Thursday, January 20, 2011

For my Computer Security students: “Segregation of duties” is far less likely in a small business.

Hackers Respond To Help Wanted Ads With Malware

"The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"

Is “suspected theft” a polite (i.e. politically correct) way to say “theft” or do they mean they could have lost the 7 million, but they think it was stolen? Easy way to find out. Ask Al Gore if he got his commission.

EU locks carbon market after security breach

LONDON/BRUSSELS--The European Union locked all accounts in its carbon market today, after a security breach, seeking to protect the battered reputation of the EU's main weapon against climate change.

… The European Commission suspended much of its Emissions Trading Scheme, the hub of a 92-billion-euro ($124 billion) global market, following the suspected theft of about 7 million euros of emissions permits from the Czech Republic's carbon registry.

This theft and a hacking attack on the Austrian registry on January 10 follows a raft of scandals to hit the market in the past two years, including VAT fraud, a phishing scam, and the resale of used carbon credits.

For my Computer Security students: What security control was missing, and which manager was responsible?

Nurse Fired for Snooping in Tiger Woods’ Records Files Defamation Suit

By Dissent, January 20, 2011

David Rothenberg was the charge nurse on duty at Health Central Hospital in Ocoee on Nov. 27, 2009, as paramedics wheeled in Tiger Woods. The golfer had just crashed his Cadillac Escalade into a tree and fire hydrant outside his Isleworth home.

According to Rothenberg, within hours of Woods’s arrival, someone inside the hospital improperly gained access to the patient’s confidential medical records using the nurse’s computer login and password.

“They said it had something to do with Tiger Woods’ lab results and my name was on there,” said Rothenberg. “I’ll be honest with you, I was scared. And I said, ‘I have no idea what you’re talking about.’”

In a defamation lawsuit filed this week against Health Central, the nurse claims he signed on to the hospital computer system and then walked away to tend to some other business.

“I minimized my screen, a common practice at the hospital,” said Rothenberg.

Rothenberg claims someone else must have approached his terminal, and within 10 minutes typed in “Tiger Woods,” as well as “Ronald Williams” and “Ernest Smith,” which the nurse has been told are aliases for the golfer.

Read more on (via @LawandLit)

This case is worth noting for several reasons:

1. The hospital detected – but did not prevent – unauthorized access to patient records.
2. An employee was disciplined for snooping in patient records.
3. The employee may not have snooped (if his story is true), but by taking shortcuts such as minimizing the window instead of logging out, may have contributed to his own grief.
4. There is no indication as to whether the hospital’s security controls automatically time users out after a certain amount of inactivity. If the nurse’s report is accurate, the system also does not automatically log people out when a window is minimized.
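A minimal model of the control Dissent asks about in point 4, added here as an illustration and not part of either blog post: a session that expires after an assumed five-minute idle period (minimising a window does nothing), plus a log check that flags chart lookups resuming after a long pause. User names, patient labels, timestamps and the policy value are constructed.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)     # assumed policy value for the demo


class Session:
    """Clinical-workstation session. Minimising a window is deliberately not
    modelled as a logout: only explicit logout or idle expiry ends the session."""

    def __init__(self, user, started, timeout=None):
        self.user = user
        self.last_activity = started
        self.timeout = timeout          # None = no inactivity control at all
        self.active = True
        self.audit = []                 # (time, user, patient, outcome)

    def lookup(self, patient, now):
        """Chart lookup; every attempt is recorded under the logged-in user."""
        if self.active and self.timeout and now - self.last_activity > self.timeout:
            self.active = False         # expire on the first action after the gap
        if not self.active:
            self.audit.append((now, self.user, patient, "denied"))
            return False
        self.last_activity = now
        self.audit.append((now, self.user, patient, "granted"))
        return True


def walkaway_accesses(audit, gap=timedelta(minutes=5)):
    """Detection: the first granted lookup after a long pause in one session.
    A burst of chart reads after an idle gap is the signature of someone using
    an unattended login, which is exactly what an idle timeout prevents."""
    flagged, prev = [], None
    for entry in audit:
        time, _user, _patient, outcome = entry
        if outcome == "granted":
            if prev is not None and time - prev >= gap:
                flagged.append(entry)
            prev = time
    return flagged


def scenario(timeout):
    """Constructed replay: one lookup by the nurse, then, ten minutes after the
    screen was minimised, three lookups typed by someone else at the terminal."""
    t0 = datetime(2009, 11, 27, 6, 0)
    s = Session("nurse01", t0, timeout)
    s.lookup("PATIENT-A", t0 + timedelta(minutes=1))
    later = ["PATIENT-B", "ALIAS-1", "ALIAS-2"]
    results = [s.lookup(p, t0 + timedelta(minutes=11 + i)) for i, p in enumerate(later)]
    return results, s.audit
```

Without a timeout every lookup is granted and logged under the nurse's name, so the audit trail alone cannot tell who typed; with the timeout the three later lookups are refused outright.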

Oh for shame. You did something naughty, now you have to pay me... (Not a very well-written article, but you get the idea...)

It has been brought to your regional BBB’s attention via the Central and Eastern KY BBB that there is a Wikileaks automated phone scam circulating.

A caller reported she received an automated phone call telling her that her computer and IP address had been noted as having visited the Wikileaks site, and that there were grave consequences for this, including a $250,000 or $25,000 fine, perhaps imprisonment. It left an option for leaving a message as to how she was going to handle this and the fine payment. She figured it was a scam, and did nothing but hang up. It gave a number on caller ID of 852-604-4799. Reverse searches on the Internet don’t bring up anything but a couple subjective chat boards where people report similar calls.

Social Security numbers were never intended to be used as identification numbers, but “everyone does it.” Shouldn't someone have noticed long before now?

Ingenix discovers it may have been exposing health service providers’ SSNs for up to 5 years

January 19, 2011 by admin

This is one of those breaches where I really don’t blame the company, which in this case is Minnesota-based Ingenix.

Ingenix provides web-based lookups so that patients can find providers in their area covered by their health plan. The provider data Ingenix uses is provided by the health plans or preferred provider plans themselves.

Ingenix recently discovered that in some cases, the health plans or preferred providers had used the providers’ Social Security Numbers as provider identification numbers. Thus, when someone looked up that provider through Ingenix’s search tool, the provider’s SSN was exposed, even though it was not identified as a Social Security Number and may not have been readily apparent as such. In some cases, providers’ SSN may have been available for five years.

Ingenix reported the issue to the New Hampshire Attorney General’s Office on January 6. Their notification letter indicates that they have offered 142 providers in New Hampshire free credit monitoring and credit restoration services. The total number of providers notified was not mentioned in the notification.

Providers can enroll for protection through a web site set up for them by ID Experts at
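An intake check of the kind that would have caught the feed problem described above, added here as an example rather than anything Ingenix or the health plans run: it screens incoming provider identifiers for SSN structure before they reach a public lookup. The sample rows and the function names are constructed; the structural rules (area never 000, 666 or 900 and up; group never 00; serial never 0000; two famous never-issued numbers) are the SSA's published ones.

```python
import re

# Accepts 3-2-4 digits with dashes, spaces, or no separators at all.
SSN_RE = re.compile(r"^(\d{3})[- ]?(\d{2})[- ]?(\d{4})$")
NEVER_ISSUED = {"078051120", "219099999"}   # advertising-sample numbers, never assigned


def is_ssn_shaped(value: str) -> bool:
    """True when the value could be a real Social Security Number."""
    m = SSN_RE.match(str(value).strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    if "".join(m.groups()) in NEVER_ISSUED:
        return False
    return True


def screen_provider_feed(rows):
    """rows: dicts as received from a health plan. Returns the rows safe to
    publish and a list of (row_index, provider_id) to hold back for review."""
    safe, held = [], []
    for i, row in enumerate(rows):
        pid = str(row.get("provider_id", ""))
        if is_ssn_shaped(pid):
            held.append((i, pid))
        else:
            safe.append(row)
    return safe, held


SAMPLE_FEED = [  # constructed rows, not real providers
    {"name": "Dr A", "provider_id": "1234567893"},   # 10 digits: not SSN-shaped
    {"name": "Dr B", "provider_id": "123-45-6789"},  # SSN-shaped, dashed
    {"name": "Dr C", "provider_id": "987654321"},    # area 987 cannot be issued
    {"name": "Dr D", "provider_id": "545231234"},    # SSN-shaped, separators stripped
    {"name": "Dr E", "provider_id": "PRV-00042"},    # plan-assigned identifier
]
```

Because the plan never labels the field as an SSN, the check has to go by shape alone; if a plan's real identifiers are known never to be nine digits, tightening the rule to "any nine-digit value" is the safer setting.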

Interesting “business plan.” If I didn't know better, I'd think the NSA was behind this company... - Record Phone Conversations

As the title of the review puts it, this is a new application that will let you record phone conversations. This can be done without having to get any additional hardware, and the fact the whole application is web-based means that you are not required to download and install anything either.

All you have to do is to dial 877-395-3442 from your phone and follow the provided instructions for the next call that you make to be recorded. You will then be provided with a session code that you can use to retrieve the call.

This service is provided at no cost, and the basic functionality at play (that of recording phone conversations) will always remain like that. Some premium features might be implemented later on, but the recording of phone calls will remain unchanged.

And just in case you are wondering, all the recorded phone calls are stored on Twilio, i.e. a secure server. You should not worry about the safety and privacy of what you record being compromised at all. [I'm taking bets here... Bob]

Sufficient? Has potential in any case...

Pennsylvania Court Specifies Test for Unmasking Anonymous Online Speakers

January 19, 2011 by Dissent

Ryan Mrazik writes:

Last week, the Superior Court of Pennsylvania vacated a trial court’s order directing the disclosure of the identities of six John Does who allegedly posted defamatory remarks on the internet and adopted a four-prong modified test for unmasking anonymous online speakers in the future. In Pilchesky v. Gatelli, 2001 Pa. Super. 3, Nos. 38 MDA 2009 and 39 MDA 2009 (Jan. 5. 2001), the appeals court reviewed the standards courts use to evaluate whether the identity of an anonymous online speaker should be disclosed, and concluded that “[t]here are four requirements which must be addressed [and which] are necessary to ensure the proper balance between a speaker’s right to remain anonymous and a defamation plaintiff’s right to seek redress.” These requirements, discussed further below, are

(1) notification of the John Doe defendants,

(2) sufficiency of evidence to establish a prima facie case for all elements of a defamation claim,

(3) an affidavit from the plaintiff asserting that the information is sought in good faith and is necessary to secure relief, and

(4) that the court has expressly balanced the defendant’s First Amendment rights against the strength of the plaintiff’s prima facie case.

Read more on Digestible Law.

Another opportunity lost.

Is There a Right of Informational Privacy? Supreme Court Avoids the Issue in NASA Opinion

January 19, 2011 by Dissent

Debra Cassens Weiss discusses today’s Supreme Court opinion in NASA v. Nelson with a focus on the court’s statements about whether there is a constitutional right to information privacy:

“We assume, without deciding, that the Constitution protects a privacy right of the sort” mentioned in two 1977 Supreme Court decisions, Alito wrote. “We hold, however, that the challenged portions of the government’s background check do not violate this right in the present case.”

The decision was 8-0, with a concurrence written by Justice Antonin Scalia and joined by Justice Clarence Thomas, SCOTUSblog reports. The concurrence argued there is no informational right to privacy.

“Like many other desirable things not included in the Constitution, ‘informational privacy’ seems like a good idea,” Scalia wrote. “But it is up to the people to enact those laws, to shape them, and, when they think it appropriate, to repeal them. A federal constitutional right to ‘informational privacy’ does not exist.”

Read more on ABAJournal.

Technology for my Criminal Justice students? Another tool to mount on the dashboard of police cruisers (next to the license plate readers), and soon they will look like Google Earth cars...

Fingerprints Go the Distance – Are Our Laws Keeping Up?

January 19, 2011 by Dissent

Ian Geldard sent me a link to an article on Technology Review about a fingerprint technology that has the potential to become yet another part of public surveillance. Here are some snippets from the article so you can understand the potential for misuse:

Now a company has developed a prototype of a device that can scan fingerprints from up to two meters away, an approach that could prove especially useful at security checkpoints in places like Iraq and Afghanistan.

The device, called AIRprint, is being developed by Advanced Optical Systems (AOS). It detects fingerprints by shining polarized light onto a person’s hand and analyzing the reflection using two cameras configured to detect different polarizations.

Read the whole article on Technology Review.

As with most technology, this device clearly can be put to good use. But by now, I’ve come to look at technology and ask, “And how is this going to be misused, and with what consequences?”

So… if we have no reasonable expectation of privacy in public spaces, could these devices just record our fingerprints and match them against different databases or even add them to a database? Could law enforcement create a database of wanted criminals’ fingerprints and have these devices scan passersby to determine a match? Some might argue that that might not be a bad thing, but where is the line, and are our laws ready to deal with this type of possible use of surveillance technology in public spaces?

E-Mail v. Snail Mail

Mail Service Costs Netflix 20x More Than Streaming

"Netflix currently pays up to $1 per DVD mailed round trip, and the company mails about 2 million DVDs per day. By comparison, the company pays 5 cents to stream the same movie. In other words, the company pays 20 times more in postage per movie than it does in bandwidth. Doing some simple math, Netflix is spending some $700 million per year in physical disk postage. Rising content prices are offset by declining postage fees for the company, as more and more users choose the streaming-only option. Furthermore, subscriber revenues will continue to increase as Netflix increases the size of its streaming library."

I need to work this into my Business Classes...

In Graphics: What Is a 401(k) Plan?
