Friday, July 15, 2016
Robbing an ATM just got much more interesting!
Hackers steal millions from ATMs without using a card
Taiwan is trying to figure out how hackers managed to trick a network of bank ATMs into spitting out millions.
Police said several people wearing masks attacked dozens of ATMs operated by Taiwan's First Bank on Sunday. They spent a few minutes at each of the machines before making off with the equivalent of $2 million stashed in a backpack.
They didn't use bank cards but rather appeared to gain control of the machines with a "connected device," possibly a smartphone, the police said in a statement Thursday. Authorities are now hunting the thieves, who they say came from Russia and eastern Europe.
… Prosecutors said the machines were infected with three different malware files that instructed them to "spit out cash" and then deleted evidence of the crime. They described the case as the first of its kind in Taiwan.
If nothing else, this is a great “targeting” tool.
Maxthon Browser Sends Sensitive Data to China
Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors.
Developed by China-based Maxthon International, the browser is available for all major platforms in more than 50 languages. In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number.
While dat.txt is encrypted, experts easily found the key needed to decrypt it, giving them access to the information. Exatel researchers demonstrated how a man-in-the-middle (MitM) attacker could intercept the data as it travels from the client to the Maxthon server in China.
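The practical takeaway from the Fidelis/Exatel findings is that a telemetry upload with a fixed file name over plain HTTP is both an indicator you can match on and a confidentiality failure you can see from the proxy. The script below is an added example, not code from the article or from either research team: it walks constructed web-proxy log lines (the log format, hostnames and sample entries are invented for this example; only the file name ueipdata.zip and the use of plain HTTP come from the article), flags uploads of that file, and records whether each went over cleartext HTTP, where a man-in-the-middle could read it.

```python
"""Flag browser telemetry uploads in web-proxy logs.

Added example, not from the original article or from Fidelis/Exatel.
The only facts taken from the article: the file is named ueipdata.zip
and it travels over plain HTTP. The log format, hostnames and sample
lines below are constructed for this example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath

# Constructed sample log, one request per line:
# "<timestamp> <client-ip> <method> <url> <request-body-bytes>"
SAMPLE_LOG = """\
2016-07-14T10:01:12Z 10.0.0.12 POST http://telemetry.example.invalid/upload/ueipdata.zip 48211
2016-07-14T10:02:03Z 10.0.0.12 GET https://www.example.com/ 0
2016-07-14T10:03:44Z 10.0.0.20 POST https://sync.example.net/ueipdata.zip 2048
2016-07-14T10:04:10Z 10.0.0.31 PUT http://telemetry.example.invalid/ueipdata.zip 47990
2016-07-14T10:05:00Z 10.0.0.31 GET http://telemetry.example.invalid/ueipdata.zip 0
"""

# Only requests that carry a body count as uploads.
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    cleartext: bool  # True when the upload used http://, so a MitM can read the body
    size: int        # request-body bytes as recorded by the proxy


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, size = line.split()
    return ts, client, method, url, int(size)


def find_uploads(log_text, filename="ueipdata.zip"):
    """Return a Finding for every upload whose URL path ends in `filename`."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, size = parse_line(line)
        if method not in UPLOAD_METHODS:
            continue
        parts = urlsplit(url)
        if posixpath.basename(parts.path) != filename:
            continue
        findings.append(Finding(client, parts.hostname, parts.scheme == "http", size))
    return findings


def hosts_to_block(findings):
    """Hosts that received the file over cleartext: candidates for a proxy deny rule."""
    return sorted({f.host for f in findings if f.cleartext})


if __name__ == "__main__":
    results = find_uploads(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("block at proxy:", hosts_to_block(results))
```

Matching on the file name alone would also catch the HTTPS upload from 10.0.0.20, which is still a privacy concern but not something a network observer can read; the `cleartext` flag keeps the two cases apart so the response (block the host, or just inventory which machines run the browser) can differ.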
Should you expect to be hacked? At least create a way for someone to let you know when it happens.
Shortly after the hack of MuslimMatch.com, Shadi.com, another dating site, was hacked around July 10th, 2016. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data.
This data set contains 2,035,020 records. Each record contains an email address and one password. Passwords were stored with no hashing or encryption (plaintext).
Read more on LeakedSource.
I searched Shadi.com for some message to its members. Finding none – and also finding no way to contact them about a security breach, I used their customer support ticket system to send them a notification and an inquiry. If I get a response, this post will be updated.
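Two million e-mail/password pairs in plaintext is the worst case for users, since every pair is immediately reusable against other sites. The code below is an added example, not Shadi.com's or LeakedSource's, using only the Python standard library: it stores each password as a salted scrypt hash in a storage-string format of my own, verifies a login attempt in constant time, and includes a small audit that lists records whose password field is not in that format, which is how a plaintext column like the one LeakedSource describes would surface in a review. The sample records are constructed.

```python
"""Store passwords as salted scrypt hashes instead of plaintext.

Added example, not code from Shadi.com or LeakedSource. Standard library
only; the "scrypt$N$r$p$salt$digest" storage format is this example's
own convention, not a standard.
"""
import hashlib
import hmac
import os

# scrypt work factors: 128 * N * r bytes of memory per hash (16 MiB here).
# Raise N as hardware allows; these are the parameters this example assumes.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing storage string for `password` with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """True if `password` matches `stored`; any malformed record fails closed."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(
            password.encode("utf-8"),
            salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        # wrong field count, bad hex, or unacceptable scrypt parameters
        return False
    # constant-time comparison so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(digest, expected)


def audit_plaintext(records):
    """Return the e-mail of every (email, password_field) record not stored as a scrypt string."""
    flagged = []
    for email, stored in records:
        parts = stored.split("$")
        if len(parts) != 6 or parts[0] != "scrypt":
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    # Constructed records: one migrated to scrypt, one still plaintext.
    users = [
        ("alice@example.com", hash_password("correct horse battery staple")),
        ("bob@example.com", "hunter2"),
    ]
    print("login ok:", verify_password("correct horse battery staple", users[0][1]))
    print("plaintext records:", audit_plaintext(users))
```

Because the parameters are stored with each hash, the work factor can be raised later and old records re-hashed at the user's next successful login, without a flag day.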
Should you expect your data to be kidnapped and held for ransom?
I hate it when I tweet something but forget to post it. In today’s installment of “Smacking Myself in the Forehead,” I remember to tell readers that HHS has issued a new guidance on ransomware and HIPAA.
A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data. However, there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack. This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
You can find the guidance here (pdf).
A few points of note about the guidance:
While the question as to whether an incident is a reportable incident under HIPAA is fact-specific (see below), a ransomware incident is, undoubtedly, a security incident under HIPAA:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6).
But do you need to report it under HIPAA? From the guidance:
A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Although this guidance does not address the question of whether HHS recommends paying any ransom, a previous interagency technical guidance does address this question:
There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:
· Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
· Some victims who paid the demand have reported being targeted again by cyber actors.
· After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
· Paying could inadvertently encourage this criminal business model.
Those are all valid points and concerns, as I acknowledged in another post this morning as to whether entities should pay ransom demands. But there’s a difference between your operations being affected and patient data being sold, so each case – and the consequences – need to be carefully considered.
Should we believe the politicians?
State health employees fired after giving data to lawmakers
HELENA, Mont. (AP) — Montana health officials fired two state employees for turning over personal information, including Social Security numbers, of scores of childcare providers to three state legislators, according to documents and interviews with people involved in the terminations.
… Hansen is contesting his firing through his union, he told the AP. He declined to answer questions about the data other than to say he turned it over after the legislators requested it from him.
Chris Gallus, an attorney for Burnett, R-Bozeman, disputed Hansen's account.
"He provided information that we did not request from him, and (the information) had already been disposed of before the department made any inquiry," Gallus said.
… Webb, R-Billings, said he told Opper in a phone call that the claims in Opper's letter were unfounded, but would not say whether he received information from the former state employee.
"I've got lots of information that is not public record from the department," Webb said. He declined to elaborate.
We were just waiting for the interest levels to go down.
John Ribeiro reports:
A Federal Aviation Administration reauthorization bill that was passed by the Senate on Wednesday excludes key privacy provisions, including a requirement that commercial and government users of drones disclose whether they collect personally identifiable information.
The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, next goes to President Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives.
Read more on Computerworld.
All (100%) of my students have SmartPhones.
When it comes to privacy controls, we may now have too much of a good thing. Smartphone owners must now make more than 100 privacy decisions about how much data their apps can share on Apple’s iOS and Google’s Android operating systems. That number will only climb as privacy settings affect more of our devices and software.
Tired of waiting for the tech giants to fix the problem, Norman Sadeh’s team at Carnegie Mellon University developed a personal privacy assistant app powered by machine learning. The app learns your preferences by asking a few key questions about privacy, and a machine learning algorithm uses this data to group users into distinct profiles. The app can then make recommendations and give users a single dashboard to manage their data and privacy settings.
Read more on Quartz.
The Economist – The data of the dark web
by Sabrina I. Pacifici on Jul 14, 2016
The data of the dark web, Jul 14th 2016, by The Data Team
“SINCE the launch of the Silk Road five years ago, dark-web markets have represented a shadowy and much-maligned corner of the internet. And the secretive nature of such sites makes them difficult to study. But last year a researcher using the pseudonym Gwern Branwen cast some light on them. Roughly once a week between December 2013 and July 2015, programmes he had written crawled 90-odd cryptomarkets, archiving a snapshot of each page. The Economist has extracted data from the resulting 1.5 terabytes of information for around 360,000 sales on Agora, Evolution and Silk Road 2. There are, inevitably, flaws in the data. Mr Branwen’s scrapes probably missed some deals….”
[From the article:
In total the deals were worth around $50m. Of those MDMA (ecstasy) sold the most by value while marijuana was the most popular single product, with around 38,000 sales. Legal drugs such as oxycodone and diazepam (Valium) were also popular. A third of sales did not belong in any of our categories: these included drug kit such as bongs, and drugs described in ways that buyers presumably understood, but we did not (Barney’s Farm; Pink Panther; Gorilla Glue).
Read our full analysis of dark-web markets, the price of online drugs and how competition is changing the narcotics industry here.
Why this blogger blogs. Sounds very familiar to me.
Don’t ask me why I agreed. Maybe they caught me on an off-day. Maybe I thought it would give me a chance to reflect on where this site has been. I don’t know, as I usually avoid interviews. But I agreed to do an interview with John Norris of vpnMentor.com and you can read it all here.
My international students didn’t understand the argument.
Microsoft wins landmark appeal over seizure of foreign emails
A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
The 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan is a defeat for the U.S. Department of Justice and a victory for privacy advocates and for technology companies offering cloud computing and other services around the world.
Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law.
… Thursday's decision reversed a July 2014 ruling by then-Chief Judge Loretta Preska of U.S. district court in Manhattan requiring Microsoft to turn over the emails. It also voided a contempt finding against the company.
… The case is In re: Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, 2nd U.S. Circuit Court of Appeals, No. 14-2985.
Why Microsoft's Victory in Irish Email Case Matters
… It is an important ruling with major implications for international relations -- especially between the U.S. and Europe. It will make U.S. business conformance with the General Data Protection Regulation (GDPR) simpler, and make the Privacy Shield stronger.
… The court's decision does not mean that the government will never be able to obtain the information it seeks. The most likely outcome is that it will be forced to use the route it originally rejected as too slow and cumbersome: the use of a Mutual Legal Aid Treaty (MLAT) that will ensure judicial overview of the process.
(Related) On the other hand…
If you read the European Commission’s announcement on the EU-US Privacy Shield (summary here), you may have come away with a more positive impression of its protections than is actually warranted.
Here’s one of the critiques that have appeared in the past few days. Klint Finley reports:
Companies like Facebook and Google can continue transferring data from the European Union to their servers in the US under a new deal between the two governments that privacy advocates still say isn’t good enough.
Under the Privacy Shield, US companies will be able to “self-certify” that they follow the privacy principles outlined in the framework. The agreement establishes an “ombudsperson” in the US State Department who will address privacy-related questions and complaints from people in the EU.
Privacy advocates say those protections are inadequate and want to see the Privacy Shield quashed. The ombudsperson will have limited power to fix problems and won’t be all that independent since that person will report to the Secretary of State, argues Privacy International.
Read more on Wired.
A game going viral. Accessing everything on your phone. People walking into traffic. What’s next?
All around the world, authorities are worrying about Pokemon Go
… parallel to the near-global obsession have been the concerns of, well, grown-ups around the world worried about the app's effects. These include security flaws posed by the app itself, as well as myriad cases of robbers and other assailants exploiting the game's mechanics to lure unsuspecting victims.
Then, there's the simple issue of propriety. In Washington, the Holocaust Museum and Arlington National Cemetery have been compelled to put out stern notices, requesting visitors to refrain from chasing around Pokemon while on the premises.
… Police in the Belgian port city of Antwerp, for example, issued a warning about the potential dangers of pedestrians playing the game.
"Players will only have eyes for their screen, and so captivated will they be by the game that they may no longer be paying attention to the traffic,” the police said. They also warned of "criminals using the game as a means to hunt down victims and steal from them."
In some corners of the Muslim world, the reaction to the game took on a particular moral valence. Earlier this week, my colleague Sudarsan Raghavan blogged about the 2001 fatwa against the original Pokemon game, issued by an Egyptian cleric, who said the game taught children gambling through the use of "Masonic and Zionist symbols." But now, the deputy chief of Cairo's Al-Azhar, the most important scholarly institution of Sunni Islam, has declared Pokemon Go to be as illicit as alcohol.
(Related) Wait until the ads start attracting players. Ronald McPoke?
Pokémon Gamers Could Soon be Flocking to McDonald's
… “There is a second component to our business model at Niantic, which is this concept of sponsored locations,” John Hanke, Chief Executive of Niantic, the development team of Pokémon Go, told the Financial Times.
This component would draw Pokémon Go players to sponsored locations by making them gyms or Pokéstops -- and it looks as if that component is already in the works.
A 13-year-old student in Sydney, Australia, Manmeet Gill, decompiled the Android version of Pokémon Go and found a string that he believes indicates a sponsorship with McDonald's. The string hasn’t been activated for players yet.
“I found the string as I was scrolling through the metadata of the game,” Gill says. “It alludes to the McDonald’s stores being some kind of Pokémon store. It also says that it is a sponsorship.”
(Related) Just because…
The 5 Most Ridiculous Pokémon Go Stories of the Week
For my Data Management and IT Architecture students.
Gallup – Successful Predictive Analytics Demand a Data-Driven Workplace
by Sabrina I. Pacifici on Jul 14, 2016
David Leonard and Bailey Nelson – Successful Predictive Analytics Demand a Data-Driven Workplace, July 14, 2016.
“The data movement is growing exponentially, not only regarding the sheer quantity of data but also in the ways companies use data for strategic decision-making. International Data Corporation estimates that global data doubles in size every two years and that by 2020, it will reach over 44 trillion gigabytes — increasing tenfold from 2013. In tandem with the data explosion, a growing digital economy and advances in data science dramatically amplify the analytic value of big data. As a result, companies can better connect data for greater predictive power and high-impact insights. Business use of predictive analytics is on the rise because many companies recognize the competitive advantage that data and analytics can offer to their decision-making. According to one estimate, companies in the top third of their industry for data-driven decision-making are 5% more productive and 6% more profitable than their competitors. Predictive analytics enable leaders to make radical discoveries about their companies and dissect and solve complex business problems, thereby enabling better business strategies and performance….”
(Related) Again both classes should read this article!
7 Questions to Ask Before Your Next Digital Transformation
For my IT Architecture students. What kind of infrastructure allows you to run on any device, securely?
masterpass Aims To Take Commerce Anywhere
“Consumer expectations are changing, and they’re getting higher. Consumers don’t think about technology as technology; it just is,” said mastercard Chief Innovation Officer Garry Lyons at the unveiling of mastercard’s new digital payments strategy yesterday (July 14). That strategy is one designed to enable commerce anywhere that a consumer and a connected device happen to be. And one that leverages mastercard’s global acceptance network to power issuer-branded digital payments credentials anywhere buyers and sellers want to do business, including the “yet-to-be-imagined” connected devices that sit on the edge of that network.
My Computer Security students must decrypt the instructions for their encryption project. I’ll add this article just to amuse them.
Don’t Believe These 5 Myths About Encryption!
For my gaming students. Perhaps we could host a game creation contest?
How to Make a Video Game in a Week Using Buildbox
Buildbox is an all-in-one game-making tool and asset package that is designed to be user-friendly, even for people with no coding experience whatsoever. With it, games can be conceptualized, designed, and built in a matter of days or even hours.
I still want my students to create their own textbook. One of these looks like a viable tool!
Three Good Options for Creating eBooks in Your Web Browser
Creating a multimedia ebook can be a great way for students to showcase examples of their best work. Writing a multimedia ebook can also be a nice way for students to illustrate and or further explain portions of fiction and non-fiction stories that they compose. The following three platforms make it possible for students to create and publish multimedia ebooks in their web browsers.
Widbook is a platform designed to help people collaboratively create multimedia books. The service is part multimedia book authoring tool and part social network.