Thursday, February 27, 2014

We've been hearing hints that retailers other than Target have been hacked. Could that be the source?
Jim Finkle reports:
A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.
The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.
Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.
Read more on Reuters.

Danny Yadron reports:
Verizon Communications Inc. is investigating possible security breaches at two unnamed retailers that appear similar to intrusions at other merchants late last year, a Verizon official said.
Bryan Sartin, director of the research, investigations, solutions, knowledge team at Verizon’s enterprise solutions unit, said the retailers involved in the newly discovered breaches haven’t yet disclosed them.
“We’ve been brought into other situations as the investigator,” Mr. Sartin said in an interview with The Wall Street Journal. “The findings already substantiate a very real link between these later situations and something that recently happened.”
The retailers involved in the newly discovered breaches were contacted by the U.S. Secret Service and then contacted Verizon’s investigative team last week, Mr. Sartin said.
Read more on WSJ.
So if there are two more large retail breaches, and 360M new credentials that Hold Security discovered on the black market, are the two reports connected? The Hold Security report didn’t mention payment card data, so it’s possible they’re not related, but then again, who knows?

Sometimes it's not what you bring to the table, but what you don't have to bring to the table. Old technologies are increasingly mired in regulation while newer, faster moving tech remains relatively bureaucrat free.
Facebook’s WhatsApp deal has unnerved phone companies
… Holding court on the fringes of the conference, Vittorio Colao, the chief executive of Vodafone, summed up the frustration caused by the regulators. He was asked about his views on ongoing mobile network mergers in Ireland and Germany, which are seen as test cases for a consolidation of European mobile networks.
He replied: “There is a guy [Zuckerberg] who has a billion users and has just bought half a billion users [WhatsApp] and I have to talk about Ireland.”
Colao’s favourite tactic in his long-running battle with European regulators is to cite the total number of government bodies Vodafone has to deal with across the continent: 187.
… In the meantime, European operators will continue to make poor returns compared with their American and Asian counterparts. They can only look on jealously as the likes of WhatsApp, which are relatively unencumbered by competition, radio spectrum, infrastructure and tax regulations, erode their revenues.
… It is the scale of the industry that led Zuckerberg to pay $19bn for WhatsApp. While the price has been raising eyebrows all week, most senior telecoms executives who rode the dotcom wave in the late 1990s and suffered the crash do not believe it is a bad bet.
WhatsApp is already eroding their texting revenues. In Barcelona its co-founder Jan Koum, made a billionaire seven times over by the deal, announced that within weeks it will introduce free voice calls to the app’s 465m users. All of this over the mobile internet infrastructure that is costing operators billions to build.

“Papers, comrade citizen.” I would expect the value of these checkpoints to drop very quickly as word gets out. There must be some value – why not tell the residents what it is? (How wide is the “border” anyway?)
Residents in Arizona town push to remove 'militaristic' border checkpoint
Residents of the southern Arizona town of Arivaca are monitoring a U.S. Border Patrol checkpoint to see how many arrests and drug seizures are made in a bid to remove longstanding interior checkpoints on the roads leading into the town.
Arivaca residents say they are regularly subjected to delays, searches, harassment and racial profiling at the checkpoints.
… A Border Patrol spokesman says the agency won't release data for individual checkpoints. The agency, which describes the checkpoint as temporary despite it being in place for several years, told The Los Angeles Times they have no plans to remove it.

If this is true...
NSA Mass Surveillance Useless, Former Bush Official Says
The National Security Agency's telephone-metadata collection program has been completely useless at preventing terrorist attacks, a prominent former government official said yesterday (Feb. 25).
Speaking on a panel at the RSA security conference here, former White House national-security official Richard Clarke refuted the government's claim that 55 possible terrorist incidents had been stopped by the metadata program, called Section 215 after the language in the USA Patriot Act that made it possible.

(Related) ...this would seem crazy.
Julian Hattem reports:
The National Security Agency (NSA) wants to extend the amount of time that it can hold on to people’s phone records.
In a court filing on Wednesday, the Justice Department said the spy agency needs to keep the metadata beyond its current five-year limit to deal with a handful of lawsuits challenging the legality of its controversial surveillance program.
Read more on The Hill.

If the cops can't search phones, will teachers continue to do it? (I'll bet you they will keep doing it!)
I wouldn’t say the court “expanded” cell phone privacy rights as much as properly recognized them.
Chuck Lindell reports:
Expanding the notion of privacy rights in the digital age, the state’s highest criminal court ruled Wednesday that police improperly searched a Huntsville student’s cell phone without a warrant, even though the device had been sitting in a jail property room.
The 8-1 ruling by the Court of Criminal Appeals rejected prosecutors’ arguments that officials may search any item that belongs to a jail inmate if there is probable cause to believe a law had been broken.
In its ruling Wednesday, the Court of Criminal Appeals rejected prosecution arguments that a cell phone is no different from other containers, such as a pair of pants or bag of groceries, that lack privacy protections and can be searched in jail.
The warrantless search of Granville’s cell phone violated the U.S. Constitution’s protection against unreasonable search and seizure — “the right of the people to be secure in their persons, houses, papers and effects” as guaranteed by the Fourth Amendment, the court ruled.
Read more on American-Statesman.

Do we know of any strategic (educational) need for “identification numbers?” Looks like the outside testing company is controlling this.
Trevon Milliard reports:
Every single child in Nevada public schools will soon be assigned an identification number and tracked in detail from preschool through high school to college under the combined efforts of a trio of state departments creating a super-data system.
The system will be completed by July 2015 and will track individual test scores and personal information including birth date, ethnicity, whether a student lives in poverty, speaks English as a second language or is classified as special education. It’s called the Statewide Longitudinal Data System — SLDS for short — and it has more than parents concerned.
Meanwhile in Kansas, Bryan Lowry reports bipartisan support for a state law to protect student data privacy:
Democrats and Republicans are backing a bill meant to protect electronic data compiled by schools from being misused.
Senate Education Committee gave unanimous support Tuesday to Senate Bill 367, known as the Student Data Privacy Act.
The bill would ensure that data collected on students can be shared only with parents and authorized personnel from school districts, the Board of Regents and state agencies. It [prevents? Bob] school districts from collecting biometric data, such as finger prints or DNA.

Too restrictive?
Wim Nauwelaerts, of Hunton & Williams writes:
In January 2014, the Belgian Privacy Commission published a set of guidelines on the privacy implications of using dashboard mounted cameras in vehicles (‘‘dash cams’’) and the processing of video footage and images captured by dash cams. The Privacy Commission decided to issue these guidelines in response to the increasing dissemination of dash cam videos and images through various media (including social media such as Facebook).
Its January 2014 guidance focuses on the three main purposes for which dash cams are often used, and sets out the dos and don’ts for each of these purposes.
[The “three main uses,” from the article:
Dash Cams as Evidence in Traffic Cases
Dash Cams for Recreational Use
Dash Cams and Portrait Rights]

Well, it's a thought – and there's not a lot of thinking going on.
Michael Froomkin writes:
I just uploaded a draft of my new paper, Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements to SSRN. Be the first on your block to read it!
Here’s the abstract:
US law has remarkably little to say about mass surveillance in public, a failure which has allowed the surveillance to grow at an alarming rate — a rate that is only set to increase. This article proposes ‘Privacy Impact Notices’ (PINS) — modeled on Environmental Impact Statements — as an initial solution to this problem.
