Jennie Trejo reports:
Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR), a full-service allergy clinic, found evidence of ransomware on its computer systems on May 16.
[…]
Kari Hershey, an attorney for
AAIR, said the disturbance was first noticed when they had trouble accessing a
few of the documents.
[…]
“They weren’t able to track
exactly what the hackers did, but what they did find was a draft of the ransom
letter on the system,” Hershey said. “The
way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”
Because the ransomware was still
in its early stages, there is no evidence that any of the information on the
system has been copied or used in any way, although it did pass through a
password protected firewall. Hershey
said they would expect to know if sensitive information was harvested by this
point in the investigation.
“Having said that, there was a breach of the system. Just out of an abundance of caution, we do
want people to sign up for an identity theft protection program. That way if they do have a problem they can
get help.”
Read more on the Post
Independent.
The incident was reported to HHS as affecting 6,851
patients.
For my Computer Security students – at least those who
drive to school.
Automotive cybersecurity; what we don't hack will probably be used to kill us
… Just imagine
your own car traveling at speed and having your ability to steer, alter speed,
and brake, taken away and then being ransomed to regain control.
Think this impossible? Last year, Wired
wrote about a couple of hackers remotely disabling a Chrysler Jeep
Cherokee while it was heading down a freeway at 70 miles per
hour.
… The
subsequent paper by Miller and Valasek, Remote Exploitation of an Unaltered Passenger Vehicle,
goes into even more detail on how the hack was engineered
… Should
you want to know more about automotive hacking, you might like to check out the
recently published The Car Hacker’s Handbook: A Guide for the
Penetration Tester by Craig Smith.
Together, a userid and password are intended to identify
an individual. Sharing them for any
reason defeats the purpose.
Court decision raises issues about sharing passwords
An appeals court has ruled that a former employee of a
company, whose computer access credentials were revoked, had acted “without
authorization” in violation of the Computer Fraud and Abuse Act, when he and
other former employees used the login credentials of a current employee to gain
access to data on the employer’s computers.
The opinion of the court is likely to be controversial as
it is expected to have implications on commonplace sharing of passwords by
husbands, co-workers and friends even for innocuous purposes.
One of the three judges, Stephen Reinhardt, dissented from
the majority opinion, stating that “people frequently share their passwords,
notwithstanding the fact that websites and employers have policies prohibiting
it.”
The CFAA in his view “does not make the millions of people
who engage in this ubiquitous, useful, and generally harmless conduct into
unwitting federal criminals.”
This could be useful.
Microsoft Proposes Independent Body to Attribute Cyber Attacks
Microsoft has published a paper that proposes a series of
recommended 'norms' of good industry behavior in cyberspace, and also a route
towards implementing and achieving those norms. Most of the norms are uncontentious and
self-evident - but one in particular (which is a form of 'responsible
disclosure') is less so. Furthermore,
the key feature in implementing these norms (the attribution of attacks to
attackers) is particularly troublesome.
From Articulation to Implementation: Enabling progress on cybersecurity norms
was developed by a team led by Scott Charney, Microsoft's
Corporate Vice President for Trustworthy Computing.
Something subtle for my Computer Security students to
ponder.
How social media is changing what can be said, when and where
… When Dave closes
a deal he takes the team out for beers, treats his family to a nice dinner out
and brags about it on his social media accounts.
… Amy, in your accounting department, has a different social media presence.
She blogs regularly on Tumblr and posts selfies on
Instagram while in pensive poses when problems overwhelm her.
Both Dave and Amy represent major risks for your company.
… Dave is a bit of a braggart and read his tweets with interest. When he tweets about beating his toughest
competitor in a sales presentation and landing a big contract, the investors buy.
Dave has given them insider information and doesn't even know it.
… Employees who
follow Amy's social media accounts sense that there's something wrong. They see her stress level increasing, note the
workload on her desk and worry about their own future. Productivity drops. Rumors start. Bad things happen.
… Both Dave and
Amy have innocently been doing what millions of people do every day - they have
been posting about their personal lives on their social media accounts. But what they haven't realized - and what may
affect your company - is that what they write, post or repeat on social media
can cause employee problems, productivity issues and even financial damage.
It's because your company doesn't have a social media
policy. In today's world you need to be
aware of, or perhaps even control, what is said on your employee's Facebook,
Twitter, Instagram or even Pinterest accounts.
Interesting, thoughtful and amusing.
Did The FBI End Clinton’s Email Problems Or Make Them Worse?
IT Architecture.
The future of company devices may be ‘as-a-Service’
… The ability to
deploy only assets as needed based on workload is a big one. This means a company has the ability to flex
up, adding devices as needed when its workforce grows. More importantly, however, is the ability to
flex down. The problem with the
traditional PC procurement model is companies that decrease the size of their
workforce due to seasonal changes, layoffs, or the like, have to deal with the
surplus of PCs (and sunk costs) that result. In a DaaS model, the provider takes back those
devices, potentially redeploying them with another client.
I wonder if it would recognize all the hand gestures I
learned back in New Jersey? If so, would
it try to run me down?
Google's robot cars recognize cyclists' hand signals — better than most cyclists