Tuesday, April 28, 2015

What's the big attraction for hackers? Cosmetic surgery is rarely covered, so a new face seems out. Do you suppose it might be that hacking health care is easier?
Now that I know what I’m looking for, I’m finding more evidence of targeted email attacks affecting members of Ascension Health. For previous reports on this incident, read here and here.
On March 16, Sacred Heart Health System in Florida posted this notice on their site about a breach they reported to HHS as affecting 14,177 patients:
On February 2, 2015, we were notified by one of our third-party billing vendors that one of its employee’s e-mail user name and password had been compromised as a result of an e-mail hacking attack. The hacking attack was detected by our billing vendor on December 3, 2014 and the employee’s user name and password were shut down the same day. … After careful review, we were able to determine that the billing vendor’s employee e-mail account contained personal information for approximately 14,000 individuals.
The personal health information in the e-mail account included patient names, date of service, date of birth, diagnosis and procedure, billing account numbers, total charges, and physician name. Approximately 40 individuals’, social security numbers were also compromised. The hackers did not gain access to individual medical records or billing records.
If Sacred Heart Health System is our fourth entry for the list, then St. Mary’s Health in Indiana is the fifth. Their breach affected 3,952 patients. The notice on their web site reads, in part:
On December 3, 2014, St. Mary’s learned that several employees’ user names and passwords had been compromised as a result of an e-mail hacking attempt. It immediately shut down the user names and passwords and launched an investigation into the matter. After careful review, St. Mary’s learned on January 8, 2015, that employee e-mail accounts subject to the hacking attempt contained some personal information for approximately 4,400 individuals. [A month to find out what was in the email accounts of their employees? Shame. Bob]
The personal health information in the e-mail account included patient name, date of birth, gender, date of service, insurance information, limited health information and, in some cases, social security numbers. The hackers did not gain access to individual medical records or billing records.

Come on educators, it's not that hard to Google “password best practices." It's even easier than findong someone who knows what they are doing when it comes to security!
Melissa Stern reports:
A metro mom says some students have taken cyberbullying to a whole new level. Her daughter is the victim, and she says school-issued technology is to blame.
Amy Laughlin says school-issued iPads at Belton Middle School have become more problematic than useful. Her daughter in the seventh grade says she’s receiving bullying emails on her iPad from someone hacking into other students’ accounts.
Read more on Fox4kc.com. The “hacking” was facilitated by the fact that a generic password had been issued to the students with the iPads, and many students hadn’t changed their passwords, it seems.
“One of the first things we`ve done is have our students set up a different username or password or both,” the Superintendent explained.
The superintendent also said they remind students to keep their passwords private. The district is working on character education in class, and tracking down students using the iPads inappropriately.
I hope they educate the students that posing as someone else could run them afoul of the law, even if they’re not posing as someone else to harass people.

(Related) Apparently, this is not limited to educators. Where is management?
Happy birthday! Now anyone can login to your Betfair account
I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example:
@BetfairHelpdesk Is it right that all one needs to change their password is their username and date of birth?
Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair responses be removed, Paul captured the discussion here. Now before we go on, do read that discussion in its entirety because context is important here.

For my Computer Security students. Note that it does not have to be your company that fails. How would you detect and reverse this?
Social Engineering: Attackers' Reliable Weapon
It begins with a baited hook.
It could be a link posted on social media that appears to lead to a subject of interest. It could be the sudden arrival of an emailed invoice. Whatever the ploy, social engineering is the opening salvo in targeted attacks against organizations all over the world. Sometimes, the social engineering begins with an email. Other times it may involve Facebook, and other times it may begin with a phone call.
That last scenario was found to be the case in the recent attack on Tesla Motors. A Tesla spokesperson told SecurityWeek that a hacker posed as a Tesla employee, called AT&T customer support and tricked them into forwarding calls to an illegitimate phone number. At that point, the impostor contacted the domain registrar company that hosts teslamotors.com, Network Solutions, and using the forwarded number, added a bogus email address to the Tesla domain admin account.
According to the spokesperson, the impostor then reset the password of the domain admin account, routed most of the site's traffic to a spoofed website and temporarily gained access to the Twitter accounts of both the company and its CEO Elon Musk.

    1. Websense Employees Targeted With Fake Raytheon Acquisition Emails

US defense contractor Raytheon announced earlier this month that it’s prepared to acquire network security firm Websense in a $1.9 billion deal. Malicious actors have leveraged this announcement in an attempt to trick Websense employees into installing a piece of malware on their computers.
According to Websense, malicious emails with the subject line “Welcome to join Raytheon” started landing in employees’ inboxes on April 23, just three days after the announcement was made. The body of the emails read, “Welcome to join Raytheon. The password is 123qwe.”

An interesting question. Now videos stream in real time, can be sent to your lawyer's server as you record, and can be made by very small (not easily recognized) devices.
What to Say When the Police Tell You to Stop Filming Them
First of all, they shouldn’t ask.
“As a basic principle, we can’t tell you to stop recording,” says Delroy Burton, chairman of D.C.’s metropolitan police union and a 21-year veteran on the force. “If you’re standing across the street videotaping, and I’m in a public place, carrying out my public functions, [then] I’m subject to recording, and there’s nothing legally the police officer can do to stop you from recording.”
“What you don’t have a right to do is interfere,” he says. “Record from a distance, stay out of the scene, and the officer doesn’t have the right to come over and take your camera, confiscate it.”
Officers do have a right to tell you to stop interfering with their work, Burton told me, but they still aren’t allowed to destroy film.

Food for thought, students!
The Pros and Cons of Cloud Computing
… not everyone is on board with this idea. For every person extolling the benefits of cloud computing, there's an opponent with an equally powerful risk or disadvantage. With so many differing opinions, how can you possibly decide what to do? Let's take a look at the major pros and cons of cloud computing.

Philosophy for geeks? (Notice that he says “When,” not “If.”)
What happens when our computers get smarter than we are?
Artificial intelligence is getting smarter by leaps and bounds — within this century, research suggests, a computer AI could be as "smart" as a human being. And then, says Nick Bostrom, it will overtake us: "Machine intelligence is the last invention that humanity will ever need to make." A philosopher and technologist, Bostrom asks us to think hard about the world we're building right now, driven by thinking machines. Will our smart machines help to preserve humanity and our values — or will they have values of their own?

I'd say this was Baksheesh, but I can't spell Baksheesh.
Google aims to transform European newsrooms
Google will give €150 million (US$163 million) to European publishers and digital journalism startups in the next three years as part of a wider package that aims to support the news sector...
… Google’s fund is similar to a €60 million fund set up to settle a dispute with French publishers in 2013 over lost revenue, and to prevent a proposed “link tax” that would make Google pay to republish news snippets.

Perspective. I was guessing $0.99 per pound.
The Market for Lawyers Revisited
by Sabrina I. Pacifici on Apr 27, 2015
Spurr, Stephen J., The Market for Lawyers Revisited (January 10, 2015). Available for download at SSRN: http://ssrn.com/abstract=2599026
“This paper examines the changes in the market for lawyers in the United States over several decades. Reviewing data from 1981 through 2012, we find that the quality of entrants to this market, as measured by the rate of attrition from law schools and mean scores on the Multistate Bar Exam, is highly responsive to the demand for legal services. Analyzing earnings of lawyers, we find that females earn substantially less than males, Blacks earn less than those of other ethnic backgrounds, and the disparity increases over the life cycle. There is also evidence that because of the decline of entrants to the profession, the share of older lawyers has increased, reducing the premium paid for experience. Finally, we examine the trend in inequality in lawyers’ earnings, and find that it has increased substantially over the period of our data.”

Perspective. New terms, same strategy? BiModal? BYOT? Historically, IT has been very slow to acknowledge – let alone attempt to integrate – new technologies. (For years, PCs were “not real computers.”)
How to Keep BYOT out of Bimodal IT Strategy
According to Gartner, by 2017 75 percent of IT organizations will have gone bimodal in some way. This shift reflects the growing need for businesses to deploy a modern mobile platform that encourages business user participation in the development process, with the full support and oversight of the IT organization.
… With BYOT (Bring Your Own Tool) there is a risk that users from different parts of the business will download their own tools and develop their own apps without IT’s involvement. This "rogue IT" approach can result in risks to data security and other corporate governance issues and should be avoided. In addition, this fragmented approach results in a lack of consistency across the organization, with assets and skills that can’t be leveraged across the business.

Perspective. I'm still trying 40 years later.
Teenager Stuns Fellow Geeks By Solving Rubik's Cube In Record 5.25 Seconds

For my Math students.
… On the GeoGebra YouTube channel you will find more 200 video tutorials. If you're just starting out with GeoGebra on your desktop or tablet, the GeoGebra quickstart videos will be of use to you. The videos are silent, but the visuals are clear.

For my Statistics students. (There's nothing like a good argument before I pull out some facts.)
… When I found that upsets are much less common in the NCAA women’s tournament than in the men’s, my mind jumped to what seemed like a logical explanation: Perhaps the lack of upsets is caused by a lack of depth in the women’s game.
In particular, teams like the epically dominant University of Connecticut Huskies — newly minted winners of their third straight national title and the 10th of Coach Geno Auriemma’s reign — must be able to win so much because they get all the best players from a shallow talent pool. Even many who love and defend women’s basketball often judge it a little differently than men’s, on the presumption that it’s a less mature sport.
… And it would make sense if there were any truth to the notion that women’s basketball is less talented.
But it isn’t. As it turns out, not only is women’s college basketball as strong and deep in college-age talent as the men’s game, but for the rarest talent, it is significantly more so.

My students and I are trying to understand social networks and how to use them.
50 Companies That Get Twitter – and 50 That Don’t
Corporate tweeters need to know that they aren’t just promoting a brand or solving a problem: they are performing for an audience, supporting customers throughout their journey, and even, subtly, selling. The best, like American Airlines, make it feel natural. They have given their social media staff a clear mission and a great deal of autonomy; the account’s managers chat with customers, offer up front to solve problems, and empathize with frustrated travelers.
But the worst have exported their old tricks to new media. Entirely devoid of empathy, their accounts might as well be run by robots. Starbucks simply redirects queries to an email address—with a grating exclamation point to add insult to injury. At least that’s better than the 70% of companies that plainly ignore complaints on Twitter.
This matters. Social media isn’t merely a place for people to chat with each other and for brands to talk at their customers. For a new generation of consumers who get their news and form their views about the world primarily on social media, it is an essential proving ground. A witty comment or botched response on Twitter can travel to Facebook and even news websites in minutes (think of the Oreo tweet during the Superbowl blackout of 2013). But a single miscalculated remark can cascade into an avalanche of disapproval

No comments: