Wednesday, January 12, 2022

Warfare has progressed(?) from lines of warriors with spears to shooting from concealment to bombing civilian targets and now to attacks which could impact every citizen. What is the proper response?

https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html

FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure

Amid renewed tensions between the U.S. and Russia over Ukraine and Kazakhstan, American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.

To that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and exploiting known vulnerabilities to gain initial access to target networks.



Perhaps connecting everything on a single network isn’t the best plan?

https://gizmodo.com/new-mexico-jail-forced-into-lockdown-after-cyberattack-1848342078

New Mexico Jail Forced Into Lockdown After Cyberattack Incapacitates Cameras, Doors

A suspected ransomware attack in New Mexico has incapacitated services for an entire county, including the local jail—which frighteningly lost access to its camera feeds, facility databases, and automated doors.

Bernalillo County, which is the most populous in the state and includes its largest city, Albuquerque, was thrown into chaos last week when the cyberattack hobbled services across the government. The attack, which took place on Jan. 5, forced the closure of county offices, threatened databases, and caused major problems for the processing of everything from local property deals to marriage licenses, all of which rely on the county’s network.

Most dramatically, the county’s Metropolitan Detention Center lost access to some of its key security features—including its camera feeds and its automated jail doors. For obvious safety reasons, this forced the county to lock down the entire jail, forcing all of the prisoners into their cells for the foreseeable future.

The Verge reports that the lockdown also spurred a minor legal kerfuffle, as it put the county in potential violation of the terms of a 1995 lawsuit settlement concerning confinement conditions at the jail. That settlement mandated that prisoners be given certain privileges—such as guaranteed time outside of cells and access to communication devices, such as phones. Some of those privileges can’t be accommodated during the current circumstances and, as a result, the county was forced to file an emergency notice in federal court last week, asking the court to consider its outstanding “emergency” circumstances.



I wonder if these are the only hospitals in the entire country that do this?

https://www.pogowasright.org/mass-general-brigham-dana-farber-to-pay-18-4m-settlement-over-privacy-allegations/

Mass General Brigham, Dana-Farber to pay $18.4M settlement over privacy allegations

Jessica Bartlett reports:

Mass General Brigham and Dana-Farber Cancer Institute have agreed to pay a combined $18.4 million settlement over allegations that the institutions fed personally identifiable information about patients to Facebook, Google and other companies.
The class-action lawsuit was filed by two anonymous parties in Suffolk Superior Court in May 2019. The suit alleged that despite numerous privacy assurances on the websites of Massachusetts General Hospital, Brigham and Women’s Hospital and Dana-Farber, the three hospitals disclosed patient information to third-party websites and marketing companies.

Read more at Boston Business Journal.



There’s no reaction like overreaction.

https://thenextweb.com/news/eus-plans-to-tackle-child-sexual-abuse-material-csam-spark-surveillance-concerns

EU plans to tackle online child abuse spark surveillance concerns

The scale of child sexual exploitation and abuse online is increasing at an alarming rate. The Internet Watch Foundation (IWF) recently announced that it’s finding 15 times as much child sexual abuse material (CSAM) online as it was a decade ago.

This content is particularly prevalent in Europe. According to a 2020 report by the IWF, most web pages hosting CSAM are based in the continent. In response, the European Union plans to introduce stricter rules on tech firms that host the material.

“I will propose legislation in the coming months that will require companies to detect, report, and remove child sexual abuse,” EU home affairs commissioner Ylva Johansson told Germany’s Welt am Sonntag on Sunday.

… the EU’s strategy seems to be to cast a dangerously wide net, proposing measures which might force service providers to scan each and every person’s private messages.”



Should we assume the patients want to be unidentified?

https://www.pogowasright.org/hospitals-could-gain-new-tools-to-id-unidentified-patients/

Hospitals could gain new tools to ID unidentified patients

I missed this one over the holiday week. Thankfully, Joe Cadillic didn’t miss it. Jesse Scheckner reported:

A bill filed in the Florida House this week would allow law enforcement agencies to help hospitals identify unidentified patients and empower social workers to make decisions about patients’ continued care.
HB 1021, which Republican Rep. Juan Fernandez-Barquin of Miami-Dade County filed Monday, would add language to Florida Statute clearing the way for the Florida Department of Law Enforcement and local police agencies to use available biometric tools to identify “otherwise unidentifiable” patients.

Read more at Florida Politics.



Will someone ask who failed to secure the data in the first place?

https://www.databreaches.net/a-missouri-reporter-is-still-getting-blamed-for-the-security-flaw-he-exposed/

A Missouri Reporter Is (Still) Getting Blamed For the Security Flaw He Exposed

Jack Gillum sought — and obtained — some records from Missouri Governor Parson’s office concerning the governor’s staff’s public statements and the governor’s intention to try to prosecute journalist Josh Renaud. Renaud’s crime: he discovered a vulnerability on a state website where by clicking the F12 key to view the source of a page, one could see teachers’ social security numbers exposed in plain text. Renaud verified his discovery and then notified the state, delaying publication until the state could secure the data.

Instead of thanking the reporter and his newspaper — as the state initially planned to do — the governor did an about-face and called the journalist a “hacker” and is pushing to have him prosecuted under a state law.

Nothing has changed since the story first made news in October. The governor continues to insist that the reporter is likely to be prosecuted, while most members of the press and researchers point out the dangerous situation that would result — where people will be afraid to disclose vulnerabilities to the state.

Yes, Missouri’s law has wording that might seemingly allow Missouri to prosecute anyone who gains access to others’ personal information without their authorization, but did the law really anticipate the governor going after those researchers or journalists who responsibly disclose or report on breaches or leaks?

Gillum’s article can be found on Bloomberg, here.

So… what will Governor Parson do when journalists report on ransomware incidents involving Missouri entities where data involving personal information has been dumped by threat actors and viewed and reported upon by journalists? Look at these provisions in their law:

(3) Discloses or takes data, programs, or supporting documentation, residing or existing internal or external to a computer, computer system, or computer network; or
[…]

(6) Receives, retains, uses, or discloses any data he knows or believes was obtained in violation of this subsection.

So does that mean reporting on a data dump from a criminal hack unlawfully “uses” or “discloses” data?

DataBreaches.net does not believe that investigating and reporting on cybercrime is a crime. See also today’s report on the ransomware attack on Carthage R-9 district.
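The Missouri flaw above was not a "hack" in any meaningful sense: the server sent the Social Security numbers to every visitor's browser, and viewing the page source merely showed what had already been delivered. The check a site operator should run on their own pages, before a reporter does, is to parse the served HTML exactly as a browser receives it and flag anything shaped like an SSN in hidden form fields, comments and inline scripts, not just in visible text. The following is an added example written for this post; it is not code from the Missouri site, from databreaches.net or from the Bloomberg article, and the sample page it scans is constructed. The filter it applies (no 000, 666 or 9xx area, no 00 group, no 0000 serial) is the SSA's structural rule for numbers that are never issued, not a lookup against any real record.

```python
"""Added example: find SSN-shaped values in served HTML before someone else does.

Not code from the Missouri site or from the articles above; the page below is
constructed for the example. Run it only against pages you own or are
authorized to test.
"""
import re
from html.parser import HTMLParser

# 9 digits in 3-2-4 groups, with optional dashes or spaces, not embedded in a
# longer digit run (so a 10-digit phone number or a timestamp does not match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?!\d)")


def looks_like_ssn(area, group, serial):
    """Structural rules for numbers the SSA never issues: area 000, 666 or 9xx,
    group 00, serial 0000. Filters obvious non-SSNs; it verifies nothing."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


class PIIScanner(HTMLParser):
    """Collects SSN-shaped strings from every place a browser receives them:
    text nodes, attribute values (hidden inputs, data-* attributes),
    HTML comments and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, matched text)
        self._last_tag = "text"

    def handle_starttag(self, tag, attrs):
        self._last_tag = tag
        for name, value in attrs:
            if value:
                self._check(f"<{tag} {name}=...>", value)

    def handle_data(self, data):
        # Script and style bodies also arrive here, so a record a template
        # dropped into an inline JSON blob is caught as well.
        self._check(self._last_tag, data)

    def handle_comment(self, data):
        self._check("comment", data)

    def _check(self, where, text):
        for m in SSN_RE.finditer(text):
            if looks_like_ssn(*m.groups()):
                self.findings.append((where, m.group(0)))


def scan_html(html):
    """Return [(location, value), ...] for every SSN-shaped value in the page."""
    parser = PIIScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a lookup form that leaks in three places the
# rendered view never shows (a comment, a hidden field, an inline script).
SAMPLE_HTML = """<!DOCTYPE html>
<html><body>
<h1>Educator credential lookup</h1>
<!-- TODO remove before release: debug record ssn 219-09-9999 -->
<form action="/lookup">
  <input type="hidden" name="record_id" value="123-45-6789">
  <input type="text" name="phone" value="555-123-4567">
  <input type="hidden" name="issued" value="2022-01-12">
</form>
<script>
  var record = {name: "A. Teacher", ssn: "078051120"};
</script>
<p>Last four digits on file: ***-**-6789</p>
</body></html>
"""

if __name__ == "__main__":
    for where, value in scan_html(SAMPLE_HTML):
        print(f"{where}: {value}")
```

On the sample page the scanner reports the comment, the hidden input and the script variable, and ignores the phone number, the date and the masked display value. The same function can be pointed at saved copies of your own public pages in a CI step; the point is that anything in the response body is already disclosed, whether or not it is visible in the rendered page.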



If you thought you were done learning, you were wrong. (At least try the free ones.)

https://www.efinancialcareers.com/news/2022/01/top-machine-learning-courses

Goldman Sachs MD's guide to top machine learning courses

If you've started this year with aspirations to further your knowledge of such things as Python coding and machine learning, but you happen to have a full time job that demands most of your time, do not be discouraged.

One Goldman Sachs MD says he completed eight online training courses last year, while also fulfilling his role as head of engineering (strats, quants and technologists) in EMEA and APAC for the private investments arm of Goldman Sachs Asset Management.

Not all are machine learning-focused, but the first four in particular are directly relevant.

1. Machine Learning, by Stanford University and Coursera.
2. Deep Learning Specialization, by DeepLearning.AI
3. AWS Fundamentals Specialization, by aws.amazon.com
4. Google Cloud Digital Leader Specialization, by cloud.google.com
5. Scalability & System Design for Developers, by Educative.IO
6. Python for Programmers, by Educative.IO
7. Agile and JIRA, by atlassian.com
8. Managing Remote Teams, by gitlab.com

McLennan's advice on online courses comes after Goldman posted a new developer blog about the use of machine learning in its data lake. Among other things, it stresses the importance of explainable models. "For Machine Learning Engineers, it can become a full day's work to explain why a certain prediction was made by the model," says author Jaimita Bansal, a VP in data lake engineering.



Resources.

https://www.makeuseof.com/learn-programming-for-free/

The Top 9 Places to Learn Programming Online for Free
