Saturday, October 23, 2021

Computer Security just got more interesting.

https://www.cpomagazine.com/cyber-security/dhs-secretary-killware-malware-designed-to-do-real-world-harm-poised-to-be-worlds-next-breakout-cybersecurity-threat/

DHS Secretary: “Killware,” Malware Designed To Do Real-World Harm, Poised To Be World’s Next Breakout Cybersecurity Threat

Ransomware is the current king of the cybersecurity threat landscape, in part because of a demonstrated willingness by criminal groups to escalate to real-world damage to infrastructure. U.S. Department of Homeland Security Secretary Alejandro Mayorkas thinks that things are poised to go a step further in that direction in the very near future.

Referencing recent attacks on water treatment plants and hospitals, Mayorkas told USA Today that “killware” made to intentionally cause death is the next breakout cybersecurity threat. Research from Gartner backs up his speculation; the firm projects that within the next four years, threat actors will be weaponizing operational environments to harm and kill people.



Here we go again?

https://www.businessinsider.com/harvard-freshman-facetag-stokes-facial-recognition-debate-tiktok-mark-zuckerberg-2021-10

A Harvard freshman made a social networking app called 'The FaceTag.' It's sparked a debate about the ethics of facial recognition.

Harvard freshman Yuen Ler Chow created an app in his dorm room that lets students sign up, scan the face of another user, and exchange contact information like phone numbers and Instagram handles. Right now, it's only available at Harvard. Chow calls it, "The FaceTag."

When a person first makes a FaceTag profile, the app scans their face and extracts points and measurements. That information is saved, Chow said, but not the image itself. If you scan the face of someone who hasn't signed up for The FaceTag, it won't work. But if they are signed up, too, the app will make a match.



I’m shocked! Shocked, I tell you!

https://www.pogowasright.org/a-look-at-what-isps-know-about-you-examining-the-privacy-practices-of-six-major-internet-service-providers/

A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers

Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used, according to an FTC staff report on ISPs’ data collection and use practices.

The staff report, which details the expanding scope and some troubling aspects of some ISP data collection practices, stems from orders the FTC issued in 2019 using its authority under 6(b) of the FTC Act to six internet service providers, which make up about 98 percent of the mobile Internet market:
    • AT&T Mobility LLC;
    • Cellco Partnership, which does business as Verizon Wireless;
    • Charter Communications Operating LLC;
    • Comcast Cable Communications, which does business as Xfinity;
    • T-Mobile US Inc.; and
    • Google Fiber Inc.

The FTC also issued orders to three advertising entities affiliated with these ISPs: AT&T’s Appnexus Inc., rebranded as Xandr; Verizon’s Verizon Online LLC; and Oath Americas Inc., rebranded as Verizon Media. The FTC sought information on their data collection and use practices, as well as any tools provided to consumers to control these practices.

As noted in the report, these companies have evolved into technology giants who offer not just internet services but also provide a range of other services including voice, content, smart devices, advertising, and analytics—which has increased the volume of information they are capable of collecting about their customers. The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third parties.

At the same time, the report found the privacy protections many of the companies offer raised several concerns. Even though several of the ISPs promise not to sell consumers’ personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in the fine print of their privacy policies. For example, several news outlets noted that subscribers’ real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent, according to the report.

Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data. The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information. In addition, while several of the ISPs promise to only keep the data for as long as needed for business purposes, the definition of what constitutes a “business purpose” varies widely among the companies.

The report concludes that many of the ISPs’ data collection and use practices mirror problems identified in other industries and underscore the importance of restricting data collection and use.

The Commission voted 4-0 to approve and issue the report. Staff presented findings from the report at Wednesday’s open virtual Commission meeting. Chair Lina M. Khan issued a separate statement on the report.

Source: FTC

Related: Text of the FTC Staff Report (4.86 MB)



How a simple failure creates a FERPA kerfuffle.

https://www.databreaches.net/ohio-state-university-email-gaffe-creates-a-ferpa-breach/

Ohio State University email gaffe creates a FERPA breach

An email gaffe due to not using bcc: instead of cc: or TO: revealed almost 400 Ohio State University students’ disability status to other students. Read the story on The Lantern.

Note that this is a FERPA issue, and there really is no requirement for breach notification to those impacted, but the unintended disclosure needs to be noted in their education records/file.
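As an added example (not from the story or The Lantern), a small Python guard that catches the cc-instead-of-bcc mistake before a bulk notice leaves the organisation. The sample message, the visible-recipient threshold and the idea of running this at a mail submission hook are assumptions.

```python
"""Outbound-mail guard for the cc-instead-of-bcc disclosure.

Assumed (not from the article): the message is available as an RFC 5322
message before it is sent, and a notice with more than VISIBLE_LIMIT
recipients visible in To:/Cc: is treated as a likely disclosure.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

VISIBLE_LIMIT = 5  # assumed policy threshold; bulk notices belong in Bcc

# Constructed sample: a sensitive notice whose recipients were put in To:/Cc:
SAMPLE_RAW = b"""From: disability-services@example.edu
To: s1@example.edu, s2@example.edu, s3@example.edu
Cc: s4@example.edu, s5@example.edu, s6@example.edu, s7@example.edu
Subject: Accommodation update
Content-Type: text/plain; charset=utf-8

Hello, your updated accommodation letter is attached.
"""


def parse_message(raw):
    """Parse raw bytes into an EmailMessage using the modern header policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def _addresses(values):
    return [addr for _, addr in getaddresses([str(v) for v in values]) if addr]


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To: and Cc:."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def bcc_recipients(msg):
    """Addresses hidden from other recipients (Bcc: is stripped on delivery)."""
    return _addresses(msg.get_all("Bcc", []))


def check_visible_disclosure(msg, limit=VISIBLE_LIMIT):
    """Return (violates, count): True when too many recipients are visible."""
    count = len(visible_recipients(msg))
    return count > limit, count


def rewrite_to_bcc(msg):
    """Return a copy with every visible recipient moved to Bcc:.

    To: is pointed back at the sender so the header stays non-empty.
    The submission agent reads Bcc: for the envelope and strips it before
    delivery, so recipients can no longer see each other.
    """
    recipients = visible_recipients(msg)
    fixed = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        lname = name.lower()
        # Drop recipient headers and Content-* headers; set_content rebuilds
        # the latter from the body below.
        if lname in ("to", "cc", "bcc") or lname.startswith("content-"):
            continue
        fixed[name] = str(value)
    fixed["To"] = str(msg["From"])
    fixed["Bcc"] = ", ".join(recipients)
    fixed.set_content(msg.get_content())
    return fixed


if __name__ == "__main__":
    original = parse_message(SAMPLE_RAW)
    violates, count = check_visible_disclosure(original)
    print(f"visible recipients: {count}, blocked: {violates}")
    if violates:
        safe = rewrite_to_bcc(original)
        print(f"after rewrite, visible: {len(visible_recipients(safe))}, "
              f"bcc: {len(bcc_recipients(safe))}")
```

A real deployment would reject or quarantine the message rather than silently rewriting it, so the sender learns what happened.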



Is ‘ethical AI’ useful in a war?

https://www.nato.int/cps/en/natohq/news_187934.htm

NATO releases first-ever strategy for Artificial Intelligence

On Thursday (21 October 2021), NATO Defence Ministers agreed to NATO’s first-ever strategy for Artificial Intelligence (AI).

A summary of the strategy is available here.

The strategy outlines how AI can be applied to defence and security in a protected and ethical way. As such, it sets standards of responsible use of AI technologies, in accordance with international law and NATO’s values. It also addresses the threats posed by the use of AI by adversaries and how to establish trusted cooperation with the innovation community on AI.



Who will be the first to use?

https://news.usni.org/2021/10/22/report-to-congress-on-emerging-military-technologies-3

Report to Congress on Emerging Military Technologies

Members of Congress and Pentagon officials are increasingly focused on developing emerging military technologies to enhance U.S. national security and keep pace with U.S. competitors. The U.S. military has long relied upon technological superiority to ensure its dominance in conflict and to underwrite U.S. national security. In recent years, however, technology has both rapidly evolved and rapidly proliferated—largely as a result of advances in the commercial sector. As former Secretary of Defense Chuck Hagel observed, this development has threatened to erode the United States’ traditional sources of military advantage.

Download the document here.


(Related)

https://www.axios.com/ai-future-united-states-military-9ea3766b-e415-4fb6-adf0-5366a79b58db.html

How AI is rising up the ranks of the military

The National Counterintelligence and Security Center said in a new paper published Friday that China and Russia are using legal and illegal methods to undermine and overtake U.S. dominance in critical industries including AI and autonomous systems.



Another example of “the rules don’t apply to me.” Neither does reality.

https://www.theverge.com/2021/10/22/22740354/trump-truth-social-network-spac-mastodon-license-software-freedom-conservancy?scrolla=5eb6d68b7fedc32c19ef33b4

Trump’s social network has 30 days to stop breaking the rules of its software license

The Software Freedom Conservancy (SFC) says former President Donald Trump’s new social network violated a free and open-source software licensing agreement by ripping off decentralized social network Mastodon. The Trump Media and Technology Group (TMTG) has 30 days to comply with the terms of the license before its access is terminated — forcing it to rebuild the platform or face legal action.

TMTG launched a special purpose acquisition company fundraising effort yesterday with promises to build a sweeping media empire. Its only product so far is a social network called Truth Social that appears strongly to be forked from Mastodon. While anyone can freely reuse Mastodon’s code (and groups like right-wing social network Gab have already done so), they still have to comply with the Affero General Public License (or AGPLv3) that governs that code, and its conditions include offering their own source code to all users.

Truth Social doesn’t comply with that license and, in fact, refers to its service as “proprietary.” Its developers apparently attempted to scrub references that would make the Mastodon connection clear — at one point listing a “sighting” of the Mastodon logo as a bug — but included direct references to Mastodon in the site’s underlying HTML alongside obvious visual similarities.


Friday, October 22, 2021

How can you confirm/control third party security?

https://www.databreaches.net/44-of-healthcare-and-pharmaceutical-organizations-have-experienced-a-data-breach-caused-by-a-third-party-in-the-last-12-months/

44% of Healthcare and Pharmaceutical Organizations Have Experienced a Data Breach Caused By a Third Party in the Last 12 Months

SecureLink, a leader in critical access management, has released a new report titled “A Matter of Life And Death: The State of Critical Access Management in Healthcare,” revealing that third-party attacks in healthcare are on the rise and fundamentally threaten not just highly sensitive medical data, but patient care.

The report, which includes data from research conducted in partnership with Ponemon Institute, reveals that within the last year, 44% of healthcare and pharmaceutical organizations experienced a data breach caused by a third party – posing compliance, reputational, and financial risks.

Read more of the SecureLink press release. Obviously there is a self-serving element to their report and release, but it highlights an important issue: the prevalence of breaches in the healthcare sector that involve third-parties.



Brilliant, but unlikely.

https://www.databreaches.net/why-not-hold-ransomware-attackers-hostage-for-a-change/

Why Not Hold Ransomware Attackers Hostage for a Change?

Mark Rasch writes about a fourth option for ransomware victims in terms of response:

what happens in the case where you are able to identify—either by name, location, computer, IP address, MAC address or otherwise—the individual(s) responsible for the ransomware, extortionware or electronic demand for payment? Right now, a ransomware victim has few options. One: Pay the ransom. Two: Don’t pay the ransom and restore/rebuild. Or, three: Choose option one or two but work with law enforcement in the hope that the perpetrator will be caught and prosecuted. The real-world law offers another option. A form of self-help, you could say. Why not ransomware the ransomware purveyors?

Read more on Security Boulevard.

[From the article:

In many cases, the law permits what is called “prejudgement attachment.” In a prejudgement attachment, a litigant making a claim against a person, property or money can—with appropriate supervision—simply “take” the thing they want pending the ultimate outcome of the case. This is particularly true where the item will tend to dissipate or was obtained by fraud.



You wrote the algorithm, why don’t you know how it works? (Perhaps it’s not the algorithm at all…)

https://www.protocol.com/policy/twitter-algorithm-right-wing-bias

Twitter’s own research shows that it’s a megaphone for the right. But it’s complicated.

Twitter is publicly sharing research findings today that show that the platform's algorithms amplify tweets from right-wing politicians and content from right-leaning news outlets more than people and content from the political left.

The research did not identify whether or not the algorithms that run Twitter's Home feed are actually biased toward conservative political content, because the conclusions only show bias in amplification, not what caused it. Rumman Chowdhury, the head of Twitter's machine learning, ethics, transparency and accountability team, called it "the what, not the why" in an interview with Protocol.

"We can see that it is happening. We are not entirely sure why it is happening."



Privacy in a place you have to ‘open up.’

https://themarkup.org/blacklight/2021/10/21/nonprofit-websites-are-riddled-with-ad-trackers

Nonprofit Websites Are Riddled With Ad Trackers

Such organizations often deal in sensitive issues, like mental health, addiction, and reproductive rights—and many are feeding data about website visitors to corporations

Last year, nearly 200 million people visited the website of Planned Parenthood, a nonprofit that many people turn to for very private matters like sex education, access to contraceptives, and access to abortions. What those visitors may not have known is that as soon as they opened plannedparenthood.org, some two dozen ad trackers embedded in the site alerted a slew of companies whose business is not reproductive freedom but gathering, selling, and using browsing data.

The Markup ran Planned Parenthood’s website through our Blacklight tool and found 28 ad trackers and 40 third-party cookies tracking visitors, in addition to so-called “session recorders” that could be capturing the mouse movements and keystrokes of people visiting the homepage in search of things like information on contraceptives and abortions. The site also contained trackers that tell Facebook and Google if users visited the site.

The Markup’s scan found Planned Parenthood’s site communicating with companies like Oracle, Verizon, LiveRamp, TowerData, and Quantcast—some of which have made a business of assembling and selling access to masses of digital data about people’s habits. 



Learning how to “Privacy.”

https://www.cpomagazine.com/data-privacy/new-iapp-ey-privacy-governance-report-shows-rising-concerns-about-cross-border-data-transfers-widespread-adoption-of-sccs/

New IAPP-EY Privacy Governance Report Shows Rising Concerns About Cross-Border Data Transfers, Widespread Adoption of SCCs

The annual Privacy Governance Report from researchers at IAPP and EY focuses on the ongoing COVID-19 pandemic and its impact on privacy professions. But it also examines at least one seismic event that has had nearly as much impact on companies doing business in the EU: the Schrems II decision and the resulting complications it has created for data transfers to the United States.

The report finds that the majority of privacy professionals are having to deal with the Schrems decision, and that the most common strategy by far is the use of standard contractual clauses (SCCs) and third countries in the data transfer chain.



Keeping an eye on AI.

https://venturebeat.com/2021/10/21/ai-driven-strategies-are-becoming-mainstream-survey-finds/

AI-driven strategies are becoming mainstream, survey finds

Deloitte today released the fourth edition of its State of AI in the Enterprise report, which surveyed 2,857 business decision-makers between March and May 2021 about their perception of AI technologies. Few organizations claim to be completely AI-powered, the responses show, but a significant percentage are beginning to adopt practices that could get them there.

In the survey, Deloitte explored the transformations happening inside firms applying AI and machine learning to drive value. During the pandemic, digitization efforts prompted many companies to adopt AI-powered solutions to back-office and customer-facing challenges. A PricewaterhouseCoopers whitepaper found that 52 percent of companies have accelerated their AI adoption plans, with global spending on AI systems set to jump from $85.3 billion in 2021 to over $204 billion in 2025, according to IDC.

https://www2.deloitte.com/content/dam/insights/articles/US144384_CIR-State-of-AI-4th-edition/DI_CIR-State-of-AI-4th-edition.pdf


(Related) Another view.

https://venturebeat.com/2021/10/21/gartners-list-of-top-tech-initiatives-for-2022-focuses-on-cloud-native-platforms/

Gartner’s list of top tech initiatives for 2022

Gartner released its annual list of top strategic technology trends this week, projecting that 2022 will keep enterprise executives busy with new developments in everything from artificial intelligence to cybersecurity.

While much of this tech is centered on greater automation and even autonomy in data systems, there are also some outliers in areas like mesh networks and application-level composability.



Perspective.

https://www.cnbc.com/2021/10/22/palantirs-peter-thiel-surveillance-ai-is-more-concerning-than-agi.html

Palantir’s Peter Thiel thinks people should be concerned about surveillance AI

Tech billionaire Peter Thiel believes that people should be more worried about “surveillance AI” rather than artificial general intelligences, which are hypothetical AI systems with superhuman abilities.

The venture capitalist, who co-founded big data firm Palantir, said at an event in Miami on Wednesday that on the path to AGI, you get surveillance AI, which he described as a “communist totalitarian technology.”

Those that are worried about AGI aren’t actually “paying attention to the thing that really matters,” Thiel said, adding that governments will use AI-powered facial recognition technology to control people.

His comments come three years after Bloomberg reported that “Palantir knows everything about you.”



Perspective.

https://www.bbc.com/news/technology-59008812

Tech Tent: The world in 2031

This week Tech Tent gets out its crystal ball and asks some big thinkers to work out what the world will look like a decade from now.

Listen to the latest Tech Tent podcast on BBC Sounds



Don’t ya hate it when you have to re-think everything? Available Nov 9th

https://www.theatlantic.com/magazine/archive/2021/11/graeber-wengrow-dawn-of-everything-history-humanity/620177/

Human History Gets a Rewrite

It is also, according to Graeber and Wengrow, completely wrong. Drawing on a wealth of recent archaeological discoveries that span the globe, as well as deep reading in often neglected historical sources (their bibliography runs to 63 pages), the two dismantle not only every element of the received account but also the assumptions that it rests on. Yes, we’ve had bands, tribes, cities, and states; agriculture, inequality, and bureaucracy, but what each of these were, how they developed, and how we got from one to the next—all this and more, the authors comprehensively rewrite. More important, they demolish the idea that human beings are passive objects of material forces, moving helplessly along a technological conveyor belt that takes us from the Serengeti to the DMV. We’ve had choices, they show, and we’ve made them. Graeber and Wengrow offer a history of the past 30,000 years that is not only wildly different from anything we’re used to, but also far more interesting: textured, surprising, paradoxical, inspiring.

The Dawn of Everything: A New History of Humanity



Sign away everything.

https://dilbert.com/strip/2021-10-22


Thursday, October 21, 2021

Is a programming language a hacking tool? How about software to detect security weaknesses?

https://gizmodo.com/the-u-s-wants-to-crack-down-on-sales-of-commercial-hac-1847904305

The U.S. Wants to Crack Down on Sales of Commercial Hacking Tools for Obvious Reasons

After a slew of hacking scandals involving private surveillance companies, the U.S. is looking to impose new restrictions on the sale of commercial hacking tools—in the hopes of clamping down on abuse perpetuated by the industry.

On Wednesday, the Commerce Department announced a rule change that will put new limitations on the resale or export of “certain items that can be used for malicious cyber activities.” This applies to tools used to infiltrate digital systems and conduct surveillance—such as the notorious commercial spyware, Pegasus —as well as other hacking and “intrusion” software, the Washington Post first reported. The rule, which has reportedly been in development for years, will be put into effect in 90 days.

While the intricacies of the new 65-page rule are somewhat thorny, the biggest result is a new license requirement for American companies that want to sell hacking tools to countries “of national security or weapons of mass destruction concern,” as well as to “countries subject to a U.S. arms embargo,” the Commerce Department’s announcement says.



The new world order. Familiar technology vs. those incomprehensible idiots in Washington? Who do you trust? Who had responses ready and the will to use them?

https://www.foreignaffairs.com/articles/world/2021-10-19/ian-bremmer-big-tech-global-order

The Technopolar Moment

How Digital Powers Will Reshape the Global Order

After rioters stormed the U.S. Capitol on January 6, some of the United States’ most powerful institutions sprang into action to punish the leaders of the failed insurrection. But they weren’t the ones you might expect. Facebook and Twitter suspended the accounts of President Donald Trump for posts praising the rioters. Amazon, Apple, and Google effectively banished Parler, an alternative to Twitter that Trump’s supporters had used to encourage and coordinate the attack, by blocking its access to Web-hosting services and app stores. Major financial service apps, such as PayPal and Stripe, stopped processing payments for the Trump campaign and for accounts that had funded travel expenses to Washington, D.C., for Trump’s supporters.

The speed of these technology companies’ reactions stands in stark contrast to the feeble response from the United States’ governing institutions. Congress still has not censured Trump for his role in the storming of the Capitol. Its efforts to establish a bipartisan, 9/11-style commission failed amid Republican opposition. Law enforcement agencies have been able to arrest some individual rioters—but in many cases only by tracking clues they left on social media about their participation in the fiasco.

States have been the primary actors in global affairs for nearly 400 years. That is starting to change, as a handful of large technology companies rival them for geopolitical influence. The aftermath of the January 6 riot serves as the latest proof that Amazon, Apple, Facebook, Google, and Twitter are no longer merely large companies; they have taken control of aspects of society, the economy, and national security that were long the exclusive preserve of the state. The same goes for Chinese technology companies, such as Alibaba, ByteDance, and Tencent. Nonstate actors are increasingly shaping geopolitics, with technology companies in the lead. And although Europe wants to play, its companies do not have the size or geopolitical influence to compete with their American and Chinese counterparts.



Maturity models provide a good outline for thinking about improvement…

https://www.zdnet.com/article/ai-ethics-maturity-model/

AI ethics maturity model: A company guide

How to develop a maturity model for building an ethical and responsible AI practice.



All you have to get right is the hardest part.

https://techxplore.com/news/2021-10-machine-fair-accurate.html

How machine learning can be fair and accurate

Carnegie Mellon University researchers are challenging a long-held assumption that there is a trade-off between accuracy and fairness when using machine learning to make public policy decisions.

As the use of machine learning has increased in areas such as criminal justice, hiring, health care delivery and social service interventions, concerns have grown over whether such applications introduce new or amplify existing inequities, especially among racial minorities and people with economic disadvantages. To guard against this bias, adjustments are made to the data, labels, model training, scoring systems and other aspects of the machine learning system. The underlying theoretical assumption is that these adjustments make the system less accurate.

"You actually can get both. You don't have to sacrifice accuracy to build systems that are fair and equitable," Ghani said. "But it does require you to deliberately design systems to be fair and equitable. Off-the-shelf systems won't work."

Kit T. Rodolfa et al, Empirical observation of negligible fairness–accuracy trade-offs in machine learning for public policy, Nature Machine Intelligence (2021). DOI: 10.1038/s42256-021-00396-x

Journal information: Nature Machine Intelligence



How would you redesign a university to take advantage of these new technologies?

https://theconversation.com/future-of-college-will-involve-fewer-professors-166394

Future of college will involve fewer professors



Can’t hurt…

https://www.makeuseof.com/useful-web-tools-student-should-use/

5 Useful Web Tools Every Student Should Use


Wednesday, October 20, 2021

Also, take advantage of the employees you are paying all that tuition money for. Talk to their Computer Security instructor and see what projects you can guide.

https://threatpost.com/guide-cyberintelligence-restricted-budget/175574/

A Guide to Doing Cyberintelligence on a Restricted Budget

In a recent SANS 2021 survey, “Threat Hunting In Uncertain Times,” we were shown that 11 percent of organizations have had their threat-hunting and intelligence programs impacted by the pandemic, with 12 percent of the organizations polled stopping their hunting programs altogether. With ransomware affiliate actions on the rise and organizations constantly under the target of business email compromise (BEC) scams, this is a horrible time to be stuck with a shrinking budget.

In light of this, we’re going to go through some broad suggestions and checklists for how to do 80 percent of what you need to do on the cyberintelligence front, at just 20 percent of the typical cost for an enterprise program.



Do you have cameras in your home?

https://www.pogowasright.org/woman-finds-amazon-has-thousands-of-recordings-of-her-all-from-home-devices/

Woman finds Amazon has thousands of recordings of her – all from home devices

John Bett reports:

A woman was shocked to discover how much information Amazon had collected on her from just a few devices – and created a video to share the shocking truth with others.

TikTok star @my.data.not.yours uploaded a clip for her fans documenting all the information that the tech giant had collected about her.

Read more on The Mirror.



Curious. Is this likely to change Facebook’s strategy going forward?

https://www.pogowasright.org/zuckerberg-to-be-added-to-facebook-privacy-suit/

Zuckerberg to Be Added to Facebook Privacy Suit

Cecilia Kang reports:

The attorney general for the District of Columbia plans to add Facebook’s chief executive, Mark Zuckerberg, to a consumer protection lawsuit, in one of the first efforts by a regulator to expose him personally to potential financial and other penalties.
The attorney general, Karl Racine, said on Tuesday that continuing interviews and reviews of internal documents for the case had revealed that Mr. Zuckerberg played a much more active role in key decisions than prosecutors had known.
The complaint against Facebook was filed in December 2018 in the Superior Court of the District of Columbia. The suit alleges that Facebook misled consumers about privacy on the platform by allowing Cambridge Analytica, a political consulting firm, to obtain sensitive data from more than 87 million users, including more than half the district’s residents.

Read more on New York Times.



Thinking about data...

https://www.technologyreview.com/2021/10/16/1037303/in-unpredictable-times-a-data-strategy-is-key/

In unpredictable times, a data strategy is key

According to the survey, the most common value companies are hoping to take advantage of is smarter decision-making (79%). They also want to more deeply understand their customers and industry trends (61%), provide better services and products (42%), and implement more efficient internal operations (33%).

Companies also learned valuable lessons about the importance of data as they struggled to stay competitive during the pandemic. Roughly four out of 10 survey respondents, for example, report that they need to look at more sources of data, including demographic, geospatial, and competitor information. More than a third (37%) are evaluating machine learning and analytics—technologies essential to extract critical insights from their data. And 34% need help acting on the vast sums of data they gather and process.

Download the full report.



This adds several steps that must be documented and explained. Is it worth the added complications?

https://sloanreview.mit.edu/article/the-real-deal-about-synthetic-data/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+mitsmr+%28MIT+Sloan+Management+Review%29

The Real Deal About Synthetic Data

Synthetic data is artificially generated by an AI algorithm that has been trained on a real data set. It has the same predictive power as the original data but replaces it rather than disguising or modifying it. The goal is to reproduce the statistical properties and patterns of an existing data set by modeling its probability distribution and sampling it out. The algorithm essentially creates new data that has all of the same characteristics of the original data — leading to the same answers. However, crucially, it’s virtually impossible to reconstruct the original data (think personally identifiable information) from either the algorithm or the synthetic data it has created.



Motivation is a two edged sword?

https://dilbert.com/strip/2021-10-20