Friday, October 25, 2013

Is this really the best we can do?
Kavita Kumar reports:
Schnuck Markets has agreed to a proposed class-action settlement stemming from the breach of its computer systems in which an estimated 2.4 million payment cards were compromised.
The preliminary settlement was presented to St. Louis Circuit Judge David Dowd on Wednesday afternoon. He is expected to rule on it in the coming weeks.
He also is considering a motion to intervene in the case by a lawyer pursuing one of the related federal lawsuits still pending. The lawyer, Matt Armstrong, argued at the court hearing that the proposed settlement may not be a good deal for consumers.
Read more on St. Louis Post-Dispatch. This proposed settlement sounds like a much better deal than most customers usually get in one of these lawsuits as it includes reimbursement (at $10/hour) for up to three hours for time spent dealing with the breach, reimbursement for bank fees, late fees, etc., and instances of identity theft loss. Overall, reimbursing customers $10/per customer doesn’t sound great, but it is better than what we usually see.

A “Meta-Hack” for my Ethical Hackers. Hack a providers system, let them install the malware as part of their “Trusted” service.
Dan Goodin reports:
Maintainers of the open-source PHP programming language have locked down the website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors’ computers.
The compromise was discovered Thursday morning by Google’s safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.
Read more on Ars Technica.

(Related) Government systems are good to hack. They are easily compromised and no one seems to care.
Dana Liebelson reports:
With plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.
According to several online security experts,, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ”clickjacking,” where invisible links are planted on a legitimate web page.
Read more on Mother Jones.

California will surely “fix” this.
Paul Paray comments on the recent ruling in California involving statutory damages under the CMIA in the event of a breach:
Insurers providing privacy liability coverage were collectively breathing a sigh of relief last week given a decision from the California Court of Appeals. Interpreting the California Medical Information Act (CMIA), the court in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, No. B249148 (Cal. Ct. App. October 15, 2013) significantly limited the ability of plaintiffs to obtain nominal statutory damages of $1,000 per patient under CMIA. For the past several years, CMIA was pretty much the best game in town when it came to statutory damages involving a data breach. Although enacted in 2008, CMIA was only over the past several years successfully used by plaintiffs’ counsel to obtain settlements previously unattainable post-breach. The CMIA “statutory damages” bonanza reaped by class counsel was significant – the prospect of such damages allowed counsel to overcome Article III and other “lack of injury” arguments, potentially allowed for class certification even with an otherwise uneven plaintiff pool, and created an early incentive to settle on the part of a defendant – and its insurer – given the potential size of an award.
It is no surprise CMIA was the bane of a good number of network security and privacy insurers – it led to significant settlements that would not have otherwise occurred. The Regents decision is noteworthy given it was the first appellate court to decide the availability of CMIA statutory damages and rejected the notion that mere negligence coupled with disclosure could trigger statutory damages. This is a significant departure from how the law was interpreted by the lower courts and instantly dried up a good part of the statutory damages manna drunk by the plaintiffs’ bar.
Read more on InformationLawGroup.

Let me redundantly reiterate my repetition: The NSA listens to EVERYTHING, which part of everything do you not understand?

Actually, it goes back much further than this...

Is this similar to the Hawthorne Effect? Any attention you pay to employees improves productivity? (Since the object of the monitoring, reducing theft, didn't pan out.)
In Praise of Electronically Monitoring Employees

Are secure communications business models illegal?
EFF has filed this amicus brief (pdf) in support of Lavabit. Here is their press release on it:
Federal law enforcement officers compromised the backbone of the Internet and violated the Fourth Amendment when they demanded private encryption keys from the email provider Lavabit, the Electronic Frontier Foundation (EFF) argues in a brief submitted yesterday afternoon to the US Court of Appeals for the Fourth Circuit. In the amicus brief, EFF asks the panel to overturn a contempt-of-court finding against Lavabit and its owner Ladar Levison for resisting a government subpoena and search warrant that would have put the private communications and data of Lavabit’s 400,000 customers at risk of exposure to the government.
For nearly two decades, secure Internet communication has relied on HTTPS, a encryption system in which there are two keys: A public key that anyone can use to encrypt communications to a service provider, and a private key that only the service provide can use to decrypt the messages.
In July, the Department of Justice demanded Lavabit’s private key—first with a subpoena, then with a search warrant. Although the government was investigating a single user, having access to the private key means the government would have the power to read all of Lavabit’s customers’ communications. The target of the investigation has not been named, but journalists have noted that the requests came shortly after reports that NSA whistleblower Edward Snowden used a Lavabit email account to communicate.
“Obtaining a warrant for a service’s private key is no different than obtaining a warrant to search all the houses in a city to find the papers of one suspect,” EFF Senior Staff Attorney Jennifer Lynch said. “This case represents an unprecedented use of subpoena power, with the government claiming it can compel a disclosure that would, in one fell swoop, expose the communications of every single one of Lavabit’s users to government scrutiny.”
EFF’s concerns reach beyond this individual case, since the integrity of HTTPS is employed almost universally over the Internet, including in commercial, medical and financial transactions.
“When a private key has been discovered or disclosed to another party, all users’ past and future communications are compromised,” EFF Staff Technologist Dan Auerbach said. “If this was Facebook’s private key, having it would mean unfettered access to the personal information of 20 percent of the earth’s population. A private key not only protects communications on a given service; it also protects passwords, credit card information and a user’s search engine query terms.”
Initially, Levison resisted the government request. In response, a district court found Lavabit in contempt of court and levied a $5,000-per-day fine until the company complied. After Levison was forced to turn over Lavabit’s key, the certificate authority GoDaddy revoked the key per standard protocol, rendering the secure site effectively unavailable to users.
Since Lavabit’s business model is founded in protecting privacy, Levison shut down the service when it no longer could guarantee security to its customers.
“The government’s request to Lavabit not only disrupts the security model on which the Internet depends, but also violates our Constitutional protections against unreasonable searches and seizures,” EFF Staff Attorney Hanni Fakhoury said. “By effectively destroying Lavabit’s legitimate business model when it complied with the subpoena, the action was unreasonably burdensome and violated the Fourth Amendment.”
The deadline for the government’s response brief is Nov. 12, 2013.
I’m proud to say I’m a member of EFF. And if you value their advocacy for privacy and civil liberties, why don’t you, too, throw them some money to support their work? DONATE.

“Unconcerned with the implications” is all too common in cases involving new technologies.
Orin Kerr writes:
The forthcoming Supreme Court issue of the Harvard Law Review will feature an essay by NYU Law professor Erin Murphy on the Supreme Court’s recent Fourth Amendment case on DNA searches, Maryland v. King. Professor Murphy’s essay, License, Registration, Cheek Swab: DNA Testing and the Divided Court, argues that King is likely to have an unexpectedly large impact on the future of Fourth Amendment law.
In Murphy’s view, King is significant less for what it said than for what it didn’t say. Presented with the major implications of DNA analysis in the parties’ briefs and the amicus briefs, the Court didn’t address them. Instead, Justice Kennedy issued a majority opinion that seemed unconcerned with those implications.
Read more on Concurring Opinions.

Worth a listen...
The National Constitution Center has posted an audio file of Orin Kerr and Marc Rotenberg discussing warrantless surveillance with Jeffrey Rosen. More information and access to the audio file on NCC, here.

I don't worry. My Ethical Hackers would take credit for anything cool I emailed (even more likely, they'd ignore my emails entirely)
Colleen Flaherty reports on a number of cases where a professor’s email to students wound up going viral. The AAUP may want to protect “academic freedom” by treating emails as protected, but free speech advocates think it’s fair game and fair use.
Read more on Slate.

Shouldn't all email services be able to do this?
– A Chrome extension to supercharge your Gmail with mxHero Toolbox, and give power to your emails. Protect your privacy and send self destructing email. Track clicks on attachments & URLs with Click Track. Be reminded of important emails with Remind Later. Delay email delivery with Send Later. Track critical email responses with Reply Timeouts, & more.

For my Computer Security (and Ethical Hacking) students
Red Alert: 10 Computer Security Blogs You Should Follow Today

An alternative to PowerPoint. However, you should watch this: BEFORE you PowerPoint (or anything else)
How Would The World Look Like Without PowerPoint? Projeqt Gives A Clue
You have to give a second glance to a web application which is a 2013 Webby Awards Honoree. Projeqt walked the red carpet to claim not one but two nominations – Best User Experience and Web Services and Applications. So, it seems improper to just start this article and say it is a PowerPoint alternative. It would be better to describe it – as the application sees itself – as a creative storytelling tool.

Yet another way to hassle my students. (Infographic)
Effective Apps And Web Tools For BYOD Classrooms

No comments: