Saturday, October 03, 2015

Targeting clients for a little “spear phishing?” I'm not sure I would have agreed to hold off notifying my clients. The crooks must know they will eventually be hunted. If they are in China, how does this help anything? Interesting ethical question.
Scottrade Discloses Data Breach Potentially Targeting 4.6 Million Clients
Discount brokerage Scottrade Inc. disclosed a data breach Friday that appeared to target the names and street addresses of about 4.6 million clients.
The firm believes criminal activity penetrated its network between late 2013 and early 2014, and may affect clients who opened an account before February 2014.
… “Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident,” the company said in a statement.
… Scottrade said it was alerted to the breach by federal authorities in late August and was asked not to share any information due to the continuing criminal investigation. The authorities were investigating cybertheft from Scottrade and other financial services companies.

An update. I read it that way too. I still fall for bad reporting. Too trusting I guess.
No, the Experian hack did NOT go on for over two years: it happened last month
In reading a lot of the coverage of Experian’s breach affecting those who applied for T-Mobile USA accounts, I noticed that some journalists and others seemed to interpret Experian’s statement as indicating that the data were hacked/accessed over a two-year period (from September 2013 to September 2015). As I noted to a commenter earlier today, I had read Experian’s statement (and T-Mobile’s statement) as meaning that the hacked database held data from those who applied for T-Mobile accounts between September 2013 until the breach was discovered, but that the hack itself occurred during a relatively brief and recent period.
My impression was formed, in part, because in their submission to the California Attorney General’s Office, Experian reported that the breach occurred on September 14, 2015, and was discovered on September 15, 2015.
So I emailed Experian earlier today, told them my understanding of the timeframe, and asked them to clarify what the time frame of the hack was. Spokesperson Susan Henson responded:
Regarding the timing of when the intrusion happened, yes, much of the reporting on that topic has been incorrect. The breach was not undiscovered for two years. Our investigation shows the activity took place over a number of days in mid-September, not two years as was reported by some media outlets. In fact the intrusion was discovered, investigated and secured in a matter of days, and our notice to consumers and standing up a support call center and identity theft protection service happened yesterday, Oct. 1. The notice to state AG’s happened today.
Where I think the confusion happened is that the data acquired was for some T-Mobile USA customers who applied for services between Sept., 2013 and Sept. 16, 2015.
You got the timing of the actual intrusion correct and on Sept. 15 we discovered the unauthorized access.
So there you have it: the breach occurred last month and was discovered within days.

For my Risk Management and Computer Security students. If you ignore a warning, aren't you increasing your liability?
More sites may be in danger following Patreon hack
In the days running up to the massive hack on the Patreon database, the company was apparently warned about a major programming issue that could result in the compromise of information.
A special report from Ars Technica documented how Patreon was notified by Swedish security firm Detectify regarding the serious error, and how that same firm believes that that error was what hackers exploited when they published 15 GB worth of sensitive user information, including passwords and private messages. This, according to the tech publication, was “nothing short of facepalm material,” and other sites may have similar errors that may allow them to be hacked in the future.

Is this normal? (See the article)
Homeland Security Detains Stockton Mayor, Forces Him To Hand Over His Passwords
Mike Masnick writes:
Anthony Silva, the mayor of Stockton, California, recently went to China for a mayor’s conference. On his return to San Francisco airport he was detained by Homeland Security, and then had his two laptops and his mobile phone confiscated. They refused to show him any sort of warrant (of course) and then refused to let him leave until he agreed to hand over his password [Would this be kidnapping or extortion? Bob]
Read more on TechDirt.

These are not Snowden's picks. Strange they don't mention the Privacy Foundation. Probably because we don't Tweet!
Snowden’s on Twitter, Here Are 7 More Privacy Advocates to Follow

“We can, therefore we must!”
LinkedIn might have to pay you money for spamming your email contacts
… In 2013, a class-action lawsuit accused LinkedIn of accessing users' email accounts without their permission and unwittingly using their names to send email invitations to people in their address books.
At the time, LinkedIn called many of the accusations false.
The court agreed that LinkedIn members did give the social network permission to use their email contacts to send connection invitations.
But the court found that although LinkedIn members consented to importing their contacts and sending LinkedIn connection requests, they did not consent to the two additional "reminder emails" that LinkedIn would send about those requests.

Reduce all second class citizens to a number, making it easier to avoid treating them as people. Watch this and remember it when the US wants to do the same.
JP: My Number system raises red flags ahead of notice release
From Kyodo News:
Despite being trumpeted as ushering in a more efficient, egalitarian society, the government’s controversial My Number system that starts with identification numbers being sent out to residents of Japan next week is raising serious qualms about invasion of privacy and leakage of personal information.
These are not the only concerns, however.
Read more on Japan Today.
[From the article:
… Others relate to the heavy burden the project will put on businesses that will be tasked with collecting the identification numbers of employees and part-time workers—not to mention their family dependents.
Add to this the fuss about how exactly a tax rebate proposal under the system will work, fears about photo-ID cards being lost, and question marks over whether municipalities are capable of handling the expected number of applications.

Perspective. Has war been declared? (Check the interactive graphic!)
Putting Mobile Ad Blockers to the Test
To block ads or not to block ads on your mobile device? That’s the philosophical dilemma facing consumers since Apple added support for ad blockers to its iPhone operating system a couple of weeks ago.
To help answer the question, we decided to put multiple ad blockers to the test.
… The advantages of ad blocking seem obvious. Not only can consumers eliminate the clutter of promotions, but eradicating data-intensive ads could help deliver faster web page load times and longer battery lives for devices. Dean Murphy, who developed the ad-blocking app Crystal, said blocking programs might also encourage publishers to create better ads that are less taxing on mobile gadgets.

Perspective. Visualizing Big Data.
How Much Physical Media Would it Take to Store the Internet?

Perhaps my students could point their children to these.
Zing! - Thousands of Free eBooks for Students
Zing is a new service offering thousands of free fiction and non-fiction ebooks to teachers and students. On Zing you can browse for books by topic, language, or reading level. You can read the books in your web browser on a laptop or tablet.
Zing is more than just a repository of free ebooks. In the Zing reader students will find a built-in dictionary and tools for taking notes while they read.
If you create an account on Zing you will be able to create Zing classrooms. In those classrooms you can create and manage accounts for students. Through your Zing classroom portal you can check your students' reading logs.
[From the Zing website:
Zing’s proprietary eLearning functionality embeds teaching points directly into the digital texts, providing an interactive, engaging, and instructional learning experience for student readers.
Personalized Learning Package: Teachers have the ability to add their own eLearning teaching points to ANY Zing text! Teaching points can be differentiated by student, by title, or by reading/writing skill or strategy.

For my researching (all) students.
Searching SSRN Just Got Easier
by Sabrina I. Pacifici on Oct 2, 2015
About SSRN: “SSRN’s new page centralizes all the tools you need to find stuff in the eLibrary. We combined Quick Search and Advanced Search onto one tab, and made it simple to switch to Browse SSRN Networks or Browse JEL Codes. Did you even know all of those functions existed?
What’s New for the Savvy reSearcher? – In the Advanced Search area, we kept the traditional search options: title, abstract ID, keywords, author name, or date range, but added more. You can now further refine your search by selecting the Subject Matter Networks you want to search within – the default is all networks but you can store your preference.”

The Neverending Story.
Kim Dotcom’s extradition: the prosecution rests, now it’s time for the defence
… The prosecution relied heavily on documents provided by the United States Department of Justice - which included emails and Skype messages from the Megaupload team - to prove its case.
Now Dotcom’s defence team has its chance to debunk the prosecution’s arguments, and its biggest asset appears to be the fact that Megaupload only facilitated piracy and therefore did not itself pirate content. However, the explicit nature of the documentation provided by the prosecution means that the defence has a difficult climb ahead.

(Related) Is this unusual?
Crown unable to produce Dotcom extradition notices
… North Shore district court services manager Fiona Parkes - a witness for the Crown - today produced several documents she said appeared to be copies of the extradition requests.
Mr Dotcom's lawyer Ron Mansfield pointed out the documents were not date-stamped and asked Ms Parkes if she knew whether any originals existed.
She said she did not.

Every week this column amuses (and depresses) me.
Hack Education Weekly News
… Earlier in the week, Duncan proposed a “prison-to-school pipeline,” reducing the number of people incarcerated for non-violent crimes and using the money saved for pay raises for teachers in high poverty schools. [Does this sound strange to you? Bob]
Via Education Week: “Wyoming could become one of the first states to institute broad protections for students unwilling to give school officials access to their social media accounts. The proposal, which made its way through the state Task Force on Digital Information Privacy, now sits before the state’s joint education committee.”
… A federal judge has ruled that “students who experience traumatic events while growing up in poor, turbulent neighborhoods could be considered disabled,” NPR reports. The ruling comes as part of a class action lawsuit against the Compton School District. (The judge also denied the plaintiffs’ request for class action status.)
Via the Southern Poverty Law Center: “A federal judge in Alabama has found that the Birmingham Police Department violated the constitutional rights of students in public schools by using pepper spray to deal with minor discipline problems and by failing to ensure that children were decontaminated afterward.”
… The Kansas Court of Appeals reversed the expulsion of Navid Yeasin, a University of Kansas student expelled for tweets he made about his ex-girlfriend.
Via The Chronicle of Higher Education: “A Year After Starbucks Offered Tuition Discounts at Arizona State, Who's Enrolling?” Spoiler alert: about 3700 employees, far fewer than the enrollment projections of 15,000.