What strategic objective is being addressed by repeatedly crying “Wolf!??”
"Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet, InfoWorld reports. 'A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to U.S. citizens. The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but attackers are increasingly likely to target civilian entities. U.S. banks and utilities have already been hit.'"
[One random Comment: Well, how else are you going to convince people that they should be spending huge sums of taxpayer money to help private industry do the computer security work they should have already done at their own expense?

But yes, it cheapens the meaning of the real 9/11 when you use it to scare people into responding to non-lethal threats. Apparently, banks and utilities have already been hit, and nobody outside of those organizations even noticed. That tells you how much of a non-threat it is.]
They keep sharing our secrets!
"Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, [Coincidence, I'm sure Bob] are accessible via the Internet.

Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug and Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
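As an added example (not code from the article, from Ray Sharp, or from either researcher it cites), the following Python script shows one defender-side check the passage implies: reading a gateway's netfilter/iptables LOG lines and reporting inbound TCP connections that reach port 9000, the DVR control port the article says accepts commands without authentication, from hosts outside the LAN. The log lines are constructed samples in the LOG target's key=value style, the outside source addresses are RFC 5737 documentation ranges standing in for Internet hosts, 192.168.1.50 is a stand-in DVR, and the list of internal networks (RFC 1918 plus loopback and link-local) is an assumption about the site.

```python
"""Flag inbound connections from outside the LAN to the unauthenticated DVR
control port named in the article (TCP 9000), using netfilter/iptables LOG
lines. All log lines below are constructed samples, not captured traffic."""
import ipaddress
import re
from collections import Counter

DVR_CONTROL_PORT = 9000                  # port the article says accepts unauthenticated commands
FIELD_RE = re.compile(r"(\w+)=(\S*)")    # KEY=VALUE pairs as written by the netfilter LOG target

# Assumption: anything not in these ranges is treated as "outside the LAN".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]

# Constructed sample: 198.51.100.7 / 203.0.113.9 are RFC 5737 documentation
# addresses standing in for Internet hosts; 192.168.1.50 stands in for a DVR.
SAMPLE_LOG = """\
Jan 28 10:01:02 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP SPT=51234 DPT=9000 SYN
Jan 28 10:01:05 gw kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
Jan 28 10:02:11 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.1.50 PROTO=TCP SPT=4444 DPT=80 SYN
Jan 28 10:03:30 gw kernel: [FWD] IN=br0 OUT=br0 SRC=192.168.1.21 DST=192.168.1.50 PROTO=TCP SPT=33333 DPT=9000 SYN
Jan 28 10:04:00 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP SPT=51300 DPT=9000 SYN
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict (empty if none)."""
    return dict(FIELD_RE.findall(line))


def is_external(ip_str):
    """True when the address parses and lies outside every INTERNAL_NETS range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_connections(log_text, port=DVR_CONTROL_PORT):
    """Return (src, dst) pairs for TCP connections from external hosts to `port`."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        if not is_external(f.get("SRC", "")):
            continue                      # LAN-side operators are expected to use the port
        hits.append((f["SRC"], f["DST"]))
    return hits


def summarize(hits):
    """Count hits per (src, dst) so one outside host connecting repeatedly stands out."""
    return Counter(hits)


if __name__ == "__main__":
    for (src, dst), n in summarize(find_exposed_connections(SAMPLE_LOG)).items():
        print(f"DVR control port reached from outside: {src} -> {dst} ({n} connection(s))")
```

The script only surfaces exposure; the remedies the article points at are turning off UPnP on the router, so the DVR's port is never mapped outward, and applying a vendor firmware fix once one ships. Internal sources on port 9000 are deliberately not reported, since the site's own operators are expected to use it.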
Just in time for Privacy Day...
January 28, 2013
Google’s approach to government requests for user data

Google Official Blog: "..January 28, is Data Privacy Day, when the world recognizes the importance of preserving your online privacy and security. If it’s like most other days, Google—like many companies that provide online services to users—will receive dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users’ private account information. Typically this happens in connection with government investigations. It’s important for law enforcement agencies to pursue illegal activity and keep the public safe. We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information...

Today, for example, we’ve added a new section to our Transparency Report that answers many questions you might have. And last week we released data showing that government requests continue to rise, along with additional details on the U.S. legal processes—such as subpoenas, court orders and warrants—that governments use to compel us to provide this information."
Bad examples from good intentions? Does this suggest a lawyer who has never handled a data breach lawsuit?
Steven J. McDonald is General Counsel at Rhode Island School of Design and previously served as Associate Legal Counsel at The Ohio State University. On Data Privacy Day, he wrote a post on EDUCAUSE on FERPA that unintentionally demonstrates how imprecise standards are for data security and protection of student records. For example, he writes:
electronic records do raise unique security concerns, and FERPA does require us to address them. Even then, however, the standard is the same as for paper records: we must use “reasonable methods” to protect all student records. Just as it is appropriate to lock the file cabinet in which we maintain paper student records, it is appropriate to take steps to prevent unauthorized access to and disclosure of our electronic student records. How we do that, however, is largely up to us. In the words of the Family Policy Compliance Office:

[T]he standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs.
and:
an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
Should consider using? But they don’t have to, because there’s no law requiring them to if they don’t see a real risk of compromise or they just don’t have the resources.
And therein lies a big part of the rub.
If a district is totally negligent in its security and your child’s education records are breached and their PII stolen or acquired, FERPA provides no cause of action for you to sue your child’s district.
But I totally disagree with his statement:
Dealing with electronic student records is thus really not terribly difficult, nor terribly different from dealing with other electronic records. The key is simply to think about these issues, rather than to just assume that the system will take care of them. If you have a good general data security program in place already, you’re probably in good shape when it comes to student records.
How many K-12 districts have good general data security programs in place? If you think they do, trot on over to the sister site, DataBreaches.net, and start looking at some of the audits I’ve posted over the years.
Does your district have a good security program? If you want to find out, send them the letter I published earlier today. [In this blog, yesterday Bob]
Do they write subpoenas in 140 characters?
From Twitter’s blog:
Last July we released our first Twitter Transparency Report (#TTR), publishing six months of data detailing the volume of government requests we receive for user information, government requests to withhold content, and Digital Millennium Copyright Act-related complaints from copyright holders.
Since then we’ve been thinking about ways in which we can more effectively share this information, with an aim to make it more meaningful and accessible to the community at large. In celebration of #DataPrivacyDay, today, we’re rolling out a new home for our transparency report: transparency.twitter.com.
In addition to publishing the second report, we’re also introducing more granular details regarding information requests from the United States, expanding the scope of the removal requests and copyright notices sections, and adding Twitter site accessibility data from our partners at Herdict.
Read more on Twitter.