If your procedure for detecting a
breach is inadequate, your procedure for detecting a test is also
inadequate. Hiring multiple security firms is only a way to pass the
buck, it will never ensure that you have adequate security
management.
The
City of Tulsa’s costly screw-up
October 2, 2012 by admin
The saga of the City of Tulsa
hack-that-wasn’t-a-hack
fascinates me and would be funny if it wasn’t such a costly
foul-up. While the city’s IT manager is on paid administrative
leave, Ian Silver of Fox23
provides some additional details , most notably:
- To their credit, the city had hired SecurityMetrics 18 months ago to periodically check their security for holes. The “hack” was a result of SecurityMetrics doing their job and finding a hole in the process.
- The city checked the IP address for the intruder but thought it might be a spammer. It appears they never checked with SecurityMetrics. I contacted SecurityMetrics, who provided the following statement:SecurityMetrics conducts regular vulnerability scans for tens of thousands of clients each month and uses an identical process to notify all account managers of scan results following each scan completion. In addition, each client has 24/7 online access to their SecurityMetrics account which includes times of past and future scans, and individual scan vulnerabilities. Although there was no breach, we applaud the City of Tulsa for implementing a punctual and accurate response process.So it seems the city could have easily checked its account online to see if there had been a scan at the time of the “intrusion,” but didn’t. Had they done that, it could have spared them a lot of time, money, and grief.
- In addition to paying SecurityMetrics, the city wound up paying $20,000 in mailings to 90,000 people whom they thought had been victims of a hack. They also paid $25,000 to True Digital Security to investigate what they thought was a hack. Why they didn’t ask SecurityMetrics to investigate the hack is not explained. Had they done that, they might have also averted the costly mailing and other fees.
- The city is hiring yet another firm to help them restructure their IT department so this type of thing doesn’t happen again.
It’s good that they detected a
breach, and I don’t want to dismiss the importance of that. But
the rest of this was a bit of a fiasco and re-structuring and
improving communications may help avert a similar situation in the
future. But what are other lessons to be learned here?
This has all the earmarks of a
potential, make that probable, disaster. For years, my King Soopers
loyalty card has had the name and address of a certain Law School
professor I know...
"The UK
Government will announce details this month of a controversial
national identity scheme which will allow people to use their mobile
phones and social media profiles as official identification documents
for accessing public services. People wishing to apply for services
ranging from tax credits to fishing licences and passports will be
asked to choose from a list of familiar online log-ins, including
those they already use on social media sites, banks, and large
retailers such as supermarkets, to prove their identity."
I can't wait until carrying a telephone
is mandatory. In the U.S. at least, how else will the government send
you important messages?
A real concern. If their “private
Internet” is controled by people who can't spell 'gMail' and is
disrupted by data volumes equal to a single movie, no wonder they
think they're under constant attack.
Officials in
Iran have been busy over the last few months setting up the country’s
new national information network. Once that information network was
set up, Iran moved to block certain Internet services such as YouTube
and Google search. Iran later said that it
accidentally blocked access to Google Gmail at the same time.
New reports
are coming out of Iran that claim cyber attackers targeted the
country’s infrastructure and communications companies. According
to the officials, the attacks disrupted the Internet across the
entire country. Report of the disrupted Internet access was
announced by Mehdi Akhavan Behabadi, secretary of the High Council of
Cyberspace yesterday.
The official said the attack that
occurred yesterday included “traffic of several
gigabytes” that hit the Internet infrastructure and
slowed down access across the country.
An update the fans have been waiting
for...
...then again, perhaps not. Can you
say: Class Action?
FIFA
Fake-Out: EA Sells Last Year’s Soccer Game as New
… Yes, the uniforms and players
have been updated
to match this year’s rosters, the website Nintendo Gamer
reported. But otherwise, it’s a re-release of the same game with a
new number on the box: The same gameplay modes, character models,
graphics, menu screens, dialogue. And the same $50 price tag.
It doesn’t stop there: Other fans of
the sport say that FIFA
13 on PlayStation Vita is essentially identical to FIFA
Football, the game that Electronic Arts released six
months prior, at the launch of the new Sony gaming handheld.
EA is selling old products to
unsuspecting consumers at a premium price, and fans are confused and
angry.
Ignorance is bliss?
By Dissent,
October 4, 2012
Over on Simple
Justice, criminal defense attorney Scott Greenfield discusses a
news
story that is an eye-opener of sorts. It has do with how the
Sarasota County Sheriff’s Office has tried to capitalize on our
tendency to not really read HIPAA release authorizations we are asked
to sign at a doctor’s office. Read the following carefully:
It’s been years since I’ve blogged
about “tin stars on doctors,” but I was glad to read that no
doctors seem to have actually used the forms or submitted
such releases to the county.
As an attorney, Scott’s focus is
understandably on the Fourth Amendment end-run that such forms
attempt to accomplish. As a privacy advocate, I share his concerns,
but as a healthcare professional, I am even more appalled when law
enforcement tries to erode patient confidentiality and privacy.
Kudos to the Herald
Tribune for bringing this matter to the public’s attention and
to Scott for amplifying
the message.
Scams-du-jour: “It's what you don't
know that hurts you...” FTC fine is $163 million – anyone think
they'll actually collect?
October 03, 2012
FTC
Halts Massive Tech Support Scams
News
release: "The Federal Trade Commission has launched a major
international crackdown on tech support scams in which telemarketers
masquerade as major computer companies, con consumers into believing
that their computers are riddled with viruses, spyware and other
malware, and then charge hundreds of dollars to remotely access and
“fix” the consumers’ computers. At the request of the FTC, a
U.S. District Court Judge has ordered
a halt to six alleged tech support scams pending further
hearings, and has frozen their assets."
(Related) ...and they are 100%
successful!
"A company is putting horrible
reviews of small business online, and then offering to improve the
company's reputation and take
the reviews off for a fraction of the cost that a real reputation
improvement company would charge. Sierra West received a call from a
'reputation improvement company' telling them they had a negative
review online and that the company would take the review offline if
Sierra West paid $500. 'Of course when someone is offering $500 the
day (the bad review) goes up seemed not legitimate.'"
Is RFID cheaper than all those Traffic
Cam with license plate recognition software? Probably... Note that
the first “service” listed is traffic tickets.
"As of January, Brazil intends
to put into action a new system that will track
vehicles of all kinds via radio frequency chips. It will take a
few years to accomplish, but authorities will
eventually require all vehicles to have an electronic chip installed,
which will match every car to its rightful owner. The chip will send
the car's identification to antennas on highways and streets, soon to
be spread all over the country. Eventually, it will be illegal to
own a car without one. Besides real time monitoring of traffic
conditions, authorities will be able to
integrate all kinds of services, such as traffic tickets, licensing
and annual taxes, automatic toll charge, and much more.
Benefits also include more security, since the system will make it
harder for thieves to run far away with stolen vehicles, much less
leave the country with one." [At least, a
car with a working RFID chip... Bob]
A lot of articles before and during, I
can't wait to see what happens after the court reaches a decision.
Thoughts
on the Oral Argument in the Fifth Circuit Cell-Site Case
October 3, 2012 by Dissent
Orin Kerr commented on yesterday’s
oral argument:
The Fifth Circuit held its oral argument in its Fourth Amendment
cell-site case today; the audio is here.
On the whole, I thought the argument was pretty
unilluminating. The judges spent a lot of time trying to figure out
the statute and the facts, but they had surprisingly few questions
about the Fourth Amendment questions DOJ and the amici argued.
Here’s a quick run-down of the argument, followed by my thoughts….
Read his summary and comments on The
Volokh Conspiracy.
Overall, I remain concerned that this
was not the Circuit in which I’d have liked these arguments to be
heard. But we’ll see….
Aside from inserting the word “legally”
in a few places, this doesn't seem to change my life much...
AAP
Publishers Get More Control Over Google As They Settle 7-Year
Copyright Infringement Suit Over Google Library Project
Google has finally made some headway on
the litigation over copyright infringement for the Google Library
Project; and the deal puts in place another key piece of the puzzle
for Google Books. Google has reached
a settlement with the Association of American Publishers, ending
a seven-year legal dispute over the use of books and journals by
Google in its Library Project. The suit was first filed in 2005 by
five publishers.
Under the new agreement, publishers
will have more control over how works that they own appear in Google
catalogs, and get more routes for potentially making money from books
that appear in the Library Project, which is free to use and brings
together content libraries and other sources online.
(Related) Perhaps computers can't do
it all... Or, too many people see an easy way to use the automatic
take-down to mess with competitors or anyone. Well, there goes my
idea to get rich by copyrighting the phrase “I approve this
message” during an election year...
YouTube
Alters Copyright Algorithms, Will ‘Manually’ Review Some Claims
Google-owned YouTube said Wednesday it
is altering its algorithms to reduce invalid copyright infringement
claims on its video-sharing site and will begin manually reviewing
some claims instead of the system automatically blocking disputed
footage.
The development comes a month after
First Lady Michelle Obama’s speech at the Democratic National
Convention was
wrongly flagged by algorithms just after it aired. YouTube, the
official streaming partner of the Democratic National Convention,
automatically put a copyright blocking message on the livestream
video of the event shortly after it ended.
Thabet Alfishawi, rights management
product manager for YouTube, said “mistakes can and do happen”
due to the volume of uploaded videos and the sheer number of
copyrighted clips uploaded into its automated Content ID service. We
at Wired have labeled the algorithm “streaming
video’s robotic overlord.”
For my Data Mining and Data Analysis
students.
October 03, 2012
Demystifying
Big Data: A Practical Guide to Transforming the Business of
Government
TechAmerica Foundation's Big Data
Commission report, Demystifying
Big Data: A Practical Guide to Transforming the Business of
Government
- "Big Data has the potential to transform government and society itself. Hidden in the immense volume, variety and velocity of data that is produced today is new information, facts, relationships, indicators and pointers, that either could not be practically discovered in the past, or simply did not exist before. [Big Data does not create new information. It may make it easier to find. Bob] This new information, effectively captured, managed, and analyzed, has the power to enhance profoundly the effectiveness of government. Imagine a world with an expanding population but a reduced strain on services and infrastructure; dramatically improved healthcare outcomes with greater efficiency and less investment; intensified threats to public safety and national borders, but greater levels of security; more frequent and intense weather events, but greater accuracy in prediction and management... Success in capturing the transformation lies in leveraging the skills and experiences of our business and mission leaders, rather than creating a universal Big Data architecture. It lies in understanding a specific agency’s critical business imperatives and requirements, developing the right questions to ask, understanding the art of the possible, and taking initial steps focused on serving a set of clearly defined use cases. The experiences and value gained in these initial steps lead to more questions, more value, and an evolutionary expansion of Big Data capability that continually leverages prior investments."
Perspective
Facebook has passed one billion active
users, social network founder Mark Zuckerberg has
confirmed, of which 600m are mobile users. The new milestone
again sees Facebook’s average age of users fall, now down to 22
versus 23 when Facebook hit 500m users in July 2010; according to the
site, it has seen over 1.13 trillion “Likes” since the February
2009 launch.
Sort of like a Gold Star... I will
award “I stayed awake through the entire class” badges (probably
once or twice per quarter...) Note: the site is still in Beta
Class
Badges
Class Badges is an awesome new site
that allows educators to award badges for student accomplishments.
These badges are completely customizable for specific subjects,
projects, and even for an individual school or classroom. Class
Badges is simple to use tool that allows teachers to motivate and
reward students for mastery with just a few clicks of their mouse.
This is a fantastic new site that allows you to engage your students,
reward their learning. Be sure to sign up and request a free
account.
There are times when I want this
power...
The built-in Remote Desktop application
within Windows is a highly useful utility that lets you control a
remote computer easily. But what if you need to remotely control
multiple computers through a user-friendly interface? In this case,
you will find an app called LiteManager to be very helpful.
This could be useful. Handouts my
students might actually keep (and dare I hope, read?)
Publish
Your Own Crafty Books and Manifestos With Scout Books
Pinball Publishing was founded 10 years
ago with a focus on traditional fare like haute couture business
cards and gig posters. Having monitored an ongoing explosion of
digital media, founder Laura Whipple decided to blend both worlds in
a diminutive way. She explains, “We combined our ink and paper
expertise with the changing nature of online communications to
develop the perfect pocket-sized publishing format called the Scout
Book.”
Scout Books are 3.5-by-5-inch black-ink
booklets covered with a semi-rigid cardstock that can be printed in
one or two colors. Creators specify content for each page and
publish a book, or slap a custom cover on a template to create a
limited-edition journal.
… The company posts some of the
best creations on their site as case
studies — showing the potential of the simple paper setup.
Clever marketing? If not the little
Trick-or-Treat zombies, then perhaps my Classroom zombies...
Give
trick-or-treaters a free copy of Plants vs. Zombies (PC/Mac)
Let's face it: Zombies have the worst
oral hygiene. I mean, have you ever seen one floss?
Alas, kids run them a close second,
especially around Halloween, when the candy piles up like zombies on
a cheerleader pyramid.
To help thwart the totally made-up
condition known as "Zombie Mouth," PopCap Games has teamed
up with the American Dental Association for a seriously cool
promotion: Halloween-night
coupons for a free copy of Plants vs. Zombies (PC/Mac).
Just print as many copies of the coupon
page (PDF)
as you like, then cut each one into eight individual coupons you can
hand out to trick-or-treaters.
The code can be redeemed (at
www.stopzombiemouth.com)
starting Oct. 30, but no later than Nov. 10. It's
good for the PC or Mac
version of the mega-popular
game, which normally sells for $19.95. You read that right:
This is a $20 freebie for every kid in your neighborhood.
