Saturday, April 05, 2014

Concern: Was this a warm up for the Target breach? Now who is liable?
I live in Texas, and there’s a regional retailer that has just announced a data breach that is believed to have affected more than half a million customers. The announcement is controversial because the company, Spec’s, supposedly knew about the theft of payment card data almost a year ago and is just now telling customers. As you might imagine, people affected by this breach are rather upset.
Let me lay out the details, as reported by the Houston Chronicle newspaper.
… On March 29, the Houston Chronicle reported that “a sophisticated computer scam” was perpetrated against the Spec’s retail payment system for a year and a half. The breach is believed to have started October 31, 2012, and continued as late as March of 2014. The article suggests that authorities within Spec’s knew early last year (2013) that the computer system had been compromised.
… According to a Spec’s spokesperson Jenifer Sarver, federal investigators had asked the retailer not to divulge any details during the ongoing investigation. Sarver said, “It took professional forensics investigators considerable time to find and understand the problem, then make recommendations for Spec’s to fully address and fix them.”


Poor security can haunt you even after you sell the company.
As I tweeted last night, Experian has sued the former owner/shareholder of Court Ventures over the mess Experian found itself in when it acquired Court Ventures and later learned that a criminal had been using a Court Ventures account to access a U.S. InfoSearch database with information on over 200 million Americans.
Today, Jim Finkle of Reuters reports on Experian’s cross-complaint in Court Ventures v. Experian, a lawsuit filed in Superior Court of California in Orange County. In today’s example of Extreme Chutzpah, it seems Court Ventures had sued Experian, seeking release of the escrow account created when Experian purchased Court Ventures. For its part, Experian counter-sued because Court Ventures had been notified of indemnification claims arising from the Ngo case. The escrow account is only a small portion of what was an $18 million acquisition.
In Experian’s cross-complaint, they raise claims against Court Ventures and its co-founder and shareholder Robert Gundling for breach of warranty, breach of contract, express contractual indemnification, promissory fraud, intentional misrepresentation, and negligent misrepresentation.
In their cross-complaint, Experian claims that Court Ventures misrepresented the credit header data that the service enabled clients to obtain through its relationship with U.S. InfoSearch. Experian claims that Court Ventures represented the credit header data as a service that would enable investigators to find an individual’s address for trace purposes. In actuality, Experian claims, when they checked logs after the Secret Service contacted them, Court Ventures clients – including Ngo – were able to input names and states and obtain the Social Security numbers of individuals with that name in that state. Parenthetically, I note this would be consistent with what Brian Krebs had reported, that a single query often produced records on multiple individuals.
When Experian discovered that credit header data was being used to obtain Social Security numbers, they immediately cut off the service for all users – including Ngo.
In addition to the complaint that Court Ventures did not verify Ngo’s (a/k/a Jason Low) bona fides as an investigator eligible to use the service, Experian’s cross-complaint also alleges that Court Ventures engaged in web scraping and other possibly illegal acts to obtain the records in its database, despite having assured Experian in the sales agreement that Court Ventures was in compliance with all laws and Experian would have no legal issues when it took over the business.
To date, and based on media reports by others, it appears that Experian has not notified any consumers about this breach and now claims that they don’t know whose data were stolen. That’s noteworthy because in December 2013, Tony Hadley of Experian informed Senator Rockefeller’s committee that Experian knew who these people (victims of Ngo’s activity) were and would protect them. Perhaps Senators Rockefeller and McCaskill should send another letter to Experian asking them to explain Mr. Hadley’s misrepresentations or errors.
Jim Finkle provides some additional details on the litigation on Reuters.


Articles like this do not make me comfortable that anyone is in control. Apparently DHS will give the local police money (grants) to purchase any toy that attracts them, and local politicians don't care enough to ask why they need it or how it works. Do they really believe they can turn this device on and instantly find missing children?
Joel Kurth and Lauren Abdel-Razzaq report:
Oakland County commissioners asked no questions last March before unanimously approving a cellphone tracking device so powerful it was used by the military to fight terrorists.
Now, though, some privacy advocates question why one of the safest counties in Michigan needs the super-secretive Hailstorm device that is believed to be able to collect large amounts of cellphone data, including the locations of users, by masquerading as a cell tower.
Read more on Detroit News.
[From the article:
The technology can track fugitives and find missing children, but privacy advocates said they worry because similar machines can collect data from innocent smartphone users.
… Oakland County, like other agencies, obtained Hailstorm using money from a U.S. Homeland Security grant.


On the other hand...
Allie Bohm writes:
On Monday, Utah became the first state to enact legislation simultaneously protecting location information and electronic communications content, regardless of age, from government access—ensuring that state and local law enforcement can only access that sensitive information when there is good reason to believe that it will reveal evidence of a crime, or in true emergencies.
Read more on ACLU’s blog.
[From the article:
This is notable for two reasons.
  • First, these are the primary two reforms we seek to the outdated federal law that governs our privacy in the digital age, the Electronic Communications Privacy Act (ECPA).
  • Second, Utah’s new law is also remarkable because of its breadth.


Once something gets on the Internet, you can never get it off, so make it searchable and only scholars will bother to read it. Or my students, writing about security.
Introducing the ACLU’s NSA Documents Database
by Sabrina I. Pacifici on April 3, 2014
By Emily Weinrebe, ACLU National Security Project: “The public debate over our government’s surveillance programs has reached remarkable heights since the first set of NSA disclosures in June 2013 based on documents leaked by Edward Snowden. Since then, additional disclosures by both the press and government have illuminated our government’s vast and invasive surveillance apparatus. These documents stand as primary source evidence of our government’s interpretation of its authority to engage in sweeping surveillance activities at home and abroad, and how it carries out that surveillance. The ACLU hopes to facilitate this debate by making these documents more easily accessible and understandable. Toward that end, today we are launching the NSA Documents Database. This tool will be an up-to-date, complete collection of previously secret NSA documents made public since last June. The database is designed to be easily searchable – by title, category, or content – so that the public, researchers, and journalists can readily home in on the information they are looking for. We have made all of the documents text-searchable to allow users to investigate particular key words or phrases. Alternatively, the filter function allows users to sort based on the type of surveillance involved, the specific legal authorities implicated, the purpose of the surveillance, or the source of the disclosure. For example, you can have the database return all documents that both pertain to “Section 215” and “Internal NSA/DOJ Legal Analysis.” We will update the database with new documents as they become available to the public.”


Deep Learning allows this software to learn how to recognize faces. What's next? Could be a security feature – the camera sees your face and signs you in...
Facebook working on facial recognition technology that can spot users from the side
Facebook is known for being creepy due to all its privacy issues, but the social network might seem extra creepy with its new facial recognition technology. There's a strong hate for facial recognition, and we doubt Facebook's implementation will make it any more acceptable.
Facebook's facial recognition software is quite advanced, probably something only the military or the NSA has access to. According to a new report from Facebook, the technology researchers are looking into has the ability to recognize a person's face just as accurately as a human being. If this is real, then the social network is turning into a scary place, and only a drastic change in Facebook's privacy policy and options could allow such software to move forward.
Bear in mind that Facebook has already implemented facial recognition in its software; you might have noticed it when tagging your friends or family in photos. However, this software is far from accurate, and many times requires the user to figure out who people are, manually.
The social network's new facial recognition software, now known as "DeepFace", is aimed at fixing the accuracy issue, along with recognizing a person even if their face is turned sideways.


So easy, even your three year old will be able to use it! Repeatedly! Voice or scan! Sign up for an invitation.
The free gadget that Amazon hopes will compel you to order more stuff — lots more stuff
Amazon just launched a slick-looking website for the Amazon Dash, a handheld gadget for adding products to your shopping list.
“Every member of the family can use Dash to easily add items to your AmazonFresh shopping list,” reads the site. Just aim the business end at the barcode on an empty peanut butter jar, press the scan button, and it retrieves the data from the code and beams it to the cloud. Next time you place an order with AmazonFresh, that peanut butter will already be on your shopping list.


I have to ask, if this had been done by the Berkman Center at Harvard, would people applaud?
The Fall of Internet Freedom: Meet the Company That Secretly Built ‘Cuban Twitter’
The United States discreetly supported the creation of a website and SMS service that was, basically, a Cuban version of Twitter, the Associated Press reported Thursday. ZunZuneo, as it was called, permitted Cubans to broadcast short text messages to each other. At its peak, ZunZuneo had 40,000 users.
And what government agency made ZunZuneo? It wasn’t the CIA. No, it was the U.S. Agency for International Development, USAID, working with various private companies, including the D.C. for-profit contractor Creative Associates and a small, Denver-based startup, Mobile Accord.


This is “hacking” in its pure form. “What happens when I do this?”
5-year-old finds flaw in Xbox Live security
A 5-year-old San Diego boy has outwitted the sharpest minds at Microsoft — he's found a backdoor to the Xbox.
Kristoffer Von Hassel managed to log in to his father's Xbox Live account. When the password log-in screen appeared, Kristoffer simply hit the space button a few times and hit enter.
Robert Davies tells KGTV-TV (http://bit.ly/1hmrTan) that just after Christmas he noticed his son playing games he supposedly couldn't access.
Davies, who works in computer security, says he reported the issue to Microsoft, which fixed the bug and recently listed Kristoffer on its website as a "security researcher."
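The report above says only that a run of spaces got past the password screen, not what the underlying defect was. As an added illustration (constructed here, not Microsoft's code and not a description of the real bug), the block below shows one class of flaw that produces exactly that symptom: a login routine that trims the input and then special-cases an empty result, so whitespace-only input skips the credential check entirely. A hardened verifier sits beside it, and a small probe function gives a regression check a defender can run against any password verifier to confirm that blank and whitespace-only input is always rejected. The record format, the function names and the PBKDF2 iteration count are assumptions for this example.

```python
"""Constructed example: a whitespace-accepting login check beside a hardened one.

Assumptions (not from the article): credentials are stored as a salted PBKDF2
digest in a dict, and the buggy verifier's defect is a trim-then-special-case
path. The real Xbox Live defect is not described in the report.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise for production use


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest of the password (no plaintext)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def _digest(record: dict, supplied: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", supplied.encode(), record["salt"], ITERATIONS)


def verify_buggy(record: dict, supplied: str) -> bool:
    """Hypothetical flaw: input is trimmed, and an empty result is treated as
    'no password step needed' and falls through to success. Any run of
    spaces, tabs or newlines therefore authenticates."""
    cleaned = supplied.strip()
    if cleaned == "":
        return True  # the bug: a bypass path that never touches the credential
    return hmac.compare_digest(_digest(record, cleaned), record["digest"])


def verify_fixed(record: dict, supplied: str) -> bool:
    """Hardened check: no normalisation, no special cases. Every input,
    including the empty string, goes through the same constant-time
    comparison against the stored digest."""
    return hmac.compare_digest(_digest(record, supplied), record["digest"])


# Constructed probe set: inputs a verifier must never accept for a real account.
BLANK_PROBES = ["", " ", "   ", "\t", "\n", " \t "]


def blank_password_probe(verify, record: dict) -> list:
    """Return the blank/whitespace probes the given verifier wrongly accepts.
    An empty list is the expected (secure) result."""
    return [p for p in BLANK_PROBES if verify(record, p)]


if __name__ == "__main__":
    rec = make_record("correct horse battery")
    print("buggy verifier accepts:", blank_password_probe(verify_buggy, rec))
    print("fixed verifier accepts:", blank_password_probe(verify_fixed, rec))
```

The probe is the part worth keeping: run it against every authentication path (password, PIN, recovery) in a test suite so that a later refactor cannot quietly reintroduce a trim-and-skip branch.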


For my fellow geezers...
Pew – Older Adults and Technology Use
by Sabrina I. Pacifici on April 4, 2014
Aaron Smith – April 3, 2014: “America’s seniors have historically been late adopters to the world of technology compared to their younger compatriots, but their movement into digital life continues to deepen, according to newly released data from the Pew Research Center. In this report, we take advantage of a particularly large survey to conduct a unique exploration not only of technology use between Americans ages 65 or older and the rest of the population, but within the senior population as well. Two different groups of older Americans emerge. The first group (which leans toward younger, more highly educated, or more affluent seniors) has relatively substantial technology assets, and also has a positive view toward the benefits of online platforms. The other (which tends to be older and less affluent, often with significant challenges with health or disability) is largely disconnected from the world of digital tools and services, both physically and psychologically. As the internet plays an increasingly central role in connecting Americans of all ages to news and information, government services, health resources, and opportunities for social support, these divisions are noteworthy—particularly for the many organizations and individual caregivers who serve the older adult population.”


For my students
Bypass Georestrictions By Changing Your Smartphone’s DNS Settings
DNS tunneling services allow you to access geo-restricted services just by changing your DNS server. In other words, you can watch American Netflix or Hulu by changing one setting. Services like UnoDNS and Unblock-Us aren’t just for your computer. They’ll work on smartphones, tablets, and even game consoles.


We are in the “education business” like the shoemaker's children.
… New York State has pulled out of inBloom (which according to Politico, leaves the data infrastructure organization with no customers). While some are hailing this as a victory for student privacy, Funnymonkey’s Bill Fitzgerald notes it’s “only good news for the other players in the space” – players like Pearson.
… “The University of Florida will pay Pearson Embanet an estimated $186 million over the life of its 11-year contract — a combination of direct payments and a share of tuition revenue — to help launch and manage the state’s first fully online, four-year degree program,” reports The Gainesville Sun. Phil Hill clarifies some of the numbers.
… Textbook publisher Cengage has emerged from bankruptcy.
