Tuesday, June 19, 2018

If it sounds too good to be true…
Adidas fans hit by phishing scam
Why users always fall for the lamest phishing scams is beyond comprehension, but hackers take advantage of this weakness and hide their scheming behind the usual fake prizes and too-good-to-be-true giveaways. This time, it was Adidas’ turn to feature in a major phishing scam that targeted users in specific regions.
A fake Adidas campaign promising free shoes instantly became popular through WhatsApp, and it’s not even the first time such a phishing scheme was used this year. To celebrate its 69th anniversary, the sports company was allegedly giving away 2,500 pairs of shoes to users who filled out a four-question survey.
All they had to do was click on a link to claim the prize and share it on WhatsApp with their contacts.
… No matter how many times users tried to share the campaign, they had no way to confirm that the share actually went through. It was just part of the scam. The very detail that they couldn’t choose color or size should have been a hint that it wasn’t a legitimate campaign – either that or the misspelled company name in the spoofed link.
Users were promised free sneakers in exchange for $1 to claim them, but all they were left with was a recurring $50-per-month subscription fee. Through the scam, hackers got access to users’ payments and contact details. The subscription automatically signs users up for the “organizejobs” service, which has been identified as a scam.

Not the best ‘Business Continuity’ example.
'We do not know when this is going to be fixed,' American says of CLT flight problems
American Airlines struggled to recover Monday from a recurring computer problem that left one of its key regional carriers unable to fly to or from Charlotte Douglas International Airport, stranding hundreds of passengers for the second time in a week.
The problem, airline spokeswoman Katie Cody said, traced back to the crew scheduling and tracking system at PSA Airlines, a wholly-owned subsidiary that operates flights under the American Eagle brand. The issue is with hardware at PSA's headquarters in Dayton, Ohio, and it's left the carrier unable to get flight crews and planes matched up. About 350 flights into and out of Charlotte have been canceled since Sunday, Cody said.
… PSA canceled about 70 flights on Sunday, a bit more than 10 percent of the total at Charlotte Douglas. A similar number were planned to be canceled Monday night, Cody said.
For PSA, it was the second time in a week trouble struck. A technical issue with the regional carrier caused more than 120 Charlotte flights to be canceled last week, on Thursday, and the issue continued into Friday morning.
The outage indicates there might not be a backup software system for crew scheduling at PSA, Harteveldt said. The problem also appears to be bigger than American first realized, he said.
“This is apparently a more complex problem than initially thought, and it could take several days, based on my understanding, potentially even a week, to really fix this,” he said.

What's different? Only the excuses.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here.

Will this rise to the level of a significant concern? Will surveillance technology find itself limited to small, closely held companies or even foreign companies?
Amazon shareholders call for halt of facial recognition sales to police
In a letter delivered to CEO Jeff Bezos late Friday, the shareholders, many of whom are advocates of socially responsible investing, say they're concerned about the privacy threat of government surveillance from the tool.
Amazon's technology, called Rekognition and introduced in 2016, detects objects and faces in images and videos. Customers, which include law enforcement in Orlando, Florida and Washington County, Oregon, can upload face databases to automatically identify individuals.
… The shareholders, which include the Social Equity Group and Northwest Coalition for Responsible Investment, are joining groups such as the ACLU in efforts to stop the company from selling the service — pointing out the risks of mass surveillance.
… "We are concerned the technology would be used to unfairly and disproportionately target and surveil people of color, immigrants, and civil society organizations," the shareholders write. "We are concerned sales may be expanded to foreign governments, including authoritarian regimes."
In a blog post earlier this month, Matt Wood, a general manager of artificial intelligence at Amazon Web Services, said Amazon's policy prohibits the use of its service for activities that are illegal, violate the rights of others, or may be harmful.

The more things change, the more they stay the same. What else could you expect when the “punishment” required a few days of pretending to be sorry and moving to a new office?
Cambridge Analytica staffers are on the job – working on 2020 campaign
Quartz: “Hang on to your data, dear Facebook friends. Cambridge Analytica—the political consultancy that collapsed into bankruptcy in May after a scandal about its nefarious information-collection methods—is apparently metamorphosing. The company that Mark Zuckerberg admitted targeted 87 million Facebook users’ data, and whose work could well have influenced elections in the US and UK, may be currently disgraced. But it also appears to be putting a new face on its same old data-gathering gig. The Associated Press (AP) on June 15 reported that top staffers from the fallen consultancy are back on the job at a newly-formed company with a name that’s eerily reminiscent of the last place they worked—Data Propria. As the name implies, the new company is similarly preoccupied with gathering information, specifically to target voters and consumers. Basically, it’s the same mission that Cambridge Analytica had. Matt Oczkowski—head of product at the predecessor firm—is leading Data Propria, which also employs Cambridge Analytica’s former chief data scientist, David Wilkinson, and others from the scandal-ridden company…”

(Related) What does political awareness have in common with digital savviness?
Distinguishing Between Factual and Opinion Statements in the News
“The politically aware, digitally savvy and those more trusting of the news media fare better; Republicans and Democrats both influenced by political appeal of statements.
In today’s fast-paced and complex information environment, news consumers must make rapid-fire judgments about how to internalize news-related statements – statements that often come in snippets and through pathways that provide little context. A new Pew Research Center survey of 5,035 U.S. adults examines a basic step in that process: whether members of the public can recognize news as factual – something that’s capable of being proved or disproved by objective evidence – or as an opinion that reflects the beliefs and values of whoever expressed it. The findings from the survey, conducted between Feb. 22 and March 8, 2018, reveal that even this basic task presents a challenge. The main portion of the study, which measured the public’s ability to distinguish between five factual statements and five opinion statements, found that a majority of Americans correctly identified at least three of the five statements in each set. But this result is only a little better than random guesses. Far fewer Americans got all five correct, and roughly a quarter got most or all wrong. Even more revealing is that certain Americans do far better at parsing through this content than others. Those with high political awareness, those who are very digitally savvy and those who place high levels of trust in the news media are better able than others to accurately identify news-related statements as factual or opinion…”

(Related) Will anyone learn from these examples?
Cyber Attack Aims to Manipulate Mexican Election
On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.
PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack.
The source of the DDoS attack is unknown and possibly unknowable – but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.
The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.
The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.
This last possibility is not a serious proposal – but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above – a straightforward DDoS attack by cybercriminals.

I wonder what caused/allowed this?
KPMG's audit work unacceptable, says watchdog
The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog.
KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said.
The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.
KPMG said it was "disappointed" and was taking steps to improve audit quality.
… "There has been an unacceptable deterioration in quality at one firm, KPMG," the FRC said in a statement. "50% of KPMG's FTSE 350 audits required more than just limited improvements, compared to 35% in the previous year."
… "They must address urgently several factors that are vital to audit, including the level of challenge and scepticism by auditors, in particular in their bank audits. We also expect improvements in group audits and in the audit of pension balances."
… KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.
The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.
… the accounting industry has faced a lot of criticism in the last few years over whether its verdicts on companies' accounts can be trusted.