Saturday, December 01, 2018

They will know where you are, who you communicate with and probably what you say. Sort of like all the current WiFi services.
Chinese firm's plan for free Wi-Fi worldwide may trigger security concerns
A Chinese technology firm's plan to provide free Wi-Fi service worldwide through an ambitious constellation of satellites has the potential to trigger security concerns in many countries.
Shanghai-based LinkSure Network, which specialises in mobile internet connectivity, unveiled the first of the 272 satellites that it plans to send to space earlier this week.
… The security concerns from the free Wi-Fi plan are heightened by China's plans to put in place a navigational satellite system rivalling US GPS.
… Some global technology giants like Google, SpaceX, OneWeb and Telesat have already announced similar projects to use satellites to provide free internet access.




Something to stir up discussion.
Elie Mystal writes:
Like many people of a certain age, I fear inviting an Amazon Cylon into my home to record my every move simply because I’m too lazy to turn on my stereo. Unlike most people, I have sound legal reasons for distrusting Alexa that buttress my irrational fears of robots.
I do not want a voice-activated recording device in my home, because I do not know what the state might do with that information.
To justify his reluctance (and he certainly doesn’t need to justify it to me, because I’m already there), Mystal cites a New Hampshire case previously mentioned on this blog:
Strafford County Superior Court Justice Steven M. Houran ordered Amazon to turn over recordings that may have captured the death of two women, and implicated Timothy Verrill, a suspect charged in their deaths.
The order was made on probable cause grounds, which has some legal analysts concerned. From Legal Tech news:
Andrew Ferguson, who teaches law at the University of the District of Columbia, explained that Internet of Things (IoT) enabled evidence “presents hard decisions for judges because analog rules do not necessarily make sense in a digital world.”
“In essence, the judge conflated probable cause, that a crime occurred with probable cause, that evidence of that crime will be on the device. This is both understandable, because judges have routinely granted such warrants for homes or cars or computers, but also probably a stretch if you think about what the probable cause standard should be,” Ferguson said.
However, he warned, just because a crime has been committed does not mean that all the smart devices associated with the suspects should be searched because of the possibility of helpful evidence. “I think the judge’s court order fails to understand exactly how Amazon Echos work, and is based on a hope for possible evidence as opposed to a reasonable certainty that incriminating evidence will be found.”
Read more on Above the Law.




Who thinks terrorists are idiots? Have we ever (will we ever) capture a real terrorist because they declare their intent on a customs form?
US Customs Form Asks, ‘Are You A Terrorist?’ — 70-Year Old Grandpa May Get Blacklisted For Mistakenly Saying Yes
A 70-year-old Scottish man may be barred from entering the United States on an upcoming vacation because he mistakenly answered yes to a customs form asking whether he was a terrorist.
Which begs the question of why the hell an actual terrorist would answer yes to such a question, but I digress.
… Stevenson isn’t the first to mess up the online form. Last month, a Scottish woman accidentally answered yes to the ESTA question, “Do you seek to engage in or have you ever engaged in terrorist activities, espionage, sabotage, or genocide?,” according to BBC.
Stevenson did try calling to get it fixed to no avail. He has one shot at correcting the record by making an appointment at the U.S. Embassy in London before his trip.




Looks like the numbers of my international students will go up.
H-1B visa shift may favor tech companies
The Trump administration proposed a change to the H-1B program Friday that could make it harder for Indian outsourcing firms to hire workers from overseas, while helping large Bay Area tech companies bring highly skilled foreigners to their headquarters.
The rule change tinkers with the lottery that determines who gets the 85,000 H-1B visas granted to for-profit companies every year.
Currently, a person with a master’s or doctoral degree from an American college or university has better odds of receiving a visa, because they’re eligible for a lottery just for people with U.S. advanced degrees that gives out 20,000 H-1B visas. If they miss their shot, they continue on to a lottery for the remaining 65,000 slots, for which individuals with either graduate or undergraduate degrees are eligible.
The Department of Homeland Security wants to switch the order of these lotteries, it said in a notice of the proposed rule change, which would — somewhat counterintuitively — improve the odds for those highly educated workers.
Changing the order would mean more highly skilled workers would compete for the same number of visas, reducing the likelihood that people without advanced degrees win in the general lottery. Those who studied in the United States and are more likely to be brought on at high-tech companies would still have a second chance in the smaller lottery dedicated to U.S. advanced degree holders.


Friday, November 30, 2018

Clearly security is not a top priority.
Marriott says data breach compromised info of up to 500 million guests
Marriott International said Friday that up to 500 million guests' information may have been accessed as part of a breach of its Starwood guest reservation database, potentially one of the largest breaches of consumer data ever.
The world's largest hotel chain said it first received an alert in September from an internal security tool of an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014 and that an "unauthorized party" had copied and encrypted information.
Marriott said it determined on Nov. 19 that the information was from its Starwood database.
… For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out the information may have been decoded.
… The company also revealed the breach in a filing with the Securities and Exchange Commission, saying it did not expect the breach to hurt its business.


(Related) But considerably smaller…
Catalin Cimpanu reports:
As security experts predicted since last year, ElasticSearch servers – a technology for powering search functions – are becoming the next big source of massive data leaks.
The latest company to be added to the list of breach incidents caused by an exposed ElasticSearch server is Sky Brasil, one of the biggest subscription television services in Brazil.
For at least a week, and possibly more, Sky Brasil has left an ElasticSearch server exposed on the Internet without a password, ZDNet has learned from Fabio Castro, a security researcher based in Brazil.
Read more on ZDNet.




Far less than a GDPR.
Amendments to data breach notification law in Colorado impact HIPAA-regulated entities
Passed during the 2018 state legislative session, House Bill 18-1128 went into effect on Sept. 1, changing Colorado’s law on the protection of personally identifying information and the procedure businesses must follow when that information is breached.
Although the changes to the law are relatively extensive, HIPAA-regulated entities are exempted from most of these changes.
The new law contains a “deemed compliance” provision stating that most HIPAA-regulated entities who comply with HIPAA’s rules and regulations are deemed also to be in compliance with the state law, with two important exceptions:
  1. HIPAA-regulated entities still must provide notice to individuals affected by a breach within 30 days.
  2. In certain circumstances, HIPAA-regulated entities must provide notice of a breach to the Colorado attorney general.




Kind of a backgrounder.
The Privacy Paradox Could Determine the Next Evolution of Privacy Regulation
… Prior to Buttarelli’s speech, the Privacy Paradox was generally defined as the fundamental inconsistency between people’s stated beliefs and intentions about privacy and their actual behaviors. In other words, it is the paradox of wanting privacy but behaving as if it didn’t matter. Thus, while people may have a deep distrust and uneasiness about granting Facebook and Google so many insights into their daily lives via a constant stream of data, they generally are willing to click any boxes or agree to any terms of service, as long as they can continue to use the service.
In thinking about the Privacy Paradox, most researchers fall into either one of two camps: either they believe that consumers are rational thinkers who perform a sort of cost-benefit analysis in order to determine what is the price they are willing to pay to give away their data, or they believe that consumers are filled with inconsistencies and biases and are largely inaccurate when coming up with the true price of their personal data.
… As Buttarelli also pointed out in his ICDPPC speech, people did not think about ethics when drafting the European General Data Protection Regulation (GDPR), and did not debate the various ways that morality or moral obligations should influence the actions of governments.
… What’s more, says Buttarelli, the next evolution of data privacy regulation must take into account scenarios involving privacy that today might be regarded as futuristic. For example, should humanoid robots also have a right to privacy? When machines instead of humans are doing the sentencing of criminals (a process that Buttarelli refers to as “algorithmic sentencing”), what data should be allowed in their decision-making processes?




What an interesting idea. I wonder why the CIA didn’t think of it first.
Is WikiLeaks a Russian Front?
Consider the ramifications of this article, via The Atlantic – The idea that the putative transparency group served as a connection between Moscow and the president’s associates is starting to become clearer – if it proves to be an accurate appraisal of an increasingly expanding potential exposure of corruption and malfeasance perpetrated by public and private citizens and groups around the world.
“Barely two years later, the idea of WikiLeaks serving as a medium for Russia to boost the Trump campaign seems more and more plausible—even likely. For some time, there has been substantial evidence of Russia’s involvement in attempts to influence the 2016 presidential election and to hurt the Democrat Hillary Clinton’s presidential bid, from an elaborate trolling and Astroturfing operation to simple theft of emails and hacking. Until recently, the connection between those Russian efforts and Trump allies has remained somewhat obscure and speculative. But recent developments have started to flesh out the picture. Russia used WikiLeaks as a conduit—witting or unwitting—and WikiLeaks, in turn, appears to have been in touch with Trump allies. The key remaining questions are what WikiLeaks knew and what Trump himself knew.
According to a draft document from Special Counsel Robert Mueller’s team, which is investigating Russian interference in the election, the conservative author Jerome Corsi tipped off Roger Stone, a Trump friend and former political adviser, that WikiLeaks would release a tranche of emails hacked from Clinton campaign chairman John Podesta. The tip came in August, weeks before the October release. Corsi provided the document to NBC News and then several other news organizations. As per his practice, Mueller has not commented…”




I get the feeling they are looking for something to support a new definition of monopoly.
Amazon Under Fire in Europe as Germany Adds Antitrust Probe
Amazon.com Inc.’s "double role" as Germany’s largest retailer and biggest online host for smaller stores is the target of an antitrust probe into the terms the company sets for other sellers, the German Federal Cartel Office said.
The investigation into Amazon’s biggest market outside the U.S. adds to European Union scrutiny of whether the company gathers information on rival sellers’ successes to help launch its own products. German regulators said they’d received "numerous" complaints from sellers.


Thursday, November 29, 2018

An all too common error. This happens when you follow “Worst Practices.” Or, more likely, “No Practices.”
Catalin Cimpanu reports:
An ElasticSearch server that was left open on the Internet without a password has leaked the personal information of nearly 57 million Americans for almost two weeks, ZDNet has learned.
The leaky server was spotted by Bob Diachenko, Director of Cyber Risk Research for cyber-security firm Hacken, during a regular security audit of unsecured servers indexed by the Shodan search engine.
Read more on ZDNet.




What makes these scams worth the effort? 6% of victims pay up!
That Virus Alert on Your Computer? Scammers in India May Be Behind It
You know the messages. They pop up on your computer screen with ominous warnings like, “Your computer has been infected with a virus. Call our toll-free number immediately for help.”
… Most people ignore these entreaties, which are invariably scams. But one in five recipients actually talks to the fake tech-support centers, and 6 percent ultimately pay the operators to “fix” the nonexistent problem, according to recent consumer surveys by Microsoft.




As one of the lawyers at a recent Privacy Foundation seminar quipped, “The EU took seven years to write the GDPR. California took seven days.” It shows.
FPF and DataGuidance Comparison Guide: GDPR vs. CCPA
The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
… As highlighted by this Guide, the two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.
However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.


(Related) Another way to measure the significance of the GDPR.
UK fine against Uber for 2016 data breach would be 200 times bigger in 2018
Uber’s widely publicized data leak from two years ago has finally resulted in a fine from the UK Information Commissioner’s Office. The penalty would have been 203 times the amount if the leak had occurred this year, after the GDPR era took effect in May.
“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack,” reads the announcement. In US dollars, that figure translates into around $492,000.




I admit that I never understood James Joyce. Perhaps this will help?
Understanding Great Works: a new research tool on JSTOR
“Understanding Great Works (Beta) is a free research tool from JSTOR Labs that fosters student engagement with classic literature by connecting passages in primary texts with journal articles and book chapters on JSTOR that cite those lines. Building on the success of the Understanding Shakespeare tool, Understanding Great Works encompasses several key works of British literature such as Frankenstein and Pride and Prejudice, the King James Bible, as well as all Shakespeare sonnets and plays. These initial texts have been selected in collaboration with Studies in English Literature and JSTOR Labs plans to add new ones monthly; we invite you to vote for the texts you’d like to see next. Understanding Great Works is a powerful starting point for research within the primary source; the tool makes it easy to find academic analysis for literary texts and encourages close reading. The literary texts are open access on JSTOR, but an institutional or individual access account may be required to view the full text of the linked journal articles and book chapters.
Understanding Great Works is integrated on the JSTOR platform and easily accessible from the “Tools” menu on the top of each page. The tool is being released in a beta status, which indicates that the tool is publicly available but we are actively testing and updating the features. A companion LibGuide is also available. If you experience any problems with the site or have feedback, we encourage you to contact us at labs@jstor.org.”




Not really ‘anything,’ but lots of things. Tools for my students.




Other useful stuff.


Wednesday, November 28, 2018

Imagine what a criminal-minded AI could have done!
Hackers Made Millions Using Infected PCs in Click Fraud Scheme
On Tuesday, the US Justice Department and Google announced they had shut down the click fraud operation, which was raking in tens of millions of dollars for the hackers behind it.
Dubbed "3ve" (pronounced Eve), the click fraud involved cybercriminals taking over Windows PCs, and secretly automating them to visit certain websites to generate the fake clicks over online ads. The operation was so large that 3ve was able to produce between 3 billion and 12 billion ad clicks per day.
… Kovter was spread via spam email attachments and compromised websites, which tricked victims into downloading fake Chrome, Firefox and Flash updates. An estimated 700,000 Windows computers were actively infected at any given time by the malware.
… In a white paper, both companies wrote that 3ve was "one of the most widespread ad fraud operations ever uncovered." To pull in more revenue, the hackers created thousands of counterfeit webpages of popular domains. Infected computers would then download the fabricated webpages, and engage in the click fraud.
Doing this allowed the hackers to fool advertisers into thinking their ads had been served on the top websites. According to the Justice Department, the scheme was so successful it forced businesses to pay more than $29 million for ads that were never viewed by real human users.




This could be really interesting.
Sensitive Facebook documents could be published 'within the next week'
… The documents may contain evidence that Facebook knew about the issue as early as 2014.
Parliament seized the documents over the weekend from the founder of app development company Six4Three while he was visiting London.
… A California court, which has had the same documents under seal in the US, has asked Facebook to reassert this week why they should remain sealed.




Auditing is my field. It is good to see Harvard catching up.
… For example, the EU’s General Data Protection Regulation (GDPR) requires that organizations be able to explain their algorithmic decisions. The city of New York recently assembled a task force to study possible biases in algorithmic decision systems. It is reasonable to anticipate that emerging regulations might be met with market pull for services involving algorithmic accountability.
… An auditor should ask other questions, too: Is the algorithm suitably transparent to end-users? Is it likely to be used in a socially acceptable way? Might it produce undesirable psychological effects or inadvertently exploit natural human frailties? Is the algorithm being used for a deceptive purpose? Is there evidence of internal bias or incompetence in its design? Is it adequately reporting how it arrives at its recommendations and indicating its level of confidence?


(Related)
Joe Cadillic writes:
BriefCam’s “Transforming Video into Actionable Intelligence” allows law enforcement and retailers to secretly identify people by their gender, body size, color, direction, speed and more.
BriefCam’s Video Synopsis version V allows police and retail stores to use surveillance cameras to identify individuals and cars in real-time.
“BriefCam is the industry’s leading provider of Video Synopsis® solutions for rapid video review and search, real-time alerting and quantitative video insights. By transforming raw video into actionable intelligence.”
What is really disturbing about the video is that no one knows where it is being used and by whom. BriefCam’s limited disclosures claim it is being used by top law enforcement agencies and governments, but that’s it.
Read more on MassPrivateI.




Perspective.
The future of the internet is Indian
… As the world's second-largest online population, Indians are bound to have an outsized influence, says Kant. And unlike Chinese internet users, they're using global platforms.
"The largest number of citizens on Twitter will be Indians, the largest number of citizens on Facebook will be Indian," he said.
A Bollywood music label, T-Series, could soon have more subscribers on YouTube than any channel in the world.




Scooter franchises?
For a small fee, entrepreneurs can now manage their own fleet of Bird e-scooters
Bird announced today that it will sell its electric scooters to entrepreneurs and small business owners, who can then rent them out as part of a new service called Bird Platform.
The company will provide the independent operators with scooters, which they are given free rein to brand as they please, as well as access to the company’s marketplace of chargers and mechanics, in exchange for 20 percent of the cost of each ride.


Tuesday, November 27, 2018

Even when the difference is (one more) zero, bad things can happen.
Texas ATM mistakenly dispenses $100 bills instead of $10s
An ATM in the Houston area has been shut down and was temporarily guarded by law officers after mistakenly dispensing $100 bills instead of $10s and word of the glitch got out on social media.
… A bank statement Monday says a vendor incorrectly loaded $100 bills in place of $10 bills. Bank of America also says customers will be able to keep the additional dispensed money.




Russia is taking bits of the GDPR. Not the Privacy bits, but the “fine based on revenue” bit.
Russia opens civil case against Google over search results
Russia has launched a civil case against Google, accusing it of failing to comply with a legal requirement to remove certain entries from its search results, the country’s communications watchdog said on Monday.
… It said Google had not joined a state registry that lists banned websites that Moscow believes contain illegal information and was therefore in breach of the law.
… Three sources familiar with the matter told Reuters on Monday that Russia planned to impose stiffer fines on technology firms that fail to comply with Russian laws.
The plans for harsher fines are contained in a consultation document prepared by the administration of President Vladimir Putin and sent to industry players for feedback.
The legislation, if it goes ahead, would hit global tech giants such as Facebook and Google, which, if found to have breached rules, could face fines equal to 1 percent of their annual revenue in Russia, according to the sources.




A student backgrounder infographic. (Right Click, Save Image As)
Over on MassPrivateI, Joe Cadillic has posted a depressing infographic from SecurityBaron that we should look at.




Perspective.
Why American auto companies no longer want to sell actual cars
… The Big Three automakers — which include GM, along with Ford and Fiat Chrysler — are all moving toward larger vehicles in the U.S. because they bring larger profits. And to help the growing trend of SUV and pickup sales, gas prices are low.
“You know, carmakers always say they build what people want. But they never mention the fact that they spend billions to tell them what they want," Dan Neil, an automotive columnist for the Wall Street Journal, told Marketplace earlier this year.

Ford

Ford announced earlier this year that it plans to stop selling most of the cars it manufactures, and will "transition" to only two vehicles in North America: its Mustang and a new Focus Active crossover set to come out next year.
General Motors
GM said that it will discontinue U.S. production of the Chevrolet Volt, Cruze and Impala, along with the Buick LaCrosse, the Cadillac XTS and the Cadillac CT6, which has only been on sale in the U.S. since 2016. (However, production and sales of the CT6 will continue in China.)
Fiat Chrysler
Fiat Chrysler already announced plans to end its car production in the U.S. back in 2016.
It ceased the production of its Chrysler 200 and Dodge Dart cars, the only two cars it made in the U.S., with the goal of focusing on pickups and SUVs for its Ram and Jeep brands.




Always something new to learn.
Amazon makes its machine learning courses available for free
Amazon announced today that it’s making its range of machine learning courses available to all developers signed up to its AWS platform for free.
… Aside from this course for folks interested in ML, Amazon also released a tool last year called SageMaker to help developers build and deploy machine learning applications more easily.
Looking for more? Amazon’s cloud competitor, Google, partnered with Coursera to launch a free crash course and a paid specialization course on machine learning recently. Microsoft also has a similar paid program to train developers on the topic.
You can check out all of Amazon’s machine learning courses here.


Monday, November 26, 2018

GDPR will clearly mess with a lot of statistics.
Telecompaper reports:
The Belgian Data Protection Authority reported a sharp increase in the number of data breaches reported to the regulator since the EU’s General Data Protection Regulation took effect in May, at 317 compared to 13 in 2017. The health, insurance, government, telecom and financial sectors were the top sources of the notifications.
The regulator said the increase is due to the notification obligation being extended to all sectors, compared to only telecoms before the GDPR took effect.
Read more on Telecompaper.


(Related)
Hunton writes:
On November 19, 2018, The Register reported that the UK Information Commissioner’s Office (“ICO”) issued a warning to the U.S.-based The Washington Post over its approach to obtaining consent for cookies to access the service.
The Washington Post presents readers with three options to access its service: (1) free access to a limited number of articles dependent on consent to the use of cookies and tracking for the delivery of personalized ads; (2) a basic subscription consisting of paid access to an unlimited number of articles that is also dependent on consent to the use of cookies and tracking; or (3) a premium subscription consisting of paid access to an unlimited number of articles with no on-site advertising or third party ad tracking for a higher fee.
[From the article:
Responding to a complaint submitted by a reader of The Register, the ICO concluded that since The Washington Post has not offered a free alternative to accepting cookies, consent cannot be freely given and the newspaper is in contravention of Article 7(4) of the EU General Data Protection Regulation (“GDPR”).
… The ICO has issued a written warning to The Washington Post to ensure access to all three subscription levels without users having to consent to the use of cookies.




You have to look carefully for evidence that ‘someone’ was messing with the 2018 elections.
The problem with social media has never been about bots. It’s always been about business models
Quartz – “Researchers have found that as many as 15% of Twitter accounts are bots, which drive two-thirds of the links on the site. But not all bots are bad. There are bots that make the internet more beautiful, more useful, even kinder. Here at Quartz, we have a whole department dedicated to making informative newsbots. The issue is not that automated accounts exist; it’s that they can be—and have been—weaponized.
“In the run-up to the 2018 midterms, bots were used to disenfranchise voters, harass activists, and attack journalists,” says Sam Woolley, the director of the digital lab at the Institute for the Future. “But at a fundamental level, Facebook and Twitter are dis-incentivized from doing anything about it.” The problem with social media always comes back to business models. Platforms have never had an incentive to punish accounts that worsen the experience for so many of their users; it’s just that—until recently—they didn’t have a strong enough incentive to eradicate the bad behavior either…”




Something to share with my students.
Framing Algorithms – Competition Law and (Other) Regulatory Tools
Picht, Peter Georg and Loderer, Gaspare, Framing Algorithms – Competition Law and (Other) Regulatory Tools (October 30, 2018). Max Planck Institute for Innovation & Competition Research Paper No. 18-24. Available at SSRN: https://ssrn.com/abstract=3275198 or http://dx.doi.org/10.2139/ssrn.3275198
“As other fields of law, competition law is put to the test by new technologies in general and algorithmic market activity in particular. This paper takes a holistic approach by looking at areas of law, namely financial regulation and data protection, which have already put in place rules and procedures to deal with issues arising from algorithms. Before making the bridge and assessing whether the application of any such tool might be fruitful for competition law, the paper discusses important competition cases regarding algorithms, including the Google Shopping, Lufthansa and Facebook case. It concludes with some policy recommendations.”
[From the Introduction:
Success in creating AI would be the biggest event in human history. Unfortunately, it may also be the last, unless we learn how to avoid the risks.
Two pricing algorithms, competing to sell a genetics textbook, strategized their interaction so ‘cleverly’ that they ended up – not quite – selling the book for USD 23 million a copy.




What? You thought no one would ever do this?
Genome-edited baby claim provokes international outcry
A Chinese scientist claims that he has helped make the world's first genome-edited babies — twin girls who were born this month. The announcement has provoked shock, and some outrage, among scientists around the world.
He Jiankui, a genome-editing researcher from the Southern University of Science and Technology of China in Shenzhen, says that he implanted into a woman an embryo that had been edited to disable the genetic pathway that allows a cell to be infected with HIV.




No doubt Putin expects his pal Trump to treat this like the Khashoggi killing. If you deny that it happened, you don’t have to do anything about it.
Tension escalates after Russia seizes Ukraine naval ships
Russia has fired on and seized three Ukrainian naval vessels off the Crimean Peninsula in a major escalation of tensions between the two countries.


Sunday, November 25, 2018

What would happen if the hackers attacked all the hospitals in a given area? How far can emergency patients be transported for care? How would you move all intensive care patients?
Linda Comins of The Intelligencer is reporting:
Emergency squad patients are being diverted away from Ohio Valley Medical Center and East Ohio Regional Hospital this weekend because the hospitals’ computer system has been attacked by Ransomware.
Karin Janiszewski, director of marketing and public relations for OVMC and EORH, confirmed Saturday afternoon that a Ransomware attack had occurred. The incident began Friday night.
Read more on The Intelligencer.




What procedure 1) would have prevented this, and 2) should have been spelled out in the contract?
Bill Dolan reports:
The Lake Ridge School Corp. has had another financial setback only weeks after voters declined to provide more tax revenue to the struggling institution.
The school district recently lost a legal battle with a New York bank to recover more than $120,000 stolen two years ago by an offshore computer hacker.
School Superintendent Sharon Johnson-Shirley said this week she still believes Bank of New York Mellon should have reimbursed the school district.
However, U.S. District Court Judge Theresa Springmann dismissed her lawsuit against the bank, ruling earlier this month that the bank cannot be held responsible under its contract with the school corporation.
Read more on NWI Times.
[From the article:
The fraud occurred Oct. 12, 2016, when the bank's employees followed instructions contained in what they thought was a legitimate email from the school district to pay $120,882 to several people listed as project contractors.
Court documents filed by the bank state they later discovered, "the pay affidavit was fraudulent and had been submitted by someone who had allegedly hacked into (a school official's) email while she was on vacation." [I wonder if they learned about that on social media? Bob]
"It was wire fraud from overseas," Johnson-Shirley said. "The FBI said it had to do with someone in Africa somewhere."
… She said the school district since has put security measures in place to prevent future hacking incidents. [Barn door. Horse. Bob]




It might be worth gathering ‘Best Practices’ in order to teach a class on GDPR breach responses to my Computer Security masters students.
Here’s a more detailed analysis of the GDPR fine of 20,000€ levied against a German flirting site, knuddels.de. Dr. Henrik Hanssen and Dr. Stefan Schuppert write:
In the first fine issued by a German data protection authority under the European General Data Protection Regulation (“GDPR”), on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.
Background
According to the press statement of the LfDI (in German), the Company contacted the LfDI with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses.
After becoming aware of the incident, the Company immediately informed its users about the attack in a comprehensive and fully transparent manner (as per Art. 34 GDPR). In the proceedings with the LfDI, following the notification of the data breach to the regulator (as per Art. 33 GDPR), the Company disclosed its data processing and company structures as well as its own security failures to the LfDI in an “exemplary manner.” During this investigation, the LfDI became aware that the Company had stored the passwords in plain text and in an unencrypted format, which helped facilitate the attack.
Read more of their analysis on Hogan Lovells Chronicle of Data Protection. The analysis concludes with a few take-home lessons, including the value of cooperation and transparency.
The latter is something that this site has been particularly critical about in reviewing the incident response of a number of U.S. entities when breaches are disclosed. Consider the recent disclosure by Amazon, who did not explain anything about the “technical error” that resulted in customers’ names and email addresses being exposed and who simply ignored my inquiries to @Amazon and @AmazonHelp.
As consumers, we have no idea for how long this “technical” problem occurred, whether bad actors may have scraped our data, and whether our email addresses could be linked to our wish lists or orders on the site.
Will EU regulators look at the Amazon incident and decide to make an example of Amazon in terms of obligations under Article 34 of the GDPR?
[From the Chronicle article:
The following lessons can be learned from the German enforcement action:
  • Having processes in place to promptly detect and report data breaches is paramount.
  • Be prepared to accept that notifying a personal data breach might open the door for further regulatory investigations, although this is less likely for minor breaches (in this case, passwords of 330,000 users were lost as a consequence of a malicious attack and the unencrypted storage of those passwords was a contributing factor).
  • Learn to manage the reputational impact. In its statement, the LfDI only mentioned that the enforcement involved a social media provider based in Baden-Württemberg (although the media quickly identified the provider behind the press release). From this, there is a positive message: by cooperating with regulators, it may still be possible to be portrayed as a “good corporate citizen” from a privacy perspective.
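The detail a developer can act on in this case is the plain-text password storage the LfDI found. The following is an added example, not code from the analysis or from the site involved: it puts a plaintext credential table next to a salted-scrypt store, using Python's standard hashlib.scrypt; the account names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical; nothing here comes from the incident above).
SAMPLE_USERS = {"alice": "correct horse battery", "bob": "hunter2"}

# scrypt cost: n=2**14, r=8, p=1 needs about 16 MiB per hash, a reasonable interactive setting.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(users):
    """The practice that was fined: the stored value is the password itself,
    so a copy of this table is a ready-to-use credential list."""
    return dict(users)


def hash_password(password, salt=None):
    """Per-user random salt plus a memory-hard KDF; returns 'saltHex$digestHex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt.hex() + "$" + digest.hex()


def store_hashed(users):
    """Hardened store: only salted scrypt digests are ever written."""
    return {name: hash_password(pw) for name, pw in users.items()}


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def directly_usable(table, users):
    """What a leaked table hands over: accounts whose stored value is the real
    password. Every account for the plaintext store, none for the hashed one."""
    return sorted(name for name, pw in users.items() if table.get(name) == pw)


if __name__ == "__main__":
    print("plaintext leak exposes:", directly_usable(store_plaintext(SAMPLE_USERS), SAMPLE_USERS))
    hashed = store_hashed(SAMPLE_USERS)
    print("hashed leak exposes:", directly_usable(hashed, SAMPLE_USERS))
    print("login alice, right password:", verify_password(hashed["alice"], "correct horse battery"))
    print("login alice, wrong password:", verify_password(hashed["alice"], "hunter2"))
```

Because each user gets a fresh salt, two hashes of the same password differ, so a leaked table also cannot be searched for shared passwords.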




Getting serious.
UK Parliament seizes internal Facebook documents
The UK Parliament is determined to get to the bottom of Facebook's data privacy practices, whether or not Mark Zuckerberg is willing to testify. Digital Culture, Media and Sport committee (DCMS) chairman Damian Collins used an uncommon process to force the founder of software developer Six4Three to hand over internal Facebook documents while he was on a business trip to London. The files reportedly include details of Facebook data decisions that enabled the Cambridge Analytica scandal, including emails between executives and conversations with Zuckerberg.
… The files are already subject to an order from a California court, which would restrict them from being published in the US. Facebook has already called on the DCMS committee to both avoid reviewing the documents and to bring them back to either Facebook or its legal counsel. However, it's not certain that Facebook can actually force this since Parliament was acting under its own jurisdiction.




Perhaps we don’t have the correct mindset. We say criminal, others might say Intelligence Operatives. Would the US give up NSA employees?
Dennis Fisher reports:
A top United States law enforcement official called out Russia for not cooperating with cybercrime investigations on Russian citizens, and said the U.S. will continue to “identify nations that routinely block the fair administration of justice and fail to act in good faith”.
In a speech before the Interpol General Assembly on Sunday, Deputy Attorney General Rod Rosenstein said the U.S. has extradited 95 Americans to other countries to stand trial, but said other countries are not reciprocating, particularly when it comes to cybercrime. Rosenstein pointed specifically to the case of Alexsey Belan, a Russian who is under indictment in the U.S. for several major attacks, including an intrusion at Yahoo. The U.S. has issued two arrest warrants for Belan, who was allegedly hiding somewhere in Europe, and Interpol also issued a Red Notice requiring law enforcement agents to arrest him in any country. But Belan eventually made his way back into Russia, where Russian intelligence recruited him, Rosenstein said, and had him target U.S. companies, including Yahoo.
Read more on Decipher.




Perspective.
Over a third of online Black Friday purchases came from phones
If you spent Black Friday hunting for deals on your smartphone, you're not the only one. Adobe analysts have determined that just over a third (33.5 percent) of online Black Friday sales were completed on smartphones -- a large uptick from 29.1 percent just one year earlier. People were willing to splurge, too. There was over $2.1 billion in sales, a leap from the previous record ($1.4 billion) set on Cyber Monday, not Black Friday.
This comes on the back of a spike in Black Friday sales, with people spending $6.22 billion (a 23.6 percent increase over 2017).