Thursday, April 05, 2018
No breach is ever so bad that it can’t become worse.
‘Malicious actors’ collected data on 2 billion Facebook users worldwide
It is not surprising to learn today from Facebook that the debacle of Cambridge Analytica harvesting data on 87 million people has escalated monumentally to the level of 2 billion users worldwide, per the Washington Post: “Facebook said Wednesday that ‘malicious actors’ took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide. The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users… But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged. The scam started when malicious hackers harvested email addresses and phone numbers on the so-called ‘Dark Web,’ where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s ‘search’ box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown…”
Practical Approaches to Big Data Privacy Over Time
“The Berkman Klein Center is pleased to announce a new publication from the Privacy Tools project, authored by a multidisciplinary group of project collaborators from the Berkman Klein Center and the Program on Information Science at MIT Libraries. This article, titled ‘Practical approaches to big data privacy over time,’ analyzes how privacy risks multiply as large quantities of personal data are collected over longer periods of time, draws attention to the relative weakness of data protections in the corporate and public sectors, and provides practical recommendations for protecting privacy when collecting and managing commercial and government data over extended periods of time. …”
I’d like someone to step up and give my Computer Security students a good example for a change.
Protect Yourself from Panera’s Half-Baked Security
Have you ever noticed that most companies say, “We take your security very seriously” only after they demonstrably didn’t take your security all that seriously? The latest business to let its customers down is Panera Bread, a popular bakery chain, whose security countermeasures probably needed a little more time in the oven.
A huge flaw could expose as many as 37 million user accounts. That’s bad enough on its own, but what’s even worse is that Panera has known about the underlying flaw for eight months, and did not address it.
The frankly incredible story comes courtesy of security researcher Dylan Houlihan and his colleague Brian Krebs. Houlihan explained the full story in a detailed Medium post, while Krebs added additional commentary on his own blog.
To simplify a very complex issue: Anyone who’s ever signed up for a Panera account can leverage a flaw in its website to view another user’s information. This includes his or her username, phone number, birthday, and last four digits of a credit card — in addition to a full name, physical address, e-mail address and even your dietary restrictions.
I would not be pleased with a vendor who failed to notify me for months!
Delta Air Lines Inc. and Sears Holding Corp., including its Kmart stores, confirmed late Wednesday that select customer payment information may have been exposed in a cybersecurity breach at a software service provider they both use, called [24]7.ai.
The tech firm found that a cybersecurity incident affected online customer payment information of its clients, it said. The incident happened on or after Sept. 26, 2017, and was found and resolved on Oct. 12 that year.
Delta and Sears said they were notified of the incident last week and that certain customer payment information may have been accessed.
For my Software Architecture students.
Smartphones becoming primary device for physician and patient communications
Hospitals are making significant investments in smartphone and secure mobile platforms to enable communications between clinicians and between them and patients, according to a new survey.
Nine of 10 healthcare systems plan significant investments in smartphones and secure unified communications over the next 12 to 18 months, according to the results of the survey, performed in person by Spyglass Consulting Group; the survey included more than 100 healthcare professionals working in hospital environments.
… "The whole idea of patient-staff communications is a relatively new concept," Malkary said, referring to the 2012 requirements set down by the federal government's "meaningful use" of electronic healthcare records (EHR) standards.
While my students are still healthy?
HHS Releases a New Resource to Help Individuals Access and Use Their Health Information
“The US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) today released the ONC Guide to Getting and Using your Health Records, a new online resource for individuals, patients, and caregivers. This new resource supports both the 21st Century Cures Act goal of empowering patients and improving patients’ access to their electronic health information and the recently announced MyHealthEData initiative.
… In fact, a new ONC data brief (PDF) shows that in 2017, half of Americans reported they were offered access to an online medical record by a provider or insurer…” [h/t Pete Weiss]
I’m sure my students will want to build one. They’re still divided as to the targets.
'Killer robots': AI experts call for boycott over lab at South Korea university
… More than 50 leading academics signed the letter calling for a boycott of Korea Advanced Institute of Science and Technology (KAIST) and its partner, defence manufacturer Hanwha Systems. The researchers said they would not collaborate with the university or host visitors from KAIST over fears it sought to “accelerate the arms race to develop” autonomous weapons.
(Related) Overreaction? I bet the Pentagon uses Google search too.
Google employees demand the company pull out of Pentagon AI project
Last month, it was revealed that Google was offering its resources to the US Department of Defense for Project Maven, a research initiative to develop computer vision algorithms that can analyze drone footage. In response, more than 3,100 Google employees have signed a letter urging Google CEO Sundar Pichai to reevaluate the company’s involvement, as “Google should not be in the business of war,” as reported by The New York Times.
Work on Project Maven began last April, and while details on what Google is actually providing to the DOD are not clear, it is understood that it’s a Pentagon research initiative for improved analysis of drone footage. In a press statement, a Google spokesperson confirmed that the company was giving the DOD access to its open-source TensorFlow software, used in machine learning applications that are capable of understanding the contents of photos.
I often tell my students where to go.