Is North Korea trading US stocks?
Hackers May Have Profited From SEC Corporate Filing System Attack
The vulnerability of governments and businesses to cyberattacks was exposed again Wednesday when a top U.S. financial regulator said hackers had breached its electronic database of market-moving corporate announcements, and may have profited from the information they stole.
The hack of an aspect of the U.S. Securities and Exchange Commission’s Edgar filing system occurred last year, the regulator said in a statement.
While the SEC has been aware of the breach since 2016, it wasn’t until last month that the agency concluded that the cybercriminals involved may have used their bounty to make illicit trades. The regulator disclosed the intrusion for the first time Wednesday.
… The SEC didn’t say which companies may have been impacted by the 2016 intrusion. Chris Carofine, a spokesman for Clayton, declined to comment when asked what type of information was improperly accessed.
This is just poor training. Why would you have anyone type a URL when you could copy and paste?
Equifax tweets fake phishing site to concerned customers
It keeps getting more complicated for Equifax.
The credit agency's Twitter account tweeted links on Wednesday to a fake site pretending to be Equifax, further bungling the company's response to a massive hack that affected 143 million customers.
Equifax, like many companies, handles customer service and complaints through its Twitter account. But in tweets replying to people asking for help and more information, it occasionally directed them to "securityequifax2017.com."
The domain, designed to look like a phishing site, was set up to criticize how the company handled the situation.
The official account tweeted links to the same site multiple times since September 9, two days after the breach was first announced. The links have been deleted, but screenshots show it was not a one-time flub.
It's easy to mistake the fake site for the real one: equifaxsecurity2017.com. The company created it earlier this month to share information on the major data breach.
Security experts criticized Equifax's decision to use this domain and website because it looks a lot like a scam site. Soon after it launched, some browsers flagged it as a phishing site. Experts warned hackers could create similar websites and trick people into giving up personal information.
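The mix-up above (securityequifax2017 versus equifaxsecurity2017) is the kind of thing a support team can screen for before a link goes out. The Python below is an added illustration, not code from the article, from Equifax, or from CNN: it reduces each link to its registrable domain, treats a domain built from the same brand words in a different order as a "keyword-transposition lookalike", and a domain within two edits of a real one as a "typosquat lookalike". The legitimate-domain set and the brand keyword list are constructed assumptions for the example, and the two-label suffix handling is a deliberate simplification.

```python
from urllib.parse import urlparse

# Constructed sample data (assumption, not from the article): the breach-response
# site named in the article is the only legitimate domain, and these are the brand
# words the organisation expects to see in its own domains.
LEGIT_DOMAINS = {"equifaxsecurity2017.com"}
BRAND_KEYWORDS = ("equifax", "security")


def registrable_domain(host):
    """Reduce a hostname to its last two labels ('www.example.com' -> 'example.com').
    Assumption: multi-label public suffixes such as .co.uk are not handled here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def hostname_of(url):
    """Extract the hostname from a URL; a bare hostname without a scheme is accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def levenshtein(a, b):
    """Classic edit distance; a small value against a real domain indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def keyword_bag(label, keywords):
    """Strip every brand keyword out of a label; return (sorted keywords found, leftover text).
    Two labels with the same bag and leftover but different spelling are the same words reordered."""
    found = []
    residue = label
    for kw in keywords:
        n = residue.count(kw)
        if n:
            found.extend([kw] * n)
            residue = residue.replace(kw, "")
    return tuple(sorted(found)), residue


def classify_domain(candidate, legit_domains=LEGIT_DOMAINS, keywords=BRAND_KEYWORDS, max_edits=2):
    """Return 'legitimate', 'keyword-transposition lookalike', 'typosquat lookalike' or 'unrelated'."""
    domain = registrable_domain(candidate)
    if domain in legit_domains:
        return "legitimate"
    label = domain.split(".")[0]
    bag, residue = keyword_bag(label, keywords)
    for legit in legit_domains:
        if bag and (bag, residue) == keyword_bag(legit.split(".")[0], keywords):
            return "keyword-transposition lookalike"
    for legit in legit_domains:
        if levenshtein(label, legit.split(".")[0]) <= max_edits:
            return "typosquat lookalike"
    return "unrelated"


def review_links(urls, **kwargs):
    """Triage every link in an outgoing support reply before it is posted."""
    return [(hostname_of(u), classify_domain(hostname_of(u), **kwargs)) for u in urls]


if __name__ == "__main__":
    # Constructed sample of links a support account might be about to tweet.
    sample = [
        "https://www.equifaxsecurity2017.com/",
        "https://securityequifax2017.com/",
        "equifaxsecurity2O17.com",
        "https://example.com/help",
    ]
    for host, verdict in review_links(sample):
        print(f"{host:32} {verdict}")
```

The transposition check runs before the edit-distance check because a reordered domain is far apart in edit distance yet, to a reader, is the closer match; a real deployment would load the legitimate set from the organisation's domain inventory rather than a literal.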
(Related). In humor, truth? A video for my Computer Security class.
Equifax F.A.Q.
An interesting follow-up! If you want to avoid detection, piggyback on software the target already uses and trusts. Very slick.
Attack on Software Firm Was Sophisticated, Highly Targeted
… While initially shouting out loud that the compromise was addressed before any harm was done to users, Avast on Wednesday confirmed that this was in fact a highly targeted attack and that a secondary payload was executed on some of the impacted systems.
Analysis of the logs found on the C&C server revealed that 20 machines in a total of 8 organizations received the second-stage payload. However, the logs only covered just over three days, and the actual number of machines that received the payload could be in the hundreds, Avast says.
The security firm wouldn’t reveal the names of targeted organizations, but says that these were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This clearly means that most of the CCleaner users weren’t of interest to the attackers.
Another follow-up.
NotPetya cyber attack on TNT Express cost FedEx $300m
Falling victim to the Petya cyber attack cost FedEx around $300m during the last quarter of the financial year, the company has revealed in its latest earnings report.
… While no data breach or data loss occurred as a result of Petya, the company previously warned that it may not be able to recover all of the systems affected by the cyber attack.
Technology restrained?
Court upholds Illinois biometrics law on use of facial scans
Fortune – “A federal judge this week delivered a key victory for customers who claim the digital scrapbook company Shutterfly violated their privacy by collecting scans of their faces without permission. In a 19-page opinion, U.S. District Judge Joan Gottschall rejected Shutterfly’s argument that an Illinois state law, which restricts how companies can use biometric data, should not apply.”
What could possibly go wrong?
Apparently Joe Cadillic and I aren’t the only ones who thought that a Ravens promo raised a lot of warning flags, although our concern wasn’t as regulatory as much as privacy-oriented. Joe sent along this update:
Jeff Barker reports:
Massachusetts biotech firm still intends to give away DNA test kits to fans at a Ravens game this season, according to the team, but the promotion first must undergo scrutiny from a federal agency and the state.
The “DNA Day” event, scheduled for last Sunday’s Ravens-Cleveland Browns game at M&T Bank Stadium, was postponed after the federal Centers for Medicare & Medicaid Services raised questions with the state about approvals, state and federal officials said.
[From the article:
Fans attending the game were to receive test kits and, if they chose to participate, swab the inside of their cheek, drop the sample into a bin at the stadium and register with the company online to receive a free analysis.
Another example of, “Gee, maybe that algorithm isn’t perfect?” No doubt the FBI will be asking for a list of Amazon’s customers who purchased the suggested items...
Amazon ‘Reviewing’ Its Website After It Suggested Bomb-Making Items
Amazon said on Wednesday that it was reviewing its website after a British television report said the online retail giant’s algorithms were automatically suggesting bomb-making ingredients that were “Frequently bought together.”
The news is particularly timely in Britain, where the authorities are investigating a terrorist attack last week on London’s Underground subway system. The attack involved a crude explosive in a bucket inside a plastic bag, and detonated on a train during the morning rush.
The news report is the latest example of a technology company drawing criticism for an apparently faulty algorithm. Google and Facebook have come under fire for allowing advertisers to direct ads to users who searched for, or expressed interest in, racist sentiments and hate speech. Growing awareness of these automated systems has been accompanied by calls for tech firms to take more responsibility for the contents on their sites.
Interesting.
Kade N. Olsen and Craig A. Newman report on a court opinion in the D-Link case – a case that addresses some of the issues also raised in LabMD vs. FTC:
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
As we previewed earlier this year, the FTC filed suit against D-Link Systems, Inc. (“D-Link”), a company that manufactures and sells home networking devices.
According to the FTC, D-Link failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key D-Link used with consumers to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.” These practices, the FTC maintained, were both (1) “deceptive” and (2) “unfair” under Section 5 of the FTC Act, 15 U.S.C. § 45.
Read more on Patterson Belknap Data Security Law Blog. Here’s the part that may give LabMD a smile or a “That’s what we think, too” nod:
But, the court ultimately found “merit” in D-Link’s argument that the FTC had failed to plead sufficiently that consumers had been injured. As followers of our LabMD coverage will recall, Section 5(n) of the FTC Act provides that the Commission cannot declare an act “unfair” unless, inter alia, that act “causes or is likely to cause substantial injury to consumers.”
The district court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.” It was not enough, Judge Donato held, that the FTC claimed that D-Link “put consumers at ‘risk.’” Without “concrete facts” of a “single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused in any way,” the unfairness claim depended on “wholly conclusory allegations” of “potential injury.”
I’m not sure I would go that far…
America needs Amazon more than Amazon needs America
… There may be blood in the water in Silicon Valley, but it isn’t coming from Amazon. The company’s stock is up roughly 30% this year, unperturbed by tepid financial results and the angry tweets of US president Donald Trump. Its business practices remain unfettered by federal regulators and seem unlikely to be criticized at the local and state level so long as HQ2 is on the auction block.
… As for the American public, why would they turn against Amazon? By one estimate, 85 million people, or roughly two-thirds of US households, are subscribers to Prime, Amazon’s $99-a-year membership program. They rely on it for everything from toilet paper to blenders to Bluetooth speakers, spending an annual average of $1,300. Bezos wants Prime to be such a good deal “you’d be irresponsible not to be a member.” Put another way, that you’d be irresponsible not to like Amazon.
Perspective. Does the need to access technology now override security concerns?
Saudi Arabia to lift ban on internet calls
Saudi Arabia will lift a ban on internet phone calls, a government spokesman said, part of efforts to attract more business to the country.
All online voice and video call services such as Microsoft’s Skype and Facebook’s WhatsApp that satisfy regulatory requirements will become accessible at midnight (2100 GMT), Adel Abu Hameed, spokesman for the telecoms regulator CITC, said on Twitter on Wednesday.
The policy reversal represents part of the Saudi government’s broad reforms to diversify the economy, partly in response to low oil prices, which have hit the country’s finances.
Perspective. Think about this one. Your camera ‘knows’ when you are taking a picture of a cake or a bird. Perhaps it will rat you out to Mom & Dad when you start sexting?
Facebook's New 'AI Camera' Team Wants to Add a Layer to the World
Take a video of a birthday cake’s candles sparkling in an Instagram story, then tap the sticker button. Near the top of the list you’ll see a slice of birthday cake.
It’s a little thing. This simple trick is not breathtaking nor magical. But it is the beginning of something transformative. Smartphones already changed how most people take pictures. The latest Silicon Valley quest is to reimagine what a camera is, applying the recent progress in artificial intelligence to allow your phone to read the physical world as easily as Google read the web.
… The AI Camera team is responsible for giving the cameras inside these apps an understanding of what you’re pointing them at. In the near future, your camera will understand its location, recognize the people in the frame, and be able to seamlessly augment the reality you see.
(Related).
Researchers at the University of Nottingham and Kingston University have created an algorithm that can translate any front-facing 2D photo into a bizarrely realistic 3D image.
… You can play around with the tool for yourself online. The researchers kindly provide a few photos for you to test out, and you can also upload a photo of yourself to try.
For my Computer Security students.
Preventing and Responding to Identity Theft
“You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans. The Internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The Internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals…”
For all my students.
For my cable cutting students.
Interesting App. What could similar Apps do for my students? Read their textbooks, for example?
LC – An App to Answer Your Questions about the Constitution
Margaret M. Wood, legal reference librarian in the Law Library. “Two years ago, in honor of Constitution Day—celebrated annually on September 17—I wrote a post about the publication “Constitution of the United States: Analysis and Interpretation,” also referred to as the “Constitution Annotated.” Along with the U.S. Code, it is one of my favorite work resources. Unfortunately, it is a behemoth of a work—it takes two hands to hold the volume, which weighs a good 10 pounds. Fortunately, the text is also available online through Congress.gov and through the U.S. Government Publishing Office, whose digital system includes both the most recent edition (2016) as well as historic editions back to 1992.
But given my penchant for bringing work topics into social situations, even the online version is not very practical. I cannot, very easily, fire up the computer during a conversation at a dinner or cocktail party. However, fortunately for me, there is an app for the “Constitution Annotated.” It debuted in 2013, when Congress.gov was still in beta, and has since been updated…”
[From the App description:
This app:
- Delivers the full text of “Constitution of the United States of America: Analysis and Interpretation”
- Contains a clause-by-clause discussion of the entire Constitution
- Discusses all Supreme Court cases and selected historical documents relevant to interpreting the Constitution
- Lists all federal, state, and local laws struck down by the Supreme Court, and all cases where the Court overturned its prior precedent
- Contains a table of contents, table of cases, and an index