Probably not the best way to describe your security.
New York Times abruptly eliminates its "director of information security" position: "there is no need for a dedicated focus on newsroom and journalistic security"
Runa Sandvik is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security."
… If you are a source contemplating going to the Times with a story that could land you in physical, economic, or legal jeopardy, this is really sobering news: can you trust a news entity with your safety when it has eliminated the only person charged with defending it?
So, what do they cover?
AIG Is the Latest Insurer to Back Away from Cyber Insurance Coverage
…
In many ways, the case involving SS&C Technologies and AIG should be black and white, and not gray. In 2016, SS&C Technologies was involved in a major cyber attack in which Chinese hackers managed to dupe the company out of $5.9 million. Spoof emails purporting to come from one of the company’s clients – Tillage Commodities Fund – instructed the company to make six wire transfers to an unknown bank account holder in Hong Kong. This is the classic type of business email compromise (BEC) scam, in which a third party hacker poses as someone else via email in order to ensure that funds move into the hacker’s bank account. So, theoretically, this is exactly the type of incident that should have been covered under the AIG cyber insurance policy.
But there’s just one little problem here – SS&C Technologies acknowledged that the funds were “stolen” and not “lost,” and that automatically transformed the cyber incident into a criminal act. In short, says AIG, Chinese criminals stole the $5.9 million from a client account, and therefore, the cyber insurance policy no longer applies. According to AIG, the cyber insurance policy only covers losses from traditional cyber attacks (e.g. a DDoS attack taking down the company’s servers for days), and not from brazen criminal attacks. Thus, as AIG eventually told a court in the Southern District of New York, it should not be found guilty of “breach of contract.” An event involving a company victimized by suspected Chinese criminals simply is not covered by a cyber insurance policy.
… Moreover, as more details of the case emerge, it’s clear that SS&C Technologies failed to have even the most basic form of cybersecurity defenses in place. For example, one request from the hackers to wire $3 million into a Hong Kong bank account simply included a brief introduction (“How was your weekend?”), followed by details of where to wire the money. Other emails appeared to be coming from a clearly spoofed email address, with the name of the client misspelled as “Tilllage” instead of “Tillage.” Other emails included awkward syntax, grammatical errors, and nonsensical sentence construction. In short, it was the sort of shoddy, second-rate phishing email that is all too common these days. Surely, anyone with a modicum of common sense would have seen through this scam, right?
And, making things even more damaging from the perspective of AIG was the fact that SS&C failed to comply with its own internal policy, which clearly stated that any wire bank transfer needed to be authorized by four different people. This is exactly the sort of basic cyber defense that could have prevented the fraudulent transaction from taking place – at some point, wouldn’t a senior executive or top manager see through these obvious cyber shenanigans and stop the wire transfer from taking place? Thus, from the perspective of AIG, SS&C Technologies failed to exercise even a modicum of care and responsibility. How could SS&C Technologies even argue that the funds were “lost” and not “stolen”?
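Two of the controls the excerpt faults SS&C for lacking, written up as an added illustration that is not from the article or from either company: a lookalike check on inbound payment instructions (the “Tilllage” vs “Tillage” pattern, generalized to any near-miss of a known client name or domain) and a distinct-approver quorum for outgoing wires. Client names, domains and the rule that the requester cannot count as an approver are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample data: known clients and their legitimate sending domains (hypothetical).
KNOWN_CLIENTS: Dict[str, str] = {
    "Tillage Commodities Fund": "tillage.example",
}
# Words that mark an email as carrying payment instructions.
WIRE_RE = re.compile(r"\b(wire|transfer|bank account|beneficiary|swift)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_findings(display_name: str, sender_domain: str, body: str) -> List[str]:
    """Reasons an inbound payment email should be verified out of band before any wire."""
    findings: List[str] = []
    name_l, dom_l = display_name.lower(), sender_domain.lower()
    for client, domain in KNOWN_CLIENTS.items():
        client_l = client.lower()
        # Exact client name on a domain that is not theirs: a plain spoof.
        if name_l == client_l and dom_l != domain:
            findings.append(f"name matches {client!r} but domain {sender_domain!r} is not {domain!r}")
        # Near-miss spellings (extra, missing or swapped letters) of the name or domain.
        d_name = edit_distance(name_l, client_l)
        if 0 < d_name <= 2:
            findings.append(f"display name {display_name!r} is a lookalike of {client!r} (distance {d_name})")
        d_dom = edit_distance(dom_l, domain)
        if 0 < d_dom <= 2:
            findings.append(f"domain {sender_domain!r} is a lookalike of {domain!r} (distance {d_dom})")
    if WIRE_RE.search(body):
        findings.append("body contains payment/wire instructions")
    return findings


def wire_authorized(approvers: Iterable[str], requester: str, required: int = 4) -> bool:
    """Four-person rule from the excerpt; excluding the requester is an added assumption."""
    distinct = {a.lower() for a in approvers} - {requester.lower()}
    return len(distinct) >= required
```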
The victims should talk.
Ocala city loses over $500,000 due to spear-phishing attack
According to Ocala.com, the incident occurred when a scammer sent a phishing email to a city department.
… The employee mistook the email to be legitimate and inadvertently transferred $640,000 to a fraudulent bank account set up by the scammer.
… In light of the incident, the city has planned to conduct an internal investigation to know the methods and scope of a phishing attack. Later, it will make changes in policy to avoid such attacks in the future.
Security that kills? I suspect they installed security that was initially rejected as too impactive. When you have a breach, you “gotta do something!”
Ransomware and data breaches linked to uptick in fatal heart attacks
Imagine a scenario where you have a medical emergency, you head to the hospital, and it is shut down. On a Friday morning in September, this hypothetical became a reality for a community in northeast Wyoming.
Campbell County Health reported a systemwide crippling of their computers that affected its flagship hospital and nearly 20 clinics located in the city of Gillette. For eight hours, the hospital’s emergency department was forced to transfer patients even though the next nearest hospital was located 70 miles away.
…
New research finds that at hospitals that experienced a data breach, the death rate among heart attack patients increased in the months and years afterward. This increased mortality doesn’t appear to be due to the perpetrators themselves — the hackers are not controlling the allocation of medications or doctors. Rather the issue may lie with how health care systems adjust their cybersecurity after an attack, according to a study published in October’s issue of Health Services Research.
… Cybersecurity remediation at hospitals appears to be slowing down doctors, nurses and other health professionals as they offer emergency cardiac care, based on this new study.
After data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined in the new study.
Looks costly. I don’t think they like it either.
Increased Surveillance is Not an Effective Response to Mass Violence
This week, Senator Cornyn introduced the RESPONSE Act, an omnibus bill meant to reduce violent crimes, with a particular focus on mass shootings. The bill has several components, including provisions that would have significant implications for how sensitive student data is collected, used, and shared. The most troubling part of the proposal would broaden the categories of content schools must monitor under the Children’s Internet Protection Act (CIPA); specifically, schools would be required to “detect online activities of minors who are at risk of committing self-harm or extreme violence against others.”
Unfortunately, the proposed measures are unlikely to improve school safety; there is little evidence that increased monitoring of all students’ online activities would increase the safety of schoolchildren, and technology cannot yet be used to accurately predict violence. The monitoring requirements would place an unmanageable burden on schools, pose major threats to student privacy, and foster a culture of surveillance in America’s schools. Worse, the RESPONSE Act mandates would reduce student safety by redirecting resources away from evidence-based school safety measures.
Lots of detail.
US prisons and jails using AI to mass-monitor millions of inmate calls
New technology driven by artificial intelligence (AI) is helping prison wardens and sheriffs around the country crack unsolved crimes and thwart everything from violence and drug smuggling to attempted suicides – in near real time, in some cases – through digitally mass-monitoring millions of phone calls inside the nation’s sprawling prison and jail systems.
Despite legally-mandated warnings preceding every prison phone call that the conversation is being recorded and monitored, inmates still regularly reveal astonishing amounts of incriminating information, according to technology company records provided to ABC News and interviews with law enforcement and corrections officials using the systems in multiple states.
Alcohol sniffers in cars, bomb sniffers at airports, the uses are limitless.
Google researchers taught an AI to recognize smells
Their algorithms can identify odors based on their molecular structures.
…
As Wired points out, there are a few caveats, and they are what make the science of smell so tricky. For starters, two people might describe the same scent differently, for instance "woody" or "earthy." Sometimes molecules have the same atoms and bonds, but they're arranged as mirror images and have completely different smells. Those are called chiral pairs; caraway and spearmint are just one example. Things get even more complicated when you start combining scents.
Yes, on some technical issues. No, based on personalities.
Why An Amazon-Oracle Merger Is A Very Real Possibility
Per Trefis analysis, a merger of Amazon and Oracle could unlock significant value. While the idea may sound very ambitious, in order to keep itself at the top of the cloud technology food-chain, Oracle may be the best acquisition Amazon could ever make.
Useful?
Open Access Resources for Legal Research
Via Lyonette Louis-Jacques, The University of Chicago | D’Angelo Law Library – “In honor of International Open Access Week, our library created an “Open Access Resources for Legal Research” LibGuide. These are some representative free law sources. The focus is on U.S. law, but there’s a foreign and international law section.”