Saturday, February 05, 2022

Hacking for insider information?

https://www.databreaches.net/news-corp-says-it-was-hacked-believed-to-be-linked-to-china/

News Corp says it was hacked; believed to be linked to China

Eric Tucker and Frank Bajak report:

News Corp, publisher of The Wall Street Journal, said Friday that it had been hacked and had data stolen from journalists and other employees, and a cybersecurity firm investigating the intrusion said Chinese intelligence-gathering was believed behind the operation.
The news company, whose publications and businesses include the New York Post and WSJ parent Dow Jones, said it discovered the breach on Jan. 20.

Read more at TechXPlore.



Because individual computers are easier?

https://www.databreaches.net/a-look-at-the-new-sugar-ransomware-demanding-low-ransoms/

A look at the new Sugar ransomware demanding low ransoms

Lawrence Abrams reports:

A new Sugar Ransomware operation actively targets individual computers, rather than corporate networks, with low ransom demands.
First discovered by the Walmart Security Team, ‘Sugar’ is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but has slowly been picking up speed.
The name of the ransomware is based on the operation’s affiliate site discovered by Walmart at ‘sugarpanel[.]space’.

Read more at BleepingComputer.



Another voice?

https://www.defense.gov/News/News-Stories/Article/Article/2923986/new-dod-chief-digital-artificial-intelligence-office-launches/

New DOD Chief Digital Artificial Intelligence Office Launches

The Defense Department must become a digital and artificial intelligence-enabled enterprise capable of operating at the speed and scale necessary to preserve its military advantage, according to a memorandum issued by Deputy Secretary of Defense Kathleen H. Hicks.

The memorandum, published on defense.gov, outlines how the chief digital and artificial intelligence officer, or CDAO, is charged with making sure DOD supports such an enterprise. John Sherman, DOD chief information officer, will serve as the acting chief digital and artificial intelligence officer until the position is filled permanently.



Summary.

https://www.pogowasright.org/jump-in-facial-and-voice-recognition-raises-privacy-cybersecurity-civil-liberty-concerns/

Jump in Facial and Voice Recognition Raises Privacy, Cybersecurity, Civil Liberty Concerns

Joseph J. Lazzarotti, Jason C. Gavejian, and Jody Kahn Mason of JacksonLewis write:

Facial recognition, voiceprint, and other biometric-related technology are booming, and they continue to infiltrate different facets of everyday life. The technology brings countless potential benefits, as well as significant data privacy and cybersecurity risks.
Whether it is facial recognition technology being used with COVID-19 screening tools and in law enforcement, continued use of fingerprint-based time management systems, or the use of various biometric identifiers such as voiceprint for physical security and access management, applications in the public and private sectors involving biometric identifiers and information continue to grow … so do concerns about the privacy and security of that information and civil liberties. Over the past few years, significant compliance and litigation risks have emerged that factor heavily into the deployment of biometric technologies, particularly facial recognition. This is particularly the case in Illinois under the Biometric Information Privacy Act (BIPA).

Read our Special Report which discusses these concerns and the growing legislating activity. You can also access our Biometric Law Map.



Coming soon to the US?

https://www.cnbc.com/2022/02/04/britain-beefs-up-online-safety-bill-with-new-criminal-offences.html

Britain takes aim at online fraud, revenge porn with beefed-up rules for Big Tech

The U.K. government has updated proposals to regulate online platforms with new criminal offences to tackle fraud and revenge porn.

Britain’s landmark Online Safety Bill seeks to combat the spread of harmful and illegal content on social media sites including Facebook, Instagram, YouTube, Twitter and TikTok.

Late last year, lawmakers wrapped up an inquiry into how online platforms deal with such material, concluding the government should add more offences to the scope of the law, such as self harm, racial abuse and scam advertising.

The government said Friday that the bill will now include extra-priority provisions outlawing content that features revenge porn, drug and weapons dealing, suicide promotion and people smuggling, among other offences.

It will also target individuals who send online abuse and threats, with criminal sentences ranging up to five years.


(Related) They keep trying.

https://www.schneier.com/blog/archives/2022/02/the-earn-it-act-is-back.html

The EARN IT Act Is Back

Senators have reintroduced the EARN IT Act, requiring social media companies (among others) to administer a massive surveillance operation on their users:

A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.

Slashdot thread.



Perspective. Am I missing out? Just because I own it, doesn’t make it valuable.

https://www.theatlantic.com/technology/archive/2022/02/future-internet-blockchain-investment-banking/621480/?scrolla=5eb6d68b7fedc32c19ef33b4

The Internet Is Just Investment Banking Now

The internet has always financialized our lives. Web3 just makes that explicit.

Twitter has begun allowing its users to showcase NFTs, or non-fungible tokens, as profile pictures on their accounts. It’s the latest public victory for this form of … and, you know, there’s the problem. What the hell is an NFT anyway?

There are answers. Twitter calls NFTs “unique digital items, such as artwork, with proof of ownership that’s stored on a blockchain.” In marketing for the new feature, the company offered an even briefer take: “digital items that you own.” That promise, mated to a flood of interest and wealth in the cryptocurrency markets used to exchange them, has created an NFT gold rush over the past year. Last March, the artist known as Beeple sold an NFT at auction for $69.5 million. The digital sculptor Refik Anadol, one of the artists The Atlantic commissioned to imagine a COVID-19 memorial in 2020, has brought in millions selling editions of his studio’s work in NFT form. Jonathan Mann, who started writing a song every day when he couldn’t find a job after the 2008 financial collapse, began selling those songs as NFTs, converting a fun internet hobby into a viable living.



For the faculty.

https://www.makeuseof.com/best-platforms-to-start-online-tutoring-career/

The 8 Best Platforms to Start a Successful Online Tutoring Career

Are you looking to start your own online tutoring career? Here are some of the best platforms that'll help you to get started.



Thinking about computers…

https://spectrum.ieee.org/on-beyond-moores-law-4-new-laws-of-computing

Moore’s Not Enough: 4 New Laws of Computing

Moore’s and Metcalfe’s conjectures are taught in classrooms every day—these four deserve consideration, too

I teach technology and information-systems courses at Northeastern University, in Boston. The two most popular laws that we teach there—and, one presumes, in most other academic departments that offer these subjects—are Moore’s Law and Metcalfe’s Law. Moore’s Law, as everyone by now knows, predicts that the number of transistors on a chip will double every two years. One of the practical values of Intel cofounder Gordon Moore’s legendary law is that it enables managers and professionals to determine how long they should keep their computers. It also helps software developers to anticipate, broadly speaking, how much bigger their software releases should be.

Metcalfe’s Law is similar to Moore’s Law in that it also enables one to predict the direction of growth for a phenomenon. Based on the observations and analysis of Robert Metcalfe, co-inventor of the Ethernet and pioneering innovator in the early days of the Internet, he postulated that the value of a network would grow proportionately to the number of its users squared.

Law 1. Yule’s Law of Complementarity

If two attributes or products are complements, the value/demand of one of the complements will be inversely related to the price of the other complement.

Law 2. Hoff’s Law of Scalability

The potential for scalability of a technology product is inversely proportional to its degree of customization and directly proportional to its degree of standardization.

Law 3. Evans’s Law of Modularity

The inflexibilities, incompatibilities, and rigidities of complex and/or monolithically structured technologies could be simplified by the modularization of the technology structures (and processes).

Law 4. The Law of Digitiplication

The law of digitiplication stipulates that whenever a resource or process is digitalized, its potential value grows in a multiplicative manner.



For my hackers.

https://www.darkreading.com/careers-and-people/want-to-be-an-ethical-hacker-here-s-where-to-begin

Want to Be an Ethical Hacker? Here's Where to Begin

By utilizing these resources, beginner hackers can find their specific passions within the cybersecurity space and eventually make their own mark in the ethical hacking profession.


(Related) Just like real hacking!

https://www.makeuseof.com/ethical-hacking-steps/

What Are the 5 Steps of Ethical Hacking?

Ethical hacking is not a contradiction; some people use their evil-genius skills to help improve security, and here’s how they do it.



Friday, February 04, 2022

The next frontier that we need to tame.

https://thenextweb.com/news/metaverse-needs-laws-protect-users-data

The metaverse needs laws to protect users and data

The “metaverse” seems to be the latest buzzword in tech. In general terms, the metaverse can be viewed as a form of cyberspace. Like the internet, it’s a world – or reality, even – beyond our physical world on Earth.

The difference is that the metaverse allows us to immerse a version of ourselves as avatars in its environment, usually through augmented reality (AR) or virtual reality (VR), which people are and will increasingly be able to access using tools like VR goggles.

While it all seems very exciting, a curious lawyer like me is inclined to ask: who or what governs the metaverse? The way I see it, there are three key areas that, at this stage, are legally murky.

1. A boundless marketplace

2. Data

3. User interactions



This could be useful if the results are timely and can lead to Best Practices.

https://www.wsj.com/articles/biden-administration-forms-cybersecurity-review-board-to-probe-failures-11643898601?mod=djemalertNEWS

Biden Administration Forms Cybersecurity Review Board to Probe Failures

The Biden administration has formed a panel of senior administration officials and private-sector experts to investigate major national cybersecurity failures, and it will probe as its first case the recently discovered Log4j internet bug, officials said.

The new Cyber Safety Review Board is tasked with examining significant cybersecurity events that affect government, business and critical infrastructure. It will publish reports on security findings and recommendations, officials said. Details of the board will be announced Thursday.

The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments and other transportation accidents.


(Related)

https://thehackernews.com/2022/02/cynet-log4shell-webinar-thorough-and.html

Cynet Log4Shell Webinar: A Thorough - And Clear - Explanation

Most security practitioners are now aware of the Log4Shell vulnerability discovered toward the end of 2021. No one knows how long the vulnerability existed before it was discovered. The past couple of months have had security teams scrambling to patch the Log4Shell vulnerability found in Apache Log4j, a Java library widely used to log error messages in applications. Beyond patching, it's helpful and instructive for security practitioners to have a deeper understanding of this most recent critical vulnerability.

Fortunately, Cynet Senior Security Researcher Igor Lahav is hosting a webinar [Register here ] to provide "buzzword free" insights into Log4Shell. Based on a webinar preview provided by Cynet, the discussion will cover the software bugs in Apache Log4j that permitted the critical vulnerability, the exploits used to take advantage of the vulnerabilities and the remediation options available to protect your organization.



Do you identify people authorized to access the base, or ‘everyone else’? (Clearly Clearview still has an irresistible sales pitch.)

https://www.nytimes.com/2022/02/03/technology/air-force-clearview-ai-glasses.html

Air Force taps Clearview AI to research face-identifying augmented reality glasses.

In a flyer, Clearview said the product “saves lives,” “saves time” and “improves health” by increasing social distancing and keeping officers’ hands free to grab their weapons.

The U.S. Air Force is looking into keeping its airfields safer with help from the facial recognition start-up Clearview AI.

The Air Force Research Laboratory awarded Clearview $49,847 to research augmented reality glasses that could scan people’s faces to help with security on bases.

Last month, Mr. Ton-That said in a public letter that his company would not use its technology “in a real-time way,” but outfitting glasses with the technology to recognize faces seems to fit that bill.



Something to think about?

https://venturebeat.com/2022/02/03/the-state-of-ai-ethics-the-principles-the-tools-the-regulations/

The state of AI ethics: The principles, the tools, the regulations

The Montreal AI Ethics Institute (MAIEI) is an international nonprofit organization democratizing AI ethics literacy. It aims to equip citizens concerned about artificial intelligence to take action, as its founders believe that civic competence is the foundation of change.

The institute’s State of AI Ethics Reports, published semi-annually, condense the top research & reporting around a set of ethical AI subtopics into one document. As the first of those reports for 2022 has just been released, VentureBeat picked some highlights from the almost 300 page document to discuss with Gupta.



Tools & Techniques.

https://www.zdnet.com/article/singapore-releases-software-toolkit-to-guide-financial-sector-on-ai-ethics/

Singapore releases software toolkit to guide financial sector on AI ethics

Singapore has released a software toolkit aimed at helping financial institutions ensure they are using artificial intelligence (AI) responsibly. Five whitepapers also have been issued to guide them on assessing their deployment based on predefined principles.

The Monetary Authority of Singapore (MAS) said the documents detailed methodologies for incorporating the FEAT principles – of Fairness, Ethics, Accountability, and Transparency – into the use of AI within the financial services sector.

The whitepapers were developed by the Veritas consortium, which is part of Singapore's national AI strategy and comprises 27 industry players that include Amazon Web Services, Bank of China, Bank of Singapore, Google Cloud, Goldman Sachs, OCBC Bank, and Unionbank of the Philippines.

The Veritas consortium also developed the software toolkit to automate the fairness metrics assessment and facilitate visualisation of the assessment interface. Available on GitHub, the open source toolkit allows for plugins to enable integration with the financial institution's IT systems.


Thursday, February 03, 2022

Yes, this is amusing. It also reiterates the possibility of an individual making an attack that could be mistaken for the start of a cyber war.

https://www.databreaches.net/north-korea-hacked-him-so-he-took-down-its-internet/

North Korea Hacked Him. So He Took Down Its Internet

What a great — and thought-provoking — story by Andy Greenberg:

For the past two weeks, observers of North Korea’s strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government. At least one of the central routers that allow access to the country’s networks appeared at one point to be paralyzed, crippling the Hermit Kingdom’s digital connections to the outside world.
Some North Korea watchers pointed out that the country had just carried out a series of missile tests, implying that a foreign government’s hackers might have launched a cyberattack against the rogue state to tell it to stop saber-rattling.
But responsibility for North Korea’s ongoing internet outages doesn’t lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.

Read more at Wired about why and how a security researcher known as P4x sought revenge on North Korea. The story will make some people cheer but it should also raise questions as to whether our government did enough when security researchers were attacked by a foreign government — and what our government will do now. Will it sit back and let vigilantes strike back or what? Is our government going to put its cyberskills where its mouth is or not?

If individuals are the target of a hacking campaign and the government doesn’t show up to help them in meaningful ways, and doesn’t say to them, “Look, we’ve got something going on right now so sit tight for a while please,” then why shouldn’t individuals take matters into their own hands to protect themselves?



Perhaps we are not inclined to think of TikTok as a real threat?

https://www.wsj.com/articles/tiktok-security-risk-china-biden-11643807751?mod=djemalertNEWS

U.S. Moving—Some Say Too Slowly—to Address TikTok Security Risk

The Biden administration is moving to revise federal rules to address potential security risks from TikTok and other foreign-owned apps, eight months after opting not to pursue a forced shutdown of the Chinese-owned video-sharing platform.

The Commerce Department recently concluded a public-comment period on the proposed rule change, which would expand federal oversight to explicitly include apps that could be used by “foreign adversaries to steal or otherwise obtain data,” according to a filing in the Federal Register.

Under the rule, the commerce secretary could effectively bar foreign apps deemed unacceptable security risks. That could force social-media platforms such as TikTok and other software applications connected to the internet to submit to third-party auditing, source-code examination and monitoring of the logs that show user data, according to the proposed rule.



The future of Colorado privacy?

https://www.databreaches.net/prepared-remarks-attorney-general-phil-weiser-on-the-way-forward-on-data-privacy-and-data-security-jan-28-2022/

Prepared remarks: Attorney General Phil Weiser on the way forward on data privacy and data security (Jan. 28, 2022)

Colorado’s Attorney General, Phil Weiser, gave a speech for Data Privacy Day that talks about Colorado’s Privacy Act and its provisions with respect to both privacy and data security.

It is a speech worth reading, especially if you want an overview of what is coming your way in Colorado.

With three states now having state laws, you’d think Congress would be under more pressure to have one federal law, but given how dysfunctional Congress is and how much money is spent — including by data brokers and media outlets — lobbying them not to seriously protect our privacy and data security, I’m not holding my breath. Thank goodness some states keep pushing forward to protect consumers and to hold entities accountable.

Read AG Weiser’s speech here.


(Related)

https://www.huntonprivacyblog.com/2022/02/02/colorado-ag-publishes-guidance-on-data-security-practices-and-announces-upcoming-rulemaking-under-the-colorado-privacy-act/

Colorado AG Publishes Guidance on Data Security Practices and Announces Upcoming Rulemaking Under the Colorado Privacy Act

The “Data Security Best Practices” guidance document outlined nine key steps companies should take to protect their data, including:



Perspective.

https://www.bespacific.com/divergent-global-views-on-social-media-free-speech-and-platform-regulation/

Divergent Global Views on Social Media, Free Speech, and Platform Regulation: Findings from the United Kingdom, South Korea, Mexico, and the United States

Wihbey, John and Chung, Myojung and Peacey, Mike and Morrow, Garrett and Tian, Yushu and Vitacco, Lauren and Rincon Reyes, Daniela and Clavijo, Melissa, Divergent Global Views on Social Media, Free Speech, and Platform Regulation: Findings from the United Kingdom, South Korea, Mexico, and the United States (January 3, 2022). Available at SSRN: https://ssrn.com/abstract=

“Citizens and policymakers in many countries are voicing frustration with social media platform companies, which are, increasingly, host to much of the world’s public discourse. Many societies have considered regulation to address issues such as misinformation and hate speech. However, there is relatively little data on how countries compare precisely in terms of public attitudes toward social media regulation. This report provides an overview of public opinion across four diverse democracies – the United Kingdom, South Korea, Mexico, and the United States – furnishing comparative perspectives on issues such as online censorship, free speech, and social media regulation. We gathered nationally representative samples of 1,758 (South Korea), 1,415 (U.S.), 1,435 (U.K.), and 784 (Mexico) adults in the respective countries. Across multiple measures, respondents from the United States and Mexico are, on the face of it, more supportive of freedoms of expression than respondents from the United Kingdom and South Korea. Additionally, the United Kingdom, South Korea, and Mexico are more supportive of stricter content moderation than the United States, particularly if the content causes harm or distress for others. The data add to our understanding of the global dynamics of content moderation policy and speak to civil society efforts, such as the Santa Clara Principles, to articulate standards for companies that are fair to users and their communities. The findings underscore how different democracies may have varying needs and translate and apply their values in nuanced ways.”


Wednesday, February 02, 2022

Demonstrating an ability to grasp the obvious. Perhaps there is hope for DHS yet.

https://www.cpomagazine.com/cyber-security/dhs-bulletin-warns-of-russian-cyber-attacks-in-retaliation-if-us-responds-to-a-ukraine-invasion/

DHS Bulletin Warns of Russian Cyber Attacks in Retaliation if US Responds to a Ukraine Invasion

As the great “will they or won’t they” continues to play out in the news, the Department of Homeland Security (DHS) has issued a bulletin to law enforcement agencies warning that Russian cyber attacks in the US are possible if Ukraine is invaded.


(Related) If they are saying amateurs can successfully attack the pros, they have it right. But can amateurs survive retaliation?

https://www.brookings.edu/blog/order-from-chaos/2022/02/01/cascading-chaos-nonstate-actors-and-ai-on-the-battlefield/

Editor's Note: This piece is part of a series titled "Nonstate armed actors and illicit economies in 2022" from Brookings's Initiative on Nonstate Armed Actors.



Stay current.

https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-5/report-provides-insights-on-evolving-privacy-landscape?cid=edmi_3000861&Appeal=edmi&utm_source=sfmc&utm_medium=email&utm_campaign=AtISACA_20220202&utm_term=evol-privacy-land&utm_id=172072&sfmc_id=97787913

Report Provides Insights on Evolving Privacy Landscape

New research from ISACA explores the latest trends in enterprise privacy—from privacy workforce and privacy by design to privacy challenges and the future of privacy—in its new Privacy in Practice 2022 survey report, sponsored by OneTrust.

The survey report was discussed in depth in the free webinar, “The State of Privacy: 2022,” available on demand at https://store.isaca.org/s/community-event?id=a334w000004cmroAAA. A complimentary copy of the Privacy in Practice 2022 survey report and additional privacy resources and articles can be accessed at www.isaca.org/dataprivacy. Additional information on ISACA’s privacy resources, including the Certified Data Privacy Solutions Engineer™ (CDPSE™) certification, is available at www.isaca.org/cdpse. ISACA also hosts a Privacy group in its Engage online forums to discuss the topic and share best practices.



This could also be viewed as a “Things managers should never do” manual.

https://www.bespacific.com/cias-simple-sabotage-field-manual-a-timeless-guide-to-subverting-any-organization-with-purposeful-stupidity-1944/

Read the CIA’s Simple Sabotage Field Manual: A Timeless Guide to Subverting Any Organization with “Purposeful Stupidity” (1944)

Open Culture: “…Now declassified and freely available on the Homeland Security website, the manual the agency describes as “surprisingly relevant” was once distributed to OSS officers abroad to assist them in training “citizen-saboteurs” in occupied countries like Norway and France. Such people, writes Rebecca Onion at Slate, “might already be sabotaging materials, machinery, or operations of their own initiative,” but may have lacked the devious talent for sowing chaos that only an intelligence agency can properly master. Genuine laziness, arrogance, and mindlessness may surely be endemic. But the Field Manual asserts that “purposeful stupidity is contrary to human nature” and requires a particular set of skills. The citizen-saboteur “frequently needs pressure, stimulation or assurance, and information and suggestions regarding feasible methods of simple sabotage.”…

Managers

    • In making work assignments, always sign out the unimportant jobs first. See that important jobs are assigned to inefficient workers.

    • Insist on perfect work in relatively unimportant products; send back for refinishing those which have the least flaw.

    • To lower morale and with it, production, be pleasant to inefficient workers; give them undeserved promotions.

    • Hold conferences when there is more critical work to be done.

    • Multiply the procedures and clearances involved in issuing instructions, pay checks, and so on. See that three people have to approve everything where one would do...”



Perspective. Why are tech companies ignoring math?

https://www.technologyreview.com/2022/02/01/1044561/meet-the-nsa-spies-shaping-the-future/

Meet the NSA spies shaping the future

For someone with a deeply scientific job, Gil Herrera has a nearly mystical mandate: Look into the future and then shape it, at the level of strange quantum physics and inextricable math theorems, to the advantage of the United States.

Herrera is the newly minted leader of the National Security Agency’s Research Directorate.



Might be an interesting perspective on our Supremes.

https://www.bespacific.com/uk-supreme-court-has-launched-its-first-free-online-course-for-the-public/

UK Supreme Court has launched its first, free, online course for the public

Paul Sandles, Librarian and Departmental Records Officer: “The Supreme Court has launched its first, free, online course for the public. https://www.futurelearn.com/courses/inside-the-supreme-court We have worked in partnership with Royal Holloway, University of London, to create the course. Our aim is to give people a behind the scenes look at the work of the Supreme Court and Judicial Committee of the Privy Council (JCPC). The course is designed to increase awareness and understanding of the role and work of the Court.

  • The course is highly interactive. Content takes the form of articles, case studies, video interviews, quizzes, and mini lectures. Hosted on the social learning platform FutureLearn, everything is presented by academic experts from Royal Holloway, present and former Supreme Court Justices, and a range of people who work at the Court.

  • Registration is open now. The course will begin on Monday 21 February and learners can complete it in their own time, within the two-week window. We estimate that it will take four hours a week.

  • Further information is provided on the programme syllabus and on our website…”