Monday, January 16, 2017

Interesting that a process to detect bogus SWIFT documents was not implemented immediately after the Bangladesh incident.
Sugata Ghosh & Sangita Mehta report:
Indian banks are waking up to a new kind of cyber attack.  Hackers recently infiltrated the systems of three government-owned banks - two headquartered in Mumbai and one in Kolkata - to create fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items.
The banks in question discovered that their SWIFT systems - the global financial messaging service banks use to move millions of dollars and documents across borders every day - have been compromised to create fake documents.
Read more on ET Tech.
From the article:
“It's possible that some banks may not be aware that an outsider has crawled into the system.  Since there is no immediate loss of money, a bank may take a long time to sense that its SWIFT system has been hacked and misused,” said a cyber security professional.
Since June 2016, SWIFT systems of four Indian banks have been targeted.  In the first case (involving another Mumbai-based public sector bank), the bank had a narrow escape after a large American bank to which hackers had tried to transfer funds suspected that something was amiss.
If the hackers had their way, the local lender would have lost $150 million - about twice the size of the hit taken by the Bangladesh central bank whose chief stepped down after the cyber heist a year ago.

(Related).  And timely!  For my Governance students. 
When an organization fails because of executive malfeasance, it generates a lot of attention.  But such situations are actually relatively rare.  It’s much more common, though less talked about, for organizations to fail because of ungoverned incompetence.  That is, someone does the wrong thing while trying to do the right thing, and organizational systems fail to catch it and contain it.


For the Computer Security part of my Data Management class.  How do you secure your data against rogue employees?
Jessica Sier reports:
Online fashion house Showpo is suing one of its former graphic designers and fledgling online retailer Black Swallow for reputational damage and loss of sales alleging the woman stole the entire customer database and passed it on to her new employer.
In documents filed with the Federal Court, Showpo claims 24-year-old Melissa Aroutunian exported its 306,000-strong customer database before she left the company in September last year and passed it on to Black Swallow, which it claims then used the list to market itself as an affiliate of Showpo, using similar branding.
Read more on The Age.


The solution is simple: turn your hand around and lower the index finger.
It seems that now we can’t even make a non-obscene gesture like flashing the “peace” sign without risk of having our biometric information surveilled and captured.
Phys.org reports:
Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets and laptop computers.
But the proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said.
The NII researchers were able to copy fingerprints based on photos taken by a digital camera three metres (nine feet) away from the subject.
Read more on Phys.org.


I think we’re doing much the same thing with our Computer Science and IT classes.
Law School Case Study: UC-Hastings’ Startup Legal Garage
by Sabrina I. Pacifici on Jan 15, 2017
“In Thomson Reuters’ examination of methods that modern law schools can use to help enable their students to become more “practice ready,” we identified four law schools already integrating practice-ready skills into their curriculums.  In the following series of case studies, we explore how those schools are shaping law students and law firms.”


Speaking of law firms and security…  (We’ll ignore Hillary Clinton for the moment.) 
A New Focus on Law Firm Cybersecurity
by Sabrina I. Pacifici on Jan 15, 2017
“Law firms have long held a hallowed position in the corporate world, as the preeminent keeper of confidences.  But the frequency with which law firms are falling victim to data breaches and hacks should leave clients questioning their firm’s data security.  Due to their trusted position in the business world, law firms have become a prime target for cyber criminals, and without adequate data security confidential client information can fall into the hands of a wide variety of bad actors. 
Consider the following hypothetical about a top global firm.  It has attorneys working with companies and individuals in virtually every industry in the world.  These attorneys are privy to a wide variety of highly sensitive and confidential financial information — information that would be of great value to cyber-criminals.  A senior mergers and acquisitions partner chose to use his smartphone for both work and personal use.  As a senior partner, no one was willing to require the need to segregate data and users.  The senior partner regularly let his son use the smartphone to surf the Internet and download games.  One day, the son downloads a game which has malware code attached to it.  The malware infiltrated the firm’s email server.  This silent intrusion allowed a cyber-criminal to monitor all emails in the senior partner’s practice group.  The cyber-criminal was able to access confidential financial information, which allowed him to engage in insider trading, making millions of dollars off of the information, and causing serious harm to the firm’s client by driving up the price of the stock.  While the above hypothetical may seem like a doomsday scenario, it can happen, as revealed in a recent indictment in the Southern District of New York.  The indictment alleged that three criminals gained access to a top law firm’s email server through undisclosed means.  On multiple occasions, these criminals were able to gain confidential inside information about pending M&A deals.  The criminals were then able to trade on that information, making more than $4 million before being caught.  The criminals were charged with insider trading, wire fraud, and violations of the Computer Fraud and Abuse Act.  While the facts are little known for how the criminals in the above case broke into the firm’s mail servers, it’s likely that the criminals exploited a lawyer with access to the email server — a much easier pathway — rather than attacking the system directly.”


Tools and Techniques for my Computer Forensics students. 
Cartapping: How Feds Have Spied On Connected Cars For 15 Years
The rapid spread of connected devices that can listen and locate has been a boon for law enforcement.  Any new technology hooked up to the web has the potential to become a surveillance device, even if its original purpose was benign, as shown in a 2016 Arkansas murder investigation where Amazon was asked to hand over audio from a suspect's Echo.
But such information and much more, I've learned, has long been retrievable from cars.  Indeed, court documents reveal a 15-year history of what's been dubbed "cartapping," where almost real-time audio and location data can be retrieved when cops order vehicle tech providers to hand it over.


We’re not talking Computer Security here, we’re talking Marketing.
How to make sure the future connected car is secure
Often dubbed a “data center on wheels,” the connected car is one of the fastest-growing markets in the ecosystem that makes up the Internet of Things (IoT).  The convergence of IoT and in-vehicle technologies, like remote diagnostics, on-board GPS, collision avoidance systems, and 4G LTE Wi-Fi hotspots, has paved the road for new and exciting opportunities in this industry.  In fact, the connected car market is expected to reach $155 billion by 2022, while 75 percent of the estimated 92 million cars shipped globally in 2020 will be built with internet connectivity.
As the market grows, the biggest opportunity for profit comes from the ongoing services that can be offered and the ongoing revenue that subscriptions to these services can create.  Although this is where the value lies, many consumers who purchase connected cars have been hesitant to “turn on” their connected services.  Recent statistics tell the story.  A 2016 Spireon survey showed that consumers are interested in connected cars (especially those with safety features), but 54 percent said they have not actually used connected car features.


My students reached the same conclusion.
How Electric Vehicles Could End Car Ownership as We Know It
   in the past few years, with the convergence of better battery technology, lighter materials and smaller, more powerful electric motors, entirely new kinds of transportation have bloomed.  The electric powertrain, unlike that of the internal combustion engine, scales smoothly from tiny to huge, powering everything from 10-pound electric skateboards to 20-ton electric buses.
This Cambrian explosion of new vehicles enables two other revolutions: self-driving technology, and the shift from vehicle ownership to transportation as a service.


Best Practices often come from a careful examination of Bad Practices.
DOJ Announces Findings of Investigation into Chicago Police Department
by Sabrina I. Pacifici on Jan 15, 2017
“The Justice Department announced…that it has found reasonable cause to believe that the Chicago Police Department (CPD) engages in a pattern or practice of using force, including deadly force, in violation of the Fourth Amendment of the Constitution.  The department found that CPD officers’ practices unnecessarily endanger themselves and result in unnecessary and avoidable uses of force.  The pattern or practice results from systemic deficiencies in training and accountability, including the failure to train officers in de-escalation and the failure to conduct meaningful investigations of uses of force.  The city of Chicago and the Justice Department have signed an agreement in principle to work together, with community input, to create a federal court-enforceable consent decree addressing the deficiencies found during the investigation.”


Interesting because Judge Lamberth has been known to point out ‘bad lawyering’ in rather scathing language.  I can’t wait!
