Wednesday, September 14, 2011


A most intriguing topic...
Damages From Hannaford Bros. Data Breach Dominate 1st Circuit Debate
September 13, 2011 by admin
Sheri Qualters writes:
A debate about the damages available to some of the 4.2 million customers of the Hannaford Brothers Co. supermarket company whose financial information was compromised during a data breach dominated an oral argument at the 1st U.S. Circuit Court of Appeals.
The Sept. 8 hearing in Anderson v. Hannaford Brothers Co. concerned the appeal of a May 2009 order by District of Maine Judge D. Brock Hornby that rejected most of the plaintiffs’ claims.
Read about some of the exchanges between the judge and attorneys during oral argument on Law.com.


“No good deed goes unpunished”
Two years later, Texas parent who reported a breach gets prosecutors off his back and his laptop returned
September 13, 2011 by admin
A Texas parent who reported a school district security breach involving sensitive student records spent the next two years facing federal charges and trying to get his laptop back.
Back in August 2009, DataBreaches.net reported that a parent had his work and personal computers seized by the FBI after he reported a security breach to his child’s school district, Leander ISD, and the Texas Education Agency. The parent, Mark Short, had discovered a working login on the district’s web site for a vendor-maintained database of students’ educational records. Not having received all of his child’s records that he had requested under FERPA (the federal law that gives parents the right to inspect all of their children’s education records), Short explored the database enough to confirm that it contained additional records on his child as well as sensitive information on other students. Short then notified the district of its security lapse and filed a complaint with the state.
Rather than thanking him for alerting them to their security gaffe and FERPA noncompliance, the district reportedly referred the matter to law enforcement, who treated him as a criminal.
Short informed DataBreaches.net that his personal laptop was seized by FBI agents without a search warrant “under the guise of concluding the investigation.” Short claims that he was not informed that he could refuse, and that after the FBI hung on to the computer for one week and he started insisting on its return, the FBI first obtained and served him with a search warrant for the laptop they had already seized.
Short has kept DataBreaches.net apprised of the case over the past two years, and now reports:
Two years after the FBI seized my personal property and just two days before a scheduled hearing to force the return of my computer, the US District Attorney has decided to not prosecute and return my computer.
This is after I was offered plea agreements two or more times and refused. Then I would get threatened that I would face prosecution if I did not accept.
The entire situation has been costly for Short, who lost his job due to the FBI showing up at his workplace and seizing his work computer. It also created significant family stress. Short tells DataBreaches.net:
This has been a huge “pain in the ass” in order to assert individual rights and force a return of personal property – potentially improperly obtained; however, the government has really exceeded their mandate in this case. For them to seize my computer, refuse to return it (even after two years) without even making a formal charge is insane.
I can see why some people would rather just give in to the federal government and simply forfeit their personal property. However, I cannot do that and allow the continued erosion of individual constitutional rights and freedoms.
In the meantime, the school district that had failed to turn over all his child’s records and that had failed to adequately secure access to the outsourced records has incurred no penalty for noncompliance with FERPA’s requirement nor for the breach.
What’s wrong with this picture?


Do you suppose this will come to the US? How powerful is the advertising lobby?
Google Lets Wi-Fi Owners Opt Out of Registry
September 14, 2011 by Dissent
Kevin J. O’Brien reports:
Google defused a confrontation with European privacy regulators by announcing on Tuesday that it would give the owners of Wi-Fi routers worldwide the option of removing their devices from a registry Google uses to locate cellphone users.
The change was made less than four months after European regulators warned that the unauthorized use of data sent by Wi-Fi routers violated European law. Google and other companies use the signals from Wi-Fi routers as navigational beacons, helping them pinpoint the locations of nearby cellphone users.
Read more on the New York Times.


This has been a SciFi staple for years.
Your face — and the Web — can tell everything about you
September 13, 2011 by Dissent
Bob Sullivan has an absolutely chilling article on Red Tape that I wish were SciFi but isn’t:
Imagine being able to sit down in a bar, snap a few photos of people and quickly learn who they are, who their friends are, where they live, what kind of music they like … even predict their Social Security number.
Now, imagine you could visit one of those anonymous online dating sites and quickly identify nearly every person there, just from their photos, despite efforts to keep their online romance search a secret.
Such technology is so creepy that it was developed, and withheld, by Google — the one initiative that Google deemed too dangerous to release to the world, according to former CEO Eric Schmidt.
Too late, says Carnegie Mellon University researcher Alessandro Acquisti.
“That genie is already out of the bottle,” he said Thursday, shortly before a presentation at the annual Las Vegas Black Hat hackers’ convention that’s sure to trouble online daters, bar hoppers and anyone who ever walks down the street.
Using off-the-shelf facial recognition software and simple Internet data mining techniques, Acquisti says he’s proven that most people can now be identified simply through a photograph of their face — and anyone can do the sleuthing. In other words, our faces have become our identities, and there is little hope of remaining anonymous in a world where billions of photographs are taken and posted online every month.
Read more on Red Tape.


We have a “Software Security Engineering” class, which is really an eye opener for our students. Changes the way they think about building applications.
"Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the decade that set in motion a major shift in the way people built software ... To get some perspective on how far things have come, Threatpost spoke with Gary McGraw of Cigital about the evolution of software security since 2001."