Friday, January 15, 2016

Update. Still not clear. Are those Hyatt's processing systems or a third party?
Card Breach Affects 250 Hyatt Hotels Worldwide
Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.
According to the company, the investigation revealed unauthorized access to data associated with payment cards used at Hyatt-managed locations, mainly restaurants, between August 13, 2015 and December 8, 2015.
Customers for whom Hyatt does not have any contact information are advised to check the list of affected hotels to determine if they are impacted.
… “Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt’s statement,” said Brad Cyprus, chief of security and compliance at Netsurion, a provider of remotely-managed security services for multi-location businesses.

I would have expected attacks to drop like the price of oil. (Unless of course you are trying to slow production to raise prices.)
Oil and Gas Industry Increasingly Hit by Cyber-Attacks: Report
According to the study, which was conducted by Dimensional Research in November 2015, 82 percent of oil and gas industry respondents said their organizations registered an increase in successful cyber-attacks over the past 12 months. Moreover, 53 percent of the respondents said that the rate of cyber-attacks has increased between 50 and 100 percent over the past month.
The report also reveals that 69 percent of respondents said they were “not confident” in their organizations’ ability to detect all cyber-attacks.

Sad to see that this still happens. Does no one know how the technology they use every day works?
Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:
A PDF posted by this organization contained information that was obfuscated by blocks, but it was a layered image, so if you edit the document the blocks can be removed and the original content is then visible.
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to this site to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.
That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:
  • Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
  • Software that has proper redacting capability was being supplied to users; and
  • Staff training was introduced to ensure that no lapses will occur in the future.
DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.
And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.
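The failure described above (content painted over rather than removed) can be checked for before a PDF is published. The following is an added example, not Jigsaw's or DHRM's tooling; it covers the common variant where a text object sits under a filled rectangle in the page content stream, and it builds its own constructed PDF (with a placeholder SSN) so it runs offline.

```python
import re
import zlib

# Constructed content stream (not one of the DHRM documents): two text lines are
# drawn, then a black rectangle is painted over the second. Visually the SSN is
# hidden, but the text operator is still present in the stream.
CONTENT = (b"BT /F1 12 Tf 72 700 Td (Name: J. Doe) Tj ET\n"
           b"BT /F1 12 Tf 72 680 Td (SSN: 000-00-0000) Tj ET\n"   # placeholder value
           b"0 0 0 rg 70 676 120 16 re f\n")

def make_pdf(content, compress=False):
    """Wrap a content stream in a minimal PDF skeleton (constructed test input)."""
    data = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n4 0 obj\n<< /Length " + str(len(data)).encode() + filt +
            b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
OP_RE = re.compile(
    rb"\((?P<tj>[^)]*)\)\s*Tj"                                      # show text
    rb"|(?P<tx>-?[\d.]+)\s+(?P<ty>-?[\d.]+)\s+Td"                   # move text origin
    rb"|(?P<rx>-?[\d.]+)\s+(?P<ry>-?[\d.]+)\s+(?P<rw>-?[\d.]+)\s+(?P<rh>-?[\d.]+)"
    rb"\s+re\s+[fFbB]\*?")                                          # filled rectangle

def content_streams(pdf):
    """Yield decoded stream bodies; Flate-compressed streams are inflated."""
    for sdict, data in STREAM_RE.findall(pdf):
        yield zlib.decompress(data) if b"/FlateDecode" in sdict else data

def text_under_fills(stream):
    """Return text strings whose origin lies inside a rectangle filled later in
    the stream (later painting covers earlier). Simplifications: Td is read as
    an absolute position and only literal-string Tj operands are handled."""
    x = y = 0.0
    shown, hits = [], []
    for m in OP_RE.finditer(stream):
        if m.group("tx") is not None:
            x, y = float(m.group("tx")), float(m.group("ty"))
        elif m.group("tj") is not None:
            shown.append((m.group("tj"), x, y))
        else:
            rx, ry, rw, rh = (float(m.group(k)) for k in ("rx", "ry", "rw", "rh"))
            hits += [t for t, tx, ty in shown
                     if rx <= tx <= rx + rw and ry <= ty <= ry + rh and t not in hits]
    return hits

def audit_redaction(pdf):
    """List text that was painted over instead of removed, across all streams."""
    return [t.decode("latin-1") for s in content_streams(pdf) for t in text_under_fills(s)]
```

Running `audit_redaction(make_pdf(CONTENT))` reports the covered SSN line; a proper redaction tool produces an empty list because the text object itself is gone. Real documents also need image XObjects and `Tm`/`TJ` operators handled, which this sketch leaves out.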

“We gonna protect everything, except for almost everything.”
Bill Fitzgerald (@FunnyMonkey) writes:
… As described in this FERPA directory information model form, “Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.”
The list of information included as part of directory information – or “information that is generally not considered harmful or an invasion of privacy if released” – is pretty complete:
  • Student’s name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
  • A student ID number or other unique personal identifier that is displayed on a student ID badge
If this information was compromised as part of a data breach, it would be considered substantial – yet, this information about children can be shared without parental consent, for their entire K12 experience.
Read more on his blog.
Note that if these data are breached and the student ID is not the SSN, then many states would not even require breach notification under their statutes. And we know that the U.S. Education Dept. has never withheld federal funds from any K-12 institution over a breach.
Consequences for breaches at the post-secondary level can be more costly for universities and colleges who may find themselves sued (generally unsuccessfully), but again, federal enforcement is lacking: USED does nothing and FTC has no authority other than enforcing the Safeguards Rule if financial information is involved – an authority it seemingly declined to use in the case of the massive MCCCD breach that I reported on
If student privacy is to be truly protected, it’s time to revise FERPA to make sharing of “directory” information opt-in, not opt-out. And it’s time to recognize that Google is not a school official – it’s a vendor that is not in business to be charitable. There is no such thing as a free lunch when it comes to student data and tech.

Does Facebook have to drop the people who signed up because of this? Being aggressive had benefits that this court can't reverse.
Harro ten Wolde reports:
Germany’s highest court has declared unlawful a feature that encourages Facebook users to market the social media network to their contacts, confirming the rulings of two lower courts.
A panel of the Federal Court of Justice ruled that Facebook’s “friend finder” promotional feature constituted advertising harassment in a case that was filed in 2010 by the Federation of German Consumer Organisations (VZBV).
Read more on Reuters.

My tax dollars at work? Guideline promising more guidelines?
Overnight tech: Feds look to boost self-driving cars
Transportation Secretary Anthony Foxx was in Detroit on Thursday to announce that the administration will request close to $4 billion over ten years to "accelerate the development and adoption of safe vehicle automation through real-world pilot projects." The testing would take place in certain areas of the country, according to a release, and the program would "work with industry leaders to ensure a common multistate framework for connected and autonomous vehicles."
… The National Highway Traffic Safety Administration also rolled out new policy guidance on autonomous vehicles, which included a commitment to produce policy guidelines within six months for states grappling with how to regulate self-driving cars.
… California's Department of Motor Vehicles recently released draft regulations that would require a licensed human driver behind the wheel of every autonomous vehicle.

Might be useful for Data Mining and Analytics.
Yahoo Releases Largest Cache of Internet Data
… On Thursday, the embattled Internet company said it would release the largest cache of Internet behavior data—the clicks, hovers and scrolls of some 20 million anonymous users on Yahoo’s sports, finance, news, real estate and other pages. The trove, which will be available only to universities, is expected to give researchers a rare, real-world look at how large numbers of people behave online.
… The Yahoo data set weighs in at 13.5 terabytes, about two-thirds the size of the Library of Congress.
That is larger than anything available to the vast majority of academic computer scientists, and so big that it likely will have to be stored outside a university system, possibly in a cloud computing center run by Inc. or Alphabet Inc.’s Google, said Carnegie’s Moore, a former Google executive.

Jordan Pearson reports:
Yahoo Labs, the research wing of Yahoo, just released what the company is calling the “largest ever” machine learning dataset for artificial intelligence researchers to use in their work, for free. For example, to create a Facebook-like recommendation algorithm.
In doing so, Yahoo also released information that could potentially be used by researchers who download the database—and anyone they share it with—to identify Yahoo customers.
The behemoth dataset consists of 13.5 terabytes of user interactions with news items from some 20 million users, which the company says have been “anonymized.” While there are no names attached to the data, seven million users in the database also had information about their age, gender, the city they were in when they accessed the page, whether they used a mobile device or a desktop, and a timestamp of when they accessed the news item, included in the dataset.
Read more on Motherboard.
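A check a release team can run before publishing such a dataset, as an added example on constructed rows (not Yahoo's data or its anonymization method): it measures how many rows are singled out by the attribute combination the article lists, first with exact values and then with simple generalization (the age-band and hour-bucket rules are assumed for the example).

```python
from collections import Counter

# Constructed sample rows (not Yahoo's data) carrying the attribute types the
# article lists: age, gender, city, device, and the timestamp of the access.
ROWS = [
    {"age": 34, "gender": "F", "city": "Chicago", "device": "mobile",  "ts": "2015-11-02T08:14:03"},
    {"age": 36, "gender": "F", "city": "Chicago", "device": "mobile",  "ts": "2015-11-02T08:15:41"},
    {"age": 31, "gender": "F", "city": "Chicago", "device": "desktop", "ts": "2015-11-02T19:02:10"},
    {"age": 52, "gender": "M", "city": "Denver",  "device": "desktop", "ts": "2015-11-03T07:45:00"},
    {"age": 55, "gender": "M", "city": "Denver",  "device": "desktop", "ts": "2015-11-03T07:46:12"},
    {"age": 29, "gender": "M", "city": "Denver",  "device": "mobile",  "ts": "2015-11-03T22:30:55"},
]

# Generalization rules assumed for this example; fields not listed stay exact.
GENERALIZE = {
    "age": lambda v: f"{v // 10 * 10}s",   # 34 -> "30s"
    "ts":  lambda v: v[:13],               # keep date and hour only
}

def key(row, fields, coarse):
    """Quasi-identifier tuple for one row, optionally coarsened."""
    return tuple(GENERALIZE.get(f, lambda v: v)(row[f]) if coarse else row[f] for f in fields)

def group_sizes(rows, fields, coarse=False):
    """Size of each equivalence class (rows sharing the same quasi-identifiers)."""
    return Counter(key(r, fields, coarse) for r in rows)

def min_k(rows, fields, coarse=False):
    """Smallest class size: the k-anonymity level the release actually achieves."""
    return min(group_sizes(rows, fields, coarse).values())

def singled_out(rows, fields, coarse=False):
    """Fraction of rows that are alone in their class, i.e. re-identifiable by
    anyone who already knows those attributes about a person."""
    sizes = group_sizes(rows, fields, coarse)
    return sum(1 for r in rows if sizes[key(r, fields, coarse)] == 1) / len(rows)
```

With the exact timestamp kept, every row in the sample is singled out; banding age and bucketing time to the hour still leaves a third of them unique, which is the kind of number a release decision should be made on.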

“Bragging for Budget?” Politics as usual.
January Terror Threat Snapshot: 21 ISIS-linked Plots in the US
… The report also mentions 139 terrorist cases involving homegrown Islamist extremists since 9/11, along with a running tally of ISIS supporters arrested in the U.S. to date: 79 people.

How does this relate to the profit made selling toxic mortgages? Did everyone return their commissions and bonuses?
Goldman Sachs Reaches $5.1 Bln Settlement Over Mortgage-Backed Securities
The Goldman Sachs Group Inc. (GS) said Thursday that it agreed to a $5.1 billion settlement to resolve U.S. and state claims related to securitization, underwriting and sale of residential mortgage-backed securities from 2005 to 2007. The agreement in principle will reduce earnings for the fourth quarter of 2015 by about $1.5 billion on an after-tax basis.
… As per the terms of the agreement in principle, the firm will pay a $2.385 billion civil monetary penalty, make $875 million in cash payments and provide $1.8 billion in consumer relief. [Leaving 400 million for the lawyers? Bob]

A significant economic development? Certainly an opportunity, if we can learn from Bitcoin's failures.
The resolution of the Bitcoin experiment
I’ve spent more than 5 years being a Bitcoin developer. The software I’ve written has been used by millions of users, hundreds of developers, and the talks I’ve given have led directly to the creation of several startups. I’ve talked about Bitcoin on Sky TV and BBC News. I have been repeatedly cited by the Economist as a Bitcoin expert and prominent developer. I have explained Bitcoin to the SEC, to bankers and to ordinary people I met at cafes.
From the start, I’ve always said the same thing: Bitcoin is an experiment and like all experiments, it can fail. So don’t invest what you can’t afford to lose. I’ve said this in interviews, on stage at conferences, and over email. So have other well known developers like Gavin Andresen and Jeff Garzik.
But despite knowing that Bitcoin could fail all along, the now inescapable conclusion that it has failed still saddens me greatly. The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards. I will no longer be taking part in Bitcoin development and have sold all my coins.

“There's an App (or website or social network or ...) for every purpose under heaven.” (apologies to Pete Seeger)
How Big Is Twitch? You Won’t Believe These Stats & Facts
There’s a video service on the Internet that’s pretty popular called Twitch. Even if you’ve never played a video game in your life, you’ve probably heard of it.
But just how big is Twitch? How much time do people spend watching others play video games? You seriously won’t believe some of these facts about just how popular it is:
  • Twitch has over 100 million unique users. That’s not 100 million page views, which would be impressive for most websites, but the actual number of people who come to the site every month.
  • The average Twitch user watches 1 hour and 46 minutes of video per day.
  • In total, users watch 16 billion minutes of content on the service each month.
  • It’s not just viewers, as 1.7 million people actually broadcast themselves playing games on Twitch.
  • Of those, more than 12,000 of them are partners, meaning they get paid to stream!

As I read it, there are only three or four skills that aren't completely “techie.”
LinkedIn's Top 25 Most In-Demand Career Skills
