Jeff John Roberts reports:
Home Depot has taken another step to move on from its colossal 2014 data breach, which involved hackers stealing email or credit card information from more than 50 million customers by infiltrating self check-out terminals.
In a new settlement with dozens of banks, the retailer has agreed to pay $25 million for damages they incurred as a result of the breach, one of the biggest in history.
The settlement, filed this week in federal court in Atlanta, also requires Home Depot to tighten its cyber-security practices and to subject its vendors to more scrutiny—a measure tied to the fact that a security flaw by a third-party payment processor made the hacked self-checkout terminals vulnerable.
Read more on Fortune.
It’s hard to convince my Computer Security students that studies like this are correct.
Study: Healthcare Organizations Are Top Targets for Hackers – 68% Have Compromised Email Credentials
Presser, but has some interesting findings:
Evolve IP, The Cloud Services Company™, today released the results of a study of Dark Web email vulnerabilities in the healthcare industry. The research, conducted in a collaboration between Evolve IP and ID Agent, reveals the pervasive nature of email-based cybersecurity attacks and sheds light on the quantity, variety, sources and consistent growth of these threats.
Healthcare IT leaders place a high priority on preventing breaches, but despite their best efforts, hackers often break through the organization’s weakest link – end user email credentials. The study, which included an analysis of 1,000 healthcare organizations, illustrates the need for proactive threat monitoring coupled with near real-time disaster recovery solutions to prevent employee email liabilities from becoming major catastrophes.
- 68 percent of the healthcare organizations analyzed have compromised email credentials as identified by ID Agent’s Dark Web ID analysis. Nearly 80 percent of the positive data set includes actionable password information, simplifying hackers’ efforts to infiltrate the network.
- An estimated 7,500 individual incidents occurred across the study where healthcare companies had email credentials compromised due to phishing or key logging attacks. Any one of these vulnerabilities could rapidly escalate to ransomware, denial of service attacks or PHI breaches across an entire enterprise.
- 23% of the passwords stolen were available for sale or trade on the Dark Web as unencrypted, clearly visible text. While the remainder of passwords were encrypted, the level of encryption used presents no real hurdle to professional hackers that want to crack them. [See Comey article, below. Bob]
Would my Security students fix this or eliminate it entirely?
Over on TechDirt, Mike Masnick writes:
For years we’ve pointed out the sheer insanity of the TSA’s security theater, which is intrusive, insulting and does little to actually make us any safer. One aspect (of many) that has been particularly troubling is the way that the TSA has basically enabled sexual assault of travelers. If you felt that wasn’t too bad, have no fear, the TSA is apparently increasing the sexual assaulty nature of these searches:
The new physical touching—for those selected to have a pat-down—will be what the federal agency officially describes as a more “comprehensive” physical screening, according to a Transportation Security Administration spokesman.
Denver International Airport, for example, notified employees and flight crews on Thursday that the “more rigorous” searches “will be more thorough and may involve an officer making more intimate contact than before.”
This is madness. The answer to the TSA’s awful and useless security theater should never be to give TSA agents more power to sexually assault travelers with “more intimate contact.” This is not about security. This is about the TSA wanting to make it look like they’re doing something, and apparently that includes groping strangers who are just trying to get somewhere. How the hell does sexually assaulting travelers make anyone any safer?
Scott Greenfield adds a few choice words of his own:
Remember when they told us that the full body scanners would keep us safer and diminish the need for intrusive pat-downs? So now they have BOTH, and the public will go along with this like sheeple. Again.
Between this and the CIA hacking tools leak with FBI director Comey telling everyone, “There is no such thing as absolute privacy in America,” I fear some Americans are first waking up to what some of us have been yelling from the rooftops for years as we headed towards a dystopian society. Frighteningly, some still may not have woken up.
… Reagan’s nine most terrifying words in the English language, ‘I’m from the government and I’m here to help,’ should be replaced with, “I’m from TSA and I’m here to grope you.”
I wonder how many law firms have had a Computer Security audit?
Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site. At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security. There was no allegation of any actual breach – the suit was over inadequate data security.
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.
To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure. (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)
The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.” Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis. The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis. The court agreed.
Read more on Patterson Belknap Data Security Law Blog.
I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file. He replied:
We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities. Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it. The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause. Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).
The Court agreed with them and we are going to appeal that decision. However, regardless of whether this can be brought as a class action, we will still pursue the suit. The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.
In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s. Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.
So stay tuned, I guess. I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.
Propaganda 101: Make it sound like you are being picked upon. The Evil US is doing something to poor, innocent, helpless China that no other country would ever do to another.
China to US: Stop hacking us
China asked the U.S. government on Thursday to stop spying on and hacking other countries, after WikiLeaks revealed data showing that the CIA can hack a range of devices, including some manufactured in China.
Also Propaganda-like. Wasn’t the “bargain” that there was a “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures?” Are warrants no longer adequate because of encryption?
Comey: Strong encryption “shatters” privacy-security bargain
FBI Director James Comey told a Boston audience this morning that “ubiquitous strong encryption” – the kind now available on most smartphones and other digital devices – is threatening to undermine the “bargain” that he said has balanced privacy and security in the US since its founding.
Actually, he went further, declaring that such default encryption “shatters” the bargain.
… “Last fall we received 2,800 devices that we had lawful authority to open. And there were 1,200 we couldn’t open with any technology tool. These were devices recovered in criminal, gang, terror and pedophile investigations.”
… But he said with probable cause and a warrant approved by a court, “government can invade – that’s the bargain. If government has probable cause, it can search and seize – take whatever the judge said it could. Even our memories aren’t totally private. The general principle is that there is no such thing as absolute privacy.”
(Related) Perhaps Comey could hire the Dutch if the FBI is not competent?
DutchNews.nl reports:
Dutch detectives have gained access to 3.6 million encrypted emails sent by criminal gangs which will be used in dozens of prosecutions, the public prosecution department said on Thursday. The information in the mails will provide evidence for criminal cases, including murder, armed robbery, drugs, money laundering and other forms of organised crime, the department said in a statement.
The messages were found on servers in Canada belonging to a Dutch company called Ennetcom. Last year, the public prosecution department won the right to have the Ennetcom servers copied and the seven terabytes of information sent to the Netherlands for investigation.
Read more at DutchNews.nl.
Update: Read about how they were able to decrypt the messages on HackRead.
Strange how often my class discussions revolve around failures.
Lessons from Mismanaged Crises at Yahoo, Cuisinart and Wells Fargo
… Contrast the above companies’ performance with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a paradigm of successful crisis management. However, today even its response probably would be regarded as a failure. The company took three days to decide how to respond. In our internet age with its 24/7 news cycle, a company does not have three days to react; it may not have even three hours. Advance planning is critical.
(Related) Bias is programmed failure. Diversity is a solution.
How I'm fighting bias in algorithms
MIT grad student Joy Buolamwini was working with facial recognition software when she noticed a problem: the software didn't recognize her face — because the people who coded the algorithm hadn't taught it to identify a broad range of skin tones and facial structures. Now she's on a mission to fight bias in machine learning, a phenomenon she calls the "coded gaze." It's an eye-opening talk about the need for accountability in coding ... as algorithms take over more and more aspects of our lives.
We’re going to need to understand this technology and the laws governing it. This will be very difficult or impossible to replicate manually.
Mapping the Global Legal Landscape of Blockchain Technologies
by Sabrina I. Pacifici on Mar 9, 2017
Maupin, Julie A., Mapping the Global Legal Landscape of Blockchain Technologies (February 14, 2017). Available at SSRN: https://ssrn.com/abstract=2930077
“Blockchain technologies are beginning to push a broad array of global economic activities away from centralized and toward decentralized market structures. Governments should tackle the new regulatory conundrums of an increasingly disintermediated global economy by focusing on blockchain’s individual use cases rather than its underlying enabling technologies. Grouping the known use cases around common characteristics reveals three broad categories of blockchain/law interfaces: the green box, the dark box, and the sandbox. Each raises distinctive legal, regulatory and policy challenges deserving of separate analysis.”
Disruption. Clearly Staples et al. could put up an online store. Does this actually indicate that shoppers always start their buying search at Amazon? (Only going to other sites if they don’t find what they want?)
Staples and Office Depot Are Being Ripped to Shreds by Amazon and the Internet
Persistently plunging sales, weak profits and more store closures have become the new normal for office supplies retailers Staples and Office Depot as they battle online foes such as Amazon.
My latest ‘get rich quick’ scheme: Print up fancy labels you can slap on your bottle to make tap water look exotic. For example, “Water from some glacier in the Himalayas.”
Americans drank more bottled water than soda in 2016