Is this really the best we can do?

Kavita Kumar reports:

Schnuck Markets has agreed to a proposed class-action settlement stemming from the breach of its computer systems in which an estimated 2.4 million payment cards were compromised.

The preliminary settlement was presented to St. Louis Circuit Judge David Dowd on Wednesday afternoon. He is expected to rule on it in the coming weeks.

He also is considering a motion to intervene in the case by a lawyer pursuing one of the related federal lawsuits still pending. The lawyer, Matt Armstrong, argued at the court hearing that the proposed settlement may not be a good deal for consumers.

Read more on St. Louis Post-Dispatch.

This proposed settlement sounds like a much better deal than most customers usually get in one of these lawsuits, as it includes reimbursement (at $10/hour) for up to three hours of time spent dealing with the breach, reimbursement for bank fees, late fees, etc., and instances of identity theft loss. Overall, reimbursing customers $10 per customer doesn’t sound great, but it is better than what we usually see.
A “Meta-Hack” for my Ethical Hackers. Hack a provider’s system, let them install the malware as part of their “Trusted” service.

Dan Goodin reports:

Maintainers of the open-source PHP programming language have locked down the php.net website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors’ computers.

The compromise was discovered Thursday morning by Google’s safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.

Read more on Ars Technica.

(Related) Government systems are good to hack. They are easily compromised and no one seems to care.
Dana Liebelson reports:

With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.

According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called “clickjacking,” where invisible links are planted on a legitimate web page.

Read more on Mother Jones.
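The defence against clickjacking is a response header that tells the browser not to render the page inside a third-party frame. The following checker, an added example and not code from the article or from the Healthcare.gov team, classifies a response's framing protection from its headers; the sample header sets are constructed for illustration and are not the site's real headers.

```python
def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers):
    """Classify framing protection as ('protected'|'weak'|'missing', reason).

    Header names are matched case-insensitively. Browsers apply CSP
    frame-ancestors first and consult X-Frame-Options only when it is
    absent; a Report-Only CSP is ignored because it never blocks framing.
    """
    h = {k.lower(): v for k, v in headers.items()}

    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "*" in sources:
            return "weak", "frame-ancestors * allows any origin to frame the page"
        return "protected", "CSP frame-ancestors %s" % " ".join(sources or ["'none'"])

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options %s" % xfo
    if xfo:  # ALLOW-FROM or an invalid value: current browsers ignore it
        return "weak", "X-Frame-Options %r is not enforced by current browsers" % xfo
    return "missing", "no frame-ancestors directive or X-Frame-Options header"


# Constructed sample responses for demonstration (not real site headers).
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "xfo_deny": {"x-frame-options": "deny"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, reason = frame_protection(hdrs)
        print("%-13s %-10s %s" % (name, verdict, reason))
```

Note that the wildcard CSP sample is reported as weak even though it also sends `X-Frame-Options: DENY`, because browsers give the CSP directive precedence.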
California will surely “fix” this.

Paul Paray comments on the recent ruling in California involving statutory damages under the CMIA in the event of a breach:

Insurers providing privacy liability coverage were collectively breathing a sigh of relief last week given a decision from the California Court of Appeals. Interpreting the California Medical Information Act (CMIA), the court in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, No. B249148 (Cal. Ct. App. October 15, 2013) significantly limited the ability of plaintiffs to obtain nominal statutory damages of $1,000 per patient under CMIA. For the past several years, CMIA was pretty much the best game in town when it came to statutory damages involving a data breach. Although enacted in 2008, CMIA was only over the past several years successfully used by plaintiffs’ counsel to obtain settlements previously unattainable post-breach. The CMIA “statutory damages” bonanza reaped by class counsel was significant – the prospect of such damages allowed counsel to overcome Article III and other “lack of injury” arguments, potentially allowed for class certification even with an otherwise uneven plaintiff pool, and created an early incentive to settle on the part of a defendant – and its insurer – given the potential size of an award.

It is no surprise CMIA was the bane of a good number of network security and privacy insurers – it led to significant settlements that would not have otherwise occurred. The Regents decision is noteworthy given it was the first appellate court to decide the availability of CMIA statutory damages and rejected the notion that mere negligence coupled with disclosure could trigger statutory damages. This is a significant departure from how the law was interpreted by the lower courts and instantly dried up a good part of the statutory damages manna drunk by the plaintiffs’ bar.

Read more on InformationLawGroup.
Let me redundantly reiterate my repetition: The NSA listens to EVERYTHING. Which part of everything do you not understand?

Actually, it goes back much further than this...

Is this similar to the Hawthorne Effect? Any attention you pay to employees improves productivity? (Since the object of the monitoring, reducing theft, didn't pan out.)
Are secure communications business models illegal?

EFF has filed this amicus brief (pdf) in support of Lavabit. Here is their press release on it:

Federal law enforcement officers compromised the backbone of the Internet and violated the Fourth Amendment when they demanded private encryption keys from the email provider Lavabit, the Electronic Frontier Foundation (EFF) argues in a brief submitted yesterday afternoon to the US Court of Appeals for the Fourth Circuit. In the amicus brief, EFF asks the panel to overturn a contempt-of-court finding against Lavabit and its owner Ladar Levison for resisting a government subpoena and search warrant that would have put the private communications and data of Lavabit’s 400,000 customers at risk of exposure to the government.

For nearly two decades, secure Internet communication has relied on HTTPS, an encryption system in which there are two keys: a public key that anyone can use to encrypt communications to a service provider, and a private key that only the service provider can use to decrypt the messages.

In July, the Department of Justice demanded Lavabit’s private key—first with a subpoena, then with a search warrant. Although the government was investigating a single user, having access to the private key means the government would have the power to read all of Lavabit’s customers’ communications. The target of the investigation has not been named, but journalists have noted that the requests came shortly after reports that NSA whistleblower Edward Snowden used a Lavabit email account to communicate.

“Obtaining a warrant for a service’s private key is no different than obtaining a warrant to search all the houses in a city to find the papers of one suspect,” EFF Senior Staff Attorney Jennifer Lynch said. “This case represents an unprecedented use of subpoena power, with the government claiming it can compel a disclosure that would, in one fell swoop, expose the communications of every single one of Lavabit’s users to government scrutiny.”

EFF’s concerns reach beyond this individual case, since the integrity of HTTPS is employed almost universally over the Internet, including in commercial, medical and financial transactions.

“When a private key has been discovered or disclosed to another party, all users’ past and future communications are compromised,” EFF Staff Technologist Dan Auerbach said. “If this was Facebook’s private key, having it would mean unfettered access to the personal information of 20 percent of the earth’s population. A private key not only protects communications on a given service; it also protects passwords, credit card information and a user’s search engine query terms.”

Initially, Levison resisted the government request. In response, a district court found Lavabit in contempt of court and levied a $5,000-per-day fine until the company complied. After Levison was forced to turn over Lavabit’s key, the certificate authority GoDaddy revoked the key per standard protocol, rendering the secure site effectively unavailable to users.

Since Lavabit’s business model is founded in protecting privacy, Levison shut down the service when it no longer could guarantee security to its customers.

“The government’s request to Lavabit not only disrupts the security model on which the Internet depends, but also violates our Constitutional protections against unreasonable searches and seizures,” EFF Staff Attorney Hanni Fakhoury said. “By effectively destroying Lavabit’s legitimate business model when it complied with the subpoena, the action was unreasonably burdensome and violated the Fourth Amendment.”

The deadline for the government’s response brief is Nov. 12, 2013.

I’m proud to say I’m a member of EFF. And if you value their advocacy for privacy and civil liberties, why don’t you, too, throw them some money to support their work? DONATE.
“Unconcerned with the implications” is all too common in cases involving new technologies.

Orin Kerr writes:

The forthcoming Supreme Court issue of the Harvard Law Review will feature an essay by NYU Law professor Erin Murphy on the Supreme Court’s recent Fourth Amendment case on DNA searches, Maryland v. King. Professor Murphy’s essay, License, Registration, Cheek Swab: DNA Testing and the Divided Court, argues that King is likely to have an unexpectedly large impact on the future of Fourth Amendment law.

In Murphy’s view, King is significant less for what it said than for what it didn’t say. Presented with the major implications of DNA analysis in the parties’ briefs and the amicus briefs, the Court didn’t address them. Instead, Justice Kennedy issued a majority opinion that seemed unconcerned with those implications.

Read more on Concurring Opinions.
Worth a listen...

The National Constitution Center has posted an audio file of Orin Kerr and Marc Rotenberg discussing warrantless surveillance with Jeffrey Rosen. More information and access to the audio file on NCC, here.
I don't worry. My Ethical Hackers would take credit for anything cool I emailed (even more likely, they'd ignore my emails entirely).

Colleen Flaherty reports on a number of cases where a professor’s email to students wound up going viral. The AAUP may want to protect “academic freedom” by treating emails as protected, but free speech advocates think it’s fair game and fair use.

Read more on Slate.
Shouldn't all email services be able to do this?

A Chrome extension to supercharge your Gmail with mxHero Toolbox, and give power to your emails. Protect your privacy and send self destructing email. Track clicks on attachments & URLs with Click Track. Be reminded of important emails with Remind Later. Delay email delivery with Send Later. Track critical email responses with Reply Timeouts, & more.
For my Computer Security (and Ethical Hacking) students

Red Alert: 10 Computer Security Blogs You Should Follow Today

An alternative to PowerPoint. However, you should watch this: http://www.youtube.com/watch?v=gKMUBh2ZM-8 BEFORE you PowerPoint (or anything else)

How Would The World Look Like Without PowerPoint? Projeqt Gives A Clue

You have to give a second glance to a web application which is a 2013 Webby Awards Honoree. Projeqt walked the red carpet to claim not one but two nominations – Best User Experience and Web Services and Applications. So, it seems improper to just start this article and say it is a PowerPoint alternative. It would be better to describe it – as the application sees itself – as a creative storytelling tool.

Yet another way to hassle my students. (Infographic)

Effective Apps And Web Tools For BYOD Classrooms