A sneak attack on SWIFT.
Banco de Chile admits losing $10 million in disk-wiping malware attack
Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24, shutting down bank operations. The hackers used a disk-wiping malware to cause the outage in order to distract attention from their original target – the SWIFT money transferring system.
…
According to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and linked to accounts based in Hong Kong.
“We found some strange transactions on the Swift
system, and that’s when we realized that the virus wasn’t all of
it, but fraud was being attempted,” he confirmed in an interview
last week (translation).
Why is this so common in Chicago? Has it been
like this since the time of Mrs. O’Leary’s cow?
If there is a Keystone Cops equivalent of a K-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.
Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.
It all started when Chicago Public Schools (CPS)
sent a letter to parents of students who were eligible to select
other schools for the 2018-2019 school year. The letter was intended
to instruct the parents how to review the schools that their child
was eligible for and how to indicate their choice.
Based on what was provided to DataBreaches.net by
Cassie Creswell, co-director of Raise Your Hand Action, a
Chicago-based public education advocacy group, it appears that
instead of the letter having an attachment, the letter (only)
contained a link to a file on Blackboard. That file contained 3,700
students’ and parents’ information. So every recipient who
clicked on the link in the email would have seen – and could have
downloaded – a file with thousands of students and parents’
information.
Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.
According to Creswell, the fields were in the following format:
First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building
The names are the student’s name, the phone
numbers and email are for the parent, and the reference code is the
child’s CPS student ID number, Creswell explained. The field
labeled “Building” contained a list of one or more types of
selective schools: AC, Regional Gifted Centers, Classical.
Frustratingly, it appeared that although CPS
fairly quickly realized that they had had a data breach, they didn’t
quite understand the nature of the breach. Initially, as their
notification letter suggested, they seemed to believe that parents
had actually received an attached file with 3,700 students’
information. Hence, they asked parents to basically “do the right
thing” and delete the attachment without looking at it.
But there was no attachment, and it took CPS more
than 4 hours to figure out that instead of asking parents to delete a
nonexistent attachment, they needed to remove the unsecured file from
Blackboard or otherwise lock it down.
So while CPS may have believed that they had
responded appropriately to the breach by asking parents to delete an
attached file, in actuality, the file remained where it had always
been – up on Blackboard. And any parents who hadn’t already
accessed that file when they first got an email from CPS might have
become curious and taken a look at the file in the more than 5 hours
it allegedly took CPS to actually secure the file.
To make matters even worse, there’s some
indication that this was not
the first time CPS had made this exact type of error.
DataBreaches.net was provided with a text copy of an email sent by
CPS on March 10, 2017 that contacted parents about selective
enrollment, and that supposedly contained an attachment, but actually
contained a link to a live file on Blackboard:
*File attachments:* SEHS Confirmation Reminder.csv
This certainly appears to be the same scenario as
the recent breach, and DataBreaches.net has reached out to CPS to ask
them to confirm or deny whether this was the same kind of breach.
In a statement to DataBreaches.net, Creswell
summarized parental frustration and fears:
We are deeply concerned about yet another
improper sharing incident of student data in Chicago Public Schools.
The district’s response to being notified of the breach was
especially concerning because (1) it was clear that they initially
didn’t understand how the data had been shared (on the web vs as an
email attachment), and it took hours for them to disable the web
site. And (2) this is at least the second time that they’ve made
this exact mistake.
CPS has a $950K contract with Blackboard
Connect, but it seems that they haven’t received either the
training or the support needed to properly use this product, one
which interfaces with their own Student Information System.
This is just an error that’s come to
light publicly; what else is happening that the parents and the
public don’t even see?
As noted above, DataBreaches.net reached out to
CPS to ask them to confirm or deny that this was the second time that
parents had been given a link to a file on Blackboard instead of
being provided an attached form to complete. DataBreaches.net also
posed two additional questions to Tony Howard, Executive Director,
CPS Office of Access and Enrollment:
In terms of the current/most recent
incident: Who determined that a file should be uploaded to Blackboard
and made available without any login required? Was that an executive
decision or did some hapless employee just screw up or….?
and
Is someone going to reconfigure
connect.blackboard to require at least a password to access files on
it? I’m concerned that someone could have uploaded a spreadsheet
with hundreds of thousands of student names, IDs, and medical or SpEd
information or other sensitive info.
No response was immediately received, but that is
not surprising on a weekend and holiday. This post will be updated
if a reply is received.
So, now that we are free to react, how will they
react to our reaction?
Pentagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict
The Pentagon has quietly empowered the United
States Cyber Command to take a far more aggressive approach to
defending the nation against cyberattacks, a shift in strategy that
could increase the risk of conflict with the foreign states that
sponsor malicious hacking groups.
Until now, the Cyber Command has assumed a largely
defensive posture, trying to counter attackers as they enter American
networks. In the relatively few instances when it has gone on the
offensive, particularly in trying to disrupt the online activities of
the Islamic State and its recruiters in the past several years, the
results have been mixed at best.
But in the spring, as the Pentagon elevated the
command’s status, it opened the door to nearly daily raids on
foreign networks, seeking to disable cyberweapons before they can be
unleashed, according to strategy documents and military and
intelligence officials.
… It is unclear how carefully the
administration has weighed the various risks involved if the plan is
acted on in classified operations. Adversaries like Russia, China
and North Korea, all nuclear-armed states, have been behind major
cyberattacks, and the United States has struggled with the question
of how to avoid an unforeseen escalation as it wields its growing
cyberarsenal.
Another complicating factor is that taking action
against an adversary often requires surreptitiously operating in the
networks of an ally, like Germany — a problem that often gave the
Obama administration pause.
Sounds fluffy to this old auditor. Are we going
to wait a year to find out if they have any impact?
Facebook quietly made a huge concession to shareholders as it aims to avoid another data disaster
… On Friday, Facebook quietly changed the name
of its audit committee — which is chaired by former White House
chief of staff Erskine Bowles — to the audit and risk oversight
committee.
The committee's responsibilities have also been
increased to encompass three major issues:
- It will review how Facebook "services can be used to facilitate harm or undermine public safety or the public interest." This could be read as a reference to fake news and election interference. [If that’s what they meant, that’s what they would have said. Bob]
- It will investigate Facebook's "privacy program" following the Cambridge Analytica, in which the accounts of 87 million users were compromised.
- Facebook's "cybersecurity risk exposures" will also be analysed by the committee.
Bowles' group of executives, which also includes Marc Andreessen, Kenneth Chenault, and Jeffrey Zients, will conduct these reviews at least once a year.
Something my students might do.
Legal Analytics vs. Legal Research: What’s the Difference?
Law Technology Today: “Legal analytics involves mining data
contained in case documents and docket entries, and then aggregating
that data to provide previously unknowable insights into the behavior
of the individuals (judges and lawyers), organizations (parties,
courts, law firms), and the subjects of lawsuits (such as patents)
that populate the litigation ecosystem. Litigators use legal
analytics to reveal trends and patterns in past litigation that
inform legal strategy and anticipate outcomes in current cases.
While every litigator learns how to conduct legal research in law
school, performs legal research on the job (or reviews research
conducted by associates or staff), and applies the fruits of legal
research to the facts of their cases, many may not yet have
encountered legal analytics. Data-driven insights from legal
analytics do not replace legal research or reasoning, or lawyers
themselves. They are a supplement, both prior to and during
litigation…”
If you don’t die on schedule, will they call for
a “Terminator?”
Google Is Training Machines To Predict When A Patient Will Die
A woman with late-stage breast cancer came to a
city hospital, fluids already flooding her lungs. She saw two
doctors and got a radiology scan. The hospital's computers read her
vital signs and estimated a 9.3 percent chance she would die during
her stay.
Then came Google's turn. A new type of algorithm
created by the company read up on the woman – 175,639 data points –
and rendered its assessment of her death risk: 19.9 percent. She
passed away in a matter of days. [So
the correct number was 100%? Bob]
The harrowing account of the unidentified woman's
death was published by Google in May in research highlighting the
health-care potential of neural networks, a form of artificial
intelligence software that's particularly good at using data to
automatically learn and improve. Google had created a tool that
could forecast a host of patient outcomes, including how long people
may stay in hospitals, their odds of re-admission and chances they
will soon die.
What impressed medical experts most was Google's
ability to sift through data previously out of reach: notes buried in
PDFs or scribbled on old charts. The neural net gobbled up all this
unruly information then spat out predictions. And it did it far
faster and more accurately than existing techniques. Google's system
even showed which records led it to conclusions.
It turns out that the project in Software
Architecture was rather timely after all. Perhaps Facebook will hire
some of my students to point out the errors in their system?
A million Indians testing WhatsApp payments; what's the feedback like?
Almost one million people in India are "testing"
WhatsApp's payments service, and the company is working with the
Indian government,
NPCI
and multiple banks to further expand the feature to more users, a
company official said.
WhatsApp payment service, which rivals the likes of Paytm, has been in beta testing over the last few months.
… WhatsApp had received permission from NPCI to tie up with banks to facilitate financial transactions via Unified Payments Interface (UPI).
Paytm founder Vijay Shekhar Sharma had earlier this year alleged that WhatsApp's UPI payment platform has security risks for consumers and is not in compliance with the guidelines.
The Reserve Bank of India has mandated all payment
system operators to ensure that data related to payments is stored
only in India giving firms six months to comply with it.
… WhatsApp had stated that sensitive user data
such as the last 6 digits of a debit card and UPI PIN is not stored
at all.
While it admitted to using the infrastructure of Facebook for the service, it asserted that the parent firm does not use payment information for commercial purpose.
Another shot at Amazon?
Google places a $550 million bet on China's second-largest e-commerce player
… The two tech companies said they would work
together to develop retail infrastructure that can better personalize
the shopping experience and reduce friction in a number of markets,
including Southeast Asia.
For its part, JD.com said it planned to make a
selection of items available for sale in places like the U.S. and
Europe through Google Shopping — a service that lets users search
for products on e-commerce websites and compare prices between
different sellers.
… At the same time, JD.com also teamed up with
U.S. retail giant Walmart in the grocery business.
Reports said Walmart opened a small high-tech supermarket in China where consumers can use smartphones to pay for items that are mostly available on its virtual store on online platform JD Daojia, an affiliate of JD.com.
This link could be handy since we no longer teach
our students how to use PowerPoint.
Does this mean I will have to look at my students?
Huge Flipgrid News! - All Features Now Free
Flipgrid has been acquired by Microsoft. That's good news for the founders of Flipgrid and great news for all of us who enjoy using Flipgrid. As of this morning all Flipgrid features are now free for all users! If you are a person who paid for a Flipgrid Pro account, you'll be getting a prorated refund of your subscription.
Some of the features of Flipgrid that are now
available to all users include:
According to their statement, Flipgrid will continue to work on Chromebooks, iPads, iPhones, Android phones and tablets, and in the web browser on your Windows or Mac computer.
If you haven't tried Flipgrid, take a look at my video to see what it's all about.