Wednesday, November 11, 2015

Perfect timing. My next Computer Security class starts next week and I needed a good conversation starter. Confusing though: it's more about building the gambling business than identity theft.
Charges Announced in J.P. Morgan Hacking Case
In one of the biggest cybercrimes in history, federal prosecutors say, three men stole data on more than 100 million people from a dozen companies’ computers and used a vast global network of accomplices to turn it into hundreds of millions of dollars in illegal profits.
Indictments unsealed Tuesday in Manhattan and Atlanta accused the men and hundreds of their accomplices of carrying out last year’s big data breach at J.P. Morgan Chase & Co. and a host of other crimes around the world—involving computer networks in South Africa and Brazil, money laundered through Cyprus and illegal credit-card payments processed in Azerbaijan.
Manhattan U.S. Attorney Preet Bharara on Tuesday said this “diversified criminal conglomerate” was “breathtaking” in the size and scope of its hacking.
… The schemes allowed Mr. Shalon and his accomplices to turn stolen information into hundreds of millions of dollars, including at least $100 million hidden in his Swiss and other bank accounts, prosecutors said.
… The investigation into the three men began when J.P. Morgan came forward “early on” to share information with the government, prosecutors said. That led investigators to uncover a broader network of criminal activity with computer hacking at its center.
… In addition to disguising payments and constantly obtaining new bank accounts, the men tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers, starting in 2012. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The Man Accused of Masterminding the Hacks That Shook Wall Street
… Shalon began building his criminal conglomerate in 2007 with Internet casinos and capped it off with stock and credit-card schemes years later, according to the 68-page indictment against Shalon and others in Manhattan.

Also for my Computer Security students.
Who Is The Biggest Security Threat? Turns Out, It’s You

Update: I would have guessed a lot higher.
BBC reports:
The cyber-attack on TalkTalk could cost it up to £35m in one-off costs, the company has said.
Following the hack, which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.
Read more on BBC. The company is still sticking to its position that customers who want out of their contract due to lack of trust will have to pay a contract termination fee unless they can show they were financially harmed by the breach.

(Related) Then again, maybe not.
Diana Goovaerts reports:
In its earnings report for the six months ended September 30, 2015, Experian posted a charge of $20 million stemming from its response to an October security breach that exposed the data of millions of T-Mobile customers.
According to the report, the “one-off costs” came from Experian’s response to the hack, which included notifying impacted individuals, offering them free credit monitoring services and informing the appropriate government agencies of the intrusion.
That reportedly doesn’t include costs associated with all the lawsuits filed against them over the breach.
Read more on Wireless Week.

Lots of questions. Did the hospital allow all their “financial services” employees full access to medical records? If this was a policy violation, did the hospital detect it and take appropriate action?
Kevin Grasha has an update on a breach previously noted on this site.
University of Cincinnati Medical Center can’t be sued after an employee leaked private medical records about a patient who had syphilis, a judge ruled Monday.
The patient, a woman in her early 20s, filed the lawsuit last year. A screen shot of the woman’s private medical records from the hospital was posted on the Facebook group, “Team No Hoes,” in September 2013. The records listed the woman’s diagnosis as “maternal syphilis.” She was pregnant at the time.
In a way, and even though the patient may appeal the ruling, this ruling is consistent with other cases where covered entities were found not liable for employees’ egregious conduct that was outside the employee’s scope of work duties. In this case, the employee was reportedly in the financial services department.
It is not known what, if any, action HHS/OCR has taken as a result of their investigation into the incident.
[From the article:
At a hearing Monday in Hamilton County Common Pleas Court, Judge Jody Luebbers ruled that the employee was not acting “within the scope of her employment” by leaking the records.
Ohio case law, Luebbers said, dictated that she drop the hospital from the suit.
“(The hospital) had a policy. It was violated,” she said. “It’s tragic … but that’s just how I see it.”
… The suit also names the woman’s former boyfriend and the former hospital employee, who was fired a week after the Facebook post. [Because of the emails and Facebook posts? Bob]

Politics: “It is better to look good than to be good.” (with apologies to Hernando Fernando)
Corinne Reichert reports:
The Australian Privacy Foundation has accused the Senate of being “dangerously naive” in thinking that opt-out e-health records could be secured against breaches of privacy.
Bernard Robertson-Dunn, a member of the Privacy Foundation who has also constructed IT systems for several government departments, said it is “patently absurd” for the Senate inquiry committee to think that Australian laws will do anything to deter criminals and cyber attacks from overseas.
Read more on ZDNet.
[From the article:
The Senate had ignored expert advice by changing the e-health records to be opt-out, according to the Privacy Foundation, with the likelihood of personal information being stolen and published in an attack similar to the Ashley Madison hack increasing with the more data that is stored.
"This is in spite of being told that it is insecure and a major threat to the privacy of most Australians, has little value to health professionals, and has all the appearance of primarily being an aid to law-enforcement and revenue-collection agencies," Robertson-Dunn said in a letter to senators.
Even lawful access to the medical information could constitute a "huge invasion of privacy", the Privacy Foundation argued, as anyone employed by a medical facility could access the health records of patients.

Mapping Attempts to Craft an Internet Bill of Rights
by Sabrina I. Pacifici on Nov 10, 2015
Towards Digital Constitutionalism? Mapping Attempts to Craft an Internet Bill of Rights. Lex Gil, Dennis Redeker, Urs Gasser. November 9, 2015. Available for download via SSRN.
“The idea of an “Internet Bill of Rights” is by no means a new one: in fact, serious efforts to draft such a document can be traced at least as far back as the mid-1990s. Though the form, function and scope of such initiatives has evolved, the concept has had remarkable staying power, and now—two full decades later—principles which were once radically aspirational have begun to crystallize into law. In this paper, we propose a unified term to describe these efforts using the umbrella of “digital constitutionalism” and conduct an analysis of thirty initiatives spanning from 1999 to 2015. These initiatives have great differences, and range from advocacy statements to official positions of intergovernmental organizations to proposed legislation. However, in their own way, they are each engaged in the same conversation, seeking to advance a relatively comprehensive set of rights, principles, and governance norms for the Internet, and are usefully understood as part of a broader proto-constitutional discourse. While this paper does not attempt to capture every facet of this complex political behavior, we hope to offer a preliminary map of the landscape, provide a comparative examination of these diverse efforts toward digital constitutionalism, and—most importantly—provoke new questions for further research and study. The paper proceeds in four parts, beginning with a preliminary definition for the concept of digital constitutionalism and a summary of our research methodology. Second, we present our core observations related to the full range of substantive rights, principles and themes proposed by these initiatives. Third, we build on that analysis to explore their perceived targets, the key actors and deliberative processes which have informed their character, and the changes in their substantive content over time. Finally, we look forward, identifying future directions for research in this rapidly changing policy arena and for the broader Internet governance community.”

Massive investment that could be made worthless if we keep trying to be the world's digital cops.
Microsoft is building data centres in Germany to protect European users from US spying
Microsoft is building a set of data centres in Germany which will, the company hopes, help fend off data requests from the US government, The Financial Times reports. The project is in conjunction with Deutsche Telekom.
Various big American companies, including Apple and Microsoft, have become involved in a legal spat with the US government over its rights to data access on non-US soil, namely in Europe. A lot of data for European customers was hosted in the US which, the government argued, allowed them access.
… Microsoft announced on Tuesday that the company is expanding its data centre presence elsewhere in Europe, spending $2 billion (£1.3 billion) on upgrading existing infrastructure in Ireland and the Netherlands and building entirely new centres in the UK.

Why does the government have so much trouble doing what thousands of companies do every day?
A decade into a project to digitize U.S. immigration forms, just 1 is online
Heaving under mountains of paperwork, the government has spent more than $1 billion trying to replace its antiquated approach to managing immigration with a system of digitized records, online applications and a full suite of nearly 100 electronic forms.
A decade in, all that officials have to show for the effort is a single form that’s now available for online applications and a single type of fee that immigrants pay electronically. The 94 other forms can be filed only with paper.

Our boy Kim is still using our own words against us. (Kim seems to be putting on weight.)
TPP text cited in Dotcom hearing
Lawyers for Kim Dotcom say the Trans Pacific Partnership (TPP) backs their view that internet service providers are protected from copyright infringement.
… The text showed internet service providers were protected from copyright infringement by their users.
It confirmed this protection was not conditional on service providers monitoring users, he said.

This is good. This could be troublesome. This could mean war. (Pick three)
Burma’s election leaves former patron China with uncomfortable questions
Burma’s historic general elections and signs of a landslide victory for backers of opposition leader Aung San Suu Kyi have raised some uncomfortable questions in giant northern neighbor China.
The first is how China’s Communist Party rulers will manage to get along with a civilian-led government in Burma after decades of wholeheartedly backing military rule in Burma.
But a second question, perhaps less expected, has bubbled up from Chinese people themselves in the past few days. If the Burmese can have democracy, some ask, why can’t we?