Saturday, January 18, 2014

This is a pretty valuable set of data. (able to prescribe drugs) Who keeps data like this in this country and has anyone breached that data?
Associated Press reports that the personal information of all licensed medical doctors in Puerto Rico was acquired in a recent hack. They report that since the hack, doctors have been getting harassing emails, but it’s not clear from their reporting as to what information was accessed or acquired in the intrusion, other than the statement from Puerto Rico’s Association of Surgeons [I think AP meant College of Physicians and Surgeons - Dissent] that whoever stole the information can engage in identity theft and submit fake prescriptions.
The AP also did not report how many physicians had data in the database, but another AP report in April 2013 noted that the number of doctors in Puerto Rico had dropped from 11,397 to 9,950, according to the island’s Medical Licensing and Studies Board. I cannot find any website for the College of Physicians and Surgeons for Puerto Rico.
If anyone has additional information on this breach, please let me know.
Updated: With the clarity that extra caffeine brings, it dawned on me this morning that even if there are fewer than 10,000 physicians currently, we don’t know how far back their database goes, and there might be many more individuals whose data were in there.

A caution for academics, but a warning for owners/stewards/guardians/custodians of data – you must set security rules and ensure they are followed. (Why give up the data at all when you could run the analysis in-house and only disclose the summarized results?)
Brian Bakst of AP reports:
A University of Minnesota law professor has apologized to violent crime victims and witnesses after a computer with sensitive information of nearly 300 people was stolen from his office, but he said Friday that there’s no indication the thief has accessed the data.
Criminologist Barry Feld, a prominent juvenile justice scholar, was collecting data from closed case records for a study on law enforcement interrogation techniques when the laptop, a scanner and external hard drive were taken last February. His research, which required his team to sign confidentiality agreements before obtaining the data, has since been terminated.
Read more on Pioneer Press. Maura Lerner of the Star Tribune, who broke the story yesterday, noted the sensitivity and background of the individuals whose data were on the stolen devices:
All had been witnesses or victims in cases that were prosecuted in early 2005 in Hennepin and Ramsey County courts.
One victim, who had been raped as an 11-year-old, received Feld’s letter last week. Her mother told the Star Tribune that she was shocked by the data theft, and that she had no idea that her daughter’s information had been shared with a researcher. “I was aghast,” she said. It was particularly galling, she said, because the family had been unable to get some of that same information, such as witness testimony, when they requested it.
Feld admitted that the data were not properly secured:
“I did not properly protect the data,” Feld told The Associated Press in a phone interview Friday. The incident was first reported by the Minneapolis Star Tribune.
A police report said the equipment wasn’t locked and was stolen from under a desk in the office Feld shares with several research assistants. University police made no arrests in the case nor have they had any leads, according to a school spokesman.
Not only were the data not properly secured, it would appear that there was no backup or master index, as it took from last February until now for them to reconstruct a list of who needed to be notified.
All in all, this sounds like a total failure. I would love to see the contract or agreement the professor signed with the county to gain access to the research materials. Did the agreement require him to not just maintain confidentiality but to actually deploy reasonable and commercially available security protocols? If not, why not? Perhaps some enterprising reporter in Minnesota might want to investigate whether the state and county are requiring adequate security for access to personal and sensitive information.

“Now we can say we've done something. We made a speech!” Looking at the President's speech on “NSA reforms” I see that nothing specific has been proposed. (What a surprise) On the other hand, perhaps that is the correct response to all the kerfuffle. Vague words and phrases like:
… we will review
… we will reform
… a panel of advocates from outside government to provide an independent voice in significant cases [Definition of “significant” to follow Bob]
… I’m asking the attorney general and DNI to institute reforms
… amend how we use national security letters
… ordering a transition
… we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization, instead of the current three [Sounds good, unless you think everyone on the calling tree is part of the organization? Bob]
… develop options
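To make the two-hop versus three-hop point concrete, here is an added Python example (not from the speech or this post) that runs contact chaining over constructed, fictional call records and counts how many numbers a single seed sweeps in at each hop limit; the toy graph and the synthetic population are both made up for illustration.

```python
import random
from collections import deque

# Constructed, fictional call graph: each pair is one observed (caller, callee) contact.
# Shaped as a small branching tree so the per-hop counts can be checked by hand.
TOY_CALLS = [
    ("seed", "b1"), ("seed", "b2"),
    ("b1", "c1"), ("b1", "c2"), ("b2", "c3"),
    ("c1", "d1"), ("c2", "d2"), ("c3", "d3"),
    ("d1", "e1"),
]

def build_graph(calls):
    """Undirected adjacency map: a call links both parties, whoever dialled."""
    adj = {}
    for a, b in calls:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def contact_chain(adj, seed, hops):
    """Breadth-first search from `seed`, stopping after `hops` steps.
    Returns {number: hop at which it was first reached}, seed excluded."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] == hops:
            continue  # do not expand beyond the permitted hop count
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    del dist[seed]
    return dist

def reach_by_hop(adj, seed, max_hops):
    """Distinct numbers swept in for each hop limit 1..max_hops."""
    return [len(contact_chain(adj, seed, h)) for h in range(1, max_hops + 1)]

def synthetic_graph(subscribers=5000, contacts_each=6, rng_seed=1):
    """Constructed population: every subscriber has a fixed number of random contacts."""
    rng = random.Random(rng_seed)
    calls = []
    for i in range(subscribers):
        for j in rng.sample(range(subscribers), contacts_each):
            if i != j:
                calls.append((f"n{i}", f"n{j}"))
    return build_graph(calls)

if __name__ == "__main__":
    print("toy graph  :", reach_by_hop(build_graph(TOY_CALLS), "seed", 3))
    print("synthetic  :", reach_by_hop(synthetic_graph(), "n0", 3))
```

The third list entry is the extra population swept in by the third hop; on the synthetic graph it grows by roughly the average contact count at every hop, which is the scale the hop limit is really deciding.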

(Related) Compare my review with the EFF's 3.5/12
Read EFF’s explanation for the scores they gave President Obama for his NSA reform plan here.

Yes, let’s just declassify dump two dozen FISC orders right before a holiday weekend (sigh). From IC on the Record:
The documents being released today comprise orders from the FISC approving the National Security Agency’s (NSA) collection and use of telephony metadata under Section 501. These orders provide additional information regarding the controls imposed by the FISC on the processing, dissemination, security and oversight of telephony metadata acquired under Section 501. This includes the Court’s imposition of additional controls in response to compliance incidents that were discovered by NSA and then reported to the FISC. These orders are available at the website of the Office of the Director of National Intelligence, and ODNI’s public website dedicated to fostering greater public visibility into the intelligence activities of the Government.
Access the orders here.

Do you see why I recommend breach victims, even big ones with huge legal departments, call in some Professional Help? This was not good customer service even before the breach. Where were the managers?
Target Refused To Process Fraud Claim Unless Customer Gave Up Sensitive Info
How comfortable would you feel giving Target all your sensitive information right now?
Michael Baxter of Somerville has an answer: “I have no confidence in their security there.”
Baxter and his wife got a call Wednesday.
“They identified themselves as the Target fraud detection department, and there was a suspicious transaction of over $1,200,” Baxter told WBZ-TV. [Is this an indication that the stolen cards are being used already? Bob]
They called the number on their statement and confirmed it was true. They are among as many as 110 million customers affected by Target’s pre-holiday credit card breach.
But what happened next made Baxter feel like a victim all over again.
Target sent him a questionnaire to fill out and return to process his claim.
It asks for sensitive information like Social Security number, driver’s license number, address, phone numbers, credit card number, children’s names, and more.
… When he refused, the customer service representative told him they could not process his claim without it.
“I wasn’t getting anywhere, so I asked for a manager. That took four or five minutes. The supervisor came on the line and she was even more aggressive with it.”
When we contacted Target, the company changed its tune.
“Our policy is to investigate all fraud claims even if the form is not filled out,” said spokesperson Molly Snyder. “And filling out the form is not a requirement. However, if we don’t have the form filled out it makes our investigation more difficult.”

Cybercrime firm says uncovers six active attacks on U.S. merchants
A cybercrime firm says it has uncovered at least six ongoing attacks at U.S. merchants whose credit card processing systems are infected with the same type of malicious software used to steal data from Target Corp.
… He said payment card data was stolen in the attacks, though he didn't know how much.
… Komarov, an expert on cybercrime who has helped law enforcement investigate previous attacks, told Reuters on Friday that retailers in California and New York were among those compromised by BlackPOS. Reuters was unable to confirm the retailers' names. [If they are ONLY in New York or ONLY in California, they can't be very large. Bob]

Why I love living in Colorado...
Hunting Licenses to Shoot at Drones: What Could Possibly Go Wrong?
Phil Steel of Deer Trail, Colorado
… has proposed that his town adopt an ordinance that would allow residents to take up to three shots at drones flying over the town at fewer than 1,000 feet (more if your life is in danger). The measure, which has divided the town of 550, will be voted on at the ballot box in April. Until then, Steel is selling his own licenses, for $25 each, [Wish I had thought of it! Bob] to anyone who wants, though they "have no legal value," Matt Pearce reports in the Los Angeles Times.

Be careful what you brag about?
Eriq Gardner reports that Hulk Hogan has lost a round in his litigation over Gawker publishing excerpts from a private sex tape they acquired. Hogan failed to get a federal court to grant an injunction prohibiting its publication, but then found a state judge who granted his motion for an injunction. Today, a Florida appeals court overturned the injunction, explaining that given Hogan’s own public comments about his affair, that this was a matter of public concern and protected by the First Amendment.

If the court decides they do need a warrant, will that apply to teachers as well? (See yesterday's blog) How about border guards?
David Kravets reports:
The Supreme Court today agreed to decide the unsolved constitutional question of whether police may search, without warrants, the mobile phones of suspects they arrest.
The justices did not immediately schedule a hearing in the most important digital rights issue the high court has decided to review this term.
Read more on Wired. See also the coverage on Blog of Legal Times.

You don't need to be a student to find this useful.
Make Windows Start Faster: 10 Non-Essential Startup Items You Can Safely Remove

For my “Raiders of the lost files” (my Ethical Hacking students) DOCs, PDFs, ePUBS – the booty is endless!
FoxySpider is your personal web crawler. It can crawl into any website and find what you really want (video clips, images, music files, etc). FoxySpider displays the located items in a well-structured thumbnail gallery for ease of use. Once the thumbnail gallery is created you can view, download or share (on Facebook and Twitter) every file that was fetched by FoxySpider.
With FoxySpider you can:
  • Get all photos from an entire website
  • Get all video clips from an entire website
  • Get all audio files from an entire website
  • Well, actually get any file type you want from an entire website

For my Twit students.
– is a Twitter Analytics tool. It gives you stats such as who mentions you and how many times, & number of retweets. You can also analyze another Twitter user’s profile and obtain the same information. What’s even better is that you can search for keywords on Twitter, with who mentioned those words and how they fit into popular hashtags.

For my programming students. (Useful for learning a new language, convert a program you wrote in an old language.)
Varycode is an online, web-based, cross-platform source code converter that supports languages such as C#, Visual Basic .Net, Java, Ruby, Iron Python, and Boo. The free plan will allow you 8 conversions daily, and 2,048 characters per conversion. To remove all restrictions, just share Varycode on Facebook or Twitter.

For my researching students...
30 Search Engines Perfect For Student Researchers
When you need to research something, where do you start? Most of us answer this question with “Google“, and “Wikipedia“. But if you’re researching online with Google and Wikipedia as your main tools, you’re only hitting the tip of the iceberg. While these offer some great basic information on a huge variety of subjects, if you want to delve deeper, you need a wider variety of sources to choose from.
The handy infographic below takes a look at different methods of online research, and gives a flowchart flush with a number of different web search options for you to try out.

My weekly laugh...
Congress has passed the 2014 "omnibus appropriations legislation." Among other things, a win for open access to publicly-funded research: it requires that “federal agencies with research budgets of at least $100 million per year will be required to provide the public with free online access to scholarly articles generated with federal funds.” The bill also removes restrictions that prevented the NSF from funding political science. There’s more money for the NIH and more money for the Pell Grant.
… Senator Patty Murray (D-WA) and Representative Jared Polis (D-CO) have introduced the Investing in States To Achieve Tuition Equity (IN-STATE) Act of 2014, which provides incentives for states to offer in-state tuition and need-based aid for undocumented students. [Could my nephew claim to be undocumented (who wants to admit they are from New Jersey) and get in state tuition? Bob]
… Early this week, The LA Times reported that the Los Angeles School District was surveying how much other districts had paid for their technology. Because, ya know, I guess they didn’t think to do any due diligence before agreeing to the outrageous $768 per iPad price-tag.
… Whatever the investigation into pricing, it didn’t stop the school board from earmarking $115 million to buy more iPads to make sure everyone has one in time for “standardized testing scheduled for this spring.” Priorities.
You can now rent textbooks at Staples (or via at least).
… The US News & World Report has released its rankings of the Best Online Programs.
… The Berkman Center for Internet and Society have released a number of reports on student privacy, including this one that talks with youth about their thoughts on tech usage at school. Spoiler alert: they know how to bypass your web filters.
