Wednesday, December 13, 2017

I’m shocked, shocked I tell you! You can’t even trust potential lawyers!
Hard disk mysteriously stolen after DU compiled attendance of law students
Prawesh Lama reports:
A computer’s hard disk along with its CPU was stolen from Law Faculty in Delhi University on December 3 — the day officials started compiling the attendance of faculty members and that of over 7,000 law students.
The law faculty’s dean, Ved Kumari, in her complaint alleged that the stolen CPU contained records of attendance of both students and teachers.
Read more on Hindustan Times.
[From the article:
Out of over 7,000 students, the attendance of around 200 students were reportedly below the minimum required attendance mark. It is mandatory for every student to have at least 70% attendance to be eligible to sit for an examination. The law faculty has its semester exam this month.]

Something for my Ethical Hacking students to try? Okay, probably not.
https://www.schneier.com/blog/archives/2017/12/remote_hack_of_.html
Remote Hack of a Boeing 757
Last month, the DHS announced that it was able to remotely hack a Boeing 757:
"We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
"[Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft.

...because it’s so easy, that’s why!
https://www.bespacific.com/wired-how-email-open-tracking-quietly-took-over-the-web/
Wired – How Email Open Tracking Quietly Took Over the Web
Brian Merchant: “There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online…”
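The technique the excerpt describes (a remote 1×1 image, and hyperlinks or custom fonts carrying a per-recipient identifier, all fetched when the message is rendered) can be spotted mechanically before rendering. The following is an added example, not code from the Wired article or from OMC: a heuristic scanner over an email's HTML that flags the elements a mail client or gateway would want to strip or block; the sample newsletter, the `*.tracker.example` hosts and the 24-character token threshold are constructed assumptions.

```python
"""Heuristic detector for email open-tracking elements.

Added example, not from the Wired article or OMC. Flags remote images that
are 1x1 or CSS-hidden, links and web fonts whose URLs carry a long opaque
token, so the hosts can be blocked (or the elements stripped) before the
message is rendered and the "open" is reported. Sample data is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A run of 24+ URL-safe characters in the path or query is treated as a
# per-recipient identifier (assumption: tuned for readability, not recall).
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{24,}")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 ('1', '1px', '0')."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(style):
    """True if inline CSS hides the element or collapses it to 0/1 px."""
    s = (style or "").replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(width|height):[01]px", s) is not None)


def _has_token(url):
    parts = urlparse(url)
    return bool(TOKEN_RE.search(parts.path) or TOKEN_RE.search(parts.query))


class _EmailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def _add(self, kind, url, reasons):
        self.findings.append({"type": kind, "host": urlparse(url).netloc,
                              "reasons": reasons})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if not urlparse(src).netloc:
                return  # cid:/inline image: fetching it reports nothing
            reasons = []
            if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
                reasons.append("1x1 image")
            if _is_hidden(a.get("style")):
                reasons.append("hidden by CSS")
            if _has_token(src):
                reasons.append("per-recipient token in URL")
            if reasons:
                self._add("tracking-image", src, reasons)
        elif tag == "a":
            href = a.get("href") or ""
            if urlparse(href).netloc and _has_token(href):
                self._add("tracked-link", href, ["per-recipient token in URL"])
        elif tag == "link" and urlparse(a.get("href") or "").netloc:
            self._add("remote-font-or-css", a["href"], ["remote resource fetched on render"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # @font-face / background url() inside <style> blocks also beacon on render.
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                if urlparse(url).netloc:
                    self._add("remote-font-or-css", url, ["remote resource fetched on render"])


def scan_email_html(html):
    """Return findings ({type, host, reasons}) in document order."""
    p = _EmailScanner()
    p.feed(html)
    p.close()
    return p.findings


def tracker_hosts(findings):
    """Sorted, de-duplicated hosts a gateway could block or rewrite."""
    return sorted({f["host"] for f in findings})


# Constructed sample newsletter containing each technique the article names.
SAMPLE_EMAIL = """<html><head>
<style>@font-face{font-family:Trk;src:url(https://fonts.tracker.example/f.woff?u=Q1v9s2Xk7p0aLm3nR8tB4wYz6cD1eF)}</style>
</head><body>
<p>Hello Bob, here is your newsletter.</p>
<img src="https://cdn.newsletter.example/banner.png" width="600" height="120" alt="banner">
<img src="https://open.tracker.example/o.gif?rid=8f3a9c2e1b7d4f6a0e5c9b1d3a7f2e4c" width="1" height="1" alt="">
<img src="https://pix.tracker.example/p/4d7e1a9b2c3f5e6a8b0c1d2e3f4a5b6c7d8e9f0a" style="display:none">
<a href="https://click.tracker.example/c/9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d">Read more</a>
<a href="https://www.newsletter.example/about">About us</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        print(f"{f['type']:20} {f['host']:26} {', '.join(f['reasons'])}")
    print("block:", tracker_hosts(scan_email_html(SAMPLE_EMAIL)))
```

The visible 600×120 banner is left alone; only the elements with no purpose other than reporting the open are flagged.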

Could we do this here? Would nervous parents insist they need to keep in touch with their kids?
https://www.theguardian.com/world/2017/dec/11/france-to-ban-mobile-phones-in-schools-from-september
France to ban mobile phones in schools from September
The French government is to ban students from using mobile phones in the country’s primary, junior and middle schools.
Children will be allowed to bring their phones to school, but not allowed to get them out at any time until they leave, even during breaks.

Shouldn’t judges do it whenever they have a question?
https://www.bespacific.com/aba-issues-ethical-guidance-on-when-judges-should-use-the-internet-for-independent-factual-research/
ABA issues ethical guidance on when judges should use the internet for independent factual research
“The American Bar Association Standing Committee on Ethics and Professional Responsibility has issued Formal Opinion 478 that provides the nation’s judicial branch guidance related to the ethical boundaries of independent factual research on the internet. The guidance is consistent with the ABA Model Code of Judicial Conduct, but notes that judicial notice is governed by the law of evidence in each jurisdiction. The opinion draws a bright-line distinction between independent investigation of “adjudicative facts” and research of “legislative facts” of law and policy. Formal Opinion 478 also provides guidance on internet research by judges of the lawyers and the parties involved in the case. “Stated simply, a judge should not gather adjudicative facts from any source on the Internet unless the information is subject to proper judicial notice,” Formal Opinion 478 said. “Further … judges should not use the Internet for independent fact-gathering related to a pending or impending matter where the parties can easily be asked to research or provide the information. The same is true of the activities or characteristics of the litigants or other participants in the matter.” The opinion provides five hypothetical situations, and provides an analysis of each and how they might be handled by a judge. The ABA Standing Committee on Ethics and Professional Responsibility periodically issues ethics opinions to advise lawyers, courts and the public in interpreting and applying ABA model ethics rules to specific issues of legal practice, client-lawyer relationships and judicial behavior. Formal Opinion 478 and previous ABA ethics opinions are available on the ABA Center for Professional Responsibility website under “Latest Ethics Opinions.” Go to www.abalegalfactcheck.com for the ABA’s new feature that cites case and statutory law and other legal precedents to distinguish legal fact from fiction.”

Perspective. Try a search for your hot button.
https://trends.google.com/trends/yis/2017/GLOBAL/
Year in Search 2017

For the Movie club...
https://seekingalpha.com/article/4131425-costco-partners-moviepass
Costco Partners With MoviePass
… Costco and MoviePass announced that they have partnered (along with MoviePass streaming affiliate, Fandor) to offer a "Movie Lovers' Package" to the public.
… the Costco offer provides a one-year subscription to MoviePass and Fandor for a flat fee of $89.99. The deal is available exclusively to Costco members and only until December 18th.

Tuesday, December 12, 2017

Somehow, this does not give me that warm fuzzy feeling.
Hackers hit U.S., Russian banks in ATM robbery scam: report
A previously undetected group of Russian-language hackers silently stole nearly $10 million from at least 18 mostly U.S. and Russian banks in recent years by targeting interbank transfer systems, a Moscow-based security firm said on Monday.
Group-IB warned that the attacks, which began 18 months ago and allow money to be stolen from banks’ automated teller machines (ATMs), appear to be ongoing and that banks in Latin America could be targeted next.
… The firm said it was continuing to investigate a number of incidents where hackers studied how to make money transfers through the SWIFT banking system, while stopping short of saying whether any such attacks had been carried out successfully.
SWIFT said in October that hackers were still targeting its interbank messaging system, but security controls instituted after last year’s $81 million heist at Bangladesh’s central bank had thwarted many [but not all? Bob] of those attempts. (reut.rs/2z1b7Bo)
Group-IB has dubbed the hacker group “MoneyTaker” after the name of software it used to hijack payment orders to then cash out funds through a network of low-level “money mules” who were hired to pick up money from automated teller machines.
… The average amount of money stolen in each of 14 U.S. ATM heists was $500,000 per incident. Losses in Russia averaged $1.2 million per incident, but one bank there managed to catch the attack and return some of the stolen funds, Group-IB said.

Should there be a law to protect LinkedIn’s data? How could you write that to keep my researching students from violating it every day?
EFF to Court: LinkedIn is wrong about accessing publicly available information online
… The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.
EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target “hacking” into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not “hacking,” and neither is violating a website’s terms of use. LinkedIn would have the court believe that all “bots” are bad, but they’re actually a common and necessary part of the Internet. “Good bots” were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison.

So what do we do about it? Rather simplistic and opinionated.
How Russia Hacked America—And Why It Will Happen Again
During the 2016 presidential campaign, Russian hackers attacked the U.S. on two fronts: the psychological and the technical. Hackers used classic propaganda techniques to influence American voters, bought thousands of social media ads to propagate fake news, and broke into Democratic party email servers to steal information.

They talk to the people who should know.
Deloitte’s tech predictions for 2018: More AI, digital subscriptions, AR, and live events
Accounting and tech consultant Deloitte released its predictions for the technology industry in 2018, covering topics from the growth of augmented reality to the triumph of live programming on the Internet.
The predictions are part of the company’s 17th annual Technology, Media, & Telecommunications report. Some of the predictions are for tech growth in 2018, while other predictions refer to growth in future years.

I wonder if detailed analysis of signatures in those little screens or the signatures by finger suggests that nothing matches?
American Express and MasterCard are quietly killing one of the most annoying things about buying things in stores
In 2018, major credit card companies including MasterCard, Discover, and American Express will no longer require customers to sign their receipts.
… With the rise of online shopping and new tech like EMV chips in credit cards, signatures have become less necessary as a safety measure, American Express said in a press release.

For my Statistics class: There is such a thing as “Wisdom of the Crowd.” What else could we do with it?
Crowdsourcing Accurately and Robustly Predicts Supreme Court Decisions
ABSTRACT: “Scholars have increasingly investigated “crowdsourcing” as an alternative to expert-based judgment or purely data-driven approaches to predicting the future. Under certain conditions, scholars have found that crowd-sourcing can outperform these other approaches. However, despite interest in the topic and a series of successful use cases, relatively few studies have applied empirical model thinking to evaluate the accuracy and robustness of crowdsourcing in real-world contexts. In this paper, we offer three novel contributions. First, we explore a dataset of over 600,000 predictions from over 7,000 participants in a multi-year tournament to predict the decisions of the Supreme Court of the United States. Second, we develop a comprehensive crowd construction framework that allows for the formal description and application of crowdsourcing to real-world data. Third, we apply this framework to our data to construct more than 275,000 crowd models. We find that in out-of-sample historical simulations, crowdsourcing robustly outperforms the commonly-accepted null model, yielding the highest-known performance for this context at 80.8% case level accuracy. To our knowledge, this dataset and analysis represent one of the largest explorations of recurring human prediction to date, and our results provide additional empirical support for the use of crowdsourcing as a prediction method.” (via SSRN)

Something for my geeks?
Microsoft Launches Free Preview Version Of Its Quantum Development Kit
Back in September, we talked about the groundwork Microsoft was laying for quantum computing with a new programming language in development. Not even three months later, Microsoft is ready to toss a free preview version of that new language to the public and it's called the Quantum Development Kit. That dev kit includes the Q# programming language, a quantum computing simulator, and other resources for people who want to write apps for quantum computers.

Monday, December 11, 2017

My students are not likely at risk, but others are?
LinkedIn Is China's Newest Espionage Tool, German Spies Warn
… In an unusual move, the Bundesamt für Verfassungsschutz (BfV) on Sunday released details of some of the fake social networking profiles that it said had made contact with at least 10,000 Germans, in order to recruit possible information sources.
… “The modus operandi is almost always the same,” the agency said in a report. “Supposed scientists, employment agents and headhunters contact people with a significant personal profile. They are lured in with enticing offers and eventually invited to China, where the intelligence-gathering commences.”

For my students who read. A really huge resource!
University of Pennsylvania: Online Books Page
University of Pennsylvania: Online Books Page – “The Online Books Page is a website that facilitates access to books that are freely readable over the Internet. It also aims to encourage the development of such online books, for the benefit and edification of all. Major parts of the site include:


Sunday, December 10, 2017

Helping to define the digital health ecology.
Covington & Burling Inside Privacy writes:
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.
  • In the first part of the series, the Digital Health team answers key regulatory questions about digital health solutions.
  • In the second part of the series, the Digital Health team considers key commercial questions when contracting for digital health solutions.
  • In the third part of the series, the Digital Health team answers key regulatory and commercial questions about the Artificial Intelligence (AI), data privacy, and cybersecurity aspects of digital health solutions.

“Stupid is as stupid does.” F. Gump
From the this-doesn’t-seem-quite-right-to-me dept.:
Defendant told someone, in a jail call that he knew was being recorded, his Facebook ID and password so it could be changed. That was a waiver of his reasonable expectation of privacy in the information on his Facebook account that AFOSI could access. Defendant was awaiting court martial in a county jail. United States v. Langhorne, 2017 CCA LEXIS 746 (A.F. Ct. Crim. App. Dec. 5, 2017): http://afcca.law.af.mil/content/afcca_opinions/cp/langhorne_-_39047.pub.pdf
Read more on FourthAmendment.com.
Doesn’t the defendant’s action in trying to change his password for FB show that he was concerned about protecting his privacy? If they had said to the defendant, “You realize you’re waiving any expectation of privacy because this call is being recorded, right?” what would the defendant have said? And more importantly, perhaps, what would he have then done? Would he have proceeded or shut up?

Interesting application and (in my wife’s hands) extremely expensive. Not to mention the Privacy implications of giving away a 3D rendering of my home.
3D interior design company Modsy raises $23 million
Modsy, a company that allows people to create 3D renderings of their home in order to visualize what it would look like with various kinds of furniture, has raised $23 million in a series B round of funding from Advance Venture Partners (AVP), Comcast Ventures, NBCUniversal Cable Entertainment, and Norwest Venture Partners.
Founded out of San Francisco in 2015, Modsy asks you to take several photos of the specific space you are looking to renovate. Upload these photos, answer a few style-focused questions, and Modsy does the rest. You’ll be presented with 360-degree room renderings featuring furniture from more than 100 retailers — and you can buy products directly through these designs.
… Modsy offers two core pricing tiers. The basic Modsy package costs $69 and features all of the above, including two custom designs. Modsy & Style Advisor offers a few extra perks, including one-on-one access to a human style adviser over video chat or telephone.

A simple question: Has Wally learned this from Donald Trump?


Saturday, December 09, 2017

For my Computer Security students.
NIST Publishes Second Draft of Cybersecurity Framework
Introduced in 2014, the framework is designed to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks. Some security firms and experts advise businesses to use the NIST Cybersecurity Framework as a best practice guide. Others, however, believe such static guidelines cannot keep up with the constantly evolving threat landscape, and malicious actors may even use it to devise their attack strategy.
According to NIST, the second draft for version 1.1 of the Cybersecurity Framework “focuses on clarifying, refining, and enhancing the Framework – amplifying its value and making it easier to use.”
The second draft also comes with an updated roadmap that details plans for advancing the framework’s development process.

A nice survey of the field.
How to Encrypt All of the Things
Cryptography was once the realm of academics, intelligence services, and a few cypherpunk hobbyists who sought to break the monopoly on that science of secrecy. Today, the cypherpunks have won: Encryption is everywhere. It’s easier to use than ever before. And no amount of handwringing over its surveillance-flouting powers from an FBI director or attorney general has been able to change that.
Thanks in part to drop-dead simple, increasingly widespread encryption apps like Signal, anyone with a vested interest in keeping their communications away from prying eyes has no shortage of options.

Better locks, not attack tools.
Fighting Back Against the Cyber Mafia
Four distinct groups of cybercriminals have emerged, serving as the new syndicates of cybercrime: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. This is the central thesis of a new report titled 'The New Mafia: Gangs and Vigilantes'. In this report, the gangs are the criminals and the vigilantes are consumers and businesses -- and the vigilantes are urged to 'fight back'.
The report (PDF) is compiled by endpoint protection firm Malwarebytes. It is designed to explain the evolution of cybercrime from its earliest, almost innocuous, beginnings to the currently dangerous 'endemic global phenomenon'; and to suggest to consumers and businesses they don't need to simply accept the current state. They can fight back.
Fighting back, however, is not hacking back -- or in the more politically acceptable euphemism, active defense.

We should be so lucky!
Howard Solomon reports:
Canadians don’t give up their right to privacy after sending a text message to another person, the country’s top court has ruled. It’s a decision that one privacy lawyer said still means if you want to ensure privacy, encrypt your text messages.
The case involved an Ottawa area man who had his conviction for firearms offences dismissed after the Supreme Court of Canada ruled today that evidence of text messages he sent and found on an alleged accomplice were wrongly admitted as evidence at his trial. Essentially, the court ruled that without a search warrant the accused’s right to privacy under the Charter of Rights had been violated.
Police in fact had a warrant to search the house of a man the court calls M and the alleged accomplice and seized their cellphones. However, the trial judge ruled that warrant was invalid for technical reasons and the text messages on M’s phone couldn’t be entered as evidence.
Read more on IT World. This is actually quite huge and a slap on the side of the head to the U.S., where third party doctrine would suggest that there is no expectation of privacy. As Solomon reports, in Marakah, the court held:
“An individual does not lose control over information for the purposes of s. 8 of the Charter [the right to privacy] simply because another individual possesses it or can access it,” the court ruled. “Nor does the risk that a recipient could disclose an electronic conversation negate a reasonable expectation of privacy in an electronic conversation. Therefore, even where an individual does not have exclusive control over his or her personal information, only shared control, he or she may yet reasonably expect that information to remain safe from state scrutiny.”

Good arguments make good laws.
Why Microsoft Challenged the Right Law: A Response to Orin Kerr
This coming spring, the Supreme Court will hear arguments in the United States v. Microsoft – a case that will determine the authority of U.S. law enforcement to compel, via a warrant, US-based companies to turn over data held outside the United States. Over at Lawfare, Orin Kerr posits that Microsoft and the government—as well as the numerous lower court judges that have weighed in—have missed the core issue in the case. According to Kerr, the key is the All Writs Act; the parties and lower court judges have, in contrast, all focused on the Stored Communications Act. According to Kerr, only the All Writs Act gives the Supreme Court the necessary latitude to craft the kind of nuanced response that is needed.
This is a more detailed reprise of a claim that Kerr made some two years ago. I disagreed then (see our back and forth here). And I disagree now.

Zig in public, Zag in private? All things are possible?
Trump says fines against Wells Fargo could be increased
… “Fines and penalties against Wells Fargo Bank for their bad acts against their customers and others will not be dropped, as has incorrectly been reported, but will be pursued and, if anything, substantially increased. I will cut Regs but make penalties severe when caught cheating!” Trump wrote.
… The financial industry is hoping regulatory agencies will adopt a less aggressive approach to fines under the Trump administration.
Those hopes were raised when Mulvaney, Trump’s pick to lead the CFPB on a temporary basis, told reporters this week that he was reviewing more than 100 enforcement actions currently in the works, including litigation, cases that are being settled and investigations. Mulvaney said he would delay at least two enforcement actions, without naming them.
“The notion that this administration is or will be tough on Wall Street doesn’t pass the laugh test, and that fact is evident in deeds, not tweets,” said Lisa Donner, the executive director of Americans for Financial Reform, a coalition of groups advocating for tougher oversight of the financial system.

Why the University has really great anti-virus security?


Friday, December 08, 2017

I might like this kind of law, assuming a company can “create, maintain, and comply with a written cybersecurity program.” Who gets to say they are in compliance?
William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:
Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.
Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.
Compliance Standards To Be Met
Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).
Read more on Tucker Ellis.

This is the kind of article I advise my Computer Security students to share with their employers.
Phishers Are Upping Their Game. So Should You.
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.
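The practical lesson of the HTTPS statistic above is that the padlock proves only that the connection is encrypted to whatever host the link names, not that the host is the brand the page imitates. The following is an added illustration, not code from Krebs or Phishlabs: a small link-triage routine that decides on the host alone and reports TLS separately. The allowlist, brand token and sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the login hosts a user actually intends to reach
# (placeholder names, not real sites).
LEGIT_LOGIN_HOSTS = {"login.examplebank.test", "mail.example.test"}
# Brand labels whose appearance inside any other host is a lookalike signal.
BRAND_TOKENS = {"examplebank"}


def assess_url(url):
    """Classify a link by the host the browser will connect to.

    The verdict never depends on https://, because a phisher can obtain a
    certificate for a domain they control just as easily as anyone else.
    TLS status is still reported so the caller can see it is orthogonal.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # userinfo and port already stripped
    uses_tls = parts.scheme.lower() == "https"

    if parts.username is not None:
        # https://login.examplebank.test@evil.test puts the brand in the
        # userinfo field; the browser actually connects to evil.test.
        verdict = "suspicious-userinfo"
    elif host in LEGIT_LOGIN_HOSTS:
        verdict = "ok"
    elif any(token in host for token in BRAND_TOKENS):
        # Brand name embedded in an unrelated domain, e.g.
        # login.examplebank.test.evil.test or examplebank-secure.test
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "uses_tls": uses_tls, "verdict": verdict}


def triage(urls):
    """Return (url, verdict) for every link that is not on the allowlist."""
    results = [(u, assess_url(u)["verdict"]) for u in urls]
    return [(u, v) for u, v in results if v != "ok"]


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed examples, all on reserved .test domains
        "https://login.examplebank.test/account",
        "http://login.examplebank.test/account",
        "https://login.examplebank.test.evil.test/login",
        "https://login.examplebank.test@evil.test/login",
        "https://examplebank-secure.test/verify",
        "https://unrelated.test/",
    ]
    for link, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:22} {link}")
```

Note that the second sample link is plain http:// yet still passes, and the third and fourth use https:// yet fail: the host, not the scheme, is what the user should be trained to read.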


(Related).
Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.
The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.
I’d love to see what that phishing email looked like if 300 people fell for it.
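Whatever the email looked like, the damage was done by 23 payroll changes, and that is the part a payroll or HR team can watch for. Here is an added example of the kind of check I would want on a direct-deposit change log; it is not Boise Cascade's code and the log rows, thresholds, routing and account numbers are all constructed. It flags a burst of changes in a short window and several employees switching to the same destination account, which is exactly the pattern a payroll-redirection scheme produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log of "direct deposit changed" events:
# (timestamp, employee_id, new_routing_number, new_account_number).
# All values are made up.
SAMPLE_CHANGES = [
    ("2017-10-30T09:12:00", "E1001", "111111111", "5550001"),  # isolated, normal
    ("2017-10-31T10:05:00", "E1042", "222222222", "9990042"),
    ("2017-10-31T10:07:00", "E1107", "222222222", "9990042"),  # same destination
    ("2017-10-31T10:09:00", "E1311", "222222222", "9990042"),  # same destination
    ("2017-10-31T10:20:00", "E1450", "333333333", "7770123"),
    ("2017-10-31T10:31:00", "E1502", "333333333", "7770124"),
    ("2017-11-06T14:00:00", "E1600", "111111111", "5550777"),  # isolated, normal
]

WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 3     # assumed baseline: more than 3 changes per hour is abnormal
SHARED_THRESHOLD = 2    # two or more employees paid into one account is abnormal


def parse(rows):
    return [(datetime.fromisoformat(ts), emp, rt, acct) for ts, emp, rt, acct in rows]


def burst_alerts(changes):
    """Report every run of changes that exceeds BURST_THRESHOLD within WINDOW.

    Windows are non-overlapping: once a burst is reported, scanning resumes
    after its last member so one incident yields one alert.
    """
    changes = sorted(changes)
    alerts, i = [], 0
    while i < len(changes):
        t0 = changes[i][0]
        window = [c for c in changes[i:] if c[0] - t0 <= WINDOW]
        if len(window) > BURST_THRESHOLD:
            alerts.append({"start": t0, "employees": [c[1] for c in window]})
            i += len(window)
        else:
            i += 1
    return alerts


def shared_destination_alerts(changes):
    """Map each (routing, account) used by SHARED_THRESHOLD+ employees to those employees."""
    by_dest = defaultdict(set)
    for _, emp, rt, acct in changes:
        by_dest[(rt, acct)].add(emp)
    return {dest: sorted(emps) for dest, emps in by_dest.items()
            if len(emps) >= SHARED_THRESHOLD}


def review_changes(rows):
    """Run both checks and list every employee whose change should be re-verified out of band."""
    changes = parse(rows)
    bursts = burst_alerts(changes)
    shared = shared_destination_alerts(changes)
    flagged = set()
    for b in bursts:
        flagged.update(b["employees"])
    for emps in shared.values():
        flagged.update(emps)
    return {"bursts": bursts, "shared": shared, "needs_verification": sorted(flagged)}


if __name__ == "__main__":
    report = review_changes(SAMPLE_CHANGES)
    for b in report["bursts"]:
        print(f"burst starting {b['start']}: {b['employees']}")
    for dest, emps in report["shared"].items():
        print(f"shared destination {dest}: {emps}")
    print("verify by phone/in person:", report["needs_verification"])
```

The useful control is the last line: every flagged change is confirmed with the employee through a channel other than email before the next payroll run, so a successful phish still does not move money.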




One of the better Security Week articles.
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.
And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.
There is also a multiplier effect as the number of major breaches of consumer data rises.
In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts.




“Once we figured out how to get paid all other thoughts stopped!”
Thomas Fox-Brewster reports:
Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who’ve stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed.
The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users’ public pictures are viewable by anyone who’s signed up, private photos are secured by a “key.” But Ashley Madison automatically shares a user’s key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it’s still possible to get them without authorization.
Read more on Forbes. And no, that wasn’t Forbes’ headline for the story.
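The flaw Forbes describes is an authorization rule, not a crypto weakness: a key is released on the basis of the other party's action rather than the owner's consent. As an added example (not Ashley Madison's code; the class, user names and key format are invented), here is that rule modelled next to the corrected one, so the difference can be tested directly.

```python
import secrets


class PrivatePhotoService:
    """Minimal model of private photos gated by a per-user key.

    auto_reciprocate=True reproduces the behaviour reported in the article:
    when one user shares their key with another, the service hands the
    second user's key back automatically.
    auto_reciprocate=False is the hardened form: a key moves only when its
    owner explicitly grants it.
    """

    def __init__(self, auto_reciprocate):
        self.auto_reciprocate = auto_reciprocate
        self.keys = {}        # user -> that user's private-photo key
        self.granted = set()  # (owner, viewer) pairs the owner approved

    def register(self, user):
        self.keys[user] = secrets.token_hex(8)   # placeholder key material

    def share_key(self, owner, viewer):
        """The owner chooses to let the viewer see the owner's private photos."""
        self.granted.add((owner, viewer))
        if self.auto_reciprocate:
            # Flawed: the viewer never consented, yet their key flows back.
            self.granted.add((viewer, owner))

    def revoke(self, owner, viewer):
        self.granted.discard((owner, viewer))

    def can_view_private(self, viewer, owner):
        return (owner, viewer) in self.granted

    def key_for(self, viewer, owner):
        """Release the owner's key only if the owner granted access."""
        if not self.can_view_private(viewer, owner):
            raise PermissionError(f"{viewer} has no grant from {owner}")
        return self.keys[owner]


def unsolicited_share_exposes_victim(auto_reciprocate):
    """True if sharing first is enough to obtain a non-responding user's key."""
    svc = PrivatePhotoService(auto_reciprocate)
    for u in ("alice", "mallory"):
        svc.register(u)
    svc.share_key("mallory", "alice")   # mallory shares first; alice does nothing
    return svc.can_view_private("mallory", "alice")


def explicit_grant_still_works():
    """The hardened rule still lets two consenting users exchange keys."""
    svc = PrivatePhotoService(auto_reciprocate=False)
    for u in ("alice", "bob"):
        svc.register(u)
    svc.share_key("alice", "bob")
    svc.share_key("bob", "alice")
    return svc.can_view_private("bob", "alice") and svc.can_view_private("alice", "bob")


if __name__ == "__main__":
    print("flawed rule leaks key:", unsolicited_share_exposes_victim(True))
    print("fixed rule leaks key:", unsolicited_share_exposes_victim(False))
    print("mutual consent still works:", explicit_grant_still_works())
```

The fix is one line removed, but the test that matters is the negative one: a user who never acted must end up with nothing exposed.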


Thursday, December 07, 2017

Jobs my students should look at?
Corporate IoT Implementation Struggling, Survey Finds
Remaining competitive is the primary motivation for implementing a corporate 'internet of things' (IoT) strategy; but 90% of those doing so admit the implementation is struggling. Security is the primary concern, holding back 59% of organizations with a current IoT project.
Security is followed by the cost of implementation (46%); competing priorities (37%); an intimidatingly complex IT infrastructure (35%); and funding (32%). The figures come from a survey (PDF) published this week by Vanson Bourne, commissioned by the Wi-SUN Alliance, which questioned 350 IT decision makers from firms in the U.S., UK, Sweden and Denmark that are already investing in at least one IoT project.




Banned technology is not like banned books, is it?
Most U.S. airlines set to limit use of 'smart bags'
"Smart bags, also known as smart luggage, have become more popular over the last few months, and they are expected to be a popular gift this holiday season," said American Airlines. "However, smart bags contain lithium battery power banks, which pose a risk when they are placed in the cargo hold of an aircraft."
The bags generally have USB ports where customers can recharge their phones and other devices. They might also have GPS to track the bag's location in case it gets lost, electronic locks and a weight scale to prevent overpacking. Some even have a motor to propel the bags so that they can double as a scooter or just follow their owner around the airport.
Airlines are worried that the batteries could cause a fire in the cargo hold that would go undetected. [Nonsense. The fire would be detected immediately, but suppression is not always possible. Bob]




Perhaps those VW executives should not plan on a vacation in the US?
VW exec gets maximum sentence, fine for Dieselgate role
… Oliver Schmidt, 48, was sentenced to 7 years in prison and fined $400,000 in federal court here for his role in the automaker’s diesel emissions cheating scandal. The German national had pleaded guilty in August to two charges in Volkswagen’s scheme to rig nearly 600,000 diesel cars to evade U.S. pollution standards.
“This crime ... attacks and destroys the very foundation of our economic system: That is trust,” U.S. District Judge Sean Cox said Wednesday in sentencing Schmidt. “Senior management at Volkswagen has not been held accountable.”




I wonder if anyone can keep all this law, regulation, conflicting legal precedent, and political nonsense organized enough to predict an outcome. I gave up long ago. Was Pai betting on this, ignorant of it, or aware but indifferent?
The FCC’s net neutrality plan may have even bigger ramifications in light of this obscure court case
The plan by the Federal Communications Commission to eliminate its net neutrality rules next week is expected to hand a major victory to Internet service providers. But any day now, a federal court is expected to weigh in on a case that could dramatically expand the scope of that deregulation — potentially giving the industry an even bigger win and leaving the government less prepared to handle net neutrality complaints in the future, consumer groups say.
The case involves AT&T and one of the nation's top consumer protection agencies, the Federal Trade Commission. At stake is the FTC's ability to prosecute companies that act in unfair or deceptive ways.
The litigation is significant as the FCC prepares to transfer more responsibility to the FTC for handling net neutrality complaints.
… The FTC has the power to sue misbehaving companies that mislead or lie to the public. But that power comes with an exception: It doesn't extend to a special class of businesses that are known as “common carriers.”
… Thus far, the common carrier exemption has applied to a specific slice of the economy. But the case before the U.S. Court of Appeals for the 9th Circuit, FTC v. AT&T Mobility, could vastly expand the number of companies that qualify for the exemption. In an earlier decision in the lawsuit, a federal judge effectively said that any company that runs a telecom subsidiary is considered a common carrier.
… A company that provides Internet access, such as AT&T, could seek an exemption from FTC net neutrality enforcement by pointing to its voice business and claiming common carrier status under the ruling. At the same time, the ruling could limit AT&T's net neutrality liability under the FCC, because the repeal of the net neutrality rules would mean the FCC would no longer recognize AT&T's broadband business as one that can be regulated like a telecommunications carrier.
In that scenario, neither the FCC nor the FTC would offer consumers robust protections from potential net neutrality abuses, consumer groups say.




One problem with statements like this is that some people will believe them. If public statements reflected the actual policy of North Korea, we would have no choice but to attack.
North Korea Says Nuclear War on the Peninsula Is Inevitable and an 'Established Fact'




A cautionary tale, worth reading.
How Rodrigo Duterte Turned Facebook Into a Weapon—With a Little Help From Facebook