Tuesday, October 17, 2017

It’s depressing to see that they have not yet closed the holes that allowed the attack on the Bank of Bangladesh.
North Korean hacker group linked to Taiwan bank cyberheist
Lazarus, a hacking group linked to North Korea, may have been behind this month’s theft of $60 million from Taiwan’s Far Eastern International Bank, according to BAE Systems PLC researchers.
The cyberattack, in which malware was used to steal the money through the international Swift banking network, bore “some of the hallmarks” of Lazarus, according to a BAE blog post on Monday.
Lazarus and its offshoots have been blamed for attacks ranging from last year’s heist of Bangladesh’s central bank to assaults on cryptocurrency exchanges and South Korean ATMs. North Korea is becoming increasingly starved of hard currency as the United Nations imposes sanctions amid a standoff with the U.S. over Kim Jong Un’s nuclear weapons program.




Here’s a good indicator of how seriously people are taking that WiFi vulnerability.
Here's every patch for KRACK Wi-Fi vulnerability available right now
… According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild; there are currently no reports of this bug being harnessed by cyberattackers.
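The decryption the excerpt mentions follows from one fact about KRACK that the excerpt leaves out: replaying message 3 of the WPA2 four-way handshake makes the client reinstall the same session key and reset its packet number, so two different frames end up encrypted under the same counter-mode keystream. The example below is added here and is not code from the KRACK paper, Mathy Vanhoef or the article; it uses HMAC-SHA256 in counter mode as a stand-in for CCMP's AES-CTR so it runs with the standard library only, and the key, nonce and frames are constructed. The algebra that makes nonce reuse fatal is the same for any counter-mode cipher.

```python
"""Why a forced nonce reuse breaks counter-mode confidentiality (KRACK's effect on WPA2-CCMP).

Added example. Every frame is plaintext XOR keystream(key, nonce); when the nonce
repeats, c1 XOR c2 == p1 XOR p2 and one known plaintext reveals the other.
"""
import hashlib
import hmac
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter), block by block.
    Stand-in for AES-CTR; the security argument does not depend on the block function."""
    out = bytearray()
    for ctr in count():
        if len(out) >= length:
            break
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_from_nonce_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Attacker side: two ciphertexts under the same (key, nonce) plus the plaintext of
    the first give the plaintext of the second over the overlapping length:
    p2 = c1 XOR c2 XOR p1."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo() -> dict:
    key = hashlib.sha256(b"constructed PTK for the example").digest()  # constructed, not a real PTK
    frame1 = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"      # constructed, predictable request
    frame2 = b"Cookie: session=constructed-secret-value-0001"           # constructed secret
    nonce0 = b"\x00" * 6  # packet number right after a key (re)installation

    c1 = encrypt_frame(key, nonce0, frame1)
    # A correct client increments the packet number for the next frame...
    c2_fresh = encrypt_frame(key, (1).to_bytes(6, "big"), frame2)
    # ...but after a KRACK key reinstallation it is reset, so nonce0 is reused.
    c2_reused = encrypt_frame(key, nonce0, frame2)

    # The attacker guesses frame1 (HTTP requests are predictable) and observes both ciphertexts.
    recovered_reused = recover_from_nonce_reuse(c1, frame1, c2_reused)
    recovered_fresh = recover_from_nonce_reuse(c1, frame1, c2_fresh)
    return {
        "reused_nonce_recovers_plaintext": recovered_reused == frame2[: len(recovered_reused)],
        "fresh_nonce_recovers_plaintext": recovered_fresh == frame2[: len(recovered_fresh)],
        "recovered": recovered_reused,
    }


if __name__ == "__main__":
    print(demo())
```

Patching the client fixes the reinstallation; the practitioner's takeaway is that the cipher itself was never broken, only the guarantee that a nonce is used once, which is why TLS or another layer above the Wi-Fi link still protects the payload on an unpatched network.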




Hackers might find a list of unpatched vulnerabilities rather valuable.
Microsoft responded quietly after detecting secret database hack in 2013
Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.
… The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.
… “Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.




Refreshing. Starting to design Privacy into their phones?
Apple responds to Senator Franken’s Face ID privacy concerns
Apple has now responded to a letter from Senator Franken last month in which he asked the company to provide more information about the incoming Face ID authentication technology which is baked into its top-of-the-range iPhone X, due to go on sale early next month.
… In its response letter, Apple first points the Senator to existing public info — noting it has published a Face ID security white paper and a Knowledge Base article to “explain how we protect our customers’ privacy and keep their data secure”. It adds that this “detailed information” provides answers to “all of the questions you raise”.
It also goes on to summarize how Face ID facial biometrics are stored, writing: “Face ID data, including mathematical representations of your face, is encrypted and only available to the Secure Enclave. This data never leaves the device. It is not sent to Apple, nor is it included in device backups. Face images captured during normal unlock operations aren’t saved, but are instead immediately discarded once the mathematical representation is calculated for comparison to the enrolled Face ID data.”
… Notably Apple hasn’t engaged with Senator Franken’s question about responding to law enforcement requests — although given enrolled Face ID data is stored locally on a user’s device in the Secure Element as a mathematical model, the technical architecture of Face ID has been structured to ensure Apple never takes possession of the data — and couldn’t therefore hand over something it does not hold.
The fact Apple’s letter does not literally spell that out is likely down to the issue of law enforcement and data access being rather politically charged.




How about the Fourth? If I had to keep a finger on the phone for it to operate, would that change the court’s thinking? Somewhere along the line, we need to get lawyers involved in the design process.
FourthAmendment.com makes us aware of this opinion:
An order compelling persons to provide fingerprints to unlock Apple devices doesn’t violate the self-incrimination clause of the Fifth Amendment. In re Search Warrant Application for [Name Redacted by the Court], 2017 U.S. Dist. LEXIS 169384 (N.D. Ill. Sept. 18, 2017):
The United States seeks review of the magistrate judge’s denial of one aspect of the government’s search-warrant application in this investigation: authorization to require the four residents of a home to apply their fingers and thumbs (as chosen by government agents) to the fingerprint sensor on any Apple-made devices found at the home during the search. Ordinarily, review of the magistrate judge’s decision on a warrant application would be ex parte. But because the magistrate judge’s thoughtful opinion addressed a novel question on the scope of the Fifth Amendment’s privilege against self-incrimination, the Court invited the Federal Defender Program in this District to file an amicus brief to defend the decision (the government did not object to the amicus participation). The Court is grateful for the Federal Defender Program’s excellent service in fulfilling this request. After reviewing the competing filings and the governing case law, the Court holds that requiring the application of the fingerprints to the sensor does not run afoul of the self-incrimination privilege because that act does not qualify as a testimonial communication.




It’s important, so try to get around to it before the next Ice Age.
DHS Orders Federal Agencies to Use DMARC, HTTPS
The U.S. Department of Homeland Security (DHS) has issued a binding operational directive requiring all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.
Within the next 30 days, agencies will have to develop a plan of action for implementing the requirements of Binding Operational Directive (BOD) 18-01.
Agencies have been given 90 days to configure all Internet-facing email servers to use STARTTLS, a protocol command that allows clients to indicate that they want unprotected connections upgraded to a secure connection using SSL or TLS.
The DHS also wants them to gradually roll out DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing.
The decision to order the use of these security technologies comes just months after Senator Ron Wyden urged the DHS to get federal agencies to deploy DMARC for .gov domains.
A study conducted recently by email security firm Agari showed that many Fortune 500, FTSE 100 and ASX 100 companies still haven’t properly implemented DMARC.
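What “properly implemented” means for DMARC is concrete: a published record with an enforcing policy, and a receiver that checks identifier alignment, not just whether SPF or DKIM passed somewhere. The evaluator below is an added example, not code from DHS, BOD 18-01 or Agari. It parses a DMARC TXT record, applies RFC 7489 relaxed/strict alignment to a message's SPF and DKIM results, returns the disposition a receiver would apply, and classifies a record as monitor-only or enforcing. The domains and records are constructed; organizational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List), and pct= sampling is reported rather than applied.

```python
"""DMARC record parsing and policy evaluation (added example, RFC 7489 logic).

A message passes DMARC if at least one of SPF or DKIM both passed AND is aligned
with the RFC5322.From domain. Otherwise the published policy (p=, or sp= for
subdomains) is the disposition. Spoofers can pass SPF/DKIM for their own domain;
alignment is what stops that from protecting a forged From header.
"""
from dataclasses import dataclass

# Constructed records for the example (agency.example is not a real domain).
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example"
NONE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"


def organizational_domain(domain: str) -> str:
    """Simplified: assumes a single-label public suffix (mail.agency.example -> agency.example)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tags with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record missing required p= tag")
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    tags.setdefault("pct", "100")   # percentage of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact domain match. Relaxed: same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC5322.From header (what the user sees)
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM / HELO)
    spf_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if none
    dkim_pass: bool


def evaluate_dmarc(record: str, record_domain: str, r: AuthResults):
    """Return (dmarc_result, disposition): ('pass', 'none') or ('fail', policy)."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.header_from, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and bool(r.dkim_domain) and aligned(r.header_from, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = r.header_from.lower() != record_domain.lower()
    return "fail", tags["sp"] if is_subdomain else tags["p"]


def deployment_status(record):
    """Classify a domain's DMARC posture the way a deployment survey would."""
    if record is None:
        return "not published"
    tags = parse_dmarc(record)
    if tags["p"] == "none":
        return "monitor only (p=none)"
    if int(tags["pct"]) < 100:
        return f"partial enforcement ({tags['p']}, pct={tags['pct']})"
    return f"enforcing ({tags['p']})"


if __name__ == "__main__":
    legit = AuthResults("agency.example", "bounce.agency.example", True, "", False)
    spoof = AuthResults("agency.example", "attacker.example", True, "attacker.example", True)
    print("legit  :", evaluate_dmarc(REJECT_RECORD, "agency.example", legit))
    print("spoof  :", evaluate_dmarc(REJECT_RECORD, "agency.example", spoof))
    print("status :", deployment_status(NONE_RECORD))
```

The third case in the usage block is the one the Agari study is about: with p=none the forged message still fails DMARC, but the disposition is "none", so the receiver delivers it and only sends a report. Moving from p=none to p=quarantine or p=reject is the step most organizations stall on, and it is the step the directive requires.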




My Computer Security students might find this interesting.
New Pluralsight Course: Emerging Threats in IoT
Play by Play: Emerging Threats in IoT is now live on Pluralsight!




So, nothing Russia or North Korea can do (cyber wise) would be considered an act of war?
Cybersecurity, Encryption and United States National Security Matters
by Sabrina I. Pacifici on Oct 16, 2017
Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), via FAS.
Steven Aftergood, Secrecy News: “What constitutes an act of war in the cyber domain? It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer. But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.” “Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.'” Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse. Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”




Have I been missing something here? Why would a security clearance be required to say “This account is Russian?” Is the threat of government investigators looking at Facebook’s code that likely?
Facebook Is Looking for Employees With National Security Clearances
Facebook Inc. is looking to hire people who have national security clearances, a move the company thinks is necessary to prevent foreign powers from manipulating future elections through its social network, according to a person familiar with the matter.
Workers with such clearance can access information classified by the U.S. government. Facebook plans to use these people -- and their ability to receive government information about potential threats – to search more proactively for questionable social media campaigns ahead of elections, according to the person, who asked not to be identified because the information is sensitive. A Facebook spokesman declined to comment.
… Without employees who can handle classified material, Facebook would need to give government investigators access to its system to investigate threats, according to Scott Amey, general counsel of the Project on Government Oversight, a Washington-based group that studies national security issues. So the move to hire people with clearances may be aimed at controlling access to the inner workings of its platform, like code and user data, he said.




Yet another App I have never heard of… (Maybe because it’s not available in Colorado?)
Facebook acquires anonymous teen compliment app tbh, will let it run
Today, Facebook announced it’s acquiring positivity-focused polling startup tbh and will allow it to operate somewhat independently with its own brand.
tbh had scored 5 million downloads and 2.5 million daily active users in the past nine weeks with its app that lets people anonymously answer kind-hearted multiple-choice questions about friends who then receive the poll results as compliments. You see questions like “Best to bring to a party?,” “Their perseverance is admirable?” and “Could see becoming a poet?” with your uploaded contacts on the app as answer choices.
tbh has racked up more than 1 billion poll answers since officially launching in limited states in August, mostly from teens and high school students, and spent weeks topping the free app charts. When we profiled tbh last month in the company’s first big interview, co-creator Nikita Bier told us, “If we’re improving the mental health of millions of teens, that’s a success to us.”




Is this paper detailed enough to allow us to create an App to write contracts?
FCL: A Formal Language for Writing Contracts
by Sabrina I. Pacifici on Oct 16, 2017
Farmer W.M., Hu Q. (2018) FCL: A Formal Language for Writing Contracts. In: Rubin S., Bouabana-Tebibel T. (eds) Quality Software Through Reuse and Integration. FMI 2016, IRI 2016. Advances in Intelligent Systems and Computing, vol 561. Springer, Cham
“A contract is an artifact that records an agreement made by the parties of the contract. Although contracts are considered to be legally binding and can be very complex, they are usually expressed in an informal language that does not have a precise semantics. As a result, it is often not clear what a contract is intended to say. This is particularly true for contracts, like financial derivatives, that express agreements that depend on certain things that can be observed over time such as actions taken by the parties, events that happen, and values (like a stock price) that fluctuate with respect to time. As the complexity of the world and human interaction grows, contracts are naturally becoming more complex. Continuing to write complex contracts in natural language is not sustainable if we want the contracts to be understandable and analyzable. A better approach is to write contracts in a formal language with a precise semantics. Contracts expressed in such a language have a mathematically precise meaning and can be manipulated by software. The formal language thus provides a basis for integrating formal methods into contracts. This paper outlines fcl, a formal language with a precise semantics for expressing general contracts that may depend on temporally based conditions. We present the syntax and semantics of fcl and give two detailed examples of contracts expressed in fcl. We also sketch a reasoning system for fcl. We argue that the language is more effective for writing and analyzing contracts than previously proposed formal contract languages.”




When we’re done with the computer labs?
Feel like helping people but don’t have the time, money, or energy? Well, there’s an app for that. Or rather, there are several. From something as simple as opening a tab to playing some games, here’s how to help.
For several of these, all you need to do is install an app or open a tab. The app or tab will then access the unused processing power of your computer and use it to run calculations. It then shares these with millions of other such computers via the internet. The result is a virtual supercomputer for scientists to run complex calculations.

