Thursday, August 31, 2017

In addition to not noticing that their employees were gaming the system to “earn” higher bonuses, they apparently couldn’t even count how many times it had happened!
Wells Fargo: There were nearly 70 percent more potentially fake accounts opened than originally thought
On Thursday, the bank said the review of 165 million retail accounts opened from January 2009 to September 2016 identified 3.5 million as potentially unauthorized. That is up from the 2.1 million accounts originally identified in a narrower review that only covered 93.5 million accounts opened from May 2011 to mid-2015.

Didn’t they have backups?
Drew Tripp reports:
Dorchester School District 2 officials say no student or staff member’s identity information was stolen or compromised in a ransomware attack on the district’s computer network servers over the summer, but that some files were corrupted and lost, and the district was forced to pay a ransom to regain access to other data.
In a letter sent to parents and staff Wednesday, DD2 officials revealed its operating system and database were left disabled on 25 of the 65 servers for the district’s computer network after they were infected with a ransomware virus during the summer.
Read more on ABC4.

Just another “Thing” on the Internet of Things. reports:
The push to connect vehicles to one another and to the Internet has created a role for federal agencies to clarify its privacy protection role, the Government Accountability Office (GAO) concluded in a report released on Monday.  The government watchdog agency is worried that vehicles will continue to collect more and more data while federal standards continue to fall behind, failing to keep up with the pace of change in the industry.
GAO researchers contacted the sixteen automakers responsible for 90 percent of the cars and trucks sold in the United States and found that thirteen of them offered automobiles that connected to the Internet.  In 2014, GAO released a report focusing on the privacy of in-car navigation devices (view report), but this report focused specifically on systems that use a SIM card to connect to wireless data providers to provide services such as roadside assistance or automatic crash notification.
A copy of the report is available in a 3mb PDF file at the source link below.
Source: Vehicle Data Privacy (Government Accountability Office, 8/28/2017)

Too busy to follow all the rules?  Does that suggest the rules are poorly written or just time consuming?  Do we need the rules at all? 
From HHS, clarification during these difficult times:
In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:
  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications
Other provisions of the Privacy Rule continue to apply, even during the waiver period.
For more detailed information regarding HIPAA privacy and disclosures in emergency situations, click here.
For more detailed information regarding emergency situation preparedness, planning, and response, click here.
To utilize the Disclosures for Emergency Preparedness Decision Tool, click here.

Making Artificial Intelligence deliberately stupid?
Researchers Poison Machine Learning Engines
The more that artificial intelligence is incorporated into our computer systems, the more it will be explored by adversaries looking for weaknesses to exploit.  Researchers from New York University (NYU) have now demonstrated (PDF) that convolutional neural networks (CNNs) can be backdoored to produce false but controlled outputs.
Poisoning the machine learning (ML) engines used to detect malware is relatively simple in concept.  ML learns from data.  If the data pool is poisoned, then the ML output is also poisoned -- and cyber criminals are already attempting to do this.
CNNs, however, are at a different level of complexity -- and are used, for example, to recognize and interpret street signs by autonomous vehicles.

A shame this is limited to rural areas…
Rural America Is Building Its Own Internet Because No One Else Will
About 19 million Americans still don't have access to broadband internet, which the Federal Communication Commission defines as offering a minimum of 25 megabits per second download speeds and 3mbps upload speeds. Those who do have broadband access often find it's too expensive, unreliable, or has prohibitive data caps that make it unusable for modern needs.
In many cases, it's not financially viable for big internet service providers like Comcast and CharterSpectrum to expand into these communities.
Here, a look at three rural counties, in three different states, demonstrates how country folk are leading their communities into the digital age the best way they know how: ingenuity, tenacity, and good old-fashioned hard work.

Amusement for my Ethical hacking students.  Nice and secure, except for the override tool. 
The Hotel Room Hacker
Onity didn’t patch the security flaw in its millions of vulnerable locks. In fact, no software patch could fix it. Like so many other hardware companies that increasingly fill every corner of modern society with tiny computers, Onity was selling a digital product without much of a plan to secure its future from hackers. It had no update mechanism for its locks. Every one of the electronic boards inside of them would need to be replaced. And long after Brocious’ revelation, Onity announced that it wouldn’t pay for those replacements, putting the onus on its hotel customers instead. Many of those customers refused to shell out for the fix—$25 or more per lock depending on the cost of labor—or seemed to remain blissfully unaware of the problem.
And so instead of Brocious’ research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals.

Something for our Criminal Justice students to dive into?
Bureau of Justice Statistics Arrest Data Analysis Tool
Bureau of Justice Statistics Arrest Data Analysis Tool: “This dynamic data analysis tool allows you to generate tables and figures of arrest data from 1980 onward. You can view national arrest estimates, customized either by age and sex or by age group and race, for many offenses. This tool also enables you to view data on local arrests. Select National Estimates or Agency-Level Counts from the menu above. Use the Annual Tables to view tables of arrest data broken down by sex, race, age, or juvenile and adult age groups. Select Trend Tables by Sex or Trend Tables by Race to create customized tables of long-term trends. In National Estimates, you can also view figures of long-term trends by sex or by race and age-arrest curves for many offenses. The underlying data are from the FBI’s Uniform Crime Reporting (UCR) Program. BJS has expanded on the FBI’s estimates to provide national arrest estimates detailed by offense, sex, age, and race. The Methodology tab describes estimation procedures and the limitations of the arrest data. The Terms & Definitions tab explains the meaning or use of terms, including the FBI’s offense definitions. You can download output to Excel format. This User’s Guide provides everything you need to get started.”
