Friday, March 17, 2017

Just when you thought the risks of social media were limited to a few million dollars, now you have to worry about the 82nd Airborne dropping in.  Or, you could shout “fake news!”  (If this was a real hack, we really, really need to know how it happened.)
McDonald's tweets to Trump: 'You are actually a disgusting excuse of a President'
"@realDonaldTrump You are actually a disgusting excuse of a President and we would love to have @BarackObama back, also you have tiny hands," the tweet read.
McDonald's later said in a statement that the account was hacked and apologized.
"Based on our investigation, we have determined that our Twitter account was hacked by an external source.  We took swift action to secure it, and we apologize this tweet was sent through our corporate McDonald’s account," spokeswoman Terri Hickey said.

It “only” took them a couple of years to discover this? 
And this, kids, is why you need to monitor employee access to patient records and audit over longer periods.
Kyle Spurr reports:
A caregiver at St. Charles Health System accessed nearly 2,500 patients’ electronic medical records without authorization from the hospital.
The caregiver told the hospital she viewed the files out of curiosity.  Her actions are not considered criminal.  She signed an affidavit stating she never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records she viewed.
On Jan. 16, the hospital launched an investigation and audit of all of the patient files accessed by the caregiver.  The audit found between Oct. 8, 2014 and Jan. 16, the caregiver may have reviewed as many as 2,459 files containing patients’ names, addresses, dates of birth, health insurance information, driver’s license numbers and health information such as diagnoses, physicians’ names, medications and treatment information.
Read more on Bend Bulletin.
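The point about auditing over longer periods is easy to show in code. The script below is an added example, not anything from the Bend Bulletin story or St. Charles Health System: it builds a constructed EHR access log in which one user opens only three new charts a day (invisible to a per-day threshold) and then counts distinct patient charts per user over a configurable window, flagging anyone far above the median for their role. All user names, roles, patient IDs and thresholds are invented for the demonstration.

```python
"""Added example: long-window auditing of EHR chart access.
Constructed data only; no real patients, users or hospital systems."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

START = date(2017, 1, 1)  # arbitrary start date for the constructed log


def build_sample_log(days=120):
    """Return constructed (day, user, role, patient_id) records.

    nurse_a/b/c re-open the same panel of 8 assigned patients every day.
    nurse_d opens 3 *new* charts every day: unremarkable per day, large over months.
    """
    log = []
    for d in range(days):
        day = START + timedelta(days=d)
        for n, letter in enumerate("abc"):
            for p in range(8):
                log.append((day, f"nurse_{letter}", "nurse", f"P{n * 8 + p:04d}"))
        for k in range(3):
            log.append((day, "nurse_d", "nurse", f"P{1000 + d * 3 + k:04d}"))
    return log


def distinct_patients(log, window_days, end=None):
    """Map user -> (role, number of distinct charts opened in the last window_days days)."""
    end = end or max(rec[0] for rec in log)
    start = end - timedelta(days=window_days - 1)
    seen = defaultdict(set)
    roles = {}
    for day, user, role, pid in log:
        if start <= day <= end:
            seen[user].add(pid)
            roles[user] = role
    return {user: (roles[user], len(pids)) for user, pids in seen.items()}


def flag_outliers(log, window_days, factor=4.0, minimum=20):
    """Flag users whose distinct-chart count over the window exceeds `factor` times
    the median for their role and an absolute floor of `minimum` charts.
    Returns the sorted list of flagged user names."""
    counts = distinct_patients(log, window_days)
    by_role = defaultdict(list)
    for role, n in counts.values():
        by_role[role].append(n)
    flagged = []
    for user, (role, n) in counts.items():
        if n >= minimum and n > factor * median(by_role[role]):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    log = build_sample_log()
    for window in (1, 30, 90):
        print(f"{window:3d}-day window: flagged {flag_outliers(log, window)}")
```

With a one-day window nothing is flagged, because three charts a day looks like less work than the assigned panel; the same user stands out immediately once the window covers weeks. A real deployment would also record the reason each chart was opened (treatment relationship, billing, referral) so that reviewers can separate curiosity browsing from legitimate high-volume roles.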

(Related).  A different approach in Canada.  
John Chippa reports:
A Justice of the Peace in Goderich has handed down the stiffest fine to date in Canada for a health privacy breach.
A university student who was on an educational placement with the family health team in Central Huron has been ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without authorization.
The student pled guilty to willfully accessing the personal health information of five individuals.
As part of her plea, she agreed that she accessed the personal health information of 139 individuals without authorization between September 9th, 2014 and March 5th, 2015.
Read more on Blackburn News.
A $25,000 fine is the biggest fine to date in Canada for a health privacy breach?  Wow.

For my Ethical Hacking students. 
Advanced Persistent "Bad Bots" are Rampant
In 2016, 40% of all web traffic originated from bots -- and half of that came from bad bots.  A bot is simply a software application that runs automated tasks over the internet.  Good bots are beneficial.  They index web pages for the search engines, can be used to monitor web site health and can perform vulnerability scanning.  Bad bots do bad things: they are used for content scraping, comment spamming, click fraud, DDoS attacks and more.  And they are everywhere.
Findings from Distil's 2017 Bad Bot Report (PDF) released Thursday show that the problem is rising again after a brief improvement in 2015.
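To make the good-bot/bad-bot distinction concrete for the students, here is an added example (my own illustration, not code from the Distil report) that profiles clients in constructed Apache combined-format access log lines. It separates a person (browses slowly, fetches the page's CSS/JS, carries a referer), a self-declared crawler that reads /robots.txt first, and a scraper that claims a browser user agent but pulls hundreds of product pages in a minute without ever loading an asset. IPs, hostnames, paths and the ExampleCrawler user agent are all made up.

```python
"""Added example: heuristic bot profiling over constructed web server logs.
Nothing here is drawn from the Distil report; all log lines are generated below."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def _fmt(ip, ts, path, ref, ua):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 512 "{ref}" "{ua}"')


def build_sample_log():
    """Generate constructed traffic from three clients (documentation IP ranges)."""
    t0 = datetime(2017, 3, 17, 10, 0, 0, tzinfo=timezone.utc)
    browser_ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"
    lines = []
    # 1. A person: three pages a minute apart, each followed by its CSS and JS.
    prev = "-"
    for i, page in enumerate(["/", "/product/7", "/cart"]):
        t = t0 + timedelta(seconds=60 * i)
        lines.append(_fmt("203.0.113.10", t, page, prev, browser_ua))
        lines.append(_fmt("203.0.113.10", t + timedelta(seconds=1), "/static/site.css", page, browser_ua))
        lines.append(_fmt("203.0.113.10", t + timedelta(seconds=2), "/static/app.js", page, browser_ua))
        prev = "http://shop.example" + page
    # 2. A scraper: 200 product pages in under a minute, browser UA, no referer, no assets.
    for i in range(200):
        t = t0 + timedelta(milliseconds=300 * i)
        lines.append(_fmt("198.51.100.7", t, f"/product/{i + 1}", "-", browser_ua))
    # 3. A self-declared crawler: reads robots.txt, then crawls at a polite rate.
    crawler_ua = "ExampleCrawler/1.0 (+http://crawler.example/bot)"
    lines.append(_fmt("192.0.2.44", t0, "/robots.txt", "-", crawler_ua))
    for i in range(5):
        lines.append(_fmt("192.0.2.44", t0 + timedelta(seconds=10 * (i + 1)), f"/product/{i + 1}", "-", crawler_ua))
    return lines


def profile_clients(lines):
    """Per-IP features: request rate, whether assets/robots.txt were fetched, path diversity."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        profiles[ip] = {
            "ua": recs[0]["ua"],
            "rpm": len(recs) * 60.0 / max(span, 1.0),
            "assets": any(r["path"].endswith((".css", ".js", ".png")) for r in recs),
            "robots": any(r["path"] == "/robots.txt" for r in recs),
            "distinct_ratio": len({r["path"] for r in recs}) / len(recs),
        }
    return profiles


def classify(profile, rate_limit=60.0):
    """Label a client profile. Thresholds are illustrative, not tuned values."""
    ua = profile["ua"].lower()
    if any(tok in ua for tok in ("bot", "crawler", "spider")):
        # A user agent string is trivially spoofed; a real deployment would confirm
        # the declared identity (e.g. reverse DNS of the source) before trusting it.
        return "declared-bot" if profile["robots"] else "likely-bad-bot"
    if profile["rpm"] > rate_limit and not profile["assets"]:
        return "likely-bad-bot"
    return "probable-human"


def analyze(lines):
    return {ip: classify(p) for ip, p in profile_clients(lines).items()}


if __name__ == "__main__":
    for ip, label in analyze(build_sample_log()).items():
        print(f"{ip:15s} {label}")
```

The features are deliberately simple (rate, asset fetches, robots.txt, path diversity) so the students can see why each one matters; commercial bot mitigation layers on browser fingerprinting, JavaScript challenges and reputation data, but it starts from exactly these signals in the server logs.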

“Hey, somebody is guilty!”  Since they have the guy’s photo, perhaps an image search of Facebook would be a better method? 
Thomas Claburn reports:
A US judge has granted cops a search warrant to direct Google to provide personal details about anyone searching for a specific name in the town of Edina, Minnesota.
Tony Webster, who describes himself as a web engineer, public records researcher, and policy nerd, published a portion of the warrant out of concern that administrative subpoenas and search warrants are being used for what amounts to fishing expeditions.
Under the Fourth Amendment, searches and seizures must be reasonable and as such are generally limited in their scope, to balance privacy expectations.  At issue is whether a warrant for the Google account data of anyone searching for a given term is unconstitutionally broad.
Read more on The Register.
[From the article: 
According to the warrant, seen in full by The Register, the case involves bank fraud in which an unknown party used the victim's name to wire $28,500 from Spire Credit Union to Bank of America.  The credit union relied on a faxed copy of the victim's passport to verify the transaction, but the document was faked.
The search warrant, filed by Edina Police Detective David Lindman, says that when investigators searched Google Images for the victim's name, they found the photo used to make the fake passport – an image of someone who resembled the victim but was not the same person.  This led police to believe that the person responsible searched Google for the victim's name.]

Horsefeathers!  But, as long as the tools are available…
No One Wants the Internet of Things …
… Except Big Brother
The CIA wants to spy on you through your dishwasher and other “smart” appliances. Slate reported in 2012:
Watch out: the CIA may soon be spying on you—through your beloved, intelligent household appliances, according to Wired.
Read more on WashingtonsBlog.

“We’re the government.  Failure to follow the rules is normal!”
Three out of Five Federal Agencies Flout New FOIA Law
by Sabrina I. Pacifici on Mar 16, 2017
National Security Archive: “Three out of five of all federal agencies are flouting the new law that improved the Freedom of Information Act (FOIA) and required them to update their FOIA regulations, according to the new National Security Archive FOIA Audit released today to celebrate Sunshine Week.  The National Security Archive Audit found that only 38 out of 99 federal agencies have updated their FOIA regulations in compliance with the FOIA Improvement Act of 2016 that was passed with bipartisan, bicameral support.  The new law required agencies to update their FOIA regulations within 180 days of passage – that was June 30 so December 27, 2016 was the deadline.  Updated regulations were supposed to include the law’s new improvements, such as requiring agencies provide requesters with no less than 90 days to file an appeal, prohibiting agencies from charging “search or duplication fees when the agency fails to meet the notice requirements and time limits set by existing law,” and mandating agencies notify requesters of their right to seek assistance from either the agency’s FOIA Public Liaison or to seek dispute resolution services with the Office of Government Information Services (OGIS), the FOIA ombudsman…”

I wonder if J.K. Rowling owns the copyright on ‘Defense against the dark arts’?
Paper – Defense Against the Dark Arts of Copyright Trolling
by Sabrina I. Pacifici on Mar 16, 2017
Sag, Matthew and Haskell, Jake, Defense Against the Dark Arts of Copyright Trolling (March 14, 2017).  Available at SSRN:
“In this Article, we offer both a legal and a pragmatic framework for defending against copyright trolls.  Lawsuits alleging online copyright infringement by John Doe defendants have accounted for roughly half of all copyright cases filed in the United States over the past three years.  
   We also undertake a detailed analysis of the legal and factual underpinnings of these cases.  Despite their underlying weakness, plaintiffs have exploited information asymmetries, the high cost of federal court litigation, and the extravagant threat of statutory damages for copyright infringement to leverage settlements from the guilty and the innocent alike.  We analyze the weaknesses of the typical plaintiff’s case and integrate that analysis into a comprehensive strategy roadmap for defense lawyers and pro se defendants.  In short, as our title suggests, we provide a comprehensive and useful guide to the defense against the dark arts of copyright trolling.” 

Tread lightly, Google.  You don’t want to tell them that your Behavioral Advertising AI suggested this ad placement because people going to those sites respond best to (click on) the government ads. 
Google summoned to appear before the UK government to explain why ads keep appearing next to extremist YouTube videos
LONDON — Google has been summoned to appear in front of the UK government to explain why taxpayer-funded ads are appearing next to extremist content on YouTube, The Times reported.
The Times found government ads — and also those from the BBC, The Royal Air Force, and The Royal Navy — appearing next to videos from American white nationalist David Duke, a pastor who praised the killing of 49 people in an Orlando gay nightclub, and videos from Michael Savage, who the newspaper describes as a "homophobic shock-jock."
   The issue is not only the juxtaposition of government ads next to inappropriate content, but the fact that those ads are making money for the video creators.  The Times says a YouTube user earns $7.60 on average for every 1,000 times an ad is viewed.
On Thursday, the government suspended all of its YouTube advertising until Google can make assurances that ads from public-funded bodies would not appear in unsafe environments.

On the other hand, this one looks like a slam dunk for Google.
Someone Copied The Wrong Person On An Email, And It Just Might Destroy Uber
On Dec. 13, an employee at Waymo, a self-driving startup founded by Google, was accidentally copied on an email from one of its vendors.  Where was the email supposed to go?  Why, to Uber ― or, more specifically, to Uber’s newly acquired startup Otto.
Included in the email were schematics for a circuit board, one that looked remarkably similar to a board designed at considerable expense by Waymo.  Without that circuit board and the “LiDAR” (laser-based surveying) technology it made possible, neither Otto nor Waymo would be going on a self-driving jaunt any time soon.
   Levandowski abruptly resigned from Waymo in January 2016, then founded Otto and sold it to Uber for $680 million that summer.  (You can read a complete, surprisingly riveting timeline of the saga here, via the New Zealand tech blogger Daniel Compton.)
The vendor’s misaddressed email has spurred an investigation by Waymo into Levandowski’s activities.  Waymo declined to speak about the email or the ensuing investigation, instead directing The Huffington Post to a company blog post on the matter:

Some things are clearly inevitable.
Google Tests Waters of Voice Ads on Speaker
Google’s smart home speakers on Thursday played an unprompted promotion for Walt Disney Co.’s new “Beauty and the Beast” movie, the first sign of how the world’s largest advertising company could shoehorn ads into its growing number of voice interactions with users.
