Robbing an ATM just got much more interesting!
Hackers steal millions from ATMs without using a card
Taiwan is trying to figure out how hackers managed to trick a network of bank ATMs into spitting out millions.
Police said several people wearing masks attacked dozens of ATMs operated by Taiwan's First Bank on Sunday. They spent a few minutes at each of the machines before making off with the equivalent of $2 million stashed in a backpack.
They didn't use bank cards but rather appeared to gain control of the machines with a "connected device," possibly a smartphone, the police said in a statement Thursday. Authorities are now hunting the thieves, who they say came from Russia and eastern Europe.
… Prosecutors said the machines were infected with three different malware files that instructed them to "spit out cash" and then deleted evidence of the crime. They described the case as the first of its kind in Taiwan.
If nothing else, this is a great “targeting” tool.
Maxthon Browser Sends Sensitive Data to China
Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors.
Developed by China-based Maxthon International, the browser is available for all major platforms in more than 50 languages. In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number.
While dat.txt is encrypted, experts easily found the key needed to decrypt it, giving them access to the information.
Exatel researchers demonstrated how a man-in-the-middle (MitM) attacker could intercept the data as it travels from the client to the Maxthon server in China.
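As an added example (not code from Fidelis, Exatel or Maxthon), here is a small detector a defender could run over web-proxy logs to flag plaintext HTTP uploads of the telemetry archive named in the article. The log format, hostnames and client addresses below are constructed; the file names ueipdata.zip and dat.txt are the only page-derived facts. The same check generalizes to any watch-listed artifact leaving the network without TLS.

```python
"""Flag plaintext (HTTP) uploads of a watch-listed file in proxy logs.

Added example, not code from Fidelis, Exatel or Maxthon. The log lines are a
constructed, simplified access-log format:
    <epoch> <client-ip> <method> <url> <status> <bytes>
"""
import re
from urllib.parse import urlparse

# Constructed sample log. Hosts use the reserved .invalid / example.com names.
SAMPLE_LOG = """\
1468540801.123 10.0.0.12 POST http://telemetry.example.invalid/upload/ueipdata.zip 200 48213
1468540802.456 10.0.0.15 GET http://www.example.com/index.html 200 1024
1468540803.789 10.0.0.12 POST https://updates.example.invalid/ueipdata.zip 200 48213
1468540804.001 10.0.0.20 GET http://cdn.example.com/dat.txt 404 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# File names reported in the article; the watch list is the only tunable here.
WATCHED_NAMES = {"ueipdata.zip", "dat.txt"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    return entry


def is_plaintext_upload(entry):
    """True when a watched file is uploaded over plain HTTP (no TLS).

    A real proxy only sees the CONNECT host for HTTPS unless it terminates
    TLS; the https line in the sample exists only to exercise the scheme check.
    """
    url = urlparse(entry["url"])
    filename = url.path.rsplit("/", 1)[-1]
    return (
        url.scheme == "http"
        and entry["method"] in {"POST", "PUT"}
        and filename in WATCHED_NAMES
    )


def find_alerts(log_text):
    """Return the parsed entries that should raise an alert."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_plaintext_upload(entry):
            alerts.append(entry)
    return alerts


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOG):
        print(f"ALERT client={hit['client']} url={hit['url']} bytes={hit['bytes']}")
```

Only the first line is flagged: the TLS upload and the GET of dat.txt fall outside the rule, which is deliberate so the alert means "this specific artifact left in the clear", not merely "this name appeared".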
Should you expect to be hacked? At least create a way for someone to let you
know when it happens.
From LeakedSource:
Shortly after the hack of MuslimMatch.com, Shadi.com, another dating site, was hacked around July 10th, 2016. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data.
This data set contains 2,035,020 records. Each record contains an email address and one password. Passwords were stored with no hashing or encryption (plaintext).
Read more on LeakedSource.
I searched Shadi.com for some message to its members. Finding none – and also finding no way to contact them about a security breach, I used their customer support ticket system to send them a notification and an inquiry. If I get a response, this post will be updated.
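An added illustration of the difference LeakedSource is pointing at: a credential table stored as plaintext beside the same table stored with a per-user salt and a stretched hash. This is example code, not Shadi.com's or LeakedSource's; the record layout, accounts and work factor are assumed.

```python
"""Plaintext credential storage beside a salted, stretched alternative.

Added example; not Shadi.com's or LeakedSource's code. Accounts, passwords
and the PBKDF2 work factor below are constructed/assumed values.
"""
import hashlib
import hmac
import os

# --- What the breach described above implies: a table of (email, password) ---
plaintext_store = {}


def plaintext_register(email, password):
    # A dump of this dict *is* every user's password.
    plaintext_store[email] = password


def plaintext_login(email, password):
    return plaintext_store.get(email) == password


# --- Hardened form: random per-user salt + PBKDF2-HMAC-SHA256 stretching ---
ITERATIONS = 200_000  # assumed work factor; tune for your hardware
hashed_store = {}


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def secure_register(email, password):
    salt = os.urandom(16)
    hashed_store[email] = {
        "salt": salt,
        "iter": ITERATIONS,  # stored so the factor can be raised later
        "hash": hash_password(password, salt),
    }


def secure_login(email, password):
    rec = hashed_store.get(email)
    if rec is None:
        # Do the same work for unknown users so response time does not
        # reveal which email addresses have accounts.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, rec["salt"], rec["iter"])
    return hmac.compare_digest(candidate, rec["hash"])


def stored_secrets(store):
    """What a copy of the table reveals: raw passwords, or only hash digests."""
    return [rec if isinstance(rec, str) else rec["hash"].hex() for rec in store.values()]


if __name__ == "__main__":
    plaintext_register("a@example.com", "correct horse")
    secure_register("a@example.com", "correct horse")
    print("plaintext dump:", stored_secrets(plaintext_store))
    print("hashed dump:   ", stored_secrets(hashed_store))
```

Two users with the same password get different stored hashes because each has its own salt, and a dump of the hardened table yields only digests that must be attacked one guess at a time at the stored work factor, which is exactly what the 2,035,020 plaintext records above did not require.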
Should you expect your data to be kidnapped and held for
ransom?
I hate it when I tweet something but forget to post it. In today’s installment of “Smacking Myself in the Forehead,” I remember to tell readers that HHS has issued a new guidance on ransomware and HIPAA.
A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).[1] Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data. However, there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack. This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
You can find the guidance here (pdf).
A few points of note about the guidance:
While the question as to whether an incident is a reportable incident under HIPAA is fact-specific (see below), a ransomware incident is, undoubtedly, a security incident under HIPAA:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).
But do you need to report it under HIPAA? From the guidance:
A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.[6]
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Although this guidance does not address the question of whether HHS recommends paying any ransom, a previous interagency technical guidance does address this question:
There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
- Some victims who paid the demand have reported being targeted again by cyber actors.
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
Those are all valid points and concerns, as I acknowledged in another post this morning as to whether entities should pay ransom demands. But there’s a difference between your operations being affected and patient data being sold, so each case – and the consequences – need to be carefully considered.
Should we believe the politicians?
State health employees fired after giving data to lawmakers
HELENA, Mont. (AP) — Montana health officials fired two state employees for turning over personal information, including Social Security numbers, of scores of childcare providers to three state legislators, according to documents and interviews with people involved in the terminations.
… Hansen is contesting his firing through his union, he told the AP. He declined to answer questions about the data other than to say he turned it over after the legislators requested it from him.
Chris Gallus, an attorney for Burnett, R-Bozeman, disputed Hansen's account.
"He provided information that we did not request from him, and (the information) had already been disposed of before the department made any inquiry," Gallus said.
… Webb, R-Billings, said he told Opper in a phone call that the claims in Opper's letter were unfounded, but would not say whether he received information from the former state employee.
"I've got lots of information that is not public record from the department," Webb said. He declined to elaborate.
We were just waiting for the interest levels to go down.
John Ribeiro reports:
A Federal Aviation Administration reauthorization bill that was passed by the Senate on Wednesday excludes key privacy provisions, including a requirement that commercial and government users of drones disclose whether they collect personally identifiable information.
The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, next goes to President Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives.
Read more on Computerworld.
All (100%) of my students have SmartPhones.
From Quartz:
When it comes to privacy controls, we may now have too much of a good thing. Smartphone owners must now make more than 100 privacy decisions about how much data their apps can share on Apple’s iOS and Google’s Android operating systems. That number will only climb as privacy settings affect more of our devices and software.
[…]
Tired of waiting for the tech giants to fix the problem, Norman Sadeh’s team at Carnegie Mellon University developed a personal privacy assistant app powered by machine learning. The app learns your preferences by asking a few key questions about privacy, and a machine learning algorithm uses this data to group users into distinct profiles. The app can then make recommendations and give users a single dashboard to manage their data and privacy settings.
Interesting graphic.
The Economist – The data of the dark web
by Sabrina I. Pacifici on Jul 14, 2016
The data of the dark web, Jul 14th 2016, by THE DATA TEAM
“SINCE the launch of the Silk Road five years ago, dark-web markets have represented a shadowy and much-maligned corner of the internet. And the secretive nature of such sites makes them difficult to study. But last year a researcher using the pseudonym Gwern Branwen cast some light on them. Roughly once a week between December 2013 and July 2015, programmes he had written crawled 90-odd cryptomarkets, archiving a snapshot of each page. The Economist has extracted data from the resulting 1.5 terabytes of information for around 360,000 sales on Agora, Evolution and Silk Road 2. There are, inevitably, flaws in the data. Mr Branwen’s scrapes probably missed some deals….”
[From the article:
In total the deals were worth around $50m. Of those MDMA (ecstasy) sold the most by value while marijuana was the most popular single product, with around 38,000 sales. Legal drugs such as oxycodone and diazepam (Valium) were also popular. A third of sales did not belong in any of our categories: these included drug kit such as bongs, and drugs described in ways that buyers presumably understood, but we did not (Barney’s Farm; Pink Panther; Gorilla Glue).
Read our full analysis of dark-web markets, the price of online drugs and how competition is changing the narcotics industry here.
Why this blogger blogs.
Sounds very familiar to me.
Don’t ask me why I agreed. Maybe they caught me on an off-day. Maybe I thought it would give me a chance to reflect on where this site has been. I don’t know, as I usually avoid interviews. But I agreed to do an interview with John Norris of vpnMentor.com and you can read it all here.
My international students didn’t understand the argument.
Microsoft wins landmark appeal over seizure of foreign emails
A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
The 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan is a defeat for the U.S. Department of Justice and a victory for privacy advocates and for technology companies offering cloud computing and other services around the world.
Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law.
… Thursday's decision reversed a July 2014 ruling by then-Chief Judge Loretta Preska of U.S. district court in Manhattan requiring Microsoft to turn over the emails. It also voided a contempt finding against the company.
… The case is In re: Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, 2nd U.S. Circuit Court of Appeals, No. 14-2985.
(Related)
Why Microsoft's Victory in Irish Email Case Matters
…
It is an important ruling with major implications for international relations -- especially between the U.S. and Europe. It will make U.S. business conformance with the General Data Protection Regulation (GDPR) simpler, and make the Privacy Shield stronger.
… The court's decision does not mean that the government will never be able to obtain the information it seeks. The most likely outcome is that it will be forced to use the route it originally rejected as too slow and cumbersome: the use of a Mutual Legal Aid Treaty (MLAT) that will ensure judicial overview of the process.
(Related) On the other hand…
If you read the European Commission’s announcement on the EU-US Privacy Shield (summary here), you may have come away with a more positive impression of its protections than is actually warranted.
Here’s one of the critiques that have appeared in the past few days. Klint Finley reports:
Companies like Facebook and Google can continue transferring data from the European Union to their servers in the US under a new deal between the two governments that privacy advocates still say isn’t good enough.
[…]
Under the Privacy Shield, US companies will be able to “self-certify” that they follow the privacy principles outlined in the framework. The agreement establishes an “ombudsperson” in the US State Department who will address privacy-related questions and complaints from people in the EU.
Privacy advocates say those protections are inadequate and want to see the Privacy Shield quashed. The ombudsperson will have limited power to fix problems and won’t be all that independent since that person will report to the Secretary of State, argues Privacy International.
A game going viral. Accessing everything on your phone. People walking into traffic. What’s next?
All around the world, authorities are worrying about Pokemon Go
…
parallel to the near-global obsession have been the concerns of, well, grown-ups around the world worried about the app's effects. These include security flaws posed by the app itself, as well as myriad cases of robbers and other assailants exploiting the game's mechanics to lure unsuspecting victims.
Then, there's the simple issue of propriety.
In Washington, the Holocaust Museum and Arlington National Cemetery have been compelled to put out stern notices, requesting visitors to refrain from chasing around Pokemon while on the premises.
…
Police in the Belgian port city of Antwerp, for example, issued a warning about the potential dangers of pedestrians playing the game.
"Players will only have eyes for their screen, and so captivated will they be by the game that they may no longer be paying attention to the traffic,” the police said. They also warned of "criminals using the game as a means to hunt down victims and steal from them."
In some corners of the Muslim world, the reaction to the game took on a particular moral valence. Earlier this week, my colleague Sudarsan Raghavan blogged about the 2001 fatwa against the original Pokemon game, issued by an Egyptian cleric, who said the game taught children gambling through the use of "Masonic and Zionist symbols."
But now, the deputy chief of Cairo's Al-Azhar, the most important scholarly institution of Sunni Islam, has declared Pokemon Go to be as illicit as alcohol.
(Related) Wait until the ads start attracting players. Ronald McPoke?
Pokémon Gamers Could Soon be Flocking to McDonald's
…
“There is a second component to our business model at Niantic, which is this concept of sponsored locations,” John Hanke, Chief Executive of Niantic, the development team of Pokémon Go, told the Financial Times.
This component would draw Pokémon Go players to sponsored locations by making them gyms or Pokéstops -- and it looks as if that component is already in the works.
A 13-year-old student in Sydney, Australia, Manmeet Gill, decompiled the Android version of Pokémon Go and found a string that he believes indicates a sponsorship with McDonald's. The string hasn’t been activated for players yet.
“I found the string as I was scrolling through the metadata of the game,” Gill says. “It alludes to the McDonald’s stores being some kind of Pokémon store. It also says that it is a sponsorship.”
(Related) Just because…
The 5 Most Ridiculous Pokémon Go Stories of the Week
For my Data Management and IT Architecture students.
Gallup – Successful Predictive Analytics Demand a Data-Driven Workplace
by Sabrina I. Pacifici on Jul 14, 2016
- The global data push is stronger than ever
- Data-driven companies are more productive and profitable
- Leaders need to develop and sustain a data-driven culture
The data movement is growing exponentially, not only regarding the sheer quantity of data but also in the ways companies use data for strategic decision-making. International Data Corporation estimates that global data doubles in size every two years and that by 2020, it will reach over 44 trillion gigabytes — increasing tenfold from 2013. In tandem with the data explosion, a growing digital economy and advances in data science dramatically amplify the analytic value of big data. As a result, companies can better connect data for greater predictive power and high-impact insights. Business use of predictive analytics is on the rise because many companies recognize the competitive advantage that data and analytics can offer to their decision-making. According to one estimate, companies in the top third of their industry for data-driven decision-making are 5% more productive and 6% more profitable than their competitors. Predictive analytics enable leaders to make radical discoveries about their companies and dissect and solve complex business problems, thereby enabling better business strategies and performance….”
(Related) Again both classes should read this article!
7 Questions to Ask Before Your Next Digital Transformation
For my IT Architecture students. What kind of infrastructure allows you to run on any device, securely?
masterpass Aims To Take Commerce Anywhere
“Consumer expectations are changing, and they’re getting higher. Consumers don’t think about technology as technology; it just is,” said mastercard Chief Innovation Officer Garry Lyons at the unveiling of mastercard’s new digital payments strategy yesterday (July 14).
That strategy is one designed to enable commerce anywhere that a consumer and a connected device happen to be. And one that leverages mastercard’s global acceptance network to power issuer-branded digital payments credentials anywhere buyers and sellers want to do business, including the “yet-to-be-imagined” connected devices that sit on the edge of that network.
Including refrigerators.
My Computer Security students must decrypt the instructions for their encryption project. I’ll add this article just to amuse them.
Don’t Believe These 5 Myths About Encryption!
For my gaming students. Perhaps we could host a game creation contest?
How to Make a Video Game in a Week Using Buildbox
Buildbox is an all-in-one game-making tool and asset package that is designed to be user-friendly, even for people with no coding experience whatsoever. With it, games can be conceptualized, designed, and built in a matter of days or even hours.
I still want my students to create their own textbook. One of these looks like a viable tool!
Three Good Options for Creating eBooks in Your Web Browser
Creating a multimedia ebook can be a great way for students to showcase examples of their best work. Writing a multimedia ebook can also be a nice way for students to illustrate and or further explain portions of fiction and non-fiction stories that they compose. The following three platforms make it possible for students to create and publish multimedia ebooks in their web browsers.
Widbook is a platform designed to help people collaboratively create multimedia books. The service is part multimedia book authoring tool and part social network.