Wednesday, October 27, 2010

This could be nothing. At least, they are not sure it is something. The servers were down over the weekend for “maintenance,” so this could be a problem introduced by those changes.

TX: HISD investigating how its computers were hacked

October 27, 2010 by admin

Erika Mellon reports:

Houston school district officials suspect their computer system was hacked over the weekend, leaving employees and students without access to the Internet, online classes and e-mail for two days.

The electronic blackout ended late Tuesday afternoon, but the district’s police department was continuing to work with the FBI to investigate the suspected cyber-attack. HISD officials said they had found no evidence so far that hackers had tampered with personal information, such as payroll data or students’ grades.

As one of the largest employers in Houston, the school district has loads of electronic data on its 30,000 workers and 202,000 students that could have been compromised.

Read more in the Houston Chronicle.


FBI Investigates Alert of Possible Hacking Attempt into HISD

When the district was alerted to the possible hacking attempt, [They did not detect it themselves? Bob] the IT team shut down the computer system, according to a statement from HISD. Police and administrative staff were notified early Monday morning.

Interesting question. If they had not informed the victims, how would they learn of the breach? Should the laws be modified to allow the police to “fight fire with fire?”

Did Dutch Police Break the Law Taking Down a Botnet?

October 26, 2010 by admin

Interesting article by Jeremy Kirk about how Dutch police may have broken the law in an attempt to get control of a botnet and to warn innocent users that their systems were infected:

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer’s Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb’s security officer.

Read more on PCWorld.

[From the ComputerWorld article:

The Armenian man had constructed a massive botnet, at one point infecting up to 29 million computers in countries including Italy, Spain, South Africa, the US and the UK.

"We wanted to take down the botnet," Prins said. "What we also wanted to do was make sure the botnet wouldn't switch over to other infrastructure under his control."

The Dutch police decided to use a tactic they have apparently used before, taking over the computers infected with Bredolab and directing them to servers not under the control of the Armenian. Fox IT helped with that by uploading a "good" bot developed by police [Are US computer cops also doing this? Bob] to those PCs, Prins said.

… So far, at least 100,000 computers have displayed the Web page, which also has a link where people can file a complaint about Bredolab. So far, 55 people have filled out the complaint form, according to the Dutch National Prosecutor's Office.

[From the PC World article:

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this," Robertson said. "They were making the best of a bad situation."

But in an era where fake Web pages are rampant, it begs the question of whether people will believe that the warning is legitimate. Fraudsters could also simply copy the Web page, set up a new domain and create a site that actually infects people's computers with Bredolab or other malware.

(Related) The next botnet won't be as easily defeated.

The Rise of the Small Botnet

In September, law enforcement agencies in the US and Europe announced that they had cracked a major ZeuS botnet operation allegedly responsible for the theft of over $70 million.

Reports of such law enforcement crackdowns are increasingly common, but they represent merely the tip of the iceberg in addressing the real underlying problem. Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just of law enforcement.

I vote “Hell Yes!”

Should HHS fine entities who experience repeated avoidable security failures?

By Dissent, October 26, 2010

I’m working on a breach post for later today but started mulling over the question of whether HHS needs to start fining covered entities who have repeat breaches where the entity did not seem to adequately harden their security after the first breach or to really learn from experience.

This is 2010. The excuse “we were in the process of encrypting” or “now we’re going to encrypt” seems inadequate. HIPAA went into effect in 1996. Why are some of these easily avoidable breaches still occurring? HHS has adopted an educative and corrective approach, but how many times do some entities need to be educated before the government starts hitting them with fines in addition to the other costs of a breach?

Do you think that it would help if HHS started handing out fines to repeat offenders? If so, what scenarios would you think should lead to fines? I’d nominate inadequately secured PHI on a device stolen off-premises as my first nomination. As a close second, repeated theft of devices from hospital premises where the data at rest were not adequately protected.

Your thoughts?

(Related) Should this also go beyond lip service?

Consent and privacy in HIT, redux

By Dissent, October 26, 2010

Julie Chang reported on a recent Texas Tribune interview with David Blumenthal, the national coordinator of Health Information Technology. Here’s the section dealing with privacy issues, and it follows on the heels of some great reporting by the Austin Bulldog, covered previously on this blog, that revealed how a lot of patient data is being sold for “research” purposes:

TT: The issue of privacy has been a hotbed of concern. There have been reports, even here in Texas, of patient electronic records being sold to research companies. How do you respond to concerns that electronic records will only increase the risk of violating patient privacy?

Blumenthal: Well, they shouldn’t be sold if people don’t give consent. We’re committed to having patients control the uses of their health data. Their consent is going to be vital.

Okay, stop right there. Isn’t that what some of us have been saying should be the requirement — consent — and not just “consent” but “informed consent?” And for our advocacy, we’ve been called privacy alarmists or just viewed as the enemy of progress.

TT: Whose responsibility is it to ensure that patient privacy is protected?

Blumenthal: It’s a collective responsibility. We, in the federal government, give our best judgment about what the preferred approach is to getting patient consent. I think we also need to enforce the existing laws that penalize people who don’t carefully guard patient information, and there are substantial penalties available. States have a responsibility because they have a lot of freedom to set local laws to make sure that they involve the public in creating those statutes and those regulations. Doctors and hospitals have to understand what patients want and need from them in the way of privacy in the electronic world.

Privacy is not his first strategic objective, but “Do no evil” is...

5 comments from Google's CEO on privacy

On Monday, for instance, Schmidt raised the latest privacy hubbub by saying that if people don't like having their homes photographed for Google Street View for the world to see, they can "just move."

… The comment wasn't the first controversial remark Schmidt has made regarding privacy. Here are others:

  • "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Schmidt said during an interview on CNBC in December 2009.

  • "We know where you are... with your permission. We know where you've been with your permission. We can more or less guess what you're thinking about," he said earlier this month, speaking at the Washington Ideas Forum and cited by The Atlantic.

  • "There is what I call the creepy line. The Google policy on a lot of things is to get right up to the creepy line and not cross it," Schmidt is quoted as saying by The Hill Web site last month during an event at the Newseum in Washington.

  • "I actually think most people don't want Google to answer their questions," he said. "They want Google to tell them what they should be doing next," he said, adding that at some point young adults will change their names so they can hide from youthful hijinks stored on social networks. He made the comments during an August interview with the Wall Street Journal.

  • "In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it," Schmidt said at the Techonomy conference in April, according to a ReadWriteWeb blog by Marshall Kirkpatrick.

(Related) Tip number one: ignore the boss?

FamilySafetyCenter: Tips & resources on safe internet use for kids & family

FamilySafetyCenter is a portal put together by Google that contains lots of tips, answers, videos and articles to help provide a safe internet use for kids and family. In addition to a list of safety tools that are embedded in various Google services, the site has a detailed FAQ section on how Google handles various related issues.

Humor A Venn diagram of Privacy and the Internet...

It's almost Halloween – think of this as sneaking up on your employees and yelling, “Boo!” (Assuming your employees have serious heart conditions...) Perhaps they learned about changing policies without notice from their favorite Internet sites?

Drug Testing Poses Quandary for Employers

October 27, 2010 by Dissent

Katie Zezima and Abby Goodnough report:

The news, delivered in a phone call, left Sue Bates aghast: she was losing her job of 22 years after testing positive for a legally prescribed drug.

Her employer, Dura Automotive Systems, had changed the policy at its sprawling plant here to test for certain prescription drugs as well as illicit ones. The medication that Mrs. Bates was taking for back pain — hydrocodone, a narcotic prescribed by her doctor — was among many that the company, which makes car parts, had suddenly deemed unsafe.

Read more in the New York Times. Hat-tip, Privacy Lives.

The future of Copyright Law? When do we implement ACTA? Would any US ISP resist government “recommendations?”

Korea Kicking People Offline With One Strike

Posted by CmdrTaco on Tuesday October 26, @04:15PM

"While there's lots of talk of 'three strikes' laws in places like France, it may be worth looking over at South Korea, which put in place a strict new copyright law, required by a 'free trade' agreement with the US (which was the basis for ACTA). It went into effect in the middle of 2009, and now there's some data about how the program is going. What's most troubling is that the Copyright Commission appears to be using its powers to 'recommend' ISPs suspend user accounts based on just one strike, with no notice and no warning. The system lets the Commission make recommendations, but in well over 99% of the cases, the ISPs follow the recommendations, and they've never refused to suspend a user's account."

Gee, it must be election time again. We always see reports of election machine flaws before the election and whoever wins quickly suppresses any investigation that might reveal how he won...

Voting Machines Selecting Default Candidates

Posted by CmdrTaco on Tuesday October 26, @10:47AM

"Some voters in Las Vegas have noticed that Democrat Harry Reid's name is checked by default on their electronic voting machines. By way of explanation, the Clark County Registrar says that when voters choose English instead of Spanish, Reid's Republican opponent, Sharron Angle, has her name checked by default."

Cable must move to the Internet or be replaced by Google?

Comcast Gives ‘TV Anywhere’ Another Nudge in Right Direction

… has programs from about 90 content partners, and Comcast customers also get access to the premium digital channels they pay for. The array of programming is a smallish subset of 225 sources already available from Hulu, the web-based video service whose backers include NBC Universal, News Corp. (Fox) and Walt Disney (ABC), even though Hulu serves up much of the programming on Fancast. But unlike Hulu, Fancast includes programming from CBS.

Is this the business model that saves the publishing industry? Somehow, I doubt it.

Free E-Books, With a Catch — Advertising

Posted by timothy on Tuesday October 26, @10:48PM

"Barnes & Noble may kick off a fresh price war today for digital book readers, with its new Nook news. But the real news in digital publishing is a novel approach to the e-books themselves: Free books — with advertising. The basic idea is to offer publishers another way to reach readers and to give readers the chance to try more books — books that perhaps they wouldn't normally peruse if they had to pay more for them. Initially, Wowio specialized in offering digital versions of comic books and graphic novels, usually formatted as Adobe PDFs. So it was a natural step for the company to offer graphic ads that are inserted in e-books. 'We think we're creating a broader audience for some of these titles,' Wowio's CEO Brian Altounian told me. 'I think folks are going to download more books because they're saving the costs' of having to drive to the store or pay more for them. Would ads stop you from reading?"

The new color Nook goes for $249, and comes with a browser, games, Quickoffice, streaming music via Pandora, and an SDK; reader itwbennett links to an analysis of how well it stacks up as a tablet.

Interesting. Nothing in the article to explain why a second device is required.

Some Aussie High Schools Moving To Two Devices Per Child

Posted by timothy on Wednesday October 27, @01:55AM

"One laptop per child is so last year. Private secondary schools in New South Wales, Australia are in discussions to upgrade their wireless networks so they can handle the strain of supporting a two-to-one ratio — a laptop and tablet for every student."
