Exclusive: SWIFT discloses more cyber thefts, pressures banks on security
SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank.
In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank.
"Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay." [Are they saying they can’t prevent these attacks? Bob]
The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers.
… All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter.
… (For a graphic [Video, actually. Bob] on how hackers made off with millions, click tmsnrt.rs/29WrMai)
(Related)
http://www.bespacific.com/collapsew3c-workshop-report-blockchains-and-the-web/
W3C Workshop Report: Blockchains and the Web
by Sabrina I. Pacifici on Aug 30, 2016
On August 26, 2016, “W3C published the report of the W3C Blockchains and the Web workshop held on 29-30 June, 2016, in Cambridge, Massachusetts, USA. Participants at the workshop found many topics for possible standardization or incubation, including various aspects of identity and proof-of-existence, as well as smaller blockchain primitives that could increase interoperability across different distributed ledgers... The organizers strove to have representation by different classes of stakeholders within the larger blockchain community, loosely organized around technology stacks and applications. The technology stacks include Bitcoin, Ethereum, Hyperledger, and others. Applications include identity and asset management, smart contracts, and infrastructure around a decentralized Web (IPFS). The workshop was deliberately aimed at non-payment uses for blockchains, since W3C already has an existing Web Payments activity where payments-related technology is discussed…”
This is a new way to profit from security problems, so I want to find out what actually happened. This does not seem to be a final resolution. Who should step in? The SEC might find this questionable, for example.
Study finds flaws in criticism of St. Jude cyber security
University of Michigan researchers on Tuesday said their own experiments undermine recent allegations of security flaws in St. Jude Medical Inc's pacemakers and other implantable medical devices.
Shares of St. Jude fell 5 percent on Thursday after short-selling firm Muddy Waters and its business partner, cyber security company MedSec Holdings Inc, alleged finding significant security bugs in the company's Merlin@home device for monitoring implanted heart devices. They said the flaws could potentially enable others to remotely speed up the heart devices or drain their power.
The university said its researchers came "to strikingly different conclusions" after generating the conditions reported by Muddy Waters.
… "We're not saying the (Muddy Waters) report is false; we're saying it's inconclusive because the evidence does not support their conclusions," said Kevin Fu, University of Michigan associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
… Muddy Waters issued a statement saying the firm was not surprised that the result of the research was inconclusive.
"We deliberately did not publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the play book to potential attackers," the statement said. "If anything, this proves that we were responsible with our disclosure."
Smack! Take that, FBI!
Chris Bing reports:
FBI Director James Comey wants to see private businesses report data breach incidents and other detected cyber intrusions directly to the Bureau more than they are already doing so.
[…]
The FBI director explained that the Bureau’s strategy to increase cooperation will center on four missions: partner outreach and education, establishing trusted relationships, working to minimize the disruption felt by both a company’s employees and customers, and keeping all investigations private by securely holding and not disclosing internal enterprise data publicly.
Read more on FedScoop.
Pardon me while I spit.
What kind of “partnership” is it, Mr. Comey, if when the FBI is notified of a hack, it refuses to reach out to alert the hacked entity? If FBI field offices take the position that their role is to take in information, but that they do not alert entities of breaches that they learn about, why should anyone inform the FBI of cybercrimes they learn about?
Don’t know what I’m talking about, Mr. Comey? Get the phone recordings from your Baltimore field office from last night. It will become quite clear.
By lawyers, for lawyers?
Remember the lawsuit against Yahoo! for scanning non-users’ emails for advertising purposes? David Kravets writes:
Days ago, a Silicon Valley federal judge signed off (PDF) on a settlement (PDF).
The lawyers won, they were awarded $4 million (£3 million), and the public got nothing. What’s more, the settlement allows Yahoo to continue to scan e-mails without non-Yahoo users’ consent. (Yahoo Mail customers have granted consent to the scanning as a condition of using the service.) The major change the lawsuit produced was that Yahoo is agreeing to scan the e-mail while it’s at rest on its servers instead of while the mail is in transit. This, according to the settlement, satisfies the California Invasion of Privacy Act (CIPA) claims. The deal spells out that Yahoo only has to do this for three years, but Yahoo said it would continue with the new scanning protocol after the three years expire.
Read more on Ars Technica.
After encrypting any data that you want to keep secure, create a text file that says: “As promised, here is the gibberish created by my new “random number and text” generator. Please keep this confidential as you analyze it for true randomness.” Append your encrypted file, then re-encrypt the whole thing. If you are required to decrypt, you can do so immediately and “prove” you have nothing to hide.
Orin Kerr writes:
Back in June, I blogged at length about a pending Third Circuit case that considers the Fifth Amendment limits on ordering a suspect to decrypt his hard drives. The court recently announced that it will hear oral argument in the case on Sept. 7 before Judges Jordan, Vanaskie and Nygaard.
Read more on The Volokh Conspiracy.
For both Computer Security and Disaster Recovery.
Data Breach Aftermath and Recovery for Individuals and Institutions
by Sabrina I. Pacifici on Aug 30, 2016
Anne Johnson and Lynette I. Millett, Rapporteurs; Forum on Cyber Resilience Workshop Series; National Academies of Sciences, Engineering, and Medicine: “In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach. Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches. This publication summarizes the presentations and discussions from the workshop.”
An interesting collection of Data Science links, if nothing else…
Get started in data science: 5 steps you can take online for free
(Related) Even more…
A Gentle Intro to Data Science with 5 Udemy Courses
Something the Criminal Justice students can use?
How Private Investigators Use the Internet to Track You
Purr-spective? Check the date on this article. It isn’t April 1st. This is real?
Acer is going all in on pets, whose population is growing faster than humans’
At a conference today in Berlin before the consumer trade show IFA, Acer CEO Jason Chen announced that his company had identified “petware” or “petwear” (could be either, I guess) as a $20 billion market opportunity for the Taiwanese computing company.
“We all know that the pet population is growing,” Chen said. “The global pet population is growing so rapidly, in the U.S., the pet numbers are 2X the baby numbers.”
To address this market, Chen said Acer had acquired crowdfunded Pawbo to launch a new hub of connected pet products. He did not say how much Acer paid.
If there is a way to tweak the system, Kim Dotcom will find it.
Kim Dotcom's extradition hearing live stream makes legal history but no drama
The live streaming of Kim Dotcom’s extradition hearing in a New Zealand high court kicked off on Wednesday with warped pictures, delayed audio and dwindling viewership as the day wore on.
Megaupload founder Dotcom is fighting an extradition order to the United States, where he is wanted on online piracy charges.
On Tuesday, his lawyers were granted permission to live stream the court proceedings on YouTube, on the condition that it would be deleted at the conclusion of the case (estimated to be in six to eight weeks’ time) and that the video would air after a 20-minute delay in case any evidence was suppressed. Comments on the live stream have also been disabled.
Dotcom’s court case is the first in New Zealand ever to be live streamed.
Interesting that Congress had this research done.
CRS – How Can the Results of a Presidential Election Be Contested?
by Sabrina I. Pacifici on Aug 30, 2016
CRS Reports & Analysis Legal Sidebar – How Can the Results of a Presidential Election Be Contested?, August 26, 2016.
“In the midst of the presidential campaign season, the possibility of election fraud has been raised. This discussion briefly examines how the results of a presidential election may be contested. Although it has national impact, the presidential election is in essence 50 state and District of Columbia elections for presidential electors, held on the same day throughout the country. Therefore—and consistent with the states’ traditional authority over the administration of elections within their jurisdictions—states have the initial responsibility for resolving challenges, recounts, and contests to the results of a presidential election. Specifically, the Electoral Count Act of 1887, as amended, contemplates that contests and challenges to the vote for presidential electors are to be initially handled in the states. Codified in part at 3 U.S.C. § 5, the law provides that if a contest or challenge in a state to the election or appointment of presidential electors is resolved in that state before the sixth day prior to the meeting of the electors, such determination shall be “conclusive” and shall “govern” when Congress counts the electoral votes as directed by the Twelfth Amendment. The Supreme Court has referred to this as the “safe harbor” provision. This year, the presidential electors are scheduled to meet on December 19. Six days prior is December 13, which therefore, will be the last day for the states to make a final determination in order for it to be conclusive when Congress counts the votes…”
Amusement?
Washington Post publishes searchable document archive for new book on Trump
by Sabrina I. Pacifici on Aug 30, 2016
Via WaPo – “Trump Revealed, a biography of the Republican presidential nominee published August 23 [2016] by Scribner….The archive is searchable and navigable in a number of ways. It is meant as a resource for other journalists and a trove to explore for our many readers fascinated by original documents.”
Back to school time is App list time.
60 Awesome iPhone & iPad Apps for Students Heading Back to School
Even cheaper than a used book sale!
6000+ Children's Books Available for Free
The University of Florida's Digital Collections offers a huge library of digitized children's books. Thanks to Open Culture I discovered this collection this afternoon and immediately started to browse through it. The books that you will find in the collection consist of works that are in the public domain. You can search for books according to topic, language, publisher, genre, and publication date.
All of the children's books in the collection can be read online. Reading the books online could be a bit difficult for some as there is a border with menus surrounding each page of the books. To avoid that, you can print all of the books for free. The printed version does not display anything but the book as it was scanned.
… The children's books available through the UFDC aren't books that your students or their parents are likely to see on bookstore shelves. The value of this collection is that it could introduce parents and students to books that they might enjoy reading together and wouldn't have otherwise found.
Does this sum up communications in the digital age, or merely TL;DR?