Saturday, January 18, 2014

This is a pretty valuable set of data (people able to prescribe drugs). Who keeps data like this in this country, and has anyone breached that data?
Associated Press reports that the personal information of all licensed medical doctors in Puerto Rico was acquired in a recent hack. They report that since the hack, doctors have been getting harassing emails, but it’s not clear from their reporting as to what information was accessed or acquired in the intrusion, other than the statement from Puerto Rico’s Association of Surgeons [I think AP meant College of Physicians and Surgeons - Dissent] that whoever stole the information can engage in identity theft and submit fake prescriptions.
The AP also did not report how many physicians had data in the database, but another AP report in April 2013 noted that the number of doctors in Puerto Rico had dropped from 11,397 to 9,950, according to the island’s Medical Licensing and Studies Board. I cannot find any website for the College of Physicians and Surgeons for Puerto Rico.
If anyone has additional information on this breach, please let me know.
Updated: With the clarity that extra caffeine brings, it dawned on me this morning that even if there are less than 10,000 physicians currently, we don’t know how far back their database goes, and there might be many more individuals whose data were in there.

A caution for academics, but a warning for owners/stewards/guardians/custodians of data – you must set security rules and ensure they are followed. (Why give up the data at all when you could run the analysis in-house and only disclose the summarized results?)
Brian Bakst of AP reports:
A University of Minnesota law professor has apologized to violent crime victims and witnesses after a computer with sensitive information of nearly 300 people was stolen from his office, but he said Friday that there’s no indication the thief has accessed the data.
Criminologist Barry Feld, a prominent juvenile justice scholar, was collecting data from closed case records for a study on law enforcement interrogation techniques when the laptop, a scanner and external hard drive were taken last February. His research, which required his team to sign confidentiality agreements before obtaining the data, has since been terminated.
Read more on Pioneer Press. Maura Lerner of the Star Tribune, who broke the story yesterday, noted the sensitivity and background of the individuals whose data were on the stolen devices:
All had been witnesses or victims in cases that were prosecuted in early 2005 in Hennepin and Ramsey County courts.
One victim, who had been raped as an 11-year-old, received Feld’s letter last week. Her mother told the Star Tribune that she was shocked by the data theft, and that she had no idea that her daughter’s information had been shared with a researcher. “I was aghast,” she said. It was particularly galling, she said, because the family had been unable to get some of that same information, such as witness testimony, when they requested it.
Feld admitted that the data were not properly secured:
“I did not properly protect the data,” Feld told The Associated Press in a phone interview Friday. The incident was first reported by the Minneapolis Star Tribune.
A police report said the equipment wasn’t locked and was stolen from under a desk in the office Feld shares with several research assistants. University police made no arrests in the case nor have they had any leads, according to a school spokesman.
Not only were the data not properly secured, it would appear that there was no backup or master index, as it took from last February until now for them to reconstruct a list of who needed to be notified.
All in all, this sounds like a total failure. I would love to see the contract or agreement the professor signed with the county to gain access to the research materials. Did the agreement require him to not just maintain confidentiality but to actually deploy reasonable and commercially available security protocols? If not, why not? Perhaps some enterprising reporter in Minnesota might want to investigate whether the state and county are requiring adequate security for access to personal and sensitive information.

“Now we can say we've done something. We made a speech!” Looking at the President's speech on “NSA reforms” I see that nothing specific has been proposed. (What a surprise) On the other hand, perhaps that is the correct response to all the kerfuffle. Vague words and phrases like:
… we will review
… we will reform
… a panel of advocates from outside government to provide an independent voice in significant cases [Definition of “significant” to follow Bob]
… I’m asking the attorney general and DNI to institute reforms
… amend how we use national security letters
… ordering a transition
… we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization, instead of the current three [Sounds good, unless you think everyone on the calling tree is part of the organization? Bob]
… develop options

(Related) Compare my review with the EFF's 3.5/12
Read EFF’s explanation for the scores they gave President Obama for his NSA reform plan here.

Yes, let’s just declassify and dump two dozen FISC orders right before a holiday weekend (sigh). From IC on the Record:
The documents being released today comprise orders from the FISC approving the National Security Agency’s (NSA) collection and use of telephony metadata under Section 501. These orders provide additional information regarding the controls imposed by the FISC on the processing, dissemination, security and oversight of telephony metadata acquired under Section 501. This includes the Court’s imposition of additional controls in response to compliance incidents that were discovered by NSA and then reported to the FISC. These orders are available at the website of the Office of the Director of National Intelligence (, and ODNI’s public website dedicated to fostering greater public visibility into the intelligence activities of the Government (
Access the orders here.

Do you see why I recommend breach victims, even big ones with huge legal departments, call in some Professional Help? This was not good customer service even before the breach. Where were the managers?
Target Refused To Process Fraud Claim Unless Customer Gave Up Sensitive Info
How comfortable would you feel giving Target all your sensitive information right now?
Michael Baxter of Somerville has an answer: “I have no confidence in their security there.”
Baxter and his wife got a call Wednesday.
“They identified themselves as the Target fraud detection department, and there was a suspicious transaction of over $1,200,” Baxter told WBZ-TV. [Is this an indication that the stolen cards are being used already? Bob]
They called the number on their statement and confirmed it was true. They are among as many as 110 million customers affected by Target’s pre-holiday credit card breach.
But what happened next made Baxter feel like a victim all over again.
Target sent him a questionnaire to fill out and return to process his claim.
It asks for sensitive information like Social Security number, driver’s license number, address, phone numbers, credit card number, children’s names, and more.
… When he refused, the customer service representative told him they could not process his claim without it.
“I wasn’t getting anywhere, so I asked for a manager. That took four or five minutes. The supervisor came on the line and she was even more aggressive with it.”
When we contacted Target, the company changed its tune.
“Our policy is to investigate all fraud claims even if the form is not filled out,” said spokesperson Molly Snyder. “And filling out the form is not a requirement. However, if we don’t have the form filled out it makes our investigation more difficult.”

Cybercrime firm says uncovers six active attacks on U.S. merchants
A cybercrime firm says it has uncovered at least six ongoing attacks at U.S. merchants whose credit card processing systems are infected with the same type of malicious software used to steal data from Target Corp.
… He said payment card data was stolen in the attacks, though he didn't know how much.
… Komarov, an expert on cybercrime who has helped law enforcement investigate previous attacks, told Reuters on Friday that retailers in California and New York were among those compromised by BlackPOS. Reuters was unable to confirm the retailers' names. [If they are ONLY in New York or ONLY in California, they can't be very large. Bob]

Why I love living in Colorado...
Hunting Licenses to Shoot at Drones: What Could Possibly Go Wrong?
Phil Steel of Deer Trail, Colorado
… has proposed that his town adopt an ordinance that would allow residents to take up to three shots at drones flying over the town at fewer than 1,000 feet (more if your life is in danger). The measure, which has divided the town of 550, will be voted on at the ballot box in April. Until then, Steel is selling his own licenses, for $25 each, [Wish I had thought of it! Bob] to anyone who wants, though they "have no legal value," Matt Pearce reports in the Los Angeles Times.

Be careful what you brag about?
Eriq Gardner reports that Hulk Hogan has lost a round in his litigation over Gawker publishing excerpts from a private sex tape they acquired. Hogan failed to get a federal court to grant an injunction prohibiting its publication, but then found a state judge who granted his motion for an injunction. Today, a Florida appeals court overturned the injunction, explaining that given Hogan’s own public comments about his affair, that this was a matter of public concern and protected by the First Amendment.

If the court decides they do need a warrant, will that apply to teachers as well? (See yesterday's blog) How about border guards?
David Kravets reports:
The Supreme Court today agreed to decide the unsolved constitutional question of whether police may search, without warrants, the mobile phones of suspects they arrest.
The justices did not immediately schedule a hearing in the most important digital rights issue the high court has decided to review this term.
Read more on Wired. See also the coverage on Blog of Legal Times.

You don't need to be a student to find this useful.
Make Windows Start Faster: 10 Non-Essential Startup Items You Can Safely Remove

For my “Raiders of the lost files” (my Ethical Hacking students) DOCs, PDFs, ePUBS – the booty is endless!
FoxySpider – is your personal web crawler. It can crawl into any website and find what you really want (video clips, images, music files, etc). FoxySpider displays the located items in a well-structured thumbnail gallery for ease of use. Once the thumbnail gallery is created you can view, download or share (on Facebook and Twitter) every file that was fetched by FoxySpider.
With FoxySpider you can:
  • Get all photos from an entire website
  • Get all video clips from an entire website
  • Get all audio files from an entire website
  • Well, actually get any file type you want from an entire website

For my Twit students.
– is a Twitter Analytics tool. It gives you stats such as who mentions you and how many times, & number of retweets. You can also analyze another Twitter user’s profile and obtain the same information. What’s even better is that you can search for keywords on Twitter, with who mentioned those words and how they fit into popular hashtags.

For my programming students. (Useful for learning a new language, convert a program you wrote in an old language.)
Varycode – is an online web-based cross-platform source code converter that supports languages such as C#, Visual Basic .Net, Java, Ruby, Iron Python, and Boo. The free plan will allow you 8 conversions daily, and 2,048 characters per conversion. To remove all restrictions, just share Varycode on Facebook or Twitter.

For my researching students...
30 Search Engines Perfect For Student Researchers
When you need to research something, where do you start? Most of us answer this question with “Google“, and “Wikipedia“. But if you’re researching online with Google and Wikipedia as your main tools, you’re only hitting the tip of the iceberg. While these offer some great basic information on a huge variety of subjects, if you want to delve deeper, you need a wider variety of sources to choose from.
The handy infographic below takes a look at different methods of online research, and gives a flowchart flush with a number of different web search options for you to try out.

My weekly laugh...
Congress has passed the 2014 "omnibus appropriations legislation." Among other things, a win for open access to publicly-funded research: it requires that “federal agencies with research budgets of at least $100 million per year will be required to provide the public with free online access to scholarly articles generated with federal funds.” The bill also removes restrictions that prevented the NSF from funding political science. There’s more money for the NIH and more money for the Pell Grant.
… Senator Patty Murray (D-WA) and Representative Jared Polis (D-CO) have introduced the Investing in States To Achieve Tuition Equity (IN-STATE) Act of 2014, which provides incentives for states to offer in-state tuition and need-based aid for undocumented students. [Could my nephew claim to be undocumented (who wants to admit they are from New Jersey) and get in state tuition? Bob]
… Early this week, The LA Times reported that the Los Angeles School District was surveying how much other districts had paid for their technology. Because, ya know, I guess they didn’t think to do any due diligence before agreeing to the outrageous $768 per iPad price-tag.
… Whatever the investigation into pricing, it didn’t stop the school board from earmarking $115 million to buy more iPads to make sure everyone has one in time for “standardized testing scheduled for this spring.” Priorities.
You can now rent textbooks at Staples (or via at least).
… The US News & World Report has released its rankings of the Best Online Programs.
… The Berkman Center for Internet and Society have released a number of reports on student privacy, including this one that talks with youth about their thoughts on tech usage at school. Spoiler alert: they know how to bypass your web filters.

Friday, January 17, 2014

I'm not sure how you would program the site to do this. Random Number generator, I guess. Should be as simple as backing out the last “Update” but I suspect it will be more complicated. The website is still down.
Jon Camp reports:
Navy veteran Sylvester Woodland said he couldn’t believe what he was seeing Wednesday night when he logged onto the Veteran Affairs’ E-Benefits website.
“It gave me a different person’s name, each and every time I came back,” Woodland said. “At first I thought it was just a glitch, but the more I thought about it, I said, wait a minute, this is more than a glitch, this is a breach.”
Woodland was on the VA’s E-Benefits website trying to track down his own history for a bank loan. Instead, windows kept popping up displaying other veterans’ medical and financial information.
“When you click on these hyperlinks here, it takes you to the bank account, the direct deposit, bank account, last four, what bank is it for,” Woodland said. “I’ll bet he has no idea that I’m sitting here in my house with his information.”
Read more on ABC.

A Guide to stealing 110 Million items? They never say this was used on Target, but that's how it is being reported.
Report to Government on Massive Theft of Credit Card Data From Retail Customers
by Sabrina I. Pacifici on January 16, 2014
KAPTOXA POS Report Overview – “iSIGHT Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large number of retail information systems. This software can find, store, and then transmit sensitive information such as credit card and PIN numbers. These findings are part of a need-to-know joint report released today by the Department of Homeland Security, USSS, FS-ISAC and iSIGHT Partners. The use of malware to compromise payment information storage systems is not new. However, it is the first time we have seen this attack at this scale and sophistication. Importantly, this software contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics, concealing all data transfers and executions that may have been run, rendering it harder to detect. Many retail organizations may not know that they have been infected, or that they have already lost data.”

A bit confusing because the PDF states that they no longer do Criminal Record checks, but then states that they do report prior convictions.
B.C.’s Information and Privacy Commissioner Elizabeth Denham invites public submissions on her investigation into the use of police information checks. Interested citizens or groups are welcome to answer the questions the Commissioner has posed in this consultation letter. In addition, or alternatively, the public can provide our Office whatever views they may have on the subject including any particular experiences they have had with police information checks. We would appreciate receiving these responses by email to no later than February 21, 2014.
Read the background and more about this issue here (pdf)
[From the PDF:
There is an increasing trend towards the use of police information checks as a screening tool for employers to assist in determining the suitability of a prospective employee or volunteer. While these individuals consent to the conduct of the check before it takes place, it is unlikely that an individual who refuses a check will still be considered for an employment or volunteer position.

A bit geeky and still incomplete.
A Closer Look at the Target Malware, Part II
Yesterday’s story about the point-of-sale malware used in the Target attack has prompted a flood of analysis and reporting from antivirus and security vendors about related malware. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.

Yes, I can reach your appliances, but I can't use them to empty your bank account. Or can I?
The Internet Of Things Has Been Hacked, And It's Turning Nasty
Don't say we didn't warn you. Bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks, Internet security firm Proofpoint said on Thursday.
It's apparently the first recorded large-scale Internet of Things hack. Proofpoint found that the compromised gadgets—which included everything from routers and smart televisions to at least one smart refrigerator—sent more than 750,000 malicious emails to targets between December 26, 2013 and January 6, 2014.
… Pinging one device brought up a login screen that said: Welcome To Your Fridge. She typed in a default password—something like “admin” or "adminadmin," Knight said—and suddenly had access to the heart of someone's kitchen.
… “Embedded operating systems deployed in firmware tend to be old, not patched very frequently, and there are known vulnerabilities to virtually all of them,” Knight said.

Fire up the Gulfstream, I'm heading to Brussels! Oh, wait. I don't have a private jet. Darn! Anyone want to make a large donation to my Blog? NOTE: I get in free, so all I need is the jet.
You are kindly invited to the seventh edition of the ‘Computers, Privacy & Data Protection’ (CPDP) conference, to be held on 22-24 January 2014 in Brussels, Belgium. The conference will include panels covering all current debates in the field: the data protection reform in the European Union, PRISM, big data, privacy by design, cloud computing, biometrics, and e-health and will have special sessions on impact assessments, Roma empowerment in the digital era and other topics. Over 60 panels are scheduled.
Read more of the press release on
[From the article:
For more information about:
Members of the press with an official press card can register free of charge as "press on invitation"

What if that file of random looking characters is a file of random looking characters? How does one prove that gibberish is not encrypted evidence? (Because apparently the police need not prove it isn't)
Clink! Terrorist jailed for refusing to tell police his encryption password
A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.
Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.
Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.
Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.
The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Imagine deleting (or forcing the deletion of) video showing teachers breaking the law. Really bad idea. Wouldn't the Best Practice be to hold the phone until Mom or Dad can see what the school wants to delete? Or is the school saying, “We don't need no stinking parents?”
Luke Hammill reports:
It’s been almost two months since controversy erupted at Hillsboro’s R.A. Brown Middle School over staff reviewing and deleting video on students’ cell phones. In its first work session since the holiday break, the Hillsboro School Board reacted Tuesday evening by examining its search and seizure policies.
Hungerford said the relevant court cases have given conflicting rulings about how broad searches can be, but school officials must have “reasonable suspicion” that a student violated school rules in order to search him, and the search must be “reasonable in scope.” For instance, if a student is reasonably suspected of stealing a football, Hungerford said, a teacher cannot make him empty his pockets.
He said he doesn’t think it’s a good idea for school officials to ever delete material off of a student’s phone. Hungerford also recommended that in a sensitive situation – he gave the example of students texting each other photos of an exam – teachers or administrators should direct students to delete the photos themselves, and then discipline them for insubordination if they don’t comply.
Read more on Oregon Live.

Oh my, Justin Bieber's privacy has been violated! Seriously, is this now normal police procedure?
Cops searching Justin Bieber's seized cell phone for egging clues
Police investigating vandalism allegations against Justin Bieber are searching his cell phone for clues after seizing the mobile during a raid of his California home on Tuesday (14Jan14).
Cops descended on the Baby hitmaker's Calabasas mansion after a neighbour complained to authorities last week (09Jan14), when the singer was reportedly discovered hurling eggs at his front door.
Detectives took Bieber's iPhone away as evidence during the search, and tech experts at the Los Angeles County Sheriff's Office are currently scanning the device for any potentially incriminating photos, text messages or other material.
… Officers are also studying surveillance footage taken from Bieber's pad, which was equipped with a "well operated" security system.

Justin Bieber is worried about what cops are going to find on his cell phone, but we're told his issues involve nakedness and drugs ... not so much eggs.
Law enforcement sources tell us ... when they searched Justin's house Tuesday, they seized his cell phone ... took it right out of his hot little hands. Sources say cops are interested in texts that could incriminate him. Cops want to see if he texted someone after the fact and bragged about the egging. One law enforcement source called it a "text high 5."
Sources tell us ... he's concerned more about drug discussions and references. Even if cops find drug references, Justin's in the clear given there's no physical evidence -- nonetheless J.B. is afraid it will leak out.
We're told he's also concerned that there are naked photos in his phone, although we don't know if they're action shots, selfies, etc.
And we're not even going to mention bad grammar.

Will this force the addition of a “working” light? Perhaps a little flag?
Ticket for driving in Google Glass dismissed
It may have been the most anticipated traffic court date ever.
Southern California resident Cecilia Abadie appeared in San Diego traffic court on Thursday for speeding and for wearing Google Glass while driving. It is considered the first time someone has been cited for wearing the face-mounted technology while driving.
Commissioner John Blair threw out both charges, stating there wasn't enough evidence to prove beyond a reasonable doubt that the Google Glass was turned on at the time. It is only illegal to wear the device while driving if it is operational.
… "It doesn't necessarily answer the question everybody wanted: Is it legal to drive down the road wearing Google Glass while it's operating?" said William Concidine of My Traffic Guys. Concidine and his partner, Gabriel Moore, are the traffic ticket attorneys who defended Abadie in court on Thursday.

Amusing. I guess you grab anything for a bit of attention when you are fund raising... (This links to the AMA session)
Hi Reddit,
I am Daniel Ellsberg, the former State and Defense Department official who leaked 7,000 pages of Top Secret documents on the Vietnam War to the New York Times and 19 other papers in 1971.
Recently, I co-founded the Freedom of the Press Foundation. Yesterday, we announced Edward Snowden, NSA whistleblower, will be joining our board of directors!
Here’s our website:
I believe that Edward Snowden has done more to support and defend the Constitution—in particular, the First and Fourth Amendments—than any member of Congress or any other employee or official of the Executive branch, up to the president: every one of whom took that same oath, which many of them have violated.
Ask me anything.

Perspective. At the start of each Quarter, I ask if there are any SciFi readers in my classes. I'm happy to find one in 25. Owners of eBook readers is about 1 in 15.
E-Reading Rises as Device Ownership Jumps
The percentage of adults who read an e-book in the past year has risen to 28%, up from 23% at the end of 2012. At the same time, about seven in ten Americans reported reading a book in print, up four percentage points after a slight dip in 2012, and 14% of adults listened to an audiobook.
Though e-books are rising in popularity, print remains the foundation of Americans’ reading habits. Most people who read e-books also read print books, and just 4% of readers are “e-book only.”

Something we could get at our school?
Yale students made a better version of their course catalogue. Then Yale shut it down.
A pair of Yale students and brothers, Peter Xu and Harry Yu, built a site that let students plan out their schedules while comparing class evaluations and teacher ratings for the past three semesters. Thousands of Yale students used it, apparently finding it a better resource than similar sites run by the university. But this week, as the "shopping period" where students are able to try out classes and finalize their schedules began, Yale not only blocked the Web site from campus networks, labeling it "malicious," but forced the brothers to take it down or face disciplinary action.

For my Students. The only concern I have is that $2.99 is $2.99 too much. But then, I didn't spend $300-$500 for an iPad.
Collect, Extract & Organize Research Fast With Summary Pro for iPad
… Web annotation services like Diigo (one of my favorites) and the clipping features provided by Evernote are great for collecting, organizing, and reviewing research, but Summary Pro streamlines the note clipping process and helps keep your research organized.
Summary Pro includes an in-built web browser
… As you browse and read articles and documents, you can tap on one of three cutting tools (rectangle, circle, or free hand) and select content you want to clip and save.
Next, swipe the selection to the left and it gets saved in a folder.
Summary Pro ($2.99)

Too cool for my students? A great way to remind myself of all that Jazz I listened to as a kid.
The History of Popular Music, According to Google
Google unveiled a new way to look at the history of music today, Music Timeline.
Drawing on the songs that reside in the collections of millions of Google Play users, the company created a visualization of the popularity of various artists and genres from 1950 to today.

Thursday, January 16, 2014

How does a (very) large corporation allow second-rate communication with its customers? Also, this confirms that Target had files online that did not involve card transactions.
Target issues apology letter - but includes some awful security advice
A Naked Security reader just emailed us to say, "I received a message from Target about the breach. It talks about customers, and people who shopped at the company's stores, and names me in the breach. But I've never actually shopped at Target."
The concerned reader also pointed out that the statement was published on Target's website back on 13 January 2014, but the email she received only arrived on 16 January 2014.
… It certainly seems, from our reader's confusion, that "guests" (who lost details like name, address and phone number) include people who have had something to do with Target, somewhere, somehow, but who have never actually bought any products there recently, or even at all.
… Secondly, if I were Target, I would not have said this:
Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
If you don't know and trust someone who calls you, why would you trust any phone number or web URL they might give you?

(Related) For my Computer Security students (and my Ethical Hackers). May be a bit too geeky for everyone else.
A First Look at the Target Intrusion, Malware
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
… Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

(Related) You'll need a database the size of Facebook (almost) to list everyone that is involved in this breach. If there are other big retailers involved, why not tell customers who they are?
States Probe Neiman Marcus Breach as Bank Sues Target
Neiman Marcus Group Ltd. is being investigated by states including Connecticut and Illinois over the theft of customer credit-card data by hackers, and a bank sued Target Corp. for its data breach during the holiday season.
Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan, whose offices are already leading a multistate investigation in the Target breach, are also looking into the hack of Dallas-based Neiman Marcus, which said on Jan. 10 that some unauthorized purchases may have been made with credit cards.
… Other states involved in the Target probe include Florida, Iowa, Massachusetts and Pennsylvania, spokespersons for those states’ attorneys general confirmed yesterday.
Democratic U.S. Senators Claire McCaskill of Missouri and Jay Rockefeller of West Virginia today made public a letter they sent jointly to Target on Jan. 10 requesting a briefing on the data breach from the retailer’s information security officials.
… Schneiderman said in a statement yesterday that his office’s Consumer Protection Bureau is also looking into reports of security breaches at other retailers and called on those companies, which weren’t identified in the statement, to offer free consumer protections to customers.
Friedman declined in a phone interview to name the other retailers and wouldn’t comment when asked if Neiman Marcus is one of them.

As goes the EU, so goes the world? Would this fly in California?
In a disappointing decision yesterday (Jones v. United Kingdom), the European Court of Human Rights upheld the immunity of states and state officials from civil suits for torture in foreign courts. In doing so, it may have written an obituary for one of the most heralded of all human rights cases: the U.K. House of Lords’ 1999 Pinochet decision, which stripped criminal immunity from Chile’s former head of state for some of the murders and tortures committed during his dictatorship.

Who can protect my Ethical Hackers? Would a neutral party, with enough clout to get anyone's attention, be able to stop this nonsense? Should they contact the “victim” through a lawyer?
Kashmir Hill reports an all-too-common scenario, this one involving security researcher Kristian Erik Hermansen:
1. White-hat hacker discovers vulnerability, tries to notify responsible party.
2. White-hat hacker gets nowhere despite numerous attempts to contact responsible party.
3. White-hat hacker discloses publicly.
4. Responsible party pays attention but is more focused on covering up problem.
5. The FBI threatens the white-hat hacker.
Bah. How many times have I written that every site should have a clearly posted/dedicated number to call or email to report security problems? Maybe if sites took my sage advice, we wouldn’t have so many of these situations.
Read Kash’s report on Forbes.

Interesting way to show that $32.5 million isn't a big deal.
Apple coughs up 7 hours of profit to refund kids' $32.5m app buying spree
… In some cases, a parent could authorize a child's in-app purchase, which was charged to the adult's credit card, and not realize that for the next 15 minutes, further purchases could be made without parental intervention – giving the kid a large window of time to buy plenty of expensive stuff.
… The $32.5m settlement will not hamstring Apple (net income last year: $37bn). Based on the company's financial figures for the year to October 2013, the company raked in sales of $170.9bn. So today's refund payout is worth about 6,000 seconds of Apple's time in terms of annual revenue, or about an hour and forty minutes. Or 7.6 hours of annual profit.

For my Ethical Hackers. Justifying your enormous budget...
Mathematical Model Predicts When Hackers Will Strike
… Researchers at the University of Michigan believe they have calculated the optimum time for a cyber attack.
The model, from student Rumen Iliev and political science professor Robert Axelrod, focuses heavily on timing: Wait until the attack will cause the most destruction, but not too long so that the vulnerability hackers are exploiting has been fixed.
… Though presented from the perspective of the offense—the hacker looking for the best moment to exploit a vulnerability—the findings are equally relevant to those companies and agencies hoping to fend off a future attack

Okay, maybe not some of the work my Ethical Hackers do, but generally I favor “Public!” (And links to the work on student resumes)
Public vs. Private – Should Student Work Be Public On the Web?
… School administrators, who are rightfully risk-averse, often immediately say that no public posting is allowed. By decree, access to any student work must be limited to only those approved and with passwords.
Teachers, afraid of potential headaches due to students saying something inappropriate, bullying, or not having total control also get nervous about allowing students to publish freely online.
And, I’m very mindful of the fact that the privacy feature built into Edublogs is one of the number one reasons why schools choose our service. My answer to the privacy question isn’t really good for business.
But, when you look at all the benefits that publishing to the web can bring to student learning, the answer is most definitely yes.
No matter the age or experience, we believe that blogs are meant to be public.

I like lists, even though I rarely post about potential legislation.
Jeff Kosseff writes:
From electronic surveillance to healthcare privacy to drones, Congress is planning to consider a wide range of privacy legislation this year. The Edward Snowden leaks about the National Security Agency and the recent data breaches at retailers are likely to keep privacy and data security on the top of many lawmakers’ agendas. After the jump is a summary of twenty pending privacy-related bills to keep an eye on during the remainder of the 113th Congress.
Read more on Covington & Burling Inside Privacy

Quite a list, but for some reason it does not include the hyperlinks.
Cybersecurity: Authoritative Reports and Resources, by Topic
by Sabrina I. Pacifici on January 15, 2014
CRS – Cybersecurity: Authoritative Reports and Resources, by Topic - Rita Tehan, Information Research Specialist, January 9, 2014
“This report provides references to analytical reports on cybersecurity from CRS, other government agencies, trade associations, and interest groups. The reports and related websites are grouped under the following cybersecurity topics:
  • policy overview
  • National Strategy for Trusted Identities in Cyberspace (NSTIC)
  • cloud computing and FedRAMP
  • critical infrastructure
  • cybercrime, data breaches and data security
  • national security, cyber espionage, and cyberwar (including Stuxnet)
  • international efforts
  • education/training/workforce
  • research and development (R&D)
In addition, the report lists selected cybersecurity-related websites for congressional and government agencies, news, international organizations, and organizations or institutions.”

Wednesday, January 15, 2014

...and the suits go on, la de da de da de da....
Target Faces Nearly 70 Lawsuits Over Breach
Still reeling from the hit to its reputation from last month’s massive data breach, Target Corp. faces nearly 70 class-action lawsuits.
… Gregory Little, an attorney at White & Case LLP who defends companies against class actions, said retail companies are at “significant risk” of facing class actions as large data breaches become more common. “As technology makes it easier to harm larger numbers of individuals, there is greater likelihood that class actions are going to be brought,” said Mr. Little.
… Some small banks are also seeking damages from Target for the costs they are incurring because of the breach. Alabama State Employees Credit Union, which leads a class action case of affected banks, said in its complaint that it has been “swamped by customers and its members needing to close accounts” to prevent fraudulent activity, forcing the small bank to spend time and money creating new cards and refunding lost deposits.

Target's Payment Processors Could Face Hefty Fines Due to Data Breach
Payment processing firms that have been assisting retailer Target, which recently suffered a major data breach, could face millions of dollars in fines and costs due to the issue.
Target's partners could face consumer lawsuits and fines that payment networks such as Visa Inc and MasterCard Inc often levy after cyber security incidents, Reuters has reported.
… Reuters noted that a similar hacking in the mid-2000s at retailer TJX Companies resulted in penalties of $880,000 (£536,000, €644,000) for Fifth Third Bancorp of Ohio, which processed transactions for TJX.
Any electronic purchase from a store like Target involves several companies. They include the banks that issue credit or debit cards, the "merchant acquirer" who handles the payment for the store when the card is swiped and companies such as Visa and MasterCard who operate the networks through which payment request and confirmation are sent.

(Related) Target must calculate that with 110,000,000 records compromised, they might as well offer monitoring to all of their 110,000,002 customers. Great PR target.
JPMorgan’s Dimon: Target breach is a wake-up call
More Target-sized security breaches will happen if banks and retail stores don’t start working together to further protect customers’ data, JPMorgan Chase’s CEO Jamie Dimon said Jan. 14.
JPMorgan has replaced 2 million credit and debit cards as a result of the Target breach, Dimon said. That number is expected to rise. JPMorgan is the world’s largest issuer of credit cards.
… “Target has taken the extraordinary step to offer free credit monitoring to all of its customers, not just those affected by the breach. This is an opportunity Target customers may want to take advantage of, depending on individual circumstances,” Wasden said.

As I've been saying...
In case you missed it earlier today, the Senate Judiciary Committee held a hearing on the Report of the President’s Review Group on Intelligence and Communications Technologies (the PRGICT Report), where the Group members testified regarding their proposed reforms and recommendations for U.S. national security surveillance programs. If you were unable to catch the hearing today, a full video is available on C-SPAN (unfortunately, an embeddable version is not yet available, but we’ll update this post accordingly once one is up).
… In the C-SPAN video at around the 20:50 mark, Senator Leahy asks Morell whether Americans should be concerned about Section 215, given that only metadata is collected under the program. Here was Morell’s response:
“I’ll say one of the things that I learned in this process, that I came to realize in this process, Mr. Chairman, is that there is quite a bit of content in metadata. When you have the records of phone calls that a particular individual made, you can learn an awful lot about that person. And that’s one of the things that struck me. There is not, in my mind, a sharp distinction between metadata and content. It’s more of a continuum.”

I would never for a second believe that France was not already doing this. Are they now worried about appearances?
Winston Maxwell writes:
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs). Under the new law, airlines are required to send PNRs to authorities in accordance with a yet to be adopted government decree. The data may be held for up to five years and may not contain sensitive data (i.e., data relating to the passenger’s racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, or sexual orientation. The French data protection authority, the CNIL, was consulted in connection with these new PNR provisions).
The second and more controversial government data collection provision is article 20 of the December 18 law that permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers, including in real time.
Read more on Hogan Lovells Chronicle of Data Protection.

Might be an interesting seminar topic again, if the rules have changed.
Erica Gann Kitaev writes:
One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (“CMIA”),[1] which provides that a person may recover $1,000 “nominal” damages against a healthcare provider who has negligently “released” the person’s medical information. Until recently, no California appellate court had directly analyzed what constitutes a “release” of medical information under the CMIA. The court in The University of California v. Superior Court (Platter)[2] addressed this question for the first time in 2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself.
Read more about notable cases of 2013 and their implications on Data Privacy Monitor.

Looks like a job for Ethical Hacker Man!
Court ruling overturns Net Neutrality, threatens online access, experts warn
Thanks for watching that YouTube video! That will be 50 cents, please.
Sound unrealistic? It's actually a distinct possibility, after a Federal appeals court on Tuesday struck down an FCC ruling meant to prevent an Internet service provider -- the company you pay for online access -- from prioritizing some website traffic over others.
And because that rule was wiped off the books, those ISPs are suddenly able to do just that. With service providers suddenly able to charge based on the type of content you watch or the sites you visit, it's easy to imagine a system like that of today's cable television market. Want HBO? It's an extra $5. Want our streaming video package, with YouTube, Hulu, and more? That's $5 too.
Don't pay and you can't watch. Period.
… “A broadband provider like Comcast might limit its end-user subscribers’ ability to access The New York Times website if it wanted to spike traffic to its own news website,” the ruling notes.

“We don't need no stinking jurisdiction/authorization/budget/management!” After all, we're all chasing the same people, right?
Jennifer Lynch writes:
Customs & Border Protection recently “discovered” additional daily flight logs that show the agency has flown its drones on behalf of local, state and federal law enforcement agencies on 200 more occasions than previously released records indicated.
Last July we reported, based on daily flight log records CBP made available to us in response to our Freedom of Information Act lawsuit, that CBP logged an eight-fold increase in the drone surveillance it conducts for other agencies. These agencies included a diverse group of local, state, and federal law enforcement—ranging from the FBI, ICE, the US Marshals, and the Coast Guard to the Minnesota Bureau of Criminal Investigation, the North Dakota Bureau of Criminal Investigation, the North Dakota Army National Guard, and the Texas Department of Public Safety.
Read more on EFF.

Department of Horrendous Spending? A 30% increase so far.
Rising Costs and Delays in Construction of New DHS Headquarters
by Sabrina I. Pacifici on January 14, 2014
Reality Check Needed: Rising Costs and Delays in Construction of New DHS Headquarters at St. Elizabeths. U.S. House of Representatives Committee on Homeland Security, January 2014, Prepared by Majority Staff of the Committee on Homeland Security.
“Rep. Jeff Duncan (R-SC), Chairman of the Subcommittee on Oversight and Management Efficiency, released a…report examines the Department of Homeland Security’s (DHS) planning process for its new headquarters and details how taxpayer dollars have been spent on the project to date. Originally founded in 1852 as a government-run hospital for the mentally ill, St. Elizabeths is a national historic landmark. In 2006, the hospital was chosen as the future site of a consolidated headquarters complex for DHS, in an effort to build cohesiveness among Department components. The project has received $1.3 billion in funding to date and only the U.S. Coast Guard headquarters complex has been completed. The 26-page report reviews the potential areas of cost growth, selection and planning issues, and the effects of green initiatives and the site’s historic status on construction costs, among other concerns. Specifically, the report found that it remains unclear how active DHS officials were in choosing the site of their future headquarters. Furthermore, DHS has pushed final completion to fiscal year 2026, 10 years beyond the original schedule, and delays in construction have increased costs by 30% – about $1 billion. The report questions why DHS has not conducted a major reassessment nor considered a new approach to headquarters consolidation…” The expanded use of technology has changed the paradigm of the workspace requirements by allowing a greater emphasis on working from home as a way to reduce square footage requirements. This allows for more shared work spaces… With statements made by senior leadership, the morale concerns, the $1 billion cost increase, and slippage of the completion date to FY 2026, the Committee questions why there has not been a major reassessment of the headquarters consolidation project now with a ten year extension to the project’s deadline and why DHS has not considered a new approach to headquarters consolidation.”
[From the report:
When it was originally proposed and approved, the St. Elizabeths project had a price tag of $3.45 billion; however, in the Department’s most recent update on the project, DHS and GSA submitted cost projections of $4.5 billion with a completion date of 2026.

Tools for techies?
4 Best Tools For Creating Screenshots Compared