Week 8

Article 1:

The Future of Crime: Smartphone Tracking, Neurohacking, and AI Assisted Murder

The world Marc Goodman outlines in exhaustive detail in his forthcoming book, Future Crimes, is as real, gritty, and frightening as life outside the Matrix. Indeed, Goodman opens his book by quoting the classic sci-fi epic. Do you want the red pill or the blue pill? “Remember, all I’m offering is the truth.” He would know.

Goodman, who began his career as a beat cop at the Los Angeles Police Department, has worked with the FBI, US Secret Service, Interpol, and police in over 70 countries. He is an authority on today’s exponentially scaling cybercrime and a theorist of future crimes worthy of the best sci-fi but, in fact, lurking just around the corner.

You won’t remember every detail of the book—it’s packed to the gills with them—but you may walk away with a better understanding of the challenges facing those of us engaging in the “consensual hallucination” that is modern cyberspace. And that’s the point really.

The central problem Goodman outlines—that everything with a connection is hackable—isn’t insoluble. It’s just that we need to wake up and take action. That means demanding software companies make better, more bullet-proof software, securing our own accounts, and developing new technologies with security in mind.

Cofounder of Wired and author of What Technology Wants, Kevin Kelly, said of the book, “OMG, this is a wakeup call. The outlaws are running faster than the architects…I’m a technological optimist. Now, I’m an eyes-wide-open optimist.”

We had the privilege of chatting with Goodman recently. It was a wide-ranging, eye-opening conversation. Read on to learn about the Internet of Things to Be Hacked, narrow AI as an accomplice to murder, and how startups can tell what you’re watching on television merely by the electrical fluctuations on your smart meter.

As cyber-heists grow exponentially and tens of millions of credit cards are compromised, might a cryptocurrency, like Bitcoin, provide a better way of transacting online? Or is it, on net, no better than current methods?

Are cryptocurrencies better or worse than credit cards? Maybe, maybe not.

Currently, your credit card is protected under federal law, so, if you suffer a loss, you will not be held liable. The largest reported Bitcoin theft, to date, was an attack on the Mt Gox exchange in Tokyo where investors lost over $460 million—and that money may well never be recovered or paid back.

So, cryptocurrencies may be helpful from a privacy perspective, and theoretically, they might be better protected from a security perspective. But if poorly implemented, as we saw with Mt Gox, not only are they hackable, but there’s no regulation at this time to protect you such that you get your money back.

Hackable devices are poised to leap beyond PCs and into the real world with the Internet of Things, robots, drones, driverless cars. Give us a glimpse of tomorrow’s hyperconnected world gone wrong. What new dangers will arise?

Internet connectivity is set to grow exponentially in coming years.

If today’s internet is the size of a golf ball, tomorrow’s will be the size of the Sun. We don’t need that much more connectivity for just computers or smartphones. It’s for the billions of everyday devices coming online with the Internet of Things.

As our threat surface area (the number of devices around us) grows there will be more ways to reach out and touch us for good and for harm.

Twenty years ago nobody worried about their car being hacked. Today, a typical car uses over 250 microchips that can be hacked remotely. Somebody can remotely deploy your airbag or slam on the brakes as you’re going down the highway.

The Internet of Things will also include critical infrastructure—most notably the electrical grid and the smart home—and even medical devices. Without precautions, all these will be open to attack, perhaps with catastrophic consequences.

There will also be significant privacy implications. Today, your cellphone tracks you. It knows all the people you hang out with, and we can draw inferences on your connections and closeness to these people based solely on the phone’s geolocation. We’re going to see even more of that in the future.

Smart meters, for example, are now being installed around the world. Every single device you plug into an electric socket has its own signature. When you plug in your Samsung television or Hamilton blender, the outlet knows what is being plugged into it. And from that you can derive even further intelligence.

There are startups now that are looking at the fluctuations in energy usage to deduce what pixels are highlighted on your television, and by knowing what pixels are highlighted on the TV, they can reverse engineer, based upon the electricity that you use, what television programs you’re watching.

Elon Musk, Stephen Hawking, and Bill Gates have expressed concern about artificial general intelligence. It’s a hotly debated topic. Might AI be our “final invention?” It seems even narrow AI in the wrong hands might be problematic.

I would add Marc Goodman to that list. To be clear, I think AI, narrow AI, and the agents around us have tremendous opportunity to be incredibly useful. We’re using AI every day, whether it’s in our GPS devices, in our Netflix recommendations, what we see on our Facebook status updates and streams—all of that is controlled via AI.

With regard to AGI, however, I put myself firmly in the camp of concern.

Historically, whatever the tool has been, people have tried to use it for their own power. Of course, typically, that doesn’t mean that the tool itself is bad. Fire wasn’t bad. It could cook your meals and keep you warm at night. It comes down to how we use it. But AGI is different. The challenge with AGI is that once we create it, it may be out of our hands entirely, and that could certainly make it our “final invention.”

I’ll also point out that there are concerns about narrow AI too.

We’ve seen examples of criminals using narrow AI in some fascinating ways. In one case, a University of Florida student was accused of killing his college roommate for dating his girlfriend. Now, this 18-year-old freshman had a conundrum. What does he do with the dead body before him? Well, he had never murdered anybody before, and he had no idea how to dispose of the body. So, he asked Siri. The answers Siri returned? Mine, swamp, and open field, among others.

So, Siri answered his question. This 18-year-old kid unknowingly used narrow AI as an accomplice after the fact in his homicide. We’ll see many more examples of this moving forward. In the book, I say we’re leaving the world of Bonnie and Clyde and joining the world of Siri and Clyde.

Building on today’s budding fMRI brain scans, you talk about mind reading and neurohacking. What is the weirdest future criminal or crime you can imagine? What about the most frightening?

I think holding people’s memories hostage in demand of an extortion payment would be a fairly horrific crime. Of course, this is all theoretical now. We do not have the capacity to do this. But I thoroughly believe it will be forthcoming.

One study, for example, hooked up an EEG to a person’s head, showed them a pin pad of an ATM, and asked the following question: “What is your PIN number?” With a 30% degree of accuracy, without the person saying a word, these researchers were able to identify a person’s PIN number. Just by reading their brain waves.

Might criminals hold a victim's memories for ransom in the future?

I think we’ll see more of that, which could lead to all kinds of problems. Forget memorizing passwords—somebody could just pull that data from a brain scan.

The military is also working to help veterans better deal with trauma and PTSD. They’ve found that certain neuropharmaceuticals can isolate somebody’s traumatic memory and wipe it away, or at least push it down and minimize it.

And this is happening now.

So, if we can already erase traumatic memories, what other memories might we be able to erase in the future? Once organized crime figures out how to do this, I could see a horrific scenario wherein somebody is kidnapped and threatened that unless they pay an exorbitant sum, their lifelong memories of their wife or daughter would be erased.

We’re a long way away from that, but since you asked me to look into the future, that’s something that I would be concerned about.


Article 2:

Hackers Steal Up To $1 Billion From Banks


A hacking ring has stolen up to $1 billion from banks around the world in what would be one of the biggest banking breaches known, a cybersecurity firm says in a report scheduled to be delivered Monday.

The hackers have been active since at least the end of 2013 and infiltrated more than 100 banks in 30 countries, according to Russian security company Kaspersky Lab.

After gaining access to banks’ computers through phishing schemes and other methods, they lurk for months to learn the banks’ systems, taking screen shots and even video of employees using their computers, the company says.

Once the hackers become familiar with the banks’ operations, they use that knowledge to steal money without raising suspicions, programming ATMs to dispense money at specific times or setting up fake accounts and transferring money into them, according to Kaspersky. The report is set to be presented Monday at a security conference in Cancun, Mexico. It was first reported by The New York Times.

The hackers seem to limit their theft to about $10 million before moving on to another bank, part of the reason why the fraud was not detected earlier, Kaspersky principal security researcher Vicente Diaz said in a telephone interview with The Associated Press.

The attacks are unusual because they target the banks themselves rather than customers and their account information, Diaz said.

The goal seems to be financial gain rather than espionage, he said.

“In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

Most of the targets have been in Russia, the U.S., Germany, China and Ukraine, although the attackers may be expanding throughout Asia, the Middle East, Africa and Europe, Kaspersky says. In one case, a bank lost $7.3 million through ATM fraud. In another case, a financial institution lost $10 million by the attackers exploiting its online banking platform.

Kaspersky did not identify the banks and is still working with law-enforcement agencies to investigate the attacks, which the company says are ongoing.

The Financial Services Information Sharing and Analysis Center, a nonprofit that alerts banks about hacking activity, said in a statement that its members received a briefing about the report in January.

“We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimize any effects on their customers,” the organization said in a statement. “The report that Russian banks were the primary victims of these attacks may be a significant change in targeting strategy by Russian-speaking cybercriminals.”

The White House is putting an increasing focus on cybersecurity in the wake of numerous data breaches of companies ranging from mass retailers like Target and Home Depot to Sony Pictures Entertainment and health insurer Anthem.

The administration wants Congress to replace the existing patchwork of state laws with a national standard giving companies 30 days to notify consumers if their personal information has been compromised.



Week 7

Article 1:

Hackers target health care as industry goes digital

“Cybercriminals know that the health industry is moving into EHRs and there’s more data to steal,” said Ann Peterson, program director at the Medical Identity Fraud Alliance, an organization that works to reduce medical fraud.

Electronic health records, or EHRs, are increasingly being used by hospitals and doctors’ offices to store information such as test results and treatment plans, along with data such as patient names, Social Security numbers and birth dates.

Health insurance companies also use EHRs and store other personal data, such as credit card details, making them attractive targets for hackers. This week, Anthem, one of the largest health insurers in the U.S., said sensitive information on possibly 80 million employees and customers had been exposed during a cyberattack. The information thieves made off with included patient names, Social Security numbers, birth dates and medical identification numbers.

The information can be pieced together and used to commit a variety of types of fraud, making it lucrative for hackers. Social Security numbers, for example, can be used to gain access to bank accounts, noted John Kindervag, a principal analyst at Forrester Research.

By targeting Anthem, hackers were able to access information that is commonly used to reset user names and passwords, said Ian Campbell, CEO of Nucleus Research. People are sometimes asked to enter their mother’s maiden name when signing up for services, for example. Since this information is static, it can be combined with a person’s email address to reset a person’s email account.

“People should ask ‘Will I have a problem 10 years from now because someone knows information that’s not normally available?’” he said.

The health care industry is especially vulnerable compared to retailers and banks, which are more accustomed to cyberattacks, said Lynne Dunbrack, research vice president at IDC Health Insights.

“Cybercriminals tend to think of health care organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically,” she said.

The Anthem breach could affect its finances, Dunbrack said. The U.S. Health Insurance Portability and Accountability Act, which aims to keep health care data private, requires that Anthem notify each victim, a process that costs about US$350 per record, Dunbrack said. Companies that violate HIPAA can face substantial fines. Last year, a New York City hospital was fined $4.8 million after it posted the medical data of 6,800 patients to the Web.

Health care breaches can also lead to an uptick in medical fraud, Peterson said. Health records contain insurance details that people can use to impersonate a hacking victim to receive care. Some insurance plans cover costly procedures that others don’t, so there’s a demand for credentials to access better coverage.

A set of medical data that can be used to receive care may fetch between $20 and $200 on the black market, Dunbrack said.

Fraud victims often don’t realize they’ve been attacked until it’s too late. They might receive a notice from their insurer for treatment they never received. Or they may find out in a more dramatic fashion, such as having an allergic reaction to a drug after an imposter altered a medical record.

“It can be deadly, depending on the level of compromise to the medical records and how much of their data is co-mingled with your data,” said Dunbrack.

People need to be as vigilant about protecting and reviewing their medical data as they are with their credit card information, said Peterson at the Medical Identity Fraud Alliance, noting that laws protect people only to a degree.

“We need to do our part and be aware of our medical information,” he said.


Article 2:

5 Billion Android Apps Open to Hacking

Over five billion downloaded Android apps are vulnerable to being hacked, cybersecurity researchers have found, as attackers exploit flaws in Google’s operating system.

Some 96 percent of malware — or malicious software — employed by hackers targets Google Android, according to U.S. firm FireEye, which analysed more than 7 million mobile apps on Android and Apple iOS between January and October 2014.

Apps designed to steal financial data were especially popular, the researchers found. The open-source nature of Android allows hackers to find the code behind a popular app, they said, and recreate the app almost identically but with malicious code to infect users.

“You can get all the code and then you can insert additional instructions and make it look and feel like the original app and no way for a consumer to tell the difference when they download it,” Jason Steer, director of technology strategy at FireEye told CNBC by phone.

Google did not respond to a request from CNBC for comment.

Malware targeted at Google’s operating system has surged from roughly 240,000 unique samples in 2013, to more than 390,000 unique samples in the first three quarters of 2014, according to the research.

FireEye said that one of Android’s biggest vulnerabilities was the way in which its mobile apps communicate information back to servers. It found that much of this communication was unencrypted, leaving it open for hackers to intercept and insert malicious code that can infect end users.

Advertisements also left some app users exposed. Many apps use third-party advertising software to display ads and make money from users. But Steer said that such data collection was often “aggressive,” and warned that sometimes the software communicates this data in an insecure way, leaving it open to hackers.

iOS vulnerabilities

It is not only Android apps that are vulnerable, however. Vulnerabilities in apps on iOS devices, once seen as very secure, were also identified.

Previously, hackers could only exploit jailbroken iOS devices with malicious apps. Jailbroken devices allow users to install apps not released through Apple’s App Store. Now, FireEye’s researchers said hackers were able to make malware that can attack a non-jailbroken device.

Apple did not respond to a request for comment.

Opportunistic hackers are also sidestepping Apple’s app verification process.

App developers typically build and test an app in beta mode on Apple’s iOS Developer Enterprise Program. It then goes through stringent tests by Apple for security before it is pushed out on the App Store.

But hackers are now creating apps through this program, then sending them to people via text messages or emails as a link. When a user clicks the link, the malicious app is downloaded on their device.

Steer said that because Apple devices have become so popular, hackers see them as a valuable target.


Week 6

Article 1:

Lenovo, Google websites hijacked by DNS attacks

On Wednesday, visitors to lenovo.com were greeted with what appeared to be webcam images of a bored young man sitting in a bedroom, and the song “Breaking Free” from an old Disney movie. On Monday, Google’s site for Vietnam also briefly redirected people to another website.

Both Google and Lenovo were victims of “domain hijacking,” a type of attack against the Domain Name System (DNS), which translates the domain names typed into a browser into the IP addresses it actually connects to.

The domain name records for both companies were modified to redirect to different websites when people entered “lenovo.com” and “google.com.vn.”

The changes were apparently made through Web Commerce Communications, known as Webnic.cc, a Malaysian company that registers domain names.

The hacker group Lizard Squad has claimed credit for the defacements. Lenovo appeared to restore service at one point on Wednesday afternoon, but later was unavailable due to system maintenance, a notice said. Webnic.cc could not be immediately reached for comment.

In Lenovo’s case, the hackers changed Lenovo’s domain name registration details to redirect to nameservers at CloudFlare, a San Francisco-based company that specializes in improving the performance of websites through extensive caching. Nameservers tell a computer which IP address to look up to view a website.

Lenovo’s home page appears to have been hacked

CloudFlare’s servers then redirected people trying to go to lenovo.com to two IP addresses hosted in the Netherlands by the company Digital Ocean, said Andrew Hay, senior security research lead for OpenDNS, a company that specializes in DNS-related security.

Those redirected to the other sites saw the webcam images of the bored young man. The source code for the Web page included the line: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey,” referring to persons who have reportedly been connected to the hacker group Lizard Squad.

The Lizard Squad’s access to Lenovo’s registrant account also allowed it to capture some of Lenovo’s email, which the group posted excerpts of on Twitter.

Lenovo has already been under pressure in the last week for pre-installing a secretive application called Superfish on its laptops, which substitutes some ads on encrypted websites but also creates a major security vulnerability.

CloudFlare offers free services that are sometimes abused by miscreants, but the company said it moved fast to help fix Lenovo’s problem.

“As soon as we saw the unauthorized transfer, we took control of the account, notified Lenovo and worked with them to restore service while they worked on getting their domain back,” said Marc Rogers, principal security researcher at CloudFlare.

On Monday, Google’s site for Vietnam briefly redirected people to another website. Like Lenovo, Google also had its google.com.vn domain name registered with Webnic.

It is possible that Webnic.cc has a vulnerability in its network that was discovered by the Lizard Squad and allowed changes to be made to domain name registrations. Another possibility is that the Lizard Squad obtained the authentication credentials used by those companies to modify domain name records.

It’s considered a low-brow style of attack, but changes to domain name records can be dangerous for Web users since there’s little they can do to protect themselves.

Such attacks—especially against websites that receive a lot of traffic—are powerful because attackers could redirect them to websites that try to automatically install malicious software. But that doesn’t appear to be the case with either the Lenovo or Google redirects.

Domain name registrars have been slowly implementing a security technology called DNS Security Extensions (DNSSEC) to better protect domain name records. DNSSEC uses public key cryptography to digitally “sign” domain names and corresponding IP addresses.

The technology is complicated to set up, however, and it has been a years-long effort to see it supported by registrars and hosting providers.

DNSSEC could have prevented the attack against Lenovo or “at the very least it would have made it much more complicated and slow to do with many more steps for the bad guys before they succeeded,” Rogers said.


Article 2:

Worse than Superfish? Comodo-affiliated PrivDog compromises web security too

Over the weekend, a user reported on Hacker News that his system failed an online test designed to detect a man-in-the-middle vulnerability introduced by Superfish, a program preloaded on some Lenovo consumer laptops.

However, his system did not have Superfish installed. Instead, the problem was tracked down to another advertising-related application called PrivDog, which was built with the involvement of Comodo’s CEO, Melih Abdulhayoglu. New PrivDog releases are announced on the Comodo community forum by people tagged as Comodo staff.

PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. As Abdulhayoglu puts it in a January 2014 post on his personal blog in which he describes the technology: “Consumers win, Publishers win, Advertisers win.”

However, according to people who recently looked at PrivDog’s HTTPS interception functionality, consumers might actually lose when it comes to their system’s security if they use the product.

Man-in-the-middle redux

In order to replace ads on websites protected with HTTPS (HTTP with SSL/TLS encryption), PrivDog installs its own self-generated root certificate on the system and then runs as a man-in-the-middle proxy. When users access secure HTTPS sites, PrivDog hijacks their connections and replaces the legitimate certificates of those sites with new ones signed with the locally installed root certificate.

Since the root certificate installed by PrivDog on computers is trusted by browsers, all certificates that chain back to it will also be trusted. This means that users will think that they’re securely speaking to the websites they accessed, while in the background, PrivDog will decrypt and manipulate their traffic.

That in itself is not a bad implementation. There are legitimate reasons for scanning HTTPS traffic and many security products use similar techniques to analyze encrypted traffic for potential threats.

Unlike Superfish, PrivDog installs a different root certificate on every system, so there’s no shared private key that would allow attackers to generate rogue certificates. However, it turns out they don’t even need a shared key.

The error in PrivDog’s implementation is simpler than that: The program doesn’t properly validate the original certificates it receives from websites. It will therefore accept rogue certificates that would normally trigger errors inside browsers and will replace them with certificates that those browsers will trust.

For example, an attacker on a public wireless network or with control over a compromised router could intercept a user’s connection to bankofamerica.com and present a self-signed certificate that would allow him to decrypt traffic. The user’s browser would normally reject such a certificate.

However, if PrivDog is installed, the program will take the attacker’s self-signed certificate and will create a copy signed with its own trusted root certificate, forcing the browser to accept it. In essence, the user’s traffic would be intercepted and decrypted by the local PrivDog proxy, but PrivDog’s connection to the real site would also be intercepted and decrypted by a hacker.
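The interception flaw described above, as an added Go example that is not PrivDog’s, Comodo’s or Adtrustmedia’s code: it models a proxy with its own locally trusted root and shows the non-validating path (the upstream certificate is re-signed unchecked, so an attacker’s self-signed certificate comes out trusted) beside the validating path that first verifies the upstream chain and hostname the way a browser would. The CA names, the `mint`/`resign`/`Scenario` helpers and the use of a single constructed public root in place of a browser’s CA bundle are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// entity is a certificate together with the private key that signs for it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint creates a CA certificate (isCA) or a server certificate for the host given as name. A nil
// signer makes it self-signed, which is how a root is born and also what an attacker presents.
func mint(name string, isCA bool, signer *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, fine for a demo
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if signer == nil {
		signer = &entity{cert: tmpl, key: key} // sign with our own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &entity{cert: cert, key: key}, nil
}

// trustedBy reports whether a verifier that trusts only root accepts cert for host: the chain
// must reach root, the name must match and the certificate must be inside its validity period.
func trustedBy(cert *x509.Certificate, root *entity, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// resign mints the replacement certificate the browser sees, signed by localRoot (the root the proxy
// installed in the user's trust store). validate applies the browser-equivalent check to the upstream
// certificate first; without it, an attacker's self-signed certificate is laundered into a trusted one.
func resign(upstream *x509.Certificate, host string, localRoot, publicRoot *entity, validate bool) (*x509.Certificate, error) {
	if validate && !trustedBy(upstream, publicRoot, host) {
		return nil, errors.New("upstream certificate failed validation; refusing to re-sign it")
	}
	leaf, err := mint(host, false, localRoot)
	if err != nil {
		return nil, err
	}
	return leaf.cert, nil
}

// Scenario builds a public CA, the proxy's root, the site's genuine certificate and an attacker's
// self-signed one for host, then runs the flawed and the validating proxy against both.
func Scenario(host string) (flawedLaunders, hardenedBlocks, hardenedGenuine bool, err error) {
	publicCA, err1 := mint("Constructed Public Root CA", true, nil)
	localRoot, err2 := mint("Constructed Proxy Root", true, nil)
	genuine, err3 := mint(host, false, publicCA)
	attacker, err4 := mint(host, false, nil) // self-signed: a browser on its own rejects this
	if err = errors.Join(err1, err2, err3, err4); err != nil {
		return
	}
	// Flawed proxy: the attacker's certificate is never checked, just replaced by a trusted one.
	laundered, err := resign(attacker.cert, host, localRoot, publicCA, false)
	if err != nil {
		return
	}
	flawedLaunders = trustedBy(laundered, localRoot, host)
	// Validating proxy: the self-signed upstream is refused, the genuine one still goes through.
	_, blockErr := resign(attacker.cert, host, localRoot, publicCA, true)
	_, genuineErr := resign(genuine.cert, host, localRoot, publicCA, true)
	hardenedBlocks, hardenedGenuine = blockErr != nil, genuineErr == nil
	return
}
```

The three results of `Scenario` are the whole story: the flawed proxy turns a certificate the browser would have rejected into one it trusts, while the validating proxy refuses it and still serves the properly signed site.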

PrivDog is bundled with some products from Comodo, like Comodo Internet Security as well as its Chromodo, Dragon and IceDragon browsers. However, it seems that these products include PrivDog version 2, which lacks the HTTPS proxy functionality, and thus does not expose users to man-in-the-middle attacks.

The PrivDog version that exposes users to man-in-the-middle attacks is version 3, which is available to download as a stand-alone application and which supports a large number of browsers including Google Chrome, Mozilla Firefox and Internet Explorer, according to security researcher Filippo Valsorda, whose online HTTPS test was updated to account for it.

This “potential issue” only exists in PrivDog versions and that have never been distributed by Comodo and are not present in the company’s browsers, a Comodo representative said Monday via email.

The PrivDog team at Adtrustmedia has published a security advisory that assigns a low threat level to the vulnerability. A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version, the team said. The new version——is also available for download from the company’s site.

“As long as people use this practice of ‘breaking the chain of trust’ there are bound to be some who implement it utterly wrong,” said Amichai Shulman, CTO of security firm Imperva, via email. “Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.”

Some people believe that the PrivDog vulnerability is even worse than the one introduced by Superfish.

“By comparison, the Superfish ‘man-in-the-middle’ process at least requires the name of the targeted website to be inserted into the certificates alternate name field,” said Mark James, a security specialist at antivirus firm ESET. “Although Superfish allows the possibility of massive exploitation with this flaw it is still marginally better than what PrivDog is doing.”

However, it’s not just Superfish or PrivDog that open such security holes on computers. Researchers determined that the Superfish vulnerability was actually in a third-party software development kit from a company called Komodia. The same SDK is used in other products as well, including parental control applications, VPN clients and software from a security vendor called Lavasoft.


Week 5

Article 1:

The Scary Things Hackers Can Do to Your Car

PHOTO: Cybersecurity measures on in-car electronics can be inconsistent across different manufacturers.

Nearly all new cars on the market include wireless technology that make drivers vulnerable to hacking or an invasion of privacy, according to a report released today.

The report, titled “Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk,” was released by Sen. Edward Markey, D-Mass.

Markey said in his report that he wrote letters to major car manufacturers to try to determine the prevalence of technologies that are intended to improve driver safety and car performance but raise concerns about security.

For the report, he used feedback from the 16 major car manufacturers who responded, including BMW, Chrysler, Ford, General Motors, Honda, Hyundai and Jaguar Land Rover.

As for the security concerns, one expert expressed sentiments similar to Markey’s.

“Automobiles have become increasingly more connected, creating both opportunities as well as vulnerabilities, through wireless networks,” credit security expert Adam Levin, chairman and founder of IDT911, told ABC News today.

Though Markey and Levin didn’t cite actual incidents, here are some things that hackers could potentially do with access to your car and its information:

1. Car movement

In a 2013 Defense Advanced Research Projects Agency (DARPA) study cited by Markey, researchers used a laptop to see how they could control two cars from different manufacturers. They were able to cause the cars to “suddenly accelerate, kill the brakes, activate the horn” and more, according to the report.

Levin said the frightening scenarios of thieves stealing property or exposing drivers and their children to carjacking by unlocking car doors, or imprisoning them by locking the doors, are within reach. He added that exposing drivers to accidents is another malicious activity that could happen.

2. Modify car indicators

In the same 2013 DARPA study, the researchers could also modify the speedometer and gas gauge readings and control the headlights. Last year, the same researchers analyzed the “hackability” of 21 different car models from 10 manufacturers and found varying levels of security for each car with respect to wireless entry points.

Of the 16 car makers that responded to Markey’s letter, 14 provided the percentage of 2013 model year cars that have wireless entry points and projections for their 2014 vehicles. Eleven of those 14 said 100 percent of their cars have wireless entry points and some cited the federal mandate for tire pressure monitoring systems as the major contributor.

3. Reading data

While car manufacturers sometimes collect data from vehicle technologies to improve safety or the customer experience, others could access driver data for malicious purposes, the report states. The report mentions previous research that shows one can “remotely and wirelessly access a vehicle’s network through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo.”

“While I understand that vehicle manufacturers have begun the process of exchanging threat assessments and are communicating more with transportation safety officials, it is critical that we treat this matter with urgency,” Levin told ABC News.

4. Finding a driver’s location

Markey refers to the increasing use of navigation or other technologies that could be used to record someone’s location or driving history.

“A number of new services have emerged that permit the collection of a wide range of user data, providing valuable information not just to improve vehicle performance, but also potentially for commercial and law enforcement purposes,” the report states.

5. Disabling a car

Car dealerships and navigation systems providers also use “remote disabling” to track and disable cars if drivers fall behind on payments, or if cars are stolen.

Millions of these devices are on the road, including the PassTime GPS tracker that helped catch Delvin Barnes, accused last year of kidnapping Carlesha Freeland-Gaither of Philadelphia.

Corinne Kirkendall, vice president of compliance and public relations for PassTime, told ABC News in November that the company requires dealers to obtain written consent from drivers acknowledging that the device is on the car and how it is used. All dealers must follow laws regulating the collection of personal information, she said.

Spokesman for the Alliance of Automobile Manufacturers Wade Newton said the trade group hasn’t fully reviewed the report but released a statement that said, “Manufacturers today employ a variety of methods to provide consumers with clear notices of their privacy practices, including through owner’s manuals and company websites.”

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production – and security testing never stops,” Newton said in the statement.

In January, the alliance, an association of 12 major manufacturers, signed on as a “Champion of Data Privacy Day 2015.”


Article 2:

Shhh! Your smart TV is eavesdropping on you

Samsung’s Smart TV privacy policy is raising new concerns about eavesdropping, though it’s not the first example of unnerving behavior from our televisions.

Some Samsung TVs now include a microphone on the remote control for entering voice commands. As one Reddit user pointed out, Samsung’s privacy policy effectively warns users to watch what they say, as the TV ships off voice data to an unnamed third party—presumably for the purpose of translating the speech to text.

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition,” the policy states.

Samsung says it uses “industry-standard security safeguards and practices, including data encryption” to secure users’ personal information, and notes that users can disable voice commands or turn off Wi-Fi connectivity entirely. (See the bottom of this article for the full statement.) Still, that hasn’t stopped the inevitable comparisons to George Orwell’s 1984, suggesting that we’re well on the way to a dystopian future.

Why this matters: It’s worth noting that Samsung only sends voice data when you’re actually telling the TV to do so (for instance, by hitting the microphone button on the remote control), so the comparisons to Orwell’s omnipresent recording boxes are a bit overblown. Still, Samsung’s policy of shipping the data off to a third party with no guarantees of its privacy is unsettling, especially given the government’s interest in the connected home as a potential trove of personal data.

Can you trust your TV?

On a broader level, Samsung is contributing to the idea that smart TVs (and for that matter, all connected home devices) are not to be trusted.

Concerns over the safety of smart TVs date back to at least 2012, when hackers demonstrated the ability to take over televisions with built-in cameras and microphones. But more recently, the real disturbing behavior has come from TV makers themselves.

In 2013, for instance, LG was caught uploading information on file names from USB and networked storage devices, even for users who had opted out of having their viewing information collected. LG eventually disabled the data transmission through a firmware update, but only after the U.K. government started asking questions. Its smart TVs also transmit your every word to offsite servers when listening for instructions.

Still, some manufacturers require users to share other kinds of information, such as viewing habits, in order to access any Internet-based features. Opt out of sharing that data with LG or Toshiba, for instance, and you won’t be able to watch Netflix.

In most cases, TV makers are just looking to squeeze out some more ad revenue while their hardware margins shrink. While Samsung’s snooping case seems a bit different, it’s not helping to restore trust in these supposedly smart televisions.

Update 2:00 P.M. EST: Samsung provided the following statement:

“Samsung takes consumer privacy very seriously. In all of our Smart TVs, any data gathering or their use is carried out with utmost transparency and we provide meaningful options for consumers to freely choose or to opt out of a service. We employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.
Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. Should consumers enable the voice recognition capability, the voice data consists of TV commands, or search sentences, only. Users can easily recognize if the voice recognition feature is activated because a microphone icon appears on the screen.
Samsung does not sell voice data to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV. Samsung encourages consumers to contact the company directly with any product concerns or questions at 0330 726 7864.”


Week 4

Article 1:

Companies Need to Take Responsibility for Protecting Sensitive User Data

Cyber-criminals have grabbed headlines for highly-publicized data breaches in recent years. However, the greatest blame for many of these incidents is squarely on the shoulders of organizations that don’t properly manage sensitive data. Harvesting personally identifiable information requires far less effort due to insufficient security controls and the mass amounts of information exposed by organizations every day. The problem is exacerbated by employees with too much access and those who accidentally share mismanaged data.

While compliance helps drive business need, it is clearly not enough as evidenced by the 2013 Target breach and many subsequent retail industry breaches in 2014. A holistic approach to risk that includes data discovery, data classification and data protection is the most effective in preventing critical information from getting into the wrong hands.

Changing the breach mindset.

Organizations in all industries must stop working under the assumption of “if,” and instead, build strategies around “when” a data breach will occur. The bad guys are only getting better at what they do, and are often ahead of the security curve. When companies rely too heavily on securing the perimeter instead of managing the items within the perimeter, they’re setting themselves up for a more damaging breach.

A strong defense is important and necessary, but consider this analogy. If the world thinks you keep a pile of cash in your car, someone will try breaking in to steal it, even if the door is locked. If they knew it was secured in a safe or didn’t know it existed, they likely would not bother breaking in.

Greater attention to Sensitive Data Management.

Sensitive data management is a strategy that incorporates people, process and technology focused on data discovery, classification, security governance and protection. Sensitive data management can include the usage of data loss prevention technology, but as a whole it is a comprehensive strategy to know where your data is, what is at risk, who has access, when it is touched and how to protect it. Most organizations incorporate these steps into their sensitive data management best practices:

  • Defining what the organization deems as sensitive information.
  • Knowing where sensitive data is and who has access.
  • Classifying data in terms of importance and potential harm to your organization, if stolen.
  • Identifying who the data owner is.
  • Governing the accountability of data owners.
  • Determining if data is necessary or obsolete and if it poses unnecessary risk.
  • Eliminating data as soon as it is no longer necessary, or protecting it if it must exist.

The consequences of not employing effective sensitive data management strategies are quite severe, as many breached organizations have learned. It can take many years to undo the damaging impact of data breaches that are exacerbated by improper sensitive data management controls, if they can be remedied at all. Some consequences include:

  • Compliance fines, legal costs and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
  • Lingering sales drop. Studies have shown that in the finance, retail and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
  • Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it also takes up valuable space on your network.

Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to sensitive data they don’t even know they have and are at great risk that it could be stolen or exposed. In a day when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.


Article 2:

Hackers’ Next Major Target: Your Smartphone

It was difficult to go through a week this year without hearing of another major cybersecurity breach. And it looks as though 2015 will be no different, but this time it will be mobile phones that become the big battleground for hackers, security experts have warned.

Most of the ever-lengthening list of headline-hitting hacks—including Sony Pictures and retailer Target—have happened via a compromise to the companies’ computer networks. Up until now smartphones have escaped relatively unscathed.

But as businesses allow their employees to use their own mobile devices for work, people use their phones to log into local wi-fi and the mobile e-commerce space explodes, analysts warn hackers are likely to follow the money.

“They (smartphones) are now so integrated into people’s lives and people are using them for all the things they would have used the laptop for five years ago,” David Emm, senior security researcher at Kaspersky Lab, told CNBC by phone.

“We are taking them in and out of businesses and on travel and we are a target in a hotel, café and pretty much anywhere. The fact that they are switched on all the time makes them a good target.”

Kaspersky found that mobile attacks had increased fourfold in the year to the end of October 2014 to 1,363,549 unique attacks, compared with the same period in the previous year.

Business and pleasure

Behind the heightened threat of hack attacks are two major drivers: the rising trend of bring your own device (BYOD) to work, and the increasing amount of money transactions done through phones.

Twice as many employee-owned devices will be used for work than enterprise-owned devices by 2018, according to Gartner, the information technology research firm. But this also increases the risk of a breach at a company.

“Businesses and enterprises are letting employees use the latest smartphones and access things like corporate emails and suddenly the mobile device is as convenient as working on a larger device,” Vinod Banerjee, partner and data protection specialist at law firm Taylor Wessing, told CNBC by phone.

“You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.”

If a hacker is able to compromise a user’s personal device, they could easily get access to corporate emails or sensitive data.

Follow the money

Mobile e-commerce or “m-commerce” has also been on the rise and is also set to continue growing, especially after Apple announced Apple Pay earlier this year. An increasing number of people are paying for items on their mobiles and near-field communication (NFC) technologies will drive future growth.

Consumers are now storing lots of financial information on their phones through banking apps and virtual wallets.

Annual transaction value of online, mobile and contactless payments will reach $4.7 trillion by 2019, up from just over $2.5 trillion this year, according to Juniper Research. And this is tasty for hackers looking to make some serious money.

“You have both Samsung and Apple with their new pay system which suddenly opens the floodgates for phones to become the predominant method for payment,” Greg Day, FireEye’s chief technology officer for EMEA, told CNBC by phone.

“The simple reality is that we as consumers use our phones more and more and our wallets and laptops less and less. The criminal will surely follow that.”


Week 3

Article 1:

As a rule, rogue Android apps don’t last long on Google Play — either Google catches them quickly, or enough people complain that something gets done. That doesn’t appear to have happened with a recent batch of apps, though. Antivirus developer Avast has noticed that multiple titles, including some with millions of downloads, have been harboring a sneaky form of adware that tries to fool you into either paying for content or violating your privacy. The apps will often work normally for days, but eventually pester you with ads warning about non-existent updates and viruses every time you unlock your phone. If you’re tempted enough to tap one of the ads, you’re steered to far more dangerous content that may send premium text messages (without asking, naturally), harvest personal info or otherwise compromise your device.

At least some of the offending apps are gone as I write this, so there’s no doubt that Google is clamping down. However, it does raise the question of why these apps managed to get relatively popular before the hammer fell — even if they were pumped up by fake downloads, there were negative reviews indicating that something was amiss. We’ve reached out to Google to get more details about what happened and what it might be doing to mitigate these problems in the future. For now, your best defenses are to either install only the apps you trust, or to read reviews carefully before you take the plunge.


Article 2:

People Are Still Using Terrible Passwords

Imagine you have a house where you keep your valuables. The rooms contain expensive family heirlooms, wads of cash and photos from that once-in-a-lifetime trip. You always make sure to keep the house locked, and you’re the only one with a key to the place. Now, would you hide the key under a welcome mat that reads: “There’s a key under here”?

Obviously, this seems foolish. Now think of that house as the Internet, and instead of heirlooms, it has your banking information and Social Security number. There are still photos, but there is also access to your work files. Your password is the key that keeps it all safe, so if you pick a password like “123456,” you’re essentially giving cybercriminals a spare key to your sensitive data.

We’ve told you this before, but it seems a refresher might be in order.

The Internet security app company SplashData has released its latest list of the worst passwords of the year. Once again, the dubious honor of the top slot goes to the geniuses who keep “123456” as their password of choice — though “12345” and “12345678” were also in the top five.

The worst passwords aren’t simply numerical. The silver medal in this event of computer carelessness goes to whoever uses “password” as a password. That includes you, Sony Pictures.

New to the list are the words “access,” “superman,” “batman,” “master” and “michael.” You can see the full collection of 25 cybersecurity fails here, but it’d probably be more useful to check out this infographic on how to create a password that’s effective.


More for this article:

“123456” Maintains the Top Spot on SplashData’s Annual “Worst Passwords” List

The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.

SplashData has announced its annual list of the 25 most common passwords found on the Internet – thus making them the “Worst Passwords” that will expose anybody to being hacked or having their identities stolen. In its fourth annual report, compiled from more than 3.3 million leaked passwords during the year, “123456” and “password” continue to hold the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include “qwerty,” “dragon,” and “football.”

As in past years’ lists, simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only.

Passwords appearing for the first time on SplashData’s list include “696969” and “batman.”

While Valentine’s Day is less than a month away, “iloveyou” is one of the nine passwords from 2013 to fall off the 2014 list.

According to SplashData, the passwords evaluated for the 2014 list were mostly held by users in North America and Western Europe. In 2014, millions of passwords from Russian accounts were also leaked, but these passwords were not included in the analysis.

SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are,” said Morgan Slain, CEO of SplashData. “Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure.”

For example, users should avoid a sequence such as “qwertyuiop,” which is the top row of letters on a standard keyboard, or “1qaz2wsx” which comprises the first two ‘columns’ of numbers and letters on a keyboard.

Other tips from a review of this year’s Worst Passwords List include:

  • Don’t use a favorite sport as your password – “baseball” and “football” are in the top 10, and “hockey,” “soccer” and “golfer” are in the top 100. Don’t use a favorite team either, as “yankees,” “eagles,” “steelers,” “rangers,” and “lakers” are all in the top 100.
  • Don’t use your birthday or especially just your birth year — 1989, 1990, 1991, and 1992 are all in the top 100.
  • While baby name books are popular for naming children, don’t use them as sources for picking passwords. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50.

Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

This is the first year that SplashData has collaborated on the list with Mark Burnett, online security expert and author of “Perfect Passwords” (http://www.xato.net).

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” Burnett said. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

SplashData, provider of the SplashID line of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords. Slain says, “As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

Presenting SplashData’s “Worst Passwords of 2014”:

1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)
25. trustno1 (Down 1)

SplashData offers three simple tips to be safer from hackers online:
1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.
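To make the list and the tips above concrete, here is an added password-screening example (not SplashData’s or the article’s own code) that rejects the worst-25 entries, digits-only and bare birth-year strings, the keyboard row and column walks the article cites (“qwertyuiop”, “1qaz2wsx”), and the named sports, teams and first names, then applies the length and mixed-character tips. The keyboard layout, the three-character-class reading of “mixed types”, the minimum walk length and the sample leak are assumptions constructed for this example.

```python
"""Screen passwords against the weak patterns called out in SplashData's 2014 list.

Added example: the word lists come from the article above; the keyboard layout,
the "mixed types" threshold and the sample leak are constructed assumptions.
"""
import re
import string
from typing import List

# The 25 entries of SplashData's "Worst Passwords of 2014" (from the article).
WORST_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}

# Sports, teams and first names the article reports in the top 50 / top 100.
COMMON_WORDS = {
    "baseball", "football", "hockey", "soccer", "golfer",
    "yankees", "eagles", "steelers", "rangers", "lakers",
    "michael", "jennifer", "thomas", "jordan", "hunter", "michelle",
    "charlie", "andrew", "daniel",
}

# Assumed US keyboard layout. Rows give left-to-right runs such as "qwertyuiop";
# the columns, joined in order, give the top-to-bottom walk the article cites
# ("1qaz2wsx" is the first two columns).
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]
KEY_WALKS = KEY_ROWS + ["".join(KEY_COLUMNS)]
KEY_WALKS += [walk[::-1] for walk in KEY_WALKS]   # also catch reversed walks

MIN_WALK_LEN = 4      # shortest keyboard run worth flagging (assumption)
MIN_LENGTH = 8        # tip 1: eight characters or more
MIN_CLASSES = 3       # tip 1: "mixed types" read as three of the four classes below


def keyboard_walk(text: str) -> str:
    """Return the longest substring (>= MIN_WALK_LEN) that traces a keyboard
    row or column walk in either direction, or "" when there is none."""
    best = ""
    for start in range(len(text)):
        for end in range(start + MIN_WALK_LEN, len(text) + 1):
            chunk = text[start:end]
            if len(chunk) > len(best) and any(chunk in walk for walk in KEY_WALKS):
                best = chunk
    return best


def char_classes(password: str) -> int:
    """Count which of lower, upper, digit and punctuation appear in the password."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(test(c) for c in password) for test in tests)


def check_password(password: str) -> List[str]:
    """Return every reason the password breaks the article's advice (empty = passes)."""
    low = password.lower()
    reasons = []
    if low in WORST_2014:
        reasons.append("on SplashData's 2014 worst-25 list")
    if low in COMMON_WORDS:
        reasons.append("common name, sport or team")
    if password.isdigit():
        reasons.append("numbers only")
    if re.fullmatch(r"(19|20)\d\d", password):
        reasons.append("looks like a birth year")
    walk = keyboard_walk(low)
    if walk:
        reasons.append(f"keyboard pattern '{walk}'")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character types")
    return reasons


def worst_list_share(passwords: List[str]) -> float:
    """Fraction of a leaked set that sits on the worst-25 list, the figure Burnett
    quotes as about 2.2% for the 2014 data."""
    hits = sum(1 for p in passwords if p.lower() in WORST_2014)
    return hits / len(passwords) if passwords else 0.0


# Constructed sample leak, not real data.
SAMPLE_LEAK = ["123456", "password", "Correct-Horse7batt", "1qaz2wsx", "jennifer",
               "Winter2014!", "trustno1", "letmein", "hunter", "mustang"]

if __name__ == "__main__":
    for pw in SAMPLE_LEAK:
        print(f"{pw!r:22} {check_password(pw) or ['ok']}")
    print(f"worst-25 share of sample: {worst_list_share(SAMPLE_LEAK):.0%}")
```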


Week 2

Article 1:

To Fight Hackers, Obama Wants Companies to Share Threats

U.S. President Barack Obama on Tuesday will announce a renewed push for cybersecurity legislation after recent headline-grabbing hacks against companies like Sony Pictures and Home Depot.

Obama will throw his support behind efforts to give liability protection to companies that quickly share information about attacks, but will require strict protections for personal information, the White House said in a statement.

The White House first proposed cyber legislation in 2011. In the last Congress, the Republican-controlled House of Representatives passed a bill, but the Senate failed to clear legislation.

Lawmakers have struggled to balance corporate concerns about liability with consumer fears about privacy, especially following the leak of information about government surveillance programs by former contractor Edward Snowden.

The government itself has not been immune from cyber problems. On Monday, social media accounts for the U.S. military command that oversees operations in the Middle East were hacked by people claiming to be allied with Islamic State militants.

Obama will meet with congressional leaders at the White House on Tuesday, and is expected to discuss his cybersecurity proposals.

In a speech at the Department of Homeland Security’s cybersecurity nerve center slated for 3:10 p.m. ET, Obama also will propose new powers for law enforcement to investigate and prosecute cybercrime, the White House said.

His proposal includes measures to allow for the prosecution of the sale of botnets, and would give courts the power to shut down botnets responsible for distributed denial of service attacks.

Botnets are typically used to steal financial information, to relay spam messages and to conduct “denial-of-service” attacks against websites by having all the computers try to connect simultaneously.

Other measures would be aimed at deterring the sale of spyware and would make selling stolen credit card information overseas a crime, the White House said.

Obama also will announce details of a cybersecurity summit slated for Feb. 13, an event that will take place not at the White House, but in Silicon Valley, at Stanford University.

Obama’s legislative proposals are part of a preview of his Jan. 20 State of the Union address.

On Monday, he announced he wants to work with Congress on a law that would require companies to tell consumers within 30 days from the discovery of a data breach that their personal information has been compromised.

He also wants to codify a “Consumer Privacy Bill of Rights” that gives consumers more say in how companies use their data.


Article 2:

Make Hacking Harder

Think your website is safe? Think again. According to Sophos Labs, a computer security company, more than 30,000 websites are hacked each day. These breaches can cost companies billions of dollars and threaten customer trust.

Protecting your site starts with leadership, making sure the right people are in place to create solid plans and execute them when the worst occurs. Take a look at this exclusive infographic for the basics to focus your company’s approach.

Make Hacking Harder (Infographic)