Saturday, May 04, 2019


The unexpected costs of acquiring a company with poor security.
Kevin Martin reports:
The massive data hack of guest information from the Marriott hotel empire has triggered a $100-million class action lawsuit in Calgary.
A statement of claim filed in Calgary Court of Queen’s Bench says the data breach in which hackers accessed records on as many as 500 million hotel guests was due to the chain’s lack of adequate security.
“The defendants knew or ought to have known that their databases were vulnerable to loss or theft,” says the claim, filed by Calgary lawyer Clint Docken and Edmonton counsel James Brown.
Read more on Calgary Sun.




Does this reduce their liability? Should they be required to pay ransom?
IT service provider refuses to pay ransom, hackers publish stolen data online
In a statement posted high on its official web site, CityComp publicly admits it fell victim to a “targeted cyberattack” sometime last month, and while the company has since fended off the hackers, customer data unfortunately got leaked.
“A still unknown perpetrator has stolen customer data of CITYCOMP and threatened the company with publication, should it not comply with the blackmail attempt,” the company states.
… “Since CITYCOMP does not comply with blackmail the publication of customer data could not be prevented,” the notice continues. “The stolen data has now been published by the perpetrators and CITYCOMP’s customers were informed about it.”
Many of CityComp’s clients are located in the European Union, which means the company should brace for GDPR impact.




Interesting. I might have to tweak my Computer Security curriculum to reflect some of these requirements. (Probably not.)
Oh, I missed something yesterday. President Trump signed an Executive Order on America’s Cybersecurity Workforce. I can’t find it in the Federal Register yet, but you can read it here.




“Let’s turn off the alarms!” A Hollywood cliché.
Design Flaws Create Security Vulnerabilities for ‘Smart Home’ Internet-of-Things Devices
Researchers at North Carolina State University have identified design flaws in “smart home” Internet-of-Things devices that allow third parties to prevent devices from sharing information. The flaws can be used to prevent security systems from signaling that there has been a break-in or uploading video of intruders.
… “Essentially, the devices are designed with the assumption that wireless connectivity is secure and won’t be disrupted – which isn’t always the case,” says Bradley Reaves, co-author of the paper and an assistant professor of computer science at North Carolina State. “However, we have identified potential solutions that can address these vulnerabilities.”
… “One reason these attacks are so problematic is that the system is telling homeowners that everything is OK, regardless of what’s actually happening in the home,” Enck says.
These network layer suppression attacks are possible because, for many IoT devices, it’s easy to distinguish heartbeat signals from other signals. And addressing that design feature may point the way toward a solution.
“One potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through,” says TJ O’Connor, first author of the paper and a graduate student at North Carolina State.
The paper, “Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things,” will be presented at the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks being held May 15-17 in Miami, Fla.
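The fix O’Connor describes, as an added example (not code from the paper or from any vendor): a naive telemetry encoding where heartbeats are tiny and events are large, beside a uniform encoding where every frame is padded to one fixed size and carries a sequence number, plus the receiver-side gap check that uniform framing makes possible. Frame size, message format and the sample traffic are assumptions constructed for the example.

```python
"""Telemetry framing for the smart-home heartbeat problem above.

Added example, not code from the paper. Two device-to-cloud encodings:
  * naive: heartbeats are a 2-byte token, events are JSON, so frame
    length alone reveals which frames are heartbeats;
  * uniform: every frame is padded to FRAME_SIZE and numbered, so length
    reveals nothing and the receiver can spot missing frames.
A real deployment would also encrypt each frame; padding only hides length.
"""
import json

FRAME_SIZE = 256  # constructed value: every uniform frame is exactly this long


def encode_naive(seq, kind, payload=None):
    if kind == "heartbeat":
        return b"HB"
    return json.dumps({"seq": seq, "kind": kind, "payload": payload}).encode()


def encode_uniform(seq, kind, payload=None):
    body = json.dumps({"seq": seq, "kind": kind, "payload": payload}).encode()
    if len(body) > FRAME_SIZE - 2:
        raise ValueError("payload too large for a single frame")
    # 2-byte length prefix, body, then zero padding up to FRAME_SIZE.
    return len(body).to_bytes(2, "big") + body + b"\0" * (FRAME_SIZE - 2 - len(body))


def decode_uniform(frame):
    n = int.from_bytes(frame[:2], "big")
    return json.loads(frame[2:2 + n])


def size_distinguishable(frames, kinds):
    """True if frame length alone separates heartbeats from other messages."""
    hb = {len(f) for f, k in zip(frames, kinds) if k == "heartbeat"}
    other = {len(f) for f, k in zip(frames, kinds) if k != "heartbeat"}
    return hb.isdisjoint(other)


def length_filter(frames, max_len):
    """Model of the network-layer suppression the paper describes: only
    frames up to max_len bytes are forwarded to the cloud."""
    return [f for f in frames if len(f) <= max_len]


def receiver_gaps(frames, expected=0):
    """Receiver-side liveness check: returns the sequence numbers that
    never arrived, so silence about events is no longer mistaken for 'all OK'."""
    missing = []
    for f in frames:
        seq = decode_uniform(f)["seq"]
        while expected < seq:
            missing.append(expected)
            expected += 1
        expected = seq + 1
    return missing


# Constructed traffic: two heartbeats, a break-in event, a video notice, a heartbeat.
TRAFFIC = [
    (0, "heartbeat", None),
    (1, "heartbeat", None),
    (2, "door_open", {"zone": "front"}),
    (3, "video", {"clip_id": "c17", "bytes": 48213}),
    (4, "heartbeat", None),
]


def demo():
    kinds = [k for _, k, _ in TRAFFIC]
    naive = [encode_naive(*t) for t in TRAFFIC]
    uniform = [encode_uniform(*t) for t in TRAFFIC]
    # Naive: a filter passing only 2-byte frames forwards every heartbeat
    # and silently drops both alarms, so the cloud keeps reporting "OK".
    naive_passed = length_filter(naive, 2)
    # Uniform: the same filter cannot be selective; it blocks everything,
    # and the cloud sees silence instead of a healthy device.
    uniform_passed = length_filter(uniform, 2)
    # Even if frames 2 and 3 were lost some other way, numbering exposes it.
    gaps = receiver_gaps([uniform[0], uniform[1], uniform[4]])
    return {
        "naive_leaks_type": size_distinguishable(naive, kinds),
        "uniform_leaks_type": size_distinguishable(uniform, kinds),
        "naive_frames_forwarded": len(naive_passed),
        "uniform_frames_forwarded": len(uniform_passed),
        "missing_after_loss": gaps,
    }
```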




Welcome to ‘Big Brother Net.’
Russia's new internet law presents a cybersecurity minefield for global enterprises
A new measure signed into law this week by Russian President Vladimir Putin that would enable the country to create its own internet network, independent from the rest of the world and regulated by national telecom agency Roskomnadzor (RKN), should give corporate executives around the world pause about the cybersecurity implications of doing business in the country moving forward. As part of the maneuver, Russia has also demanded 10 of the top providers of Virtual Private Networks (VPNs) to connect to a state content-filtering system or be banned from operating in the country.
According to Francis Dinha, CEO of OpenVPN, one of the aforementioned VPN providers facing a ban by the Russian government, companies with remote workers in the country that need to access sensitive information from their home offices in the U.S., Europe or elsewhere will have to rethink their security approach moving forward as authorities will have the ability to surveil any data being transmitted through the new network.




A GDPR oops!
HMRC to delete five million biometric voice records
The UK's tax authority is to delete the biometric voice records of five million people because it did not have clear consent from its customers to have those files.
HM Revenue and Customs (HMRC) uses the Voice ID biometric voice security system to make it easier for callers to pass its security processes when discussing their account. It says using the system will reduce the time it takes to speak to an advisor and will help prevent anyone else accessing accounts.
But the UK's data privacy watchdog the Information Commissioner's Office (ICO) said that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. "This is a breach of the General Data Protection Regulation," the ICO said.




I’ll look for the new ToS June 29th at 11:59:59 PM
European Commission Forces Changes to Facebook Terms of Service
In yet another victory for privacy advocates, the European Commission (EC) has forced social media giant Facebook to amend its terms of service in order to accurately reflect how the company makes money by selling user data. The Facebook terms of service, once obfuscated by complicated, legalistic language, are now going to state very clearly that Facebook provides its services free of charge to consumers in return for the agreement that their personal data will be shared with third parties and used for targeted advertising. According to the agreement reached between the European Commission, European consumer protection authorities and Facebook, the Silicon Valley giant will have until June 30 to implement the new changes.




Perspective. Could Denver privatize RTD? Probably not, but Leadville could.
‘Uber Was Supposed To Be Our Public Transit’
In 2017, the growing Toronto exurb of Innisfil, Ontario, became one of the first towns in the world to subsidize Uber rides in lieu of a traditional bus. Riders could pay a flat fare of just $3-$5 to travel to community hubs in the backseat of a car, or get $5 off regular fares to other destinations in and around town.
People loved it. By the end of the Uber program’s first full year of service, they were taking 8,000 trips a month.
Now “Innisfil Transit” is changing its structure. As of April 1, flat fares for the city-brokered Ubers rose by $1. Trip discounts dropped to $4, and a 30-ride monthly cap was implemented. Town leaders say this will allow Innisfil to continue to cover costs.
But Hudson and others see the changes as harmful, and a strange way of declaring success.



Friday, May 03, 2019


Hacking wholesale. Weaponized hacking?
A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE
A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now, what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain spree—and becoming more advanced and stealthy as they go.
Over the last three years, supply chain attacks that exploited the software distribution channels of at least seven different companies have now all been tied to a single group of likely Chinese-speaking hackers.
The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale, but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.


(Related) Preparing to weaponize?
Zack Whittaker reports:
A denial-of-service attack launched against an energy company providing power in several western U.S. states was enough to report “interruptions of electrical system operations” to the government’s energy authority.
The “cyber event” lasted almost 10 hours on March 5, according to an electric emergency and disturbance report filed with the Department of Energy by the affected company.
Read more on TechCrunch.
Meanwhile, in India, energy has also been under attack. The Hans India reports:
Khairatabad: The official website of Telangana State Power Distribution Corporation Limited (TSSPDCL) was hacked on Thursday. The electricity officials lodged a complaint in this regard with Central Crime Station – Cybercrime police. Cybercrime Additional DCP Raghuveer said that an FIR was registered under sections 65 and 66, based on the complaint received from CGM of Electricity IT department. The hackers after deleting the data from the official website demanded Rs 35 crore to give back the data, the electricity officials said.
Read more on The Hans India.




Background.
FBI Annual Internet Crime Report: $2.7 Billion in Losses Headlined by Non-Payment Scams, Business Email Compromise
The FBI’s Internet Crime Report, which provides data on the agency’s complaints and cases for the previous year, has been released. This annual report is prepared by the bureau’s Internet Crime Complaint Center (IC3), and is always a worthwhile read as it helps to identify trending patterns in cybersecurity. This year’s report reveals that the IC3 received nearly 352,000 complaints in 2018, with the most common type being a non-payment or non-delivery scam. However, the most financially damaging scams in 2018 were business email compromise, confidence fraud and investment scams.




I did not realize this was in their scope.
TSA Lacks Cybersecurity Expertise to Manage Pipeline Security Program: Report
The TSA is responsible for the federal oversight of the physical security and cybersecurity of the more than 2.7 million miles of pipeline that transport and distribute natural gas, oil, and other hazardous products throughout the United States.
… “Further, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise—necessary to carry out its pipeline security responsibilities,” the report reveals.




Apparently, Amazon doesn’t have it yet!
This is not a freebie but if you want to get started learning about privacy law, Privacy Law Fundamentals will be a great investment in your knowledge.
The authors are Daniel J. Solove, John Marshall Harlan Research Professor of Law at George Washington University Law School, and Paul M. Schwartz, Professor of Law, U.C. Berkeley School of Law, and Director of the Berkeley Center for Law & Technology.
In addition to the print format, the book is also available in electronic format.
Download a Preview from IAPP, where you can also purchase the book.




Gosh, only 50 years behind the times.
NIST Seeking Input on AI Technical Standards by May 31, 2019
On May 1, 2019, the National Institute of Standards and Technology (NIST) announced a Request for Information (RFI) in the Federal Register regarding ongoing efforts to develop technical standards for artificial intelligence (AI) technologies and the identification of priority areas for federal involvement in AI standards-related activities. Responses to the RFI are due by May 31, 2019.




I wonder how many in the legislature use Alexa?
Alexa, don’t store this recording: California bill targets smart home speakers
A bill making its way through the California Legislature would prohibit makers of smart home speakers from saving or storing recordings without users’ explicit consent.
The Anti-Eavesdropping Act, which cleared its first committee Wednesday, would also ban smart speaker device manufacturers from sharing with third parties recordings of verbal commands or requests heard by the devices.
Google said it is monitoring AB 1395.
“We believe that the combination of strong and balanced regulations, with products that are designed with privacy in mind, will help provide individuals with confidence that they’re in control of their personal information,” a Google spokeswoman said.
Cunningham, who introduced the bill in January, did so as part of a state lawmakers’ “Your Data, Your Way” package of legislation, which aims to complement the California Consumer Privacy Act, which was signed into law last year and takes effect next year.


(Related)
What Amazon knows about you
Depending on how much you shop, watch and read with Amazon, the e-commerce behemoth may know more about you than any other company on earth.




I wonder if there is a search engine for DUMB? I’m tired of saying, “That senator is dumber than a bag of hammers.”
The Measure Of Things – search engine for finding comparative or relative measurements of physical quantities
Wondering how big, small, tall, long, fast, heavy, or old something is? The Measure of Things is a tool to help you understand physical quantities in terms of things you (or your audience) are already familiar with. Need a metaphor to emphasize a written measurement? Try including a comparison to the size of a whale, or the height of the Empire State Building, or the speed of a bullet train. Need to understand how big a metric or English unit really is? Try comparing them to real, tangible objects that you see every day. Here are a few examples:
  • Through adopting these measures, we can reduce our total on-hand inventory by 230 units and save approximately 12,000 cubic feet of space in the warehouse, which will free up about 200 linear feet of shelf space.
  • A colony of brown bats can eat more than 3,360 fl oz of insects in a single evening.
  • The winning horse ran at 0.099 miles per second.
These phrases are all OK, but they’re a little hard to understand — especially when they contain less intuitive measurements like miles per second. Try this instead:




Too horrible to contemplate?
THE COMEDIAN IS IN THE MACHINE. AI IS NOW LEARNING PUNS
A pun generator might not sound like serious work for an artificial intelligence researcher—more the sort of thing knocked out over the weekend to delight the labmates come Monday. But for He He, who designed just that during her postdoc at Stanford, it’s an entry point to a devilish problem in machine learning. He’s aim is to build AI that’s natural and fun to talk to—bots that don’t just read us the news or tell us the weather, but can crack jokes or compose a poem, even tell a compelling story. But getting there, she says, runs up against the limits of how AI typically learns.




Architecture. Not just a flag on the map, but photos of the food.
Google Maps now highlights photos of restaurants' most popular dishes



Thursday, May 02, 2019


Should you notice a new user on your network?
Hackers Had Access to Citrix Network for Five Months
Citrix disclosed the incident on March 8, two days after it learned from the FBI that its systems had been breached by “international cyber criminals.” At the time, the company said the hackers may have stolen some business documents.
In a data breach notification submitted by Citrix this week to the California Office of the Attorney General, the company said the hackers had intermittent access to its network between October 13, 2018, and March 8, 2019.
The company also confirmed that the attackers removed files from its systems. Some of these files stored information on current and former employees and, in some cases, beneficiaries and/or dependents. The compromised data includes names, social security numbers, and financial information.
In an update published on its website in early April, Citrix said the hackers likely gained access to its network by using a method known as password spraying, which involves attempts to access accounts with a few commonly used passwords.
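Password spraying leaves a recognizable trace in authentication logs: one source failing against many distinct accounts with only a few tries each, which is exactly the pattern per-account lockout thresholds miss. The detector below is an added example, not Citrix's code or anything from its disclosure; the log line format, the thresholds and the sample log are constructed for the example.

```python
"""Password-spray detection over authentication logs.

Added example, not Citrix's code. The log format is constructed; adapt
LINE_RE to your own IdP, VPN or SSO export. The signal that separates
spraying from ordinary failed logins or a brute force on one account:
  * many DISTINCT accounts failing from the same source in a short window,
  * only a handful of failures per account (a few common passwords are
    cycled across accounts to stay under per-account lockout).
Any successful login from a flagged source is the account to triage first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Parse auth records into sorted (ts, src, user, result); skip other lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {src: {"accounts", "first", "last", "successes"}} for every source
    that, within some `window`, failed against at least `min_accounts` distinct
    users with no single user failing more than `max_per_account` times."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    alerts = {}
    for src, f in fails.items():
        best, start = None, 0
        for end in range(len(f)):               # sliding window over time-sorted failures
            while f[end][0] - f[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in f[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts"]:
                    best = {"accounts": len(per_user), "first": f[start][0], "last": f[end][0]}
        if best:
            best["successes"] = sorted(oks.get(src, ()))  # accounts that later got in
            alerts[src] = best
    return alerts


# Constructed sample log: 203.0.113.7 sprays six accounts, then logs in as dave;
# 198.51.100.9 hammers one account (brute force, not a spray); 192.0.2.5 is benign.
SAMPLE_LOG = """
2018-10-13T02:14:07Z auth src=203.0.113.7 user=alice result=FAIL
2018-10-13T02:14:09Z auth src=203.0.113.7 user=bob result=FAIL
2018-10-13T02:14:11Z auth src=203.0.113.7 user=carol result=FAIL
2018-10-13T02:14:13Z auth src=203.0.113.7 user=dave result=FAIL
2018-10-13T02:14:15Z auth src=203.0.113.7 user=erin result=FAIL
2018-10-13T02:14:17Z auth src=203.0.113.7 user=frank result=FAIL
2018-10-13T02:16:02Z auth src=192.0.2.5 user=alice result=OK
2018-10-13T02:17:30Z kernel: unrelated line that the parser must skip
2018-10-13T02:19:40Z auth src=203.0.113.7 user=alice result=FAIL
2018-10-13T02:19:42Z auth src=203.0.113.7 user=dave result=OK
2018-10-13T02:20:00Z auth src=198.51.100.9 user=bob result=FAIL
2018-10-13T02:20:01Z auth src=198.51.100.9 user=bob result=FAIL
2018-10-13T02:20:02Z auth src=198.51.100.9 user=bob result=FAIL
2018-10-13T02:20:03Z auth src=198.51.100.9 user=bob result=FAIL
2018-10-13T02:20:04Z auth src=198.51.100.9 user=bob result=FAIL
""".strip().splitlines()


def run_sample():
    return detect_spray(parse(SAMPLE_LOG))
```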




Anyone from the Privacy Foundation looking for a new job?
Exclusive: New privacy oversight on the table for Facebook, Zuckerberg
The steps, which are subject to change until a deal is final, would include appointing a federally approved privacy official at the social network and creating an "independent" privacy oversight committee that may include Facebook board members, said the person, who requested anonymity because the discussions are ongoing.




Another angle.
Anne Bolamperti and Patrick X. Fowler of Snell & Wilmer write:
Utah recently became the first state to enact a law specifically designed to protect private electronic information stored with third parties from collection by law enforcement without a valid warrant. Utah Governor Gary Herbert signed the ground-breaking legislation on March 27, 2019, and it is expected to take effect in May 2019. The aim of the new law is to protect Utahns from unreasonable searches and seizures. However, it is not without controversy. The Utah Attorney General’s Office believes the Law could “cripple” some criminal investigations.




The challenge.
Why Isn't GDPR Being Enforced?
Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.


(Related) The response.
Adrian Weckler reports:
The Irish Data Protection Commissioner says that the first batch of major investigations by her office under GDPR into companies like Facebook and LinkedIn will “conclude over the summer of 2019”.
Speaking to the US Senate, Helen Dixon said that there are currently 51 “large scale” investigations underway.
“17 relate to the large tech platforms and span the services of Apple, Facebook, LinkedIn, Twitter, WhatsApp and Instagram,” she said.
Read more on The Independent.




...and what if it ain’t?
What if AI is just BS?
… people who want to sound savvy keep talking about artificial intelligence as the New New Thing.
This is what you read in the popular press as well. There are lots of ways that AI could affect the social fabric: there is the potential of lost jobs, or at least a radical reorientation of what jobs would look like. There are the unexpected effects of artificial intelligence, which I believe the sci-fi genre has tackled with a great deal of enthusiasm. And for my bailiwick of international relations, there is a lot of talk about an AI “arms race” that could alter the balance of power in the future.
Are these people correct?
I strongly recommend perusing Michael Horowitz’s essay in the Texas National Security Review, which makes some very useful distinctions. Horowitz points out that AI is more of a continuum than a precise technology. He also acknowledges that the future of AI is far from clear.
I have some skin in this game, because I wrote something about technological change and international relations for the centennial anniversary of the journal International Relations that was just published.
In the Bulletin of the Atomic Scientists, Heather Roff has an interesting essay on this very question, in which she notes, “It would help matters if artificial intelligence discussions were framed in an ‘AI +’ framework, because in many cases, AI is merely a tool included in a system involving other functions or capabilities.




Lots and lots of stats.
Internet growth + usage stats 2019: Time online, devices, users
Internet users now make up 57% of the global population. On average, people spend 6 hours and 42 minutes online each day. By 2021, a projected 73% of all ecommerce sales will come from mobile.




I’m in my library at least twice a week.
Library Extension The #1 Browser Extension that lets you instantly see book and e-book availability from your local library




Perhaps as a supplement…
Learn for Free: Law Courses & Lectures Online
Updated April 2019. “From interactive courses spanning several weeks to quick introductory tasters, there is a huge amount of free learning materials available online. Covering a range of topics and jurisdictions, there’s something for everyone (so long as you’re into law)!



Wednesday, May 01, 2019


Is DHS in charge of computer security or just patches?
DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days
The U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems.
Specifically, BOD 19-02 gives government organizations 15 days to address critical vulnerabilities and 30 days for high-severity flaws. The countdown starts when a vulnerability was initially detected, rather than when it was first reported to agencies. [Catch 22? Bob]
Internet-exposed government systems undergo Cyber Hygiene scanning to help agencies identify vulnerabilities. The recently created Cybersecurity and Infrastructure Security Agency (CISA) provides regular reports to agencies, informing them of the detected flaws, classified based on their CVSSv2 score.




Worth a try...
Plan to secure internet of things with new law
Security vulnerabilities that could be targeted by hackers have been found in everything from toy dolls to internet-connected ovens in recent years.
The new laws would mean such devices would have to come with unique passwords, for example.
The proposed legislation, launched by Digital Minister Margot James, would also introduce a new labelling system to tell customers how secure an IOT product is.
Ms James said it was part of the UK's bid to be a "global leader in online safety".
Retailers would eventually be barred from selling products without the labels although initially the scheme would be voluntary.
To gain a label and enter the market, IOT devices would have to:
    • come with unique passwords by default
    • state clearly for how long security updates would be made available
    • offer a public point of contact to whom any cyber-security vulnerabilities may be disclosed




With familiarity (of computer security best practices) comes contempt?
Local Credit Union Sues Fiserv Over 'Amateurish Security Lapses'
Fiserv, the leading bank core processor with 37% of the U.S. market share in 2018, is being sued by one of its own customers, the Bessemer System Federal Credit Union.
Court documents filed in a Mercer County, Pennsylvania court on April 26, 2019 show Bessemer claiming that, "Despite Fiserv's claimed expertise, Fiserv has misreported Bessemer's account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer's members." It adds, "Bessemer's member information has been subject to several instances of critical security vulnerabilities while in Fiserv's custody – each based on baffling and amateurish security lapses."




For those of us who watch such things…
Which CCPA Amendments Made the Cut?


(Related)
California Assembly’s Privacy Committee Advances CCPA Employee Carve-Out




We missed you at the seminar, Yasmin.
Utah and Virginia are making moves on the privacy front.
We’ve been hearing non-stop about California, and the CCPA but California isn’t the only state advocating for privacy. If you haven’t heard, Utah just banned digital searches without a warrant.
A Virginia Court recently held that Automated License Plate Reader (ALPR) systems violated Virginia’s Government Data Collection and Dissemination Practices Act (Data Act).




Suspicions confirmed, under oath.
We Got U.S. Border Officials to Testify Under Oath. Here’s What We Found Out.
In September 2017, we, along with the Electronic Frontier Foundation, sued the federal government for its warrantless and suspicionless searches of phones and laptops at airports and other U.S. ports of entry.
The government immediately tried to dismiss our case, arguing that the First and Fourth Amendments do not protect against such searches. But the court ruled that our clients — 10 U.S. citizens and one lawful permanent resident whose phones and laptops were searched while returning to the United States — could move forward with their claims.
Since then, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement have had to turn over documents and evidence about why and how they conduct warrantless and suspicionless searches of electronic devices at the border. And their officials have had to sit down with us to explain — under oath — their policies and practices governing such warrantless searches.
What we learned is alarming, and we’re now back in court with this new evidence asking the judge to skip trial altogether and rule for our clients.
The information we uncovered through our lawsuit shows that CBP and ICE are asserting near-unfettered authority to search and seize travelers’ devices at the border, for purposes far afield from the enforcement of immigration and customs laws.




It’s hard to keep tabs...
NSA says warrantless searches of Americans’ data rose in 2018
The data, published Tuesday by the Office of the Director of National Intelligence (ODNI), revealed a 28% rise in the number of targeted search terms used to query massive databases of collected Americans’ communications.
Some 9,637 warrantless search queries of the contents of Americans’ calls, text messages, emails and other communications were conducted by the NSA during 2018, up from 7,512 searches on the year prior, the report said.
The figures also don’t take into account queries made by the FBI or the Drug Enforcement Administration, which also has access to the database, nor do they say exactly how many Americans had their information collected.




Something to cheer their lawyers?
Facebook could have 4.9bn dead users by 2100, study finds
Deceased may outnumber the living if current growth rates continue, raising questions about what happens to our data




The next level: “Pizza in 30 minutes, or it’s free!”
It's Not Just Amazon: Free One-Day Delivery Is The New Normal
Amazon may have scored points on Wall Street last week with plans to invest $800 million so its Prime member subscribers can receive merchandise in one day. But analysts aren’t concerned the e-commerce giant’s brick-and-mortar competitors like Walmart and Target, with hefty online businesses themselves, have been caught off guard.
Delivery is part of today’s heated skirmish for retail turf, and Amazon simply just made its latest move.
In response, Walmart, with its stock dipping 3% Friday, issued its own news in a tweet, while taking a jab at Amazon.
“One-day free shipping…without a membership fee. Now THAT would be groundbreaking,” the company said, teasing plans to cut its free two-day shipping (for purchases $35 and up) down to one, while making a reference to Amazon’s annual $119 Prime membership.
Target … already offers free one-day shipping to its no-fee loyalty REDcard holders. The benefit is for orders of at least $35, which are placed by 7 p.m. on a weekday.




Interesting perspective.
Mueller Report Illustrates Trump’s Authoritarian Rhetorical Tactics