Saturday, May 19, 2018

Let this be a lesson to my Computer Security students.
Mark Satter reports:
The nation relies on teachers to educate our children and help them when they make mistakes. But when it comes to protecting students’ data, it is often the teachers and school staff who mistakenly let bad actors in to school computer systems, officials say.
In a hearing Thursday before the House Committee on Education and the Workforce, a panel of educators, privacy experts and U.S. Department of Education officials pointed to accidental online errors by school staff as the main threat to protecting school data.
In the state of Kentucky, which experienced more than 4 billion attempted attacks on the computer systems of K-12 services last year, the greatest number of data breaches were the result of staff who fell for email phishing scams, according to David Couch, CIO for the Kentucky Education Technology System (KETS) at the Kentucky Department of Education.
“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing.
Read more on EdScoop.

(Related) Perhaps a class or two on Ethics?
Violet Ikonomova reports:
Leave it to kids in one of Michigan’s best school districts to have figured out how to hack the district’s grading system and (presumably) give themselves A’s.
A message posted to the Bloomfield Hills Schools website alerts parents that “a couple” students made “some poor choices lately,” hacking into the district’s student information system and manipulating their personal grades, attendance, and lunch balance information. The data base houses all of the district’s student and family data, the notice says.
The students are in high school and modified the information of their own accounts and others high schoolers, Bloomfield Hills Schools Superintendent Robert Glass says in a video message elsewhere on the website. A total of 20 students saw changes made in the form of improved grades, improved attendance, and reduced lunch balances.
Read more on Detroit Metro Times.

Aggregating data for resale.
200 Million Sets of Japanese PII Emerge on Underground Forums
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

It’s cheaper (for the state) if you have no rights!”
Gavin Reinke of Alston & Bird writes:
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such a duty, the plaintiff in McConnellrelied on the Georgia Personal Identity Protection Act (the “GPIPA”). The plaintiff argued that the GPIPA supported recognizing a duty to safeguard PII because the statute reflects the General Assembly’s “intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information.” McConnell, 2018 WL 2173252.

You have no ‘right to be forgotten.’
All of’s alleged co-owners arrested on extortion charges
Two alleged owners of—Sahar Sarid and Thomas Keesee—have been arrested in south Florida on a recently issued California warrant. The notorious website publishes mugshots and then demands payment for their removal.
… "This pay-for-removal scheme attempts to profit off of someone else's humiliation," said Attorney General Becerra in a statement. "Those who can't afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others. This is exploitation, plain and simple."
… The 29-page affidavit provides a lengthy explanation of what prosecutors call a "business permeated with fraud."

(Related) For all my students!
I sometimes think people don’t realize the amount of time and passion Joe Cadillic dedicates to informing you all of surveillance issues and online threats to our privacy. We’ll get back to that later in this post, but for now:
This week, one of the links he sent me to share with you all is a treasure.
Michael Bazzell writes:
Posted on May 15th, 2018
I received an email today from a reader of the latest edition of my privacy book Hiding from the Internet. In the book, I include an entire chapter of opt-out links for removing personal information from people-search, data-mining, marketing, and data broker websites. The reader asked if I maintained a digital version of the workbook with active hyperlinks for easy navigation. While I try to maintain a page for hyperlinks from the book, it did not quite replicate the workbook model that is in the official publication. Today, I am releasing the entire workbook in PDF format for free. I hope it helps the process of cleaning up unwanted online details. The direct link is below.

Computers and the Constitution.
From EPIC:
EPIC has filed a “friend of the court” brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breachcase. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” In a 2011 case NASA v. Nelson, EPIC urgedthe Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.

Adding ‘touch’ to Tech. Hand holding for people not comfortable with e-commerce?
Walmart has quietly launched Jetblack, a ‘members-only’ personal shopping service for affluent city moms
Code Eight, a stealthy personal-shopping startup incubated inside of Walmart, has rebranded itself as Jetblack, Recode has learned.
In job listings, the service is described as a “members-only personal shopping and concierge service that combines the convenience of e-commerce with the customized attention of a personal assistant.”
Visitors to are greeted by a landing page that says, “Nice work, you found us!”
“Jetblack is currently in beta in Manhattan,” the site says. It gives visitors an option to request early access.
A new Walmart subsidiary, called Code Eight, has recently started testing a personal shopping service for “busy NYC moms,” according to multiple sources, with the goal of letting them get product recommendations and make purchases simply through text messaging.
The target customer of Code Eight is described in an online job listing as a “high net worth urban consumer” — translation: A rich city dweller — certainly not the historical sweet spot for Walmart’s main business.
Household items are delivered for free within 24 hours; other purchases are delivered within two business days. Returns are picked up for free at a customer’s apartment building or house.

No comments: