Thursday, November 03, 2011


Why would a branch store in California have data on all the company's customers? Sounds like an invitation to steal the data!
Aaron’s operations computer stolen during burglary, contained customers’ Social Security numbers
November 2, 2011 by admin
It never rains but it pours?
I had never heard of Aaron’s until earlier this year when they were sued for allegedly installing spyware on rent-to-own computers. But now I see their name again – this time, on a breach notification to the New Hampshire Attorney General’s Office.
According to the firm’s letter of October 18, a Fresno, California franchise was burglarized. Aaron’s was informed of the burglary on September 26, [no indication of when it actually occurred Bob] and by September 30, had determined that a computer stolen in the burglary contained customers’ names and Social Security numbers. According to their notification, 1,008 residents of New Hampshire were affected by the breach; the nationwide total was not provided. Reportedly, the computer contained information on the franchisee’s customers and (other) Aaron’s customers.
The firm sent out notifications to consumers the week of October 17, offering them free credit monitoring services even though it appeared the computer was likely stolen for its hardware value and not for the data. [That is a good way of saying it, however what they actually said in the New Hampshire letter was:
“All of the circumstances indicate that this was a common petty theft and that there was no intent to obtain or distribute personal information on the computers. We also have no reason to believe that the information has been accessed by the thieves.”
I doubt that circumstances indicate intent or that their belief that the thieves didn't want the data is any more reliable than my belief that they did. Bob]


Confusing. Did the breach involve only one bank? Very unlikely. So are the other banks lying? Why would MasterCard not notify everyone? If it is a merchant breach, why only debit cards?
Update, Iowa – MasterCard issues local security alert
November 2, 2011 by admin
Bob Eschliman reports more on a recent breach disclosure in Iowa:
The MasterCard Fraud Management department has been notified of a security breach of a U.S. merchant’s network. A data security firm has been engaged to conduct an onsite forensic investigation. This alert discloses the payment account numbers of MasterCard accounts that were potentially exposed to compromise.
Preliminary investigations indicate that magnetic stripe data is at risk.
This alert contains account numbers used in transactions at the subject merchant from November 2, 2010 through April 20, 2011.
What I find intriguing is that no other bank in the area has indicated that they have been notified of the merchant breach.
That’s also a long time for the network to have been breached without the merchant realizing it, although sadly, it’s not particularly uncommon.
[From the Southwest article:
No information was believed to be stolen... [But that's wishful thinking, because... Bob]
… The letter stated the bank was not provided details of the security compromise
… This involved only debit card accounts.
… Baier indicated the compromise occurred with the data processor, not with Bank Iowa, and that the confidential information for all other accounts at the Clarinda bank are still safe. Bank president John Krummel said the data processor was MasterCard.
He provided a copy of the notice sent to the bank, with the affected account numbers redacted to protect customers’ privacy. The report stated:
The MasterCard Fraud Management department has been notified of a security breach of a U.S. merchant’s network. [i.e. NOT MasterCard Bob]
… Other banks in Clarinda said they were not notified of any security compromise. Bob]


“All your Facebook base belong to my bot”
Researchers Glean 250GB of Facebook User Data with New Socialbot
Facebook's "Immune System" might not be as robust as Zuckerberg believes. In fact, four researchers from the University of British Columbia have recently demonstrated just how easily a new breed of bot can infiltrate the FB system and harvest user data.
Socialbots, also known as "sock puppet" bots, are designed to mimic a human user. Those unsolicited Friend invites you receive from scantily-clad co-eds? Socialbots. And, once Friended, they obtain instant access to email addresses, phone numbers, and the rest of your personal details that you only share with your "Friends."
Researchers from UBC devised this eight-week test, employing a single botmaster and 102 bots, to infiltrate the Facebook network specifically because the team believed FB to have superior security measures compared to other social sites (*snicker*). Their ruse eventually garnered more than 3000 new—presumably human—friends with a network of nearly a million users. As for Facebook's "Immune System," only 20 bots were flagged and only because users reported them for spam.


Is “silent” the same as “private?” Can I have any expectation of privacy if I can be compelled to disclose that which I want to remain private? Is “foregone conclusion” (We know they exist and are here on your laptop) the same as “We know what they contain?” in which case would they need my key?
Does the Fifth Amendment Protect Your Encryption Key?
November 3, 2011 by Dissent
In a new article on an unresolved question, Joshua A. Engel writes, in part:
In cases starting to wind through state and federal courts, the government has sought to compel suspects and defendants to provide passwords and encryption keys. For example, in a Colorado case involving allegations of real estate fraud, the government seized several computers after executing search warrants at the defendant’s residence. The government obtained an additional search warrant to search a laptop, but was unable to read the encrypted contents. The government then sought an order compelling the defendant to provide or enter the password.
The Colorado case remains undecided, but other courts to address this issue have generally concluded that the provision of a password or encryption key is subject to the protections of the Fifth Amendment because the provision of this information is essentially an admission that the person had possession and control over, and access to, the computer, files, or data. A good illustration is found in In re Grand Jury Subpoena to Sebastian Boucher. U.S.D.C., D. Vt. No. 2:06-mj-91 (February 19, 2009).
Read more on LTN.


I would seriously disagree – if IT actually had a memory for “things we did before” they would remember integrating those pesky “Personal” computers they ignored for years... Even Local Area Networks (LANs) were introduced to the organization by accounting (and other) departments over the objection of IT.
"Advice Line's Bob Lewis discusses the difficulties IT faces in embracing the kinds of consumer technologies business users are demanding they support. 'Let's assume the consumerization of IT is the big trend many think it is. But using consumer tech in a business environment is a very different matter from being satisfied with consumer tech in a business environment. One of IT's legitimate [I'd say: “irrational” Bob] gripes is that we're often asked to turn consumer-grade technology into business-grade technology with a wave of our magic wands. On top of the intrinsic technical challenges, there's this: IT doesn't have anything that even resembles a methodology for performing the business analysis we need to figure out what it means to put consumer tech to productive day-to-day use.'"


A “Buy my Security Product/Service” survey?
http://www.databreaches.net/?p=21297
What does the Unisys Security Index really tell us about consumer responses to a data breach?
November 2, 2011 by admin
I’m going to post a press release from Unisys with a warning: never confuse what consumers say they will do with what they actually do. [Amen Bob] I’ll meet you on the other side of the release:
Americans will go to great lengths to avoid identity theft, and many say they would take legal action against government or private organizations that compromise their personal data, according to new research conducted by Unisys Corporation.
Results from the bi-annual Unisys Security Index, which surveys more than 1,000 Americans for consumer views on a wide range of security concerns, indicated that more than three-quarters of respondents would stop dealing with an organization entirely in the event of a security breach, underlining the need to better protect customers’ personal data shared electronically.
Nearly 90 percent of all survey respondents said they would take some sort of action in the event of a data breach, ranging from conservative solutions like changing their passwords (87 percent) to those with more serious commercial implications, such as closing their accounts (76 percent) or taking legal action (53 percent).
Organizations that ignore security concerns also face public perception risks. Nearly 65 percent of U.S. survey respondents said they’d publicly expose a company that allows a breach. And in a world where communities such as Facebook and Twitter provide the opportunity to instantly broadcast dissatisfaction to a broad audience, this threat seems more real than ever before.
The Unisys study also revealed that more than half of surveyed Americans are willing to provide biometric data to secure their identities. This includes a willingness to provide biometric data at security checkpoints at airports (59.6 percent); when conducting financial transactions with banking institutions (56.9 percent); and when receiving government benefits or other services (53.0 percent).
Still, only 21.3 percent were willing to give their biometric data to social media sites, suggesting a perception that either these entities were less careful with their data, or that the risk was simply not worth the reward.
“The latest results of the Unisys Security Index suggest that organizations face very real business and financial implications for security breaches,” said Steve Vinsik, vice president, enterprise security, Unisys. “Given recent highly publicized breaches that have exposed large amounts of sensitive data, the results should be a wake-up call for organizations to take more proactive measures to protect customer data.”
The new findings follow the results of the May 2011 Unisys Security Index, in which 70 percent of respondents reported they were seriously concerned about identity theft.
The Unisys Security Index found similar responses in 11 other countries where the survey was performed. For example, 82 percent of citizens surveyed in the United Kingdom said they would close their accounts with an organization responsible for a breach of their private data. In Mexico, 62 percent said they would publicly expose the issue, and 86 percent of Brazilians surveyed said they would take legal action.
About the Unisys Security Index
The Unisys Security Index is a bi-annual global study that provides insights into the attitudes of consumers on a wide range of security-related issues. Lieberman Research Group conducted the survey in Latin America, Europe and the U.S.; Newspoll conducted the research in Asia-Pacific. The Unisys Security Index surveys more than 10,000 people in 12 countries: Australia, Belgium, Brazil, Colombia, Germany, Hong Kong, Mexico, the Netherlands, New Zealand, Spain, the United Kingdom and the United States. For more information, visit www.unisyssecurityindex.com.
Okay, now most readers of my blog have been reading dire warnings about churn and reputation harm for years. And now we have 76% reporting that they would stop doing business with a company? Seriously? No way. They may bluster and tell that to pollsters, and maybe they even believe they would do it, but I want to see a survey of those who received breach notifications that shows that 76% stopped doing business with the firm. Did 76% of Sony PSE users stop using Sony? No. Has 76% of ANY business’s or bank’s customer or client base left them following a breach? No. Think TJX. Think any big breach. That statistic just does not stack up to the reality of what we see following a breach.
It’s time to stop asking people what they would do and ask more people what they have actually done.


Do you think this will spread to the US? Is a Policy enough to justify firing?
Apple was OK to fire man for private Facebook comments
November 3, 2011 by Dissent
Anna Leach reports:
Apple was right to fire an employee of one of its UK stores for saying rude things about the company on his Facebook wall, an employment tribunal in Bury St Edmunds ruled.*
The tribunal judge upheld Apple’s dismissal of the man for gross misconduct in a case which sets another precedent for social network users who like to bitch about work online.
The Apple Store worker had made derogatory comments about Apple’s brand and products on his Facebook wall. Although his posts were not public, one of his unfriendlier “friends” – also a colleague in the store – printed the comments out and showed them to their boss, who fired the man for misconduct.
Read more on The Register.
One of the key elements of the case was that Apple had a clear policy in place, so it is not like the employees weren’t forewarned about conduct on social media. The second key element was that even using the “private” setting on Facebook does not protect the employee, because it’s so easy for “friends” to copy and paste “private” messages that Facebook users/employees cannot really invoke Article 8 of the European Convention on Human Rights.
So how does that play out for students in schools, posting from their home on their own time? Freedom of expression seems to be shrinking as employers and schools establish policies and justify limiting speech off-hours.
Hmmm.


Oh, the horror!
November 02, 2011
New on LLRX.com - The Digital Death of Copyright's First Sale Doctrine
via LLRX.com - The Digital Death of Copyright's First Sale Doctrine: An important copyright case won't be argued in the Supreme Court, which on October 3, 2011 declined to review Vernor v. Autodesk, a Ninth Circuit Court of Appeals decision involving the applicability of copyright's first sale doctrine to transactions involving software and other digital information goods. Law professor Annmarie Bridy discusses the wide reaching impact of the first sale doctrine, without which there would be no free market for used books, CDs, or DVDs, because the copyright owner's right of distribution would reach beyond the first sale, all the way down the stream of commerce.


This is smart! A library that generates its own content! Probably lots of non-academic publications they could assist with...
November 01, 2011
Library Publishing Services: Strategies for Success - Research Report
Library Publishing Services: Strategies for Success, Research Report Version 1.0. James L. Mullins, Catherine Murray-Rust, Joyce Ogburn, Raym Crow, October Ivins, Allyson Mower, Mark P. Newton, Daureen Nesdill, Julie Speer, and Charles Watkinson. Libraries Research Publications. Paper 136.
  • "Over the past five years, libraries have begun to expand their role in the scholarly publishing value chain by offering a greater range of pre-publication and editorial support services. Given the rapid evolution of these services, there is a clear community need for practical guidance concerning the challenges and opportunities facing library-based publishing programs. Recognizing that library publishing services represent one part of a complex ecology of scholarly communication, Purdue University Libraries, in collaboration with the Libraries of Georgia Institute of Technology and the University of Utah, secured an IMLS National Leadership Grant under the title Library Publishing Services: Strategies for Success. The project, conducted between October 2010 and September 2011, seeks to advance the professionalism of library-based publishing by identifying successful library publishing strategies and services, highlighting best practices, and recommending priorities for building capacity."


Perspective. Siri the Google killer? Voice interface has been discussed for years as the simplest way to communicate with your computer. (Decades in the SciFi literature)
"Gary Morgenthaler, a recognized expert in artificial intelligence and a Siri board member, says that Apple now has at least a two-year advantage over Google in the war for best smartphone platform. 'What Siri has done is changed people's expectations about what's possible,' says Morgenthaler. 'Apple has crossed a threshold; people now expect that you should be able to expect to speak ordinary English — and be understood. Siri has cracked the code.' The threshold, from mere speech recognition to natural language input and understanding, is one that Google cannot cross by replicating the technology or making an acquisition, adds Morgenthaler. 'There's no company out there they can go buy.' Morgenthaler's comments echo the recent article in Forbes Magazine, 'Why Siri Is a Google Killer' that says that Apple's biggest advantage over any other voice application out there today is the massive data Siri will collect in the next 2 years — all being stored in Apple's massive North Carolina data center — that will allow Siri to get better and better. 'Siri is a new interface for customers wanting to get information,' writes Eric Jackson. 'At the moment, most of us still rely on Google for getting at the info we want. But Siri has a foot in the door and it's trusting that it will win your confidence over time to do basic info gathering.'"


Perspective:
The End of an Era: Internet Explorer Drops Below 50 Percent of Web Usage


It seems you can get a bit carried away with this “Green” stuff... (Note to students: Wearing your jeans in sub-freezing weather is not the same as washing them!)
Stone-Washed Blue Jeans (Minus the Washed)
Levi Strauss suggests washing jeans rarely, if at all — the theory being that putting them in the freezer will kill germs that cause them to smell.


Geeky giggles!
Japan Pushes World’s Fastest Computer Past 10 Petaflop Barrier


Global Warming! Global Warming! Injecting politics always makes bad science.
Scientist who said climate change sceptics had been proved wrong accused of hiding truth by colleague
It was hailed as the scientific study that ended the global warming debate once and for all – the research that, in the words of its director, ‘proved you should not be a sceptic, at least not any longer’.
… But today The Mail on Sunday can reveal that a leading member of Prof Muller’s team has accused him of trying to mislead the public by hiding the fact that BEST’s research shows global warming has stopped.


Interesting business model: Get someone with no claim to fame other than being famous and have them pick (not just suggest) the products you buy. I never would have thought of that.
BeachMint’s BeautyMint Gets 500,000 Visitors In First 24 Hours (Thanks To Jessica Simpson)


When I saw this Infographic, I asked myself what percentage of this activity we were teaching our students about...
60 Seconds on the Internet [Infographic]

(Related) That wasn't depressing enough, so look at this one...
Infographic: The Mobile World In 60 Seconds
