Cybersecurity Archives - Page 37 of 88

Wednesday: Wandering

June 29, 2016/9 Comments/in Culture, Cybersecurity, Economics /by Rayne

All that is gold does not glitter; not all those who wander are lost.

— excerpt, The Lord of the Rings by J. R. R. Tolkien

It’s a lovely summer day here, cool and dry. Perfect to go walkabout, which I will do straight away after this post.

Hackety-hack-hack, Jack

Spearphishing method used on HRC and DNC revealed by security firm (SecureWorks) — Here’s their report, but read this Twitter thread if you don’t think you can handle the more detailed version. In short, best practice: DON’T CLICK ON SHORTENED LINKS using services like Bitly, which mask the underlying URL.
Researchers show speakerless computers can be hacked by listening to fans (arXiv.org) — Air-gapping a computer may not be enough if hackers can listen to fan operation to obtain information. I’ll have to check, but this may be the second such study.
Another massive U.S. voter database breached (Naked Security) — This time 154 million voters’ data exposed, revealing all manner of details. 154M is larger than the number of voters in the 2012 general election, though smaller than the 191M voters’ records breached in December. At least this time the database owner slammed the breach shut once they were notified of the hole by researcher Chris Vickery. Nobody’s fessed up to owning the database involved in the the December breach yet.
Speaking of Vickery: Terrorism databased leaked (Reddit) — Thomson-Reuters’ database used by governments and banks to identify and monitor terrorism suspects was leaked (left open?) by a third party. Vickery contacted Thomson-Reuters which responded promptly and closed the leak. Maybe some folks need to put Vickery on retainer…
Different kind of hack: Trump campaign hitting up overseas MPs for cash? Or is he? (Scotsman) — There are reports that Trump’s campaign sent fundraising emails received by elected representatives in the UK and Iceland. Based on what we know now about the spearphishing of HRC and DNC, has anybody thought to do forensics on these emails, especially since government officials are so willing to share them widely? Using these kinds of emails would be a particularly productive method to spearphish government and media at the same time, as well as map relationships. Oh, and sow dissension inside the Trump family, urm, campaign. On the other hand, lack of response from Trump and team suggests it’s all Trump.

Makers making, takers taking

Apple granted a patent to block photo-taking (9to5Mac) — The technology relies on detecting infrared signals emitted when cameras are used. There’s another use for the technology: content can be triggered to play when infrared signal is detected.
Government suppressing inventions as military secrets (Bloomberg) — There’s merit to this, preventing development of products which may undermine national security. But like bug bounties, it might be worth paying folks who identify methods to breach security; it’s a lot cheaper than an actual breach, and a bargain compared to research detecting the same.
Google wants to make its own smartphone (Telegraph-UK) — This is an effort apart from development of the modular Ara device, and an odd move after ditching Motorola. Some tech industry folks say this doesn’t make sense. IMO, there’s one big reason why it’d be worth building a new smartphone from the ground up: security. Google can’t buy an existing manufacturer without a security risk.
Phonemaker ZTE’s spanking for Iran sanction violations deferred (Reuters) — This seems kind of odd; U.S. Commerce department agreed to a reprieve if ZTE cooperated with the government. But then think about the issue of security in phone manufacturing and it makes some sense.

A-brisket, a Brexit

EU health commissioner Andriukaitis’ response to Nigel Farage’s insulting remarks (European Commission) — Farage prefaced his speech to European Commissioners yesterday by saying “Most of you have never done a proper day’s work in your life.” Nice way to win friends and influence people, huh? Dr. Vytenis Andriukaitis is kinder than racist wanker Farage deserves.
Analysis of next couple years post-Brexit (Twitter) — Alex White, Director of Country Analysis at the Economist Intelligence Unit, offers what he says is “a moderate/constructive call” with “Risks definitely to the downside not to the upside.” It’s very ugly, hate to see what a more extreme view would look like. A pity so many Leave voters will never read him.

Follow-up: Facebook effery
Looks like Facebook’s thrown in the towel on users’ privacy altogether, opening personal profiles in a way that precludes anonymous browsing. Makes the flip-flop on users’ location look even more sketchy. (I can’t tell you anymore about this from personal experience because I gave up on Facebook several years ago.)

Happy hump day!

Monday: Fierce Dog

June 27, 2016/22 Comments/in Culture, Cybersecurity, Economics /by Rayne

Hunger and fear are the only realities in dog life: an empty stomach makes a fierce dog.

— excerpt, personal journal of Capt. Robert Falcon Scott

This short film by Aaron Dunleavy was inspired by his childhood in Blackburn, Lancashire UK. The script was improvised and cast using locals.

All districts in Lancashire voted Leave during last week’s Brexit referendum, with 65% of Blackburn voters supporting Leave.

Worth noting an article in Lancashire Telegraph about an Aldi’s store under construction. Aldi’s is a German-owned grocery store chain; have to wonder if construction will be completed.

Brexit botch bits

@shockproofbeats on Brexit’s impact on Northern Ireland (Storify) — It’s messy now and promises to be even uglier.
Downside for China (and other foreign investors): Real estate purchases may be put on hold (SCMP) — Some deals in the works may be halted until the pound is more stable. On the other hand, Britain may step in and put the brakes on sales; too easy for overseas entities with big money to buy up property while pound is depressed.
Upside for China (and other banking centers): Business could pick up in Hong Kong (SCMP) — London is the second largest trading center of yuan next to Hong Kong; some of the business could shift back to Hong Kong, especially if HSBC bank choose to relocate its headquarters to HK from London.
No change in position on Brexit referendum since last Friday according to PM David Cameron (Independent-UK) — Though Cameron is now going to leave in September. He continued to push triggering of the Article 50 to his successor while taking pot shots at Labor Party over its purge this weekend. Not certain most Americans will notice just how Cameron has managed to shift the blame to both MPs and the people for a referendum he proposed, or how he has turned execution of Article 50 into a poisoned chalice. Lord Chancellor Secretary of State for Justice Michael Gove, Leave campaign proponent, was present at today’s session in Parliament but said nothing before disappearing. Boris Johnson, MP for Uxbridge and South Ruislip and Leave campaign proponent, was noticably absent. Wankers all three.

SCOTUS Week
Waiting around watching the court for good or ill until this morning is kind of like waiting for Shark Week — hey, it IS Shark Week! What a coincidence!

Texas’ HB2 ruled unconstitutional (WaPo) — Immensely restrictive state law which anti-abortion proponents claimed protected women struck down; majority justices saw through fallacious arguments. Usual suspects dissented (Robers/Thomas/Alito).
Domestic abusers can be denied guns based on misdemeanor charges (NPR) — Now if only there was a universal background check law to ensure any gun seller could identify domestic abusers…Case before SCOTUS even more exceptional as Justice Thomas asked questions from the bench.
Court turns away appeal on Montana state law limiting med marijuana sellers to 3 patients max (Billings Gazette) — What a nuisance for folks like cancer patients who need medical marijuana in a such a rural state.

Miscellaneous trouble

U.S. studied Aedes aegypti mosquitoes released in American neighborhoods (Atlas Obscura) — Are you kidding me?! The U.S. tested the same mosquitoes which carry Zika, dengue, and yellow fever by releasing them in residential neighborhoods — AFTER they had nearly been wiped out of the western hemisphere?
Pin-based security system may end after IRS hacked again (Naked Security) — Looks like the weakest link is the e-File Pin for account access, same as in hacks before April 15th this year. The knowledge-based verification component was easily undermined by determined hackers who could look up information.

Promises to be a busy week ahead. Stay tuned!

Wednesday: Get Bach

June 22, 2016/18 Comments/in automobiles, Culture, Cybersecurity /by Rayne

Summer bug laid me up. I’m indulging in the audio equivalent of tea with honey, lemon, and a shot of something to scare away the bug. A little cello playing by Yo-Yo Ma never fails to make me feel better.

This sweet video is enlightening, didn’t realize Ma had an older sister who was an accomplished musician at a tender age. Worthwhile to watch this week considering the blizzard of arguments about immigrants and refugees here and abroad.

And then for good measure, a second favorite added in the mix — Yo-Yo Ma and Itzhak Perlman together, performing Beethoven’s Triple Concerto Fantasy.

There. I feel a little better already.

Probably better than frustrated House Democrats led by Rep. John Lewis who are engaging in a sit-in protest on House floor demanding a vote on No-Fly-No-Buy gun control. If you want to watch the action, you’ll have to check social media. It’s said House GOP leadership ensured CSPAN cameras were shut off.

Diesel do you

Volkswagen streamlining offerings to cut costs, 40 makes on the chopping block (Bloomberg) — This is the old General Motors play that eventually killed Oldsmobile and Pontiac to reduce costs related to duplicative brands. Makes sense, especially if this hatchet job kills passenger diesels. Note the story says a fix may come later — uh-huh, like never? Because VW can’t handle the volume of required repairs OR the lack of actual clean diesel technology, OR both?
Testimony in S Korea: VW’s upper management may have ordered regulatory cheats (The Hankyoreh) — Story is focused on emissions controls defeat and approval process, but sound controls were also an issue in South Korea. Were those likewise suppressed by order of VW’s German head office?
Former CEO under investigation for securities fraud (Reuters) — Big investors want to know why it took a year for Winterkorn to act after the emissions controls defeat were made public by researchers. Bet there’s a link between Winterkorn’s notification of researchers’ findings and the destruction of emails.

Sigh, cyber, sigh

Why the hell is PayPal asking a German cloud service provider to monitor its customers? (Fortune) — Seafile ditched PayPal as a payment service provider after PayPal insisted Seafile must monitor its users’ files. That’s a violation of German privacy laws. But why did PayPal ask this in the first place? The argument about illicit file sharing is a stretch.
Google’s rolling out an easier Two-Factor Authentication tool (Google Apps Updates Blog) — Google’s enterprise users will see this first, but all Google users should expect new prompts on the desktop and new apps using this new 2FA system. This should replace the 6-digit text message codes as well as verification codes.
Facebook’s ethical decision process for research projects still iffy (The Chronicle of Higher Education) — If you can’t release all the details of the deliberative process, it looks pretty shady. What compromises were made? What points weren’t covered or ignored? Who knows?
Toothpic technology designed to detect photo theft (PetaPixel) — But the same well-meaning technology is based on fingerprinting a camera, identifying the user by camera. So much for privacy.

Wait, what?
Did you know Led Zeppelin is being sued over Stairway to Heaven? Allegedly a key riff in the famous 40-year-old tune was stolen, violating copyright. Forty years. ~smh~

Going back to a recumbent position. Stay braced for the outcome of the sit-in and Brexit vote tomorrow.

Monday: Buckle up, Buttercup

June 20, 2016/4 Comments/in Culture, Cybersecurity /by Rayne

After my Go-Team-Yay-Space post yesterday, it’s time for a Monday morning reality check. Going to Mars will not be a panacea to our ills, as this darkly humorous animated short, Fired on Mars by Nick and Nate, shows. On the other hand, SpaceX’s Elon Musk offers an upside while acknowledging the inherent risk of space travel and colonization: “If you’re going to choose a place to die, then Mars is probably not a bad choice.”

Certainly beats an undiginified extinction by drowning on earth, eh?

We may not be leaving the planet today, but you’d best buckle up anyhow. This week’s going to be a doozy.

Brexit, Brexit, Brexit
Say that in your best Jan Brady voice — Brexit will suck all the oxygen out of this week’s market news. I’m afraid to look at the stock market at all because of it. Euronews has a roundup on the topic (though I warn you, it’s poorly formatted — keep scrolling down the page and increase print size). I’m not posting any other UK-based links here now because it’s quite obvious each media outlet has a position and their coverage reflects it. Most blatantly obvious are those owned by Rupert Murdoch’s Newsgroup, which has prompted some angry murmurs about an Aussie living in the U.S. telling the UK what to do.

Disturbing: Mexico’s federal police fire on teachers’ protest rally
I say disturbing for two reasons: first, that a democratic government’s federal would fire on protesters supporting the CNTE teachers’ union and actively deny it happened is appalling, and second, that its neighbor’s media would ignore that it happened. Teachers and supporters have been rallying in the state of Oaxaca, protesting the government’s education reform plan, characterized by some as neoliberal. It was clear from the outset that the government was in no mood to listen, given the number of riot police in place. The protests followed the detention/disappearance days earlier by police of CNTE union leaders Francisco Manuel Villalobos Ricardez and Ruben Nuñez. Conditions degraded over the course of the day, with federal police firing upon protesters. Early accounts claimed six were killed, of which one may have been a journalist and two teacher trainees. President Enrique Pena Nieto’s government at first denied there was any violence, and then later claimed the Associated Press’ photos of the violence were false. There were enough social media reports documenting the violence on the ground to neutralize the government’s claim — and thank goodness for social media, or the U.S. would have heard very little if anything about this conflict. Not exactly the fiesta of democracy President Nieto promised when he took office in 2012. For more current information about the conflict, follow hashtags #Nochixtlan (district) and #Oaxaca in Twitter; already the death count is disputed as some claim more than eight died after yesterday’s attack by police on protesters.

It’s extremely important to remember the protesters’ anger and frustration are not merely about the ENP government’s reform plan. The 43 young men who disappeared in 2014 and are believed dead were students at a teachers’ college; the federal police have been implicated in the disappearance of these students. To date, the mass disappearance of these students has not been fully accounted for. Imagine the furor if such a mass disappearance were to happen in the U.S.

Cyber, cyber, cyber
LOL sorry, I’m on a Brady Bunch jag. Forgot to remind you last Tuesday was Patch Tuesday — make sure you’ve updated your Win-based systems if you do so manually. Can’t hurt to check all your other non-Win devices, too.

Adobe Flash zero day patch a higher priority than Microsoft’s monthly patch (TechTarget) — Again, if you manually patch, get to this one ASAP. I’m a manual Adobe patcher myself; I don’t automate patching because I want to know exactly how often Adobe must patch their products. It’s annoyingly often.
This is your brain on drugs: Too-smart identity thief busted (ABC3340-Birmingham) — Can’t tell if the drugs ate his intelligence, or if they deluded this dude. Read this, it’s like a bad episode of COPS mashed up with Monty Python.
SmartTVs not so smart, held ransom by Flocker (TrendLabs) — Leap of ransomware to Android smartTVs perfectly exemplifies the danger of connecting things to the internet. Interesting how this one deactivates based on select country locations. Yet another opportunity to sell protection software, too, as you’ll note in the article.

Your recommended long read: Apple’s Differential Privacy
Crytography expert Matthew Green reviews Apple’s announcement this past week regarding development of “differential privacy,” which Apple defined as:

Starting with iOS 10, Apple is using Differential Privacy technology to help discover the usage patterns of a large number of users without compromising individual privacy. To obscure an individual’s identity, Differential Privacy adds mathematical noise to a small sample of the individual’s usage pattern. As more people share the same pattern, general patterns begin to emerge, which can inform and enhance the user experience. In iOS 10, this technology will help improve QuickType and emoji suggestions, Spotlight deep link suggestions and Lookup Hints in Notes.

This is worth your time to read as differential privacy suggests new approaches to meeting the needs of marketers while preserving the privacy of consumers applying algorithmic solutions. Read it now before this stuff gets really convoluted.

Check your safety harness from time to time. Catch you tomorrow!

Friday: How It Begins

June 17, 2016/12 Comments/in Culture, Cybersecurity, Surveillance /by Rayne

I was half way through a post yesterday when a friend in the UK told me a member of Parliament had been killed by a fascist.

An assassination, I thought at that moment, unable to write another word for my post. How many times has an assassination kicked off a horrible chain of events?

I hoped and prayed as best a lapsed Catholic can that the murder of MP Jo Cox by a man shouting, “Britain First!” was not the beginning of something dreadful. Research says it’s less likely than if an autocratic figure had been killed, but who can really say with certainty?

We won’t know for some time if this was a trigger event for something else, though it did set off a cascade of stomach-turning crap. So many media outlets referred to politician Cox’s death by a political fanatic as something other than an assassination. Really? Would Cox have been targeted had she not been a pro-EU unity supporter? Would the assassin — characterized by so many euphemisms as mentally ill — have killed her had he not been rabidly anti-EU and racist, impelled by ramped-up anti-EU rhetoric in advance of the EU-Brexit referendum?

And the disparity in coverage between [lone white gunman suspected of mental illness] and [armed terrorist—labeled so because they’re not white]? Beyond disgusting. The racism is all the more obvious. The public is conditioned by media’s implicit bias to expect and accept the lone white gunman, but never the dark-skinned person bearing a weapon. The accused must have sympathized with white nationalism, irrespective of country, having bought his firearm components from U.S. neo-Nazis more than a decade ago. The description of his attack on Cox is chilling — it was a cold political execution, not just some wildly insane flailing without care for the outcome.

The world lost someone very special when Jo Cox died yesterday. Someone who lived progressive values out in the open, modeling a better way for us. Don’t kid yourself this was just a crazed man acting alone when white nationalist politicians like Nigel Farage believe “violence is the next step” if angry constituents feel they’ve lost control.

And don’t fool yourself into believing this was an isolated event occurring in a vacuum.

Today’s Friday jazz is a performance of She’s Crying for Me by the Yorkshire Jazz Band, in honor of Jo Cox’s home county.

A note on hacking stories
The breach of the DNC’s computers is one of a number of stories over the last several years following a pattern: the breach is attributed to one entity and then yet another entity, while the story itself has a rather interesting point of origin. Initial reports may say the hackers were affiliated with [nation/state X] and later reports attribute the hacking to [unaligned third party Y] — or a variation on this order — a key characteristic is the story’s immaculate birth.

Try looking for yourself for the earliest story reporting the hacking of the DNC. Who reported it and when? Who were the original sources? Did the story arise from a call to law enforcement or a police report, and a local beat reporter who gathered named eyewitnesses for quotes? Or did the story just pop out of thin air, perhaps simultaneously across multiple outlets all regurgitating the same thing at the same time?

My point: Be more skeptical. There’s an adage in reporting, drummed into journalism students’ heads: If your mother says she loves you, check it out.

Three examples of manipulated opinion
Speaking of being more skeptical, bias manifests itself in all manner of ways and can be easily used for good or ill.

U.S. government and military orgs tricked into running ‘imposter code’ (Ars Technica) — Suckers didn’t perform due diligence on packages of code hosted at developer communities before running them. Gee, I wonder if any political parties’ personnel might have done the same thing…
GOP-led House waffles on HR 5293 surveillance bill because Orlando (HuffPo) — Ugh. Would this vote have been different this time if a lone crazed white gunman had shot up a bar? Sadly, we can’t tell based on the bill’s approval last year because the vote took place one day before Dylan Roof’s mass shooting in a Charleston church. Nor can we tell from the bill’s 2014 approval by the House because the mass shootings the week of the vote were just plain old run-of-the-mill apolitical/non-racist with too few fatalities.
Send manuscripts out under a man’s name = agents and publishers notice (Jezebel) — If you’re a woman you can be a great writer and you won’t get any nibbles on your manuscript — unless you submit it under a male name. Hello, implicit bias, much? This isn’t the only example, either.

Worthwhile long read
This commentary at Tor.com looks at the movie V for Vendetta, saying it’s “more important than ever,” in spite of the adaptation’s rejection by Alan Moore, author of the graphic novel on which this film was based. The essay was published this past Tuesday; read it now in light of Jo Cox’s assassination Thursday. A single event can change perception. This line alone now means something very different to me:

It seems strange that my life should end in such a terrible place. But for three years I had roses, and apologized to no one.

If time permits, I may slap up a post this weekend to make up for yesterday’s writer’s block. Otherwise I’ll catch you on Monday.

At Same Time as DNC Hack Released, Funny Alleged Hacks in the Middle East

June 16, 2016/3 Comments/in Cybersecurity /by emptywheel

You’ve probably heard that hackers, probably Russian, hacked the DNC and released a bunch of information, including a really crappy oppo research report on Donald Trump. See this post for some of the materials and this analysis of the materials (including metadata to support the case these are Russians).

Given that development, I’m even more interesting in this development than I already was. Several websites in the Middle East — in this case Jordan’s Petra news service — posted a report that Mohammed bin Salman, the third ranking Saudi royal, had claimed to have provided Hillary 20% of her campaign funding.

On Sunday a report appeared on the Petra News Agency website that included what were described as exclusive comments from Saudi Deputy Crown Prince Mohammed bin Salman. The comments included a claim that Riyadh has provided 20 percent of the total funding to the prospective Democratic candidate’s campaign.

I’m particularly interested in how that report got disclaimed: with intervention by the Podesta Group, which is both a lobbying arm for the Saudis and the firm of Hillary’s campaign manager.

On Monday a spokesperson for American public relations firm the Podesta Group contacted MEE to say that they work with the Saudi Royal Court and to request a correction to our earlier story that said the Jordanian news agency had deleted the quotes from Prince Mohammed.

Senior global communications specialist Will Bohlen – who, prior to joining Podesta, was chief researcher for a best-selling history of Bill Clinton’s presidency – sent a link to a clarification issued by the Petra News Agency which said it was “totally false and untrue” that they had published then deleted the quotes from Prince Mohammed about funding the Clinton campaign.

“A technical failure on Petra ’s website occurred for a few minutes on Sunday evening, 12 June 2016,” the Jordanian news agency said. “Protection systems at the agency as well as the technical department noticed that and therefore, they suspended the transmission system and the electronic site and moved to the alternative website.

“Later, it became clear that the technical failure that occurred was an attempt to hack the agency’s transmission system and its website. The agency was surprised to see some media outlets as well as the social media publishing false news that were attributed to Petra. They said that Petra transmitted a news item related to the deputy crown prince of Saudi Arabia and later deleted this news item. This is totally false and untrue.”

For now, I will assume this was a hack, which (again) I find to coincide interestingly with the DNC hack. The Clinton Foundation does get far too much money from the Saudis, but we can review Hillary’s actual funding to be sure that Mo bin Salman is not funding her campaign directly.

In entirely unrelated news I’ll put here anyway, the big Saudi investor Alwaleed bin Talal is now Twitter’s second largest investor.

Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 invested $300 million in the social network, now owns 34.9 million shares of Twitter’s common stock, according to a new regulatory filing (pdf).

At nearly 5.2%, his stake in the company is now larger than that of Jack Dorsey, Twitter’s co-founder and newly re-minted CEO, whose 21.86 million shares give him 3.2% of the company, according to FactSet. (The prince previously had a stake of roughly 3%.)

Particularly given that Twitter isn’t exactly a great investment, I find Alwaleed’s interest in it notable.

Tuesday: Going Alone

June 15, 2016/28 Comments/in Culture, Cybersecurity, Guns /by Rayne

I’ve been so damned angry I’ve had difficulty wrapping words around what I want to say. It’s still Tuesday somewhere, so I’ll grit this out.

Assault weapons should be banned for sale to civilians.

Spare me the crap about hunters and taking their guns. My freezer contains 25 to 100 pounds of venison at any time. This household lives off the results of hunting and respects the power of firearms. None of this meat required an assault weapon.

If an assault weapon had been used, it would have been a waste of a deer tag. There’d be no meat left.

The embedded video above shows the damage hunting ammo does at close range — approximately 15-20 feet — on meat. The next video shows the damage #4 and #8 birdshot can do at short range, even through multiple layers of denim and drywall. Imagine what an assault weapon would do to flesh at similar range.

Better yet, listen to what a combat vet says about assault weapons.

There’s nothing in the Second Amendment to suggest a prohibition on certain weapons is wrong; if anything, the framing of a ‘well regulated militia’ suggests limitations are in order.

There’s also nothing in the Second Amendment to suggest that gun manufacturers have an absolute right to an unrestrained business model, or to profits at the expense of the public’s general welfare.

Nor does the Second Amendment say a damned thing about catering to ‘gun enthusiasts’ who want guns for ‘pleasure’. A ‘well regulated militia’ doesn’t possess guns but as necessary for the ‘security of a free state’, not personal enjoyment.

And both embedded videos embedded make a bloody good case that arguments about assault weapons being necessary to stop a home invasion are trash. Birdshot at close range can do one hell of a lot of damage, as do 00 buckshot and a 1-oz slug.

Congress — more specifically, the GOP — needs to strap on its spine and draw the line on assault weapons. How many more dead Americans is it going to take before Congress clues in the terrorist threat is already here? It’s domestic, and it’s better armed than the police because GOP-led Congress is as weak as the GOP is against Trump.

Spare the empty moments of silence and prayers which might as well be to Moloch after another human sacrifice. Such fail at protecting the American public.

Speaking of which…

Information Security Fail

USAF database with records on ~100,000 investigations ‘lost’ (Defense One) — This is such bullshit, I can’t even…why is a CONTRACTOR, which may be the subject of any one of the 100K investigations, hosting and managing a database like this? What a massive conflict of interest. The database included constituent and congressional inquiries. Don’t even get me started on the fact this system relied on Microsoft Internet Explorer. Where have we seen this kind of massive loss of data including failed backups before? Hardly a surprise the data covers the period including most of the Iraq and Afghanistan wars as well as the construction of the F-35. Somebody better lose their job for this crap, and there’d better be a respectable investigation instead of the usual fluffery hiding billions of lost dollars.
DNC database infiltrated by the Russians (WaPo) — DNC Chair Debbie Wasserman-Schultz needs to be walked out the door for this bullshit, along with responsible IT management. As if anyone able to sit up and take nourishment couldn’t see the DNC computer systems would be a target for cybercrime and cyberwarfare. No excuses for this during the run-up to a general election season, especially when her favorite candidate is already floundering because of information security failures during her tenure as Secretary of State. This bit:

The depth of the penetration reflects the skill and determination of the United States’ top cyber adversary as Russia goes after strategic targets, from the White House and State Department to political campaign organizations.

Total blowjob for access. If the hackers got in by spearphishing as suggested in the article, there’s no finesse required. Just poorly trained/educated users and no firewall between email and database. The only thing that surprises me about this is that ransomware wasn’t deployed. Imagine it: a major U.S. political party ground to a halt by spearphish-delivered ransomware.
University of Calgary paid CDN$20K after ransomware attack (Calgary Herald) — First heard about this attack the end of May. Looks like the school had no choice but to offer the bitcoin equivalent of $20K to release their systems, which says a lot about backup systems and rebuild cost. Considering the broad range of users at universities and widely different levels of experience and training, I’m surprised we haven’t seen more ransomware attacks on schools. Though monetarily they’re less appetizing than other targets, and may have more resources to deal with the threat if they have a strong IS/IS program.
Chinese IBM employee arrested for trade secret theft (Reuters) — The indictment (pdf) says the now-former IBM employee stole proprietary software related to hyperscale storage clusters, or what most consumers would know as ‘cloud storage’. This is a technology segment in which the U.S. still has considerable clout in terms of marketshare, and in terms of global economic impact based on its use. Reporting on this indictment has been vague, referring to the technology at the heart of this case as ‘networking software’. It’s more complex than that; the proprietary software underpins storage and retrieval of data across networked large storage devices. (Hi blueba. Just checking to see if you missed me. Can’t let the Russians have all the fun.)

Basta. Enough. Let’s hope Wednesday is kinder than the last handful of days have been.

Friday: Ball and Chain

June 10, 2016/11 Comments/in automobiles, Culture, Cybersecurity, Economics /by Rayne

This end-of-the-work-week observation is a little different. I’ve posted some not-jazz jazz for your listening pleasure. This piece called Ball and Chain is performed by a loosely joined group of people who worked on development of a subgenre of jazz during the 1990s. It’s called M-base — short for “macro-basic array of structured extemporization” — which relies on improvisation along with non-European elements as jazz does. But its artists’ deliberation in composition combined with a more contemporary flare set this style of music apart from other jazz.

Sample a couple more pieces with a little extra estrogen — Cassandra Wilson’s vocals in You Don’t Know What Love Is, and Geri Allen’s keyboarding here with Esperanza Spalding and Terri Lyne Carrington performing Unconditional Love at a recent Jazz in Marciac festival. Wilson and Allen have both been members of the M-base collective, along with Steve Coleman, Robin Eubanks, Graham Haynes, and Greg Osby. I recommend searching out each of those folks in YouTube to explore their continuation of M-base in their work.

That’s enough to get you through your Friday evening nightcap. You’ll probably need one after this stuff.

Volkswagen’s Dieselgate

More made-up reports to cheat compliance on emissions and now noise levels, this time in South Korea (Bloomberg) — It might be easier now to ask what didn’t VW Group didn’t fib about. No specifics yet, but this looks broader than passenger diesel vehicles if VW also lied about noise levels.
German state investigators probing VW employees’ evidence destruction (Deutsche Welle) — At least one employee encouraged co-workers to “get rid of data.” Prosecutors believe most data is still safe and some may be recovered from attempted destruction. Color me skeptical.
EU Industry Commissioner turned up his nose at proposals by Germany to tighten emissions rules (Deutsche Welle) — It’s not clear if the EU had concerns that Germany was still trying to get around emissions controls regulations even with more stringent rules as proposed.
Meanwhile, researchers surprised by role of air pollution in strokes (L’Express) — Related to the unfolding Dieselgate scandal at the intersection of increased emissions and increased deaths, researchers found

The share [of strokes] attributable to pollution has been estimated at 33.7% in countries with low and middle income against only 10.2% in high-income countries in 2013, up sharply since 1990.

Yet most of the EU has done virtually nothing to eliminate the recently discovered emissions controls cheating vehicles from the road.
Op-ed suggests making an example of Volkswagen (USAToday) — Equal protection and all, singling out this company probably won’t fly. But enforcing existing laws to the fullest extent due to brazen, persistent fraud? Hell yeah. They’re killing people with these cheats — long, slow, costly deaths.

Living in a Digital World

Twitter says it wasn’t hacked after millions of users’ account data appears online (Bloomberg) — Hey, listen up, boneheads complaining about your Twitter account being locked: 1) Change your password periodically (like every 12 weeks) and 2) DON’T USE THE SAME PASSWORD ON MORE THAN ONE ACCOUNT. Looks like some folks haven’t learned that once one account is breached, more are at risk if they use the same password or a previous iteration from another account. ~smh~ It would take very little to create a database of breached addresses from multiple platforms and compare them for same passwords. If, for example, [123456PW] is used on two known accounts, why wouldn’t a hacker try that same password on other accounts attached to the same email address?
Oklahoma state police bought debit card scanning devices (KGOU) — They’re not merely reading account data if they pull you over and take your card to scan for information. They may confiscate any funds attached to the card, too, under civil forfeiture. This is ripe for abuse and overreach, given poor past legal precedent. Why is a magnetic strip any different than your wallet?

Economics of a different kind

Economics don’t match reality, and the root of the problem is academic (BloombergView) — Each of “coffee house macro,” finance macro, Fed macro, and academic macroeconomics are grossly out of sync with reality. But the root of this distortion is the one thing they all have in common: their origin in academic economics. Yeah — academia has become little more than an indoctrination factory for the same flawed concepts, while reducing any arguments against the current “free market uber alles” thought regime.
Adbusters isn’t waiting for academia; they’re ready to Battle for the Soul of Economics (kickitover.org) — Check it, social media warfare has begun.

That’s a wrap on this week. I’m fixing myself a stiff belt and shuffling off to bed. Catch you Monday, the Fates willing and the creek not rising due to climate change.

The SSCI Contemplates Splitting CyberCommand from DIRNSA

June 10, 2016/1 Comment/in Cybersecurity /by emptywheel

The Intercept’s Jenna McLaughlin liberated a copy of the Senate Intelligence Committee’s Intelligence Authorization for 2017 which was passed out of committee a few weeks back. There are two really shitty things — a move to enable FBI to get Electronic Communications Transaction Records with NSLs again (which I’ll return to) and a move to further muck up attempts to close Gitmo.

But there are a remarkable number of non-stupid things in the bill.

I’m particularly interested in this language.

Unless I’m completely misreading it, this section would require the Director of NSA to be a separate person from the head of CyberCommand. It would require Admiral Mike Rogers’ current dual hat to be split.

Correction: DIRNSA and CyberCom would only need to be split if CyberCom gets elevated to be a full combatant command.

That’s a recommendation the President’s own Review Group made back in 2013, only to have the President pre-empt PRG’s recommendation before they could publicize it. It would also likely have some impact on NSA’s decision, earlier this year, to combine the Information Assurance Directorate — NSA’s defensive organization — in with its offensive mission.

Frankly, I think our entire cybersecurity approach deserves a more open debate. The IC has done a pretty crummy job at defending us from attacks, and it’s not clear what purpose their secrecy about that serves.

But I am intrigued that SSCI seems to think NSA should retain its defensive capability, independent of all its offensive ones.

Monday Morning: Tarantela [UPDATE]

May 23, 2016/15 Comments/in automobiles, Culture, Cybersecurity /by Rayne

I could listen to this piece on a loop. It’s Santiago de Murcia’s “Tarantela,” performed by noted lutist Rolf Lislevand. The instrument he is playing is as important as the music and his artistry; it’s an extremely rare Stradivarius guitar called the Sabionari. While tarantellas more commonly feature additional instruments and percussion like tambourines, this instrument is stunning by itself.

You can learn more about the Sabionari at Open Culture, a site I highly recommend for all manner of educational and exploratory content.

And now to dance the tarantella we call Monday.

Wheels

What’s the German word for ‘omertà’? Because Volkswagen has it (Forbes) — Besides the use of obfuscation by translation, VW’s culture obstructs the investigation into Dieselgate by way of a “code of silence.” And money. Hush money helps.
Growing percentage of VW investors want an independent investigation (WSJ) — An association 25,000 investors now demands an investigation; the problem continues to be Lower Saxony, the Qatar sovereign-wealth fund and the Porsche family, which combined own 92% of voting stock.
VW production workers get a 5% pay raise (IBT) — Is this “hush money,” too, for the employees who can’t afford to be retired like VW’s executives? The rationale for the increase seems sketchy since inflation is negligible and VW group subsidiary workers at Audi and Porsche won’t receive a similar raise.
Insanity? VW Group a buy opportunity next month (The Street) — Caveat: I am not a stockbroker. This information is not provided for investment purposes. Your mileage may vary. But I think this is absolute insanity, suggesting VW group stock may offer a buy opportunity next month when VW publishes a strategy for the next decade. If this strategy includes the same utterly opaque organization committing fraud to sell vehicles, is it smart to buy even at today’s depressed prices? The parallel made with Apple stock is bizarre, literally comparing oranges to Apples. Just, no.

Bad News (Media)

NPR uses the word “torture” — but not about the U.S. (NPR) — Focus of this audio article is on doctors’ investigating torture using the Istanbul Protocol for documentation, but neatly avoids any torture conducted by the U.S. with the aid of doctors. Or any torture performed by U.S.’ law enforcement and prison complex. Syria is repeatedly mentioned, though.

Cybersec

Organized criminals steal $13M in minutes from Japanese ATMs (The Guardian) — And then they fled the country. What?! The mass thefts were facilitated by bank account information acquired from an unnamed South African bank. Both Japan and SA use chip-and-pin cards — so much for additional security. Good thing this organized criminal entity seeks money versus terror. Interesting that the South African bank has yet to be named.(*)
Slovenian student receives 15-month suspended sentence for disclosing state-created security problems (Softpedia) — The student at Slovenia’s Faculty of Criminal Justice and Security in Maribor, Slovenia had been investigating Slovenia’s TETRA encrypted communications protocol over the last four years as part of a school project. He used responsible disclosure practices, but authorities did not respond; he then revealed the encrypted comms’ failure publicly to force action. And law enforcement went after him for ~~exposing their lazy culpability~~ hacking them.
Related? Slovenian bank intended target for Vietnamese bank’s SWIFT attempted hack funds (Reuters) — Huh. Imagine that. Same country with highly flawed state-owned encrypted communications protocol was the target for monies hackers attempted to steal via SWIFT from Vietnamese TPBank. Surely just a coincidence, right?

Just for the heck of it, consider a lunch read/watch on a recent theory: World War 0. Sounds plausible to me, but this theory seems pretty fluid.

Catch you here tomorrow morning!

* UPDATE — 1:20 P.M. EDT —
Standard Bank reported it had lost 300 million rand, or USD $19.1 million to the attack on Japanese ATMs. First reports in South African media and Reuters were roughly 11 hours ago or 9:00 a.m. Johannesburg local time. It’s odd the name of the affected bank did not get wider coverage in western media, but then South Africa has a problem with disclosing bank breaches. There were five breaches alleged last year, but little public information about them; they do not appear on Hackmageddon’s list of breaches. This offers a false sense of security to South African banking customers and to banks’ investors alike.

Japan Times report attribute the thefts to a Malaysian crime gang. Neither Japan Times nor Manichi mention Standard Bank’s name as the affected South African bank. Both report the thefts actually took place more than a week ago on May 15th — another odd feature about reporting on this rash of well-organized thefts.