Saturday, April 11, 2015

For my Computer Security and Business Continuity students. It can happen to anyone. The trick is to realize that and plan for it. (Are some of these departments thinking, “They wouldn't dare attack us!”?)
And yet more police departments pay ransom to unlock their systems. WCSH in Maine reports:
Lincoln County Sheriff Todd Brackett said four towns and the county have a special computer network to share files and records. Someone accidentally downloaded a virus, called “megacode”, that put an encryption code on all the computer data.
The Sheriff said it basically made the system unusable, until they paid a ransom fee of about $300 to the creator of the virus.
And those Midcoast departments aren’t the only law enforcement victims. The Houlton Police Department was also hit by the same or similar virus early this week, and it locked up all their files. Chief Terry McKenna said they, too, were forced to pay the ransom to get their computer data restored.
Read more on WCSH.
So now that they’ve publicly admitted that they’ve paid ransom to unlock their files, are they more likely to get hit again? Can they really be sure their employees won’t fall for the next malware attempt?
There’s no doubt that this is a growing problem – or that at least departments are being more transparent in reporting it. Earlier this week, I noted the Tewksbury Police Department case in Massachusetts, but there have been others, too, as the Boston Globe reported:
Among other small-town police forces hit was the Swansea Police Department. It fell victim to the same threat in November 2013 and paid $750 to get its files back.
The police department in the Chicago suburb of Midlothian paid $500 in January. In Dickson County, Tenn., the sheriff’s office came under attack in October. Despite seeking aid from the FBI, [It's hard to prevent this after it happens. Bob] the agency ended up paying $572 in ransom.
Not all departments pay the ransom – and some, thankfully, don’t need to:
But in Durham, N.H., Police Chief Dave Kurz chose not to pay because the department had backed up the encrypted information and could work around the seized database.
“We had to clean essentially all the computers, but all of our data was prepared,” Kurz said.
Others refuse to pay but lose their data:
The four-member police force in Collinsville, Ala., was hit in June, with the hackers demanding $500 to free up a database of mugshots. Chief Gary Bowen dug in, refused to pay, and never got his department’s files back.
“There was no way we were going to succumb to what felt like terrorist threats,” Bowen said.
Obviously, it would be much better if more departments were as prepared as the Durham, NH police were. Because what are all these departments going to do when the attackers start asking for even more money? And what happens when the criminals start really hitting the k-12 systems? Will the districts pay ransom rather than be brought to their knees by locked files?
In related and helpful news, Charlie Osborne reports that Scraper ransomware has been broken, allowing victims to circumvent payment and access their locked data.

This will (probably) be the last post on this subject. Note: Someone has to use “Worst Practices” so we are motivated to create “Best Practices.”
I continue to look for details on the case of a 14-year old middle school student who is facing two felony counts for allegedly hacking into his district’s network (see previous coverage of the case on this blog here and here).
In today’s installment of How Badly Can a District Screw Up InfoSecurity? Ashley Feinberg of Gawker reports:
Another devious, young techno-wiz was placed safely behind bars this past Wednesday after authorities say he deftly “hacked into his school’s secure computer network” by guessing the password (his teacher’s last name). The crime? Changing the desktop background to two dudes kissin’. The punishment? Arrest on felony charges.
The hacker wunderkind of Holiday, Florida’s Paul R. Smith Middle School, Domanik Green, explained that he uncovered the secret password by “watching the teacher type it in.” At which point, and like a young Julian Assange, he “logged into a teacher’s computer who [he] didn’t like and tried putting inappropriate pictures on his computer to annoy him.”
So he shoulder-surfed the password. Wait until you find out how long ago that happened. In an interview with yet another news station:
Green, interviewed at home, said students would often log into the administrative account to screen-share with their friends. They’d use the school computers’ cameras to see each other, he said.
Green had previously received a three-day suspension for accessing the system inappropriately. Other students also got in trouble at the time, he said. It was a well-known trick, Green said, because the password was easy to remember: a teacher’s last name. He said he discovered it by watching the teacher type it in.
So the district knew last year they had a problem. And what did they do to prevent recurrences? And what did they do to educate the students to understand the seriousness of their conduct?
And why did they issue one password to teachers two years ago, as ABC reports:
During a news conference, Sheriff Chris Nocco said approximately two years ago one password had been given to teachers, which somehow made it into the hands of a student, which was then passed on.
Nocco said the student had the password and was able to make remote access to the computer and was looking for porn.
Apparently a picture of two men kissing is “porn?” Oh well, that may be a whole other discussion.

“Surveillance is as surveillance does.” F. Gump
Joe Cadillic writes that as more and more smart meters and smart devices are deployed, the government will have access to more and more details of our private lives. And it’s the Department of Homeland Security that he’s particularly concerned about:
The answer’s obvious, Homeland Security is behind it. Click here & here to read more.
There’s even a ‘National Energy Sector Cyber Security Organization’ funded by both the DOE and DHS. For those of you “in the know,” you know there’s really no difference between the DOE and DHS; they’re one and the same. Click here, here & here to read more.
Need more proof ‘Smart Meters’ are controlled and monitored by DHS? Look no further than DHS’s ‘Control Systems Security Program’, where they admit to working with “control systems owners, vendors and law enforcement”.
“The Industrial Control Systems Cyber Emergency Response Team collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”
Read more on MassPrivateI.

From the “You ain't got no stinking privacy!” department: That argument should raise a few eyebrows, even in Philadelphia.
Dustin Slaughter reports:
The City of Philadelphia does not want you to know in which neighborhoods the Philadelphia Police Department (PPD) is focusing their use of powerful automatic license plate readers (ALPR), nor do they want disclosed the effectiveness (or lack thereof) of this technology, as they continue to fight a Declaration public records request filed in January with MuckRock News.
City officials argue in their response that every metro driver is under investigation, in an effort to exempt so-called criminal investigatory records from release under PA’s Right-to-Know Act:
Read more on The Declaration.

This isn't a privacy issue, because the photos are “art”
Hili Perlson writes:
A Supreme Court ruling in favor of photographer Arne Svenson brings troubling news for privacy advocates (already distraught by Edward Snowden’s Smashed Laptop Displayed at the V&A).
When his show “The Neighbors” opened at Julie Saul Gallery in 2013, it was met with outrage, followed by legal action.
Svenson had been taking pictures of New York residents inside their lower Manhattan apartments with a telephoto lens, thus confirming one of the biggest fears New Yorkers have concerning their privacy.
Read more on artnet.
[From the article:
However, conceding that Svenson's work is in fact art is what won the case for him, as the judges' verdict was based on Svenson's First Amendment rights as an artist.
… According to the HR, while New York laws prohibit the “non-consensual use of a person's name, portrait or picture for advertising or trade purposes," the laws also allow an exception for news media and so-called “matters of public concern."

I'm sure everyone will follow everything. (How many people service these accounts?)
Social Media Directory – DHS
by Sabrina I. Pacifici on Dec 27, 2014
“The Department of Homeland Security and its component agencies use numerous social media accounts to provide you with information in more places and more ways [the listing is quite long – what appears below is only a portion of the total]. The Department uses non-government sites to make information and services more widely available. Sometimes we are directly engaging with you on these sites, sometimes we use these services because we want to be where you already are. It’s important to remember that these are commercial sites and are not required to follow government standards.
[Lists omitted. Bob]

Social Networks / Anti-Social Networks. The definition often is very personal.
Divorce by Facebook: New York woman gets OK to file papers online
… Ellanora Arthur Baidoo has been trying to divorce her husband for several years, according to her attorney, Andrew Spinnell.
But, Spinnell said, he and his client haven't been able to find Victor Sena Blood-Dzraku to serve him the papers. Baidoo has been able to reach her husband by phone and "he has told her that he has no fixed address and no place of employment," according to court documents.
"He has also refused to make himself available to be served," the document said.
After exhausting other ways of serving him the papers, Spinnell filed an application asking for "service by alternate means," in this case, via social media.
In his decision, Justice Matthew Cooper said the "advent and ascendency of social media," means sites like Facebook and Twitter are the "next frontier" as "forums through which a summons can be delivered."

Yet another surprising user of social networks? Only if you believe that these elected officials actually type Tweets themselves. I have to think these guidelines are intended to prevent another disaster like the “Hillary's Emails” debacle.
Social Media in the House of Representatives: Frequently Asked Questions
by Sabrina I. Pacifici on Apr 10, 2015
CRS – Social Media in the House of Representatives: Frequently Asked Questions – Jacob R. Straus, Analyst on the Congress; Matthew E. Glassman, Analyst on the Congress. April 2, 2015.
“Recently, the number of Member offices adopting social media as an official communications tool has increased. With the increased use of social media accounts for official representational duties, the House has adopted policies and regulations regarding the creation, content, and use of third-party social media services. This report answers several questions about the regulation of social media accounts in the House of Representatives.
• How does the House define social media?
• How are social media accounts regulated in the House?
• What makes a social media account an official resource?
• Can Members use official funds for social media?
• Is some content prohibited on official social media accounts?
• Do the mass communications regulations apply to social media?”

An interesting application of Data Analytics that my students should be thinking about. (Can you “game” the system?)
Can People Analytics Help Firms Manage People Better?
Companies are starting to use data and sophisticated analysis in issues such as recruiting, compensation and performance evaluation because they believe it can help in better decision making.
The Wharton People Analytics Conference 2015 opens in Philadelphia today. Cade Massey, practice professor of operations and information management, and Adam Grant, professor of management and psychology, who lead Wharton’s people analytics initiative, spoke with Knowledge@Wharton about why a data-driven approach to managing people at work is gaining traction.

Laugh at education...
Hack Education Weekly News
… A “discussion draft” of a revision to FERPA was released to the US House of Representatives’ education committee.
Three similar bills recently introduced in the Minnesota legislature would require school districts to notify parents or guardians every time a fellow parent, guardian, or an adult student deems instructional material such as books or movies to be “sexually explicit or obscene and therefore harmful to minors.” Although the bills do not require discontinuing use of the disputed material, the most extreme version would force districts to publicly justify its retention in the curriculum. To make matters worse, all three bills would apparently allow complainants to remain anonymous.
A crowdfunding campaign to robocall all New York parents, urging them to opt their children out of standardized testing. Gee, no issues with privacy or data brokering there.
… From the National Education Policy Center, a report called “On the Block: Student Data and Privacy in the Digital Age.” Education Week’s summary:
Its authors, Alex Molnar and Faith Boninger, both University of Colorado researchers, recommend that legal protections be extended beyond students’ formal educational records to include the wide range of student data – including anonymous information and “metadata,” such as what type of device a student is using or where they are accessing the Internet – that is now frequently collected and shared by ed-tech companies. The researchers also recommend that the legal burden to protect students’ information be shifted to include vendors, as well as schools and districts.

This could be useful for my students! What other software might be useful in your browser!
How to Run LibreOffice in Your Web Browser
LibreOffice has done it. They have made the full transition from a speculative branch of popular alternative office software Apache OpenOffice to genuine competitor. Their recent announcement that LibreOffice would be joining the swelling ranks of cloud based office software was met with excitement – there appears to be a massive amount of goodwill toward LibreOffice, and their growing ability to challenge Microsoft continues to attract interest.
It isn’t ready just yet. It should be ready by the end of the year. It was originally conceived way back in 2011, alongside announcements for Android and iOS versions – both of which are also yet to appear, with the iOS version potentially never appearing. However, if you want – nay, demand LibreOffice in your browser before the end of the year, MakeUseOf has you covered. Read on, friend!
Using RollApp
If you haven’t come across RollApp yet, it’s certainly worth a look. RollApp builds a cloud based virtual platform, allowing you to run applications within your web browser. Applications behave exactly how their desktop counterparts do, albeit with minute time differences, depending on your Internet connection.
