Why would a branch store in California have data on all the company's customers? Sounds like an invitation to steal the data!

Aaron’s operations computer stolen during burglary, contained customers’ Social Security numbers
November 2, 2011 by admin

It never rains but it pours?
I had never heard of Aaron’s until earlier this year when they were sued for allegedly installing spyware on rent-to-own computers. But now I see their name again – this time, on a breach notification to the New Hampshire Attorney General’s Office.

According to the firm’s letter of October 18, a Fresno, California franchise was burglarized. Aaron’s was informed of the burglary on September 26, [no indication of when it actually occurred Bob] and by September 30, had determined that a computer stolen in the burglary contained customers’ names and Social Security numbers. According to their notification, 1,008 residents of New Hampshire were affected by the breach; the nationwide total was not provided. Reportedly, the computer contained information on the franchisee’s customers and (other) Aaron’s customers.

The firm sent out notifications to consumers the week of October 17, offering them free credit monitoring services even though it appeared the computer was likely stolen for its hardware value and not for the data. [That is a good way of saying it, however what they actually said in the New Hampshire letter was:

“All of the circumstances indicate that this was a common petty theft and that there was no intent to obtain or distribute personal information on the computers. We also have no reason to believe that the information has been accessed by the thieves.”

I doubt that circumstances indicate intent or that their belief that the thieves didn't want the data is any more reliable than my belief that they did. Bob]
Confusing. Did the breach involve only one bank? Very unlikely. So are the other banks lying? Why would MasterCard not notify everyone? If it is a merchant breach, why only debit cards?

Update, Iowa – MasterCard issues local security alert
November 2, 2011 by admin

Bob Eschliman reports more on a recent breach disclosure in Iowa:

The MasterCard Fraud Management department has been notified of a security breach of a U.S. merchant’s network. A data security firm has been engaged to conduct an onsite forensic investigation. This alert discloses the payment account numbers of MasterCard accounts that were potentially exposed to compromise.

Preliminary investigations indicate that magnetic stripe data is at risk.

This alert contains account numbers used in transactions at the subject merchant from November 2, 2010 through April 20, 2011.

What I find intriguing is that no other bank in the area has indicated that they have been notified of the merchant breach.

That’s also a long time for the network to have been breached without the merchant realizing it, although sadly, it’s not particularly uncommon.

[From the Southwest article:

No information was believed to be stolen... [But that's wishful thinking, because... Bob]

… The letter stated the bank was not provided details of the security compromise

… This involved only debit card accounts.

… Baier indicated the compromise occurred with the data processor, not with Bank Iowa, and that the confidential information for all other accounts at the Clarinda bank are still safe. Bank president John Krummel said the data processor was MasterCard.

He provided a copy of the notice sent to the bank, with the affected account numbers redacted to protect customers’ privacy. The report stated:

The MasterCard Fraud Management department has been notified of a security breach of a U.S. merchant’s network. [i.e. NOT MasterCard Bob]

… Other banks in Clarinda said they were not notified for any security compromise.
“All your Facebook base belong to my bot”

Researchers Glean 250GB of Facebook User Data with New Socialbot

Facebook's "Immune System" might not be as robust as Zuckerberg believes. In fact, four researchers from the University of British Columbia have recently demonstrated just how easily a new breed of bot can infiltrate the FB system and harvest user data.

Socialbots, also known as "sock puppet" bots, are designed to mimic a human user. Those unsolicited Friend invites you receive from scantily-clad co-eds? Socialbots. And, once Friended, they obtain instant access to email addresses, phone numbers, and the rest of your personal details that you only share with your "Friends."

Researchers from UBC devised this eight-week test, employing a single botmaster and 102 bots, to infiltrate the Facebook network specifically because the team believed FB to have superior security measures compared to other social sites (*snicker*). Their ruse eventually garnered more than 3000 new—presumably human—friends with a network of nearly a million users. As for Facebook's "Immune System," only 20 bots were flagged and only because users reported them for spam.
Is “silent” the same as “private?” Can I have any expectation of privacy if I can be compelled to disclose that which I want to remain private? Is “foregone conclusion” (We know they exist and are here on your laptop) the same as “We know what they contain?” in which case would they need my key?

Does the Fifth Amendment Protect Your Encryption Key?

In a new article on an unresolved question, Joshua A. Engel writes, in part:

In cases starting to wind through state and federal courts, the government has sought to compel suspects and defendants to provide passwords and encryption keys. For example, in a Colorado case involving allegations of real estate fraud, the government seized several computers after executing search warrants at the defendant’s residence. The government obtained an additional search warrant to search a laptop, but was unable to read the encrypted contents. The government then sought an order compelling the defendant to provide or enter the password.

The Colorado case remains undecided, but other courts to address this issue have generally concluded that the provision of a password or encryption key is subject to the protections of the Fifth Amendment because the provision of this information is essentially an admission that the person had possession and control over, and access to, the computer, files, or data. A good illustration is found in In re Grand Jury Subpoena to Sebastian Boucher. U.S.D.C., D. Vt. No. 2:06-mj-91 (February 19, 2009).
I would seriously disagree – if IT actually had a memory for “things we did before” they would remember integrating those pesky “Personal” computers they ignored for years... Even Local Area Networks (LANs) were introduced to the organization by accounting (and other) departments over the objection of IT.

"Advice Line's Bob Lewis discusses the difficulties IT faces in embracing the kinds of consumer technologies business users are demanding they support. 'Let's assume the consumerization of IT is the big trend many think it is. But using consumer tech in a business environment is a very different matter from being satisfied with consumer tech in a business environment. One of IT's legitimate [I'd say: “irrational” Bob] gripes is that we're often asked to turn consumer-grade technology into business-grade technology with a wave of our magic wands. On top of the intrinsic technical challenges, there's this: IT doesn't have anything that even resembles a methodology for performing the business analysis we need to figure out what it means to put consumer tech to productive day-to-day use.'"
A “Buy my Security Product/Service” survey?

http://www.databreaches.net/?p=21297

What does the Unisys Security Index really tell us about consumer responses to a data breach?
November 2, 2011 by admin

I’m going to post a press release from Unisys with a warning: never confuse what consumers say they will do with what they actually do. [Amen Bob] I’ll meet you on the other side of the release:

Americans will go to great lengths to avoid identity theft, and many say they would take legal action against government or private organizations that compromise their personal data, according to new research conducted by Unisys Corporation.

Results from the bi-annual Unisys Security Index, which surveys more than 1,000 Americans for consumer views on a wide range of security concerns, indicated that more than three-quarters of respondents would stop dealing with an organization entirely in the event of a security breach, underlining the need to better protect customers’ personal data shared electronically.

Nearly 90 percent of all survey respondents said they would take some sort of action in the event of a data breach, ranging from conservative solutions like changing their passwords (87 percent) to those with more serious commercial implications, such as closing their accounts (76 percent) or taking legal action (53 percent).

Organizations that ignore security concerns also face public perception risks. Nearly 65 percent of U.S. survey respondents said they’d publicly expose a company that allows a breach. And in a world where communities such as Facebook and Twitter provide the opportunity to instantly broadcast dissatisfaction to a broad audience, this threat seems more real than ever before.

The Unisys study also revealed that more than half of surveyed Americans are willing to provide biometric data to secure their identities. This includes a willingness to provide biometric data at security checkpoints at airports (59.6 percent); when conducting financial transactions with banking institutions (56.9 percent); and when receiving government benefits or other services (53.0 percent).

Still, only 21.3 percent were willing to give their biometric data to social media sites, suggesting a perception that either these entities were less careful with their data, or that the risk was simply not worth the reward.

“The latest results of the Unisys Security Index suggest that organizations face very real business and financial implications for security breaches,” said Steve Vinsik, vice president, enterprise security, Unisys. “Given recent highly publicized breaches that have exposed large amounts of sensitive data, the results should be a wake-up call for organizations to take more proactive measures to protect customer data.”

The new findings follow the results of the May 2011 Unisys Security Index, in which 70 percent of respondents reported they were seriously concerned about identity theft.

The Unisys Security Index found similar responses in 11 other countries where the survey was performed. For example, 82 percent of citizens surveyed in the United Kingdom said they would close their accounts with an organization responsible for a breach of their private data. In Mexico, 62 percent said they would publicly expose the issue, and 86 percent of Brazilians surveyed said they would take legal action.

About the Unisys Security Index

The Unisys Security Index is a bi-annual global study that provides insights into the attitudes of consumers on a wide range of security related issues. Lieberman Research Group conducted the survey in Latin America, Europe and the U.S.; Newspoll conducted the research in Asia-Pacific. The Unisys Security Index surveys more than 10,000 people in 12 countries: Australia, Belgium, Brazil, Colombia, Germany, Hong Kong, Mexico, the Netherlands, New Zealand, Spain, the United Kingdom and the United States. For more information, visit www.unisyssecurityindex.com.

Okay, now most readers of my blog have been reading dire warnings about churn and reputation harm for years. And now we have 76% reporting that they would stop doing business with a company? Seriously? No way. They may bluster and tell that to pollsters, and maybe they even believe they would do it, but I want to see a survey of those who received breach notifications that shows that 76% stopped doing business with the firm. Did 76% of Sony PSE users stop using Sony? No. Has 76% of ANY business’s or bank’s customer or client base left them following a breach? No. Think TJX. Think any big breach. That statistic just does not stack up to the reality of what we see following a breach.

It’s time to stop asking people what they would do and ask more people what they have actually done.
Do you think this will spread to the US? Is a Policy enough to justify firing?

Apple was OK to fire man for private Facebook comments

Anna Leach reports:

Apple was right to fire an employee of one of its UK stores for saying rude things about the company on his Facebook wall, an employment tribunal in Bury St Edmunds ruled.*

The tribunal judge upheld Apple’s dismissal of the man for gross misconduct in a case which sets another precedent for social network users who like to bitch about work online.

The Apple Store worker had made derogatory comments about Apple’s brand and products on his Facebook wall. Although his posts were not public, one of his unfriendlier “friends” – also a colleague in the store – printed the comments out and showed them to their boss, who fired the man for misconduct.

One of the key elements of the case was that Apple had a clear policy in place so it is not like the employees weren’t forewarned about conduct on social media. The second key element was that even using the “private” setting on Facebook does not protect the employee because it’s so easy for “friends” to copy and paste “private” messages that Facebook users/employees cannot really invoke Article 8 of the European Convention of Human Rights.

So how does that play out for students in schools, posting from their home on their own time? Freedom of expression seems to be shrinking as employers and schools establish policies and justify limiting speech off-hours.

Hmmm.
Oh, the horror!

November 02, 2011
New on LLRX.com - The Digital Death of Copyright's First Sale Doctrine

via LLRX.com - The Digital Death of Copyright's First Sale Doctrine:

An important copyright case won't be argued in the Supreme Court, which on October 3, 2011 declined to review Vernor v. Autodesk, a Ninth Circuit Court of Appeals decision involving the applicability of copyright's first sale doctrine to transactions involving software and other digital information goods. Law professor Annmarie Bridy discusses the wide reaching impact of the first sale doctrine, without which there would be no free market for used books, CDs, or DVDs, because the copyright owner's right of distribution would reach beyond the first sale, all the way down the stream of commerce.
This is smart! A library that generates its own content! Probably lots of non-academic publications they could assist with...

November 01, 2011
Library Publishing Services: Strategies for Success - Research Report

Library Publishing Services: Strategies for Success, Research Report Version 1.0. James L. Mullins, Catherine Murray-Rust, Joyce Ogburn, Raym Crow, October Ivins, Allyson Mower, Mark P. Newton, Daureen Nesdill, Julie Speer, and Charles Watkinson. Libraries Research Publications. Paper 136.

"Over the past five years, libraries have begun to expand their role in the scholarly publishing value chain by offering a greater range of pre-publication and editorial support services. Given the rapid evolution of these services, there is a clear community need for practical guidance concerning the challenges and opportunities facing library-based publishing programs. Recognizing that library publishing services represent one part of a complex ecology of scholarly communication, Purdue University Libraries, in collaboration with the Libraries of Georgia Institute of Technology and the University of Utah, secured an IMLS National Leadership Grant under the title Library Publishing Services: Strategies for Success. The project, conducted between October 2010 and September 2011, seeks to advance the professionalism of library-based publishing by identifying successful library publishing strategies and services, highlighting best practices, and recommending priorities for building capacity."
Perspective. Siri the Google killer? Voice interface has been discussed for years as the simplest way to communicate with your computer. (Decades in the SciFi literature)

"Gary Morgenthaler, a recognized expert in artificial intelligence and a Siri board member, says that Apple now has at least a two-year advantage over Google in the war for best smartphone platform. 'What Siri has done is changed people's expectations about what's possible,' says Morgenthaler. 'Apple has crossed a threshold; people now expect that you should be able to expect to speak ordinary English — and be understood. Siri has cracked the code.' The threshold, from mere speech recognition to natural language input and understanding, is one that Google cannot cross by replicating the technology or making an acquisition adds Morgenthaler. 'There's no company out there they can go buy.' Morgenthaler's comments echo the recent article in Forbes Magazine, 'Why Siri Is a Google Killer' that says that Apple's biggest advantage over any other voice application out there today is the massive data Siri will collect in the next 2 years — all being stored in Apple's massive North Carolina data center — that will allow Siri to get better and better. 'Siri is a new interface for customers wanting to get information,' writes Eric Jackson. 'At the moment, most of us still rely on Google for getting at the info we want. But Siri has a foot in the door and it's trusting that it will win your confidence over time to do basic info gathering.'"
Perspective:
The End of an Era: Internet Explorer Drops Below 50 Percent of Web Usage

It seems you can get a bit carried away with this “Green” stuff... (Note to students: Wearing your jeans in sub-freezing weather is not the same as washing them!)

Stone-Washed Blue Jeans (Minus the Washed)

Levi Strauss suggests washing jeans rarely, if at all — the theory being that putting them in the freezer will kill germs that cause them to smell.

Geeky giggles!

Japan Pushes World’s Fastest Computer Past 10 Petaflop Barrier

Global Warming! Global Warming! Injecting politics always makes bad science.

Scientist who said climate change sceptics had been proved wrong accused of hiding truth by colleague

It was hailed as the scientific study that ended the global warming debate once and for all – the research that, in the words of its director, ‘proved you should not be a sceptic, at least not any longer’.

… But today The Mail on Sunday can reveal that a leading member of Prof Muller’s team has accused him of trying to mislead the public by hiding the fact that BEST’s research shows global warming has stopped.

Interesting business model: Get someone with no claim to fame other than being famous and have them pick (not just suggest) the products you buy. I never would have thought of that.

BeachMint’s BeautyMint Gets 500,000 Visitors In First 24 Hours (Thanks To Jessica Simpson)

When I saw this Infographic, I asked myself what percentage of this activity we were teaching our students about...

60 Seconds on the Internet [Infographic]

(Related) That wasn't depressing enough, so look at this one...

Infographic: The Mobile World In 60 Seconds