Monday, June 18, 2018

A sneak attack on SWIFT.
Banco de Chile admits losing $10 million in disk-wiping malware attack
Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24, shutting down bank operations. The hackers used a disk-wiping malware to cause the outage in order to distract attention from their original target – the SWIFT money transferring system.
According to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and linked to accounts based in Hong Kong.
“We found some strange transactions on the Swift system, and that’s when we realized that the virus wasn’t all of it, but fraud was being attempted,” he confirmed in an interview last week (translation).




Why is this so common in Chicago? Has it been like this since the time of Mrs. O’Leary’s cow?
If there is a Keystone Cops equivalent of a k-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.
Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.
It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.
Based on what was provided to DataBreaches.net by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students and parents’ information.
Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.
According to Creswell, the fields were in the following format:
First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building
The names are the student’s name, the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained. The field labeled “Building” contained a list of one or more types of selective schools: AC, Regional Gifted Centers, Classical.
Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.
But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.
So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard. And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.
To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. DataBreaches.net was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:
*File attachments:*
SEHS Confirmation Reminder.csv
This certainly appears to be the same scenario as the recent breach, and DataBreaches.net has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.
In a statement to DataBreaches.net, Creswell summarized parental frustration and fears:
We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.
CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.
This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?
As noted above, DataBreaches.net reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. DataBreaches.net also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:
In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?
and
Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.
No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.
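The failure mode described above (a roster linked from a notice instead of attached, on a host that asks for no login) turned into a pre-send check, as an added example written for this post rather than anything from CPS or Blackboard. The field catalog is the header quoted above; the file host, the notice text, the sample row and the fetch_anonymously hook are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Header fields from the CPS file as quoted in the post. Everything except
# "Building" identifies a specific student or parent (constructed catalog).
PII_FIELDS = {
    "First_Name", "Last_Name", "HomePhone", "WorkPhone", "MobilePhone",
    "SMSPhone", "EmailAddress", "ReferenceCode",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def pii_columns(file_text):
    """Return the header columns of a delimited file that carry personal data.
    Accepts comma-, tab- or space-separated headers."""
    header = file_text.splitlines()[0] if file_text.strip() else ""
    return [c for c in re.split(r"[,\t ]+", header.strip()) if c in PII_FIELDS]

def review_notice(body, fetch_anonymously):
    """Flag every link in an outbound notice whose target is readable with no
    login and whose header carries personal data. fetch_anonymously(url) is a
    hypothetical hook: it returns the text of an unauthenticated GET, or None
    when the host demands a login."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")          # drop sentence punctuation
        content = fetch_anonymously(url)
        if content is None:
            continue  # login required: not the failure mode being checked
        cols = pii_columns(content)
        if cols:
            name = urlparse(url).path.rsplit("/", 1)[-1]
            findings.append(f"{name}: readable without login, exposes {', '.join(cols)}")
    return findings

# Constructed sample: the notice links to the whole roster instead of attaching
# a per-family form; a dict stands in for the file host's responses.
SAMPLE_HOST = {
    "https://files.example.invalid/enroll/SEHS_Confirmation_Reminder.csv":
        "First_Name,Last_Name,HomePhone,WorkPhone,MobilePhone,SMSPhone,"
        "EmailAddress,ReferenceCode,Building\nAlex,Doe,555-0100,,,,a@x.invalid,"
        "12345678,AC",
    "https://files.example.invalid/enroll/how_to_rank_schools.pdf": "Step 1 ...",
}
SAMPLE_NOTICE = (
    "Dear parent, please review your options at "
    "https://files.example.invalid/enroll/SEHS_Confirmation_Reminder.csv and "
    "read https://files.example.invalid/enroll/how_to_rank_schools.pdf first."
)
fake_fetch = SAMPLE_HOST.get  # stands in for the real unauthenticated GET
```

Running review_notice(SAMPLE_NOTICE, fake_fetch) reports the roster link and the eight identifying columns it exposes, while the instructions PDF passes.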




So, now that we are free to react, how will they react to our reaction?
Pentagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict
The Pentagon has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups.
Until now, the Cyber Command has assumed a largely defensive posture, trying to counter attackers as they enter American networks. In the relatively few instances when it has gone on the offensive, particularly in trying to disrupt the online activities of the Islamic State and its recruiters in the past several years, the results have been mixed at best.
But in the spring, as the Pentagon elevated the command’s status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials.
… It is unclear how carefully the administration has weighed the various risks involved if the plan is acted on in classified operations. Adversaries like Russia, China and North Korea, all nuclear-armed states, have been behind major cyberattacks, and the United States has struggled with the question of how to avoid an unforeseen escalation as it wields its growing cyberarsenal.
Another complicating factor is that taking action against an adversary often requires surreptitiously operating in the networks of an ally, like Germany — a problem that often gave the Obama administration pause.




Sounds fluffy to this old auditor. Are we going to wait a year to find out if they have any impact?
Facebook quietly made a huge concession to shareholders as it aims to avoid another data disaster
… On Friday, Facebook quietly changed the name of its audit committee — which is chaired by former White House chief of staff Erskine Bowles — to the audit and risk oversight committee.
The committee's responsibilities have also been increased to encompass three major issues:
  1. It will review how Facebook "services can be used to facilitate harm or undermine public safety or the public interest." This could be read as a reference to fake news and election interference. [If that’s what they meant, that’s what they would have said. Bob]
  2. It will investigate Facebook's "privacy program" following the Cambridge Analytica, in which the accounts of 87 million users were compromised.
  3. Facebook's "cybersecurity risk exposures" will also be analysed by the committee.
Bowles' group of executives, which also include Marc Andreessen, Kenneth Chenault, and Jeffrey Zients, will conduct these reviews at least once a year.




Something my students might do.
Legal Analytics vs. Legal Research: What’s the Difference?
Law Technology Today: “Legal analytics involves mining data contained in case documents and docket entries, and then aggregating that data to provide previously unknowable insights into the behavior of the individuals (judges and lawyers), organizations (parties, courts, law firms), and the subjects of lawsuits (such as patents) that populate the litigation ecosystem. Litigators use legal analytics to reveal trends and patterns in past litigation that inform legal strategy and anticipate outcomes in current cases. While every litigator learns how to conduct legal research in law school, performs legal research on the job (or reviews research conducted by associates or staff), and applies the fruits of legal research to the facts of their cases, many may not yet have encountered legal analytics. Data-driven insights from legal analytics do not replace legal research or reasoning, or lawyers themselves. They are a supplement, both prior to and during litigation…”




If you don’t die on schedule, will they call for a “Terminator?”
Google Is Training Machines To Predict When A Patient Will Die
A woman with late-stage breast cancer came to a city hospital, fluids already flooding her lungs. She saw two doctors and got a radiology scan. The hospital's computers read her vital signs and estimated a 9.3 percent chance she would die during her stay.
Then came Google's turn. A new type of algorithm created by the company read up on the woman – 175,639 data points – and rendered its assessment of her death risk: 19.9 percent. She passed away in a matter of days. [So the correct number was 100%? Bob]
The harrowing account of the unidentified woman's death was published by Google in May in research highlighting the health-care potential of neural networks, a form of artificial intelligence software that's particularly good at using data to automatically learn and improve. Google had created a tool that could forecast a host of patient outcomes, including how long people may stay in hospitals, their odds of re-admission and chances they will soon die.
What impressed medical experts most was Google's ability to sift through data previously out of reach: notes buried in PDFs or scribbled on old charts. The neural net gobbled up all this unruly information then spat out predictions. And it did it far faster and more accurately than existing techniques. Google's system even showed which records led it to conclusions.




It turns out that the project in Software Architecture was rather timely after all. Perhaps Facebook will hire some of my students to point out the errors in their system?
A million Indians testing Whatsapp payments; what’s the feedback like?
Almost one million people in India are "testing" WhatsApp's payments service, and the company is working with the Indian government, NPCI and multiple banks to further expand the feature to more users, a company official said.
WhatsApp payment service, which rivals the likes of Paytm, has been in beta testing over the last few months.
… WhatsApp had received permission from NPCI to tie up with banks to facilitate financial transactions via Unified Payments Interface (UPI).
Paytm founder Vijay Shekhar Sharma had earlier this year alleged that WhatsApp's UPI payment platform has security risks for consumers and is not in compliance with the guidelines.
The Reserve Bank of India has mandated all payment system operators to ensure that data related to payments is stored only in India giving firms six months to comply with it.
… WhatsApp had stated that sensitive user data such as the last 6 digits of a debit card and UPI PIN is not stored at all.
While it admitted to using the infrastructure of Facebook for the service, it asserted that the parent firm does not use payment information for commercial purpose.




Another shot at Amazon?
Google places a $550 million bet on China's second-largest e-commerce player
… The two tech companies said they would work together to develop retail infrastructure that can better personalize the shopping experience and reduce friction in a number of markets, including Southeast Asia.
For its part, JD.com said it planned to make a selection of items available for sale in places like the U.S. and Europe through Google Shopping — a service that lets users search for products on e-commerce websites and compare prices between different sellers.
… At the same time, JD.com also teamed up with U.S. retail giant Walmart in the grocery business. Reports said Walmart opened a small high-tech supermarket in China where consumers can use smartphones to pay for items that are mostly available on its virtual store on online platform JD Daojia, an affiliate of JD.com.




This link could be handy since we no longer teach our students how to use PowerPoint.




Does this mean I will have to look at my students?
Huge Flipgrid News! - All Features Now Free
Flipgrid has been acquired by Microsoft. That's good news for the founders of Flipgrid and great news for all of us who enjoy using Flipgrid. As of this morning all Flipgrid features are now free for all users! If you are a person who paid for a Flipgrid Pro account, you'll be getting a prorated refund of your subscription.
Some of the features of Flipgrid that are now available to all users include:
  • Unlimited grids!
  • More time limit options
    • Set a time limit between fifteen seconds and five minutes.
  • Scheduled launch and freeze dates.
According to their statement, Flipgrid will continue to work on Chromebooks, iPads, iPhones, Android phones and tablets, and in the web browser on your Windows or Mac computer.
If you haven't tried Flipgrid, take a look at my video to see what it's all about.
… Flipgrid already supports Microsoft Teams.

