Richard Chirgwin reports:

A water and electricity authority in the US State of Michigan has needed a week to recover from a ransomware attack that fortunately only hit its enterprise systems.

Lansing’s BWL – Board of Water & Light – first noticed the successful phishing attack on its corporate systems on April 25, and has had to keep systems including phone servers locked down since then.

The company says customer data has not been stolen (only, as is the case in ransomware attacks, encrypted).

Read more on The Register.
Last week, the FBI posted an alert highlighting what we already knew: ransomware is on the rise. And not only is it hitting all sectors, it’s hitting personal home computers.

What some may not know, and from the FBI’s alert:

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.
Screwing up by the numbers?
Aha. I see Brian Krebs got some answers before I did concerning a breach involving ADP. On April 30, I had reported that Allegheny College suspected that employee reports of W-2 data compromise were linked to a breach involving ADP’s iPay. In an email to this site earlier today, Rick Holmgren, the college’s vice-president of Information Services and Assessment, said he still had no idea how unauthorized third parties were able to register accounts on iPay. ADP, contacted several times by DataBreaches.net, has yet to provide the requested explanation.

Enter Brian Krebs to the rescue. Brian reports that the criminals were able to steal wage and tax data from ADP by registering accounts in the names of employees at “more than a dozen customer firms.” ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.
Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

… A reader who works at the financial institution shared a letter received from Jennie Carlson, U.S. Bank’s executive vice president of human resources.

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”

The letter continued:

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

[…]

According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: a custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.

The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.

Read more on KrebsOnSecurity.com.
The problem being described appears different than the problem being reported in connection with Greenshades clients. As I’ve reported previously on this site, Greenshades claims their clients’ employees had their W-2 data compromised because they used their DOB and SSN as their login credentials, [Aargh! Bob] and criminals who obtained that information elsewhere were then able to login as the employees and download their W-2 data. Other clients’ employees, they claim, likely fell for a phishing scheme directing them to a fake Greenshades domain.

ADP and Greenshades are not the only payroll or W-2 vendors whose clients have been reporting problems. As also noted previously on this site, Innovak customers in Mississippi and Alabama have reported problems, and Stanford University and its vendor, W-2 Express, are still investigating how over 700 Stanford employees had their W-2 data stolen.

How many other vendors have experienced compromises remains unknown, as some entities reporting breaches of their employees’ W-2 data are not naming their vendors.

Might this be a good time for all vendors to review and strengthen their authentication procedures?
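As an added illustration of the two authentication failures discussed above (a shared static company code plus personal data for ADP, and DOB/SSN as login credentials for Greenshades), here is a toy model in Python that is not code from ADP, Greenshades, Krebs or this site. It contrasts the weak "dormant account plus public code" registration with a per-employee, single-use, expiring registration token issued out of band; the employee record, company code, and the hypothetical HR delivery channel are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one employee who deferred portal signup, and the
# shared static company code that the page describes as published online.
EMPLOYEE = {"emp_id": "E1001", "ssn_last4": "1234", "dob": "1980-01-01", "registered": False}
LEAKED_COMPANY_CODE = "ACME-2016"

def weak_register(ssn_last4, dob, company_code, record=EMPLOYEE):
    """Weak policy: a shared static code plus personal data claims any dormant account."""
    if record["registered"] or company_code != LEAKED_COMPANY_CODE:
        return False
    return ssn_last4 == record["ssn_last4"] and dob == record["dob"]

class HardenedPortal:
    """Hardened policy: per-employee, single-use, expiring registration tokens.
    The employer hands each token to the employee out of band (hypothetical HR channel);
    the portal stores only an HMAC of it, so a database leak yields no usable tokens.
    """
    TTL_SECONDS = 7 * 24 * 3600

    def __init__(self, server_key=None):
        self.server_key = server_key or secrets.token_bytes(32)
        self.pending = {}        # emp_id -> (token_hmac, expires_at)
        self.registered = set()

    def _tag(self, token):
        return hmac.new(self.server_key, token.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, emp_id, now=None):
        token = secrets.token_urlsafe(24)
        expires_at = (time.time() if now is None else now) + self.TTL_SECONDS
        self.pending[emp_id] = (self._tag(token), expires_at)
        return token             # delivered to the employee, never published

    def register(self, emp_id, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(emp_id)
        if entry is None or emp_id in self.registered:
            return False
        tag, expires_at = entry
        if now > expires_at or not hmac.compare_digest(tag, self._tag(token)):
            return False
        del self.pending[emp_id]  # single use: a replayed token is refused
        self.registered.add(emp_id)
        return True
```

Knowing the employee's personal data and the leaked code is enough for `weak_register`, while `HardenedPortal.register` refuses guesses, replays and expired tokens, and leaves no account that a stranger can be first to claim.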
Or screwing up wholesale.
(We don’t need no stinking encryption!)
EqualizeRCM Services is a vendor providing billing and collection services to healthcare providers. In compliance with HIPAA, it has Business Associate contracts with its clients, who provide it with the information needed to fulfill its functions. The firm has headquarters in Austin, Texas, and offices in Houston and Washington, D.C.

On February 29, EqualizeRCM learned that a laptop had been stolen from an employee on February 25 or 26. A notification letter, signed by Janine Anthony Bowen of LeClairRyan to the New Hampshire Attorney General’s Office, does not indicate whether the laptop was stolen from the employee’s home, a car, or some other location.

[…]

In a statement posted on their web site on April 28, EqualizeRCM explained that the information potentially exposed may have included patient name, address, phone number, date of birth, gender, insurance provider and policy number, health care provider information, billing and diagnosis codes, medical record number, internal reference number, date and type of service, the name of the treating facility, and other administrative information.

Financial account information and Social Security numbers were not impacted, and as of April 28, neither EqualizeRCM nor its clients were aware of any misuse of the information. As a precaution, however, EqualizeRCM is offering affected patients services through AllClear ID.

[…]

In addition to offering remediation services, EqualizeRCM is also reviewing its policies and procedures, implementing additional safeguards to ensure information in its control is appropriately protected, and “retraining employees on existing policies for the proper handling of sensitive information.”
Are there billboards near potential targets?

Joe Cadillic isn’t buying any protestations that the data are “anonymous.” He writes:

Clear Channel Outdoor (CCO) has 675,000 billboards worldwide, most of which are tracking everyone’s smartphones and tablets. CCO’s ad program is a partnership between AT&T and other companies that collect location data from smartphones, company officials said.

CCO’s smartphone electronic surveillance system is called “RADAR,” which they insist anonymizes everyone’s data. But it does much more than that: it tracks consumers’ real-world travel patterns and behaviors.

Read more on MassPrivateI.
Those who do not study technology are doomed to misunderstand it? Frustrated (or technically ignorant) judges will certainly repeat rulings like this one.

WhatsApp Goes Through Judicial Revolving Door in Brazil

A Brazilian court on Tuesday overturned a different court's Monday order that blocked WhatsApp, the messaging site owned by Facebook, amid a criminal investigation into drug trafficking in the state of Sergipe.

The earlier judicial demand that WhatsApp provide data considered critical to the investigation came soon after a ramp-up in the level of encryption built into the app. Five major Internet service providers faced hefty fines of about US$142,000 daily if they failed to comply with the order.

… The decision to block WhatsApp was clumsy and disproportionate, said Katitza Rodriguez, international rights director at the Electronic Frontier Foundation.

… The order surprised activists in Brazil, who considered the move out of step with the spirit of the law, noted Javier Pallero, policy analyst at Access Now.

… Brazilian lawmakers on Tuesday held hearings to consider a series of laws that could lead to a severe crackdown on open technology and privacy, as part of Brazil's Parliamentary Inquiry on Cybercrime.

Officials on Wednesday are expected to vote on seven pieces of legislation that would give police warrantless access to IP addresses, allow judges to block sites used for criminal purposes, and require monitoring of content on sites and apps deemed offensive, according to EFF.
Just to be clear…

Law Affords More Protection to PINs Than Prints

… Although the Fifth Amendment to the U.S. Constitution protects citizens from self-incrimination, that protection doesn't extend to opening mobile phones with a fingerprint, according to Paul Rosenzweig, a George Washington University professorial lecturer in law.

"None of your physical characteristics are subject to Fifth Amendment protection," he told TechNewsWorld.

"You don't have a right to refuse to stand in a lineup," Rosenzweig said. "You don't have a right to refuse an order to give your fingerprint to be compared to fingerprints at a crime scene."

The Fifth Amendment protects only things that are testimonial in nature.
Sometimes being the dominant player in a market can get expensive. Would any insurance cover this? If not, will they be able to replace all these airbags before bankruptcy?

Takata's fight for survival gets even harder as airbag recall widens

… “This is just another step in the long decline of Takata,” said Jochen Siebert, managing director of JSC (Shanghai) Automotive Consulting Co. “I just can’t see how Takata can survive this disaster.”

An expanded safety campaign will deal a further blow to President Shigehisa Takada, who has so far failed to contain a spiraling crisis that’s wiped out 75 percent of his family company’s market value in the past year. Last May, the airbag supplier set the record for the largest automotive recall in U.S. history by agreeing to almost double the number of vehicles called back to about 34 million.
Something for my Spreadsheet students to play “what if” games with.

Traditional and Roth Individual Retirement Accounts (IRAs): A Primer

by Sabrina I. Pacifici on May 3, 2016

CRS report via FAS – Traditional and Roth Individual Retirement Accounts (IRAs): A Primer, John J. Topoleski, Analyst in Income Security. April 27, 2016.

“In response to concerns over the adequacy of retirement savings, Congress has created incentives to encourage individuals to save more for retirement through a variety of retirement plans. Some retirement plans are employer-sponsored, such as 401(k) plans, and others are established by individual employees, such as Individual Retirement Accounts (IRAs). This report describes the primary features of two common retirement savings accounts that are available to individuals. Although the accounts have many features in common, they differ in some important aspects. Both traditional and Roth IRAs offer tax incentives to encourage individuals to save for retirement. Contributions to traditional IRAs may be tax-deductible for taxpayers who (1) are not covered by a retirement plan at their place of employment or (2) have income below specified limits. Contributions to Roth IRAs are not tax-deductible and eligibility is limited to those with incomes under specified limits…”
For my geeks!

IBM Is Now Letting Anyone Play With Its Quantum Computer

Quantum computing is computing at its most esoteric. It’s an experimental, enormously complex, sometimes downright confusing technology that’s typically the domain of hardcore academics and organizations like Google and NASA. But that might be changing.

Today, IBM unveiled an online service that lets anyone use the five-qubit quantum computer its researchers have erected at a research lab in Yorktown Heights, New York. You can access the machine over the Internet via a simple software interface—or at least it’s simple if you understand the basics of quantum computing.
For my Students! “Study hard.” “Come to class on time.”

How to Add Subliminal Messages to Windows

Whether you want to train your unconscious mind while you work, perform a study on whether these messages have an effect, or just play a few pranks on your friends’ computers, here’s how you can add some subliminal message text to Windows.
A recording studio on your phone?

Moog’s New App Is a Spot-on Recreation of a Classic Synth

Five years ago, Moog Music proved you could use the iPad as a real musical instrument when it released Animoog, a polyphonic synthesizer app that made full use of the tablet’s touchscreen.

… The Moog Model 15 Synthesizer app is an iOS-powered recreation of the iconic Model 15 modular synth from 1973. You can download it now for $30. If you find that steep, consider two things. One, this is a pro-grade instrument that plays and sounds like the business. And two, a real Model 15 is the size of a suitcase and tops $10,000; the iPad version delivers 90 percent of the goods in something easily carried in your backpack.
(Related) I wonder if any of my students have talent?

BandLab - Collaboratively Create Music Online

BandLab is a free service that enables you to create music in your web browser or through free Android and iOS apps. In BandLab you can create soundtracks using any of the virtual instruments that are provided. You can also speak or sing to record a track. Within the BandLab editor you can mix your tracks together to create a song. If you have existing audio files on your computer, you can upload those to incorporate into your BandLab creations.

BandLab is designed to allow you to collaborate with others. To collaborate you first have to create a band in your BandLab profile, then invite other users to join your band.