Friday, July 26, 2013

Someone in New Jersey “gets it.” I have no idea how that happened. (Do you suppose they only targeted New Jersey Internet users?)
Alexi Friedman reports:
The state Division of Consumer Affairs today announced a settlement with an online advertising company that agreed to pay $1 million for having circumvented consumers’ privacy settings by allowing millions of targeted ads to reach unsuspecting New Jersey web users.
State officials said the ads embedded “cookies” into computer hard drives, essentially creating tracking devices that collected data of page views and search patterns. The unauthorized activity, which involved 215 million targeted ads and an untold number of people, lasted from June 2009 to February 2012, when a Wall Street Journal article detailed similar placement of cookies by other companies.
In the case of today’s settlement with New York City-based PulsePoint, the company only targeted consumers using Apple’s Safari web browser, officials said.

(Related) Clearly, someone here “gets it” too, they just use “it” for evil.
Clare Mellor reports:
Service Nova Scotia is breaching the privacy rights of licensed drivers by not letting them know they can opt out of a program in which their personal information is shared with a registered charitable organization, says the province’s freedom of information and protection of privacy review officer.
Dulcie McCallum says government needs to give people the choice to opt out of a program in which it shares registered drivers’ names and addresses with the War Amps key tag program.
Read more on Herald News.

This is not a new breach. We do not have a new record. My Ethical Hackers will enjoy the details of the Hacking Process spelled out in the indictment.
David Voreacos reports:
Four Russians and a Ukrainian were charged for their role in the largest hacking and data breach scheme in U.S. history, according to Paul Fishman, the U.S. attorney in New Jersey.
The five conspired in a “worldwide scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses,” Fishman said today in a statement. The men worked with Albert Gonzalez, a hacker serving 20 years in prison, according to the indictment unsealed in federal court in New Jersey.
Read more on Bloomberg Law.
Update: here’s a redacted copy of the indictment (pdf). It lists corporate victims: NASDAQ, 7-Eleven, Carrefour S.A., Hannaford Bros., Heartland Payment Systems, Wet Seal, Commidea Ltd., Dexia Bank Belgium, Jet Blue, Dow Jones, “Bank A” in the UAE, Euronet, Visa Jordan (part of Visa Inc.), Global Payment Systems, Diners Singapore (part of the Diners Club owned by Discover Financial Services), and Ingenicard U.S. This is the first I’m hearing about some of these, even though some were quite large breaches.

Economic Impact of Cybercrime and Cyber Espionage
Center for Strategic and International Studies July 2013: “The wide range of existing estimates of the annual loss—from a few billion dollars to hundreds of billions—reflects several difficulties. Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value. Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is that those who answer the questions “self-select,” introducing a possible source of distortion into the results. Given the data collection problems, loss estimates are based on assumptions about scale and effect—change the assumption and you get very different results. These problems leave many estimates open to question.”

Majority of Public Companies Indicate Cyber Attack Would Cause “Serious Harm”
News release: “A majority of the U.S. listed Fortune 500 firms are following the U.S. Securities and Exchange Guidelines by providing some level of disclosure regarding cyber exposures, with more than half indicating their firms would face “serious harm” or be “adversely impacted” due to a cyber-attack, according to a recent report by Willis North America, a unit of Willis Group Holdings, a leading global risk advisor, insurance and reinsurance broker. The Willis Fortune 500 Cyber Disclosure Report … are the results of an effort launched last year to track organizations’ response to SEC Guidance issued in October 2011, asking U.S. listed companies to provide extensive disclosure on their cyber exposures. The report found that 88% of the Fortune 500 are following SEC Guidelines as of April 2013 and providing “some level” of disclosure regarding cyber exposures. However, some companies within particular industries that would seem to have exposures, were silent, Willis said. Among those silent were: an insurance company, a pharmaceutical company, a restaurant chain and a health care firm – “all of which would seem to have some level of cyber risk when compared to the disclosures of their peers,” the report said.”

It appears that this is based on “Best Practices” (as one would expect from Stanford). Notify early, even if you are not yet done with your investigation. User feedback may help you scope the problem.
Billy Gallagher reports:
Stanford University urged network users to change their passwords late Wednesday evening, explaining that it “is investigating an apparent breach of its information technology infrastructure.”
Randall Livingston, Stanford’s chief financial officer, emailed the entire Stanford community, noting that Stanford does “not yet know the scope of the intrusion.”
Read more on TechCrunch.
Alerts linked from the university’s home page

If not a “Best Practice” at least amusing...
Telecompaper reports:
French internet host OVH informed its customers on 22 July that the private data of a few hundred thousand European private and business customers had been compromised by a hacker. Founder and CEO Octave Klaba wrote to subscribers that the internal network of its headquarters in Roubaix was breached when a hacker gained access to one of the system administrators’ e-mail accounts. Using this e-mail access, the perpetrator was able to break into another employee’s internal VPN and then to the account of a system administrator who handles back-office functions. [Not sure how that chain of hacks would work... Bob]
Read more on Telecompaper.
The Register provides additional details, here. I love the line in OVH’s advisory:
“In short, we were not paranoid enough so now we’re switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.”
Sometimes, yes, they are out to get you(r) data.

Even the government is starting to gather (and use?) Best Practices...
Privacy Best Practices for Social Media
“One of the Federal Government’s most important missions is to provide citizens, customers, and partners with easy access to government information and services. As society increasingly relies on social media as a primary source for information, it is clear that these platforms have an important role to play in the Federal Government’s communication strategy, including its move toward a digital, open government. Social media allows an agency to post messages in places where people regularly interact, and ensures it reaches interested audiences–including audiences known to the agency as well as those that are unknown. In addition, social media enhances the Federal Government’s situational awareness by enabling agencies to learn about problems and issues being discussed by different audiences, and allowing agencies to react, respond, and assist the public more efficiently and effectively. Government agencies also may use social media to fulfill their operational missions, for example, detecting and preventing benefit fraud and abuse.”

For my students considering a run for office?
New Tool Puts Congressional District Statistics at Your Fingertips
“The U.S. Census Bureau has released My Congressional District, the first interactive tool geared exclusively toward finding basic demographic and economic statistics for every congressional district in the U.S. This Web app uses the latest annual statistics from the American Community Survey, providing the most detailed portrait of America’s towns and neighborhoods. Users can sort through statistics in five key categories upon selection of a specific district in the application. Summary level statistics covering education, finance, jobs and housing, as well as basic demographic information, can quickly be displayed, downloaded and shared with others. A major feature of the My Congressional District app is the ability to embed a selected 113th congressional district on a user’s own webpage. The embedded district will display the latest statistics from the American Community Survey, allowing visitors to quickly view statistics for any of the 435 congressional districts and the District of Columbia.”

Develop Apps for a phone that isn't available yet.
Install Earth’s latest smartphone OS on your desktop computer – if you’re a Firefox user it’s just a couple of clicks away.
Curious about FirefoxOS, which is for sale now? That makes sense: this open source, royalty-free operating system is bound to pop up on phones all over the planet eventually, but odds are a phone running it is not yet available in your country right now. Don’t worry: you can still give it a spin on your computer – all you need is a single Firefox extension. With it you can run a virtual version of FirefoxOS and find out whether Mozilla’s smartphone operating system is right for you.

Google is helping the shift from cable to Internet...
… The Chromecast connects wirelessly to the user’s smartphone, tablet, or laptop, and can play video and music from these devices right on their television. With support for both iOS and Android, such devices double as a media source and a remote control for playback.

Interesting App?
Understand and uncover the identity of your location with a tap
“Sitegeist is a mobile application that helps you to learn more about your surroundings in seconds. Drawing on publicly available information, the app presents solid data in a simple at-a-glance format to help you tap into the pulse of your location. From demographics about people and housing to the latest popular spots or weather, Sitegeist presents localized information visually so you can get back to enjoying the neighborhood. The application draws on free APIs such as the U.S. Census, Yelp! and others to showcase what’s possible with access to data. Sitegeist was created by the Sunlight Foundation in consultation with design firm IDEO and with support from the John S. and James L. Knight Foundation. It is the third in a series of National Data Apps.”

For my Vets...
Student Characteristics and Outcomes Vary across Schools
Highly VA-funded schools generally had more positive outcomes than other VA-funded schools. Compared to other schools, highly VA-funded schools generally had higher retention rates (percentage of students returning to the same school from 1 year to the next) and graduation rates.