Wednesday, May 24, 2017

It takes a while to settle these things. 
Target, states reach $18.5 million settlement on data breach
Target Corp. has reached an $18.5 million settlement over a massive data breach that occurred before Christmas in 2013, New York's attorney general announced Tuesday.
The agreement involving 47 states and the District of Columbia is the largest multistate data breach settlement to date, Attorney General Eric T. Schneiderman's office said.  The settlement, which stipulates some security measures the retailer must adhere to, resolves the states' probe into the breach.
Target had announced the breach on Dec. 19, 2013, saying it occurred between Nov. 27 and Dec. 15 of that year.  It affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.
The settlement requires Target to maintain appropriate encryption policies and take other security steps, though the company has already implemented those measures.

For my Computer Security students. 
CEOs and Coffee Shops Are Mobile Computing's Biggest Risks: Report
The balance between encouraging mobility for business purposes and controlling it for security remains as tricky today as ever.  Ninety-three percent of organizations are now somewhat or very concerned that the mobile workforce is presenting an increasing number of security challenges.  Of these, 47% are 'very concerned', a figure that has grown from 36% a year ago.
These figures come from the iPass 2017 Mobile Security Report (PDF), published today.  iPass is a global provider of always-on, secure Wi-Fi; with more than 60 million hotspots in more than 120 countries.

Something my students and I will explore.
Flashpoint Enhances Risk Intelligence Platform
Just as global intelligence firm Stratfor extracts and presents geopolitical intelligence from the noise of available information, so now does Flashpoint extract cyber business risk intelligence (BRI) from the noise of deep and dark web conversations.
That process has now come to fruition with today's launch of the Flashpoint Intelligence Platform 3.0.  It aims to convert and present the raw intelligence gleaned from the deep and dark web as actionable business risk intelligence that will help customers take a more strategic role in security planning.

A very long and very damning illustration of failure at HHS.  So why is the government spending my tax dollars?  Perhaps even they do not know.   
I was excited back in 2010 when HHS started posting breaches on what some would call the “wall of shame.”  I knew that we’d only learn about breaches involving HIPAA-covered entities, but at least we were finally starting to get some actual data.  Now, more than 6 years later, it’s become clear to me that it’s probably best to just call time of death on the breach tool, despite its popularity with marketers who look for numbers to support their sales pitches.
In this post, I review some of what we are not seeing on HHS’s breach tool, and why it’s really not a source of accurate or helpful information for those who want to understand breaches and incidents involving health or medical data.

It sure looks like blackmail…  The “Program” consists of an App and some hardware. 
Joe Cadillic writes:
Since 2016, New York motorists are being forced asked to let the police spy on their cellphones for a minimum of 90 days.
In Nassau County, motorists are asked, wink, wink, to pay hundreds of dollars to enter the Distracted Driver Education Program (DDEP).  The Feds claim to offer motorists a choice: either dispute the texting while driving ticket in court, accept a 5 point moving violation or enter the DDEP.
Before a motorist can enter the DDEP they have to pay a distracted driving citation, which can be anywhere between $50 and $400, and have to pay an installation fee of $125.00 for the in-car device.
Read more on MassPrivateI.
[From the article:
"A device called DriveID is installed in the motorist’s primary vehicle and an app is installed on the motorist’s phone.  The app receives information from the device which causes the keyboard of the phone to deactivate and the screen to be blocked.  The motorist is broken of the habit of reaching for the device.  However, voice commands are not disabled, so the motorist can still use apps like “Hey Siri”, which don’t require the user to touch or even look at their device, to control their device legally while driving."]

We can, therefore we must!
Helen Christophi reports:
Even trains are spying on us now, a woman claims in a federal class action accusing the Bay Area Rapid Transit District of tracking passengers’ movements by duping them into downloading a seemingly benign crime-reporting app.
Pamela Moreno claimed Monday that BART collects personal information from riders’ cellphones and tracks their location through its BART Watch app, without consent.
Read more on Courthouse News.

Perhaps the “administration” should actually walk around their school?  What else have they missed? 
CTV reports:
The Simcoe County District School Board is warning students and parents of a possible privacy breach after discovering surveillance cameras were secretly installed in some of the music classrooms at Collingwood Collegiate Institute.
The discovery was made late last year and the board has been investigating the matter with Collingwood OPP and the Information and Privacy Commissioner of Ontario (IPC).
All of the monitoring equipment was removed by school board staff after being discovered and is now secured at the board office.
An internal investigation determined the surveillance cameras were installed approximately five years ago by two staff members to address issues of alleged instrument theft.  The school’s administration was unaware that the equipment was installed or in place during the five year period, the board said.
Read more on CTV.

So, they could clone you?
Joel Winston writes:
Don’t use the AncestryDNA testing service without actually reading the Terms of Service and Privacy Policy.  According to these legal contracts, you still own your DNA, but so does
The family history website is selling a new DNA testing service called AncestryDNA.  But the DNA and genetic data that collects may be used against “you or a genetic relative.”  According to its privacy policies, takes ownership of your DNA forever.  Your ownership of your DNA, on the other hand, is limited in years.
It seems obvious that customers agree to this arrangement, since all of them must “click here to agree” to these terms.  But, how many people really read those contracts before clicking to agree?  And how many relatives of customers are also reading?

And so it goes…
Appeals court decision keeps lawsuit against NSA surveillance alive
A federal appeals court on Tuesday reversed a lower court’s decision to dismiss Wikimedia’s lawsuit challenging the National Security Agency’s (NSA) mass interception of Americans’ international digital communications.
The lower court had ruled in 2015 that the case, filed by the American Civil Liberties Union (ACLU) on behalf of the Wikimedia Foundation, The Nation magazine, Amnesty International USA, Human Rights Watch and other groups, failed to demonstrate that their communications were being monitored by the NSA.
A panel of three judges on the 4th Circuit Court of Appeals unanimously disagreed with this on Tuesday, allowing Wikimedia to continue its lawsuit.

Google gets “anonymized” data and immediately matches it to your online identity?  They get “encrypted” data and can tell who you are and what you purchased?  I don’t think the authors of these articles knew much about their topic.   
Google’s New Feature Can Match Ad Clicks With In-Store Purchases
A new feature, born out of partnerships between Google and credit and debit card companies, links in-store purchases to your online identity, CNN reports.  That means Google could tell whether you clicked an online ad before buying the product in a shop later.
Companies that Google partners with reportedly account for 70% of all credit and debit card purchases in the U.S.  According to CNN, credit and debit card companies will send Google encrypted information about store purchases, which can then be compared to collective online profiles of users who clicked on corresponding ads.
Google said that encryption means it cannot see identifiable payment information such as the customer's name or what they bought.  The tool also doesn't work for cash payments.

This columnist makes an interesting point.
Mark Fields’ abrupt removal from Ford should come as something of a warning to other traditional automakers, especially ones whose shareholders demand answers as to why they aren’t valued as highly as Tesla: profits aren’t enough anymore.  Record sales aren’t enough anymore.  Making the goddamn F-150, which will always sell in huge volumes even in the event of the apocalypse, somehow isn’t enough.
Fields wasn’t perfect but he was far from being a bad CEO, and right now it’s all about “mobility” and “technology” for Wall Street—even though no one really has a clear view of what that means or how to make it profitable.

Researching the Twits?
Twitter as a data source: An overview of tools for journalists
by Sabrina I. Pacifici on May 23, 2017
Data Driven Journalism: “Journalists may wish to use data from social media platforms in order to provide greater insight and context to a news story.  For example, journalists may wish to examine the contagion of hashtags and whether they are capable of achieving political or social change.  Moreover, newsrooms may also wish to tap into social media posts during unfolding crisis events.  For example, to find out who tweeted about a crisis event first, and to empirically examine the impact of social media.  Furthermore, Twitter users and accounts such as WikiLeaks may operate outside the constraints of traditional journalism, and therefore it becomes important to have tools and mechanisms in place in order to examine these kinds of influential users.  For example, it was found that those who were backing Marine Le Pen on Twitter could have been users who had an affinity to Donald Trump.  There remain a number of different methods for analysing social media data.  Take text analytics, for example, which can include using sentiment analysis to place bulk social media posts into categories of a particular feeling, such as positive, negative, or neutral.  Or machine learning, which can automatically assign social media posts to a number of different topics…”

A place for my students to share their skills? 
IFTTT now lets any developer build and publish applets for others to use
IFTTT, the platform that allows users to create customized, conditional interactions between apps, online services, digital assistants, and devices, has announced that it’s opening its platform to individual developers, allowing them to build and publish their own applets for others to use.
From today, IFTTT is making this available to individual developers too, via a free “maker” tier that lets anyone build and publish applets.
It’s worth noting here that up until now, anyone has been able to build applets that work with two IFTTT services for personal use.  But with this new offering they can publish their applets for others to use, and showcase everything on a dedicated maker profile page.
Additionally, they can create applets that work on any connected device, regardless of whether they own one of these devices themselves.  And above all else, makers can now build applets with multiple actions, as partner companies have been able to do since last year.
In a way, this launch is a little like smartphone app stores allowing any developer to build and create apps.  It enables IoT companies to tap a gargantuan developer pool, with some potentially interesting connected device and service integrations coming to the fore.  By opening to individuals, developers could have their applets picked up and featured by some big name partner companies, including Domino’s or Adobe.
