Thursday, May 07, 2015

As I've been suggesting, healthcare offers some “low hanging fruit.” Here's proof.
The healthcare industry is experiencing a surge in data breaches, security incidents, and criminal attacks—exposing millions of patients and their medical records—according to the latest Ponemon Institute study, sponsored by ID Experts®, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. The findings also show that most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes to protect patient data. According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. To learn more about the Fifth Annual Study on Privacy & Security of Healthcare Data, visit for a free copy.

(Related) And here's another in a long line of bad examples.
On March 18, attorneys for Summit Health, Inc. in Pennsylvania notified the Maryland Attorney General’s Office that on February 19, the hospital had learned [Translation: “We were told by someone else” Real computer security would have “discovered” or “detected” the breach. Bob] that some of its employees had fallen for a phishing attempt.
As a result of the successful phishing, employees’ information in the Lawson Employee Self-Service System, used to access payroll and benefits information, may have been accessed by unauthorized individuals. Included in that system was employees’ W-2 tax information, including income and Social Security numbers. Dependents’ information might also have been accessed.
Those employees who were affected were offered a year of credit monitoring with Experian.
The total number potentially impacted was not disclosed, but this seems to be another instance of healthcare entities being targeted by phishing attempts. In this case, it was employee information that was potentially compromised and not any patient information, but the problem is the same.

For my Computer Security students. It would be better to check email attachments yourself.
It seems Six Continents Hotels (InterContinental Hotel Groups) was notified earlier this year by the Secret Service that some of its hotels had suffered a data security breach. One of the hotels IHG subsequently notified was Cities Service (Holiday Inn Express & Suites in Sulphur, Louisiana). IHG alerted them on February 11, 2015.
When Cities Service investigated, they found a malicious email attachment had compromised their payment system and exposed 613 customers’ names, addresses, payment card numbers, and expiration date. The exposure period was October 13, 2014 until February 11, when they contained the breach.
Cities Service said it had no evidence of misuse, but offered those affected credit monitoring and fraud assistance services with IDT911.
… Here’s Cities Service’s notification to the New Hampshire Attorney General’s Office, but I’m wondering what the other impacted hotels were, how many there were, and whether we’ll see notifications from them. I don’t recall seeing any others related to this incident so far. You can find a listing of their chains and properties on IHG’s web site. There doesn’t seem to be any notice on their site that I can locate.

Is this Napoleon's law?
French secret tapes of Sarkozy ruled legal in inquiry
A French court has ruled that wire-tapped conversations between ex-President Nicolas Sarkozy and his lawyer can be used as evidence in an ongoing corruption investigation.
The decision is seen as a blow for the centre-right leader, who is likely to bid again for the presidency in 2017.
Mr Sarkozy is suspected of promising a sought-after position to a judge in return for information on another case.
But he was already being bugged as part of the earlier investigation.
That case against Mr Sarkozy, the UMP leader, was eventually dropped.

You can see why Google asked to be relieved of this search. Would Google's search make anything discovered automatically challengeable by the defense? (We teach students how to find the data needle in the Big Data haystack. Looks like they will have plenty of job opportunities with law enforcement when we graduate them.)
Orin Kerr, having thanked the supporters of his very short-lived campaign for President,* returns to the hard work of legal scholarship:
I’m working on a new law review article about the internal procedures that Internet providers follow when executing search warrants for content. Given that, I was particularly interested in this new decision from a magistrate judge in Alaska relieving Google of a duty to execute a warrant by combing through stored files for relevant content.
The case involves a search for evidence in e-mail accounts that were used to respond to a Craigslist advertisement about underage sexual activity.
Read more on The Volokh Conspiracy.
* is devastated that Orin, a candidate without a web site or a privacy policy, dropped out of the race, leaving us with the same stale candidates of yore.
[From the Alaska decision:
Specifically, for these narrow periods of time, the warrant directed Google to produce:
[T]he contents of electronic or wire communications held in the SUBJECT ACCOUNTS, including:
a) all electronic or wire communications with a minor or any person purporting to be a minor, or claiming to have access to a minor, or that otherwise involve the enticement of a minor to engage in sexual activity for which any person can be charged with a criminal offense (including email text, attachments, and imbedded files) in electronic storage by the PROVIDER, or held by the PROVIDER as a remote computing service (if any), within the meaning of Stored Communications Act;
… Google filed the instant motion in response to the published order.[3] Google contends it resisted the first warrant, not because of the narrow date-range limitation—in fact, Google represents that it "prefers date range limitations," and regularly responds to warrants for email content circumscribed by date range limitations.[4] Rather, Google asserts it objected to the first warrant because it required Google to inspect email content for relevancy and evidentiary value

(Related) Is the Ninth Circuit agreeing? Kind of? Would Google have stopped and asked for a new warrant? posted this summary and case, although I think John omitted an important “not” when he wrote “the least intrusive measures are required.” The opinion seems to indicate that the court held they were not required, citing Quon, unless I’ve misunderstood:
No special protocol required for a computer search warrant, but vigilance of the court is expected in review to protect against overreaching. Also, the least intrusive measures are required. United States v. Nessland, 2015 U.S. App. LEXIS 7360 (9th cir. May 4, 2015):
It did not specify “‘the precise manner’” of execution, but it was not required to do so. United States v. Grubbs, 547 U.S. 90, 98, 126 S. Ct. 1494, 1500-01, 164 L. Ed. 2d 195 (2006). The officers were searching for a particular type of photographic image and came across the images in question here, which were in plain view. See United States v. Wong, 334 F.3d 831, 838 (9th Cir. 2003). Thereupon, they stopped their search, and did not return to it until they obtained another warrant that covered the new type of images. See United States v. Giberson, 527 F.3d 882, 885, 889-90 (9th Cir. 2008). That approach did not violate Nessland’s rights. Indeed, this case is much like United States v. Schesso, 730 F.3d 1040 (9th Cir. 2013). There, as here, no special protocol was required, and the officers did follow the procedures set forth in the warrant application. Moreover, as here, there was no real risk of exposing other people’s data, and there was no sign of overreaching. Finally, even if some added protections could have been used here, the officers were not required to seek out and use the least intrusive means. See City of Ontario v. Quon, 560 U.S. 746, 763, 130 S. Ct. 2619, 2632, 177 L. Ed. 2d 216 (2010); Quon v. Arch Wireless Operating Co., 554 F.3d 769, 772-73 (9th Cir. 2009); see also Giberson, 527 F.3d at 889-90. While we are well aware of the need for vigilance, [citing CDT] we are satisfied that Nessland’s rights were not violated by the search.

This (to me) is a failure of the State Department audit team. I would want to ensure that security procedures were followed, particularly when someone new takes over. What did they change? Did the change improve security?
State Dept: Clinton's personal email use ‘not acceptable’
Former Secretary of State Hillary Clinton’s use of a personal email account run through a private server was "not acceptable" and happened without officials’ knowledge, [Only possible if no one wanted to know. Bob] a top State Department record-keeper said on Wednesday.
… “The actions that we’ve taken in the course of recovering these emails has made it very clear what the responsibilities are [But not who was responsible? Bob] with regard to record-keeping,” she added in remarks at a Senate Judiciary Committee hearing on government transparency.

Isn't this the candidate who said Presidential candidates had to understand technology?
NBC takes down Fiorina YouTube clip
… Hours after the former Hewlett-Packard CEO appeared on NBC’s “Late Night with Seth Meyers," the network blocked her campaign’s attempt to post a clip from the show on YouTube.
“This video contains content from NBC Universal, who has blocked it on copyright grounds,” an error message on the clip said on Wednesday morning.

Another predictable “conflict.” If I download the “blueprints” but don't own a 3D printer am I violating any gun laws? (Even in New York City?) If I have a 3D printer, but never download “blueprints” an I still a suspect in the eyes of the government? Isn't this exactly the same argument Phil Zimmerman made about PGP encryption? (Item 1)
The 3D-Printed Guns Fight Is On
Should 3D-printed guns be legal? It’s a question that isn’t easy to answer, because it pits the right to the freedom of speech against calls for stronger gun control. Two emotive subjects without much in the way of gray areas and compromise. Especially in the United States. Still, it’s an issue that needs deciding, and fast.
Why? Because the blueprints for a 3D-printed firearm are already out there on the Internet, and have been for two years thanks to Cody Wilson. He created the Liberator, a plastic pistol that anyone can piece together using 3D printing. The State Department demanded he remove the blueprints from the Internet, but two years on he’s challenging that demand.
According to Wired, Wilson’s advocacy group Defense Distributed has filed a lawsuit claiming the Directorate of Defense Trade Controls (DDTC) “violated their first amendment right to free speech.” The question is whether posting blueprints for a 3D-printed gun violates arms export controls or not. Suffice to say, it’s a highly complex issue.
The problem is that while it’s being discussed, hundreds of thousands of people are downloading the blueprints for Liberator, and the most enterprising of these people are actually evolving the design. It’s unlikely the 3D-printed firearms genie can ever be put back into the bottle, but we still need to decide what, if anything, we’re going to do about it from here on out.

Part of any Computer Security planning. If you can't stop employee access in a timely fashion, at least keep (and review) a log of the files the employee accesses.
According to a recent survey by IS Decisions, 75% of businesses leave themselves open to infosecurity breaches from former employees by not following strict post-employment processes to ensure employees no longer have access to information. has more on the survey.
Now add in the risks of employees who know they will be leaving their jobs and help themselves to your valuable data to help them set up their own business. This week’s case in point is Experian, who has sued a former marketing executive, alleging he stole trade secrets and poached former employees to start his own firm when he learned his position would be eliminated.

This can't be a small gang. Should be interesting to follow.
… Only after they’d ruled out a silly accounting error or a simple case of some errant animals did they call the law enforcement arm of the Texas and Southwestern Cattle Raisers Association. They reported what they’d feared from the start: 1,121 unbranded steer calves had been stolen, making it among the largest cattle thefts that anyone could remember.
The logistics of pulling off a heist of this size were straight out of “Where in the World is Carmen Sandiego?” Braum’s had found that the stolen calves weighed between 300 and 750 pounds, meaning that the combined lot would likely have tipped the scales at over 500,000 pounds. Texas Monthly’s John Nova Lomax estimated that it would have taken more than 30 cattle trailers, each 36 feet long, to haul off the animals, and it insulted logic to imagine that a fleet of massive farm vehicles would have evaded detection.

A Big Data (gathering) issue.
ARL Joins Hague Declaration for Changes to Intellectual Property Law, Equal Access to Knowledge
by Sabrina I. Pacifici on May 6, 2015
ARL – “More than 50 organizations around the world—including ARL—have signed the Hague Declaration on Knowledge Discovery in the Digital Age, which calls for immediate changes to intellectual property (IP) law and the removal of other barriers preventing widened and more equal access to data. Improved treatments for diseases, answers to global issues such as climate change, and billions in government savings are among the potential benefits to be gained, if the principles outlined in the Hague Declaration are adopted by governments, businesses, and society. The declaration asserts that copyright was never designed to regulate the sharing of facts, data, and ideas—nor should it. The right to receive and impart information and ideas is guaranteed by the Universal Declaration of Human Rights but the modern application of IP law often limits this right, even when these most simple building blocks of knowledge are used. “The rapidly changing digital environment, increased computing power, and the sheer quantity of data being produced make it essential for researchers and society to be able to use modern techniques and tools to help them make new discoveries. Research practices could be revolutionized and lives could literally be saved, if we can achieve better access to the knowledge contained within big data,” said Kristiina Hormia-Poutanen, president of LIBER, the Association of European Research Libraries, which has led work to develop the declaration. A new approach to knowledge discovery is critical at a time when society is facing a literal data deluge. The digital universe, or the data we create and copy annually, is doubling in size every two years and is expected to reach 44 trillion gigabytes by 2020. In addition to clarity around the scope of IP law, a skills gap and a lack of infrastructure must also be addressed if computers are to be better employed to extract and recombine data in order to identify patterns and trends. This process, known as content mining, is widely recognized as the only way to deal effectively with big data…”

Professor Soma at DU's Sturm College of Law shared this:
Guide to Big-Data Providers

Start planning. 2016 will be here this fall.
Hands on: Office 2016 preview focuses on data-gathering and collaboration in the cloud
… “We are moving from Office for us, to Office with others,” Microsoft chief executive Satya Nadella declared during Microsoft’s Build keynote last week.
Microsoft released the consumer preview of Office 2016 on Monday. You won’t find dramatic redesigns of its user interface—those are reserved for the universal Office apps that Microsoft has built or is building for its mobile platforms.
… Office 2016 also shifts how we interact with data in one important way: It actively encourages you to share data via the cloud, rather than files that you download and append to documents. The “death of downloading” hasn’t happened yet, but it seems nigh.

Get the Office 2016 Preview for home

For my students.
4 Ways to Install Ubuntu Linux on a Windows Computer

This website always has interesting (and timely) examples of statistics for my students. Also look at the chart on fumbles!
This afternoon the NFL released the results of an investigation into whether or not the New England Patriots intentionally deflated footballs below league standards.
… The report — especially the stat-sy appendix — went to great lengths to show that the difference in pressure between the Pats’ and Colts’ footballs was not due to chance.

You don’t need a stats degree to look at that table and see that something is amiss.

I really, really, really suggest my students grab one of these.
Rise and shine: 8 eye-opening alarm clock tips for iOS and Android

5 Social Alarm Apps to Help You Get out of Bed

No comments: