“The 2X4 is just to get
the mule's attention.”
Organized hackers
in Ukraine and Russia stole more than $1 million from a public
hospital in Washington state earlier this month. The costly
cyberheist was carried out with the help of nearly 100 different
accomplices in the United States who were hired through work-at-home
job scams run by a crime gang that has been fleecing businesses for
the past five years.
Last Friday, The
Wenatchatee World broke the news of the heist, which struck Chelan
County Public Hospital No. 1, one of several hospitals
managed by the Cascade Medical Center in
Leavenworth, Wash. The publication said the attack occurred on Apr.
19, and moved an estimated $1.03 million out of the hospital’s
payroll account into 96 different bank accounts, mostly at banks in
the Midwest and East Coast.
On
Wednesday of last week, I began alerting the hospital that it had
apparently been breached. Neither
the hospital nor the staff at Cascade Medical returned repeated
calls. I reached out to the two entities
because I’d spoken with two unwitting accomplices who were used in
the scam, and who reported helping to launder more than $14,000
siphoned from the hospital’s accounts.
Maybe if insurers decline to cover
losses if they find out that someone tried to warn the entity and the
entity ignored or failed to respond to the attempted alerts, it would
help?
(Related)
A great headline for
Computer Security managers to pass along to management...
A few weeks ago I noted
that William Jennings Bryan Dorn VA
Medical Center in South Carolina was
notifying over 7,000 patients of a breach involving a stolen
laptop. Now two of the veterans affected have filed
a lawsuit over the breach. Additional details on the lawsuit,
which was filed April 12, can be found here.
Mandatory BYOD! This could be really
interesting.
"Half
of all employers will require workers to supply their own mobile
devices for work purposes by 2017, according to a new Gartner
study. Enterprises that offer only corporately-owned smartphones or
stipends to buy your own will soon become the exception to the rule
in the next few years. As enterprise BYOD programs proliferate, 38%
of companies expect to stop providing devices to workers by 2016 and
let them use their own, according to a global survey of CIOs by
Gartner. At the same time, security remains the top BYOD concern.
'What happens if you buy a device for an employee and they leave the
job a month later? How are you going to settle up? Better to keep
it simple. The employee owns the device, and the company helps to
cover usage costs,' said David Willis, a distinguished analyst at
Gartner."
Attention everyone downstream! This
damn breach could lead to a dam breach! (Sorry, I couldn't resist)
Think of this as “Targeting Information”
Hacker
Breached U.S. Army Database Containing Sensitive Information on Dams
A hacker compromised a U.S. Army
database that holds sensitive information about vulnerabilities in
U.S. dams, according to a news report.
The
U.S.
Army Corps of Engineers’ National Inventory of Dams contains
information about 79,000 dams throughout the country and tracks such
information as the number of estimated deaths that could occur if a
specific dam failed. It’s accessible to government employees who
have accounts. Non-government users can query the database but
cannot download data from it.
… “The U.S. Army Corps of
Engineers is aware that access to the National Inventory of Dams
(NID), to include sensitive fields of information not generally
available to the public, was given to an unauthorized
individual in January 2013 who was subsequently determined
to not to have proper level of access for the information,” Pierce
said in a statement to the publication. “[U.S. Army Corps of
Engineers] immediately revoked this user’s access to the database
upon learning that the individual was not, in fact, authorized full
access to the NID.”
All users had been sent an e-mail
notification to this effect, which apparently told them that their
account username had been changed to their e-mail address and
included the new password in plaintext that the Corps
did not ask users to change. [Not particularly well thought out...
Bob]
Although the website provides links to
reset the password if a user forgets it, the links
were not working when Wired visited the site.
Unnamed U.S. officials told the Free
Beacon that the breach was traced to “the Chinese government or
military cyber warriors,” but offered no information to support the
claim.
Attention Ethical Hackers! This should
not impact our “Online Games for Fun and Profit” class.
Use
a Software Bug to Win Video Poker? That’s a Federal Hacking Case
… The question: was it a criminal
violation of federal anti-hacking law for Kane and a friend to
knowingly take advantage of the glitch to the tune of at least
half-a-million dollars? Prosecutors say it was. But in a win for
the defense, a federal magistrate found last fall
that the Computer Fraud and Abuse Act doesn’t apply, and
recommended the hacking charge be dismissed. The issue is
now being argued in front of U.S. District Court Judge Miranda Du,
who’s likely to rule this month.
Under reporting the number of victims
seems to be an Internet Meme. Makes it seem like they don't know
what is happening in their own computer system.
Could this be the start of
a trend?
Section 1. Section
3 of the act of December 22, 2005 (P.L.474, No.94), known as the
Breach of Personal Information Notification Act, is amended by adding
subsections to read:
Section 3.
Notification of breach.
(a.1) Notification
by State agency.–If a State agency is the subject
of a breach of security of the system, the State agency
shall provide notice of the breach of security of the system required
under subsection (a) within seven days following discovery of the
breach. Notification shall be provided to the Office of Attorney
General within three business days following discovery of the breach.
A State agency under the Governor’s jurisdiction shall also
provide notice of a breach of its security system to the Governor’s
Office of Administration within three business days following the
discovery of the breach. Notification shall occur regardless of the
existence of procedures and policies under section 7.
(a.2) Notification
by county, school district or municipality.–If a county, school
district or municipality is the subject of a breach of security of
the system, the county, school district or municipality shall provide
notice of the breach of security of the system required under
subsection (a) within seven days following discovery of the breach.
Notification shall be provided to the district attorney in the county
in which the breach occurred within three business days following
discovery of the breach. Notification shall occur regardless of the
existence of procedures and policies under section 7.
(A.3) STORAGE
POLICY.–
(1) THE OFFICE OF ADMINISTRATION SHALL DEVELOP A POLICY
TO GOVERN THE PROPER STORAGE BY STATE AGENCIES OF DATA WHICH INCLUDES
PERSONALLY IDENTIFIABLE INFORMATION. THE POLICY SHALL ADDRESS
IDENTIFYING, COLLECTING, MAINTAINING, DISPLAYING AND TRANSFERRING
PERSONALLY IDENTIFIABLE INFORMATION, USING PERSONALLY IDENTIFIABLE
INFORMATION IN TEST ENVIRONMENTS, REMEDIATING PERSONALLY IDENTIFIABLE
INFORMATION STORED ON LEGACY SYSTEMS AND OTHER RELEVANT ISSUES. A
GOAL OF THE POLICY SHALL BE TO REDUCE THE RISK OF FUTURE BREACHES OF
SECURITY OF THE SYSTEM.
(2) IN DEVELOPING
THE POLICY UNDER PARAGRAPH (1), THE OFFICE OF ADMINISTRATION SHALL
CONSIDER SIMILAR EXISTING POLICIES IN OTHER STATES, BEST PRACTICES
IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND OTHER SOURCES AS
APPROPRIATE. THE POLICY SHALL BE REVIEWED AT LEAST ANNUALLY AND
UPDATED AS NECESSARY.
Section 2. This
act shall take effect in 60 days.
You have to go through all
the efforts to match the video captured images to drivers license and
other databases, but sometimes you get lucky and someone calls 911.
Boston
carjack victim talks about narrow escape
… Three nights after
the bombing, Danny was sitting in his new Mercedes when a man came
from behind the car, put his hand through the open window and opened
the door from the inside before pointing a gun only inches from his
head.
Danny did not know it was Tamerlan
Tsarnaev. His attacker asked him if he had been following the news
of the bombings.
“I said, "Yes, of course,’’’
Danny told Lauer. “Then he said, ‘I did that. And I just killed
a policeman in Cambridge.’’’
… With the car stopped at a gas
station, Danny made his move to escape. When Dzhokhar left his
vehicle to go to an A.T.M. and pump gas, Danny unbuckled his seatbelt
with his left hand, opened the door with his right hand and ran from
the car with Tamerlan still sitting in it.
“I took off,’’ he said.
“(Tamerlan) tried to grab me. He was trying to grab me. It was
very close. I can feel it.”
Danny ran to another gas station and
called 911, telling police they could locate the
suspects through his car’s satellite system and the iPhone he left
behind.
I'm not sure what (or who)
OccupyCorporatism is, but they seems to hate everyone. Also, the
headline does not match the article.
Susanne Pesel reports:
The Bill and
Melinda Gates Foundation (BMGF) have funded the
Measures
of Effective Teaching Project (MET) which brings together
volunteers and researchers “to build and test measures of effective
teaching to find out how evaluation methods could best be used to
tell teachers more about the skills that make them most effective and
to help districts identify and develop great teaching.”
[...]
The BMGF have also
invested $5 billion [also reported as $5 million...
Bob] into having CCTV cameras installed in all classrooms
across the nation allegedly “for every teacher in every classroom
in every district to be filmed in action so they can be evaluated
and, maybe, improve.”
This initiative
would
facilitate
“videotaped lessons, classroom observations by trained
observers, student satisfaction surveys, and value-added calculations
based on test scores.”
His proposals are so problematic that
it’s hard to even know where to start responding to his ideas, but
if you want to create an environment where kids feel emotionally safe
to learn, to question, and to take risks in their thinking, constant
surveillance is counter-indicated.
Hummm
May 01, 2013
Google
Transparency Report
"Transparency is a core value at
Google. As a company we feel it is our responsibility to ensure that
we maximize transparency around the flow of information related to
our tools and services. We believe that more information means more
choice, more freedom and ultimately more power for the individual.
In
this report,
we disclose:
Real-time and historical traffic
to Google services around the world;
Numbers of removal requests we
receive from copyright owners or governments;
Numbers of user data requests we
receive from government agencies and courts.
To learn more about the laws
governing our disclosure of user data and reforms to those laws that
we think are important, visit
http://digitaldueprocess.org/.
We hope this report will shine some light on the appropriate scope
and authority of government requests to obtain user data around the
globe."
Think about it. How hard
could it be if you know an individual's ZIP code, birth date and sex?
From the MIT Technology
Review:
One of the biggest
questions in biology is the nature versus nurture debate, the
relative roles that genetic and environmental factors play in
determining human traits.
In 2006, George
Church at Harvard University and a few others started the Personal
Genome Project (PGP) to help answer this question. The goal is to
collect genomic information from 100,000 informed members of the
public along with their health records and other relevant phenotypic
data. The idea is to use this information to help tease apart the
relative contributions of genetic and environmental factors.
The
project does not guarantee privacy for those who sign up.
Indeed, the participants can reveal as much information as they like,
including their ZIP code, birth date and sex.
However, the
data is ‘de-identified’ in the sense that the owners names and
addresses are not included in their profiles on the PGP website and
this generates a veneer of privacy.
Today, Latanya
Sweeney and colleagues at Harvard show that even this
is practically useless in keeping owners identities private.
They say a relatively simple comparison of the list of PGP
participants with other databases such as voter lists reveals the
identity of a significant number of them with remarkable accuracy.
Could be an interesting
case to watch...
Mozilla
Takes Aim at Spyware That Masquerades as Firefox
Mozilla’s lawyers are sending a nasty
gram to a U.K. company that writes spyware for government snoops.
The problem is that
FinSpy masquerades as FireFox on the PC, according to
researchers at The Citizen Lab, a University of Toronto-backed
project that investigates technology and human rights. That violates
Mozilla’s trademark, the browser-maker said in a statement. “As
an open source project trusted by hundreds of millions of people
around the world, defending Mozilla’s trademarks from this abuse is
vital to our brand, mission and continued success.”
Mozilla says it’s sending the U.K.
company that makes FinSpy, Gamma International, a cease-and-desist
letter later today “demanding that these practices be stopped
immediately.” Gamma International couldn’t immediately be
reached for comment. FinFisher is the name of Gamma’s command and
control server software that collects the surveillance data. It also
makes FinSpy, the spyware that runs on the PC.
Gamma International markets its
software as a “remote monitoring” program that government
agencies can use to take control of computers and snoop on data and
communications. In theory, it could be legitimately used for
surveillance efforts by crime fighting agencies, but in practice, it
has popped up as a spy tool unleashed against dissident movements
operating against repressive regimes
Ethical Hackers: If I can
“Control” it, I can hack it... (Might even work if your phone is
stolen?)
… If you leave your
phone at home while leaving for work, you are fretting about missing
important text messages and phone calls. There is nothing to do in
such a situation but to go back home and fetch your phone.
… Thankfully there is now a
smartphone application that provides an effective solution for this
predicament that does not involve you going back home to get your
phone. This application is called Phonnix.
Phonnix is a free to use
smartphone application for devices that are running Android.
… If you left your
phone at home, then all you need to do is ensure that it has Internet
connectivity – either through your carrier’s data plan or through
a plain Wi-Fi network. It is then possible to log into the app using
a web browser on your computer.
From then onwards you are able to send
and receive text messages in the browser instantly. Missed calls
notifications can also be instantly received. Integration with
Facebook is possible which delivers all this information to your
favorite social network and makes it possible for you to receive
incoming calls there. Commands can be sent to the phone to forward
your calls to another phone number.
Something for our Graphic
Design students?
LinkedIn
Now Lets You Add a Visual Portfolio to Your Profile
LinkedIn now lets users
add visual content like photos, presentations and videos to their
profile pages — a feature that has been in high demand with
creative professionals like designers and photographers.
Might be handy if you have
friends or relatives in places that suffer mad bombers or natural
disasters.
… Well, regardless of
the fatality numbers, any major crisis that shuts down communication
systems or travel ends up breaking off a fairly large population of
people from the outside world. This isn’t just the case when
there’s some kind of violent attack, but it even more commonly
occurs following things like earthquakes, hurricanes and other
natural disasters. When social infrastructure fails, family and
friends out side of the danger zone really start to get nervous when
they can’t get in touch with their loved ones. Add on top of that
the fact that the news media starts immediately reporting the
increase in body count, and you’ve got a situation of all-out
panic.
… Google Person Finder
is offered as a free service for the general public, as well as
emergency responders, to use following a catastrophe.
…
The way it works is
relatively simple, and there are some additional features that you
can embed on your own website, which I’ll get to later in this
article. When you first go to the Google
Person Finder page, you’ll see a list of current active events
for which the Person Finder is currently active.
… Inside of an event
page, you’ll find two large link boxes. You’ll also see the
current database size underneath those links.
… Two links:
“I’m
looking for someone”
“I
have information about someone” link