Wednesday, February 21, 2018

Any publicity seems to attract the hacker piranhas.
Note: as Catalin Cimpanu points out on Twitter, “Neither RedLock nor Tesla confirmed that “confidential data” was stolen. Tesla said the opposite in their statement. The reporter is going out on a limb on this one.”
Duncan Riley reports:
Elon Musk may be able to send a Tesla Inc. vehicle into space, but apparently his staff can’t secure data online so easily. A shocking report released this morning details the theft of data from the electric car company, blaming it on gross staff incompetency.
According to researchers at cloud security firm RedLock Ltd., hackers infiltrated Tesla’s Kubernetes console after the company failed to secure it with a password. Within one of the Kubernetes pods, a group of software containers deployed on the same host, sat the access credentials to Tesla’s Amazon Web Services Inc. account.
Read more on SiliconAngle.
[From the article:
Because it’s the fashion in 2018, the hackers then installed cryptomining software, including sophisticated evasion measures to hide the installation.
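The failure described above has two halves: an unauthenticated console, and cloud credentials sitting inside a pod where anyone who reaches the console can read them. The second half is something you can audit from a cluster dump. The script below is an added example, not code from the original post, RedLock or Tesla; it reads the JSON that `kubectl get pods --all-namespaces -o json` prints and flags environment variables whose inline value looks like an AWS access key id, or whose name suggests a credential. The pod list embedded in it is constructed for the demo, and the key values are the placeholder credentials from AWS's own documentation, not real keys.

```python
"""Scan Kubernetes pod specs for AWS credentials left inline in environment variables.

Added example (not from the original post, RedLock or Tesla). Input is the JSON
printed by `kubectl get pods --all-namespaces -o json`; the sample below is
constructed and uses AWS's documented placeholder keys.
"""
import json
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key ids: 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names that usually carry something that belongs in a Secret, not a pod spec.
SUSPECT_NAME_RE = re.compile(r"(AWS|SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)", re.IGNORECASE)

# Constructed `kubectl get pods -o json` output (two pods, one bad, one mostly right).
SAMPLE_POD_LIST_JSON = """
{
  "items": [
    {
      "metadata": {"namespace": "prod", "name": "web-0"},
      "spec": {"containers": [{
        "name": "app",
        "env": [
          {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
          {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
          {"name": "LOG_LEVEL", "value": "info"}
        ]}]}
    },
    {
      "metadata": {"namespace": "prod", "name": "api-0"},
      "spec": {"containers": [{
        "name": "api",
        "env": [
          {"name": "AWS_SECRET_ACCESS_KEY",
           "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secret"}}},
          {"name": "DB_PASSWORD", "value": "hunter2"}
        ]}]}
    }
  ]
}
"""


def find_exposed_credentials(pod_list):
    """Return one finding per env var whose value is inline and looks like a credential."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for env in container.get("env", []):
                value = env.get("value")
                if value is None:
                    # valueFrom (secretKeyRef / configMapKeyRef): nothing inline to read here.
                    continue
                var = env.get("name", "")
                if ACCESS_KEY_RE.search(value):
                    severity, reason = "high", "AWS access key id inline in pod spec"
                elif SUSPECT_NAME_RE.search(var):
                    severity, reason = "medium", "inline value in credential-named variable"
                else:
                    continue
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "pod": meta.get("name", "?"),
                    "container": container.get("name", "?"),
                    "env": var,
                    "severity": severity,
                    "reason": reason,
                })
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


def scan_json(text):
    """Parse a pod-list JSON document and scan it."""
    return find_exposed_credentials(json.loads(text))


if __name__ == "__main__":
    results = scan_json(SAMPLE_POD_LIST_JSON)
    for f in results:
        print(f"[{f['severity']}] {f['namespace']}/{f['pod']} ({f['container']}) {f['env']}: {f['reason']}")
    print(summarize(results))
```

Two caveats. A key moved into a Secret (the `api-0` pattern) is still readable by anyone who controls an unauthenticated dashboard, so this scan does not substitute for putting authentication on the console; and the durable fix is to give pods an IAM role instead of long-term keys, so there is nothing worth stealing in the spec at all.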




A “How To” article that allows us to consider “How To Avoid!”
Phishing schemes net hackers millions of dollars from Fortune 500
On Wednesday, researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team said the Business Email Compromise (BEC) scheme is currently active and is successfully targeting Accounts Payable (AP) teams at Fortune 500 companies.
In a blog post, the researchers said that after discovering evidence of the threat in Fall 2017, their analysis of the campaign led them to Nigeria, where the threat actors appear to be operating.
The BEC uses social engineering attacks and phishing emails in order to obtain legitimate credentials for enterprise networks and email accounts.
In many cases, publicly available information is used to craft messages which appeared legitimate and entice phishing victims to visit malicious domains.
… This BEC is of special note as no malware was used and as legitimate employees were conducting transactions, traditional security products and protocols would not be able to detect any compromise.




From the White House! So you know it can’t be “fake news.”
CEA Report: The Cost of Malicious Cyber Activity to US Economy
[February 16, 2018] “the Council of Economic Advisers (CEA) released a report detailing the economic costs of malicious cyber activity on the U.S. economy. Please see below for the executive summary and read the full report here. This report examines the substantial economic costs that malicious cyber activity imposes on the U.S. economy. Cyber threats are ever-evolving and may come from sophisticated adversaries.
  • We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
  • Cybersecurity experts like to say that in an act of war or retaliation, the first moves will be made in cyberspace. A cyber adversary can utilize numerous attack vectors simultaneously. The backdoors that were previously established may be used to concurrently attack the compromised firms for the purpose of simultaneous business destruction.




For our discussion of Law & Regulation.
The Laws and Ethics of Employee Monitoring
… Federal and most state privacy laws give discretion to employers as to how far they can go with their employee monitoring. In some cases, employers do not have to inform employees of the monitoring, but this depends on state and local laws. Some locations require employee consent to monitor.
"As a general rule, employees have little expectation of privacy while on company grounds or using company equipment, including company computers or vehicles," said Matt C. Pinsker, adjunct professor of homeland security and criminal justice at Virginia Commonwealth University.
Monitoring must be within reason. For example, video surveillance can be conducted in common areas and entrances; however, it should be obvious that surveillance in bathrooms or locker rooms is prohibited and can open a company up to legal repercussions.


Tuesday, February 20, 2018

The Bangladesh Bank hack showed how this could be done. I wonder if this is the same team of hackers or whether they have inspired copycats. Did these banks fail to make the security changes SWIFT recommended?
Malicious hackers attempted to steal millions of dollars from banks in Russia and India by abusing the SWIFT global banking network.
A report published last week by Russia’s central bank on the types of attacks that hit financial institutions in 2017 revealed that an unnamed bank was the victim of a successful SWIFT-based attack.
A copy of the report currently posted on the central bank’s website does not specify how much the hackers stole, but Reuters said they had managed to obtain 339.5 million rubles (roughly $6 million).
The news comes after Russia’s Globex bank admitted in December that hackers had attempted to steal roughly $940,000 through the SWIFT system. The attackers reportedly only managed to steal a fraction of the amount they targeted.
In India, City Union Bank issued a statement on Sunday saying that it had identified three fraudulent transfers abusing the SWIFT payments messaging system. One transfer of $500,000 through a Standard Chartered Bank account in New York to a bank in Dubai was blocked and the money was recovered.
The second transfer of €300,000 ($372,000) was made to an account at a bank based in Turkey via a Standard Chartered Bank account in Germany. The funds were blocked at the Turkish bank and City Union hopes to recover the money.
The third transfer was for $1 million and it went to a Chinese bank through a Bank of America account. City Union Bank said the funds were claimed by someone using forged documents.




How close are we to the straw that breaks the camel’s back?
North Korea poised to launch large-scale cyberattacks, says new report
North Korea is quietly expanding both the scope and sophistication of its cyberweaponry, laying the groundwork for more devastating attacks, according to a new report published Tuesday.
… Now it appears that North Korea has also been using previously-unknown holes in the Internet to carry out cyberespionage — the kinds of activities that could easily metamorphose into full-scale attacks, according to a report from FireEye, the California-based cybersecurity company.
… The Worldwide Threat Assessment published by the U.S. intelligence community last week forecast the potential for surprise attacks in the cyber realm would increase over the next year.




Surprise! Someone used your identity to launder money. Have fun explaining that to the Feds.
Money Laundering Via Author Impersonation on Amazon?
Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish.




Biometrics can do more than identify you by scanning your face. Should we allow it to? This is similar to those driver-analyzing dongles insurance companies put in cars. A look into your eyes could increase your health insurance rates?
Google’s new AI algorithm predicts heart disease by looking at your eyes
Scientists from Google and its health-tech subsidiary Verily have discovered a new way to assess a person’s risk of heart disease using machine learning. By analyzing scans of the back of a patient’s eye, the company’s software is able to accurately deduce data, including an individual’s age, blood pressure, and whether or not they smoke. This can then be used to predict their risk of suffering a major cardiac event — such as a heart attack — with roughly the same accuracy as current leading methods.
The algorithm potentially makes it quicker and easier for doctors to analyze a patient’s cardiovascular risk, as it doesn’t require a blood test. But, the method will need to be tested more thoroughly before it can be used in a clinical setting. A paper describing the work was published today in the Nature journal Biomedical Engineering, although the research was also shared before peer review last September.




A question: Is this bad or merely an evolution similar to the introduction of radio and then TV? Perhaps older forms of journalism need to evolve?
CJR – The Facebook Armageddon
Columbia Journalism Review: The social network’s increasing threat to journalism – “At some point over the past decade, Facebook stopped being a mostly harmless social network filled with baby photos and became one of the most powerful forces in media—with more than 2 billion users every month and a growing lock on the ad revenue that used to underpin most of the media industry. When it comes to threats to journalism, in other words, Facebook qualifies as one, whether it wants to admit it or not… The fact that even Facebook’s closest media partners like BuzzFeed are struggling financially highlights the most obvious threat: Since many media companies still rely on advertising revenue to support their journalism, Facebook’s increasing dominance of that industry poses an existential threat to their business models…”




An interesting question: Can you duplicate an algorithm? Since these algorithms are Trade Secrets (not patented or copyrighted), there is no problem disclosing how they work?
Facebook is a political battleground where Russian operatives work to influence elections, fake news runs rampant, and political hopefuls use ad targeting to reach swing voters. We have no idea what goes on inside Facebook’s insidious black box algorithm, which controls the all-powerful News Feed. Are politicians playing by the rules? Can we trust Facebook to police them? Do we really have any choice?
One emerging way to hold tech companies like Facebook accountable is to use similar technology to figuratively poke at that black box, gathering data and testing hypotheses about what might be going on inside, almost like early astronomers studying the solar system.
It’s a tactic being pioneered at the nonprofit news organization ProPublica by a team of reporters, programmers, and researchers led by Pulitzer Prize-winning reporter Julia Angwin. Angwin’s team specializes in investigating algorithms that impact people’s lives, from the Facebook News Feed to Amazon’s pricing models to the software determining people’s car insurance payments and even who goes to prison and for how long. To investigate these algorithms, they’ve had to develop a new approach to investigative reporting that uses technology like machine learning and chatbots.


(Related) If Russia was not bringing its “A” game last time, will we be ready for it this time?
Russia's Troll Operation Was Not That Sophisticated
It might be nice for Democrats and #NeverTrumpers to believe that Russia’s troll factory brought Donald Trump the 2016 Presidential Election.
But no.
Special Counsel Robert Mueller’s indictment of 13 Russians associated with the Internet Research Agency definitively shows, given current evidence, that while a small team in St. Petersburg ran a successful audience-development campaign mostly on behalf of Trump, that campaign was neither targeted nor sizable enough to change the election’s result.
Make no mistake: This was self-described and actual “information warfare.” The point was to sow discord and distrust in the American electorate. And with a few dozen people—around 80 at the peak—they managed to reach 150 million people through Facebook and Instagram. In September 2016, the indictment states that the monthly budget of the unit that contained the U.S. election-interference operation was $1.25 million. That’s pretty good bang for the buck.


(Related) Clearly, Russia is poised to take any advantage we offer…
After Florida School Shooting, Russian ‘Bot’ Army Pounced
One hour after news broke about the school shooting in Florida last week, Twitter accounts suspected of having links to Russia released hundreds of posts taking up the gun control debate.
The accounts addressed the news with the speed of a cable news network. Some adopted the hashtag #guncontrolnow. Others used #gunreformnow and #Parklandshooting. Earlier on Wednesday, before the mass shooting at Marjory Stoneman Douglas High School in Parkland, Fla., many of those accounts had been focused on the investigation by the special counsel Robert S. Mueller III into Russian meddling in the 2016 presidential election.
“This is pretty typical for them, to hop on breaking news like this,” said Jonathon Morgan, chief executive of New Knowledge, a company that tracks online disinformation campaigns. “The bots focus on anything that is divisive for Americans. Almost systematically.”




Perspective. Rather clunky infographic, but the voice trend is important.
20% of All Searches are Made with Voice (INFOGRAPHIC)
A new and very interactive infographic by Adzooma takes a look at how online advertising will be trending in 2018. And one of the data points is the growth of voice search, which now makes up 20 percent of inquiries on Google’s mobile app and Android devices.




A very interesting tool.
Tetra’s call recorder and AI-powered transcription app now works for inbound calls
… what if there was a way for you to record a call through your mobile phone and have a full transcription of the discussion delivered to you within minutes? That’s exactly what San Francisco-based Tetra is setting out to enable with its AI-powered iPhone app that not only records your calls but converts the conversations into written form using deep learning and natural language processing (NLP).
… So far, Tetra has only worked with outbound calls, but now subscribers will be able to enjoy the full benefits of Tetra for incoming calls, too.
By way of a quick recap, Tetra is basically a VoIP app that works similarly to Google Voice, insofar as it allocates you a dedicated Tetra number that must be used for all outgoing/incoming calls. Once a call is complete, Tetra will spend a short period of time generating the notes.
… In terms of pricing, everyone can get 60 free minutes per month as part of a trial. Then you’ll have to sign up to the Plus, Pro, or Business plans, which offer varying amounts of call-time per month and range from $9 to $99.
… Then there are the legal and ethical angles to consider. By default, Tetra automatically tells the people on the other end of the call that they are being recorded, however it’s possible for the Tetra subscriber to disable this announcement with the proviso that you “stay compliant with local law or get recording consent yourself,” according to Tetra.


Monday, February 19, 2018

Now I can insult anyone and the evidence deletes itself?
Obliviate is a new app from MakeUseOf that lets you send self-destructing messages. It’s great for sharing secret messages with friends that you don’t want sticking around on their phone, among other use cases.
Download: obliviate for Android and iOS.
… The app lets you set a timer between 5 and 180 seconds for how long your messages will last. Once the recipient opens it, the message will disappear after a set time. And if you change your mind, you can immediately obliviate messages and bypass the timer.
Best of all, obliviate is free and has no ads; never will. Plus, you cannot take screenshots in the app or copy the content of the messages (this feature is currently available on Android only, coming soon on iOS). This prevents others from recording messages you intended to be private.
… Coming soon, obliviate hopes to add encryption, support for audio, pictures, and videos, custom notification sounds, and more! We hope you enjoy the app.




Interesting that the parents accept this.
AP reports:
A private school in east Georgia intends to start drug-testing its oldest students.
The Columbus Ledger-Enquirer reports that Brookstone School in Columbus recently announced that the drug-testing of students in grades 8-12 will be voluntary next school year — and then mandatory in succeeding years.
Read more on Ledger-Enquirer.
And yes, of course they can get away with doing that as a precondition of acceptance or attendance. They’re a private school. But here’s the thing: parents are waiving their children’s privacy rights. Now I know a lot of parents are just fine with that because they want to know if their child is using drugs. And somewhere, I’m guessing, this school actually/hopefully has a written policy about what happens with the results, for how long they are retained, and with whom they might be shared. And what is the testing facility’s privacy policy? Will they be sent the students’ names as identifiers or just numbers/IDs? And who might they share results with and under what circumstances?
Much to think about here….




Another “Business Continuity” angle for my students to discuss.
Most KFCs in UK remain closed because of chicken shortage
The fast food chain KFC has been forced to temporarily close most of its UK outlets after problems with a new delivery contract led to a chicken shortage.
… The chicken delivery problem is so severe that the company cannot say when operations will be back to normal. But it said it was working “flat out” to resolve the crisis.
… In a statement it blamed the chicken shortage on a contract with delivery company DHL.




An interesting tool. Now, how do we apply it?
Perform Text Analysis with IBM Watson and Google Docs
Google, Microsoft, IBM and Amazon have made it easier for developers to add human cognitive capabilities (also known as artificial intelligence) within their own applications. You need not be a machine learning expert to build a computer program that can recognize objects in photographs, or one that transforms human speech to text or even a chatbot that converses with people in natural language.




Perhaps a metaphor for the Trump Administration?


Sunday, February 18, 2018

A reminder: Just because we rarely see their name in the list of ‘usual suspects’ does not mean they aren’t capable.
Saudi foreign minister calls Iran most dangerous nation for cyber attacks
… Asked who he believed was the most dangerous nation in terms of cyber attacks and Al-Jubeir was unequivocal.
"The most dangerous nation behind cyber attacks? Iran," Al-Jubeir said.
"Iran is the only country that has attacked us repeatedly and tried to attack us repeatedly. In fact they tried to do it on a virtually weekly basis."
… Last September, the U.S. Treasury Department added two Iran-based hacking networks and eight individuals to a U.S. sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system in 2012 and 2013, Reuters reported.


(Related) Our allies have some skills too.
… The hack had targeted Belgacom, Belgium’s largest telecommunications provider, which serves millions of people across Europe. The company’s employees had noticed their email accounts were not receiving messages. On closer inspection, they made a startling discovery: Belgacom’s internal computer systems had been infected with one of the most advanced pieces of malware security experts had ever seen.
As The Intercept reported in 2014, the hack turned out to have been perpetrated by U.K. surveillance agency Government Communications Headquarters, better known as GCHQ. The British spies hacked into Belgacom employees’ computers and then penetrated the company’s internal systems. In an eavesdropping mission called “Operation Socialist,” GCHQ planted bugs inside the most sensitive parts of Belgacom’s networks and tapped into communications processed by the company.




For my future managers: How do you fail to notice that you only sent 100,000 letters to notify 600,000 people? I would never call this a programming error; the program correctly did what the manager asked it to do.
Jack Corrigan reports:
A programming error kept the IRS from notifying hundreds of thousands of identity theft victims about criminals using their Social Security numbers to get themselves jobs in 2017, according to an internal investigation.
Last year, more than half a million Americans had their identities used by others to get hired, but only first-time victims received a notification from the IRS, the Treasury Inspector General for Tax Administration found. As a result, nearly 460,000 previous victims of employment identity theft were left in the dark about their information getting stolen yet again.
“Most identified victims remain unaware that their identities are being used by other individuals for employment,” TIGTA wrote in its report.
Read more on NextGov.




For my “Why you need a lawyer” lecture.
Revision Legal has a post about insider leaks. The article starts by discussing the Morrisons case in the UK, where an employee vindictively leaked data. In a ruling that surprised many, the court held that although Morrisons was a victim of their employee, other employees who sued Morrisons could hold Morrisons liable:
This creates, in effect, a form of strict liability for an employee data leak (at least in the UK). If the ruling is upheld, Morrisons will face a massive legal liability and, without question, the remaining 94,500 employees will join the class action or file their own lawsuits. Further, it is possible that British regulators will follow the court’s ruling and impose heavy regulatory fines and penalties.
The article then turns to legal principles in the U.S. that would relate to holding an employer liable for an intentional leak by an employee. As the authors note, it’s “complicated.”
Read more on JDSupra.




Just in time for the chapter on Law & Regulation.
David M. Stauss and Gregory Szewczyk of Ballard Spahr LLP write:
As we first reported in our January 22, 2018, alert, the Colorado legislature is considering legislation that, if enacted, would significantly change Colorado privacy and data security law. On Wednesday, February 14, 2018, the bill’s sponsors submitted an amended bill that addresses issues raised by numerous stakeholders, including Ballard Spahr. The amended bill also was heard before the House Committee on State, Veterans, and Military Affairs, where it was unanimously approved.
The most significant changes are highlighted below.
Read more on The National Law Review. And yes, read more: the proposed state law has some interesting overlap with, but also differences from, HIPAA and GLBA. And if adopted, HIPAA-covered entities would no longer have a 60-day window from discovery to notify; they might have only 30 days.




Now we have to depend on the Postal Service to safeguard the elections? So I have to get a code for Facebook before I can place an ad like “Bob for President.” Can I get that code now? I don’t want to wait until Russia sends me the text of the ad they want me to run. (Let’s hope no one else reads this “secret” code that is written on the postcard!)
Facebook plans to use U.S. mail to verify IDs of election ad buyers
Facebook Inc will start using postcards sent by U.S. mail later this year to verify the identities and location of people who want to purchase U.S. election-related advertising on its site, a senior company executive said on Saturday.
… The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook’s global director of policy programs, said. The requirement will not apply to issue-based political ads, she said.
“If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States,” Harbath said at a weekend conference of the National Association of Secretaries of State, where executives from Twitter Inc and Alphabet Inc’s Google also spoke.
“It won’t solve everything,” Harbath said in a brief interview with Reuters following her remarks.
But sending codes through old-fashioned mail was the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else, Harbath said.
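The postcard is an out-of-band verification code, and the worry about someone else reading it is the right one to ask about. What makes such a code survive that is not secrecy of the paper but how the server treats it: bound to one account and the address it was mailed to, stored only as a keyed hash, time-limited, single-use, and locked after a few wrong guesses. The class below is an added example of that server-side handling; it is not Facebook’s code, and the code length, expiry, attempt limit and the HMAC binding are this example’s assumptions, not anything Facebook described. The clock is injectable so the flow can be exercised offline.

```python
"""Server-side handling of a mailed (out-of-band) verification code.

Added example, not Facebook's implementation. Assumptions: 10-character code from
a mistype-resistant alphabet, 30-day validity, 5 attempts, one use, stored as an
HMAC bound to the account and mailing address rather than in the clear.
"""
import hashlib
import hmac
import secrets
import time

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I confusion
CODE_LENGTH = 10
CODE_TTL_SECONDS = 30 * 24 * 3600  # postal delivery is slow (assumption)
MAX_ATTEMPTS = 5


class MailedCodeVerifier:
    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key      # server-side secret; never printed on the card
        self._now = now             # injectable clock for testing
        self._pending = {}          # advertiser_id -> pending record

    def _digest(self, advertiser_id, mailing_address, code):
        # Bind the code to the account and the address it was mailed to, so a code
        # lifted from someone else's postcard does not verify any other account.
        msg = f"{advertiser_id}\n{mailing_address}\n{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, advertiser_id, mailing_address):
        """Create the code to print on the postcard; only its keyed hash is stored."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[advertiser_id] = {
            "digest": self._digest(advertiser_id, mailing_address, code),
            "address": mailing_address,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the print/mail pipeline, not logged

    def verify(self, advertiser_id, submitted_code):
        """Return one of: verified, wrong_code, expired, locked, no_pending_code."""
        rec = self._pending.get(advertiser_id)
        if rec is None:
            return "no_pending_code"
        if self._now() > rec["expires"]:
            del self._pending[advertiser_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[advertiser_id]  # force a fresh mailing
            return "locked"
        rec["attempts"] += 1
        normalized = submitted_code.strip().upper().replace("-", "").replace(" ", "")
        got = self._digest(advertiser_id, rec["address"], normalized)
        if hmac.compare_digest(rec["digest"], got):  # constant-time comparison
            del self._pending[advertiser_id]          # single use
            return "verified"
        return "wrong_code"


if __name__ == "__main__":
    v = MailedCodeVerifier(secrets.token_bytes(32))
    code = v.issue("adv-42", "1 Main St, Springfield")
    print("postcard code:", code)
    print(v.verify("adv-42", "not-the-code"))   # wrong_code
    print(v.verify("adv-42", code.lower()))     # verified
    print(v.verify("adv-42", code))             # no_pending_code (already used)
```

The binding is what answers the postcard-reading concern: the code only proves that whoever logged in as that advertiser also received mail at that address, and it is useless against any other account. The remaining attack, registering with a U.S. mail drop, is exactly the gap Harbath concedes with “It won’t solve everything.”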


Saturday, February 17, 2018

Last week we discussed Backups and Disaster Recovery. Here’s another good ‘bad example.’
Ben Coley reports:
The Davidson County government’s ability to conduct business on computers has been stopped by a software virus known as ransomware, according to County Manager Zeb Hanner.
Hanner said officials learned about the issue around 2 a.m. Friday. He noted that all the files are encrypted and that the hackers are asking for an undisclosed amount of bitcoin, a type of cyber currency gaining popularity. None of the phone systems for county offices are working, as well.
Read more on The Dispatch.




The cost of a failure to ‘design for security?’
Intel facing 32 lawsuits over Meltdown and Spectre CPU security flaws
Intel has revealed today that the company is facing at least 32 lawsuits over the Meltdown and Spectre CPU flaws. “As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed,” says Intel in an SEC filing today. The customer class action lawsuits are “seeking monetary damages and equitable relief,” while the securities lawsuits “allege that Intel and certain officers violated securities laws by making statements about Intel’s products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities.”
Intel is also facing action from three shareholders who have each filed shareholder derivative actions that allege certain board members and officers at Intel have failed “to take action in relation to alleged insider trading.” These filings appear to be related to the concerns that have been raised over Intel CEO Brian Krzanich’s stock sales.




No way to tell how many Snapchat users received the phishing email, but probably over a million.
Casey Newton reports:
In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.
The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge.
Read more on The Verge.
[From the article:
The accounts compromised in July represent a tiny fraction of Snap’s 187 million active users. But the incident illustrates how sites set up to mimic login screens can do an outsized amount of damage — and how companies must increasingly rely on machine-learning techniques to identify them in real time.
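Identifying login-page mimics “in real time” starts, for most teams, with a cheap first pass over domain names before any content analysis. The scorer below is an added example, not code from The Verge, Snap or the original post; Snap’s own detection is described only as machine learning, and this is a plain heuristic over a domain list: brand name present, single-character or homoglyph variants of the brand, and lure words such as login or verify. The sample domains are constructed except for klkviral.org, which the article names; the brand, allowlist and weights are this example’s assumptions.

```python
"""Heuristic scorer for domains that may impersonate a brand's login page.

Added example (not Snap's or The Verge's code). Scores: +3 brand name in a label,
+3 homoglyph-disguised brand, +2 one- or two-edit typosquat, +2 lure words.
Weights and lure list are assumptions; use a public-suffix list in production.
"""
import re

LURE_WORDS = ("login", "signin", "verify", "secure", "account", "password", "update")
# Digit/symbol substitutions commonly used to disguise a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed candidates; klkviral.org is the phishing host named in the article.
SAMPLE_DOMAINS = [
    "snapchat.com",
    "snapchat-login.verify-account.net",
    "snapchaf.com",
    "snapch4t-secure.com",
    "klkviral.org",
    "example.com",
]


def levenshtein(a, b):
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain):
    """Drop the last label (naive TLD strip; enough for the demo)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else domain.lower()


def score_domain(domain, brand, allowlist=frozenset()):
    """Return (score, reasons) for one domain against one brand string."""
    domain = domain.lower()
    if domain in allowlist:
        return 0, ["allowlisted"]
    score, reasons = 0, []
    tokens = [t for t in re.split(r"[.\-_]", registrable_part(domain)) if t]
    if any(brand in t for t in tokens):
        score += 3
        reasons.append("contains brand name")
    else:
        for t in tokens:
            deglyphed = t.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
            if deglyphed != t and brand in deglyphed:
                score += 3
                reasons.append(f"homoglyph of brand: {t}")
                break
            if abs(len(t) - len(brand)) <= 2 and 0 < levenshtein(t, brand) <= 2:
                score += 2
                reasons.append(f"typosquat of brand: {t}")
                break
    lures = [w for w in LURE_WORDS if w in domain]
    if lures:
        score += 2
        reasons.append("lure words: " + ",".join(lures))
    return score, reasons


def rank(domains, brand, allowlist=frozenset()):
    """Score every domain and sort, highest risk first."""
    scored = [(d, *score_domain(d, brand, allowlist)) for d in domains]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for domain, score, reasons in rank(SAMPLE_DOMAINS, "snapchat", {"snapchat.com"}):
        print(f"{score:2d}  {domain:36s} {'; '.join(reasons)}")
```

The zero score for klkviral.org is the instructive result: a phishing host does not need the brand in its name, which is why name heuristics are a triage layer and the real decision needs page content (a form that posts credentials to a third-party host, copied brand assets), the kind of signal a learned classifier would be trained on.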




A link to the indictment (PDF).
Special counsel Mueller: Russians conducted 'information warfare' against US during election to help Donald Trump win
A federal grand jury has indicted 13 Russian nationals and three Russian entities for alleged illegal interference in the 2016 presidential elections, during which they strongly supported the candidacy of Donald Trump, special counsel Robert Mueller's office said Friday.
The indictment says that a Russian organization called the Internet Research Agency sought to wage "information warfare" against the United States and to "sow discord" in the American political system by using fictitious American personas and social media platforms and other Internet-based media.


(Related). The UN is often the last to ‘notice’ trends. Who is the leader here?
Global Powers Must Address 'Episodes of Cyberwar': UN Chief
World leaders must lay the groundwork on how countries respond to cyberattacks that have proven to be a daunting threat, whether by state actors or criminal enterprises, UN secretary general Antonio Guterres said Friday.
"It is clear we are witnessing in a more or less disguised way cyberwars between states, episodes of cyberwar between states," Guterres said during one of the opening speeches at the Munich Security Conference.
"It's high time to have a serious discussion about the international legal framework in which cyberwars take place," he said.
"The fact is we haven't been able to discuss whether or not the Geneva convention applies to cyberwar and whether international humanitarian law applies to cyberwar."




The pendulum swings again!
Rejecting years of settled precedent, a federal court in New York has ruled [PDF] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would threaten millions of ordinary Internet users with infringement liability.
… Courts have long held that copyright liability rests with the entity that hosts the infringing content—not someone who simply links to it. The linker generally has no idea that it’s infringing, and isn’t ultimately in control of what content the server will provide when a browser contacts it. This “server test,” originally from a 2007 Ninth Circuit case called Perfect 10 v. Amazon, provides a clear and easy-to-administer rule. It has been a foundation of the modern Internet.




My students were sure this would not happen for years and years.
Waymo is readying a ride-hailing service that could directly compete with Uber
Waymo is preparing to launch a ride-hailing service akin to Uber’s, but with driverless cars.
The self-driving carmaker spun out of Google was approved on Jan. 24 to operate as a transportation network company (TNC) in Arizona, the state department of transportation told Quartz. Waymo applied for the permit on Jan. 12.




Something for my students to ponder…
Florida Shooter: When Social Media Foretells a Mass Shooting
Disturbing social-media posts apparently made by Nikolas Cruz before a deadly shooting spree have rekindled questions about what responsibilities and capabilities technology companies and law-enforcement authorities have for detecting threats among the billions of words, images and videos online.




Does SIRI (and similar software) know about this?
Why What You Say Reveals More Than You Think
… People’s word choices can reveal such things as their mental health, ability to persuade or even if they’ll default on a loan. A company’s choice of pronouns can affect a customer’s experience and whether it will lead to a purchase. Words used by the media influence how the public thinks about social issues like casino gambling. And the placement of gender — men and women vs. women and men — affect whom the reader believes is on top.




Something for my entrepreneurs.
55 Must-Know SEO Tricks for Business Websites (Infographic)




Something for my geeks.




Something for the Intro to Computers class?
How Computers Work
We use computers every day. But how many of us actually know how they work? Sure we know how to use the software, but I'm thinking about the hardware. How does that aspect of your computer work? Code.org has a new video series that addresses that question and more.
Through watching the videos in How Computers Work you can learn about memory, logic, circuits, binary, and the interaction between hardware and software. Get started by watching Bill Gates introduce the series.


Friday, February 16, 2018

Note that there is no mention of cyber retaliation. Russia, North Korea and other actors are showing us some of what they can do. I’m hoping we keep our cyber weapons hidden, for the time being.
US will impose costs on Russia for cyber ‘acts of aggression,’ White House cybersecurity czar says
Russia will be made to pay for its acts of cyber aggression on the international stage, Rob Joyce, special assistant to the president and White House cybersecurity coordinator, told CNBC on Friday.
The act in question was the malware attack known as NotPetya that wiped out billions of dollars as it spread across 64 countries in July 2017. The White House, for the first time Thursday, directly blamed Russia's military for the attack.




I have a hard time remembering names. Perhaps this technology would help?
EFF Report on Law Enforcement Use of Face Recognition Technology
“Face recognition—fast becoming law enforcement’s surveillance tool of choice—is being implemented with little oversight or privacy protections, leading to faulty systems that will disproportionately impact people of color and may implicate innocent people for crimes they didn’t commit, says an Electronic Frontier Foundation (EFF) report released today. Face recognition is rapidly creeping into modern life, and face recognition systems will one day be capable of capturing the faces of people, often without their knowledge, walking down the street, entering stores, standing in line at the airport, attending sporting events, driving their cars, and utilizing public spaces. Researchers at the Georgetown Law School estimated that one in every two American adults—117 million people—are already in law enforcement face recognition systems. This kind of surveillance will have a chilling effect on Americans’ willingness to exercise their rights to speak out and be politically engaged, the report says. Law enforcement has already used face recognition at political protests, and may soon use face recognition with body-worn cameras, to identify people in the dark, and to project what someone might look like from a police sketch or even a small sample of DNA…


(Related)
Chris Burt reports:
Many vendors of biometrics-based solutions have not anticipated legal and compliance challenges posed by their products, or expressly deny responsibility for those challenges, leading to increased legal action, according to the National Law Review. The article “Buyer Beware: Facial Recognition and the Current Legal Landscape” urges U.S. retailers to be prepared for consumer privacy laws to evolve as they consider implementing such technologies.
The article was authored by partners of law firm Morgan, Lewis & Bockius LLP, and compares the current context for biometrics with that of the earliest text messaging marketing programs.
Read more on Biometric Update.




Hack ahead, wait for the best time to strike.
Chris Bing reports:
Hackers armed with destructive malware appear to have compromised the main IT service provider for the Winter Olympic Games months before last week’s highly publicized cyberattack.
Publicly available evidence analyzed by experts and reviewed by CyberScoop suggests that whoever deployed the Olympic Destroyer malware on Feb. 9 likely previously penetrated a series of computer systems around December belonging to Atos, a multinational information technology service provider that is hosting the cloud infrastructure for the Pyeongchang games.
Read more on CyberScoop.




Tools for Ethical (and other) Hacking.
Joseph Cox reports:
Contractors, governments, and telecom giants have all previously left data on exposed Amazon Web Services (AWS) servers, meaning anyone can access them without a username or password. Now, a search engine makes combing through leaky AWS datasets that much easier. Think of it as a barebones Google, but for info that the owners may have mistakenly published to the world.
Read more on Motherboard.




I’ll follow this to see how it works. Could be useful for my Ethical Hackers.
Google Tests System to Help Locate 911 Callers
Google quietly ran a test of new technology to make it easier for 911 operators to locate cellphone callers, and 911 centers that participated said the results were promising.
The nation’s existing 911 system, which turns 50 this month, has struggled with the explosion of cellphones. The vast majority of 911 calls these days are made using a cellphone, but the location of the caller is hard to pinpoint. Federal regulators estimate shaving a minute off response times could save as many as 10,000 lives each year.




Perspective. This makes our “Top 10 targets we’d love to hack (or hack again)”
Apple, Inc. Just Hit a Ridiculously Impressive Milestone
… Market researcher Strategy Analytics has just released its estimates for the smartphone market in the fourth quarter, and the numbers show that Apple has just hit a ridiculously impressive milestone: The iPhone maker just took over half of all global smartphone revenue. Specifically, Apple grabbed 51% revenue share, with Samsung coming in at a distant No. 2.




The other day, my students were wondering how anyone could compete with Amazon or Walmart…
How This Entrepreneur Helps Passionate People Stand up for Their Beliefs With Socks




A timely addition to the toolkit?


Thursday, February 15, 2018

I think training is the right choice.
Security Awareness Training Top Priority for CISOs: Report
Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.
… The FS-ISAC's 2018 Cybersecurity Trends Report (PDF) notes a distinction in priorities based on the individual organization's reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.




Not sure what this buys the UK. Perhaps some diplomatic leverage?
U.K. Officially Blames Russia for NotPetya Attack
British Foreign Office Minister for Cyber Security Lord Tariq Ahmad said the June 2017 NotPetya attack was launched by the Russian military and it “showed a continued disregard for Ukrainian sovereignty.”
“The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it,” the official stated.
The U.K. was also the first to officially accuse North Korea of launching the WannaCry attack. The United States, Canada, Japan, Australia and New Zealand followed suit several weeks later.




Gosh Harvard, we’ve been saying that for years!
… we found that a good corporate privacy policy can shield firms from the financial harm posed by a data breach — by offering customers transparency and control over their personal information — while a flawed policy can exacerbate the problems caused by a breach. Together, this evidence is the first to show that a firm’s close rivals are directly, financially affected by its data breach and also to offer actionable solutions that could save some companies hundreds of millions of dollars.




Interesting article.
The Age of Unregulated Social Media Is Over
… Last week, U.K. Members of Parliament traveled to the United States to meet with experts on questions at the intersection of technology, media and democracy ahead of a day receiving testimony from technology executives in Washington DC. Dubbed the “Inquiry on Fake News,” the panel produced seven hours of pointed — sometimes heated — discussion on issues ranging from the role of companies like Facebook and Twitter in enabling propagandists, to questions about how recommendations systems can be gamed by bad actors, to the problems of algorithmic bias.
Despite little clarity from either the politicians or the executives on the specifics of what should be done, one thing was abundantly clear: as far as the House of Commons members are concerned, the age of unregulated social media is over.




Good idea or bad?
Twitter's Marjory Stoneman Douglas High School Live Stream Was Part Of A New Initiative
Twitter is starting to show live, local news broadcasts in a live streaming window next to its timeline during major breaking news events.
Twitter's initiative to air these videos is currently rolled out across the platform, a company spokesperson confirmed to BuzzFeed News. The company will rely on a set of partnerships with local news stations to select the footage.
On Wednesday, Twitter put the initiative into action in a big way, streaming hours of footage from Miami's WSVN 7 next to the timelines of US users as the news station covered the shooting at Broward County's Marjory Stoneman Douglas High School in Florida.




Fits with my Computer Security class discussion of eDiscovery. Was this data stored in the US?
Rafia Shaikh reports:
Following Bill Gates’ comments yesterday that encouraged tech companies to share consumer data when the government comes calling to avoid future regulation, it appears at least the company’s rival is doing exactly the same. In potentially one of the first such incidents, Sony has coughed up PS4 data to the Federal Bureau of Investigation (FBI) on a user who was suspected of planning to fly from Kansas to the Middle East to join a terrorist organization.
The FBI warrant (link) mentions nine related search warrants (from Facebook, Microsoft, Yahoo, and others) that will help the agency get information from the suspect’s social media accounts and electronic devices, including his PlayStation 4.
Read more on WCCFTech.
via FourthAmendment.com




Might be interesting if you are planning your argument... What are the hot buttons and how to push them?
U of M crowdsourcing project transcribes Supreme Court justices’ handwritten notes
University of Minnesota News: “…If you have ever wanted to be a fly on the wall during deliberations by U.S. Supreme Court justices or travel back in time to witness Supreme Court decisions, a new crowdsourcing project led by researchers at the University of Minnesota and Michigan State University allows you to do just that. The project, named SCOTUS Notes, is the newest citizen science project under the Zooniverse platform originated at the University of Minnesota. Zooniverse, the world’s largest and most popular people-powered online research platform, runs on support from volunteers that now number more than 1.5 million. These volunteers act as armchair scientists and archivists helping academic research teams with their projects from the comfort of their own homes. In this project, members of the public transcribe handwritten notes from U.S. Supreme Court justices. Unlike members of Congress, justices cast their votes in complete privacy during weekly conference meetings. Only justices are allowed in the Chief Justice’s conference room when they discuss, deliberate, and make initial decisions on cases that focus on some of the nation’s most pressing legal issues. The only record of what has been said, and by whom, is provided by the handwritten personal notes the justices themselves take during conference. These crucial documents detail the discussions and debates that took place in thousands of cases spanning multiple decades…”




Perspective. A look at that cloud thing we’re all moving to.
Top cloud providers 2018: How AWS, Microsoft, Google Cloud Platform, IBM Cloud, Oracle, Alibaba stack up
… a few things to note: This list of public cloud providers revolves around the service providers that offer software-, platform- and infrastructure-as-a-service offerings. There are many more cloud providers that specialize in some part of the enterprise software stack.
Increasingly, companies will combine the large public cloud providers along with a specialist.




Perspective. (And for those of us keeping score.)
Amazon dethrones Microsoft to become the world’s third most valuable company
Amazon stock climbed 2.6 percent Wednesday, giving the company a market value of $702.5 billion and topping Microsoft’s market cap for the first time. The online retailer now trails only Apple and Google’s parent, Alphabet, as the most valuable companies in the world.