- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHI that were involved in the breach (i.e., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Website, or postal address if appropriate.
Saturday, May 10, 2014
Was this Target's idea or the banks'?
Maury Glover reports:
It’s been months since hackers stole the credit and debit card information of millions of Target customers, but the effects are far from over. In fact, thousands of Minnesota credit card numbers are currently for sale.
In the wake of the breach, Target told customers not to cancel their credit cards during the busy holiday shopping season and urged them to monitor their accounts for a year — but Lanterman said that advice just gives hackers time for victims to let their guard down.
“Target’s advice not to cancel the cards actually helped the hackers because once you cancel the cards, the info is worthless,” Lanterman said.
According to Lanterman, that’s just one more way that Target’s handling of the situation has missed the mark.
Read more on MyFox9.com
Target CEO Exit Highlights Business Side of Security
The resignation of Target Corp. CEO Gregg Steinhafel earlier this week indicates a growing awareness among the C-suite and boards that security is intimately intertwined with business strategy and should be viewed as a board-level issue.
"Cyber-security is now a Board and C-level issue, but that wasn't always the case," [It was at every company I worked for... Bob] said Shawn Henry, CSO of CrowdStrike and president of the company's services division. "Cybersecurity is no different than any other risk a company faces today."
… Nearly 80 percent of responders in a recent Websense/Ponemon survey (PDF) of 5,000 global IT security practitioners said their company's leaders did not equate losing confidential data with a potential loss of revenue.
How broad could this “Search” become?
Ellen Nakashima reports:
The Justice Department is seeking a change in criminal rules that would make it easier for the FBI to obtain warrants to hack into suspects’ computers for evidence when the computer’s physical location is unknown — a problem that officials say is increasing as more and more crime is conducted online with tools to conceal identity.
But the proposal, which was posted for public comment on a U.S. court Web site Friday, is raising concerns among privacy advocates who see it as expanding the power of federal agents to insert malware on computers, which they say could weaken overall Internet security.
Read more on Washington Post.
[From the article:
The proposed change would also make it easier for agents to use one warrant to obtain evidence on possibly hundreds or thousands of computers spread across the country when the machines have been secretly commandeered into “botnets” by criminals to conduct cyberattacks. [That might include one of my computers, if I fell for “bad guy spam.” Bob]
I have always liked how Dr. Cavoukian thinks!
White paper: Personal Control and Freedom Are Essential to Preserving Privacy in an Online World of Growing Surveillance
Individuals are beginning to lose effective control over their personal information in this era of ubiquitous mobile, social and cloud computing. The future of digital privacy may depend on changing the current online paradigm from “Use At Your Own Risk” to “My Data, My Rules” by providing individuals with greater control over their personal information. To explain how information systems may be engineered to enable privacy and control automatically — by default, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and Absio Corporation President and CEO, Dan Kruger have released a new white paper, Freedom and Control: Engineering a New Paradigm in the Digital World.
(Related) Because it's “public?”
Alex Boutilier reports:
Ottawa is creeping you on Facebook.
The government that characterized the long-form census as unduly intrusive is increasingly lifting Canadians’ personal information from their social networking websites, according to the federal privacy watchdog.
In a letter to Treasury Board President Tony Clement, interim privacy commissioner Chantal Bernier said an “increasing number” of government institutions are collecting publicly available personal information from sites like Facebook and Twitter “without any direct relation to a program or activity.”
“We are seeing evidence that personal information is being collected by government institutions from social media sites without regard for accuracy, currency and accountability,” Bernier wrote in the February letter obtained by the Star.
Read more on Toronto Star.
Eventually, someone will get it right.
Over on HealthITSecurity.com, Patrick Ouellette notes that the American Health Information Management Association (AHIMA) recently published a Breach Management Toolkit.
The tool requires an AHIMA membership, but the Journal of AHIMA detailed what the tool has to offer providers and a sample of required elements within a data breach notification letter.
Patrick reports that the toolkit discusses five critical pieces of information that AHIMA says should be included in any breach notification letter. Their five critical pieces, as summarized by Patrick, are consistent with what I have been advising for years:
Leading the way into the wonderful world of exploding cellphones? (Even if it's just the dye packs the banks use.)
California passes ‘kill switch’ law, requiring smartphones to have a self destruct option
The California Senate has approved a revised version of the so-called kill switch bill, which requires all smartphones sold in the state to have anti-theft software installed. The controversial bill was rejected at the end of April, and was subsequently altered to make it more acceptable to manufacturers and networks. Apparently, key changes included a six month extension to the deadline for compliance, and tablets aren’t included in the rules.
The risk of trying to be the “next Silicon Valley.”
Report: 38 Studios default would force Rhode Island bonds to 'junk' status
Defaulting on the debt related to 38 Studios' bankruptcy would sink Rhode Island's bond rating to junk status and could harm the state's overall business climate, an independent analyst predicted in a report released Friday.
… The state's economic development agency is suing 38 Studios founder and former Red Sox pitcher Curt Schilling and others over the collapse of his video game company. It says the board was misled into approving the deal that helped lure the company from Massachusetts to Providence.
Someone has figured out this Privacy stuff.
Kids Are Using Bitcoin to Buy Fake IDs Online
(Related) And someone else has figured how to get more money? The test? “Can we spend it?”
US Political Groups Can Now Accept Bitcoin Donations
Why is this surprising? This is the “Government can do it better than you” party. (In fairness, I think they also considered letting the banks fail, but realized quickly that they couldn't find buyers.)
US considered nationalising banks: Former treasury secretary Timothy Geithner
(Related) Well, maybe they can't do everything better...
USPTO Clearly Cuckoo as Amazon Patents Photos with White Backgrounds
I'm not quite ready to pay $120 a year to read books I can get at the neighborhood library for free. Or am I missing something?
Is Oyster the Netflix of the online book world? Apparently it is for a lot of reading fans
Oyster, an online e-book subscription vendor, now has a half million titles in its catalog and is on a run in making top deals with big name publishers.
… The news illustrates that more readers than ever are embracing online bookstores and e-reader devices such as Amazon's Kindle, as well as smartphones.
"Roughly half of our reading activity happens on phones," says Eric Stromberg, CEO of Oyster Books.
Oyster's library of 500,000 e-books is available for $9.99 a month, with titles from over 1,600 publishers. According to Oyster, half of its subscribers access the service from a smartphone during the day. Subscribers on weekends and nights tend to use the iPad.
My weekly laugh at education.
… Pearson has won the highly lucrative contract to develop and administer the tests for the Common Core testing consortium Partnership for Assessment of Readiness for College and Careers (PARCC). The states that are part of PARCC collectively educate about 15 million students. So let's see: 15 million times $29.50 per test... Pearson was the only organization to bid for the contract.
… The American Institutes for Research (AIR), another player in the testing industry, has filed a lawsuit arguing that the PARCC contract was awarded “in a process that was illegal, and structured in a way that wrongly benefited one company—Pearson.”
… Southern New Hampshire University’s College for America has done it: a $10,000 college degree. The school will offer a competency-based, self-paced bachelor's degree in health care management and communications. More via Inside Higher Ed.
… Microsoft released a new add-on to Office aimed at educators called Office Mix which lets you add Khan Academy and CK12 resources to PowerPoints.
… Renaissance Learning has released its annual report on What Kids Are Reading. The report includes a list of the most popular books based on grade level.
Definitely something for my website class.
Optimizilla – when using images on the Internet, it is important to optimize them so they are of minimal size but maximum quality. Using Optimizilla, you can upload up to 20 files in JPEG and PNG formats. Click thumbnails in the queue to select images. Use the slider to control the compression level and mouse/gestures to compare images. Click ‘Save’ to download the result.
A tool for my students? Free and no sign-up needed. Encrypts in your browser before uploading.
Encryption.to – Encryption has become an extremely important topic online, so any tool that helps you encrypt your communications is worth knowing about. Encryption.to is a site that lets you send encrypted messages with one click. If you sign up, you get a unique link, encrypt.to/username, and your public key is held on their non-public key server.
Something for my Math students before they are my Math students?
TenMarks Offers Their Summer Math Program to Parents for Free
TenMarks is a service that offers an online mathematics program designed to supplement your in-classroom mathematics instruction. This summer they are offering their summer mathematics program to families for free.
The TenMarks summer program begins with students taking an assessment. After taking the assessment an individualized program that adapts to his or her specific needs is created for the student. Each student’s summer curriculum is designed to review concepts from the past year, and get introduced to concepts for the year ahead. TenMarks offers real-time feedback to students and their parents. The feedback measures a student's progress toward a standard or goal. Based upon a student's responses to questions the program automatically adjusts to provide more or less of a type of question.
Friday, May 09, 2014
A bright future for government auditors!
Will a Government Settlement Improve Snapchat’s Privacy? Don’t Count on It
Snapchat just joined the F.T.C. club.
The company that makes the popular messaging app agreed on Thursday to a settlement with the Federal Trade Commission of charges that it deceived users when it said photos on the service would “disappear forever” after recipients viewed them.
In fact, the agency determined, access could be obtained to Snapchat’s photos through a set of relatively simple workarounds. Under the terms of the deal, Snapchat agreed to be monitored by an independent privacy auditor for the next 20 years.
Oh, of course!
Marco Tabini reports:
A newly-released document on Apple’s website outlines the company’s policies when it comes to sharing the personal information of iOS users with U.S. law enforcement.
According to the whitepaper, the company can help lawmen get their hands on a significant amount of information you share through iCloud, including your e-mail, iWork documents, calendars, and so on—provided, of course, that they come looking for it with a valid warrant.
Read more on Macworld.
Developing “Best Practices” could be a great project for my Computer Security students teamed with some law school students. Anyone want to buy the pizza? (Students run on pizza.)
Anne L. Kim writes:
The rise of health apps has expanded the opportunities for individuals’ data to be used for research purposes, policy analysis, and so on. But what are the complexities involved with making sure people are “de-identified” from their own data, so their privacy can be protected? At an FTC workshop today on consumer-generated health data, panelists spent some time talking about whether there should be a uniform standard.
There isn’t a single definition of de-identification or one “rule that governs everybody,” according to Joy Pitts, chief privacy officer at HHS’ Office of the National Coordinator for Health Information Technology. (There is a Department of Health and Human Services document that offers guidance on where de-identification fits into the Health Insurance Portability and Accountability Act, or HIPAA, but there’s no set of industry best practices.)
Read more on Roll Call.
Implementing Best Practices and Reform Initiatives Can Help Improve the Management of Investments
If there is a silver lining to the series of high-profile targeted attacks that have made headlines over the past several months, it is that more enterprises are losing faith in the “magic bullet” invulnerability of their prevention-based network security defense systems.
That is, they are recognizing that an exclusively prevention-focused architecture is dangerously obsolete for a threat landscape where Advanced Persistent Threats (APTs) using polymorphic malware can circumvent anti-virus software, firewalls (even “Next Generation”), IPS, IDS, and Secure Web Gateways -- and sometimes with jarring ease. After all, threat actors are not out to win any creativity awards. Most often, they take the path of least resistance; just ask Target.
As a result of this growing awareness, more enterprises are wisely adopting a security architecture that lets them analyze traffic logs and detect threats that have made it past their perimeter defenses – months or possibly even years ago. It is not unlike having extra medical tests spot an illness that was not captured by routine check-ups. Even if the news is bad (and frankly, it usually is), knowing is always better than not knowing for obvious reasons.
“If we don't like it, it's not a law.”
China and International Law in Cyberspace
by Sabrina I. Pacifici on May 8, 2014
U.S.-China Economic and Security Review Commission Staff Report. May 6, 2014. China and International Law in Cyberspace by Kimberly Hsu, Policy Analyst, Security and Foreign Affairs with Craig Murray, Senior Policy Analyst, Security and Foreign Affairs
“The Chinese government states it intends to work with the “international community to promote the building of a peaceful, secure, open, and cooperative cyberspace.” Similarly, U.S. government policy is to “work internationally to promote an open, interoperable, secure, and reliable” cyberspace. While this semantic overlap in officially stated goals suggests strong similarities between China and the United States in their viewpoints on international law and norms in cyberspace, they are more different than similar. China’s participation in a 2013 UN report affirming the applicability of international law to cyberspace is a promising development. The same UN group will gather in 2014 to address some of the more challenging and divisive concepts regarding state responsibility and use of force in cyberspace. Any fractures in the debate at this meeting will likely reflect some of the major differences between the United States and China on cyberspace policy. These differences will likely endure as Beijing is presently unwilling to compromise on issues such as Internet sovereignty and information control, which it judges as critical to the maintenance in power of the Chinese Communist Party (CCP) regime.”
A most interesting tactic.
Math Shall Set You Free—From Envy
… Perhaps the oldest fair division method on the books—one which has been used by children from time immemorial—is the “I cut, you choose” method for dividing up, say, a cake between two people. One person cuts the cake into two pieces, and the other person gets to choose which piece to take.
… Fair Buy-Sell was devised in 2007 by Ring and Steven Brams, a professor of politics at New York University, and requires each partner to simultaneously propose a buyout price. If John proposes $110,000 and Jane proposes $100,000 then John, the higher bidder, will buy out Jane for $105,000. Unlike the shotgun clause, this method is equitable: Each participant ends up with something—either money or the business—at a price that is better than his or her offer. “Both participants always get a solution that’s better than what they proposed,” Ring says. And the business always goes to the partner who values it more.
Also, not for sale?
The Navy's New Super Secure E-Readers Are Called NeRDs. Is Reading Nerdy?
… Kindles, iPads, and other tablets/e-readers are currently forbidden on Navy vessels. They take up space, and, more importantly, can be a security threat because of connectivity points like wi-fi, expandable storage, and USB ports. So the Navy's General Library Program partnered with the digital content service Findaway World to create NeRD. The devices don't have Internet access, and their content is fixed.
The idea is that the Navy can expand the reading material it offers on ships and submarines for recreation, while also throwing in some texts for professional development that would be too big to fit in the small locker that’s usually allotted for books on Navy vessels.
Something to revisit. Students too.
Opera 21 Launches For Windows and Mac With Huge Speed Improvements
That's exactly how I remember Shakespeare! (Infographic)
A “How To” that my students should avoid.
How Inkjet Printers Are Changing the Art of Counterfeit Money
The U.S. government recouped more than $88 million in counterfeit currency last year, and more than half of it was made on regular old inkjet or laser printers.
That's according to Bloomberg, which tells the story of a woman who pleaded guilty to counterfeiting up to $20,000 in fake bills over a two-year period. She took $5 bills, soaked them in degreaser, scrubbed off the ink with a toothbrush, dried them with a hairdryer, then reprinted them as $50 and $100 on a Hewlett-Packard printer, the news service said.
While the counterfeiting business used to be specialized, these days it's easy for anyone with a printer to give it a try.
Dilbert illustrates the logic (illogic?) of the reciprocal statement!
Greetings from your government