Monday, March 02, 2015

How to measure the risk?
There was a time when if an entity offered two years of free credit monitoring/credit restoration services to breach victims, that was considered unusual and commendable. And when the University of Maryland offered five years of credit monitoring services following a breach there, that was really surprising.
But as consumers have often noted, if your SSN and identity information are out there, you’re at risk for life. Criminals can just sit on the data until after the free credit monitoring expires and then begin using it with less risk. While your credit card number can expire or be replaced, your SSN is generally forever.
Could the Anthem breach become a game-changer in the remediation offered to breach victims? A number of state attorneys general are looking into the breach, and according to James Boffetti, Senior Assistant Attorney General of New Hampshire and Chief of the Consumer Protection and Antitrust Bureau, one issue they’re looking at is “the appropriateness of the remedies that Anthem is offering to people,” he said.
The Union Leader reports that Boffetti
said company officials have been “very responsive” to investigators. And Anthem has a dedicated website to provide information to affected customers about protecting themselves from identity theft (
But Boffetti said there is “a legitimate concern” about the length of protection Anthem is offering its customers. “I think that’s something that’s going to be discussed quite vigorously as this investigation goes on,” he said.
Although state attorneys general may pursue this aspect of the breach, I do not expect HHS/OCR to really do anything about the mitigation issue. HITECH provides a standard for mitigation, but no specifics when it comes to things like credit monitoring services. And, to date, I don’t think any of OCR’s less than two dozen resolution agreements involved mitigation. Last year, HHS/OCR was sent a complaint about alleged HIPAA and HITECH violations that does include a complaint about failure to adequately mitigate harm and the risk of harm. Whether OCR has done anything with that complaint is unknown to this complainant.

Just because they are headquartered in Moscow does not mean this is all propaganda.
Kaspersky Lab Reveals Detailed View of Most Advanced Hacking Operation Known
Via ars technica: “… In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency. First is the group’s known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail. Second, a highly advanced keylogger in the Equation Group library refers to itself as “Grok” in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined “How the NSA Plans to Infect ‘Millions’ of Computers with Malware.” The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok. Third, other Equation Group source code makes reference to “STRAITACID” and “STRAITSHOOTER.” The code words bear a striking resemblance to “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit. Besides sharing the unconventional spelling “strait,” Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable “shooter.” In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger. Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities—including two that were later incorporated into Stuxnet. The similarities don’t stop there. Equation Group malware dubbed GrayFish encrypted its payload with a 1,000-iteration hash of the target machine’s unique NTFS object ID. The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. The technique closely resembles one used to conceal a potentially potent warhead in Gauss, a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. 
(Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.)”
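The host-bound payload encryption that the excerpt attributes to GrayFish, as an added example; this is neither Kaspersky's analysis code nor the malware's. The idea is environmental keying: the loader derives the decryption key by iterating a hash over a machine-specific identifier, so the sample on disk carries no key at all and the payload decrypts only on the intended host. The identifier values, the choice of SHA-256, the marker header and the XOR keystream are assumptions for illustration; the reported technique used the NTFS object ID and 1,000 hash iterations.

```python
import hashlib

ITERATIONS = 1000          # iteration count the excerpt attributes to GrayFish
MAGIC = b"STAGE2\x00"      # assumed header the loader checks before trusting the plaintext


def derive_key(host_id: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated hash of a host-specific identifier; the identifier itself is never stored in the sample."""
    digest = host_id
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Symmetric, so it also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_payload(payload: bytes, host_id: bytes) -> bytes:
    """What the implant's builder does once, knowing the target's identifier."""
    return xor_keystream(derive_key(host_id), MAGIC + payload)


def unseal_payload(blob: bytes, host_id: bytes):
    """What the loader does on whatever machine it finds itself on: None means 'not my host'."""
    plain = xor_keystream(derive_key(host_id), blob)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


def demo():
    # Constructed identifiers: a GUID-sized value standing in for the victim's NTFS object ID,
    # and a different one for an analyst's sandbox.
    victim_id = bytes.fromhex("9b4f1c2e7d3a4b6c8e1f0a2b3c4d5e6f")
    sandbox_id = bytes.fromhex("00000000000000000000000000000000")
    payload = b"second-stage bytes (constructed)"
    blob = seal_payload(payload, victim_id)
    return {
        "on_victim": unseal_payload(blob, victim_id),
        "in_sandbox": unseal_payload(blob, sandbox_id),
        "blob_leaks_payload": payload in blob,
    }


if __name__ == "__main__":
    print(demo())
```

This is why the excerpt insists on the raw disk image: the volume's object ID is the key material, and an analyst who detonates the sample in a sandbox sees `unseal_payload` return None and nothing else. The iteration count buys little against guessing when the identifier is GUID-sized; it raises the cost per attempt only where the identifier space is small.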

People seem to be getting the word, but not all follow Best Practices. Note that these apps are a natural response to the government's insistence that they be able to decrypt any messages encrypted by the ISP.
Australian ministers used an encrypted messaging app to discuss getting rid of the prime minister
Australian ministers have reportedly been communicating through a secret social media app which sends private messages that can be anonymous, self-destructing and untraceable.
Encrypted peer-to-peer messaging app, Wickr, lets users transfer data, text and files through a secure exchange server.
Secret messages, pictures, videos, audio files and documents can be sent and received through the app, which does not collect personal information, and can be made to expire after a nominated period of time. Users can connect with others without uploading contact lists, chat with groups of up to 10 people and “shred” their device of any deleted materials.
Earlier this year, following a series of leaked emails, American billionaire investor Mark Cuban decided to handle negotiations of a new deal over his free texting app Cyber Dust, which features texts that disappear after 30 seconds.
Despite the government’s push to force telcos to store metadata for security purposes, the Wickr app deletes geolocation and identifying information from sent media, meaning there’s no metadata trail available to capture.

For my Ethical Hackers: This is how a lot of “hacks” begin. Someone has a relatively trivial problem and realizes there is a simple “solution.”
How to Remove Password from PDF Files with Google Chrome
… Is there any software program available that can remove password protection from PDF files? One that doesn’t cost a dime and works on both Mac and Windows? Well the answer is yes and that too is already installed on your computer. It’s called Google Chrome.
Google Chrome has a built-in PDF reader* and a PDF writer and we can combine the two features to remove the password from any PDF document.
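Why a viewer can strip the protection at all, as an added example (not from the linked article and not Chrome's code): in the PDF standard security handler, a file that has only an owner password has an empty user password, and the content decryption key is derived from that empty password plus values stored in the file's own /Encrypt dictionary. Any reader that can display the file therefore already holds the key; the /P permission flags (no printing, no copying) are enforced only by the viewer's good manners. The block below implements the /R 2 (40-bit RC4) handler from the specification over constructed dictionary values; no real PDF is parsed, and the owner password, /ID and object number are made up for illustration.

```python
import hashlib

# Password padding string from the PDF standard security handler (Algorithm 2, step a).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])
KEY_LEN = 5  # /R 2 always uses a 40-bit key; /R 3+ adds 50 extra MD5 rounds, not modelled here


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw: bytes) -> bytes:
    return (pw + PAD)[:32]


def compute_o(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3 (/R 2): /O is the padded user password, RC4-encrypted under the owner password."""
    rc4_key = hashlib.md5(pad_password(owner_pw)).digest()[:KEY_LEN]
    return rc4(rc4_key, pad_password(user_pw))


def file_key(user_pw: bytes, o: bytes, p: int, id0: bytes) -> bytes:
    """Algorithm 2 (/R 2): the document key depends only on the USER password and public dictionary values."""
    h = hashlib.md5()
    h.update(pad_password(user_pw))
    h.update(o)
    h.update((p & 0xFFFFFFFF).to_bytes(4, "little"))
    h.update(id0)
    return h.digest()[:KEY_LEN]


def compute_u(key: bytes) -> bytes:
    """Algorithm 4 (/R 2): /U lets a reader check a candidate user password."""
    return rc4(key, PAD)


def object_key(key: bytes, num: int, gen: int) -> bytes:
    """Algorithm 1: per-object RC4 key for 'num gen obj'."""
    h = hashlib.md5(key + num.to_bytes(3, "little") + gen.to_bytes(2, "little")).digest()
    return h[: min(KEY_LEN + 5, 16)]


def authenticate_user(user_pw, o, u, p, id0):
    """Returns the document key if the user password is right, else None."""
    key = file_key(user_pw, o, p, id0)
    return key if compute_u(key) == u else None


def authenticate_owner(owner_pw, o, u, p, id0):
    """Algorithm 7: recover the user password from /O, then authenticate it."""
    rc4_key = hashlib.md5(pad_password(owner_pw)).digest()[:KEY_LEN]
    return authenticate_user(rc4(rc4_key, o), o, u, p, id0)


def demo():
    # Constructed document: owner password set, user password empty, every /P permission bit cleared.
    owner_pw, user_pw, p = b"owner-secret", b"", -3904
    id0 = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed /ID[0]
    o = compute_o(owner_pw, user_pw)
    key = file_key(user_pw, o, p, id0)
    u = compute_u(key)
    plaintext = b"BT /F1 12 Tf (Confidential) Tj ET"
    ciphertext = rc4(object_key(key, 4, 0), plaintext)  # content stream living in '4 0 obj'

    # What any viewer does when it opens the file without being given a password at all:
    reader_key = authenticate_user(b"", o, u, p, id0)
    recovered = rc4(object_key(reader_key, 4, 0), ciphertext) if reader_key else None
    return {
        "opens_without_password": reader_key is not None,
        "plaintext_recovered": recovered == plaintext,
        "printing_allowed_by_P": bool(p & 4),
        "owner_password_ok": authenticate_owner(b"owner-secret", o, u, p, id0) is not None,
        "wrong_owner_password_ok": authenticate_owner(b"wrong", o, u, p, id0) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Printing through Chrome's PDF writer re-emits the already-decrypted content with no /Encrypt dictionary, which is what `authenticate_user(b"", ...)` followed by `rc4(object_key(...))` models here; the "no printing" bit in /P never enters the key derivation. A non-empty user password is a different matter: without it `authenticate_user` returns None and the trick does nothing. Later revisions (/R 4 to 6) use AES and different key derivation, but the owner/user asymmetry is the same.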

Should be interesting to debate.
The New York Times Room for Debate asks, Can a Genetic Test Be Anonymous?
Read the responses by:

Interesting metaphor.
Rights of Passage: On Doors, Technology, and the Fourth Amendment
Braverman, Irus, Rights of Passage: On Doors, Technology, and the Fourth Amendment (February 1, 2015). Law, Culture and the Humanities, 2015, DOI: 10.1177/1743872114520893 ; SUNY Buffalo Legal Studies Research Paper No. 2015-017. Available for download at SSRN:
The importance of the door for human civilization cannot be overstated. In various cultures, the door has been a central technology for negotiating the distinction between inside and outside, private and public, and profane and sacred. By tracing the material and symbolic significance of the door in American Fourth Amendment case law, this article illuminates the vitality of matter for law’s everyday practices. In particular, it highlights how various door configurations affect the level of constitutional protections granted to those situated on the inside of the door and the important role of vision for establishing legal expectations of privacy. Eventually, I suggest that we might be witnessing the twilight of the “physical door” era and the beginning of a “virtual door” era in Fourth Amendment jurisprudence. As recent physical and technological changes present increasingly sophisticated challenges to the distinctions between inside and outside, private and public, and prohibited and accepted visions, the Supreme Court will need to carefully articulate what is worth protecting on the other side of the door.

Worth a read?
160,000 Facebook accounts are compromised per day, and the company loosens up your privacy settings every time they update the terms of service.
So claims Marc Goodman in his book, “Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It” (Doubleday).
Read more on NY Post.

For my students
How to Search Google Books, Scholar, and News Archive
Last week in my post about the Google News Newspaper Archive I mentioned the value of getting students to use search tools other than Google. By using search tools like Google Books and Google Scholar students often find resources that they wouldn't have discovered had they simply used Google for their searches. The three videos embedded below provide overviews of how to use Google Books, Google Scholar, and the Google News Newspaper Archive.

Since my students are gathering and analyzing tweets, it might be useful to know what rules should be followed. (and perhaps suggest wording for our project document?)
How to Tweet Like a Cop
… In April 2014, the New York Police Department coined the hashtag #myNYPD on Twitter. The goal was to encourage New York City residents to tweet images or anecdotes of themselves interacting positively with police officers. It was meant to drive good will toward a department struggling with its image in the wake of a public thrashing at the hands of then-public advocate Bill de Blasio, who later became mayor on a platform that included criticism of the NYPD's controversial stop-and-frisk program.
#myNYPD backfired spectacularly. The hashtag was flooded with images of uniformed officers swinging cudgels at unarmed protesters. It was the department's first real taste of the vicious trolling so common on Twitter. Bill Bratton, de Blasio's pick for police commissioner, seemed unfazed. "I kind of welcome the attention," he said, calling the pictures "old news."
Even so, the department drew up a list of guidelines—best practices—for its employees who operate on Twitter. Newsweek obtained this Social Media Handbook through a Freedom of Information Law request.
… Read the full handbook below:

Includes some concepts that my students need to include in their project papers. (Hint. Hint)
Why Businesses That Use 'Big Data' Make More Money (Infographic)
… Big data is big news these days, because it has the potential to make a pretty profound impact on the bottom line for a business.
Collecting large quantities of information and analyzing it allows entrepreneurs to make better, more strategically beneficial business decisions. The infographic below was generated by the big data analytics platform Datameer to demonstrate how using data can result in smarter business decisions and more revenue for all sorts of companies.

...On the other hand?
Data Monopolists Like Google Are Threatening the Economy
The White House recently released a report about the danger of big data in our lives. Its main focus was the same old topic of how it can hurt customer privacy. The Federal Trade Commission and National Telecommunications and Information Administration have also expressed concerns about consumer privacy, as have PwC and the Wall Street Journal.
However, big data holds many other risks. Chief among these, in my mind, is the threat to free market competition.
… Federal government regulators must ask themselves: Should data that only one company owns, to the extent that it prevents others from entering the market, be considered a form of monopoly?
… Perhaps the time has come for a Sherman Antitrust Act – but for data. Unsure where you come down on this issue? Consider this: studies have shown that around 70% of organizations still aren’t doing much with big data. If that’s your company, you’ve probably already lost to the data monopolists.
