Wednesday, December 09, 2015

Stealing data is bad. Stealing data and then failing to secure it is even worse. (Would this case get tossed out in the Eleventh Circuit?)
Justin Baer reports:
Morgan Stanley suspected that Russian hackers stole client data from a former financial adviser who pleaded guilty to illegally accessing the bank’s computers and taking the information home with him.
Galen Marsh, who was fired from the Wall Street firm in January for viewing and copying account information on other advisers’ clients, pleaded guilty in September to one felony count of exceeding authorized access to a computer. But Mr. Marsh had always maintained that he wasn’t responsible for some of the client data appearing online on a text-sharing website, and that he didn’t offer to sell the information.
In a recent court document filed ahead of Mr. Marsh’s sentencing hearing, Mr. Marsh’s lawyers wrote that “based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.”
Read more on WSJ.
[From the article:
According to court documents, Mr. Marsh allegedly made more than 5,000 unauthorized searches of confidential information on the firm’s computer systems using the identification numbers of other Morgan Stanley branches, groups and advisers, beginning in June 2011. He uploaded the data, which included client names, addresses, account numbers and investment information, to a personal server in his New Jersey home, the prosecutors alleged.
Mr. Marsh has argued he accessed the information to analyze how other advisers managed clients’ money. Morgan Stanley has said no clients lost money on the security breach.

Find a popular site. Use them to spread your malware.
Joseph C. Chen reports:
NOTE: This is a developing story. Please watch this space for updates as we continue to dig into the technical details of this attack.
The blog page of one of the leading media sites in the United Kingdom, “The Independent” has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the situation. For their part, the news website staff was quick to respond and take action to mitigate the risk this event posed to the website itself and its user base.
It should be noted that only the blog part of the website–which uses WordPress–is impacted; the rest of The Independent’s online presence seem unaffected.
Read more on TrendMicro.

Interesting. A “Golden Parachute” for the average employee?
Scott Daugherty reports:
A Virginia Beach construction company claims a former employee stole trade secrets earlier this year and provided them to a competitor.
Unlike most such cases, however, officials with Atlantic Marine Construction Company aren’t arguing the employee stole their proposal sheets and other records before he was fired. Rather, the company claims Christopher McGrath, formerly of Virginia Beach, stole them after he was terminated via a widely available computer program he secretly installed on a work computer.
Read more on Virginian- Pilot.
[From the article:
The lawsuit said McGrath – Atlantic Marine’s now-former vice president in charge of construction – installed “Google Chrome Remote Desktop” on a work computer in February without authorization. He was fired in August for reasons not specified in the suit.
Following his termination, McGrath accessed Atlantic Marine’s computer network at least 16 times with the help of the program, the lawsuit said. According to the suit, Atlantic Marine believes McGrath viewed, copied and downloaded the company’s trade secrets each time he connected to the network.

Local. There's one in Greenwood Village. Notified in early November, still leaking customer data until December.
Ron Ruggless reports:
CM Ebar LLC, parent to the Elephant Bar restaurants, warned customers who used credit cards at the 29-unit chain between August and December that their data may have been breached, the company said Tuesday.
The casual-dining operator said it was alerted to the potential security breach on Nov. 3, and it has investigated and removed the suspected computer malware that lead to the possible incident.
A representative for CM Ebar said the possible data breach included 20 restaurants in California, three in Colorado, two in Arizona and one each in the remaining states where it operates. A complete list of the restaurants is available at a microsite dedicated to the incident.

So, outsource the last bit to a small company?
New EU cybersecurity rules neutered by future backdoors, weakened crypto
The European Union has drawn up a set of rules governing the security of the region's digital infrastructure. Under the framework provisionally agreed last night by Members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers, transport, energy and other key companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is resilient enough to withstand online attacks. Similarly, major digital marketplaces like eBay or Amazon, search engines, and cloud services will be required to ensure that their infrastructure is secure, and to report major incidents. Smaller digital companies will be exempt from these requirements.

Remember, “A wet bird never flies at night.” Not encrypted – encoded. Decoded it means, “How ignorant!”
Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones.

Spam from USPS? Was there really a demand for this? Why filter out most of their scans?
The US Postal Service Will Soon Email You Scans of Your Mail
The US Postal Service is rolling out a new service that emails you scans of the mail you’ll be getting in your mailbox each day.
The USPS has been testing the service, Informed Delivery, in some zip codes in Northern Virginia since 2014, and it will reach the New York City metro area, plus select areas of Connecticut, beginning this fall. USPS says expansion to other areas is being considered for 2016. For now, the Postal Service will only send you scans of letter-sized envelopes.
Once you sign up, USPS will email you a notification before 11 am daily, Monday through Saturday, containing grayscale images of just the front of your envelopes for up to ten pieces of mail.
… For now, the service won’t be available to businesses, and it won’t work for packages—USPS says customers should rely on its tracking and mail hold services instead for those types of mail.
… USPS actually already photographs every letter and package mailed in the United States—a practice it started after anthrax attacks in late 2001 killed five people, including two postal workers.

Should be very simple.
Federal Rules of Civil Procedure 2016 ePub
by Sabrina I. Pacifici on Dec 8, 2015
From Sarah Glassmeyer – “The Federal Rules of Civil Procedure just had a ton of revisions come into effect on December 1. Since the US Courts only publish this in a 170 page PDF, I thought I’d make it a little more user friendly and make an ebook (by which I mean an ePub, compatible with everything but Kindles) out of it. I also added in all of the new forms as jpegs, so they look the way that they are supposed to look. It was a massive pain in the tookus to do. You’re welcome. Anyway, here it is.” Thank you Sarah.

Find a book for Christmas break!
NPR’s Book Concierge – Guide To 2015’s Great Reads
by Sabrina I. Pacifici on Dec 8, 2015

For my App students in the Winter Quarter.
11 Apps and Sites for Learning to Code
… The MIT App Inventorn allows students to create and publish their own Android applications. The MIT App Inventor works in your web browser (Chrome is recommended). The only download that is required for App Inventor 2 is the optional emulator. The emulator allows people who don't have Android devices to text their apps on their desktops. If you have an Android device then the emulator is not required and you don't need to worry about installing it. MIT provides excellent support documentation and curriculum for classroom use for new users of App Inventor. Click here to read about a great app developed by students using the MIT App Inventor.

No comments: