Tuesday, April 25, 2017

Someday, management will begin to understand that encryption is relatively cheap. 
A recent HHS settlement that included a relatively small monetary penalty, $31,000, didn’t seem to get a lot of media attention.  Maybe today’s announced settlement stemming from a laptop theft that resulted in a steep monetary penalty will get attention?  From HHS:
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.  This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home.  The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.  Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.  Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director.  “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.  This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet
More than five years from report of the theft to HHS settlement?  It would be great if HHS had the resources to investigate and pursue more cases in a way that resolves them more quickly.

My students would never do this.  I’m almost positive.  
The University of Professional Studies, Accra (UPSA) has sacked 22 of its students who hacked into the school’s computer system to manipulate their results.
A notice of dismissal from the university said it took the decision after meeting on the issue at an emergency meeting on Wednesday, 15th February, 2017 by the Academic Board.
The affected students are to leave with school campus with immediate effect.
Source: Ghana/ClassFMonline.com/91.3FM.  Although the students were dismissed for hacking, other coverage suggests that there was one hacker, hired and paid by the other students.
Unlike the U.S., where FERPA might prevent disclosure of some of the details, there’s apparently less such prohibition in Ghana, as The Citizen’s Ghana published the names and pictures of some of the 22.

Does Russia really prefer Le Pen, the Trump-like candidate?  
French Presidential Candidate Targeted by Russia-Linked Hackers
A notorious cyber espionage group linked to the Russian government has targeted the political party of French presidential candidate Emmanuel Macron, according to a report published on Tuesday by Trend Micro.
   Macron’s campaign has confirmed for The Wall Street Journal that staffers received phishing emails, but claimed the hacking attempts had failed.  The National Cybersecurity Agency of France (ANSSI) also confirmed the attacks, but refused to comment on their origin, Reuters reported.
   According to Trend Micro, the En Marche phishing site was set up in mid-March.  The security firm also discovered a phishing domain apparently set up to target the Konrad-Adenauer-Stiftung (KAS) political foundation in Germany.  The KAS phishing site, named kassap.de, was created in early April.

For my Computer Security students.  It’s not always preparation for Cyber War.  Sometimes it’s just about the money.  (Ignore the specifics, concentrate on the strategy.)
China's hand caught in the cookie jar
China’s hand in the cookie jar?  Nation state or corporate espionage?  Some themes change and others stay the same, this theme continues to morph as the China, its state-owned enterprises and conglomerates with ties to the government continue to vacuum up global technologies.
Why?  Obtaining the fruits of the labors of other’s research and development via subterfuge and skullduggery is much more cost efficient than conducting principal research directly
   Those who have poo-pooed the efficacy of security awareness programs, should take heed.
Siemens did not detect the theft of the intellectual property via sophisticated data loss prevention technologies.  They may have used those technologies to verify the employee’s activities, but it was one employee noting something was not quite right and reporting it in an appropriate and actionable manner.  Self-policing at its best.
If an employee does not exceed their professional brief, that is their normal and natural access necessary to conduct their duties, it is near impossible to detect their having broken trust with their employer, except through their non-technical behavior, which is observable by colleagues.

How valuable would this data be?
I started covering Aadhaar years ago on PogoWasRight.org as a data protection mega-disaster waiting to happen.  Those early posts are no longer available online, but I’ve continued to watch for news on its implementation and concerns.  And while India’s government keeps reiterating that everything is secure and fine, I keep seeing breach/leak reports.  So I was pleased to see that Nikhil Pahwa has compiled a list of Aadhaar leaks.
I realize that when we’re talking about a database with more than 1 BILLION individuals’ records, small leaks – even 1 million – may seem like a drop in the bucket, but I still fear it’s only a matter of time before we read about a breach that will dwarf the headline-grabbing Yahoo! breach.

An interesting thought. 
The Threat to Critical Infrastructure - Growing Right Beneath Our Eyes
Nation-States do Not Fear Reprisal and are Likely to use ICS Artacks as a Component of Geo-Political Conflict
   The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against critical infrastructure have now been crossed numerous times, and we can safely assume they will be again. 
The notion of cold-war era “Mutually Assured Destruction” as a deterrent force has dimmed and nation-states, jihadists and even cyber-criminals have taken notice.
   Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict.  Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game.  And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS.

Trade in your Smartphone for an Artificially Intelligent phone? 
If this continues, one day my husband will be considered far-sighted for refusing to give up his little old flip phone.
Bernie Suarez writes:
The march towards an Orwellian future where every form of human behavior is being monitored by AI-driven appliances and electronics is quickly becoming a reality.  This was the plan from the start and as we can see the ruling elite have not slowed down one bit in their attempt to create this kind of world.
It is thus no surprise that Samsung is releasing a new smart phone this week called the S8 and S8+ that has a software called “Bixby” which will be studying your behavior in real-time and will be reacting, responding and “learning” from you accordingly.
The new Samsung S8 smart phone represents one of the first portable devices released to the general public in which the owner will be officially creating a 2-way relationship with the machine.
Read more on Activist Post.

Interesting.  I’ll ask my students if anyone would like to go for a ride…
Waymo’s self-driving minivans are now offering rides to real people in Arizona
Starting today, residents of the greater Phoenix metropolitan area can sign up to go for a ride in a self-driving minivan.  As often as they want.  For free.
Waymo, the self-driving car startup spun off from Google late last year, announced today that it’s offering its services to members of the public for the first time.  Waymo is calling it an “early rider program,” intent on cataloguing how on-demand, driverless cars will factor into people’s everyday lives.  Interested participants can sign up on the company’s website, and Waymo will select riders depending on the the types of trips they want to take and their willingness to use the self-driving service as their primary mode of transportation.  

Making language irrelevant?  Making it possible for everyone to read the ads? 
Google adds support for more Indian languages to Gboard, Maps, Translate; to leverage neural machine learning
   Having a smartphone is a boon in the digital age, but is the language becoming a barrier for the majority of Indians from tapping the fullest potential of a smart device or internet in general?
Internet giant Google sees an opportunity of growth in the vernacular segment.  While it has already added Indian language support to some of its services, the company today announced further expansion to the number of Indian languages supported.  It also revealed plans to leverage machine learning to further improve its services with the Indian languages.  Starting today, Google‘s products including Maps, Translate, Chrome, and Gboard will support over 30 Indian languages.
   It is estimated that by 2021, Hindi speaking users will overtake English speaking Internet users.  Furthermore, 9 out of 10 users in the next four years are likely to be Indian language users.

No comments: