Pete Recommends – Weekly highlights on cyber security issues July 7, 2018

Subject: Capital Gazette gunman harassed journalists on Twitter. Why wasn’t he stopped?
Source: USA Today

The failure to stop Jarrod Ramos, charged with five counts of first-degree murder for Thursday’s deadly rampage at the Capital Gazette newspaper in Annapolis, shows the blind spots that foil law enforcement and Internet companies — even as the social media gusher puts the warning signs in plain sight.

“The terror and violence that we saw at Capital Gazette is another horrible example why our laws need to be updated to reflect modern-day crime,” said Rep. Katherine Clark, D-Mass., who has been pushing for years to bolster federal online harassment laws and increase cyber-training for police departments around the country.

Ramos, 38, posted harassing social media messages that alarmed editors at the paper and led police to investigate, but fell short of leading authorities to pursue charges or Twitter to ban him. Twitter suspended Ramos’ account Friday. It declined to comment on it.

Subject: ‘Why You Should Not Use Google Cloud’
Source: Slashdot

A user on Medium named “Punch a Server” says you should not use Google Cloud due to the “‘no-warnings-given, abrupt way’ they pull the plug on your entire system if they (or the machines) believe something is wrong.” The user has a project running in production on Google Cloud (GCP) that is used to monitor hundreds of wind turbines and scores of solar plants scattered across 8 countries. When their project goes down, money is lost. An anonymous Slashdot reader shares the report: Early this morning (June 28, 2018) I receive an alert from Uptime Robot telling me my entire site is down. I receive a barrage of emails from Google saying there is some “potential suspicious activity” and all my systems have been turned off. EVERYTHING IS OFF. THE MACHINE HAS PULLED THE PLUG WITH NO WARNING. The site is down, app engine, databases are unreachable, multiple Firebases say I’ve been downgraded and therefore exceeded limits.

Customer service chat is off. There’s no phone to call. I have an email asking me to fill in a form and upload a picture of the credit card and a government issued photo id of the card holder. Great, let’s wake up the CFO who happens to be the card holder. What if the card holder is on leave and is unreachable for three days? We would have lost everything — years of work — millions of dollars in lost revenue. I fill in the form with the details and thankfully within 20 minutes all the services started coming alive. The first time this happened, we were down for a few hours. In all we lost everything for about an hour. An automated email arrives apologizing for “inconvenience” caused. Unfortunately The Machine has no understanding of the “quantum of inconvenience” caused.

Subject: I-95 study tests taxing cars per miles-driven, not gas used
Source: Delaware Online via The Republic

But the idea of tracking private vehicles raises privacy concerns. I-95 Corridor Coalition director Patricia Hendren says user data would be erased after each month’s invoice, and aggregated data would be seen only by state transportation departments from Maine to Florida.

Subject: Facial Recognition Company Kairos CEO argues that technology’s bias and capacity for abuse make it too dangerous for use by law enforcement
Source: Slashdot via NNSquad via The Risks Digest

Lauren Weinstein <[email protected]> Mon, 25 Jun 2018 11:27:38 -0700
Facial recognition technologies, used in the identification of suspects, negatively affect people of color. To deny this fact would be a lie. And clearly, facial recognition-powered government surveillance is an extraordinary invasion of the privacy of all citizens—and a slippery slope to losing control of our identities altogether.


Subject: Bitcoin Could Break the Internet, Central Bank Overseer Says
Source: Bloomberg

The Bank for International Settlements just told the cryptocurrency world it’s not ready for prime time — and as far as mainstream financial services go, may never be.

In a withering 24-page article released Sunday as part of its annual economic report, the BIS said Bitcoin and its ilk suffered from “a range of shortcomings” that would prevent cryptocurrencies from ever fulfilling the lofty expectations that prompted an explosion of interest — and investment — in the would-be asset class.

In one of its most poignant findings, the BIS analyzed what it would take for the blockchain software underpinning Bitcoin to process the digital retail transactions currently handled by national payment systems. As the size of so many ledgers swells, the researchers found, it would eventually overwhelm everything from individual smartphones to servers.

The report may also revive concerns that, for all its ingenuity, the blockchain’s transactions will get harder and harder to protect as the network scales up.

Subject: Why Hackers Aren’t Afraid of Us
Source: The New York Times

At his confirmation hearings in March to become director of the N.S.A. and commander of the United States Cyber Command, Gen. Paul Nakasone was asked whether our adversaries think they will suffer if they strike us with cyberweapons. “They don’t fear us,” General Nakasone replied.

So while the United States remains the greatest cyberpower on earth, it is increasingly losing daily cyberconflicts. The range of American targets is so wide and deep that it is almost impossible to understand all of the vulnerabilities. And because most of those targets don’t belong to the government — banks, power grids, shipping systems, hospitals and internet-linked security cameras, cars and appliances — confusion reigns over who is responsible for defending them and who will decide when to strike back. We have the most fearsome cyberweaponry on the planet, yet we’re afraid to use it for fear of what will come next.

But the United States’ problem isn’t toughness — it’s an absence of strategy. The larger lesson of the past few years is that unless we get smarter a lot faster about deterring these pernicious, hard-to-find forms of cyberaggression, much of what binds our digitally connected society will be eaten away. We have spent so much time worrying about a “cyber Pearl Harbor,” the attack that takes out the power grid, that we have focused far too little on the subtle manipulation of data that can mean that no election, medical record or self-driving car can be truly trusted. And ultimately that absence of trust will destroy the glue of American society the way the Stuxnet computer worm destroyed those Iranian centrifuges. It will cause them to spin out of control.

So what is to be done?

Subject: A new way to do big data with entity resolution
Source: Web Informant blog

I have this hope that most of you reading this post aren’t criminals, or terrorists. So this might be interesting to you, if you want to know how they think and carry out their business. Their number one technique is called channel separation, the ability to use multiple identities to prevent them from being caught.

Let’s say you want to rob a bank, or blow something up. You use one identity to rent the getaway car. Another to open an account at the bank. And other identities to hire your thugs or whatnot. You get the idea. But in the process of creating all these identities, you aren’t that clever: you leave some bread crumbs or clues that connect them together, as is shown in the diagram below.

Entity resolution is big business. There are more than 50 firms that sell some kind of service based on this, but they offer more of a custom consulting tool that requires a great deal of care and feeding and specialized knowledge. Many companies end up with million-dollar engagements by the time they are done. Jonas is trying to change all that and make it much cheaper to do it. You can run his software on any Mac or Windows desktop, rather than have to put a lot of firepower behind the complex models that many of these consulting firms use.
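The “bread crumbs” idea above is the core of entity resolution: separate identities that share a phone number, e-mail address or street address get linked, and the links chain together into one cluster. The following is an added toy implementation for investigators and fraud analysts, not code from the Web Informant post or from Jonas’s software. It assumes only exact matching on normalized identifiers (real products also do fuzzy and probabilistic matching), and all records, names, phone numbers and addresses below are constructed sample data.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Attributes that are allowed to link two records. Names are deliberately
# excluded: they are the one thing an adversary varies on purpose.
LINK_KEYS = ("phone", "email", "address")

# Constructed sample data: three "channels" (car rental, bank, hiring ad).
# The first three records use different names but share identifiers pairwise.
RECORDS = [
    {"id": "r1", "name": "John Smith", "phone": "555-0101", "address": "12 Elm St", "channel": "car_rental"},
    {"id": "r2", "name": "J. Smyth", "phone": "(555) 0101", "email": "alias1@example.invalid", "channel": "bank"},
    {"id": "r3", "name": "Jonathan S.", "email": "Alias1@example.invalid", "address": "12  elm st", "channel": "hiring"},
    {"id": "r4", "name": "Mary Jones", "phone": "555-0199", "address": "99 Oak Ave", "channel": "bank"},
    {"id": "r5", "name": "M. Jones", "phone": "555 0199", "channel": "car_rental"},
    {"id": "r6", "name": "Alex Brown", "address": "7 Pine Rd", "channel": "bank"},
]


def normalize(attr: str, value: str) -> str:
    """Canonicalise a value so trivially different spellings compare equal."""
    value = value.strip().lower()
    if attr == "phone":
        return re.sub(r"\D", "", value)   # digits only
    return re.sub(r"\s+", " ", value)     # collapse internal whitespace


class UnionFind:
    """Disjoint-set structure: records that share a key end up in one set."""

    def __init__(self, items: Iterable[str]):
        self.parent = {i: i for i in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve(records: List[dict], link_keys=LINK_KEYS) -> List[List[str]]:
    """Group record ids into clusters that transitively share any link key."""
    uf = UnionFind(r["id"] for r in records)
    index = defaultdict(list)  # (attr, normalized value) -> record ids
    for r in records:
        for attr in link_keys:
            if r.get(attr):
                index[(attr, normalize(attr, r[attr]))].append(r["id"])
    for ids in index.values():          # every shared value links its records
        for other in ids[1:]:
            uf.union(ids[0], other)
    clusters = defaultdict(list)
    for r in records:
        clusters[uf.find(r["id"])].append(r["id"])
    return sorted(sorted(c) for c in clusters.values())


def shared_evidence(records: List[dict], cluster: List[str], link_keys=LINK_KEYS) -> Dict[str, List[str]]:
    """Return the attribute values seen on two or more members: the bread crumbs."""
    members = [r for r in records if r["id"] in set(cluster)]
    counts = defaultdict(int)
    for r in members:
        for attr in link_keys:
            if r.get(attr):
                counts[(attr, normalize(attr, r[attr]))] += 1
    evidence = defaultdict(list)
    for (attr, val), n in counts.items():
        if n >= 2:
            evidence[attr].append(val)
    return {k: sorted(v) for k, v in evidence.items()}


if __name__ == "__main__":
    for cluster in resolve(RECORDS):
        names = [r["name"] for r in RECORDS if r["id"] in cluster]
        print(cluster, names, shared_evidence(RECORDS, cluster))
```

Note that r1 and r2 never share an address, and r2 and r3 never share a phone; they are still resolved to one entity because the links are transitive. The same property is what makes over-linking dangerous in practice: one shared value on a noisy attribute (a call-centre phone number, a PO box) can merge unrelated people, which is why production systems weight attributes and keep an audit trail like `shared_evidence` for every merge.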


Subject: Google reportedly allows outside app developers to read people’s Gmails
Source: Business Insider

  • Google promised a year ago to provide more privacy to Gmail users, but The Wall Street Journal reports that hundreds of app makers have access to millions of inboxes belonging to Gmail users.
  • The outside app companies receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners, according to The Journal.
  • Some of these companies train software to scan the email, while others enable their workers to pore over private messages, the report says.
  • What isn’t clear from The Journal’s story is whether Google is doing anything differently than Microsoft or other rival email services.

Subject: New survey shows executives heavily underestimate cybersecurity threats
Source: Tampa Bay Business Journal

A new survey shows a large disparity of understanding between IT and security professionals and their C-level counterparts. ERP Maestro, a provider of automated and cloud-based controls for access and security, conducted the survey. It showed that executives’ security concern was 55 percent lower than that of IT and security professionals. Dean Moez Limayem of USF’s MUMA College of Business believes that’s why universities are teaching students and executives the basics of cybersecurity.

“Executives aren’t aware of the threats that could jeopardize their assets,” Limayem said. “This is why we’re trying to bridge that gap, so that IT professionals and businessmen and women speak the same language in addressing these types of threats.”

Subject: How to Send Encrypted Email
Source: Consumer Reports

Setting up encryption used to be a complicated process, but that has changed. “It’s gotten so much easier in the last few years,” says Gabriella Coleman, the Wolfe Chair in Scientific and Technological Literacy at McGill University in Montreal. “It’s pretty unbelievable.”

Here are three of the most convenient and effective tools available.

Posted in: Blockchain, Cybercrime, Cybersecurity, Data Mining, Economy, Privacy, Social Media