Thursday, March 19, 2015

Interesting precedent.
Target hack victims could get up to $10,000
Target is proposing to pay customers who suffered from a 2013 data breach up to $10,000 each in damages.
The proposal is part of a $10 million offer by Target to settle a class action lawsuit. Victims able to prove they were harmed by the breach, which affected up to 110 million customers, will be eligible for up to $10,000 each.
… In addition, Target (TGT) is required to improve its data security, including the designation of a chief information security officer. The company must also provide security training to its employees.
… Under the terms of the proposed settlement, Target customers who can prove they were damaged by the data breach will get the first shot at the $10 million. For example, victims will be reimbursed for unauthorized credit card charges, bank fees or costs related to replacement IDs -- so long as they are documented.
After those claims are paid, any remaining settlement funds will be evenly distributed to class members without documentation.

… While it's yet to be formally signed off, the settlement documentation is thorough—enough to include a draft of the form that victims will fill in to make a claim

Not what you want your breach victims to hear. However the audit states (kind of) that Premera does have adequate security management. We will have to wait to see if anything the auditors found is related to the breach.
Mike Baker reports:
Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.
Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records.
Read more on Seattle Times.
I’m waiting for someone to discuss whether if OCR had been more actively auditing covered entities, the Anthem and Premera breaches would have occurred.
[From the article:
The auditors also found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems, that servers contained “insecure configurations” that could grant hackers access to sensitive information, and that Premera needed better physical controls to prevent unauthorized access to its data center.
[The audit report:

Another example of words you don't want your breach victims (or their lawyers) to hear. Also interesting, the words you don't hear form Anthem.
Sarah Ferris reports:
Leaders of the Senate’s health committee are accusing insurer giant Anthem of failing to inform millions of people who may have been affected by a massive data breach last month.
Committee chairman Lamar Alexander (R-Tenn.) and ranking member Patty Murray (D-Wash.) said Wednesday that 50 million customers who may have been impacted by the cyberattack still have not been informed.
Read more on The Hill.
And count me among the 50 million who still have not received a notification letter, so I’m not exactly unbiased here.
[From the article:
A spokesperson for Anthem defended the company's response to the data breach. Because the company expected a lengthy process to inform all of the impacted customers, it set up a website and a hotline for customers. [That has nothing to do with notification. Bob]
"Over the last few days, we have also accelerated our member notification mailings. Approximately 2.4 million letters are mailed daily. [Clearly not starting six weeks ago, so when did it start and how many letters have been mailed? Bob] We are working continuously to complete that process as soon as possible," the company wrote in a statement.

This could be interesting. I wonder if the ACLU will take the argument nationwide?
Cyrus Farivar reports:
According to a judicial ruling issued Tuesday, the Erie County Sheriff’s Office (ECSO) in Northwestern New York state must turn over a number of documents concerning its purchase and use of stingrays. The 24-page order comes as the result of a lawsuit brought by the New York Civil Liberties Union (NYCLU) and marks a rare victory in favor of transparency of “cell-site simulators,” which are often shrouded in secrecy.
Read more on Ars Technica.

Apparently flying a drone while drunk (DWI – Droneing While Impaired?) is not a crime in DC? Also provides my Ethical Hackers with guidance: Do you surveillance, cut the connection, get drunk.
No charges for man accused of crashing drone at White House
… The U.S. Attorney’s office for the District of Columbia said on Wednesday that a Secret Service investigation of the incident found the pilot of the craft — reported to be an employee of a federal intelligence agency who had been drinking — lost control of the flying machine around 3 a.m. on January 26.
… “A forensic analysis of the drone determined that it was not operating under the direction of its controller when it crashed at the White House,” the U.S. Attorney’s office said. [Is that why there were no charges? Bob]
… Despite the decision by the U.S. Attorney’s office, the Federal Aviation Administration is reviewing the incident and may impose an action of its own.
… In response, the manufacturer of the $1,000, 2-pound Phantom quadcopter instituted new restrictions to prevent the machine from flying around downtown Washington.

(Related) Drones for cheap...
SKEYE Nano Drone on Sale For 41% off – Now Just $34.99

At the bottom of a slippery slope?
Elizabeth Goitein and Faiza Patel write:
The Foreign Intelligence Surveillance (FISA) Court is no longer serving its constitutional function of providing a check on the executive branch’s ability to obtain Americans’ private communications. Dramatic shifts in technology and law have changed the role of the FISA Court since its creation in 1978 — from reviewing government applications to collect communications in specific cases, to issuing blanket approvals of sweeping data collection programs affecting millions of Americans.
Under today’s foreign intelligence surveillance system, the government’s ability to collect information about ordinary Americans’ lives has increased exponentially while judicial oversight has been reduced to near-nothingness. This report concludes that the role of today’s FISA Court no longer comports with constitutional requirements, including the strictures of Article III and the Fourth Amendment. The report lays out several steps Congress should take to help restore the FISA Court’s legitimacy.
Read the Brennan Center report:

I sometimes wonder what planet the French are from. Clearly their brains function quite unlike human brains.
Glyn Moody writes:
Techdirt has been charting for a while France’s descent from a bastion of enlightenment values to a country that seems willing to give up any freedom in the illusory hope of gaining some security. According to a story in Le Figaro, even worse is to come in the shape of a new law (original in French, found via @gchampeau):
[the proposed law] wants to force intermediaries to “detect, using automatic processing, suspicious flows of connection data”. Internet service providers as well as platforms like Google, Facebook, Apple and Twitter would themselves have to identify suspicious behavior, according to instructions they have received, and pass the results to investigators. The text does not specify, but this could mean frequent connections to monitored pages.
Read more on TechDirt.

I'm just saying...
Feds acknowledge power to act on Web rates
Federal regulators on Wednesday acknowledged that new net neutrality regulations could allow the government to interfere with how much companies charge for Internet service.

Clearly, I'm out of touch. Do we need 1 hour delivery? It suggests to me that we can no longer plan ahead. Why Miami and Baltimore? Do those cities lead the pack when ordering fast delivery?
Amazon expands one-hour delivery to Miami and Baltimore
… Amazon (AMZN, Tech30) said that its service, Prime Now, expanded to "select Baltimore and Miami zip codes" on Thursday and will soon expand to wider neighborhoods in those cities.
Amazon said the service is available to Prime members (costing $99 a year) and can be accessed through an app on iOS and Android devices. One-hour delivery costs $7.99 and two-hour delivery is free. The service is available from 8 a.m. to 5 p.m., seven days a week.

Interesting article, but now I have even more questions.
Why the U.S. does nothing in Ukraine
The ongoing war in Ukraine recently passed the first anniversary of the highly dubious referendum that split Crimea off from Ukraine and eventually saw it attached to Russia.
… For a recent paper, Krickovic and I interviewed a number of foreign policy experts here in Moscow to understand the extent of Russian strategic interests. The interview subjects clearly indicated that the war in Ukraine is a symptom of greater dissatisfaction with the post-Cold War international order. As Evgeny Lukyanov, the Deputy Secretary of Russia’s Security Council, has said, “We need to sit down [with the United States] and renegotiate the entire post-cold War settlement.” [Russia calls it a “settlement,” the US calls it a collapse. Bob]
… This places Obama in a different position relative to formulating strategy regarding a rising challenger like China that needs to be accommodated or challenged because the latter is dissatisfied with the international distribution of benefits. Russia is instead a declining challenger (by its own standards) that offers the United States a third policy course of maintaining the status quo and waiting to negotiate later from a position of greater strength.

An article for my next Computer Security class.
Common Mobile Application Security, Privacy Challenges
Last fall, the Gartner analyst firm predicted that through 2015, 75 percent of mobile applications would fail basic tests related to security and enterprise policy.
A separate survey from Frost & Sullivan of 300 enterprises found that 83 percent have at least one mobile app for employees to use on their devices, with roughly one-in-three having 11 or more.
Both these surveys underscore a basic reality for IT - the adoption of mobile apps has made secure development practices critical.
"Mobile application security is one of the fastest growing problem areas for developers and ultimately C-Level executives today,"

Skills for my students.
Learning Google Script: 5 Best Sites & Tutorials to Bookmark
… Google Apps Script is perhaps one of the most useful tools you can have in your technological toolbelt. It allows you to tie Google services together in a way that’s reminiscent of IFTTT. But it’s way more than that.
It’s an IDE (Integrated Development Environment), that runs in the browser. No installs necessary. Google Apps Script also offers a platform to run your code on, much like the ScraperWiki Platform, or Amazon Web Services, or Heroku does. The most obvious advantage of this is that it allows you to run your code from the cloud, and to be able to work from a variety of devices. It’s truly platform agnostic.

Timers for the toolkit?
6 Useful Timers and Clocks For Your Computer or Phone

No comments: