Monday, September 11, 2017

If you collect everything that a hacker could possibly want into one, poorly protected database, you should expect hackers to try for it.
Shashank Shekhar reports:
Damning details related to Aadhaar card security have emerged after the Uttar Pradesh Special Task Force on Sunday arrested 10 members of a gang allegedly involved in issuing fake biometric cards. Investigators told Mail Today that the gang members had not only hacked the secure ‘source code’ to access the application but also cloned fingerprints of authorised issuing authorities by using gelatin gel, laser and silicon.
The exposure raises serious questions on the Centre’s efforts to link its various schemes, PAN, individual bank accounts and mobile numbers with Aadhaar card, hitherto considered foolproof.
Read more on India Today.
[From the article:
"The operators made copies of the login details used by valid enrolment centres, issued by UIDAI, the nodal authority mandated to issue the 12-digit unique number. They were also able to crack and replicate the application for the retinal scanning, an ocular-based biometric technology."
… Singh said the team was yet to ascertain the enormity of the operation as these members are believed to have shared or sold these codes to other centres as well.
… "These gang members may have got the access to that source code and tampered the biometric authentication like fingerprints and IRIS. So now, these illegal centres had software to login to Aadhaar sever without using any biometric details, which is worrisome," the web security expert added.

A most interesting email from the “IRS.” If this is real, it is very poorly done. Perhaps this is just the government being uniquely strange, but I can think of no legitimate reason to change a username. I’m waiting for email number two which will point me to a bogus IRS site.
“Due to system updates, the IRS has changed your username for IRS online services. No action is required on your part.”
One clue this is a phishing email:
“Your password has not changed.”
So I go to their site and enter a real password which they can then use to connect to my IRS account?

We will discuss this a lot in my Digital Forensics class.
From the law firm of Bryan Cave LLP:
A comprehensive analysis of class action lawsuits involving data security breaches filed in United States District Courts.
2016 was another year in which data breaches continued to dominate the headlines, a constant reminder to people that their personal information was vulnerable and the target of criminal attacks. Yet, despite the fact that data breaches do not appear to be going away anytime soon, the risk that a company will face litigation following a data breach remains relatively low year-after-year. The reason is likely tied to the difficulty plaintiffs continue to face establishing that they were injured by a breach and, therefore, have standing as a matter of law to bring suit.
Nonetheless, fear is a powerful marketing strategy, and we continue to see misinformation disseminated to the public about the likelihood of being sued after a data breach. This is not to say that companies should not continue to devote significant resources to breach preparation, information security, and breach response. But we are firm believers in allocating resources in proportion to the risk of harm, and litigation arising from a breach generally does not occur except in cases of public breaches involving large quantities of highly sensitive information.
Bryan Cave LLP began its survey of data breach class action litigation five years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning the risk associated with data breach litigation. Our annual survey continues to be the leading authority on data breach class action litigation and is widely cited throughout the data security community.
Our 2017 report covers federal class actions initiated over a 12 month period from January 1, 2016 to December 31, 2016 (the “Period”). Our key findings are:
  • Modest increase in filings. 76 class actions were filed during the Period. This represents a modest 7% increase in the quantity of cases filed as compared to the 2016 Data Breach Litigation Report (the “2016 Report”).
  • Continued “lightning rod” effect. Consistent with prior years, many of these lawsuits cluster around the same high-profile breaches. When multiple filings against single defendants are removed, there were only 27 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in previous reports, wherein plaintiffs’ attorneys file multiple cases against companies who had the largest and most publicized breaches, and generally bypass the vast majority of other companies that experience data breaches.
  • Decrease in filings as a function of the quantity of breaches. Approximately 3.3% of publicly reported data breaches led to class action litigation. Unlike in prior years, in which the percentage of class action lawsuits has remained relatively steady at 4 or 5% of publicly reported breaches, 2016 saw a slight decrease in litigation relative to the number of breaches.
  • Litigation forums cluster around location of defendants. The Northern District of California, the Middle District of Florida, and the District of Arizona were the most popular jurisdictions in which to bring suit in 2016. Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based.
  • Medical industry disproportionately targeted by the plaintiffs’ bar; but may still be underweighted. Like the previous year, the medical industry was disproportionately targeted by the plaintiffs’ bar. Although 70% of publicly reported breaches related to the medical industry, only 34% of data breach class actions targeted the medical industry or health insurance providers.
  • Credit card breach litigation is flat. The percentage of class actions involving the breach of credit cards stayed relatively constant as compared to the 2016 Report, with credit and debit cards data accounting for 21% of the type of data involved in data breach class actions in 2016, slightly down from 23% for the previous reporting period. This may reflect the lack of high profile credit card breaches as in past years, difficulties by plaintiffs’ attorneys proving economic harm following such breaches, and relatively small awards and settlements in previous credit card related litigation.
  • Plaintiffs continue to experiment with legal theories. Plaintiffs’ attorneys continue to allege multiple legal theories. Plaintiffs alleged a total of 21 legal theories during this period.
  • Negligence has emerged as the clear theory of preference. While negligence was the most popular legal theory in the 2016 (and 2015) Report, it has increased from being included in 75% of cases to being included in nearly 95% of all cases.
  • Plaintiffs are focusing on sensitive categories of information. Plaintiffs’ attorneys overwhelmingly focused on breaches in this Period that involved information such as Social Security Numbers, medical treatment information, health insurance information, and security questions and answers, with 89% of cases in 2016 involving a breach of sensitive data.
Click here to read the full report.

No doubt many will quote this study without reading the details.
UBI to Add Trillions of Dollars to U.S. Economy, Study Finds
… In the United States, a report claims that UBI will have a very positive impact on the country’s economy which can attain a growth of as much as $2.5 trillion.
Roosevelt Institute research director Marshall Steinbaum, Michalis Nikiforos of Bard College’s Levy Institute, and Gennaro Zezza of the University of Cassino and Southern Lazio in Italy have recently published their study that shows the remarkable effects of three versions of UBI in an eight-year period based on the Levy Institute macroeconometric model.
The Levy model, however, presupposes that the potential of the economy is constrained due to low household income, a highly debatable assumption which the authors themselves acknowledge in the report.
… According to the authors, “Fundamentally, the larger the size of the UBI, the larger the increase in aggregate demand and thus the larger the resulting economy is.”
However, this kind of growth could only be achieved if the UBI is paid for by increasing federal debt, not taxes.
“When paying for the policy by increasing taxes on households, the Levy model forecasts no effect on the economy,” the authors have further stated in their report. “In effect, it gives to households with one hand what it takes away with the other.”

A trend for geeks.
The Incredible Growth of Python
… You can see on Stack Overflow Trends that Python has been growing rapidly in the last few years

I don’t know if I can agree with them.
The Rise of the Twitter Thread
The compelling, incendiary literary form of the Trump era.
We don’t get to choose the literary genre of our epoch, and in this worst-of-times-worst-of-times political era, we have the Twitter thread. A series of tweets, written by one person and strung together by Twitter’s vertical border wall, the thread has emerged as this year’s ascendant form of argument: urgent, galloping, personality-driven and—depending on your view of the topic—either tacky and misleading or damned persuasive.
… A form that requires precise and lively storytelling, and the braiding together of seemingly disparate details and history, has naturally attracted both literary and legal minds.
… Sexton described threading to me as a “linguistic exercise to see how the mind works in quick succession while confined within a certain space.” Abramson has edited or written more than a dozen books, mostly on or of poetry, and is also a graduate of Harvard Law School and former public defender. He calls threading “a formal gesture in the same way a sonnet is.”

I’m sure my students think like Dilbert when I take points off.
