Wednesday, March 18, 2015
This suggests that Premera might have asked the question, “Could that happen to us?” If so, they are virtually unique. Who else has been hacked but has yet to ask that question?
Major US Health Insurer Hacked, Affecting 11 Million
Premera Blue Cross said Tuesday its computer network had been hacked, potentially exposing data from 11 million people, in the second recent such attack on a major US health insurer.
Premera said in a statement it discovered on January 29 "that cyberattackers had executed a sophisticated attack" to get into its computer network.
An investigation found that the initial attack occurred on May 5, 2014. The company said hackers may have been able to access members' names, dates of birth, social security numbers, email addresses, bank account data and medical claims information.
… The announcement by Premera came six weeks after a similar disclosure from Anthem Blue Cross, which said as many as 80 million customer records may have been compromised.
Update on another health-related hack. This is the downside of failure to pay ransom.
As they had threatened to do if Labio did not pay them €20,000, the hacker collective known as Rex Mundi has started dumping/disclosing identifiable patient data. The dump was announced on Twitter by the @RexMundi2015 account.
DataBreaches.net confirmed that the records appear to be the results of lab tests performed on patients whose names, dates of birth, referring doctor, and test results are now publicly exposed.
As of the time of this posting, there is still no mention of the incident on Labio’s web site, and the firm has not yet responded to an inquiry from DataBreaches.net earlier today as to whether they have notified affected patients or intend to notify them.
Labio joins 16 other firms who have had their client or patient data revealed after refusing to pay Rex Mundi’s extortion demands. So far, none of the firms appear to be U.S.-based.
When asked what percent of firms do pay them, a spokesperson for Rex Mundi informed DataBreaches.net that over 50% of the entities they have hacked have paid the demanded monies to keep the hack quiet and to avoid having their clients’, employees’, or patients’ personal information publicly dumped.
"Ontogeny recapitulates phylogeny" It's not exactly true in biology, but it is true in Computer Security. We constantly find exactly the same security issues in each new generation of technology. (Perhaps I should hit the thesaurus to come up with a suitably obtuse phrase?)
Insecurity in the Internet of Things
Symantec – Insecurity in the Internet of Things – Mario Ballano Barcena, Candid Wueest, March 12, 2015.
… “The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed. To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattack.”
Interesting. Who gets the data?
Talking Barbie Says Hello, Parents Say Goodbye
… Mattel plans to bring out Hello Barbie in time for Christmas.
However, Campaign for a Commercial Free Childhood has organized an online petition calling on Mattel CEO Christopher Sinclair to stop production of the toy.
Here's how Hello Barbie works: A kid presses on the doll's belt buckle and speaks into a microphone in the doll's necklace. An artificial intelligence system processes and analyzes that speech in the cloud. Responses are then streamed back to the doll, who replies to the kid -- all over a secure WiFi connection to the Internet.
… Hello Barbie will use technology from San Francisco-based startup ToyTalk, which is also behind the Winston Show -- a kids' iPad game app that interacts with players -- and the SpeakaLegend mobile iOS app.
Essentially, it says that using any of the company's services constitutes giving ToyTalk permission to collect, use and disclose personal information. Further, those who let others (say, children) use their account to access the service confirm they have the right to consent on their behalf to ToyTalk's collection, use and disclosure of their personal information.
… ToyTalk's data collection and use is not very different from what online sites do, really, except that the users are kids.
(Related) Perhaps everyone gets your data?
Siri Is Listening: Has iOS Privacy Been Blown Open?
Another week, another accusation of a major technology company spying on you. This week, it’s Apple’s turn, with the tech giant accused of recording everything – absolutely everything – you say to Siri, and passing it on to a third-party.
The allegations were made in a Reddit post by someone who goes by the name of FallenMyst. The pseudonymous poster purports to be a recent employee of Walk N’Talk Technologies, where her job is to listen to audio recordings of people using Siri, and rate how closely they match computer generated transcriptions.
… These latest allegations come not long after Samsung was pilloried for privacy-unfriendly behavior in their latest Smart TVs, where they listened to anything said in their vicinity, and then relayed them to a third-party.
I would like to sic my Business Intelligence students on these emails. Hillary has stated that there was nothing “classified” in the emails, so all we should get is the equivalent of a bunch of online pizza orders, but it might be amusing to map volumes to a timeline of the events the State Department should have been talking about.
A dozen anti-secrecy groups are demanding that the State Department and National Archives independently verify that all official emails from former Secretary of State Hillary Clinton are accounted for.
Citing fears of setting “a dangerous precedent for future agency appointees,” the organizations told Secretary of State John Kerry and Archivist David Ferriero to do checks of their own to ensure that all workplace emails sent or received by Clinton during her time in office are on federal servers — not her own personal machine.
“[T]he task of determining which emails constitute federal records should not be left solely to Mrs. Clinton’s personal aides,” the groups, including the Sunlight Foundation, the Electronic Frontier Foundation and OpenTheGovernment.org, wrote in a letter on Tuesday.
Perhaps “Free” will trump an upgrade? Remains to be seen.
… According to Microsoft's Terry Myerson, Windows 10 is a free upgrade for all Windows 7 and Windows 8.x users, regardless of whether your install is genuine or not. This looks to be a way to convince everybody to move to Windows 10, and if pirates also get a free upgrade why would they refuse?
Another article for my Data Management class.
The Quantified Workplace: Despite the Hype, Not All That Useful Yet
(Related) A little nerdy, but my statistics students will understand the problem. I suspect the impact in business could be quite significant.
The Extent and Consequences of P-Hacking in Science
Head ML, Holman L, Lanfear R, Kahn AT, Jennions MD (2015) The Extent and Consequences of P-Hacking in Science. PLoS Biol 13(3): e1002106. doi:10.1371/journal.pbio.100210
“A focus on novel, confirmatory, and statistically significant results leads to substantial bias in the scientific literature. One type of bias, known as “p-hacking,” occurs when researchers collect or select data or statistical analyses until nonsignificant results become significant. Here, we use text-mining to demonstrate that p-hacking is widespread throughout science. We then illustrate how one can test for p-hacking when performing a meta-analysis and show that, while p-hacking is probably common, its effect seems to be weak relative to the real effect sizes being measured. This result suggests that p-hacking probably does not drastically alter scientific consensuses drawn from meta-analyses.”
Next, let's try for 100 times cheaper. (Interesting video)
3-D Printing Just Got 100 Times Faster
… Instead of printing objects by stacking thin layers on top of one another—a process that can take days, depending on what you’re printing—they built a device that produces a complete object from a pool of goop.
For my programming students.
Learn to Code with These 7 Courses from Microsoft and edX
edX is one of the biggest providers of Massively Online Open Courses (MOOCs), with over three million students, and over three hundred courses. They offer University-level professional education, at a fraction (or none) of the cost, and boast courses in everything from computer skills, to history, to hard science.
Hallowed institutions of learning, from MIT to Berkeley, the Smithsonian to the University of Delft, offer courses on the site, and now so too does Microsoft.
They’re offering seven instructor-taught courses, all starting between March and April. Here’s what’s on offer.
For my geeky students. Let's hope no one on the Death Star notices how much fun these are.
Star Wars + Drones = Dreams Come True