Wednesday, September 23, 2015

Will the FTC add a fine of their own?
Sarah N. Lynch reports:
A St. Louis-based investment advisory firm will pay $75,000 to settle civil charges alleging it failed “entirely” to protect its clients from a July 2013 cyber attack that was later traced to China, U.S. regulators said on Tuesday.
The Securities and Exchange Commission said R.T. Jones Capital Equities Management did not even encrypt its customers’ data or install a firewall on its servers, and the hack compromised the personal details of about 100,000 people.
Read more on Reuters.
Previous coverage of their breach here. Note that at the time, we had no idea of how extensive the breach was in terms of numbers. This appears to be the first time we’re learning that 100,000 (and not hundreds) of people were affected.

Actions short of war... Inevitable. There's gold in them thar bits & bytes.
What Goes Around Comes Around: Russia Gets Hacked
… For more than two months, hacker attacks originating in China have bedeviled Russia's military and telecom sectors, researchers at Proofpoint revealed last week.
"We also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers' targeting tactics," wrote Thoufique Haq and Aleksy F, authors of the report.
The attacks began with carefully crafted emails designed to lure recipients into following a URL to a compressed archive file containing malicious software, or to open an infected Microsoft Word attachment, the researchers explained.
Once infected, a machine downloads a Remote Access Trojan, or RAT, called "PlugX."

(Related) Just because they're a Chinese company... (and because it's so easy!)
Michael Horowitz uncovered some tracking or monitoring software in ThinkPad that customers will want to know about. Using TaskScheduleViewer in Windows 7 Professional, Horowitz found a task called “Lenovo Customer Feedback Program 64”.
It was running daily. According to the description in the task scheduler: “This task uploads Customer Feedback Program data to Lenovo”.
I have set up my fair share of new Lenovo machines and can’t recall ever being asked about a Customer Feedback program.
The program that runs daily is Lenovo.TVT.CustomerFeedback.Agent.exe and it resides in folder C:\Program Files (x86)\Lenovo\Customer Feedback Program.
Other files in this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.
According to Wikipedia, Omniture is an online marketing and web analytics firm, and SiteCatalyst (since renamed) is their software as a service application for client-side web analytics.
So, while there may not be extra ads on ThinkPads, there is some monitoring and tracking.
Read more on Computerworld.

(Almost) Too common to note.
The Canadian Press reports:
The B.C. government says a hard drive containing personal information and student records of 3.4 million residents in British Columbia and Yukon has been lost.
Technology Minister Amrik Virk says the unencrypted data from 1986 to 2009 also includes information about children in care, teacher retirement and graduation dates for cancer survivors.
The minister says the hard drive also contains decades’ worth of names, grades, postal codes and personal education numbers.
Read more on Globe and Mail.
Were these data unencrypted, as I fear? (Answer: YES). What physical security did the government have for this drive?
For a more detailed listing of the 437 GB of contents of this drive containing 8,766 folders with 138,830 files, see this release from the government.

Your tax dollars at work. This should be a consideration when budgeting your Computer Security.
Feds Award $500M Credit-Monitoring Contract Following OPM Breach

Not really exploding, but “self-destructing.” What great fun for my Ethical Hacking students.
Exploding Chip Could Thwart Cyberthieves
Researchers at Xerox PARC have developed a self-destructing mechanism for microchips embedded on a hardened glass surface.
The glass can self-destruct upon command and could be used to secure personal data such as health and banking records. It also can be used to destroy encryption keys stored on memory chips in standard consumer, enterprise and government electronic devices.
The research is part of the Defense Advanced Research Projects Agency's Vanishing Programmable Resources project.

I still don't have (need?) a smartphone.
In North Carolina, where the State Court of Appeals relied on Third Party Doctrine, the answer is no.
The Free Press reports:
Should you be suspected of a crime, the state Court of Appeals – in an opinion released Tuesday – ruled law enforcement can discover where you are through your mobile phone location without needing to obtain a search warrant.
Indeed, according to the court, obtaining such information isn’t construed as a search.
Read more on Government Technology.

An unintended consequence or a consequence of secrecy? This could have firms scrambling. (But doesn't every country do this?)
EU-US data flows using “Safe Harbour” may be illegal because of NSA spying
The "Safe Harbour" framework—which is supposed to ensure data transfers from the EU to the US are legal under European data privacy laws—does not satisfy the EU's Data Protection Directive as a result of the "mass, indiscriminate surveillance" carried out by the NSA. That's the opinion of the Court of Justice of the European Union (CJEU) Advocate General Yves Bot, whose views are generally followed by the CJEU when it hands down its final rulings.
The case was sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximillian Schrems, an Austrian citizen. He had argued that in light of Snowden's revelations about the NSA, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the US under the Safe Harbour scheme was not, in fact, adequately protected. The Advocate General Bot agreed with Schrems that the EU-US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.
According to the CJEU statement (PDF link), "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU]." Another issue, according to the Advocate General, was "the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States," which therefore amounts to "an interference with the right of EU citizens to an effective remedy, protected by the Charter."

The downside of failure to understand technology. “Deleted” does not mean “unrecoverable.”
FBI Said to Recover Personal E-Mails From Hillary Clinton Server
The FBI has recovered personal and work-related e-mails from the private computer server used by Hillary Clinton during her time as secretary of state, according to a person familiar with the investigation.
The Federal Bureau of Investigation’s success at salvaging personal e-mails that Clinton said had been deleted raises the possibility that the Democratic presidential candidate’s correspondence eventually could become public. The disclosure of such e-mails would likely fan the controversy over Clinton’s use of a private e-mail system for official business. [You think? Bob]

Perspective. The “face” of the news?
Facebook Ramps Up Its Instant Articles, and the Washington Post Is All In
Last spring Facebook started hosting stories from the New York Times, BuzzFeed and other publishers directly on its iPhone app — a move that generated much chatter and hand-wringing about the Future of Media.
… The Post has also published its full content on other platforms, like Flipboard. But the move is a symbolic one for Facebook, which is now one of several platforms that want to host digital publishers’ stuff.
Snapchat has its Discover feature, Apple just launched Apple News, and Google and Twitter are working on an open-source version of the concept that they are explicitly pitching as a response to Facebook.

Perspective. We abandoned gold, now we abandon reality?
NY regulator issues first license for bitcoin company
Circle Internet Financial, a Boston-based bitcoin startup backed by Goldman Sachs Group Inc, has received New York's first BitLicense, allowing it to offer digital currency services in the state.
The firm, founded in 2013, released a new version of its mobile payment service on Tuesday.
The BitLicense from the New York Department of Financial Services is based on the first set of U.S. state guidelines for companies that operate in virtual currencies such as bitcoin, which is created and exchanged independent of banks.
[In case you want to get in on the ground floor:

Too nerdy?
'Star Trek' virtual tour will recreate every deck of the Enterprise

For my Spreadsheet students, but I rarely ask them to print anything. Paper is so “Age of the Pharaohs.”
How to Print an Excel Spreadsheet on One Single Page

For all my students.
How to Learn Anything New with 5 Sure-Fire Tips

To my horror, I discovered that some of my students (and not just the International students) did not know who Yogi Berra was!
Yogi Berra's most famous quotes: The wit and wisdom of the late Yankees legend
On getting enough rest:
“I usually take a two-hour nap from one to four.”
On "fan" mail:
“Never answer an anonymous letter.”
On education:
“I’m not going to buy my kids an encyclopedia. Let them walk to school like I did.”
“You can observe a lot by watching.”
On the future:
“The future ain’t what it used to be.”
On travel:
“If you don’t know where you are going, you might wind up someplace else.”
“Why buy good luggage, you only use it when you travel.”
“The towels were so thick there I could hardly close my suitcase.”
“When you come to a fork in the road, take it.”
On social life:
"Nobody goes there anymore, it's too crowded."
“It gets late early out here.”
On youth sports:
“I think Little League is wonderful. It keeps the kids out of the house.”
On the human anatomy:
“I don’t know (if they were men or women fans running naked across the field). They had bags over their heads.”
On receiving advice:
“Take it with a grain of salt.”
On weather:
“It ain’t the heat, it’s the humility.”
On finance:
“A nickel ain’t worth a dime anymore.”
On baseball:
“In baseball, you don’t know nothing.”
“We made too many wrong mistakes.”
“So I’m ugly. I never saw anyone hit with his face.”
“If the people don’t want to come out to the ballpark, nobody’s going to stop them.”
“Baseball is 90 percent mental. The other half is physical.”
“All pitchers are liars or crybabies.”
“We were overwhelming underdogs.”
“Bill Dickey is learning me his experience.”
“He hits from both sides of the plate. He’s amphibious.”
“I always thought that record would stand until it was broken.”
“I can see how he (Sandy Koufax) won 25 games. What I don’t understand is how he lost five.”
“I want to thank everyone for making this night necessary.”
On being thought of as a philosopher:
"I didn't really say everything I said."
On death:
“You should always go to other people’s funerals, otherwise, they won’t come to yours.”
