Thursday, May 02, 2013

“The 2X4 is just to get the mule's attention.”
Regular readers may recall the frustration I reported when calls to Uniontown Hospital to alert them to a security breach went unanswered. I’m not the only one who can’t get a response when a response might be in the entity’s best interests. Consider this report by security blogger Brian Krebs:
Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.
Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.
On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.
Read more on KrebsOnSecurity.
Maybe if insurers decline to cover losses if they find out that someone tried to warn the entity and the entity ignored or failed to respond to the attempted alerts, it would help?

(Related)
A great headline for Computer Security managers to pass along to management...
A few weeks ago I noted that William Jennings Bryan Dorn VA Medical Center in South Carolina was notifying over 7,000 patients of a breach involving a stolen laptop. Now two of the veterans affected have filed a lawsuit over the breach. Additional details on the lawsuit, which was filed April 12, can be found here.


Mandatory BYOD! This could be really interesting.
"Half of all employers will require workers to supply their own mobile devices for work purposes by 2017, according to a new Gartner study. Enterprises that offer only corporately-owned smartphones or stipends to buy your own will soon become the exception to the rule in the next few years. As enterprise BYOD programs proliferate, 38% of companies expect to stop providing devices to workers by 2016 and let them use their own, according to a global survey of CIOs by Gartner. At the same time, security remains the top BYOD concern. 'What happens if you buy a device for an employee and they leave the job a month later? How are you going to settle up? Better to keep it simple. The employee owns the device, and the company helps to cover usage costs,' said David Willis, a distinguished analyst at Gartner."


Attention everyone downstream! This damn breach could lead to a dam breach! (Sorry, I couldn't resist) Think of this as “Targeting Information”
Hacker Breached U.S. Army Database Containing Sensitive Information on Dams
A hacker compromised a U.S. Army database that holds sensitive information about vulnerabilities in U.S. dams, according to a news report.
The U.S. Army Corps of Engineers’ National Inventory of Dams contains information about 79,000 dams throughout the country and tracks such information as the number of estimated deaths that could occur if a specific dam failed. It’s accessible to government employees who have accounts. Non-government users can query the database but cannot download data from it.
The breach began in January and was only uncovered in early April, according to the Free Beacon, a nonprofit online publication, which first published the news.
… “The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined not to have the proper level of access for the information,” Pierce said in a statement to the publication. “[U.S. Army Corps of Engineers] immediately revoked this user’s access to the database upon learning that the individual was not, in fact, authorized full access to the NID.”
The Corps of Engineers announced on its website that account usernames and passwords had since changed “to be compliant with recent security policy changes.”
All users had been sent an e-mail notification to this effect, which apparently told them that their account username had been changed to their e-mail address and included the new password in plaintext that the Corps did not ask users to change. [Not particularly well thought out... Bob]
Although the website provides links to reset the password if a user forgets it, the links were not working when Wired visited the site.
Unnamed U.S. officials told the Free Beacon that the breach was traced to “the Chinese government or military cyber warriors,” but offered no information to support the claim.
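The Corps mailed every user a new password in plaintext and did not require it to be changed, so the e-mail itself became a reusable credential for anyone who could read it. The block below is an added example of how a forced credential rotation is normally built instead, and is not the NID application's code (the article says nothing about its internals): the e-mail carries a single-use, time-limited token rather than a password, only the token's hash is stored, the old password is dead the moment the reset is issued, and the account cannot log in until the user has chosen a new password. The store, the one-hour token lifetime, the 12-character minimum and the user name are all assumptions for illustration.

```python
"""Forced credential reset that never mails a usable password.

Added example, not the Corps of Engineers' NID code. The in-memory store,
TOKEN_TTL, the password-length rule and the sample account are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a mailed reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 100_000


class CredentialStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        # username -> {"pw_hash": bytes|None, "salt": bytes, "reset": dict|None}
        self.users = {}

    @staticmethod
    def _hash_pw(password, salt):
        # Store a salted PBKDF2 hash; the password itself is never kept or mailed.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username):
        # New accounts start with no password at all; they must go through a reset.
        self.users[username] = {"pw_hash": None, "salt": secrets.token_bytes(16), "reset": None}

    def begin_reset(self, username):
        """Kill the old credential and return a one-time token to put in the e-mail.

        Only the SHA-256 of the token is stored, so a copy of the database does
        not yield working reset links."""
        u = self.users[username]
        token = secrets.token_urlsafe(32)
        u["pw_hash"] = None
        u["reset"] = {
            "digest": hashlib.sha256(token.encode()).digest(),
            "expires": self.clock() + TOKEN_TTL,
        }
        return token

    def complete_reset(self, username, token, new_password):
        """Redeem the token once, within its lifetime, and set a user-chosen password."""
        u = self.users[username]
        r = u["reset"]
        if r is None or self.clock() > r["expires"]:
            return False
        if not hmac.compare_digest(r["digest"], hashlib.sha256(token.encode()).digest()):
            return False
        if len(new_password) < 12:
            return False  # token stays valid so the user can try a better password
        u["reset"] = None  # single use: burn the token before storing the new hash
        u["pw_hash"] = self._hash_pw(new_password, u["salt"])
        return True

    def login(self, username, password):
        u = self.users.get(username)
        if u is None or u["pw_hash"] is None:
            return False  # an account mid-reset has no usable credential
        return hmac.compare_digest(u["pw_hash"], self._hash_pw(password, u["salt"]))


def scenario():
    """Walk the flow against a controllable clock and return what each step yielded."""
    now = [1_000_000.0]
    s = CredentialStore(clock=lambda: now[0])
    user = "nid_user@example.gov"  # constructed address
    s.add_user(user)
    out = {}
    out["login_before_set"] = s.login(user, "anything")
    tok = s.begin_reset(user)
    out["wrong_token"] = s.complete_reset(user, "not-the-token", "correct horse battery")
    out["weak_password"] = s.complete_reset(user, tok, "short")
    out["set_ok"] = s.complete_reset(user, tok, "correct horse battery")
    out["replay"] = s.complete_reset(user, tok, "another long password")
    out["login_ok"] = s.login(user, "correct horse battery")
    out["login_bad"] = s.login(user, "wrong password here")
    tok2 = s.begin_reset(user)
    now[0] += TOKEN_TTL + 1
    out["expired"] = s.complete_reset(user, tok2, "yet another long one")
    return out


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:>18}: {ok}")
```

Two design points worth noting: the token is compared with `hmac.compare_digest` so a wrong guess takes the same time as a right one, and `begin_reset` clears the old hash immediately, so a compromised old password stops working even if the user never opens the e-mail.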


Attention Ethical Hackers! This should not impact our “Online Games for Fun and Profit” class.
Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case
… The question: was it a criminal violation of federal anti-hacking law for Kane and a friend to knowingly take advantage of the glitch to the tune of at least half-a-million dollars? Prosecutors say it was. But in a win for the defense, a federal magistrate found last fall that the Computer Fraud and Abuse Act doesn’t apply, and recommended the hacking charge be dismissed. The issue is now being argued in front of U.S. District Court Judge Miranda Du, who’s likely to rule this month.


Underreporting the number of victims seems to be an Internet meme. It makes it seem like they don't know what is happening in their own computer systems.
So it seems it may not be 300,000 biometric national ID records lost, but 1.4 million….


Could this be the start of a trend?
By a vote of 49-0, the Pennsylvania Senate passed Senate Bill 114, amending the state’s data breach notification law.
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
(a.1) Notification by State agency.–If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor’s jurisdiction shall also provide notice of a breach of its security system to the Governor’s Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.2) Notification by county, school district or municipality.–If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(A.3) STORAGE POLICY.–
(1) THE OFFICE OF ADMINISTRATION SHALL DEVELOP A POLICY TO GOVERN THE PROPER STORAGE BY STATE AGENCIES OF DATA WHICH INCLUDES PERSONALLY IDENTIFIABLE INFORMATION. THE POLICY SHALL ADDRESS IDENTIFYING, COLLECTING, MAINTAINING, DISPLAYING AND TRANSFERRING PERSONALLY IDENTIFIABLE INFORMATION, USING PERSONALLY IDENTIFIABLE INFORMATION IN TEST ENVIRONMENTS, REMEDIATING PERSONALLY IDENTIFIABLE INFORMATION STORED ON LEGACY SYSTEMS AND OTHER RELEVANT ISSUES. A GOAL OF THE POLICY SHALL BE TO REDUCE THE RISK OF FUTURE BREACHES OF SECURITY OF THE SYSTEM.
(2) IN DEVELOPING THE POLICY UNDER PARAGRAPH (1), THE OFFICE OF ADMINISTRATION SHALL CONSIDER SIMILAR EXISTING POLICIES IN OTHER STATES, BEST PRACTICES IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND OTHER SOURCES AS APPROPRIATE. THE POLICY SHALL BE REVIEWED AT LEAST ANNUALLY AND UPDATED AS NECESSARY.
Section 2. This act shall take effect in 60 days.


You have to go through all the effort of matching the video-captured images to driver's license and other databases, but sometimes you get lucky and someone calls 911.
Boston carjack victim talks about narrow escape
Three nights after the bombing, Danny was sitting in his new Mercedes when a man came from behind the car, put his hand through the open window and opened the door from the inside before pointing a gun only inches from his head.
Danny did not know it was Tamerlan Tsarnaev. His attacker asked him if he had been following the news of the bombings.
“I said, ‘Yes, of course,’” Danny told Lauer. “Then he said, ‘I did that. And I just killed a policeman in Cambridge.’”
… With the car stopped at a gas station, Danny made his move to escape. When Dzhokhar left his vehicle to go to an A.T.M. and pump gas, Danny unbuckled his seatbelt with his left hand, opened the door with his right hand and ran from the car with Tamerlan still sitting in it.
“I took off,” he said. “(Tamerlan) tried to grab me. He was trying to grab me. It was very close. I can feel it.”
Danny ran to another gas station and called 911, telling police they could locate the suspects through his car’s satellite system and the iPhone he left behind.


I'm not sure what (or who) OccupyCorporatism is, but they seem to hate everyone. Also, the headline does not match the article.
Susanne Pesel reports:
The Bill and Melinda Gates Foundation (BMGF) have funded the Measures of Effective Teaching Project (MET) which brings together volunteers and researchers “to build and test measures of effective teaching to find out how evaluation methods could best be used to tell teachers more about the skills that make them most effective and to help districts identify and develop great teaching.”
[...]
The BMGF have also invested $5 billion [also reported as $5 million... Bob] into having CCTV cameras installed in all classrooms across the nation allegedly “for every teacher in every classroom in every district to be filmed in action so they can be evaluated and, maybe, improve.”
This initiative would facilitate “videotaped lessons, classroom observations by trained observers, student satisfaction surveys, and value-added calculations based on test scores.”
Read more on OccupyCorporatism.com.
His proposals are so problematic that it’s hard to even know where to start responding to his ideas, but if you want to create an environment where kids feel emotionally safe to learn, to question, and to take risks in their thinking, constant surveillance is contraindicated.


Hummm
May 01, 2013
Google Transparency Report
"Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. In this report, we disclose:
  • Real-time and historical traffic to Google services around the world;
  • Numbers of removal requests we receive from copyright owners or governments;
  • Numbers of user data requests we receive from government agencies and courts.
To learn more about the laws governing our disclosure of user data and reforms to those laws that we think are important, visit http://digitaldueprocess.org/. We hope this report will shine some light on the appropriate scope and authority of government requests to obtain user data around the globe."


Think about it. How hard could it be if you know an individual's ZIP code, birth date and sex?
From the MIT Technology Review:
One of the biggest questions in biology is the nature versus nurture debate, the relative roles that genetic and environmental factors play in determining human traits.
In 2006, George Church at Harvard University and a few others started the Personal Genome Project (PGP) to help answer this question. The goal is to collect genomic information from 100,000 informed members of the public along with their health records and other relevant phenotypic data. The idea is to use this information to help tease apart the relative contributions of genetic and environmental factors.
The project does not guarantee privacy for those who sign up. Indeed, the participants can reveal as much information as they like, including their ZIP code, birth date and sex.
However, the data is ‘de-identified’ in the sense that the owners’ names and addresses are not included in their profiles on the PGP website, and this generates a veneer of privacy.
Today, Latanya Sweeney and colleagues at Harvard show that even this is practically useless in keeping owners identities private. They say a relatively simple comparison of the list of PGP participants with other databases such as voter lists reveals the identity of a significant number of them with remarkable accuracy.
Read more on MIT Technology Review.
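Bob's question above (“How hard could it be?”) has a short answer: a join. The block below is an added example of the linkage attack Sweeney's group describes, not their code or data: a small constructed table of “de-identified” profiles that still carry ZIP, birth date and sex is joined against a constructed voter list on exactly those three fields, and every profile whose triple matches a single voter is re-identified. It then shows the check a data custodian should have run before publishing (the k-anonymity of the released table over those quasi-identifiers) and one generalization step (ZIP to 3-digit prefix, birth date to decade) that pushes k above 1. Both tables, all names and the field choices are constructed for illustration; the 87% uniqueness figure from Sweeney's earlier census work is not reproduced here.

```python
"""Linkage attack on 'de-identified' records via (ZIP, birth date, sex).

Added example; not code or data from Sweeney's paper or the PGP. Both tables
below are constructed toy records, not real participants or voters.
"""
from collections import defaultdict

# Constructed "de-identified" research profiles: no names, quasi-identifiers kept.
PROFILES = [
    {"id": "P1", "zip": "02138", "dob": "1974-03-09", "sex": "F"},
    {"id": "P2", "zip": "02138", "dob": "1981-11-22", "sex": "M"},
    {"id": "P3", "zip": "02139", "dob": "1985-07-01", "sex": "M"},
    {"id": "P4", "zip": "02139", "dob": "1976-01-15", "sex": "F"},
]

# Constructed public voter list: names plus the same three fields.
VOTERS = [
    {"name": "Alice Example", "zip": "02138", "dob": "1974-03-09", "sex": "F"},
    {"name": "Bob Example",   "zip": "02138", "dob": "1981-11-22", "sex": "M"},
    {"name": "Carl Example",  "zip": "02139", "dob": "1985-07-01", "sex": "M"},
    {"name": "Dan Example",   "zip": "02139", "dob": "1985-07-01", "sex": "M"},  # same triple as Carl
    {"name": "Eve Example",   "zip": "02140", "dob": "1976-01-15", "sex": "F"},  # P4's date, other ZIP
]

QUASI = ("zip", "dob", "sex")


def key(rec, fields=QUASI):
    return tuple(rec[f] for f in fields)


def link(profiles, voters, fields=QUASI):
    """Join on the quasi-identifiers: {profile_id: [candidate voter names]}.

    Profiles whose triple appears nowhere in the voter list are omitted."""
    index = defaultdict(list)
    for v in voters:
        index[key(v, fields)].append(v["name"])
    return {p["id"]: index[key(p, fields)] for p in profiles if key(p, fields) in index}


def unique_matches(linked):
    """Profiles that point at exactly one voter: these are re-identified outright."""
    return {pid: names[0] for pid, names in linked.items() if len(names) == 1}


def k_anonymity(records, fields=QUASI):
    """Smallest group of records sharing a quasi-identifier tuple; k == 1 means someone is unique."""
    counts = defaultdict(int)
    for r in records:
        counts[key(r, fields)] += 1
    return min(counts.values())


def generalize(rec):
    """One coarsening step a custodian could apply before release:
    5-digit ZIP -> 3-digit prefix, full birth date -> decade."""
    return {**rec, "zip": rec["zip"][:3], "dob": rec["dob"][:3] + "0s"}


if __name__ == "__main__":
    hits = link(PROFILES, VOTERS)
    print("raw join:", hits)
    print("re-identified:", unique_matches(hits))
    print("k before release:", k_anonymity(PROFILES))
    gp = [generalize(p) for p in PROFILES]
    gv = [generalize(v) for v in VOTERS]
    print("k after generalizing:", k_anonymity(gp))
    print("re-identified after generalizing:", unique_matches(link(gp, gv)))
```

On the toy data two of four profiles are named outright, a third narrows to two people, and the fourth escapes only because the voter list has her in a different ZIP; `k_anonymity` over the raw triples returns 1, which is the signal that the release was never really de-identified. The coarsening step is deliberately crude: real releases generalize field by field until every equivalence class reaches the k the custodian chose, and still have to consider what other public datasets share the remaining fields.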


Could be an interesting case to watch...
Mozilla Takes Aim at Spyware That Masquerades as Firefox
Mozilla’s lawyers are sending a nasty gram to a U.K. company that writes spyware for government snoops.
The problem is that FinSpy masquerades as Firefox on the PC, according to researchers at The Citizen Lab, a University of Toronto-backed project that investigates technology and human rights. That violates Mozilla’s trademark, the browser-maker said in a statement. “As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this abuse is vital to our brand, mission and continued success.”
Mozilla says it’s sending the U.K. company that makes FinSpy, Gamma International, a cease-and-desist letter later today “demanding that these practices be stopped immediately.” Gamma International couldn’t immediately be reached for comment. FinFisher is the name of Gamma’s command and control server software that collects the surveillance data. It also makes FinSpy, the spyware that runs on the PC.
Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.


Ethical Hackers: If I can “Control” it, I can hack it... (Might even work if your phone is stolen?)
If you leave your phone at home while leaving for work, you are fretting about missing important text messages and phone calls. There is nothing to do in such a situation but to go back home and fetch your phone.
… Thankfully there is now a smartphone application that provides an effective solution for this predicament that does not involve you going back home to get your phone. This application is called Phonnix.
Phonnix is a free to use smartphone application for devices that are running Android.
If you left your phone at home, then all you need to do is ensure that it has Internet connectivity – either through your carrier’s data plan or through a plain Wi-Fi network. It is then possible to log into the app using a web browser on your computer.
From then onwards you are able to send and receive text messages in the browser instantly. Missed calls notifications can also be instantly received. Integration with Facebook is possible which delivers all this information to your favorite social network and makes it possible for you to receive incoming calls there. Commands can be sent to the phone to forward your calls to another phone number.


Something for our Graphic Design students?
LinkedIn Now Lets You Add a Visual Portfolio to Your Profile
LinkedIn now lets users add visual content like photos, presentations and videos to their profile pages — a feature that has been in high demand with creative professionals like designers and photographers.


Might be handy if you have friends or relatives in places that suffer mad bombers or natural disasters.
Well, regardless of the fatality numbers, any major crisis that shuts down communication systems or travel ends up breaking off a fairly large population of people from the outside world. This isn’t just the case when there’s some kind of violent attack, but it even more commonly occurs following things like earthquakes, hurricanes and other natural disasters. When social infrastructure fails, family and friends outside of the danger zone really start to get nervous when they can’t get in touch with their loved ones. Add on top of that the fact that the news media starts immediately reporting the increase in body count, and you’ve got a situation of all-out panic.
Google Person Finder is offered as a free service for the general public, as well as emergency responders, to use following a catastrophe.
The way it works is relatively simple, and there are some additional features that you can embed on your own website, which I’ll get to later in this article. When you first go to the Google Person Finder page, you’ll see a list of current active events for which the Person Finder is currently active.
Inside of an event page, you’ll find two large link boxes. You’ll also see the current database size underneath those links.
Two links:
“I’m looking for someone”
“I have information about someone”
