Friday, November 14, 2014

So what do we call it? A “drive-by?” Even worse: Putin thinks this will stimulate the Russian economy.
Russian Tanks in Ukraine, but US Won’t Say ‘Invasion’
Thousands of Russian troops have crossed into eastern Ukraine in recent days, along with columns of tanks, artillery and air-defense systems, according to NATO’s top commander.
By nearly every definition – indeed, according to the Oxford dictionary – the act of armed forces crossing the border would constitute an invasion.
But the Obama administration has noticeably avoided using the word to describe Russia’s apparent action (Russia denies any of its troops or military equipment are in Ukraine). Instead, U.S. officials have resorted to terms like “incursion” or even more contorted rhetorical gymnastics.

If I were the suspicious type, which I have been trained to be, I might think this was a deliberate backdoor into Windows. Even so, it's amazing that it took 19 years for someone outside of the NSA to find it.
Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95
… IBM researcher Robert Freeman described the vulnerability as “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”
According to Freeman, the bug relies on a vulnerability in VBScript, which was introduced in Internet Explorer 3.0. Even today, the bug is impervious to Microsoft’s anti-exploitation tools (known as Enhanced Mitigation Experience Toolkit) and the sandboxing features in Internet Explorer 11.
The good news is that there’s no evidence of anyone actually exploiting this vulnerability in the wild, and doing so would be technically tricky. [Good hacking technique: erase the evidence! Bob]

For discussion in my Computer Security class.
The Veterans Administration has introduced a new snapshot element to their monthly reports to Congress, and it’s informative. For the month of October, they report:
  • Intrusion Attempts (Blocked): 12,148,205
  • Malware (Blocked/Contained): 206,564,180
  • Suspicious/Malicious Emails (Blocked): 71,598,834
  • Infected Medical Devices (Contained)**: 27
  • Outgoing Unencrypted Emails (Blocked): 96
** Running total of medical device infections for which remediation efforts are underway
In terms of reported breach/incidents for the month, they report:
  • Lost and Stolen Devices: 52
  • Lost PIV Cards: 131
  • Mishandled Incidents: 128
  • Mis-mailed Incidents: 146
The incidents resulted in:
  • 229 Notifications
  • 536 Credit Protection Services Offered
The VA notes: “Of the total # of Veterans affected, 640 were in relation to protected health information incidents, reported to HHS in accordance with the HITECH Act.”
You can read details of the incidents in the full report.

Not a large breach, but the “third party” here is a law firm.
Heather Graf reports that Seattle Public Schools has notified parents of approximately 8,000 students of a breach involving their records. Most of the students involved are special education students.
According to King5 News, the notification states, in part:
“Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed.”
The person to whom the records were mistakenly released contacted the district to report the breach.
You can read more on King5 News. There does not appear to be any notice up on the Seattle Public Schools web site at this time.
The district has reportedly notified the U.S. Education Department of the breach to seek their assistance in investigating how the breach happened. I’d be surprised if they got any real assistance of that kind, but I’d be happy to be wrong about that.
Most people know that students’ education records are protected under FERPA, but for special education students, another federal law, the Individuals with Disabilities Education Act (IDEA) also applies. IDEA has provisions requiring confidentiality of records. Unlike FERPA, however, IDEA is enforced by the state’s education agency, not the U.S. Education Department.
So what might the consequences of this breach be? The law firm that exposed the information got fired. That’s unusual, but I do think that needs to be headlined so that law firms get the message that their clients are serious about data protection. Other than that, I don’t really expect anything else. A complaint to USED under FERPA might result in an educative letter to the District without any other consequences, and a complaint to the state is unlikely to result in any consequences for the district.
Could the FTC initiate an investigation and/or enforcement action against the law firm? I cannot think of any data security cases involving law firms, can you?
In other words, this is likely to be just another day in the education sector.

I think, in some instances, she is correct.
Margo Schlanger has written a great article forthcoming in the Harvard National Security Journal about intelligence legalism, an ethical framework she sees underlying NSA surveillance. Margo makes the case that NSA and the executive branch haven’t been asking what the right surveillance practices should be, but rather what surveillance practices are allowed to be.
… In the model of legalism that Margo sees the NSA following, any spying that is not legally prohibited is also right and good because ethics is synonymous with following the rules. Her critique of “intelligence legalism” is that the rules are the bare minimum, and merely following the rules doesn’t take civil liberties concerns seriously enough.

Leaves much to be desired...
Marianne Le Moullec writes:
The Article 29 Working Party, which is composed of representatives of DPAs from every European country, has recently rendered an opinion on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.
Read more on Proskauer Privacy Law Blog.

I'm going to go way out on a limb here and suggest that nothing written by lawyers is written for “users.” Everything is written with that court clash in mind.
Facebook writes new privacy policy for users, not lawyer
Facebook released proposed changes to its policy Thursday and created a tutorial to answer questions about privacy. But the changes don't do anything to alter what data Facebook collects.
… The proposed policy is 2,700 words, down from 9,000. Facebook will be taking comments and questions about the new policy for the next seven days. The announcement included a new "Privacy Basics" guide to help users understand who can see information that is posted.

Curious. This will be fun to implement.
Jeff Kosseff writes:
The Ninth Circuit recently issued two opinions addressing whether companies should require customers to explicitly agree to key provisions of user terms and other policies.
On Monday, a unanimous three-judge panel issued an opinion in Knutson v. Sirius XM Radio. In this case, the plaintiff purchased a Toyota that included a trial subscription to Sirius. About a month after his trial subscription began, he received a Welcome Kit that included a customer agreement with an arbitration clause.
The Knutson decision comes a few months after the Ninth Circuit’s opinion in Nguyen v. Barnes & Noble, Inc., in which the Ninth Circuit refused to enforce an arbitration clause on Barnes & Noble’s website’s terms of use. The terms were made available to users via a link at the bottom of each page of the website. But the site did not require users to affirmatively agree to the terms, such as by checking a box or clicking “I agree.”
Read more on Covington & Burling InsidePrivacy.

I think this judge is smart.
Court: Website domains can’t be seized
A federal court has ruled that country code domain names such as .us and .uk aren’t property and can’t be seized as part of a court process.
Victims of terrorism from Iran, Syria and North Korea had asked the U.S. District Court for the District of Columbia to force the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) — which handles domain names online — to hand over control of those countries’ domain names, which are .ir, .sy and .kp, respectively.
… This week, Judge Royce Lamberth tossed that argument out.
Country code top-level domains (ccTLDs) "are not property" that can be seized, he ruled, because they “cannot be conceptualized apart from the services provided” by the domain name managers.

Do they view this as an arms race? Will they insist on air-to-air missiles? How long before they go nuclear?
John Surico writes:
Imagine a small drone fluttering its way across the East River in New York City. Undetectable by radar, it’s headed toward midtown Manhattan, and equipped with a destructive arsenal of weapons. Or a chemical agent. Or explosives. Or on a collision course with a jetliner. A hovering warcraft that can take out hundreds, if not thousands, of American citizens, controlled by a not-too-distant terrorist organization, and ready to unleash death from above on suspecting New Yorkers.
Sounds terrifying, right? According to top New York Police Department brass, this kind of nightmare scenario could be in Gotham’s not-too-distant future.
Last week, CBS News reported that the largest municipal police force in the country is seriously considering weaponized drones as the newest security threat to terrorists’ favorite target.
Read more on Vice.

A tidbit from MakeUseOf's collection of short items.
MPAA Tells You Where To Watch TV
A new website has launched detailing where you can watch your favorite movies and TV shows online. And this particular one has been put together by the Motion Picture Association of America (MPAA), those crazy cats who protect the interests of Hollywood.
As you may expect, Where To Watch only features legal sources for movies and TV shows, such as Netflix and iTunes. It also doesn’t have any advertising, which should win it some imaginary Internet points. As Re/Code points out, its one failing is a lack of pay TV listings, which actually makes it perfect for cord-cutters.

“Information Governance,” the next big thing?
Symantec – Government agencies and private sector businesses are drowning in information
Navigating Information Governance – “In addition to managing the growing variety, velocity, and volume of data, they must:
  • Meet information transparency objectives
  • Respond quickly to eDiscovery requirements
  • Manage Freedom of Information Act (FOIA) requests and internal investigations
  • Comply with records management regulations
With data requirements skyrocketing, how can organizations leverage information governance to meet this tidal wave head on while ensuring data security?
To find out, Symantec recently surveyed 152 Federal government and 153 private sector attorneys, IT executives, FOIA agents, and records managers to examine barriers to and benefits of achieving true enterprise-wide information governance.” Today’s information governance is inadequate:
  • Nearly three-quarters of respondents’ organizations (74%) have a formal, enterprise-wide information governance strategy, but just one in five say it’s very effective
Data security is at risk:
  • Just 37% give their organizations an “A” for data protection, 28% for data discovery, and 26% for data management
  • Forty-four percent of respondents say that data security and protection is the single largest information governance risk their organizations will face if not addressed
Organizations must make investments in technology and training:
  • Respondents believe their organization should take the following steps to ensure effective, enterprise-wide information governance programs: Improve training (46%), educate end users on the importance of records (46%), and improve technology (43%)
  • During the next two years, organizations say they are most likely to invest in security software, document management, data loss prevention, and backup.
