Thursday, March 17, 2016

In today's business environment, the ONLY report of multi-million dollar transactions is a paper printout? This looks very well planned for a hack foiled by a misspelling.
Broken printer costs Bangladesh $100mn in cyber heist
… It took the regulator nearly four days to discover the problem and ask banks across the globe to halt payments to the hackers after the central bank's joint director Zubair bin Huda had noticed a glitch with a printer on February 5. The printer was set up to automatically print all SWIFT wire transfers.
"Since such glitches happened before, we thought it was a common problem just like any other day," Huda said in the complaint.
He then tried and failed to print out the messages manually from the SWIFT system.
The theft happened on Friday, a weekend in Muslim Bangladesh, so the official says he left the office and asked his colleagues to help fix the problem.
After the system was rebooted more than 24 hours later, the employees managed to print the receipts. They revealed dozens of questionable transactions to the Philippines, Sri Lanka and elsewhere.
The receipts showed the Federal Reserve Bank of New York had sent back queries to Bangladesh Bank against 46 payment orders in different messages.

Man in Manila gets $30 million cash from cyber heist; Bangladesh central bank governor quits
Bangladesh's central bank governor resigned on Tuesday over the theft of $81 million from the bank's U.S. account, as details emerged in the Philippines that $30 million of the money was delivered in cash to a casino junket operator in Manila.
The rest of the money hackers stole from the Bangladesh Bank's account at the New York Federal Reserve, one of the largest cyber heists in history, went to two casinos, officials told a Philippines Senate hearing into the scandal.
… Bangladesh Bank is also working with anti-money laundering authorities in the Philippines, where it suspects the stolen $81 million arrived in four tranches.
The Philippines' Rizal Commercial Banking Corp (RCBC) (RCB.PS) said last week it was investigating deposits amounting to just that sum, which were made at one of its branches.
CCTV cameras at the branch were not functioning when the money was withdrawn, RCBC's anti-money laundering head, Laurinda Rogero, told the Senate hearing.
The president of a foreign exchange broker called Philrem Service Corp, Salud Bautista, told the Senate that her firm was instructed by the bank branch to transfer the funds to a man named Weikang Xu and two casinos.
She said that $30 million went to Xu in cash. Guingona has said Xu was ethnic Chinese and a foreigner, but he was not sure if he was a Chinese national.

Still not a huge breach, but another case of an organization unable to quickly determine what happened.
Well, I may have to walk back some of my praise for outdoor gear company Bailey’s after I first read and reported on a payment card breach they discovered and disclosed.
The firm has updated its breach disclosure after subsequently discovering that the breach did not begin in September 2015, and that it was not 15,000 who were affected. According to their updated notification, the breach began in December 2011 and affected 250,000.
They still get brownie points for transparency, but lost a few points for having a breach go undetected for so many years.

Beware of hackers sending phishing emails warning of hackers sending phishing emails!
TASS reports:
Hackers attacked dozens of Russian banks by sending letters on behalf of FinCert on Tuesday, March 15, Kaspersky Lab said in a report on Wednesday.
FinCert is a unit of the Central Bank that warns financial institutions of cyber threats.
“On March 15, dozens of Russian banks became targets of cyberattacks by means of sending malicious messages to the electronic addresses of their employees. The peculiarity of this attack was that the cybercriminals posed as FinCert, a special department of the Central Bank created about a year ago to inform Russian banks of security incidents in the financial sector,” according to the report.
Read more on TASS.
[From the article:
The malefactors registered a domain name that allowed them to send letters from addresses similar to the real address of FinCert.
Their letters contained purported security files which in reality were malicious software. Downloading the files allowed the attackers to gain access to the banks' information systems.
The mailings were personally addressed – each letter started with the name of a specific recipient. The cybercriminals had assembled a dedicated database of contacts, presumably from the materials of industry conferences or the official documents of a number of banks.

Another government entity going after poor security planning. A trend I approve!
First: refresh your memory of a 2011 breach involving Accretive Health, a business associate of North Memorial Hospital.
Then read HHS’s press release how that breach just cost North Memorial Hospital $1.55 million, and why:
$1.55 million settlement underscores the importance of executing HIPAA business associate agreements
North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
[Much omitted Bob]
In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.
The Resolution Agreement and Corrective Action Plan can be found on the HHS website at:

A warning for my vets.
Free phone scam targets veterans
… The FTC has posted a warning for veterans who are approached by someone offering a cell phone and service for free. And to make the scammer seem even more legitimate, they set up shop in booths outside of VA facilities.
Here’s the scam: a couple months after a veteran signs up, they will get a letter notifying them that they need to send their personal information. Additionally, they are asked to send documentation proving their income meets the low-income requirements.

A warning for me.
American Express Warns Cardholders of Data Breach
American Express informed customers last week that their payment card information may have been compromised after a third party service provider suffered a data breach.
Information associated with current or previously issued American Express cards, including account numbers, names and expiration dates, might have been obtained by unauthorized parties, Amex said in a data breach notice submitted to California’s attorney general.
It’s worth pointing out that the breach is dated December 7, 2013 on the website of California’s attorney general. [No date on the Amex notice Bob] The name of the affected service provider, which Amex says is engaged by numerous merchants, has not been made public.
This breach is another example of a broken chain of custody with confidential data. AMEX protects it, but then relinquishes control to another party that has weak controls which the bad actors know how to exploit.
... “As an AMEX card user myself, one of the things that I have done is turn on the immediate notification when a purchase is made with the card or when the card is not present. Members can choose the amount limit on the transaction and the type of notification (text, email, etc.) It gives users immediate notification, as well as some level of peace of mind,” Blake added.

For my Disaster Recovery students. Two systems in case one fails?
Apple said to move part of cloud business from AWS to Google
Apple has moved some of its iCloud and services data from Amazon Web Services to Google's cloud platform, in what is seen as a bid by the iPhone maker to diversify its cloud service providers, according to reports.
The move comes even as the company is building its own new data centers, leading to speculation whether the shift is only temporary.

The big “out?” “The NSA wouldn't give me a secure device, so I secured my own email.”
NSA dismissed Clinton request for ‘secure’ BlackBerry
Federal intelligence officials rebuffed an early effort by Hillary Clinton’s top aides to provide her with a “secure ‘BlackBerry-like’” device to use while serving as secretary of State, according to new emails released Wednesday.
Emails released as part of an open records lawsuit from conservative legal watchdog Judicial Watch show that the National Security Agency (NSA) rebuffed requests from the State Department in February of 2009 to find a replacement for Clinton’s mobile device.
… It’s unclear from the emails how the matter was ultimately resolved.

Politics overrides all that Law School training?
The Law is Clear: The FBI Cannot Make Apple Rewrite its OS
Every once in a while, President Obama removes his Law Professor in Chief hat and puts on his I Get Terrifying Briefings Every Day hat.
… The problem for the president is that when it comes to the specific battle going on right now between Apple and the FBI, the law is clear: twenty years ago, Congress passed a statute, the Communications Assistance for Law Enforcement Act (CALEA) that does not allow the government to tell manufacturers how to design or configure a phone or software used by that phone — including security software used by that phone.
CALEA was the subject of intense negotiation — a deal, in other words. The government won an extensive, specific list of wiretapping assistance requirements in connection with digital communications. But in exchange, in Section 1002 of that act, the Feds gave up authority to “require any specific design of equipment, facilities, services, features or system configurations” from any phone manufacturer. The government can’t require companies that build phones to come to it for clearance in advance of launching a new device. Nor can the authorities ask a manufacturer to design something new — like a back door — once that device is out.

Perhaps this would keep you from starting your car with your smartphone and call you an Uber ride instead?
Machine-Learning Algorithm Identifies Tweets Sent Under the Influence of Alcohol
… Today, these guys show how they’ve trained a machine to spot alcohol-related tweets. And they also show how to use this data to monitor alcohol-related activity and the way it is distributed throughout society. They say the method could have a significant impact on the way we understand and respond to the public health issues that alcohol and other activities raise.

WeChat still unstoppable, grows to 697m active users
WeChat, Tencent’s popular messaging app, is still growing fast. It added nearly 200 million monthly active users (MAUs) in the past year.
… Tencent did not disclose how many of WeChat’s users are in mainland China versus other areas. But it’s clear that WeChat is focused on mainland China from the number of the app’s features that are limited just to its home nation, such as online and in-store payments via the WeChat Pay feature.

For my Data Management students to consider.
Can an App-only E-commerce Model Succeed in India?

Tools & Techniques
How to Make a Screencast Tutorial for YouTube
One of the most popular types of YouTube video is the screencast — the desktop tutorial that shows you how to do almost anything, from making better use of the Windows 10 shell, to something simple like switching your desktop theme.
If you’ve ever considered making such a video, you’ll be happy to know that they’re remarkably straightforward to produce, so much so that YouTube even offers a tool to help you make it happen.

Gack! We are too lazy to learn cursive now that we can thumb our messages into a smartphone – and now this?
Nike’s first official self-tying sneakers go on sale this year
Nike made a number of new product announcements at a glitzy event in New York yesterday, but perhaps the most exciting revelation was that the company is finally bringing a pair of self-tying sneakers to market — just like in that movie.
While Nike has teased prototypes and versions of the shoe from Back to the Future 2 in the past, with the HyperAdapt 1.0, the American sports apparel giant is finally bringing a pair of the futuristic wonders to market for anyone to buy. The sneakers sport “adaptive lacing” technology, which can automatically adjust the snugness of the shoe. “When you step in, your heel will hit a sensor and the system will automatically tighten,” said Tiffany Beers, Nike’s senior innovator, in a press release. “Then there are two buttons on the side to tighten and loosen. You can adjust it until it’s perfect.”

It might be fun to read these lines and see how many of my students recognize them. But then again, it might just be depressing. (and why does Douglas Adams rate two mentions?)
Do You Remember These First Lines From Famous Books?
If you’ve ever attempted to learn to write a book, one of the very early lessons you were told is that you need to hook the reader right away. Many of the best pieces of literature start off with an opening line that’s so memorable and engaging that you can’t help but keep going.
It’s with that in mind that we take a peek at this awesome infographic that shows off some of the most compelling opening lines in literature’s long history.
How many of them do you remember from the first time you read the books?