advertising — the $72 billion TV market.
   Snapchat boasts of average daily user sessions of 30 minutes.  YouTube users now average 60 minutes a day on its mobile app.  Facebook, by contrast, is doing everything it can simply to convince users to spend 3 seconds watching a video in its Newsfeed. 
The combination of YouTube - which reaches 1.5 billion users a month - and Snapchat could give Google an unmatchable daily "reach machine"; a direct pathway to youngsters who log their screen time hours in front of phones and tablets.  It's easy to imagine a specialized Google ad buy that connects brands with the majority of teens and 20-somethings every day, giving Google a legitimate rival to the reach marketers currently get through TV.  


Simple enough to be useful?
Flip Anim - Quickly Create Animated GIFs
Flip Anim provides possibly the easiest way to draw and create an animated GIF.  Within minutes of learning about Flip Anim on Larry Ferlazzo's blog I had created a couple of animated GIFs illustrating basic addition problems.  One of those is included below.
To create an animation on Flip Anim simply go to the site and start drawing on the notepad in the center of your screen.  You can draw as much or as little as you like on each page of your notepad.  You're essentially drawing a piece of each animation on each page of your notepad much like the way that old cartoons were created.  When you're done drawing on all of your pages you can preview the animation by pressing the play button.  To save your work you do have to upload it to Flip Anim (registration is not required) then you can download it as an animated GIF.

Friday, August 04, 2017

Digital Forensics, this fall.
The Coolest Talk at Defcon 25 That No One is Writing About
   one talk blew my mind, and it's surprising that no one’s been writing about it.  The room was packed for “CableTap: Wireless Tapping Your Home Network.”  I was expecting it to be a DIY class that could help hobby hackers see what’s happening on their home networks (because Comcast doesn’t provide a way).  Instead, the scope of the talk was much, much broader and more entertaining.
Three researchers, Marc Newlin and Logan Lamb of Bastille Networks and Christopher Grayson of Web Sight, found 26 vulnerabilities within ISP network devices that would have given them remote admin access to the majority of home networks in the United States. 


It’s all in the timing.  Will anyone wait (or come back) to see if an article gets challenged?  On the other hand, these jobs might help employ people fired because computers now do their jobs. 
Facebook Expands Fight Against Fake News With Automatic, Related Articles
   On Thursday, Facebook announced it is more broadly rolling out and improving its “Related Articles” feature to help minimize the circulation and impact of false and misleading stories in peoples' news feeds.  Using updated machine learning technology, Facebook said it can now identify a higher volume of potential hoaxes on the social network and direct them more quickly to a group of third-party fact checkers.  If fact checkers review a story, Facebook may proactively show users a unit of related articles below the original post that debunks its claims or offers relevant context.  The related articles may also include a post written by a third-party fact checker critiquing or contextualizing the original story.  The feature is now rolling out more broadly within the U.S. and is extending to Germany, France and the Netherlands. Facebook said it may expand the tool further depending on individual countries’ needs.


Current research!  Not that stuff that is an Internet Century (two years) old!
JournalTOCs current awareness service for updates on latest subject matter specific articles
JournalTOCs is a Current Awareness Service (CAS) where you can discover the newest papers coming directly from the publishers as soon as they have been published online.  JournalTOCs is for researchers, librarians, students and anyone who’s looking for the latest or most current papers published in the scholarly literature with international coverage.  JournalTOCs is a free service for individual users.  JournalTOCs *Premium* is a customised version for institutions, available at very economic licence rates.  It is a current awareness alert system built with the customers in mind because their feedback is what steers its continuous development.  JournalTOCs *Premium* is being used by large and small research centres and libraries worldwide.  It has many features, including an admin interface (super-user account) to ensure that each customised version exactly matches the needs of each customer.

Thursday, August 03, 2017

It’s always worse than the initial estimates.  Why is that?
HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE)
The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested.  A security company hired by HBO to scrub search results for the hacked files from search engines has told Google that the hackers stole “thousands of Home Box Office (HBO) internal company documents.”
The disclosure came as part of a DMCA take-down notice sent to Google Tuesday to force the search engine to take down links to the leaked files.  The take-down notice also detailed that the hackers did away with “masses of copyrighted items including documents, images, videos and sound.”
   The perpetrators of the hack have claimed that they were able to access some of HBO’s key network infrastructure, and steal a total of 1.5 terabytes of data, and have suggested that they will release additional information in the near future.  An image file published as part of the leaks seems to corroborate at least the first part of that claim, as it appears to show screenshots of HBO’s internal administration tools, listing employee names and email addresses and their functions within the organization. 


A system my Architects could fix. 
Air Canada disappeared off SFO air traffic radar equipment for 12 seconds before near-disaster, NTSB says
The wayward Air Canada plane that nearly caused an aviation disaster at San Francisco International Airport last month dropped off radar displays for 12 seconds in the moments before it approached four fully loaded passenger jets on the taxiway, according to new information released Wednesday from federal aviation officials investigating the incident.
   The Airport Surface Surveillance Capability (ASSC) system monitors incoming aircraft to ensure they are safely landing at SFO and 34 other airports across the country.  The system, which provides a computerized visual to air traffic controllers, is designed to sound a warning from a loudspeaker in the tower if an airplane on final approach is heading for an occupied runway.  But it does not warn for planes that may be incorrectly aligned to land on a taxiway, as was the case for the Air Canada plane.
Since last year, the Federal Aviation Administration has worked to upgrade the system to also alert towers to planes lined up to taxiways, where planes awaiting takeoff queue up.
“The agency expects to begin testing some modified systems in a few months,” a FAA spokesman said.
   Federal officials were not able to gather information from the airplane’s cockpit voice recorder because it had been overwritten.  [Horsefeathers!  Bob] 


It’s not the money laundering that should concern shareholders, it’s the inability to detect or fix the problem!
Commonwealth Bank Sued for Alleged Money Laundering Breaches
Commonwealth Bank of Australia, the nation’s largest lender, has been sued by the government’s financial crime agency over 53,700 alleged breaches of money laundering and terrorism financing laws.
   The automated machines were introduced in May 2012, and the amount of cash flowing through them grew exponentially, the court documents say.  In the six months to November 2012 about A$89.1 million was deposited.  By May and June 2016 this had risen to more than A$1 billion per month.  About A$8.9 billion in cash was put through the system before the bank conducted any assessment of the money laundering risk, Austrac said.
Austrac alleges the lender failed to report suspicious matters either on time or at all involving transactions totaling more than A$77 million.  It says the lender didn’t monitor its customers to mitigate the risk even after being made aware by law enforcement agencies of suspected money laundering.


Cool!  My Ethical Hacking students should make their own App to do this!
'Dumbo' Tool Helps CIA Agents Disable Security Cameras
The U.S. Central Intelligence Agency (CIA) has developed a tool that disables security cameras and corrupts recordings in an effort to prevent its agents from getting compromised, according to documents published on Thursday by WikiLeaks.
The tool, dubbed “Dumbo,” is executed directly from a USB thumb drive by an operative who has physical access to the targeted device.  Once executed, the program can mute microphones, disable network adapters, and suspend processes associated with video recording devices.
Dumbo also informs its user of where those video recording processes store footage so that the files can be corrupted or deleted.


A prank or a prelude to something else?  Certainly uncommon. 
Navy Clears All 6 Bomb Threats Called In To Hampton Roads Bases Wednesday
The Naval Criminal Investigative Service is investigating a series of bomb threats called in against Norfolk and Virginia Beach bases throughout Wednesday that forced several evacuations and lockdowns and affected ships and pier operations while emergency crews fanned out in response, the Navy said.
The calls were deemed not credible and normal operations had resumed by mid-to-late afternoon at both bases, Naval Station Norfolk and Joint Expeditionary Base Little Creek, said Beth Baker, Navy Region Mid-Atlantic spokeswoman.
   Wednesday’s threat also came just two days after the Norfolk base locked down its piers for several hours after watch standers reported seeing someone wearing scuba gear and goggles in the water near Pier 7.  No diver was found and all ships were later cleared.
   While area bases handle threats on occasion, neither Baker nor Mohr could recall recent cases in which so many were made in quick succession.
“This is outside the norm,” Mohr said.


Even though it sounds like a noble idea, there are other consequences.
Tech groups rally against online sex trafficking bill
Internet companies are stepping up their opposition to a Senate sex trafficking bill they believe could make websites liable for what their users publish online.
   “Rather than target criminals, including traffickers and buyers of victims, the proposed legislation would have a devastating impact on legitimate online services without having a meaningful impact on ending trafficking crimes,” the letter reads.
   Portman and Blumenthal are sponsors of the Stop Enabling Sex Traffickers Act, which would make websites liable for publishing information that facilitates sex trafficking.


An article for President Trump?  (From his alma mater)
You Are What You Tweet: Using Social Media to Assess Well-being
New research from the University of Pennsylvania attempts to understand the personality traits of Americans and the well-being of the communities they live in, by studying what they tweet.  In studying a mind-boggling volume of 37 billion tweets, the researchers at the World Well-Being Project have created an interactive map of U.S. counties with scores for each on select well-being indicators.  The project has been busy: A year ago, it tracked heart disease trends based on a billion tweets, and is now working on projects in Spain, Mexico and the U.K., and is in the early stages of a project in China.


An interesting challenge.
The Coming Consumer Data Wars
When companies come looking for permission to use their European customers’ data after the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, the answer may well be “no.” In a recent OliverWyman survey of 1,500 British consumers, our company discovered that as many as half said they were already leaning toward reclaiming their information.
That gives companies less than 12 months to figure out what it will take to get customers to say “yes” — as well as to figure out procedures and safeguards to assist consumers with accessing, editing, exporting, and deleting any or all of their personal data. And neither job will be easy.


Repeat!  Mark is not running for President in 2020!  Maybe the charity will run? 
Mark Zuckerberg hires former Hillary Clinton pollster
The charitable initiative of Facebook founder Mark Zuckerberg and his wife, Priscilla Chan, has reportedly taken on Democratic pollster Joel Benenson as a consultant, further fuelling speculation about his possible political ambitions. 
   The Chan Zuckerberg Initiative also took on Obama campaign manager David Plouffe earlier this year to head up policy and advocacy, as well as Amy Dudley, a former adviser to Clinton running mate Tim Kaine who is now the charity’s spokesperson.


PowerPoint.  Enough said.

Wednesday, August 02, 2017

Again?  Are we sure this has not risen to the level of “enemy action?” 
British Airways apologises for check-in failure
Passengers at Heathrow, Gatwick and London City airports had to be checked in manually and faced long queues and delays.
BA said the fault was resolved at about 09:00 BST and its computerised system was now operating normally.
It comes after a power cut led to hundreds of flights being cancelled over the May bank holiday weekend.


Failure to delete data when no longer needed.   
Kevin Collier reports:
When 650 thousand Tennesseans voted in the Memphis area, they probably didn’t expect their personal information would eventually be picked apart at a hacker conference at Caesars Palace Las Vegas.
[…]
But hackers given access to an ExpressPoll-5000 electronic poll book—the kind of device used to check in voters on Election Day—have discovered the personal records of 654,517 people who voted in Shelby County, Tennessee.
Read more on Gizmodo.


Trying to access US data stored abroad?  Like those Microsoft emails in Ireland.  Will it pass? 
Senate bill would ease law enforcement access to overseas data
Senators introduced bipartisan legislation Tuesday that would create a legal framework allowing law enforcement to access Americans' electronic communications in servers located in other countries.
The International Communications Privacy Act from Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.) would also require law enforcement to notify other countries of such data collection on their citizens in accordance with their laws.
The bill also allows law enforcement to get communications regarding foreign nationals in certain instances.

(Related).  Could it be that someone is beginning to understand basic security? 
U.S. senators to introduce bill to secure 'internet of things'
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards.  It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.  
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University.


For my Computer Forensics students?
Alex Hern reports:
A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens.
“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’?  How would you think we got it: some shady hacker?  No.  It was much easier: you can just buy it.”
Read more on The Guardian.


Anything to help…
Microsoft Word has a new trick up its sleeve, and it should help anyone who struggles with the written word.  The new feature is called Read Aloud, and it’s a significant improvement on the previous text-to-speech offerings in Word.  Let’s hope this helps eradicate typos once and for all.
   Read Aloud is a new feature which has arrived as part of the latest Office 365 updates.  Read Aloud does exactly what you’d expect it to do, with Word reading your document back to you.  However, Word can now highlight each word as it’s read aloud right from within your workflow. …   Read Aloud, which is listed under the Review tab, is currently only available to Office Insiders.  However, Microsoft promises it will become widely available to the general population “later this year”.  Which, in Microsoft parlance, means anytime between now and December 31st.

Tuesday, August 01, 2017

Oh gosh, it’s the old ‘baby monitor’ attack, re-designed for the whole family!
Amazon Echo Could Become an Attacker's Listening Device
The Amazon Echo is an always-listening device designed to play music, answer questions via the Alexa voice service, and control connected home devices such as WeMo, Hive and Nest.  Now researchers have demonstrated that while it listens to you, attackers could be listening to you as well.
Mike Barnes, a researcher at MWR Infosecurity, has published details of an attack that can compromise the device while leaving no evidence of tampering.  The attack requires physical access, and continues work (PDF) published last year by researchers from The Citadel, The Military College of South Carolina. 
   In effect, everything that the Echo hears can now also be heard by attackers without any alteration to the functionality of the Echo or evidence of tampering.


You can fool all the people some of the time…
White House officials tricked by email prankster
A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited.
   Cyber experts consulted by CNN say the incidents are illustrative of how vulnerable Americans -- even those in the highest reaches of power -- remain to the potential threat of spear-phishing, the process through which officials are duped by hackers, and expose government computers and systems to various cyber threats.


Remember, these companies were NOT the target of this attack.  This is all collateral damage. 
Malware Attack Disrupts Merck's Worldwide Operations
American pharmaceutical giant Merck revealed in its financial results announcement for the second quarter of 2017 that a recent cyberattack has disrupted its worldwide operations, including manufacturing, research and sales.
While Merck has not provided details about the incident in its financial report, the June 27 attack referenced by the company is most likely the NotPetya malware outbreak that affected tens of thousands of systems in more than 65 countries.
   Merck, which was named as one of the victims of the NotPetya attack shortly after the outbreak started, said on Friday that it had yet to fully assess the impact of the disruption.  The company said it had still been working on restoring operations and minimizing the effects of the incident.
   Merck is just one of several major companies affected by the NotPetya attack.  The list also includes Ukraine's central bank, Russian oil giant Rosneft, UK-based advertising group WPP, Danish shipping giant A.P. Moller-Maersk, and FedEx-owned TNT Express.
FedEx reported last month that it had still been working on restoring systems hit by the destructive malware attack, and admitted that it may not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.
Reckitt Benckiser, the British consumer goods company that makes Nurofen, Dettol and Durex products, said the attack disrupted its ability to manufacture and distribute products.  The firm estimated that the incident could have an impact of £100 million ($130 million) on its revenue.


No encryption?  Pity.
Hackers Threaten ‘Game of Thrones,’ as HBO Confirms Cyberattack
HBO confirmed on Monday that the network had been the target of a cyberattack, as an anonymous hacker boasted about leaking full episodes of upcoming shows along with written material from next week’s episode of “Game of Thrones.”
In an email to journalists, the hacker or hackers claimed to have obtained 1.5 terabytes of data from HBO, according to Entertainment Weekly, which broke the news.


Not really complete, but a place to start.


…and you thought Google was only an online threat. 
From EPIC.org:
EPIC has filed a complaint with the FTC asking the Commission to investigate Google’s tracking of in-store purchases.  According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users.  Google claims that it protects online privacy but refuses to reveal details of the algorithm that “deidentifies” consumers while tracking their purchases.  EPIC’s complaint asks the FTC to stop Google’s tracking of in-store purchases and determine whether Google adequately protects consumer privacy.  EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook’s privacy preferences and the launch of Google Buzz.  EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not “vanish”).  EPIC’s recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world.


“Those who do not understand Privacy are willing to deny it to all those ‘second class’ citizens out there.” 
UK home secretary Amber Rudd says 'real people' don't need end-to-end encryption
UK home secretary Amber Rudd has called on messaging apps like WhatsApp to ditch end-to-end encryption, arguing that it aids terrorists.
Writing in The Telegraph on Tuesday, the Conservative minister said that "real people" don't need the feature and that tech companies should do more to help the authorities deal with security threats.
   "The inability to gain access to encrypted data in specific and targeted instances ... is right now severely limiting our agencies' ability to stop terrorist attacks and bring criminals to justice." 


I find this amusing.
Citing ‘basic physics,’ a judge berated the FAA over shrinking airline seats
   In a fiery ruling on Friday, an appeals court judge in Washington ordered the Federal Aviation Administration to look into what she called “the Case of the Incredible Shrinking Airline Seat.”
Judge Patricia Millett upbraided the FAA for “vacuous” and “vaporous” evidence that the agency previously used to argue that diminishing leg room was not a problem — or at least not its problem.
   But when it came to emergency evacuations — you know, those things a flight attendant reminds you about before every departure — the court agreed with FlyersRights.org that the “Incredible Shrinking Airline Seat” might be a problem.
The FAA had argued otherwise, the judge wrote, citing studies and internal reviews to contend that seat spacing had no impact on evacuations.
But the FAA hadn’t actually shown anyone some of those reports, the judge complained, writing that information “no one can see does not count.” [Exactly what I tell my students!  Bob]


I bet I could think of a hundred similar tests.  If not, I’ll keep drinking beer until I do!  Purely for science, of course.
Can Alcohol Fuel Creativity?
   The study featured 70 young adults between the ages of 19 and 32.  They began the experiment by taking one test measuring executive function, and two measuring creative potential.
   Upon completion, participants were given beers to drink while they watched a half-hour documentary.  For half of them, it was a standard alcoholic beer, while, for the others, it was a non-alcoholic brew of nearly identical taste and color.  The subjects were not told which they were drinking.  As planned, those who drank the real beer ended up with a blood alcohol concentration of nearly 0.03.
Having quenched their thirst, all participants performed the tests a second time.  The key result: Solution rates on the Remote Associates Test were higher among those who had been drinking.  There were no significant differences on the Alternative Uses Task.


Even dumb questions can provoke good discussions.

Monday, July 31, 2017

This could (and likely did) happen to everyone/anyone!  Why haven’t companies in other industries reported similar incidents? 
Airlines Alert Customers, Employees of Cybersecurity Incidents
Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13.  According to the company, a third-party accessed logins and passwords used for its corporate network.
   Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data.  While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.
   Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.
   Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in Exploit.in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.
Cybercriminals have used the Exploit.in list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.
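The credential stuffing pattern described above has a recognisable shape in a web application's own login logs: one source address cycling through many distinct usernames in a short window, with the great majority of attempts failing and the occasional success marking an account whose owner reused a leaked password.  The following is an added illustration, written for this page and not code from SecurityWeek, Troy Hunt or any airline; the log line format (`<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>`), the thresholds, and the sample log lines (built from RFC 5737 documentation addresses) are all assumptions made for the example.

```python
"""Flag credential-stuffing runs in web login logs and list the accounts
that fell to them.  Added example; log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log.  203.0.113.7 walks a leaked combo list (one hit),
# 198.51.100.4 is one user mistyping a password, 192.0.2.9 is an office NAT.
SAMPLE_LOG = """
# constructed sample, not real traffic
2017-07-31T10:00:01 ip=203.0.113.7 user=alice result=ok
2017-07-31T10:00:03 ip=203.0.113.7 user=bob result=fail
2017-07-31T10:00:05 ip=203.0.113.7 user=carol result=fail
2017-07-31T10:00:07 ip=203.0.113.7 user=dave result=fail
2017-07-31T10:00:09 ip=203.0.113.7 user=erin result=fail
2017-07-31T10:00:11 ip=203.0.113.7 user=frank result=fail
2017-07-31T10:00:13 ip=203.0.113.7 user=grace result=fail
2017-07-31T10:00:15 ip=203.0.113.7 user=heidi result=fail
2017-07-31T10:01:00 ip=198.51.100.4 user=bob result=fail
2017-07-31T10:01:20 ip=198.51.100.4 user=bob result=fail
2017-07-31T10:01:45 ip=198.51.100.4 user=bob result=ok
2017-07-31T10:02:00 ip=192.0.2.9 user=ivan result=ok
2017-07-31T10:02:10 ip=192.0.2.9 user=judy result=ok
2017-07-31T10:02:20 ip=192.0.2.9 user=mallory result=ok
2017-07-31T10:02:30 ip=192.0.2.9 user=niaj result=ok
2017-07-31T10:02:40 ip=192.0.2.9 user=olivia result=ok
2017-07-31T10:02:50 ip=192.0.2.9 user=peggy result=ok
""".strip().splitlines()


def parse_auth_log(lines):
    """Turn raw log lines into event dicts; unrelated or malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.2):
    """Return {ip: summary} for source IPs that, within any sliding window,
    tried at least `min_users` distinct usernames with a success rate at or
    below `max_success_rate`.  The summary names the accounts that did log in
    successfully from that IP: those are the reused credentials to reset."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            successes = [e["user"] for e in win if e["ok"]]
            if len(successes) / len(win) > max_success_rate:
                continue  # many users but mostly succeeding: a NAT, not an attack
            if best is None or len(win) > best["attempts"]:
                best = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "successes": len(successes),
                    "compromised": sorted(set(successes)),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-username count is what separates a stuffing run from a single user fumbling a password, and the success-rate ceiling is what separates it from a busy shared egress address where many people legitimately sign in.  The `compromised` list is the actionable output: those users' passwords appeared in the combo list the attacker was replaying, so they need a forced reset regardless of whether the attacker did anything after logging in.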


Not all hackers are brilliant.
Teen was writing a fraud to-do list when the cops came. Now he’ll be doing time
When police executed a search warrant at Phyllistone Termine’s North Miami-Dade home in 2016, he was listening to tunes and doing a fraudster’s to-do list that included buying other people’s credit card numbers and security codes.
Termine, 19, was sentenced last week to 4 1/2 years in federal prison for aggravated identity theft and access device fraud.
The scam involved converting the modern tax return scam to unemployment benefits — amassing names and Social Security numbers and getting benefits in multiple fraudulent filings, Termine admitted in court documents.  Using more than 1,000 names and numbers, the teenager falsely collected more than $1 million in benefits from March 2015 through May 2016.
When cops burst into Termine’s home with a search warrant on May 20, 2016, they found him in his bedroom, listening to music and writing what appeared to be a summer to-do list on a legal pad.  The list included the tasks “Buy Online, Merrick BNK & CCVs” and “Buy 3 phones, 1 clean 2 dirty’s.”
The first phrase means buying Merrick Bank credit card numbers and the security code on the back from sites on the “dark web.”
Next to Termine on his bed: three cellphones and a laptop.  Hidden between the mattress and box spring: debit and credit cards that didn’t belong to Termine or anybody who lived with Termine.  Also, there were blank white plastic cards with magnetic strips.  Termine also had equipment to encode the magnetic strip on a credit or debit card.


Useful tool for my Computer Security classes.
Have you ever seen a visualization of the world’s biggest data breaches?  If not, you can see it here.  Hovering over incidents will lead you to additional information on the incident, and you can also use a variety of filters.
I love that site, especially because that wonderful tool relies on DataBreaches.net as a source of its data.  It’s a great use of my site and my work, and yes, I gave them permission.  I’m pleased to see my work used for some worthy noncommercial tools like that one.


Also illustrates a very simple hack, based on very poor design.
Kids Pass Just Reminded Us How Hard Responsible Disclosure Is
Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison".  The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place.  Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below to start:


A privacy breach occurs when we move from what we can see (old, white male) to what requires technology to reveal.
Turna Ray reports:
Genealogy firm Family Tree DNA has challenged the constitutionality of Alaska’s Genetic Privacy Act on the grounds that the statute is so vague in its definitions of terms, such as “DNA analysis,” “disclosure,” and “informed consent,” that the firm cannot know how to comply with the law.
The move is part of Family Tree DNA’s defense strategy in a lawsuit in which a customer, Alaska resident Michael Cole, is alleging the company breached his rights under the Genetic Privacy Act by publicly sharing his genetic information without his consent.
Read more on Genome Web.


A tool we should understand.

(Related)
Putin Signs Controversial Law Tightening Internet Restrictions
Russian President Vladimir Putin has signed controversial legislation prohibiting the use of Internet proxy services -- including virtual private networks, or VPNs -- and cracking down on the anonymous use of instant messaging services.
The law on proxy services, signed by Putin on July 29 and published by the government on July 30, was promoted by lawmakers who said it is needed to prevent the spread of extremist materials and ideas.
Critics say Putin's government often uses that justification to suppress political dissent.

(Related)
Apple removes VPN apps from the App Store in China
The Chinese government’s crackdown on the internet continues with the news that Apple has removed all major VPN apps, which help internet users overcome the country’s censorship system, from the App Store in China.


An interesting idea.  Would there be much of a market for my Ethical Hackers?  (If not, why not?) 
How Deep & Dark Web Intelligence Supports Merger and Acquisition Due Diligence
After all, for an M&A engagement to be truly advantageous, the acquirer must first gain an accurate and comprehensive understanding of the target company’s business risk profile.  Extensive due diligence is essential, as any unknowns pertaining to the target company’s finances, reputation, strategy, liabilities, or compliance could hinder the short- and/or long-term success of any merger or acquisition.  Given that an abundance of such unknowns exist in the form of threats emerging from the Deep & Dark Web, gaining visibility into these online regions is crucial.
Indeed, Deep & Dark Web intelligence can enable potential acquirers to proactively detect and address a broad spectrum of cyber and physical threats to which target companies may be susceptible, such as:
Insider Threats
Ransomware
Fraud
Data Theft
Supply Chain Security 
Hacktivism


At all?  Ever? 
German court rules bosses can't use keyboard-tracking software to spy on workers
The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers’ personal rights.
The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees’ complete “internet traffic” and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers.
The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots.
Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software.  Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them.
He was fired that same day.


English words; the grammar has changed.  More efficient than English?  Probably.  Dangerous?  Unlikely.  Cute headline though.  Let’s see who panics…
Facebook AI Invents Language That Humans Can't Understand: System Shut Down Before It Evolves Into Skynet
Facebook had to pull the plug on an artificial intelligence system that its researchers were working on because things got out of hand.  The AI did not start shutting down computers worldwide or something of the sort, but it stopped using English and started using a language that it created.
The AI agents were not confined to a limitation of only using the English language, and so they deviated from it and created one that made it easier and faster for them to communicate.  Facebook researchers, however, decided to shut down the AI systems and then force them to speak to each other only in English.


Likely to be installed in every Whole Foods location? 
Amazon’s new ‘Hub’ delivery lockers will accept packages from any sender
Amazon is expanding its delivery locker concept into apartment lobbies, with a twist: the new lockers will accept packages not just from Amazon but from any sender, shipped via any carrier, according to the company.
With the Hub rollout, the company is broadening the concept to let people receive packages from friends and family, competing retailers or anyone else.  The move could make Amazon a much bigger rival to retail mailbox stores and existing package lockers.  It could also give the Seattle-based tech giant access to a trove of new shipping and customer data that provide a competitive edge.

Sunday, July 30, 2017

Every four years the vulnerability of voting machines makes the news.  Someday, someone may actually consider security when designing a voting system.  NOTE: it is unclear from the article when (or if) these machines were actually connected to the Internet (except for the one hacked via WiFi).
It took DEF CON hackers minutes to pwn these US voting machines
This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.
In less than 90 minutes, the first cracks in the systems' defenses started appearing, revealing an embarrassingly low level of security.  Then one was hacked wirelessly.
The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs.  Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE.  Some had physical ports open that could be used to install malicious software to tamper with votes.


Defining “official” communication in the age of Social Media?
A Tweet Is a Direct Order
In the two days since President Trump’s tweets barring transgender troops from the U.S. armed forces, a consensus has emerged among senior military leaders and members of Congress that those tweets do not constitute an official policy announcement.  “We don’t have guidance.  We have a tweet.  We don’t execute policy based on a tweet,” said one Pentagon spokesperson.
This creative interpretation allows Pentagon leaders to avoid conflict with their commander in chief, and maybe signal a little dissent too.  It’s a posture, though, that has little basis in law.  Military officers and Cabinet officials have a legal duty to obey presidential orders and statements of policy, no matter what form they take.  This kind of clever disobedience only adds uncertainty to the chain of command and could create bigger problems in the event of a real crisis.

(Related)
My friend Phil Carter has written an excellent piece for Slate, pointing out the institutional dangers of disregarding President Trump’s recent series of tweets that announced an unjustified retrograde policy barring transgender personnel from service in the armed forces.  What follows is a slight friendly amendment to Phil’s fine essay, offering some additional perspective drawn from the Manual for Courts-Martial that may interest readers.  (The Manual is an executive order, issued and amended from time to time by the president.  It sets forth many provisions that would, in comparable civilian settings, be found in a code of criminal procedure.  It has the force of law.)