Saturday, October 07, 2017

Would Equifax ignore a warning like this?
Critical Flaw Found in Siemens Smart Meters
Siemens’ 7KT PAC1200 multichannel measuring devices, part of the company’s SENTRON energy management portfolio, are designed to allow customers to monitor energy consumption. The product uses sensors to collect data that can be viewed via a desktop web browser or mobile applications for Android and iOS.
Researcher Maxim Rupp discovered that the product’s integrated web server, which is accessible on TCP port 80, has a vulnerability that allows a remote attacker to bypass authentication using an alternate path or channel. An attacker can exploit the security hole to access the web interface and perform administrative operations.
Siemens has advised customers to update their products to version 2.03 and secure network access to the web server.




Illustrating why password security isn’t enough…
Easy way to bypass passcode lock screens on iPhones, iPads running iOS 11
With iOS 11, you can still bypass the iPhone lock screen and trick Siri into getting into a person's phone. The bypass is the same as it was in the earlier version of the operating system




...and the future of AI?
Google’s Clips camera offers a snapshot of things to come
Pixel-branded smartphones, two Google Home devices, a new Pixelbook laptop, new earbuds called Pixel Buds, and a consumer camera called Google Clips.
Of all the new Google products announced, Google Clips is the most interesting by far — which is to say that it represents the most interesting trend. This consumer device represents the future of enterprise A.I.
… Clips is a 12-megapixel camera.
Google Clips uses artificial intelligence (A.I.) to choose when to take pictures. To “use” the camera, you twist the lens to get it started, place it somewhere, then forget about it.
It learns familiar faces, then favors those people (and pets!) when deciding when to take pictures. It looks for smiles and action, novel situations and other criteria. It discards blurry shots.
Each time it takes pictures, it captures a burst of photos at 15 frames per second, which you can use or edit as a GIF or from which you can cherry-pick your favorite still photographs.




I probably need one.
Finally: Actual, Physical Vet Cards Will Be Issued To Veterans Who Apply Starting In November
The law, which was originally sponsored by Republican Rep. Vern Buchanan of Florida, orders the VA to issue a hard-copy photo ID to any honorably discharged veteran who applies for one. Currently, only veterans enrolled in the VA health-care system or who receive retirement pay have photo ID cards.
Goods, services and promotional activities are often offered by public and private institutions to veterans who demonstrate proof of service in the military, but it is impractical for a veteran to always carry Department of Defense form DD-214 discharge papers to demonstrate such proof,” the law states.
The cards will be available free of charge to any honorably discharged veteran who applies for one online via the VA website; however, a VA official told Military.com that the department has yet to finalize a “timeline for how long it will take to receive a card” once the application is sent in. Given the VA’s reputation for being a well-oiled paperwork processing super machine, I think it’s safe to assume that the turnaround time will be lightning fast. [Might be a bit of sarcasm there… Bob]




An article for the birds.
National Audubon Society Offers Great Educational Resources
The mission of the National Audubon Society is to, "Protect birds and the places they need, today and tomorrow, throughout the Americas, using science, advocacy, education, and on-the-ground conservation." Their beautiful website is full of resources that could be used in a variety of subjects and with students of all ages.
Here are some of the highlights:
  • Binocular guide- provides tips on selecting binoculars as well as a guide to identify birds in the field.
  • News- numerous articles that focus on science.
  • Ideas for how to get involved and help be an advocate for birds.
  • Live bird webcams from around the United States.
  • Education page with information on different nature camps for kids.
  • Tips and tricks for photographing birds.
  • Bird Guide with beautiful illustrations as well as bird calls for hundreds of different birds.
If you want to see more posts about birds make sure you check out Wall of Birds and an Interactive Mural of Birds.


Friday, October 06, 2017

Inevitable. Fortunately, no one would ever conduct government business on a personal phone.
John Kelly's personal cellphone was compromised, White House believes
White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.
The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.
Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.
Kelly told the staffers the phone hadn’t been working properly for months, according to the officials.
… A White House spokesman said Kelly hadn’t used the personal phone often since joining the administration. This official said Kelly relied on his government-issued phone for official communications.




It’s just a little tiny-weeny bit of war. That doesn’t count, right?
Russia Raises Tensions in Baltic Region With Testing of Cyber Weapons
"Russia has opened a new battlefront with NATO," claims the Wall Street Journal. "Russia may have tested cyber warfare on Latvia," says Reuters. These are two reports about two separate incidents in the Baltic area close to Russia's largest military war games since 2013: Zapad.
The first incident revolves around hacking soldiers' smartphones. Two separate methodologies have been reported: the use of drones with sophisticated electronics equipment, and in an earlier incident, a mobile telephone tower (similar to law enforcement's use of stingray equipment). The sophistication of the attacks leaves little doubt that there is some state-sponsorship involved.
The Reuters report claims, "Moscow was probably behind interruptions in Latvia's mobile communications network before Russia's war games last month, in an apparent test of its cyber attack tools, Baltic and NATO officials said, based on early intelligence of the drills."
The effect of the jammer was to take out Latvia's emergency services' 112 hotline in a disruption that lasted about seven hours. This is the first time that the service has failed, and occurred on September 13, just prior to the most intensive period of the Russian Zapad war games.




If this is true, they should have been a bit more forthcoming when they banned Kaspersky.
Russian hackers reportedly stole NSA data in 2015, likely via Kaspersky software
Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.
As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date.
In a later story, The Washington Post said the employee had worked at the NSA’s Tailored Access Operations unit for elite hackers before he was fired in 2015.
… Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage.
Kaspersky Lab has strongly denied those allegations.
Russian government officials could have used flaws in Kaspersky software to hack into the machine in question, security experts told Reuters. They could also have intercepted traffic from the machine to Kaspersky computers.
Kaspersky said in a statement on Thursday that it found itself caught in the middle of a geopolitical fight.
… “The baffling parts are that he was able to get stuff out of the building and that he was using Kaspersky, despite where he worked,” Lewis said. He said that intelligence agencies have considered Kaspersky products to be a source of risk for years.




Why? And who else got this level of access? (Clearly, Apple has it, right?)
Apple gave Uber's app 'unprecedented' access to a secret backdoor that can record iPhone screens
Uber's iPhone app has a secret backdoor to powerful Apple features, allowing the ride-hailing service to potentially record a user's screen and access other personal information without their knowledge.




I hope they do it more securely than India did. (Will the US point to this as they consider replacing the Social Security number as an ID?)
EU to implement electronic ID for residents to accelerate adoption of e-government services
The European Union’s member states signed a sweeping declaration today designed to transform the way governments across the continent deliver services by embracing e-government initiatives.
Chief among these plans is an agreement to move forward with development of a digital identification system that can be used by residents to access a wide range of new online public and private services. The agreement calls on the EU to create a framework for ensuring the implementation of electronic IDs, while also ensuring protection of privacy and security of the data.




For my Computer Security students.
Business Email Scams: Protecting Your Company’s Information
by Sabrina I. Pacifici on Oct 5, 2017
From the Pennsylvania Department of Banking and Securities, a succinct and very useful Infographic guide: “Business Email Compromise is a cyber threat targeted against businesses, both large and small, that typically involves a con artist targeting employees with access to company financial or sensitive documents. The scammers lead the employees to believe they are a trusted partner or are legitimately entitled to the information, when in reality, they are criminals. A common tactic of these cybercriminals is the use of a “spear-phishing” emails and use of malware to first infiltrate the organization and eventually send a sham email supposedly from the CEO to an employee with access to financial information, requesting money to be transferred…” [h/t Pete Weiss]




For our CJ students.
CrimeSolutions.gov helps justice professionals improve effectiveness
by Sabrina I. Pacifici on Oct 5, 2017
“It’s important to celebrate milestones, and CrimeSolutions.gov has hit a big one — 500 rated programs. That’s 500 opportunities for the criminal and juvenile justice and victim service practitioners and policymakers we serve to learn about what works, what doesn’t, and what’s promising. While I am relatively new to the National Institute of Justice, I have spent a good part of my career championing evidence-based policy and the need for rigorous, replicated, program evaluations. All our resources are limited, and we need to ensure the programs we fund are effective in addressing the many issues faced by criminal justice agencies. CrimeSolutions.gov helps justice professionals, who may or may not be social scientists, improve their effectiveness. The systematic, independent review process and evidence ratings are intended to help practitioners and policymakers understand the implications of social science evidence that can otherwise be difficult to understand or apply, and serve as a basis for gauging the quality of evidence. In short, CrimeSolutions.gov strives to help practitioners answer the question: Does it work?”
  • “CrimeSolutions.gov content is organized a variety of ways, including by topic. The topic pages capture summary information as well as programs and practices that have been reviewed by CrimeSolutions.gov. Additionally, links to topical publications, Q&A, and related resources are also captured on the topical pages.”




Computers & Law, what a concept!
Survey – Ready or Not: Artificial Intelligence and Corporate Legal Departments
by Sabrina I. Pacifici on Oct 5, 2017
Lawyers have long been characterized as technology Luddites who are slow to change and wary of innovation. For corporate counsel, though, this stereotype may be fading. According to the results of a new Thomson Reuters report, “Ready or Not: Artificial Intelligence and Corporate Legal Departments“, corporate counsel believe they are tech savvy but acknowledge that their comfort level and confidence with technology have limitations, specifically around artificial intelligence (AI). The applications and impact of AI are growing, and AI tools will undoubtedly affect how the legal profession practices over the next decade. Consider how dramatically technology inventions have already changed the practice of law: From typewriters to computers and from fax machines to email, each advance has been transformative in the law. Lawyers have accepted and adopted each of these evolutions. AI is the next frontier. To better understand corporate counsel’s knowledge of and comfort with the use of artificial intelligence in the profession, Thomson Reuters conducted a survey of 207 in-house attorneys to measure current perceptions regarding the use of AI in corporate legal departments and the perceived benefits of AI once adopted.




Perspective.
Facebook is spending $1 billion for a building that basically no one will work in
The Commonwealth of Virginia celebrated on Thursday with the announcement that Facebook would be investing $1 billion to build a massive, new facility in the state.
There's a catch. Facebook's building will be a data center—and it will require almost no people to operate.
The project will mean plenty of money spent on construction and then 100 jobs in the data center afterward.




Perspective.
The state of Twitter: Trump passes Pope as most-followed world leader
… as of May 2016, Trump’s follower count was in the 7 million range. Now he’s about to blow past 40 million.
Of course, Katy Perry has 104.5 million followers, making her the most-followed person overall on Twitter. So, Trump still has a ways to go before knocking her from that perch.


Thursday, October 05, 2017

Brian Krebs reported this Sept 26.
Fast Food Chain Sonic Confirms Card Breach
Sonic Drive-In, a fast food restaurant chain with more than 3,500 locations across the United States, confirmed on Wednesday that cybercriminals may have stolen customers’ credit and debit card information using a piece of malware.
The company has provided only little information about the incident, but says it’s working with law enforcement and third-party forensics firms to investigate the breach. Sonic said it delayed notifying customers of the intrusion at the request of law enforcement.
While it’s unclear which locations were hit by the malware attack and how many customers are impacted, security blogger Brian Krebs last week learned of a cybercrime marketplace selling a batch of 5 million cards, at least some of which appear to come from Sonic’s systems.
The cards were put up for sale on September 18, but IBM researchers said the first batch appeared on a different cybercrime service that checks card validity for fraudsters on September 15, which suggested that the attackers had been collecting card data on an ongoing basis.
The list of major restaurant chains that informed customers of a payment card breach in the past year includes Wendy’s, Cicis, Arby’s, Chipotle, Shoney’s, and Noodles & Company.




Ready or not, here it comes.
Pew Report – Automation in Everyday Life
by Sabrina I. Pacifici on Oct 4, 2017
“Advances in robotics and artificial intelligence have the potential to automate a wide range of human activities and to dramatically reshape the way that Americans live and work in the coming decades. A Pew Research Center survey of 4,135 U.S. adults conducted May 1-15, 2017, finds that many Americans anticipate significant impacts from various automation technologies in the course of their lifetimes – from the widespread adoption of autonomous vehicles to the replacement of entire job categories with robot workers. Although they expect certain positive outcomes from these developments, their attitudes more frequently reflect worry and concern over the implications of these technologies for society as a whole. To gauge the opinions of everyday Americans on this complex and far-reaching topic, the survey presented respondents with four different scenarios relating to automation technologies. Collectively, these scenarios speak to many of the hopes and concerns embedded in the broader debate over automation and its impact on society. The scenarios included: the development of autonomous vehicles that can operate without the aid of a human driver; a future in which robots and computers can perform many of the jobs currently done by human workers; the possibility of fully autonomous robot caregivers for older adults; and the possibility that a computer program could evaluate and select job candidates with no human involvement.”


(Related).
Google unit launches group to explore ethical impacts of AI
An artificial intelligence research company owned by Google-parent Alphabet is launching a new division to examine the ethical impacts of AI.
DeepMind's new research unit, "Ethics & Society," will push to "help technologists put ethics into practice" with the goal of helping “society anticipate and direct the impact of AI so that it works for the benefit of all.”




Perspective. Pure politics? Anything that upsets the US is worth supporting?
North Korea Gets Second Web Connection Via Russian Firm
A state-owned Russian company has opened up a second internet connection for North Korea which could strengthen Pyongyang's cyber capabilities and undermine US efforts to isolate the regime, security experts said.
The activation of the new line from TransTeleCom was first detected Sunday by analysts at Dyn Research, which monitors global internet connectivity
The additional line gives Pyongyang "significantly more resilience against attacks on their network infrastructure," said Bryce Boland, the chief technology officer in the Asia-Pacific for cybersecurity firm FireEye.
The Washington Post reported earlier that the US Cyber Command had carried out attacks against hackers in North Korea aimed at cutting off their access to the Internet.
with only one internet provider to rely on, the regime has often found itself vulnerable to external cyberattacks against its own network infrastructure.
North Korea suffered several internet connection failures – some which lasted for hours – shortly after the Sony attack, which many suspected to be a US retaliation.




Perspective.
Top web browsers 2017: Microsoft takes another thrashing
… Microsoft forced Windows users to upgrade to the latest version of Internet Explorer supported by their version of Windows — which meant IE11 for most users — or run Edge on Windows 10.
Rather than nudging customers to upgrade IE or adopt Edge, the mandate prompted millions to abandon Microsoft's browsers and choose alternatives, for the most part Google's Chrome. The decision, which Microsoft described in mid-2014 as necessary for security reasons as well as to ensure compatibility with services like Office 365, turned out to be among the company's most disastrous. Since the upgrade order went into effect in January 2016, IE has shed nearly two-thirds of its user share, tumbling from 48.6% to last month's 19.3%.


Wednesday, October 04, 2017

Again I say, the numbers never seems to go down.
Yahoo says all three billion accounts hacked in 2013 data theft
Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc.




Not a unique idea.
Russia Targets NATO Soldier Smartphones, Western Officials Say
… Troops, officers and government officials of North Atlantic Treaty Organization member countries said Russia has carried out a campaign to compromise soldiers’ smartphones. The aim, they say, is to gain operational information, gauge troop strength and intimidate soldiers.


(Related). 18.02.2017
State-Sponsored Hackers Took Over Israeli Soldiers’ Android Phones
New research has revealed that state-sponsored hackers have been using malware to spy on soldiers in the Israeli Defense Force through their smartphones.
Reports indicate that more than 100 Israeli servicemen were first affected by this attack this in July 2016, and that the most recent reported attacks happened just this month. The malware, called "ViperRAT," was specifically designed to target Android devices, with hackers gaining access to the phone’s location, video, audio and SMS functions.


(Related). Even earlier: 19 Nov 2014
Russian spy threat to troops' phones and computers




Update.
Researchers Link CCleaner Attack to State-sponsored Chinese Hackers
The sophisticated supply chain attack that resulted in millions of users downloading a backdoored version of the popular CCleaner PC software utility was the work of state-sponsored Chinese hackers, according to a new report.
Investigation into the attack revealed that the backdoored code was only the first stage of the intended user compromise, and that a second-stage payload had been delivered to a small number of selected targets.




I wonder if the President even remembers this?
Daniel Rivero and Brendan O’Connor report:
In April, the Trump Administration launched what it called the Victims of Immigration Crime Engagement (VOICE) hotline, with a stated mission to “provide proactive, timely, adequate, and professional services to victims of crimes committed by removable aliens.” But internal logs of calls to VOICE obtained by Splinter show that hundreds of Americans seized on the hotline to lodge secret accusations against acquaintances, neighbors, or even their own family members, often to advance petty personal grievances.
The logs—hundreds of which were available for download on the Immigrations and Customs Enforcement web site despite containing extremely sensitive personal information—call to mind the efforts of closed societies like East Germany or Cuba to cultivate vast networks of informants and an atmosphere of fear and suspicion.
Read more on Splinter News.




Looks like Congress is starting to hear from the voters.
'I don't think we can pass a law that fixes stupid': Lawmakers berate Equifax ex-CEO
Equifax Inc.’s former chief executive trekked to Capitol Hill on Tuesday to offer contrition and explanation for the credit reporting company’s massive data breach. He was met with bipartisan incredulity and calls for tougher cybersecurity laws to protect Americans’ sensitive information.
… He blamed the breach on “human error and technology errors.”
Equifax failed to apply a software patch for a consumer dispute website in March, and the company’s systems did not detect the vulnerability until July 29, Smith said.
Lawmakers were dumbfounded by the company’s failure to patch the software and then, once the problem was discovered, to delay notifying the public for nearly six weeks.
… Rep. Joe Barton (R-Texas) said he thought financial penalties were needed to force companies to take security of sensitive consumer information more seriously.
“You’re really only required to notify people and say, ‘So sorry, so sad,’” Barton said. “It seems to me you might pay more attention to security if you had to pay everybody who got hacked a couple thousand bucks or something.”




It won’t result in a Theory of Relativity, but it is interesting.
How will AI change strategy? That’s the single most common question the three of us are asked from corporate executives, and it’s not trivial to answer. AI is fundamentally a prediction technology. As advances in AI make prediction cheaper, economic theory dictates that we’ll use prediction more frequently and widely, and the value of complements to prediction – like human judgment – will rise. But what does all this mean for strategy?
Here’s a thought experiment we’ve been using to answer that question. Most people are familiar with shopping at Amazon. Like with most online retailers, you visit their website, shop for items, place them in your “basket,” pay for them, and then Amazon ships them to you. Right now, Amazon’s business model is shopping-then-shipping.
… At some point, as they turn the knob, the AI’s prediction accuracy crosses a threshold, such that it becomes in Amazon’s interest to change its business model. The prediction becomes sufficiently accurate that it becomes more profitable for Amazon to ship you the goods that it predicts you will want rather than wait for you to order them. Every week, Amazon ships you boxes of items it predicts you will want, and then you shop in the comfort and convenience of your own home by choosing the items you wish to keep from the boxes they delivered.




I can’t imagine anything that could possibly go wrong. (Think of the hacks!)
Available soon: Sex robots with artificial intelligence
Come January, lifelike sex robots will be one step closer. That’s when a Southern California company will unveil Harmony, an anatomically correct sex doll with a patented animatronic talking head with programmable personality and memory.


Tuesday, October 03, 2017

The number never seems to go down.
Equifax raises estimate of people hit by breach
Equifax says that 2.5 million more Americans than originally believed have been affected by the record-breaking cyber attack on the firm.
The new additions bring the total of affected Americans to 145.5 million. Names, social security numbers, birthdates and other information were all compromised in the breach.


(Related).
Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation Of Cybersecurity Incident




Something for my Computer Security students to kick around.
The Increasing Effect of Geopolitics on Cybersecurity
The effect of geopolitics on cybersecurity can be seen daily – from Chinese cyber espionage to Russian attacks on the Ukraine and North Korea’s financially-motivated attacks against SWIFT and Bitcoins – and, of course, Russian interference in western elections and notably the US 2016 presidential election.
The primary cause is political mistrust between different geopolitical regions combined with the emergence of cyberspace as a de facto theater of war.
"Of course there is a connection between cybersecurity and geopolitics,” Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek. “Hackers are now acting as soldiers, and it's difficult to find a country that has never used a cyber weapon.”
Although not necessarily recognized at government level, few people involved with cybersecurity have any doubt that cyber warfare is current and ongoing. Governments are reluctant to openly acknowledge this reality for fear that recognition will require retaliation – and the big fear then is that it could escalate into kinetic warfare. Kinetic provocation leads to kinetic responses; cyber provocation tends not to. Consider, for example, the U.S. response to North Korea’s missile tests compared to the response to North Korea’s cyber attacks against Sony and SWIFT.
Cyber warfare has further advantages: the difficulty of attribution provides plausible deniability.
The first negative effect is already being felt: it is the balkanization of the internet. There are two aspects to this: the first is to protect the national internet from the global internet; and the second is to promote the use of locally produced products over foreign-produced, and therefore suspect, products. The Iranian, North Korean and Chinese intranets are the best known examples.


(Related). Should we assume this was at the direction of the President?
U.S. Cyber Command Launched DDoS Attack Against North Korea: Report
The United States Cyber Command has reportedly been engaged in offensive activity, namely a DDoS attack, against North Korea's military spy agency, the Reconnaissance General Bureau (RGB). The attack is thought to have commenced on September 22, and continued until September 30.
The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command.


(Related).
Over the last two years, U.S. banks and government agencies have enjoyed a notable respite from malicious Iranian cyber activity. The timing of this drop-off happens to coincide with the signing of the nuclear deal with Iran in 2015.
Now with U.S. President Donald Trump threatening to walk away from the nuclear deal, cybersecurity experts say it is likely Iran could resume its attacks against Western targets should Trump actually follow through with his threat.




Think about this. If an IG finds a poorly managed process in one agency, this website could provide everything other agencies need to correct the problem! Or, we could find evidence that management should have known about a particular problem because it had been found in one or more other agencies.
New Website Shows IGs Found More Than $25B in Potential Cost Savings in FY 2017
by Sabrina I. Pacifici on Oct 2, 2017
Oversight.gov was created by the Council of the Inspectors General on Integrity and Efficiency (CIGIE) to consolidate in one place all public reports from Federal Inspectors General (IGs) in order to improve the public’s access to independent and authoritative information about the Federal Government. The site includes a publicly accessible, text searchable repository of reports published by IGs. The reports appearing on Oversight.gov, as well as the data associated with them, have been posted directly to the site by the IG that issued it. CIGIE operates and maintains the site. Reports on Oversight.gov can also be accessed through the websites of the individual Offices of Inspectors General (OIGs)…
The data presented in the charts on the Home and Reports pages are from three sources:
  • CIGIE’s Annual Progress Reports the President, which present aggregate data about the annual accomplishments of Federal OIGs. This data is uploaded to Oversight.gov directly by CIGIE upon publication of a new annual report.
  • OIGs’ Semiannual Reports, which present data about the semiannual accomplishments of individual OIGs. This data is uploaded to Oversight.gov by each OIG.
  • Data from individual reports uploaded to Oversight.gov. This data is uploaded to Oversight.gov by each OIG…”
See alsoOversight Garden – “a free and open source project of Eric Mill, David Cook, Olivia Cheng, Steve Pulec, and other wonderful humans. Original writing licensed under CC-BY 4.0…Gathers and allows users to search for reports of every U.S. federal IG that publishes them..”




Perhaps we could train them to build robots?
Robots Are Taking Americans’ Jobs. What Can Be Done?
David Besanko, the IBM professor of regulation and competitive practice at the Kellogg School, says halting automation would only harm the nation’s global competitiveness. Instead of banning driverless trucks or hitting companies with a “robot” tax, Besanko argues in a new white paper cowritten with Max Meyers that the most strategic way to protect workers is through policies that help them adjust to the new economy. Such policies should be aimed at offering workers better access to training and equipping them to build their own businesses.




Thoughtful.
Mass Shootings Are A Bad Way To Understand Gun Violence




See readers? You are not alone!
Why blogs endure: A study of recent college graduates and motivations for blog readership
by Sabrina I. Pacifici on Oct 2, 2017
Why blogs endure: A study of recent college graduates and motivations for blog readership, Alison J. Head, Michele Van Hoeck, Kirsten Hostetler. First Monday, Volume 22, Number 10 – 2 October 2017.
“This paper reports the results from a mixed methods study of recent college graduates who were asked if and why they used blogs as sources for continued learning purposes. Findings are based on 1,651 online survey responses and 63 follow-up telephone interviews with young graduates from 10 U.S. colleges and universities. Despite the media’s declarations about the impending demise of the blogosphere, almost two-thirds of the respondents (62 percent) had read blogs to fulfill their learning needs during the past 12 months. Blogs were an affordable source of information to these readers, especially for acquiring additional knowledge and closing skill gaps in their personal lives after college. Results from a logistic regression analysis indicated respondents were more likely to have read blogs during the past 12 months if they needed step-by-step instructions for hobbies, do-it-yourself household repairs, or money management and creating a personal budget. Respondents who used blogs were also more likely to also use complementary sources, such as educational videos on YouTube, to meet their learning needs. The concept of shared utility is introduced as a basis for explaining reasons for use of the blog format, and conclusions are drawn about why blogs, an early Web form, are still useful to millennials as sources of continued learning.”


Monday, October 02, 2017

So? If HP’s software is designed correctly, Russia will not be able to modify it or bypass it. If it is faulty, Cyber Command is likely monitoring the faults.
Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon
Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.




I wonder how he protected himself?
At the Center of the Equifax Mess: Its Top Lawyer
The board of Equifax Inc. is reviewing the actions of the credit-reporting company’s top lawyer in connection with share sales by executives there in the aftermath of a massive data breach, according to a person familiar with the matter, as it tries to size up who knew what, and when, about the hack and how it was handled.
John J. Kelley, Equifax’s chief legal officer, had the ultimate responsibility for approving share sales by top executives days after the company discovered in late July that it had been hacked, according to people familiar with the matter. He also is central to broader questions facing the board because he is responsible for security at the company.




Oh gosh, now we’ll have to hack into their files never, ever know.
Federal Judge Rules FBI Not Required To Disclose Details On Hacked iPhone In San Bernadino Case
In December 2015, a man in San Bernadino, California and his wife participated in a terrorist attack that left 14 people dead. In the wake of that attack, the FBI opened an investigation into the couple and ties to other potential terrorists living within the US. An iPhone 5C was discovered that belonged to one of the terrorists, and the FBI wanted Apple to create a tool that would bypass the security on the iPhone in question and allow law enforcement into the device to look for leads and other evidence.
Apple refused to help the FBI develop a backdoor into the device leading the Justice Department to file a suit against Apple to force the company to participate in the investigation. However, the FBI eventually backed off that request after an unnamed third-party company came to the FBI with a tool that could bypass the security on the iPhone. Since that company came forward, a Freedom of Information Act suit was filed by three news organizations seeking to force the FBI to detail the company and hacking method used to access the iPhone in the case.
… . A Federal Judge has now ruled that the FBI doesn't have to release any details on the company or the hack that gave it access to the terrorists smartphone. The reasoning for the ruling was that revealing the company name could pose risk to the vendor who unlocked the smartphone.
The ruling stated, "It is logical and plausible that the vendor may be less capable than the FBI of protecting its proprietary information in the face of a cyberattack. The FBI's conclusion that releasing the name of the vendor to the general public could put the vendor's systems, and thereby crucial information about the technology, at risk of incursion is a reasonable one."
The ruling also protects the FBI from releasing the exact price that it paid to have the device unlocked, despite the public disclosures that claim the cost to unlock the device was around a million dollars.
[The ruling:




Once upon a time, this guy would have been gently placed in a padded cell. Now we consider suicide bombers (no matter the religious background) and act accordingly. Although in New York, they might have simply tossed him off the train.
Doomsday preacher’ on Wimbledon train causes passengers to flee
… Passengers said a man wearing a rucksack was reciting verses from the Bible and talking about homosexuality and sex outside of marriage being sins. He was also said to have referred to “doomsday”. A passenger pulled the emergency alarm and some people prised open the doors and went on to the tracks.




I have to ask: Smart Marketing or proof that the national IQ is quickly heading south?
Selfie Factories: The Rise of the Made-for-Instagram Museum
When the Museum of Ice Cream opened in New York in 2016, it was more a temporary curiosity than a rival to, say, the Whitney Museum of American Art, which stood just across the street.
… One year and three cities later, the Museum of Ice Cream has graduated to cult status on Instagram. More than 241,000 people follow its page, and countless more have posted their own photos from within the space. (Instagram doesn’t show how many photos have been posted at a particular geotag, but there are over 66,000 images with the #museumoficecream hashtag.) All those grams have made the Museum of Ice Cream a coveted place to be: In New York, the $18 tickets to visit—300,000 in total—sold within five days of opening. At its San Francisco location, which opened this month, single tickets went up to $38. The entire six-month run sold out in less than 90 minutes.




Might be useful for my website students.
X-Ray Goggles Help Students See How Webpages Are Made
Mozilla's X-ray Goggles is a neat tool that helps students learn the code that powers much of what they see on the Web. X-ray Goggles is a free tool that lets you remix any page that you find on the Internet. You can install X-ray Goggles in your Chrome or Firefox bookmarks bar. Then you can launch it on any webpage. When you launch X-ray Goggles you will be able to select images and text on a page and then shown the code behind your selection. X-ray Goggles will let you then alter the code to display new things on that page. In the video embedded below I provide an overview of using X-ray Goggles.




I like lists like this because I sometimes find things I didn’t know about. I found two such things on this list! (Unfortunately, in slide show format.)
The best free software for your PC


Sunday, October 01, 2017

The Privacy Foundation at University of Denver Sturm College of Law will host a seminar on October 27th, from 10:00am-1:00pm (with lunch to follow) at the Ricketson Law Building.
Privacy and Cyber Security – Equifax
The seminar will examine the history and current status of interactions between Privacy and Computer Security, with particular emphasis on the recent Equifax data breach.
For more information or to register contact Privacy Foundation Event Coordinator at sbrunswick@law.du.edu




Speaking of Equifax… However, there is so much information about the techniques of Nation State hackers, that any reasonably competent hacker can understand and use the techniques. Something we try to discourage our students from doing.
The Equifax Hack Has the Hallmarks of State-Sponsored Pros
In the corridors and break rooms of Equifax Inc.'s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren't being disparaging, just darkly honest
… Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.
The average American had no reason to notice Apache's post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.
… By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.
… In one of the most telling revelations, Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network. That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer. In an e-mailed statement, an Equifax spokesperson said: “We have had a professional, highly valuable relationship with Mandiant. We have no comment on the Mandiant investigation at this time.”
The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company's challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”
… “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security."
… Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used. The company's suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network's internal communications and data traffic. Using Moloch, investigators reconstructed every step.




What’s that saying about mountains and Mohammad?
Apple’s Global Web of R&D Labs Doubles as Poaching Operation
In recent years, Apple Inc. has quietly put together a global network of small research and development labs, from the French Alps to New Zealand.
Nothing unusual about that for a company that spends $11 billion a year on R&D. Look a little closer, however, and you'll notice that many of these labs are located near companies with a strong record in mapping, augmented reality and other areas Apple is pushing into. In several cases, these companies lost employees to Apple not long after the iPhone maker came to town. Apple spokeswoman Trudy Muller declined to comment.
Denver
Just last week, Apple posted a job listing for a software engineer in Denver specializing in mapping. Back in May, local media reported the company was close to securing office space in a building that just happens to be two blocks from the headquarters of Verizon Communications Inc.'s Mapquest unit.




For my Computer Security students.
How to stop your devices from listening to (and saving) everything you say