Sunday, December 06, 2015

Update – the downside.
In the wake of the Ashley Madison hack, we read a few reports that suggested that the revelations may have contributed to a few suicides. There is still fallout happening from that breach and data dump. Dean Balsamini reports:
A prominent New Jersey educator lost his job, his wife, his mind and possibly his freedom — thanks to the Ashley Madison hack, The Post has learned.
[The] district school superintendent of Randolph NJ, sustained severe burns while trying to torch his garage after confessing to his wife and school board he had an account with the infamous infidelity Web site.
The downward spiral accelerated. On the same day as the suspected arson, [he] was placed on paid administrative leave.
Two weeks later, on Oct. 27, he resigned from his $167,500-a-year job as school boss. Officials said, “It was in the best interest of both parties to end the employment relationship.”
Read more on NY Post.
I’ve omitted his name from the quoted material because his children are old enough to be online and to be Googling. I hope the media does respect their privacy and not make this worse for them. Maybe as a citizen journo I should be providing his name, but it just feels wrong right now. [See the Jonathan Zittrain TED talk, below. Bob] The point of the story is that the breach and data dump have had consequences for people’s lives.

For my Computer Security students.
Jigsaw Security Analytics posted an interesting report today.
Over the past few months we have been silently collecting data and comparing news articles to actual data that our OSINT-X platform has been monitoring.
We setup a quick test plan and implemented the plan in OSINT-X to basically read news articles, pull out any references to leaks of information, personal credential disclosures, breach notifications, etc and we started comparing this data to information being posted to Pastebin, other paste sites, Darknet and underground forums. The goal in this was to find out just how many times corporations actually disclose that they have been breached. To keep things fair we had manual review to ensure that the “breached” information was legitimate (meaning we checked to verify whenever possible before including the results in our statistics). What we found was quite interesting.
In this article, they reported on three sectors. I’m going to jump to their results in the healthcare sector:
By far the healthcare industry was the worst of the worst during this timeframe. From inadvertain (sic) prescriptions being sent to the wrong fax number to multiple instances of hackers stealing data, we really don’t even know where to begin.
During our analysis we noted a total of 305 individual incidents during the 90 day study period of which only 52 were publicly disclosed by the healthcare organization. It appears as though many times the victims are reluctant to disclose the issues out of fear of litigation or brand reputation.
Well, wait a second. Are you assuming that the entity even knows about the breach? If data are posted on a paste site, what makes you think the entity even knows about the problem? Did you contact them to inquire?
And if you didn’t contact them and they’re a U.S. entity covered under HIPAA, how do you know that the entity didn’t disclose the breach to HHS and send notification letters to individuals? Under HITECH, a covered entity has no obligation to issue a public statement/substitute notice unless certain conditions exist. So if you’re looking at small-n incidents and don’t see a public statement, it is not safe to assume that there has been no disclosure.
What was interesting is that of the disclosed leaks only 4 of them have had any sort of legal issue as a result of the breach itself. 3 events were insider theft of health information for illicit use.
It seems the healthcare industry as a whole refrains from reporting whenever they can get away with it even though the actual cost of a breach seems to be leveling out and many organizations are covered under cyber insurance policies.
Read more on Jigsaw Security Analytics. I want to find out more about their methodology and results.

Is this the future of news? Random photos with incoherent captions?
Snapchat’s Move Into Real-Time News is Fascinating
For an app that many—possibly even most—initially dismissed as a trivial tool for teens to send sexy texts that would automatically disappear, Snapchat has certainly come a long way. Not only does it have an estimated market value of about $16 billion, but it is also now seen by many media outlets as a viable platform for their news, thanks in part to its Discover feature.
… Although the company has experimented with news aggregation features a few times before now, the latest and most powerful example of it doing so came on Wednesday and Thursday, after a mass shooting in San Bernardino, Calif.
… Snapchat creates stories based around geographic locations such as Los Angeles every day, with random content uploaded by users about the city. The service usually employs GPS location tools to show that kind of story only to those who are in that city. But in the case of the shooting, the company made the San Bernardino stream available to everyone in the U.S., for the first time.
… The results of Snapchat’s news gathering can be seen in a post that Mashable did, as well as a similar piece that Business Insider did on the phenomenon. It’s a live stream of images and videos from people who were near the shooting location, including some shaky footage of people under lockdown.

This is how you say, “nyah nyah, na nyah nyah” in Russian.
BBC reports:
Russia has adopted a law allowing it to overrule judgements from the European Court of Human Rights (ECHR).
The vote in the Duma, Russia’s lower house of parliament, came the same day as the ECHR ruled against Russia’s Federal Security Service over spying.
The European court said Russia had violated privacy rights with a system to secretly intercept mobile phone communications.
The Russian constitution takes precedence under the new Duma law.
The measure was fast-tracked, giving the constitutional court the right to declare international court orders unenforceable in Russia if they contradict the constitution.
Read more on BBC.

Jonathan is an optimist? Perhaps too much of an optimist.
Jonathan Zittrain: The Web as random acts of kindness
Feeling like the world is becoming less friendly? Social theorist Jonathan Zittrain begs to differ. The Internet, he suggests, is made up of millions of disinterested acts of kindness, curiosity and trust.