I'm sure I've made this point before: “Compliant” is not the same as “Secure.” Just because you have taken “reasonable measures” to secure your data does not mean that the bad actors will not take “completely unreasonable” (call it sophisticated or extreme) measures to get at your data. Remember, if it works against you, it might also work against hundreds of other “compliant” organizations. Is it unreasonable to expect an organization to know what data is leaving its servers?
We are writing to you because of an incident at Unique Vintage. On September 14, 2013 we discovered a data security incident that involved some of your personal information. Unique Vintage is Payment Card Industry Security Standards Council (“PCI”) compliant and implements the latest measures reasonably possible to protect its customers’ sensitive information. However, the very sophisticated data breach concerning this incident involved malicious malware that was siphoning customer information from Unique Vintage’s website from approximately January 2012 until September 14, 2013. The information breached contained customer names, email addresses, telephone numbers and credit card numbers.
Read more of Unique Vintage’s consumer notification letter here (pdf).
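Knowing what data is leaving your servers is a check you can actually automate. The following is an added example (my code, not anything from the post or from Unique Vintage): it scans constructed egress-proxy records from a web tier for digit runs that pass the Luhn check and alerts when such a number is sent anywhere other than an assumed payment-processor host. The log format, the host names and the allowlist are all assumptions for the example.

```python
"""
Added example, not part of the post or of Unique Vintage's systems: a small
egress check that looks for payment-card numbers leaving a web tier toward
destinations that are not the payment processor. The log format and the
destinations are constructed for the example.
"""
import re
from collections import Counter

# Constructed sample of outbound requests as an egress proxy might record
# them: timestamp, source host, destination, and an excerpt of the body.
SAMPLE_EGRESS_LOG = """\
2013-09-14T02:10:07Z shop-web-01 dst=api.payments.example body=order=1234&amt=59.99
2013-09-14T02:10:09Z shop-web-01 dst=cdn.static.example body=GET /fonts.css
2013-09-14T02:11:12Z shop-web-01 dst=203.0.113.45 body=n=Jane+Doe&e=jane@example.net&p=5551234567&cc=4111111111111111
2013-09-14T02:11:13Z shop-web-01 dst=203.0.113.45 body=n=John+Roe&e=john@example.org&p=5559876543&cc=5500000000000004
2013-09-14T02:12:00Z shop-web-01 dst=api.payments.example body=order=1235&cc=4111111111111111
2013-09-14T02:12:30Z shop-web-01 dst=metrics.example body=session=1234567890123456
"""

# Assumed: the only host that is supposed to receive card numbers.
ALLOWED_CARD_DESTINATIONS = {"api.payments.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dst=(?P<dst>\S+) body=(?P<body>.*)$")
# 13 to 19 digits not adjacent to other digits: the usual PAN length range.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (order ids, session ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit runs in the PAN length range that also pass the Luhn check."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text) if luhn_ok(m.group(0))]


def mask(pan: str) -> str:
    """Keep only the BIN and last four so the alert itself does not carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_egress(log_text: str, allowed=ALLOWED_CARD_DESTINATIONS) -> list[dict]:
    """One alert per outbound request that carries a PAN to a non-approved destination."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pans = find_pans(m["body"])
        if pans and m["dst"] not in allowed:
            alerts.append({
                "ts": m["ts"],
                "host": m["host"],
                "dst": m["dst"],
                "pans": [mask(p) for p in pans],
            })
    return alerts


def destinations(alerts: list[dict]) -> Counter:
    """Alerts per destination; one unknown host receiving many PANs is the signal to chase."""
    return Counter(a["dst"] for a in alerts)


if __name__ == "__main__":
    found = scan_egress(SAMPLE_EGRESS_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} -> {a['dst']} PAN(s): {', '.join(a['pans'])}")
    print("alerts per destination:", dict(destinations(found)))
```

On the constructed sample, the two posts to the bare IP address are flagged, the post to the allowed processor host is not, and the 16-digit session id to the metrics host is dropped by the Luhn filter. The value of a check like this is not the regex but the allowlist: once you have written down where card data is supposed to go, anything else becomes visible.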
For my Ethical Hackers. Time is money. All you have to do is beat the other guy...
Somebody Stole 7 Milliseconds From the Federal Reserve
Last Wednesday, the Fed announced that it would not be tapering its bond buying program. This news was released at precisely 2 pm in Washington "as measured by the national atomic clock." It takes 7 milliseconds for this information to get to Chicago. However, several huge orders that were based on the Fed's decision were placed on Chicago exchanges 2-3 milliseconds after 2 pm. How did this happen? CNBC has the story here, and the answer is: we don't know.
Several interesting points...
If you haven’t already bookmarked JustSecurity.org for daily reading, do so now.
Julian Sanchez writes:
Between Edward Snowden’s ongoing leaks and a series of frankly unprecedented disclosures by the government itself, the public now knows quite a bit about the NSA’s controversial telephony metadata program, which makes use of the Patriot Act’s §215 to collect, in bulk, nearly all Americans’ domestic call detail records from telephone carriers. We know far less, however, about the government’s bulk collection of Internet metadata under FISA’s pen register/trap-&-trace authority, which supposedly ceased in 2011—though some such collection almost certainly continues in a more limited form.
Read more on Just Security.
[From the article:
The crucial point here is that the detailed “metadata” for a particular Internet communication, past the IP layer, typically wouldn’t be processed or stored by the ISP in the way that phone numbers and other call data is stored by the phone company. From the ISP’s perspective, all of that stuff is content.
(Related) Perhaps they are reading a different constitution?
Nathan Freed Wessler writes:
The Drug Enforcement Administration thinks people have “no constitutionally protected privacy interest” in their confidential prescription records, according to a brief filed last month in federal court. That disconcerting statement comes in response to an ACLU lawsuit challenging the DEA’s practice of obtaining private medical information without a warrant. The ACLU has just filed its response brief, explaining to the court why the DEA’s position is both startling and wrong.
Read more on the ACLU.
How many others should join this quest?
Dropbox has filed an amicus brief in support of a consolidated brought in the FISC by five tech giants seeking to be more transparent with the public about government requests for user information.
You get one “Please,” after that it's “or else.”
Rosalind English writes:
R (on the application of R) v Chief Constable [2013] EWHC 2864 (Admin) 24 September 2013 – read judgment
The High Court has ruled that it is not a breach of the right to private life to request DNA samples from those who were convicted of serious offences before it became commonplace to take samples for the production of DNA profiles for the investigation of crime.
Read more about the case and ruling on UK Human Rights Blog.
[From the article:
He refused to give the sample when it was sought initially, so he was sent a letter requiring him to attend at a police station to provide the sample on pain of arrest. He applied for judicial review of this requirement, arguing that it was an unlawful incursion on his right to privacy under Article 8.
In the light of the fact that the claimant’s previous convictions had been for manslaughter and kidnapping, the police had identified him as falling within the criteria for a nationwide operation [Sort of an informal, retroactive law? Bob] to ensure that those convicted of homicides and/or sexual offences have a confirmed DNA profile held on the National DNA Database.
For my Cloud Security students.
UK – Protecting Vulnerable Data Subjects
Protecting Vulnerable Data Subjects: Findings from a Survey of EU Data Protection Officials on the Use of Cloud Services in Organisations – September 23, 2013
“The use of commercial cloud services by public organisations in Europe is growing. While the benefits of cloud computing are indisputable, the public sector contains certain particularly sensitive or vulnerable user populations whose privacy requires special protection. Critical examples include civil servants employed by local or national governments and – the subject of particular emphasis in this report – children in schools.
The most widely used cloud services today are typically free or very inexpensive offerings designed as vehicles for online behavioural advertising aimed at individual consumers. SafeGov.org is concerned that by repurposing such advertising-driven services for users within organisations, cloud providers may deliberately or inadvertently expose these data subjects to online advertising, profiling or other forms of personal information processing that violate their rights under EU data protection laws. The risk is particularly acute in the absence of constraints on the contractual relations between data processors and data controllers that ensure the rights to information and consent of the data subjects in these organisational contexts.”
The pendulum has swung a bit too far here.
A seventh-grade student in Virginia Beach, Va., has been suspended from school for playing with an airsoft gun with a friend in his front yard while waiting for the school bus.
WAVY-TV reports that 13-year-old Khalid Caraballo will find out soon if he will be expelled for "possession, handling and use of a firearm" because the guns were fired at two others playing in Caraballo's yard.
A neighbor saw Khalid shooting the airsoft gun in his yard and called 911, telling the dispatcher, "He is pointing the gun, and it looks like there's a target in a tree in his front yard," the station reported.
… The school's so-called "zero-tolerance" policy on guns extends to private property, according to the report.
Khalid's mother, Solangel Caraballo, said it's ridiculous that her son and his friends were suspended because they were firing the airsoft gun on private property.
"My son is my private property. He does not become the school's property until he goes to the bus stop, gets on the bus, and goes to school," Caraballo told the station.
… "The school said I had possession of a firearm. They aren't going to ask me any questions. They are going to think it was a real gun, and I was trying to hurt someone," he said.
Is this what makes it a great investment? Definitely worth reading the article.
Josh Harkinson writes:
Facebook gets all the bad press, but the bigger threat to your online privacy these days might be your Twitter account. Twitter knows you much better than you may realize. And as it prepares for an IPO, it’s taking steps that may allow it to profit from your data in ways that would provoke howls of protest were Mark Zuckerberg to try the same.
Read more on Mother Jones.
[From the article:
Much of the data Twitter collects about you doesn't actually come from Twitter. Consider the little "tweet" buttons embedded on websites all over the net. Those can also function as tracking devices. Any website with a "tweet" button—from Mother Jones to Playboy—automatically informs Twitter that you've arrived.
… These moves might seem quaint a year from now, when Twitter ranks as the most sophisticated advertising platform in cyberspace. Earlier this month, the company announced that it was acquiring MoPub, a middleman that places ads within mobile apps. "The MoPub acquisition allows Twitter to fundamentally change how mobile ads are purchased and places them at the forefront of how mobile, Web, and social ads interact," Antonio Garcia, a former Facebook employee and creator of its FBX real-time ad exchange, wrote on his blog last week. "This makes Twitter the most interesting company in advertising right now."
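The tracking the excerpt describes works because the browser fetches the button's script from Twitter's servers on every page view, sending along any Twitter cookie it holds and, depending on the page's referrer policy, the URL of the page being read. As an added example (my code, not anything from Mother Jones or Twitter), the audit below lists every third-party host a constructed page makes the browser contact without a click, and reports whether the page declares a referrer policy. The page markup, the news site, and the ad and video hosts are all constructed for the example; the hardened variant simply adds a meta referrer tag, which the article does not discuss.

```python
"""
Added example, not from the Mother Jones piece or from Twitter: an audit that
lists which third-party hosts a page causes the browser to contact
automatically (scripts, frames, images, stylesheets) and whether the page
declares a referrer policy. The HTML below is constructed; the news site, ad
host and video host are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page for a hypothetical news site with an embedded share
# button script, an ad pixel and a video frame.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://platform.twitter.com/widgets.js"></script>
</head><body>
<a href="https://twitter.com/share" class="twitter-share-button">Tweet</a>
<img src="/images/logo.png">
<img src="https://cdn.example-ads.net/pixel.gif">
<iframe src="https://video.example-embed.net/player/abc"></iframe>
</body></html>"""

# Same page with a meta referrer policy added (a hardening step the article
# does not describe): third parties are still contacted, but without the URL.
HARDENED_PAGE = SAMPLE_PAGE.replace(
    "<head>", '<head>\n<meta name="referrer" content="no-referrer">'
)

# Policies under which a cross-origin request still carries the full page URL.
FULL_URL_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}


class EmbedCollector(HTMLParser):
    # Elements the browser fetches without user action; <a href> is excluded
    # because a plain link only reaches the third party when clicked.
    SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.referrer_policy = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.referrer_policy = a.get("content")
        attr = self.SRC_ATTRS.get(tag)
        if attr and a.get(attr):
            self.urls.append((tag, a[attr]))


def audit_embeds(html: str, page_url: str) -> dict:
    """Third-party hosts contacted automatically, plus the page's referrer policy."""
    p = EmbedCollector()
    p.feed(html)
    first_party = urlsplit(page_url).hostname
    third = {}
    for tag, u in p.urls:
        host = urlsplit(urljoin(page_url, u)).hostname  # resolves relative URLs
        if host and host != first_party and not host.endswith("." + first_party):
            third.setdefault(host, set()).add(tag)
    policy = p.referrer_policy
    return {
        "third_party": {h: sorted(t) for h, t in sorted(third.items())},
        "referrer_policy": policy,
        # None means the browser default applies: historically the full URL,
        # in current browsers the origin only (strict-origin-when-cross-origin).
        "full_url_may_leak": policy is None or policy in FULL_URL_POLICIES,
    }


if __name__ == "__main__":
    for label, page in (("as published", SAMPLE_PAGE), ("hardened", HARDENED_PAGE)):
        r = audit_embeds(page, "https://news.example.org/story/42")
        print(label, "| referrer policy:", r["referrer_policy"],
              "| full URL may leak:", r["full_url_may_leak"])
        for host, tags in r["third_party"].items():
            print("  contacts", host, "via", ", ".join(tags))
```

The point the audit makes is that the referrer policy only limits what the third party learns about the page; the request itself, and the cookie that identifies the visitor, still go out for as long as the script, frame or image is embedded. Removing or deferring the embed is the only change that stops the "you've arrived" notification.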
(Related) Your own, personal “stalker tool.”
– When you evaluate a Twitter Profile, whether to follow them or to reach out to them as an influencer, you can’t get a good idea about them unless you manually go through page after page of their tweets. Twibitz was created to solve this problem by analyzing any public Twitter profile and creating a snapshot of that user based on their profile and history.
Something to kick around with my fellow Computer Security instructors...
Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making
“This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government. The report focuses on three essential elements: (1) understanding the context for cybersecurity workforce development, (2) considering the relative advantages, disadvantages, and approaches to professionalizing the nation’s cybersecurity workforce, and (3) setting forth criteria that can be used to identify which, if any, specialty areas may require professionalization and set forth criteria for evaluating different approaches and tools for professionalization. Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making characterizes the current landscape for cybersecurity workforce development and sets forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.”
For my students who research (it should be all of them!)
A brief guide to discovering open access journals and articles on ScienceDirect
News release: “At Elsevier, we have been busy scaling our open-access publishing program; we now publish 56 open-access journals and host a further 91 on behalf of our society and publishing partners. However, you may not know how to navigate to these journals and articles. Here are some tips to help you find this content easily.
1. Find a list of open-access journals: You can navigate to our list of open access journals from the ScienceDirect homepage by clicking the link for our “Open Access Journal Directory” or bookmarking http://www.sciencedirect.com/science/browse/all/open-access.
2. Find a list of all journals that have open-access articles: In addition to our 56 open access journals, we give authors the option to publish open-access articles in over 1,600 of our established journals. Find a list of these journals on the ScienceDirect homepage by clicking “View all publications with Open Access articles.” Once you are in the publication list, you can limit your results to open-access journals or journals that contain open-access articles by selecting the appropriate filter checkboxes.
3. Find a list of open-access articles: The easiest way to find relevant open-access articles is to search ScienceDirect. By keying in your search terms, you will be able to identify any relevant open-access articles in your search results by looking for the label “Open Access.”
4. Search only for open access articles: If you would prefer to see filtered results that only show open-access articles, then you need to use the advanced search. In the advanced search, you can refine your search results to only show open-access articles by selecting the checkbox for Open Access Articles.”
It looks like I'll get to play with the school's 3D printer. I better start gathering some 3D tools. This one is more for display than printing.
The Future Is Here: Sketchfab Puts 3D Models Right In Your Browser
With free, powerful 3D modeling applications like Blender and SketchUp, creating high-quality 3D models is more affordable and doable than ever before. Judging by the comments to my interview with Rafael Grassetti, there’s a lot of interest in creating models and working in 3D. Sharing those models with others, however, remains tricky. SketchUp has its 3D Warehouse where users can share models, but the warehouse requires you to log in — and you must share the actual model, rather than a 3D render of it.
Sketchfab is an interesting service that tries to solve this, by letting you upload 3D models and embed them in beautifully rendered form anywhere on the Web. No plug-ins are required to view your embedded models: Just HTML5. Even if you’re not a 3D designer, the Sketchfab website is a beautiful repository of inspiring designs, and is fun to just cruise around in.
(Related)
Autodesk and Circuits.io Launch New Electronics Design Tool 123D Circuits
Autodesk expanded its offering of free 3D modeling tools last week by joining with Circuits.io to launch a free electronics design tool called 123D Circuits. 123D Circuits allows the user to either learn circuit design or put their existing electronics knowledge to use by designing virtual electronic circuits that can be simulated inside of the software. It’s a web-based tool, so the user doesn’t need to install any software to create virtual circuits.
… You can access 123D Circuits directly at the Circuits.io website.
For my Ethical Hackers.
FREE MANUAL! Take Control: The Android Rooting Guide
For my students.
http://www.makeuseof.com/tag/how-you-can-learn-a-new-language-while-browsing-the-web-with-lingua-ly/
How You Can Learn A New Language While Browsing The Web With Lingua.ly
… The Internet has helped to do away with the language tutor – websites like Duolingo and Busuu can easily tell you if you have an ear for new languages; and how you can develop one. But once you get the basics right, you need to keep practicing. That’s what inspired me to write the article on how to learn a new language with the help of Chrome.
Following in that wake, I discovered Lingua.ly. Lingua.ly is another innovative language learning tool that helps you become familiar with foreign words while browsing the Web.
… Lingua.ly is a Chrome extension. Think of it as your smart personal language “tutor”. … Currently, you can learn Spanish, French, Hebrew, Arabic, and English.
… After installing the extension, just go to a webpage which is in the language of your choice. … On the webpage, click on the words you want to learn. Lingua.ly automatically picks them up and displays the translation for you to understand with the help of audio pronunciations and definitions.
I'm teaching Statistics again next Quarter. It's always useful to find a little inspiration before I start.
Perhaps no one has done more for the cause of data-driven decision-making in the minds of the public than Nate Silver. His book, The Signal and the Noise, explains the power of statistical modeling to improve our predictions about everything from the weather to sports to the stock market. Data science is the hottest field to be in right now, and Silver is its poster child.
1 comment:
Cybersecurity workforce development section provides capabilities to help organizations build a strong world-class cyber workforce.