Saturday, July 25, 2020


The costs of a ransomware attack. Some of them...
Keizer discloses costs of recovering from recent ransomware attack
When Keizer, Oregon was attacked in June with ransomware, the attackers demanded $48,000, and the city paid.
Now Keizer Times reports that the costs of recovering city data and preventing future digital strikes have already exceeded $60,000. Among the costs, which will be detailed more at a later date:
To handle negotiations with the hacker, the city contracted with New York-based Arete Advisors. Arete provided negotiation services, is conducting a forensic analysis and installed a new virus scanner to determine whether additional viruses or malware are present in the city’s network. The cost for those services was $36,230.
Arete also sold the city a new virus protection program, SentinelOne to protect against future attacks. The cost is $12,418 for a 36-month subscription and the program covers 160 computers.
Between $10,000 and $15,000 to Lewis Brisbois Bisgaard & Lewis, a Portland-based law firm, for legal assistance in facilitating the forensic investigation and assessing consumer and regulatory notification obligations.
The cost of the actual ransom itself and a transaction fee was covered by cyberinsurance.




For my Computer Security students.
Thinking of a Cybersecurity Career? Read This
Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.




Another perspective.
Four steps for drafting an ethical data practices blueprint
Here are four key practices that chief data officers/scientists and chief analytics officers (CDAOs) should employ when creating their own ethical data and business practice framework.
Identify an existing expert body within your organization to handle data risks
Ensure that data collection and analysis are appropriately transparent and protect privacy
Anticipate – and avoid – inequitable outcomes
Align organizational structure with the process for identifying ethical risk




Mozart, Beethoven and Weird Al – Don’t mess with the greats!
A researcher created a 'Weird A.I. Yancovic' algorithm that generates parodies of existing songs, and now the record industry is accusing him of copyright violations
A researcher has created an algorithm that uses artificial intelligence to create new lyrics "that match the rhyme and syllables schemes of existing songs," per a Vice report published Thursday.
Mark Riedl, a researcher at Georgia Tech, told Vice he created his "Weird A.I. Yancovic" algorithm as a personal project. The algorithm's name is inspired by the parody singer Weird Al Yankovic, who does something similar, taking existing songs and creating his own spinoff version with new lyrics.
As Vice notes, however, Yankovic reportedly asks the original artist for permission before creating his parody of a given song. Riedl does not — and it's landed him in hot water.
Riedl posted a video to Twitter on May 15 with AI-generated lyrics and the instrumental part of Michael Jackson's "Beat It." On July 14, Twitter took it down after the International Federation of the Phonographic Industry, a coalition of some of the record industry's biggest companies, submitted a copyright takedown notice to Twitter, per the report. Coincidentally, Weird Al Yankovic, the parody singer, also created a version of the hit track, entitled "Eat It," in 1984.
Riedl told the outlet he thinks his videos are protected by fair use, which is a loophole in copyright laws that allows people to use copyrighted work without obtaining permission beforehand in certain circumstances. The doctrine covers parody work, among other stipulations.




I will respond to this article in great detail… Right after my nap.
AI Says Men Are Lazy




Keeping shut-ins occupied. (Has isolation killed your brain cells?)
How Smart Are You? 5 Free Online Cognitive Tests to Check How Well Your Brain Works



Friday, July 24, 2020


Know where your documents originate!
New 'Shadow Attack' can replace content in digitally signed PDF files
Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.
The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.
Academics have named this technique of forging documents a Shadow Attack.
The main idea behind a Shadow Attack is the concept of "view layers" -- different sets of content that are overlaid on top of each other inside a PDF document.
A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.
Because the layer was included in the original document that the victim signed, changing the layer's visibility doesn't break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions -- such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.
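The excerpt's key point is that the signature stays valid because the bytes it covers never change. One defender-side check that follows from that is to see whether a signature actually covers the whole file: a PDF signature's /ByteRange names the byte spans it protects, and anything appended after them (an incremental update) can change what the viewer shows without touching the signed bytes. The script below is an added example, not code from the ZDNet article or from the Bochum researchers' paper. It parses the /ByteRange entries, reports how many bytes trail the signed region, counts %%EOF markers after it, and flags optional content groups as a heuristic hint that the file carries toggleable layers. The sample document it builds is a constructed, minimal PDF-like byte string (the /Contents hex is a placeholder, not a real signature), so the example checks coverage only; cryptographic verification of the signature value is a separate step it does not perform.

```python
import re
from typing import Dict, List, Tuple

# /ByteRange [a b c d]: the signed bytes are [a, a+b) and [c, c+d); the gap
# between the two spans holds the signature's own /Contents hex string.
BYTE_RANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_byte_ranges(pdf: bytes) -> List[Tuple[int, int, int, int]]:
    """Return every /ByteRange found in the file, one tuple per signature."""
    return [tuple(int(x) for x in m.groups())
            for m in BYTE_RANGE_RE.finditer(pdf)]


def check_signature_coverage(pdf: bytes) -> List[Dict]:
    """For each signature, report whether its signed spans reach the end of the file.

    A signature that ends before the last byte means data was appended after
    signing (an incremental update). A viewer still reports the signature as
    valid because the signed bytes are untouched, which is exactly what the
    Shadow Attack relies on; a reviewer should treat such a file as "signature
    valid, but the visible document may not be the one that was signed".
    """
    size = len(pdf)
    findings = []
    for a, b, c, d in signature_byte_ranges(pdf):
        signed_end = c + d
        findings.append({
            "byte_range": (a, b, c, d),
            "file_size": size,
            "covers_whole_file": a == 0 and signed_end == size,
            "trailing_bytes": size - signed_end,
            # every incremental update ends with its own %%EOF marker
            "updates_after_signature": pdf.count(b"%%EOF", signed_end),
            # heuristic only: optional content groups are one PDF mechanism
            # for "layers" whose visibility can change without editing them
            "optional_content_groups": pdf.count(b"/Type /OCG"),
        })
    return findings


def build_demo_pdf(append_update: bool) -> bytes:
    """Constructed sample, not a real signed PDF.

    Builds a signature dictionary whose ByteRange covers the file up to the
    first %%EOF, optionally followed by an incremental update that introduces a
    layer object. The ByteRange numbers are zero-padded to a fixed width so
    filling them in does not shift any offsets.
    """
    prefix_fmt = (b"%%PDF-1.7\n"
                  b"1 0 obj << /Type /Sig /Filter /Adobe.PPKLite "
                  b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 16 + b">"      # placeholder signature bytes
    rest = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    b = len(prefix_fmt % (0, 0, 0))         # first span: [0, b)
    c = b + len(contents)                    # second span starts after '>'
    d = len(rest)                            # ... and runs through %%EOF
    doc = (prefix_fmt % (b, c, d)) + contents + rest
    if append_update:
        # the shape a post-signing visibility change would take: a new object
        # and trailer appended after the signed region, signed bytes untouched
        doc += (b"2 0 obj << /Type /OCG /Name (second view layer) >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return doc


if __name__ == "__main__":
    for label, flag in (("as signed", False), ("with appended update", True)):
        for finding in check_signature_coverage(build_demo_pdf(flag)):
            print(label, finding)
```

On the constructed sample the first run reports `covers_whole_file` as true with zero trailing bytes, and the second reports it as false with one %%EOF after the signed region. Real signed PDFs routinely carry legitimate incremental updates (for example a second signer's signature), so a trailing region is a reason to inspect what it contains, not proof of tampering on its own.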




So, I can’t get there from here?
Garmin services and production go down after ransomware attack
Smartwatch and wearables maker Garmin has shut down several of its services on July 23 to deal with a ransomware attack that has encrypted its internal network and some production systems.
The incident didn't go unnoticed and has caused lots of headaches for the company's customers, most of which rely on the Garmin Connect service to sync data about runs and bike rides to Garmin's servers, all of which went down on Thursday.
But in addition to consumer wearables and sportswear, flyGarmin has also been down today. This is Garmin's web service that supports the company's line of aviation navigational equipment.
Pilots have told ZDNet today that they haven't been able to download a version of Garmin's aviation database on their Garmin airplane navigational systems. Pilots need to run an up-to-date version of this database on their navigation devices as an FAA requirement. Furthermore, the Garmin Pilot app, which they use to schedule and plan flights, was also down today, causing additional headaches.




I wonder how much they spent on security?
NY Charges First American Financial for Massive Data Leak
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.
As first reported here last year, First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.
The documents were available without authentication to anyone with a Web browser.
According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.
Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.
“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.
Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.




I would imagine that insurance companies are reluctant to insure against risks they can’t accurately forecast.
CISOs: Cyber Insurance Fails to Cover Modern Threats and Remote Workforces
A large majority of CISOs are seeking additional cyber insurance coverage because of an increase in vulnerabilities resulting from the work from home surge.
According to research by Arceo of 250 CISOs at companies with $250m to $2bn in annual revenue, over three-quarters (77%) said there are incidents they need coverage for, but are unable to get it. Also, 88% of respondents were not completely satisfied with the performance of their company’s primary insurance brokerage.
However, 96% want additional coverage, as they believe the security practices followed when working remotely are unlikely to be as stringent as those at the office, leading to a higher risk of attack. Those CISOs stated that cloud usage (49%), personal devices usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work from home period.




What is “appropriate transparency” in this context?
Intelligence community rolls out guidelines for ethical use of artificial intelligence
The U.S. intelligence community (IC) on Thursday rolled out an “ethics guide” and framework for how intelligence agencies can responsibly develop and use artificial intelligence (AI) technologies.
Among the key ethical requirements were shoring up security, respecting human dignity through complying with existing civil rights and privacy laws, rooting out bias to ensure AI use is “objective and equitable,” and ensuring human judgement is incorporated into AI development and use.
The IC wrote in the framework, which digs into the details of the ethics guide, that it was intended to ensure that use of AI technologies matches “the Intelligence Community’s unique mission purposes, authorities, and responsibilities for collecting and using data and AI outputs.”
Download a copy of the: AI Principles of Ethics for the IC
Download a copy of the: AI Ethics Framework for the IC




Future resource?
New Journal: AI and Ethics
A new interdisciplinary academic journal, AI and Ethics, aims to “promote informed debate and discussion of the ethical, regulatory, and policy implications that arise from the development of AI.”
The journal will “focus on how AI techniques, tools, and technologies are developing, including consideration of where these developments may lead in the future” and “provide opportunities for academics, scientists, practitioners, policy makers, and the public to consider how AI might affect our lives in the future, and what implications, benefits, and risks might emerge.”




Russia implements Reagan’s ‘Star Wars’ plan?
The US says Russia just tested an “anti-satellite weapon” in orbit
The US Space Command has announced it’s found evidence that Russia recently conducted a test of anti-satellite weapons, albeit one that did not destroy or harm any objects. SpaceCom claims that on July 15, Russian satellite Kosmos 2543 deployed a new object into its own orbit, similar to a previous anti-satellite demonstration in 2017.
What does that mean? A US SpaceCom spokesperson told MIT Technology Review that Kosmos 2543 had been operating “abnormally close” to a US government satellite in low Earth orbit, before it maneuvered away and over to another Russian satellite. Kosmos 2543 then released another object in proximity to the Russian target satellite. This test, SpaceCom says, is “inconsistent” with Kosmos 2543’s stated purpose as an “inspector satellite,” and is actually a demonstration of anti-satellite weaponry.



Thursday, July 23, 2020


We can’t imagine how to use facial recognition correctly (answering security and privacy concerns) so it’s much easier to ban it.
New York bans use of facial recognition in schools statewide
The New York legislature today passed a moratorium on the use of facial recognition and other forms of biometric identification in schools until 2022. The bill, which has yet to be signed by Governor Andrew Cuomo, comes in response to the launch of facial recognition by the Lockport City School District and appears to be the first in the nation to explicitly regulate or ban use of the technology in schools.




Interesting, but you would need to flood social media with ‘altered’ images (and only altered images) to make it work.
Fawkes: Digital Image Cloaking
Fawkes is a system for manipulating digital images so that they aren't recognized by facial recognition systems.
At a high level, Fawkes takes your personal images, and makes tiny, pixel-level changes to them that are invisible to the human eye, in a process we call image cloaking. You can then use these "cloaked" photos as you normally would, sharing them on social media, sending them to friends, printing them or displaying them on digital devices, the same way you would any other photo. The difference, however, is that if and when someone tries to use these photos to build a facial recognition model, "cloaked" images will teach the model a highly distorted version of what makes you look like you. The cloak effect is not easily detectable, and will not cause errors in model training. However, when someone tries to identify you using an unaltered image of you (e.g. a photo taken in public), and tries to identify you, they will fail.
Research paper.




I admit, this was not the first job I expected AI to take…
I Am a Model and I Know That Artificial Intelligence Will Eventually Take My Job
Shudu Gram is a striking South African model. She’s what fashion likes to call “one to watch,” with a Balmain campaign in 2018, a feature in Vogue Australia on changing the face of fashion, and a red carpet appearance at the 2019 BAFTAs in a custom Swarovski gown.
I’m also a model. I’m from Canada, although I live in New York City now. Unlike Shudu, who’s considered a “new face,” I’ve been in the business for almost five years. I am also a futurist; I spend a lot of time researching emerging technologies and educating young people about the future of work through my startup WAYE. Also unlike Shudu, I’m a real model, and by that I mean I’m a real person. Shudu’s not. She’s a 3D digital construction.




It’s obvious, isn’t it?
Gartner: Companies must reset their business strategy due to the COVID-19 pandemic
Gartner refers to "the reset" as three phases that leaders will go through during the pandemic. The duration of each phase varies by country, industry, and enterprise, as well as by business unit, product, or service. As business leaders reset their strategies during the pandemic, the three stages their organizations will experience are: Respond, recover and renew.




Tech for shut-ins.
Plex launches a live TV service with over 80 free channels, most available worldwide
Streaming media platform Plex announced today it’s further expanding into live TV with the addition of over 80 free live TV channels accessible by free users and subscribers alike. The company had already allowed consumers to capture and record live TV by way of a digital antenna and tuner connected to a Plex media server, but this had required investment in additional hardware and involved a more complicated setup process.
The new Live TV service, meanwhile, will offer easier access to a broad range of free content across categories like news, sports, film, classic TV, comedy, game shows, anime, kids, entertainment, esports, and more.



Wednesday, July 22, 2020


Managers, know thy systems! If you have or want a government contract…
Cyber Hygiene is the Key to CMMC Compliance Preparedness
The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, auditing process aims to create consistent cybersecurity practices for contractors that do business with the federal government—and protect the defense supply chain from security breaches.
Defense contractors will be required to prove they have—and they are using—the mandatory cyber practices to achieve each level of cyber maturity.
The challenge is that many contractors don’t have full visibility into their organization’s network and security, which leaves their networks—along with DOD networks—vulnerable to attacks. They need complete, continuous threat monitoring and visibility into all assets on the network—an increasingly complex goal in the internet of things, bring-your-own-device, and work-from-home world.


(Related)
Cybersecurity teams are struggling with a lack of visibility into key security controls
89% of security professionals are most concerned about phishing, web and ransomware attacks. This is especially alarming, considering that only 48% confirm that they have continuous visibility into the risk area of phishing, web and ransomware, a Balbix report reveals.




Managers, know the law!
FoxRothschild: U.S. States And Territories Data Breach Statutes (Updated)
Fox Rothschild’s Privacy and Data Security practice group maintains this searchable PDF document as well as the Data Breach 411 app to inform businesses of the breach notification statutes in each of the 50 states, Guam, Puerto Rico and the U.S. Virgin Islands, so they can better understand their rights, obligations and potential liability.
Download their free e-book.




Strong privacy is good security!
New Data Privacy Report Reveals Grim Numbers for Organizations With Poor Privacy Practices: An 80% Increase in the Chance of a Data Breach
In spite of a seemingly never-ending stream of high profile data breaches and hacks, a worrying number of organizations still feel that updating and optimizing privacy practices is a backburner item. A new study from data privacy compliance platform Osano provides some very sharp and eye-popping numbers to the contrary; sloppy privacy practices can be tied directly to an 80% increase in the likelihood of being breached.




I’m not concerned. My AI tells me it is trustworthy.
AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI
On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to mitigate those risks.




More summary than update.
Leading Law Enforcement Facial Recognition Provider Clearview AI Faces Joint International Privacy Investigation
With sales already halted in Canada due to an ongoing investigation by the country’s Office of the Privacy Commissioner, Clearview AI is facing additional global pressure as the United Kingdom and Australia open a joint privacy investigation into the facial recognition software provider.
The company had operated below the public’s radar for years before major social media platforms (such as Facebook and YouTube) took action against it for violating terms of service by scraping billions of photos of people from them to supply its facial recognition database.
Clearview AI faces developing issues in Europe as well. The European Data Protection Board, the body in charge of application of the EU’s General Data Protection Regulation (GDPR), declared in June that the company’s facial recognition technology is likely illegal under the data protection rules that all member states are subject to. Sweden’s data protection authority initiated a privacy investigation into the company in March.




Justice for Justin?
Justin Bieber Strikes a Brutal Blow to Internet Trolls Everywhere
Justin Bieber might have just struck a blow that ultimately leads to the death of the internet troll.
This isn’t the outcome anyone expected when two anonymous Twitter accounts accused Justin Bieber of sexual assault.
Like all claims of sexual misconduct, the Bieber allegations should have been – and thankfully, were – taken seriously.
It didn’t take long for the truth to start coming out. Bieber not only denied the charges but filed a full-on defamation lawsuit against the accusers. Based on the evidence his camp has provided, it seems likely the allegations are patently false.
The defamation lawsuit quickly hit a hurdle. The two “women” who accused him made the allegations using anonymous Twitter accounts. No one knows their real names – or if they are even women at all.
Justin Bieber’s lawyer, Evan N. Spiegel, asked Los Angeles Superior Court Judge Terry Green for permission to subpoena information about the accounts from Twitter:
We just want to uncover who is behind these two accounts, and it may be the same person.
The judge granted Bieber’s request.




A different perspective.
Want to buy a parrot? Please login via Facebook.
In Bangladesh, there is no Amazon. There is no eBay. If you want to buy a dress or a crested finch from the comfort of your home, you have to use Facebook.




Perspective.
Jeff Bezos hated ads — now Amazon is America's top advertiser
Amazon spent nearly $7 billion on U.S. advertising in 2019, making it the top ad spender in the country, according to a new analysis from Kantar featured in AdAge.
Total U.S. ad spending in 2019 (in millions):
Amazon: $6,879
Comcast Corp.: $6,142
AT&T: $5,484
Procter & Gamble: $4,281
Walt Disney Co.: $3,154
Alphabet (Google): $3,130
Verizon: $3,071
Charter Communications: $3,044
American Express: $2,990
General Motors Co.: $2,952




Who was that masked rider? (Certainly not Bob)
Google Map revamps its bike routes for easy riding
CNET – “To help people get around this summer in an eco-friendly — and healthy — way, Google Maps has added new features to its offerings for cyclists. Users can now access the most up-to-date bike routes generated by machine learning algorithms, as well as data from government authorities and community contributions. In addition, Google Maps now offers better end-to-end directions that include docked bikeshare program information. The docked bikeshare information will be available in 10 cities worldwide, including Chicago, New York and Washington DC in the US. Users can also access the new bikeshare information in London, Mexico City, Montreal, Rio De Janeiro, São Paulo, Taipei and New Taipei City…”




Tools. Did you take hand written notes before ‘everyone’ got a smartphone?
Convert Handwritten Notes Into Google Documents
This week my Practical Ed Tech Tip of the Week newsletter was about tools for digitizing physical notes. There are tools like CamScanner and Office Lens specifically made for that task. There are also tools that have the "hidden" capability to digitize physical notes. One of those tools is Google Drive.
When you snap a picture and upload it to Google Drive you can then have it converted into a Google Document that you can edit and share just like any other Google Doc. In the following video I demonstrate how easy it is to use Google Drive to convert physical notes into Google Docs.




Too stressful to read a real book?
The LibriVox Free Audiobook Collection
Internet Archive – “LibriVox – founded in 2005 – is a community of volunteers from all over the world who record public domain texts: poetry, short stories, whole books, even dramatic works, in many different languages. All LibriVox recordings are in the public domain in the USA and available as free downloads on the internet. If you are not in the USA, please check your country’s copyright law before downloading.”
“The Internet Archive is home to thousands of recordings from Librivox—an organization of volunteers that turns public domain texts into free audiobooks. Take a long drive and listen to classic novels such as Treasure Island, Little Women, or Frankenstein. Go on a hike while enjoying books about nature like Walden or The Call of the Wild. Or have a picnic while listening to poetry from the world’s greatest writers.”