Following a “correct” but inadequate process. Would it have killed them to make a phone call?

$1.7 million still missing after North Carolina county hit by business email compromise scam

… According to a notice published on the Cabarrus County government’s website, problems began in November 2018 when Cabarrus County Schools received an email claiming to come from Virginia-based Branch and Associates, which was working on the construction of West Cabarrus High, a new school for the district.

The email claimed that Branch and Associates had changed their bank account details, and requested that future payments on the school construction project were sent to the new account.

To its credit, Cabarrus County says that its staff followed the correct processes – requesting that forms and documentation (including an electronic funds transfer (EFT) form signed by the bank) were submitted to make the change.

One week later, Cabarrus County received the documentation from the criminals, and saw nothing to raise any concerns.

Then, on December 21 2018, Cabarrus County electronically transferred $2,504,601 into what they believed was Branch and Associates’ bank account.

… Soon afterwards, the bank and law enforcement were informed, as were the county’s insurers, and an investigation determined that Cabarrus County’s computer systems had not been hacked or compromised, but instead a socially engineered business email compromise scam had been successfully pulled off using a bogus email address.

In response Cabarrus County halted all future payments via electronic transfer until account details could be verified. This process, alongside a redesign of the county’s vendor system, took three months.
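The control the county adopted afterwards (hold EFT payments until account details are verified) together with the phone call asked about above, modelled as an added example that is not from the article or from Cabarrus County; the vendor name, phone numbers and account labels are constructed, and the callback must go to the number captured at onboarding rather than to anything supplied in the request.

```python
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str  # captured at onboarding; never taken from an inbound email

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    callback_number_claimed: str  # number the email invites us to call; deliberately ignored
    status: str = "pending"
    log: list = field(default_factory=list)

class VendorRegistry:
    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.holds = set()

    def submit_change(self, req):
        # Receiving a bank-detail change freezes EFT payments to that vendor;
        # paperwork alone (forms, a "bank-signed" EFT form) never lifts the hold.
        self.holds.add(req.vendor)
        req.log.append("EFT payments held pending verification")
        return req

    def verify_by_callback(self, req, number_dialed, vendor_confirmed):
        # Out-of-band check: the call must go to the number already on file,
        # not to any number supplied in the request itself.
        v = self.vendors[req.vendor]
        if number_dialed != v.phone_on_file:
            req.status = "rejected"
            req.log.append("callback did not use number on file; refer to fraud review")
            return False
        if not vendor_confirmed:
            req.status = "rejected"
            req.log.append("vendor denied requesting the change; refer to fraud review")
            return False
        v.bank_account = req.new_account
        self.holds.discard(req.vendor)
        req.status = "applied"
        req.log.append("change verified by callback and applied")
        return True

    def can_pay(self, vendor_name):
        # A rejected request leaves the hold in place until a human clears it.
        return vendor_name not in self.holds
```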
A new perspective for Computer Security.

Cyber Kill Chain Reimagined: Industry Veteran Proposes "Cognitive Attack Loop"

The Cyber Kill Chain is dead. Long live the Cognitive Attack Loop. This is the thesis of Tom Kellermann's (Chief Security Officer at Carbon Black and former cyber commissioner for President Obama) new paper, 'Cognitions of a Cybercriminal'.

The problem with the Cyber Kill Chain framework created (and trademarked) by Lockheed Martin is that it has a beginning and an end. While this was an accurate reflection of cyber-attacks when it was first devised, it no longer applies, Kellermann says. The burglary approach of cybercriminals to enter, steal and leave has changed to long-lasting home invasion. The modern cybercriminal does not just leave -- he wants to stay, quietly hidden. Breaking the kill chain no longer works, because the criminal is still in the home.

… There are three primary phases to this loop: reconnoiter and infiltrate; maintain and manipulate; execute and exfiltrate – but there is no assumed exit. Each of these primary phases has numerous sub-phases, such as privilege, persistence and evasion within the maintain and manipulate phase; and exfiltration, destruction and disinformation in the final phase. But there is no end to this loop. If the attackers have not been detected, they will remain. They could start again at some point in the future – or, in the case of the Russian state/hacker alliance, simply pass the access keys to a Russian intelligence agency.

In this sense, Kellermann's paper (PDF) is a call to action, that he intends to repeat at Black Hat and Defcon.
Lots of people are helping us to stay current.

The Future of Data Privacy in the United States

Analyzing the state of privacy regulation, including the CCPA, Nevada’s privacy law, and bills introduced in New York and Washington State

… With laws passed in California and Nevada and bills planned in many other states, companies should expect to be impacted within the coming months.

This article breaks down the crucial parts of each state’s privacy regulation law/bill — including who they cover, when they take effect, penalties, how to achieve compliance as well as why states took the reins before the federal government to protect consumer’s personal data.
Farewell encryption?

This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp:

In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

Once this is in place, it's easy for the government to demand that Facebook add another filter – one that searches for communications that they care about – and alert them when it gets triggered.
So now I have a National ID Number? Unlike my social security number, which cannot (???) be used as ID, this one is only used as ID?

Shaun Grannis, John D. Halamka, and Ben Moscovitch have an opinion piece on STAT that begins:

It isn’t every day that the House of Representatives takes bipartisan action to reverse a policy that’s been in place for two decades. But that’s what happened last month, when Democrats and Republicans alike voted for a measure designed to address a perennial problem that undermines medical record-keeping, puts patients at risk, and costs our health care system billions of dollars every year.

Specifically, the House voted to repeal a 21-year ban on funding for a national patient identifier — a unique number or code comparable to a Social Security number that would be assigned to each and every American. As envisioned, this identifier would make it easier for health care providers to access accurate medical records anywhere, anytime — whether the patient is making a routine office visit in Boston or lying unconscious in a San Francisco emergency room.

Read more on STAT
We’ll figure out this GDPR thing some day. Meanwhile…

ICO Launches Public Consultation on New Data Sharing Code of Practice

On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws. The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors.
Can lawyers use AI ethically? Is there a “duty to use” AI?

PART II: AI Tools for Solo and Small Law Firms

Generally, today’s AI tools for solo and small law firms break down into three categories: (1) legal research and issue spotting; (2) law practice automation and marketing tools; and (3) substantive legal issues arising out of the use of algorithmic, AI-driven platforms in legal matters ranging from criminal defense, employment, insurance, custody defense and others that solo and small firm lawyers tend to handle.
Tools & Techniques. Very interesting and very, very carefully worded.

IT’S SENTIENT

At the final session of the 2019 Space Symposium in Colorado Springs, attendees straggled into a giant ballroom to listen to an Air Force official and a National Geospatial-Intelligence Agency (NGA) executive discuss, as the panel title put it, “Enterprise Disruption.” The presentation stayed as vague as the title until a direct question from the audience seemed to make the panelists squirm.

… “When will the Department of Defense have real-time, automated, global order of battle?” they asked.

… an initiative called Sentient has relevant capabilities. A product of the National Reconnaissance Office (NRO), Sentient is (or at least aims to be) an omnivorous analysis tool, capable of devouring data of all sorts, making sense of the past and present, anticipating the future, and pointing satellites toward what it determines will be the most interesting parts of that future.
Share with everyone! Gary Alexander tipped me off to the CyberheistNews newsletter.

Q2 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]

… Aside from social media-related messages, general subject lines related to password management were highest on the list. In-the-wild attacks ... found greatest success when they asked for action from the recipient.