Saturday, December 20, 2014

Oh, we’ve changed our minds again, have we? 
FBI Officially Fingers North Korea As Source Of Sony Breach
At first, the Federal Bureau of Investigation (FBI) wasn’t so certain that North Korea was the responsible party for the massive cyberattack on Sony.  Earlier this month, FBI cyber division assistant director Joe Demarest simply stated, “There is no attribution to North Korea at this point.” 
Today, however, there is no doubt that North Korea was behind the attack.
   The FBI released a statement this afternoon concluding that it "now has enough information to conclude that the North Korean government is responsible for these actions.” 
   While Sony will have to deal with the aftermath of the hack and the controversy surrounding its decision to cancel the film in the days, weeks, and months to come, the FBI is at least letting American corporations know that it has their backs should such an incident occur in the future. 
“The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information,” the FBI added.  “Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states [A new role for the FBI?  Bob] who use cyber means to threaten the United States or U.S. interests.”

(Related)  But we don’t seem to stick to the FBI’s “official” version.  Probably no Chinese sanctions. 
Sony hack: China may have helped North Korea, US states
China may have helped North Korea carry out the hacking attack on Sony Pictures, a US official has told Reuters.  
The official, who spoke on condition of anonymity, said the conclusion of the US investigation was to be announced later by federal authorities.  
The Chinese embassy in Washington later stated that China does not support "cyber illegalities".  

(Related)  Perhaps we should take them up on their offer, since we don't seem to know what we're doing.  Actually, it might be a great opportunity to learn what they are capable of – but I doubt they'd actually do it. 
North Korea Seeks Joint Investigation Into Sony Hack With U.S.
North Korea’s government said it had nothing to do with the hacking of Sony Corp.’s computer systems and called on the U.S. to hold a joint investigation into the incident. 
North Korea can prove its innocence and warned of “grave consequences” if the U.S. fails to take up its offer, the country’s foreign ministry said in an e-mailed statement today cited by the state-run Korea Central News Agency.  “As the U.S. is spreading groundless allegations and slandering us, we propose a joint investigation,” the ministry said.  


Just in case you thought we learned anything from Sony…  Don’t release any information during peak shopping season.  Upgrade your security after the hack (Add this expense to the cost of the hack, making it an “Extraordinary Item” on the Annual Report?)  DO NOT mention the T J Hooper or any “duty to use technology to reduce risk.” 
Staples hack exposes 1.2 million credit cards
After a two-month wait, Staples on Friday evening announced hackers broke into its computers and stole data on 1.16 million shoppers' credit cards and debit cards. 
Staples first announced it was investigating a potential data breach in the Northeast in October.  Staples released details of its investigation on Friday, just as the holiday shopping season comes to a close.  
The breach affects those who shopped at a small fraction of Staples (SPLS) stores nationwide between July 20 and Sept. 16 this year.  Cybercriminals now know a shopper's name, card number, its expiration date and card verification code.
The breach affected 115 of the company's approximately 1,400 office supply stores in the United States.  A web page has been set up noting which stores were affected.  
   Staples is also offering free identity protection, identity theft insurance and a free credit report.  
That might be a good public relations move for the company, but in reality, it's a useless gesture.  It doesn't take the valuable stolen data out of criminals' hands.  Criminals now know your name and bank, which is useful information when paired with other personal data available on the black market.   
Staples' apology is a familiar template for any company that loses your data: "Staples is committed to protecting customer data and... has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools."
It's unclear why Staples hadn't installed these protections sooner, given that the Target hack in late 2013 was a wake-up call for the retail industry.  
Staples now joins the lengthy list of companies whose payment systems were attacked by hackers in the past 12 months: Albertson's, Home Depot (HD), Michaels (MIK), Neiman Marcus, P.F. Chang's, Target (TGT) and SuperValu (SVU).


For your Computer Security manager: This is (probably) what breached Sony.  Can you afford to ignore it?  If you said “Yes,” pretend you are on the witness stand and explain it to the jury.   
Indicators of Compromise for Malware Used by Sony Hackers
Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert, describing the primary malware used by the attackers, along with indicators of compromise.
While not mentioning Sony by name in its advisory, instead referring to the victim as a “major entertainment company,” US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. 
According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. 
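The practical point of an alert like this is that a defender takes the published indicators and sweeps every host for them before the destructive components get a chance to run.  The script below is an added example, not code from the US-CERT alert, from SecurityWeek, or from this blog: it hashes every file under a directory tree with the algorithms advisories commonly publish and reports any file whose digest appears in the indicator list.  The indicator values it matches against are constructed at runtime from sample files written to a temporary directory; they are not the real indicators from the advisory, and the file names used in the demo are invented.

```python
"""Sweep a directory tree for files whose digests appear in an IOC list.

Added example (not from the US-CERT alert or the article).  The IOC values
used in demo() are constructed at runtime from sample files, not the real
indicators published for this campaign; feed sweep() the digests from the
advisory you are acting on.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Advisories tend to publish a mix of these; compute all three per file so a
# single pass catches whichever form the indicator was published in.
HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return lowercase hex digests of one file for every algorithm in HASH_ALGOS.

    Reads in chunks so large binaries do not have to fit in memory.
    """
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Indicators arrive in mixed case with stray whitespace and blank lines;
    compare everything as lowercase hex and drop empties."""
    return {ioc.strip().lower() for ioc in iocs if ioc.strip()}


def sweep(root: str, iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for every file whose
    digest under any algorithm is in the IOC set.

    Files that cannot be read (permissions, vanished mid-walk) are skipped so
    one bad entry does not abort the whole sweep.
    """
    wanted = normalize_iocs(iocs)
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((path, algo, digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: one 'known bad' sample beside one benign file.

    Returns (basename, algorithm, digest) for each match.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "svchost_helper.dll")  # constructed filename
        good = os.path.join(tmp, "readme.txt")          # constructed filename
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample standing in for a dropped implant\n")
        with open(good, "wb") as fh:
            fh.write(b"nothing to see here\n")
        # Pretend the advisory gave us only the sample's MD5, in upper case,
        # plus a blank line; normalize_iocs() has to cope with both.
        iocs = [hash_file(bad)["md5"].upper(), "  "]
        hits = sweep(tmp, iocs)
        return [(os.path.basename(p), algo, d) for p, algo, d in hits]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"MATCH {name} {algo}={digest}")
```

Hash matching is the cheapest check in an advisory and also the easiest for an attacker to defeat by recompiling, so treat a clean sweep as "no known samples found," not as "not compromised"; the network indicators and the behavioural descriptions in the same alert need their own checks.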


This also has ties to the Sony breach.  Did the MPAA induce the Mississippi AG to file this subpoena?  (If not, why the quick back-down?) 
Google lawsuit forces MPAA-backed attorney general to retreat
Remember that post Google put up this week that accused the MPAA of trying to resurrect the spirit of SOPA with the help of state prosecutors (that included evidence based on some of Sony Pictures' leaked emails)?  It just turned into a lawsuit -- and it's already having an effect.  The search giant has updated the page to explain that it's asking federal courts to dismiss a subpoena Attorney General Jim Hood sent to Google back in October.  That 72-page document asserted that he believed that Google has violated the Mississippi Consumer Protection Act, and had failed to take actions to prevent crimes committed by using its services.  Now that Google is suing, Hood made a statement via the New York Times, calling for a "time out" and saying he will call the company to "negotiate a peaceful resolution of the issues affecting consumers." 


Perspective.  Would this apply to Big Brother too? 
Because of HIPAA constraints, I can’t provide a lot of details, but when a teenaged patient was in my office with a parent, the teen complained that the parent had required the teen to download an app that enabled the parent to track the teen. 
“What do you think about parents tracking teens that way?” my patient asked me in front of the parent. 
“I think it’s an invasion of privacy,” I immediately answered. 
The teen’s parent was very unhappy with that answer, but I stand by it.  If you can’t trust your teen to tell you the truth about where they’re going, then you have a problem that a tracking app will not solve. 
And if your justification is that you’re worried about their safety, then is your anxiety their problem or your problem?  I’ve often heard parents say, “Well, I wouldn’t let them go out if I didn’t have the peace of mind from knowing that I can tell where they are.”  So wait: you would keep your teen a prisoner in their home because you’re worried?  Seriously?  Unless your teen poses a threat to themselves or others, do you really want to convey that you don’t trust them?  Even though they’ll be moving out or going off to college in a year or two?  Will they suddenly become responsible then?  Will the world suddenly become a safer place? 
What are you teaching them now? 
There are alternative ways to communicate with your teen and to develop trust.  Start when they’re young and build a relationship with them whereby they know they need to call you and let you know where they will be – and that they need to be there or call you in advance if they are about to change their plans/location.  My kids learned early on to be responsible about letting me know where they’d be, and in turn, I almost never told them that they couldn’t go somewhere.  I got peace of mind from our arrangement.  What they got was a sense of responsibility and the absence of guilt most of their friends who lied to their parents had. 
It really isn’t that difficult, folks.  Don’t rely on privacy-invasive technology as a substitute for good communication and parent/child relationships. 


At least they didn’t call it “The Matrix.” 
Orin Kerr writes:
Regular readers will recall the mosaic theory of the Fourth Amendment introduced by the DC Circuit in United States v. Maynard, by which law enforcement steps that aren’t searches in isolation can become searches when aggregated over time.  For the most part, judges have been pretty skeptical of the mosaic theory.  For example, in the recent oral argument in the Fourth Circuit in United States v. Graham, on whether the Fourth Amendment protects historical cell-site data, the mosaic arguments didn’t gain a lot of traction for the defense. 
In this post, however, I want to focus on two recent federal district court decisions that cut against this trend and adopted the mosaic theory. 
Read more on WaPo Volokh Conspiracy.


“Papers, Citizen!  Without papers, you don’t exist in the eyes of your government.” 
From EPIC.org: 
Beginning in 2015, many federal facilities will require a “Real ID” for entry where identification is required.  Several states have opted out of the Real ID Act, a federal mandate to modify the design of state drivers licenses, raising questions about the ability of people in those states to access federal buildings and board commercial aircraft.  EPIC, supported by a broad coalition, opposed the Real ID regulations, arguing that many of the required identification techniques, such as facial recognition and RFID tags, compromise privacy and enable surveillance.  EPIC, joined by technical experts and legal scholars, also provided detailed comments to the Department of Homeland Security about the program and later issued a report:  “REAL ID Implementation Review: Few Benefits, Staggering Costs” (May 2008).  For more information see:  EPIC: National ID and the Real ID Act.


I see business opportunities here. 
Feds make path for Internet television
   Specifically, the rules would give companies operating over the Web or any other method of communication the same rights to buy rights to TV programming that companies such as Comcast and DirecTV currently enjoy. 


I’ll use the first one with my students. 
Strategic Humor: Cartoons from the January-February 2015 Issue


Never fails to amuse me. 
   According to an Inspector General audit of how it handles student loans, the Department of Education lacks “a coordinated plan for preventing borrowers from defaulting.”  [Imagine that  Bob] 
   Oh look. LAUSD students can start to take their iPads home.  I’m struck by this comment about the students getting their devices home safely: “School Police Chief Jose Santome estimated it would take 80 more officers to scale up the patrols to the district’s 800 campuses.” 
   The Class of 2015 – the writers whose work will enter the public domain * next year. (* Except in the US, where nothing will enter the public domain.) 
