Tuesday, June 07, 2016
My Computer Security students have been following this breach. We will still see facts dribbling out years after the event.
Did New York Fed Miss Red Flags in $81 Million Bangladesh Bank Theft?
The blame game over who should be held responsible for the bank thefts via SWIFT continues. Ecuador's Banco del Austro (BDA) has already launched action against Wells Fargo for releasing $12 million to accounts largely in Hong Kong, claiming it failed to respond to red flags in the transactions. Bangladeshi officials have blamed both SWIFT (for not ensuring that a new SWIFT system at the bank was secure) and the New York Federal Reserve Bank (for ignoring red flags in the transactions) for its own loss of $81 million.
… Now a new report from Reuters suggests that the Bangladesh Central Bank may have a point. The New York Fed received a total of 35 fraudulent transfer requests. It blocked all of them. "On the day of the theft in February, the New York Fed initially rejected 35 requests to transfer funds to various overseas accounts, a New York Fed official and a senior Bangladesh Bank official told Reuters."
The requests were incorrectly formatted and omitted the names of the receiving banks. Later the same day the hackers at the Bangladesh bank resubmitted all 35 transfer requests. This time they were correctly formatted - but the New York Fed still blocked 30 of them. Five were approved for a total of $101 million. One of these was subsequently reversed because of a spelling error; but the remaining four went through and resulted in the $81 million loss.
However, what Reuters describes as 'a source close to the bank' still has concerns. The four approved transfers contained anomalies that should have raised flags. "They were paid to individual recipients, a rarity for Bangladesh's central bank, and the false names on the four approved withdrawals also appeared on some of the 30 resubmitted requests rejected by the bank," reports Reuters.
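The red flags Reuters lists (receiving bank omitted, payments to individuals, and beneficiary names recurring on requests already rejected) turned into a defender's screening rule, as an added example that is not from the Reuters report or from either bank; the record layout, the "individual" classification and every request below are constructed assumptions:

```python
# Added example, not the quoted article's code: screening rules modelled on the
# red flags Reuters reported. Records and field names below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ref: str
    beneficiary: str
    beneficiary_bank: str  # empty when the receiving bank was omitted
    beneficiary_type: str  # "institution" or "individual" (assumed field)

def screen(batch, prior_rejected_names=frozenset()):
    """Return {ref: [flags]} for each request; an empty list means clean."""
    results = {t.ref: [] for t in batch}
    for t in batch:  # pass 1: formatting and recipient-profile checks
        if not t.beneficiary_bank.strip():
            results[t.ref].append("missing_receiving_bank")
        if t.beneficiary_type == "individual":
            results[t.ref].append("individual_recipient")
    # pass 2: a name shared with an earlier-rejected or another flagged request
    flagged_by_name = {}
    for t in batch:
        if results[t.ref]:
            flagged_by_name.setdefault(t.beneficiary.casefold(), set()).add(t.ref)
    for t in batch:
        name = t.beneficiary.casefold()
        if name in prior_rejected_names or flagged_by_name.get(name, set()) - {t.ref}:
            results[t.ref].append("name_shared_with_rejected_request")
    return results

def rejected_names(batch, results):
    """Names from every flagged request, to carry into the next batch's screen."""
    return frozenset(t.beneficiary.casefold() for t in batch if results[t.ref])

# Constructed batches: the resubmission is well-formed but reuses earlier names.
MORNING = [
    Transfer("A1", "Example Trading Co", "", "institution"),
    Transfer("A2", "J. Doe", "", "individual"),
]
AFTERNOON = [
    Transfer("B1", "Example Trading Co", "Example Bank HK", "institution"),
    Transfer("B2", "J. Doe", "Example Bank HK", "individual"),
    Transfer("B3", "Example Sovereign Fund", "Example Bank NY", "institution"),
    Transfer("B4", "P. Roe", "Example Bank SG", "individual"),
    Transfer("B5", "P. Roe", "Example Bank PH", "institution"),
]

if __name__ == "__main__":
    second = screen(AFTERNOON, rejected_names(MORNING, screen(MORNING)))
    print({ref: "HOLD" if f else "release" for ref, f in second.items()})
```

Pass 1 alone clears B1 and B5 once the format is corrected; only carrying the morning's rejected names and correlating within the batch catches them.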
In a commercial environment, the Board of Directors would have fired lots of senior managers and had this under control in a couple of months. Congress is still trying to figure out what happened because they know HHS is lying to them.
King & Spalding write:
On May 25, 2016, the House Energy and Commerce Subcommittee on Health held a hearing to examine the Department of Health and Human Services’ (“HHS”) cybersecurity responsibilities. The hearing focused on legislation that would create a new office within HHS, the Office of the Chief Information Security Officer (“CISO”), consolidating information security within a single office at the agency.
The HHS Data Protection Act (H.R. 5068) was introduced by Representatives Billy Long (R-MO) and Doris Matsui (D-CA) on April 26. The legislation would implement one of the key recommendations of an August 2015 report issued by the Energy and Commerce Subcommittee on Oversight and Investigations. The report was the result of a year-long investigation focused on an October 2013 breach at the Food and Drug Administration (“FDA”), and was expanded to include information regarding security incidents at other HHS divisions. Among the findings in the report was that the current organizational structure was at least partially responsible for information security incidents throughout HHS.
Read more on JDSupra.
And speaking of HHS responsibilities, this blogger (still) can’t see where an HHS Office of Child Support Enforcement incident reported months ago has been added to HHS’s public breach tool. Was this reported for inclusion in the breach tool? If not, why not? Was it the case that HHS did a risk assessment and determined that it didn’t need to be reported? Even Congress appears to have had trouble getting some straight answers from HHS when they tried to investigate. One of their questions was why HHS didn’t notify Congress within the one week period required by FISMA and why it took two months for HHS to notify Congress. In response:
An HHS spokeswoman said Tuesday that the agency complied with legal reporting requirements and notified Congress within a week after it believed a major incident may have occurred.
Something my Computer Security students need to read.
9 reasons why your security awareness program sucks
(Related) Also something for my Architecture students. A department dedicated to looking at start-ups?
J.P. Morgan’s CIO on the bank’s security game plan
… Question: How does J.P. Morgan think about fintech?
Deasy: We are actively scanning most fintechs. We will evaluate a fintech and say we’re already building what they’re doing and what we’re building will be better. Or we’ll look at something that is being built and decide it’s a great partnering opportunity. And in some cases we may not only partner, we may become an investor.
This is the kind of nonsense that happens when they keep all their records on paper! And they seem to suggest they have to do this one staffer at a time?
State Dept. would need 75 years to compile Clinton emails
The State Department said it would take 75 years for the release of emails from top aides to Hillary Clinton while she was serving as secretary of State.
Lawyers said it would take that long to compile the 450,000 pages of records from former Clinton aides Cheryl Mills, Jacob Sullivan and Patrick Kennedy, according to a court filing from last week, which was first reported by CNN.
"Given the Department's current [Freedom of Information Act] (FOIA) workload and the complexity of these documents, it can process about 500 pages a month, meaning it would take approximately 16-and-2/3 years to complete the review of the Mills documents, 33-and-1/3 years to finish the review of the Sullivan documents, and 25 years to wrap up the review of the Kennedy documents -- or 75 years in total," the State Department said in the filing.
In March, the Republican National Committee (RNC) filed a pair of lawsuits requesting the release of emails and records from Clinton and her top aides during and after her time at the State Department.
All of my students have Office 365 through the University. This may be useful.
Microsoft Planner ready for showtime
Today marks the general availability of Microsoft Planner. Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide. This includes Office 365 Enterprise E1–E5, Business Essentials, Premium and Education subscription plans.
All users with eligible subscription plans will automatically see the Planner tile appear in the Office 365 app launcher when it is available for them to use. No specific action by Office 365 admins is needed.
The addition of Planner to the Office 365 lineup introduces a new and improved way for businesses, schools and organizations to structure teamwork easily and get more done. With Planner, teams can create new plans; organize, assign and collaborate on tasks; set due dates; update statuses and share files, while visual dashboards and email notifications keep everyone informed on progress.
“Alexa, grade these papers for me!”
How to Test Drive the Amazon Echo in a Browser
… If you don’t know anyone who owns an Echo, you can take Alexa for a spin by trying a new online demo of the service. At Echosim.io, you can use Alexa on the web — not a perfect emulation, but a pretty good copy of the virtual assistant.
Just sign in with your Amazon account and agree to let the site use your microphone, and you’ll be able to press and hold a button to chat with Alexa.