Wednesday, May 04, 2016
So they can still generate electricity, but they can’t bill for it? Or pay their employees? Or their vendors?
Richard Chirgwin reports:
A water and electricity authority in the US State of Michigan has needed a week to recover from a ransomware attack that fortunately only hit its enterprise systems.
Lansing’s BWL – Board of Water & Light – first noticed the successful phishing attack on its corporate systems on April 25, and has had to keep systems including phone servers locked down since then.
The company says customer data has not been stolen (only, as is the case in ransomware attacks, encrypted).
Read more on The Register.
Last week, the FBI posted an alert highlighting what we already knew: ransomware is on the rise. And not only is it hitting all sectors, it’s hitting personal home computers.
What some may not know, and from the FBI’s alert:
And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.
Screwing up by the numbers?
Aha. I see Brian Krebs got some answers before I did concerning a breach involving ADP. On April 30, I had reported that Allegheny College suspected that employee reports of W-2 data compromise were linked to a breach involving ADP’s iPay. In an email to this site earlier today, Rick Holmgren, the college’s vice-president of Information Services and Assessment, said he still had no idea how unauthorized third parties were able to register accounts on iPay. ADP, contacted several times by DataBreaches.net, has yet to provide the requested explanation.
Enter Brian Krebs to the rescue. Brian reports that the criminals were able to steal wage and tax data from ADP by registering accounts in the names of employees at “more than a dozen customer firms.”
ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.
Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.
… A reader who works at the financial institution shared a letter received from Jennie Carlson, U.S. Bank’s executive vice president of human resources.
“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
The letter continued:
“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.
The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.
Read more on KrebsOnSecurity.com.
The problem being described appears different than the problem being reported in connection with Greenshades clients. As I’ve reported previously on this site, Greenshades claims their clients’ employees had their W-2 data compromised because they used their DOB and SSN as their login credentials, [Aargh! Bob] and criminals who obtained that information elsewhere were then able to login as the employees and download their W-2 data. Other clients’ employees, they claim, likely fell for a phishing scheme directing them to a fake Greenshades domain.
ADP and Greenshades are not the only payroll or W-2 vendors whose clients have been reporting problems. As also noted previously on this site, Innovak customers in Mississippi and Alabama have reported problems, and Stanford University and its vendor, W-2 Express, are still investigating how over 700 Stanford employees had their W-2 data stolen.
How many other vendors have experienced compromises remains unknown, as some entities reporting breaches of their employees’ W-2 data are not naming their vendors.
Might this be a good time for all vendors to review and strengthen their authentication procedures?
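To make the two enrollment designs in the ADP story concrete, here is a constructed Python model (added for this post; it is not code from ADP, Greenshades, KrebsOnSecurity or DataBreaches.net). `StaticCodePolicy` mirrors the pattern Krebs describes: a company-wide link plus a static company code, both of which some customers published, combined with personal data that criminals already held. `PerEmployeeTokenPolicy` shows the usual fix: a per-employee, single-use, expiring enrollment token delivered out of band, so that neither a leaked company value nor personal data obtained elsewhere is enough to claim an unregistered account. The same reasoning applies to the Greenshades item, where DOB and SSN served as login credentials. All class names, employee records, codes and the one-hour token lifetime are assumptions made up for the example.

```python
"""Constructed model of a self-service payroll-portal enrollment flow.

Two policies are compared:
  * StaticCodePolicy      - company-wide static code + employee PII
                            (the pattern described in the ADP story).
  * PerEmployeeTokenPolicy - single-use, expiring token issued to one
                            specific employee and delivered out of band.
Every name, record and token below is made up for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Employee:
    emp_id: str
    ssn_last4: str   # constructed sample PII, not real data
    dob: str
    registered: bool = False


class StaticCodePolicy:
    """One shared code for the whole company: if it leaks, every unregistered employee is claimable."""

    def __init__(self, company_code: str, employees: dict):
        self.company_code = company_code
        self.employees = employees

    def register(self, company_code: str, emp_id: str, ssn_last4: str, dob: str) -> bool:
        emp = self.employees.get(emp_id)
        if emp is None or emp.registered:
            return False
        # Everything checked here is either shared by all employees or obtainable elsewhere.
        if not hmac.compare_digest(company_code, self.company_code):
            return False
        if (ssn_last4, dob) != (emp.ssn_last4, emp.dob):
            return False
        emp.registered = True
        return True


class PerEmployeeTokenPolicy:
    """Per-employee, single-use, expiring enrollment token; only its hash is stored server-side."""

    def __init__(self, employees: dict, ttl_seconds: float = 7 * 24 * 3600, clock=time.time):
        self.employees = employees
        self.ttl = ttl_seconds
        self.clock = clock            # injectable clock so expiry can be exercised offline
        self._tokens = {}             # emp_id -> (sha256(token), expiry_timestamp)

    def issue_token(self, emp_id: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._tokens[emp_id] = (digest, self.clock() + self.ttl)
        return token                  # handed to the employee via a trusted channel (HR, payslip)

    def register(self, emp_id: str, token: str) -> bool:
        emp = self.employees.get(emp_id)
        entry = self._tokens.get(emp_id)
        if emp is None or emp.registered or entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self._tokens[emp_id]  # an expired token is useless to whoever finds it later
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self._tokens[emp_id]      # single use: a replay cannot re-register the account
        emp.registered = True
        return True

    def unclaimed(self) -> list:
        """Employees with a live token who have not enrolled: the 'deferred signup' exposure."""
        now = self.clock()
        return [e for e, (_, exp) in self._tokens.items()
                if now <= exp and not self.employees[e].registered]


def demo() -> dict:
    """Run both policies against the same constructed roster and return the outcomes."""
    roster = {"e1": Employee("e1", "1234", "1980-01-01"),
              "e2": Employee("e2", "5678", "1975-06-30")}
    # Policy 1: code was posted online and the fraudster already holds e1's PII.
    static = StaticCodePolicy("ACME-2016",
                              {k: Employee(v.emp_id, v.ssn_last4, v.dob) for k, v in roster.items()})
    results = {
        "static_hijack": static.register("ACME-2016", "e1", "1234", "1980-01-01"),  # True
        "static_wrong_code": static.register("WRONG", "e2", "5678", "1975-06-30"),  # False
    }
    # Policy 2: per-employee tokens, one-hour lifetime, controllable clock.
    now = [1_000_000.0]
    tokens = PerEmployeeTokenPolicy(roster, ttl_seconds=3600, clock=lambda: now[0])
    t1, t2 = tokens.issue_token("e1"), tokens.issue_token("e2")
    results["guess_fails"] = tokens.register("e1", "not-the-token")   # False
    results["e1_ok"] = tokens.register("e1", t1)                      # True
    results["replay_fails"] = tokens.register("e1", t1)               # False
    results["unclaimed_before_expiry"] = tokens.unclaimed()           # ["e2"]
    now[0] += 7200                                                    # advance past expiry
    results["e2_expired"] = tokens.register("e2", t2)                 # False
    results["unclaimed_after_expiry"] = tokens.unclaimed()            # []
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `unclaimed()` is operational: with per-employee tokens, the set of accounts still open to a fraudulent registration is enumerable and shrinks automatically as tokens expire, whereas with a static company code it is every employee who ever deferred signup, for as long as the code stays valid.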
Or screwing up wholesale. (We don’t need no stinking encryption!)
EqualizeRCM Services is a vendor providing billing and collection services to healthcare providers. In compliance with HIPAA, it has Business Associate contracts with its clients, who provide it with the information needed to fulfill its functions. The firm has headquarters in Austin, Texas, and offices in Houston and Washington, D.C.
On February 29, EqualizeRCM learned that a laptop had been stolen from an employee on February 25 or 26. A notification letter, signed by Janine Anthony Bowen of LeClairRyan to the New Hampshire Attorney General’s Office, does not indicate whether the laptop was stolen from the employee’s home, a car, or some other location.
[ … ]
In a statement posted on their web site on April 28, EqualizeRCM explained that
the information potentially exposed may have included patient name, address, phone number, date of birth, gender, insurance provider and policy number, health care provider information, billing and diagnosis codes, medical record number, internal reference number, date and type of service, the name of the treating facility, and other administrative information.
Financial account information and Social Security numbers were not impacted, and as of April 28, neither EqualizeRCM nor its clients were aware of any misuse of the information. As a precaution, however, EqualizeRCM is offering affected patients services through AllClear ID.
In addition to offering remediation services, EqualizeRCM is also reviewing its policies and procedures, implementing additional safeguards to ensure information in its control is appropriately protected, and “retraining employees on existing policies for the proper handling of sensitive information.”
Are there billboards near a potential target?
Clear Channel Outdoor (CCO) has 675,000 billboards worldwide, most of which are tracking everyone’s smartphones and tablets. CCO’s ad program is a partnership between AT&T and other companies that collect location data from smartphones, company officials said.
CCO’s smartphone electronic surveillance system is called “RADAR,” which, they insist, anonymizes everyone’s data. But it does much more than that: it tracks consumers’ real-world travel patterns and behaviors.
Read more on MassPrivateI.
Those who do not study technology are doomed to misunderstand it? Frustrated (or technically ignorant) judges will certainly repeat rulings like this one.
WhatsApp Goes Through Judicial Revolving Door in Brazil
A Brazilian court on Tuesday overturned a different court's Monday order that blocked WhatsApp, the messaging site owned by Facebook, amid a criminal investigation into drug trafficking in the state of Sergipe.
The earlier judicial demand that WhatsApp provide data considered critical to the investigation came soon after a ramp-up in the level of encryption built into the app. Five major Internet service providers faced hefty fines of about US$142,000 daily if they failed to comply with the order.
… The decision to block WhatsApp was clumsy and disproportionate, said Katitza Rodriguez, international rights director at the Electronic Frontier Foundation.
… The order surprised activists in Brazil, who considered the move out of step with the spirit of the law, noted Javier Pallero, policy analyst at Access Now.
… Brazilian lawmakers on Tuesday held hearings to consider a series of laws that could lead to a severe crackdown on open technology and privacy, as part of Brazil's Parliamentary Inquiry on Cybercrime.
Officials on Wednesday are expected to vote on seven pieces of legislation that would give police warrantless access to IP addresses, allow judges to block sites used for criminal purposes, and require monitoring of content on sites and apps deemed offensive, according to EFF.
Just to be clear…
Law Affords More Protection to PINs Than Prints
… Although the Fifth Amendment to the U.S. Constitution protects citizens from self-incrimination, that protection doesn't extend to opening mobile phones with a fingerprint, according to Paul Rosenzweig, a George Washington University professorial lecturer in law.
"None of your physical characteristics are subject to Fifth Amendment protection," he told TechNewsWorld.
"You don't have a right to refuse to stand in a lineup," Rosenzweig said. "You don't have a right to refuse an order to give your fingerprint to be compared to fingerprints at a crime scene."
The Fifth Amendment protects only things that are testimonial in nature.
Sometimes being the dominant player in a market can get expensive. Would any insurance cover this? If not, will they be able to replace all these airbags before bankruptcy?
Takata's fight for survival gets even harder as airbag recall widens
… “This is just another step in the long decline of Takata,” said Jochen Siebert, managing director of JSC (Shanghai) Automotive Consulting Co. “I just can’t see how Takata can survive this disaster.”
An expanded safety campaign will deal a further blow to President Shigehisa Takada, who has so far failed to contain a spiraling crisis that’s wiped out 75 percent of his family company’s market value in the past year. Last May, the airbag supplier set the record for the largest automotive recall in U.S. history by agreeing to almost double the number of vehicles called back to about 34 million.
Something for my Spreadsheet students to play “what if” games with.
Traditional and Roth Individual Retirement Accounts (IRAs): A Primer
by Sabrina I. Pacifici on May 3, 2016
CRS report via FAS – Traditional and Roth Individual Retirement Accounts (IRAs): A Primer, John J. Topoleski, Analyst in Income Security. April 27, 2016.
“In response to concerns over the adequacy of retirement savings, Congress has created incentives to encourage individuals to save more for retirement through a variety of retirement plans. Some retirement plans are employer-sponsored, such as 401(k) plans, and others are established by individual employees, such as Individual Retirement Accounts (IRAs). This report describes the primary features of two common retirement savings accounts that are available to individuals. Although the accounts have many features in common, they differ in some important aspects. Both traditional and Roth IRAs offer tax incentives to encourage individuals to save for retirement. Contributions to traditional IRAs may be tax-deductible for taxpayers who (1) are not covered by a retirement plan at their place of employment or (2) have income below specified limits. Contributions to Roth IRAs are not tax-deductible and eligibility is limited to those with incomes under specified limits…”
For my geeks!
IBM Is Now Letting Anyone Play With Its Quantum Computer
Quantum computing is computing at its most esoteric. It’s an experimental, enormously complex, sometimes downright confusing technology that’s typically the domain of hardcore academics and organizations like Google and NASA. But that might be changing.
Today, IBM unveiled an online service that lets anyone use the five-qubit quantum computer its researchers have erected at a research lab in Yorktown Heights, New York. You can access the machine over the Internet via a simple software interface—or at least it’s simple if you understand the basics of quantum computing.
For my Students! “Study hard.” “Come to class on time.”
How to Add Subliminal Messages to Windows
Whether you want to train your unconscious mind while you work, perform a study on whether these messages have an effect, or just play a few pranks on your friends’ computers, here’s how you can add some subliminal message text to Windows.
A recording studio on your phone?
Moog’s New App Is a Spot-on Recreation of a Classic Synth
Five years ago, Moog Music proved you could use the iPad as a real musical instrument when it released Animoog, a polyphonic synthesizer app that made full use of the tablet’s touchscreen.
… The Moog Model 15 Synthesizer app is an iOS-powered recreation of the iconic Model 15 modular synth from 1973. You can download it now for $30. If you find that steep, consider two things. One, this is a pro-grade instrument that plays and sounds like the business. And two, a real Model 15 is the size of a suitcase and tops $10,000; the iPad version delivers 90 percent of the goods in something easily carried in your backpack.
(Related) I wonder if any of my students have talent?
BandLab - Collaboratively Create Music Online
BandLab is a free service that enables you to create music in your web browser or through free Android and iOS apps. In BandLab you can create soundtracks using any of the virtual instruments that are provided. You can also speak or sing to record a track. Within the BandLab editor you can mix your tracks together to create a song. If you have existing audio files on your computer, you can upload those to incorporate into your BandLab creations.
BandLab is designed to allow you to collaborate with others. To collaborate you first have to create a band in your BandLab profile then invite other users to join your band.