Tuesday, March 24, 2015

“We phished you, now we'll use your email to phish all your friends.”
Uh oh. SLC Security reports:
While we can’t name any particular names at this time we have started seeing indicators of another related attack originating out of China aimed at US Healthcare entities. This time another well known affiliate of a previously breached healthcare entity appears to be attacking other Healthcare entities in California and Arizona.
Read more on Vulnerable Disclosures.
[From the article:
… it appears as though a new malware variant is being sent via Phishing emails and they are coming from other healthcare entities so it appears as legitimate traffic which may be problematic as they may be assumed to be trusted entities.]

Exactly the correct steps, slightly out of the correct sequence?
Lorraine Bailey reports:
Credit-reporting giant TransUnion charges $10 before it places security freezes on the files of people dealing with identity theft, a class claims in Federal Court.
Jon Niermann, the lead plaintiff in the March 18 action, says he learned about TransUnion’s “illegal” policy after he became a victim of identity theft.
Read more about his complaint on Courthouse News.
[From the article:
He notes that Texas law "allows CRAs to charge a 'reasonable fee,' not to exceed $10.00, for placing a security freeze, [but] does not make the CRAs' duty to place the security freeze within five business days conditional on the payment of the charge, nor does it allow CRAs to delay placing the security freeze until after the charge is paid," the complaint states, abbreviating credit-reporting agencies.]

Shocking! A government that is preparing to defend its citizens. Who would have thought that possible?
But they’re polite while they’re stealing data and destroying infrastructure, right?
Ryan Gallagher reports:
Canada’s electronic surveillance agency has secretly developed an arsenal of cyber weapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents.
Communications Security Establishment, or CSE, has also covertly hacked into computers across the world to gather intelligence, breaking into networks in Europe, Mexico, the Middle East, and North Africa, the documents show.
Read more on The Intercept.

The survey results are interesting but are unlikely to result in any laws that reduce the amount of data a typical data broker accumulates.
From SafeGov.org:
A survey of parents with school-age children in Boston shows parents see many benefits from in-school internet access, with more than 80 percent stating that in-school internet access helps students develop the necessary skills to gain employment and participate in the global economy. However, a majority of parents are unaware that technology companies may be tracking their children’s internet use at school. This demonstrates the importance of and need for stronger protections to prevent student data mining and online tracking in Boston schools.
… The findings are based on a survey conducted between January 2015 and February 2015 of parents with school-age children in Boston. For more detailed results, please visit: http://bit.ly/1O7xntD

“Hey look! We're doing something!” The question, as always, is what.
FTC Starts Up New Tech Research Office
The Federal Trade Commission is launching a new research office to do deeper dives into privacy, new payment methods and the Internet of Things (among other things), the FTC announced in a pair of blog posts on Monday (March 23).
The new Office of Technology Research and Investigation (OTRI) is a successor to the FTC’s Mobile Technology Unit, which was created in 2012 to handle consumer issues related to mobile devices, including children’s privacy and mobile shopping data-use policies.
But the OTRI has a broader mandate and is hiring more technologists (its predecessor only had one) to examine privacy and security issues related to “connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things,” according to FTC Chief Technologist Ashkan Soltani.
While that’s a broad mandate, the FTC has already gotten started in some of those areas — for example, in January the FTC issued a report on privacy and security issues involving the Internet of Things.
But exactly how much the OTRI will be able to do beyond researching these areas isn’t clear. In general, the FTC is limited to pursuing companies that misrepresent what they do or engage in false advertising. As a result, the FTC’s privacy enforcement actions have largely consisted of going after retailers who have violated their own published privacy policies. (The one exception to that is marketing online to children, which is covered by the Children’s Online Privacy Protection Act. That puts much more stringent limits on what information website operators can collect from children under age 13, and how it must be handled.)
That means the new OTRI can investigate security and privacy issues, but there’s some question as to what else it can do beyond issuing reports. And as the Washington Post notes, the FTC is facing a potential turf war with the Federal Communications Commission over “net neutrality” and related privacy issues.

This might be a “doing something” worth the doing.
Hamish Barwick reports:
The NSW Information and Privacy Commission (IPC) has unveiled an e-learning portal to help organisations in the state deal with privacy complaint handling and other privacy issues.
The e-learning portal is free and currently provides access to two e-learning modules: privacy complaint handling, and Government Information Public Access (GIPA) Act: Access training for decision makers.
Read more on Computerworld.

It would be a worthless law.
Should Governments Ban Ballot Selfies?
Would Hitler have wanted people to post who they voted for? Would Benito Mussolini have tweeted photos with voters? Would Francisco Franco have Instagrammed a ballot with a check next to his name? These are the questions I was asking myself after listening to a recent NPR story on the controversy brewing around “ballot selfies.”

For my Computer Security students.
Cybersecurity and Information Sharing: Legal Challenges and Solutions
CRS – Cybersecurity and Information Sharing: Legal Challenges and Solutions. Andrew Nolan, Legislative Attorney. March 16, 2015.
… While considerable debate exists with regard to the best strategies for protecting America’s various cyber-systems and promoting cybersecurity, one point of general agreement amongst cyber-analysts is the perceived need for enhanced and timely exchange of cyber-threat intelligence both within the private sector and between the private sector and the government.
… this report examines the various legal issues that arise with respect to the sharing of cybersecurity intelligence, with a special focus on two distinct concepts: (1) sharing of cyber-information within the government’s possession and (2) sharing of cyber-information within the possession of the private sector.
With regard to cyber-intelligence that is possessed by the federal government, the legal landscape is relatively clear: ample legal authority exists for the Department of Homeland Security (DHS) to serve as the central repository and distributor of cyber-intelligence for the federal government. Nonetheless, the legal authorities that do exist often overlap, perhaps resulting in confusion as to which of the multiple sub-agencies within DHS or even outside of DHS should be leading efforts on the distribution of cyber-information within the government and with the public.
… With regard to cyber-intelligence that is possessed by the private sector, legal issues are clouded with uncertainty. A private entity that wishes to share cyber-intelligence with another company, an information sharing organization like an Information Sharing and Analysis Organization (ISAO) or an Information Sharing and Analysis Center (ISAC), or the federal government may be exposed to civil or even criminal liability from a variety of different federal and state laws.
… concerns may arise with regard to how the government collects and maintains privately held cyber-intelligence, including fears that the information disclosed to the government could (1) be released through a public records request; (2) result in the forfeit of certain intellectual property rights; (3) be used against a private entity in a subsequent regulatory action; or (4) risk the privacy rights of individuals whose information may be encompassed in disclosed cyber-intelligence.
The report concludes by examining the major legislative proposals—including the Cyber Intelligence Sharing and Protection Act (CISPA), the Cybersecurity Information Sharing Act (CISA), and the Cyber Threat Sharing Act (CTSA)—and the potential legal issues that such laws could prompt.

My students have convinced me this could be more important than a resume. Especially the social networking bit.
A 101 Guide To Building Your Personal Brand
… Developing and building your personal brand is an important part of deciding how you want to be known in your workplace, industry and life. Below are four important steps you can take to start building your personal brand today.

(Related) Perhaps if the campaign is mostly on social networks we might see fewer TV ads? Nah.
Facebook lights up over Cruz announcement
Ted Cruz’s Monday morning announcement that he was running for president sent a jolt through political circles — and their Facebook friends.
The Texas Republican senator’s announcement sparked 5.7 million comments, likes and other conversations among 2.2 million people on the global social network on Monday, according to Facebook. That’s more than 30 times the average number of people who have talked about Cruz in the last three months.
… Cruz, who has significant appeal among conservatives, has found a winning message on some social media sites.
In fact, he first announced his new campaign on Twitter, hours before giving his Monday morning speech.

For my geeky students.
How to Create an iPhone Game From Scratch
