Thursday, September 10, 2015

Too many companies take too long to detect a breach.
AP reports:
A health insurer in western New York and affiliates said Wednesday that their computers were targeted last month in a cyberattack that may have provided unauthorized access to more than 10 million personal records.
Excellus BlueCross BlueShield, headquartered in Rochester, and Lifetime Healthcare Companies said they’re offering affected individuals in upstate New York two years of free identity theft protection.
The companies said unauthorized computer access was discovered Aug. 5, and further investigation revealed that the initial attack occurred on Dec. 23, 2013.
Read more on NBC.

It's like Willie Sutton for the Internet. Automated crime, what a concept!
Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms
… DD4BC – which stands for “DDoS for Bitcoin” (Distributed Denial of Service for Bitcoin) – has been targeting firms since mid-2014, so far evading international police forces.
… As cyber-attacks go, DDoS is a blunt instrument. It involves hammering a target website with traffic using a distributed network of computers under the control of one attacker. The aim is to flood the site with traffic to the point that its web server crashes and the site goes offline.
There is a commercial impact – estimated by Neustar to cost up to $100,000 per hour – but these attacks predominantly damage brand perception. “It represents vulnerability,” says Cisco’s Adam Philpott, who heads up cybersecurity in Europe. “If I can't access the service of an organization that’s handling a significant amount of my money, how can I trust it?”
DDoS extortion is not new, but DD4BC is particularly prolific.
“They’ve been industrializing their operation – doing it at a scale and level that has not been seen before,” adds James Chappell, co-founder of security firm Digital Shadows.
The group is going for second- and third-tier financial organisations – ones that have money but not necessarily the defences or technical acumen to deal with a DDoS assault.
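The article describes the mechanism of a DDoS but not the part a defender actually has to solve: telling a distributed flood, which per-IP rate limits cannot stop, from a single noisy client, which they can. The following is an added example, not code from the article, from DD4BC reporting or from any vendor quoted above. It parses combined-format web server log lines, buckets them into fixed windows, and labels each window by total request rate and by how many distinct sources the load is spread across. The sample log lines are constructed (documentation address ranges), and the window length and both thresholds are assumed values that would need tuning against a real baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.7 - - [10/Sep/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (timestamp, source_ip, request_line) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("req")


def classify_windows(lines, window_seconds=10, rate_threshold=50, source_threshold=20):
    """Bucket requests into fixed windows and label each window.

    window_seconds, rate_threshold and source_threshold are assumed values:
    a window with at least rate_threshold requests is a flood, and a flood spread
    over at least source_threshold distinct IPs is treated as distributed.
    """
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> Counter(ip -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        ts, ip, _ = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1

    results = []
    for start in sorted(buckets):
        hits = buckets[start]
        total = sum(hits.values())
        sources = len(hits)
        if total < rate_threshold:
            verdict = "normal"
        elif sources >= source_threshold:
            # Load is spread thin across many hosts: per-IP limits will not help,
            # mitigation has to be upstream (scrubbing, anycast, provider filtering).
            verdict = "distributed flood"
        else:
            # A few hot sources: per-IP rate limiting or blocking is enough.
            verdict = "single-source flood"
        results.append({
            "window_start": start,
            "requests": total,
            "sources": sources,
            "top_source": hits.most_common(1)[0],  # (ip, hits)
            "verdict": verdict,
        })
    return results


def make_sample_log():
    """Constructed sample: 10 s of normal traffic, then 10 s of a botnet-style flood."""
    base = datetime(2015, 9, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    # Normal: six requests from three hosts (203.0.113.0/24 is a documentation range).
    for i in range(6):
        lines.append(fmt.format(ip=f"203.0.113.{i % 3 + 1}", ts=stamp(base + timedelta(seconds=i))))
    # Flood: 60 requests from 30 distinct hosts, two each, all in the next 10 s window.
    for i in range(60):
        lines.append(fmt.format(ip=f"198.51.100.{i % 30 + 1}",
                                ts=stamp(base + timedelta(seconds=10 + i % 10))))
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for w in classify_windows(make_sample_log()):
        print(w)
```

The useful signal is the combination of aggregate rate and source dispersion: a single hot source in the second branch is a candidate for a per-IP block, while a flood that trips the source threshold is the case the article is about, where the target needs upstream capacity or filtering rather than a local rule.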

If the door is locked, try a window. Another piece of the dossier started with OPM?
Jacqueline Klimas reports:
Hackers infiltrated the Pentagon food court’s computer system, compromising the bank data of an unknown number of employees.
Lt. Col. Tom Crosson, a Defense Department spokesman, said on Tuesday that employees were notified that hackers may have stolen bank account information from people who paid for concessions at the Pentagon with a credit or debit card.
Read more on Washington Examiner.

This was a big item on today's local news. No idea why.
Energy Dept. hacked 150 times in 4 years
Hackers infiltrated the Department of Energy’s computer system over 150 times between 2010 and 2014, according to federal documents obtained by USA Today.
The records — received through a Freedom of Information Act request — reveal a blanket of digital attacks the agency has been struggling to thwart for years. In total, hackers targeted DOE networks 1,131 times over the four-year span, successfully cracking the network 159 times.
... But records show the assaults did hit some of the agency’s most sensitive systems.
The National Nuclear Security Administration, a sub-agency within DOE that secures the country’s nuclear weapons, was hit with 19 successful cyberattacks over the four years.
… In a 2013 oversight report, the agency’s inspector general noted “unclear lines of responsibility” regarding cybersecurity and a “lack of awareness by responsible officials.”

A rather strange survey. Do they think Hillary “got schooled” in Computer Security?
64 Percent of American Voters Predict a 2016 Presidential Campaign Will Be Hacked
As the 2016 presidential race heats up, data security company PKWARE announced the results of a poll conducted by Wakefield Research that examined American perceptions of the threat of political hacking, and which of the leading U.S. presidential candidates are most qualified to protect our nation from a growing onslaught of cyber-crime. According to the survey, which was sponsored by PKWARE and conducted in recent weeks, the majority (64 percent) of registered U.S. voters believe it is likely that a 2016 presidential campaign will be hacked.
… Despite Hillary Clinton's private email controversy, 42 percent of registered voters think she is the presidential candidate most qualified to protect the United States from cyber-attacks. She is followed by Donald Trump (24 percent), Scott Walker (18 percent) and Jeb Bush (15 percent).

I'm skeptical.
Justice Department Sets Sights on Wall Street Executives
Stung by years of criticism that it has coddled Wall Street criminals, the Justice Department issued new policies on Wednesday that prioritize the prosecution of individual employees — not just their companies — and put pressure on corporations to turn over evidence against their executives.
The new rules, issued in a memo to federal prosecutors nationwide, are the first major policy announcement by Attorney General Loretta E. Lynch since she took office in April. The memo is a tacit acknowledgment of criticism that despite securing record fines from major corporations, the Justice Department under President Obama has punished few executives involved in the housing crisis, the financial meltdown and corporate scandals.
“Corporations can only commit crimes through flesh-and-blood people,” Sally Q. Yates, the deputy attorney general and the author of the memo, said in an interview on Wednesday. “It’s only fair [Political correctness? Bob] that the people who are responsible for committing those crimes be held accountable.”

(Related) Could we extend executive responsibility to vendors who don't use security Best Practices? Please.
When California State University decided to purchase a We End Violence program, Agent of Change, they reportedly did consider data security. The Press-Telegram reports:
Laurie Weidner, spokeswoman for the Chancellor’s Office, said CSU has not terminated its relationship with We End Violence, which administered the training program called Agent of Change. The vendor was one of three offered to campuses, when the sexual violence prevention program was rolled out, she said.
Weidner said in an email the vendor was one of several reviewed and was recommended by the White House task force on campus sexual violence prevention.
Did the White House task force review data security of the products?
“The vendor agreed to the required contract terms and conditions regarding information security, including accepting CSU definitions for what constitutes confidential data, and the requirement to maintain the privacy (of) confidential information,” Weidner said.
And what, exactly, were those terms and conditions? has emailed We End Violence to ask whether the sensitive student information was stored in plain text. Did CSU know the data would be stored in clear text? Did they accept that?
CSU has no plans to change the screening process of vendors delivering the online sexual assault prevention training, Weidner said.
So CSU has no plans to learn from this experience by investigating data security more before they make arrangements with a vendor?
“The breach occurred with one vendor not the others,” she said in the email. “The CSU has other contracts with other vendors, and there has been no data exposure.”
Perhaps she should add, “… yet.”
Keep in mind that all enrolled students in the 23-campus CSU system are reportedly required by federal law and the state auditor to take sexual assault prevention training. That is a tremendous number of students who may have their sensitive and/or personal information exposed through a vendor, as CSU’s statement about over 79,000 students being impacted illustrates.
If the U.S. Education Department and Congress are serious about data security and EdTech, maybe they should investigate the We End Violence breach and all the vendors’ contracts and assurances of data security (if they have not done so already).
And while the FTC cannot take action against CSU, it does have authority to enforce data security in the vendors. Maybe they, too, should look into whether We End Violence has a reasonable security program or if they violated Section 5 by failure to deploy commercially reasonable and appropriate safeguards for sensitive information that left consumers at risk of substantial injury.

Dell says to invest $125 bln in China over five years
Computer maker Dell Inc will invest $125 billion in China over the next five years, its chief executive said on Thursday, as the company continues to expand in the world's second-largest economy.
The world's third-largest maker of personal computers said the investment would contribute about $175 billion to imports and exports, sustaining more than one million jobs in China.
"The Internet is the new engine for China's future economic growth and has unlimited potential," Chief Executive Michael Dell wrote in a statement.
… Dell has been in China for about two decades and, before it went private in 2013, saw annual sales in the country of roughly $5 billion.
In January, it announced partnerships with state-owned China Electronics Corporation and the municipal government of Guiyang.

Perspective. For my IT Governance students.
The Talent Imperative in Digital Business
MIT Sloan Management Review's 2015 Report on Digital Business revealed two surprising insights that have profound implications for your organization’s digital initiatives.
First, employees report to a surprisingly high degree (80%) that they prefer to work for digital leaders. This result is not limited to Millennial employees, either; the percentage of employees who express a preference for working for a digitally enabled company remains consistently above 70% for all age groups.
Second, fewer than half of all respondents indicated that they were satisfied with their organization’s digital efforts. As might be expected, this result is strongly correlated with the organization’s digital maturity — employees are least satisfied with those organizations that are digital laggards.

Some hype still sneaks in, but out of hundreds of articles this one looks readable.
A Hype-Free Guide to the Latest Apple Event… [Tech News Digest]

Oh joy. The debates are only a way to sell ads?
CNN to stream GOP debate for free
… The cable network announced it will lift that paywall from 6 p.m. to 11 p.m. the night of the debate and feature the live stream on its homepage. The move is meant to "showcase the value of 'TV Everywhere'" — the name CNN gives to its streaming service.
… Fox News scored about 24 million viewers for the first GOP debate in August, breaking all previous debate and cable news records. Those ratings have reportedly boosted ad prices for future debates, like the one hosted by CNN next Wednesday.
But Fox received some criticism for not offering a free livestream, which forced those without cable subscriptions to find someone with a subscription or miss the live event.
Susan Crawford, a visiting professor at Harvard University, called Fox's move "wrong" and said it "shouldn't happen again." She described it as a new kind of poll tax.
"Fox News felt no need to ensure that online viewers could watch the debate. That meant that cord-cutters and cord-nevers — basically, Millennials and an ever-increasing chunk of Americans — whose high-speed Internet access wasn’t sold to them by a cable company had to wait for re-runs," she wrote in a Medium post.

For my Business Intelligence students? Looks interesting.
New Census Web Tool Helps Business Owners Make Data Driven Decisions
by Sabrina I. Pacifici on Sep 9, 2015
“The U.S. Census Bureau today released Census Business Builder: Small Business Edition, a new Web tool that allows business owners and entrepreneurs to easily navigate and use key demographic and economic data to help guide their research into opening a new business or adding to an existing one. The Census Business Builder was developed with user-centered design at its core and incorporated feedback from customers and stakeholders, including small business owners, trade associations and other government agencies. The tool combines data from the American Community Survey, the economic census, County Business Patterns and other economic surveys to provide a complete business profile of an area. Business statistics include the number of establishments, employment, payroll and sales. American Community Survey statistics include population characteristics, economic characteristics and housing characteristics. The new tool also combines third-party consumer spending data with the Census Bureau economic and demographic data.”

Some might even work for my students.
The Best 20 Apps for Students to Get Through a Day of School
