Tuesday, September 25, 2012

A clever example of hacker misdirection or yet another example of “We don't need no stinking logs!”
Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached
September 24, 2012 by admin
How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. Hapless victims had their names and Social Security numbers used to create wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors. [What? They sent the bills to some bogus address but the overdue notices to the doctors? Bob]
But despite its best efforts to identify any internal source of the breach, St. Agnes Hospital could not find any confirmation of a breach. [That's what happens when you don't log access Bob] In a letter to those affected, the text of which was submitted to the state last month, they write:
Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.
So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:
  • Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;
  • Refresh HIPAA privacy education in those departments routinely using physician information; and,
  • Investigate disguising or eliminating social security numbers in data systems where they are stored.
That’s nice, but shouldn’t they have been doing all of that already? [Yes! Bob] And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties? We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too? [Doctors have huge incomes, patients have huge debts – who do you think is the more attractive target? Bob]
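The access review the letter describes (looking for unauthorized access, after-hours access and "other suspicious activity") is only possible if the credentialing system records who read which record and when. As an added example, not from the hospital or from this post, here is the kind of review a practitioner would run over such a log once it exists: flag reads outside business hours or on weekends, and flag any user who has read a disproportionate number of distinct physician records, which is what an insider copying names and SSNs by hand looks like. The log format, field names and sample lines are constructed for this example; a real system's audit trail will differ.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log: ISO timestamp, user, action, record id.
# The format is an assumption for this example, not any real product's.
SAMPLE_LOG = """\
2012-08-01T09:12:03 jsmith READ PHYS-0001
2012-08-01T09:15:41 jsmith READ PHYS-0002
2012-08-01T10:02:10 mlee READ PHYS-0001
2012-08-01T22:47:55 tmoore READ PHYS-0003
2012-08-02T08:30:00 tmoore READ PHYS-0001
2012-08-02T08:31:12 tmoore READ PHYS-0002
2012-08-02T08:32:05 tmoore READ PHYS-0004
2012-08-02T08:33:40 tmoore READ PHYS-0005
2012-08-02T08:35:09 tmoore READ PHYS-0006
2012-08-02T11:00:00 mlee UPDATE PHYS-0002
"""

# Business hours are an assumption; tune to the department's schedule.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Turn the log text into (datetime, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def after_hours(events, start=BUSINESS_START, end=BUSINESS_END):
    """Events that fall on a weekend or outside start..end on a weekday."""
    hits = []
    for ts, user, action, record in events:
        t = ts.time()
        if ts.weekday() >= 5 or t < start or t >= end:
            hits.append((ts.isoformat(), user, action, record))
    return hits


def bulk_readers(events, threshold):
    """Users who READ more than `threshold` distinct records.

    One clerk reading a handful of records is routine; one account reading
    most of the physician roster in a few minutes is the pattern to chase.
    """
    distinct = defaultdict(set)
    for _ts, user, action, record in events:
        if action == "READ":
            distinct[user].add(record)
    return {u: len(r) for u, r in distinct.items() if len(r) > threshold}


def review(text, threshold=3):
    """Run both checks and return the findings as plain data."""
    events = parse_log(text)
    return {
        "after_hours": after_hours(events),
        "bulk_readers": bulk_readers(events, threshold),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

Both checks are only as good as the log behind them: if the system records logins but not which records a logged-in user viewed, the bulk-reader check has nothing to work with, and the review collapses to exactly the "we failed to detect" result in the letter.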


“It's not a failure, it's a feature!” I can hear Dr. Evil laughing...
A single line of code can apparently trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones. The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.
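The web delivery path is assumed here to be a tel: URI, the normal way a page hands a number to a phone's dialer; the article does not spell out the mechanism, and the specific reset code is deliberately not reproduced. As an added example, not from the researcher or the article, here is a scanner a web-proxy or content filter could run over HTML to flag any tel: URI carrying an MMI/USSD-style string (starting with `*` or `#` and ending in `#`), whether it arrives in a link, a frame source, or a meta refresh, and including the percent-encoded form that hides the `#`. The sample HTML is constructed for the example and uses the harmless IMEI-display code `*#06#` in place of anything destructive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# MMI/USSD strings start with '*' or '#' and end with '#', e.g. *#06#.
# A dialer should never execute one handed to it by a web page without
# user confirmation, so every such tel: URI is worth flagging.
# The pattern is an assumption for this example, not a complete MMI grammar.
USSD_RE = re.compile(r"^[*#][0-9*#]*#$")

# Attributes that can carry a URI the browser will navigate or load.
URI_ATTRS = {"href", "src", "action", "data", "content"}


class TelCollector(HTMLParser):
    """Collect every tel: URI found in the attributes above."""

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URI_ATTRS or not value:
                continue
            val = value.strip()
            # <meta http-equiv="refresh" content="0;url=tel:..."> navigates too.
            if tag == "meta":
                m = re.search(r"url\s*=\s*(.*)$", val, re.I)
                if m:
                    val = m.group(1).strip()
            if val.lower().startswith("tel:"):
                self.tel_uris.append(val)


def extract_tel_uris(html):
    parser = TelCollector()
    parser.feed(html)
    return parser.tel_uris


def is_ussd(uri):
    """True if the tel: URI's number part is an MMI/USSD string.

    Percent-decoding first matters: '%23' is '#', so 'tel:*%2306%23'
    is '*#06#' once the dialer sees it.
    """
    number = unquote(uri[4:]).strip()
    return bool(USSD_RE.match(number))


def find_ussd_links(html):
    """Return the tel: URIs in `html` that would dial an MMI/USSD code."""
    return [u for u in extract_tel_uris(html) if is_ussd(u)]


# Constructed sample page: one ordinary phone link and three USSD carriers.
SAMPLE_HTML = """
<a href="tel:+14105551234">Call us</a>
<iframe src="tel:%2A%2306%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*%2306%23">
<a href="TEL:*123*1#">Check balance</a>
"""

if __name__ == "__main__":
    for uri in find_ussd_links(SAMPLE_HTML):
        print("USSD in tel: URI:", uri)
```

The real fix belongs in the dialer (prompt before executing any MMI code received from a URI), not in a content filter; the scanner is a stop-gap for the window between disclosure and patch, and a convenient way to check whether a QR code or NFC tag payload resolves to the same kind of URI.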



The sad part is, he probably didn't think it was creepy...
"Has Immigration Minister Jason Kenney been emailing you? Maybe it's because you're gay. The minister sent out an email on Sept 24 lauding the government's efforts to protect and promote queer rights abroad. It highlights the 'emphasis . . . on gay and lesbian refugee protection, which is without precedent in Canada's immigration history.' The Ottawa Citizen's Glen McGregor broke the story, complete with reaction over the 'creepy' letter. For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees on Friday, the message raised one important question: How did he know I'm gay? The Conservatives have targeted written messages at minority communities in the past, most notably using direct mail lists to send out greetings to Jewish voters on religious holidays. Some recipients were alarmed by the prospect of the government assembling lists based on ethnicity or religious beliefs. Surely creating such a list will become easier when you are forced to use your real identities on social sites."


It's not uncommon to make ridiculous proposals with the assumption that they will be “corrected” before legislation is approved. History tells us otherwise...
Leak reveals EU surveillance of communications
September 24, 2012 by Dissent
Nerea Rial reports:
The CleanIT project was funded by the European Commission’s Home Affairs Directorate in order to reduce the impact of the terrorist use of internet, but a leaked document has shown that the initiative is not what it seems to be.
The main idea of the programme, in which the Dutch National Coordinator for Terrorism and Security, Spain, the UK, Belgium and Europol participate, among others, is to fight terrorism through voluntary self-regulatory measures under the law. However, the document shows how they rapidly forgot about European democracy and legislation.
Read more on New Europe.
[From the article at http://www.edri.org/cleanIT
The proposals urge Internet companies to ban unwelcome activity through their terms of service, but advise that these “should not be very detailed”. This already widespread approach results, for example, in Microsoft (as a wholly typical example of current industry practice) having terms of service that would ban pictures of the always trouserless Donald Duck as potential pornography (“depicts nudity of any sort ... in non-human forms such as cartoons”).
… Moving still further into the realm of the absurd, the leaked document proposes the use of terms of service to remove content “which is fully legal”... although this is up to the “ethical or business” priorities of the company in question what they remove. In other words, if Donald Duck is displeasing to the police, they would welcome, but don't explicitly demand, ISPs banning his behaviour in their terms of service. Cooperative ISPs would then be rewarded by being prioritised in state-funded calls for tender. Bob]


“Sure you have rights. In most cases, we just choose to ignore them.”
Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception?
September 24, 2012 by Dissent
Orin Kerr writes:
My earlier post on how the Wiretap Act applies to wireless networks triggered a lot of comments on how the Fourth Amendment might apply, so I thought I would have a post specifically on the matter. Here’s the question: Does governmental interception and analysis of the contents of a person’s wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted?
The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There’s a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments, starting with the case of unencrypted communications and then turning to encrypted communications, and then ask which side readers find more persuasive.
Read more on The Volokh Conspiracy.


Is an “Emergency” what I think it is or anything you say it is?
Maine likely to consider cell phone location law that mandates companies provide info in an emergency
September 24, 2012 by Dissent
Mal Leary reports:
A law that requires cellphone providers to give law enforcement agencies the location of a person’s cellphone in an emergency is expected to be considered in Maine next year.
Eight states have adopted a version of the law, known as Kelsey’s Law.
“I fully expect we will see some version of it introduced,” said Rep. Anne Haskell, D-Portland, the lead Democrat on the Legislature’s Criminal Justice Committee and a former co-chair of the panel. “When we see other states passing a law, we usually see a Maine version introduced.”
Read more on the Portland Press Herald.


Boy, dat Facebook ting one great surveillance tool, ain't she?
Facebook Now Knows What You’re Buying at Drug Stores
September 24, 2012 by Dissent
Rebecca Greenfield writes:
In an attempt to give advertisers more information about the effectiveness of ads, Facebook has partnered with Datalogix, a company that “can track whether people who see ads on the social networking site end up buying those products in stores,” as The Financial Times‘s Emily Steel and April Dembosky explain. Advertisers have complained that Facebook doesn’t give them any way to see if ads lead to buying. This new partnership is their response, as it connects real-life buying with ads seen on the site. Specifically, the service links up the 70 million households worth of purchasing information that Datalogix has with these buyers’ Facebook profiles. Using that, they can compare the ads you see with the stuff you buy and tell advertisers whether their ads are working. Up until now, the social network has been limited to only tracking your Internet life (on and off Facebook.com) with its ubiquitous “like” buttons, but as promised, the future of Facebook is more focused on data, including tracking our offline habits.
Specifically, Datalogix gets its information from retailers like grocery stores and drug stores, who keep careful records of what the customers who use their loyalty discount programs are buying. Datalogix’s site doesn’t list its partners, but from a Google search, it looks like the company has worked with CVS’s ExtraCare card program. Datalogix matches the email addresses and other identifying information in those databases to Facebook accounts.
Read more on The Atlantic Wire.
So… do you find that scary, helpful, or neither?

(Related)
FTC should examine Facebook-Datalogix partnership, privacy group says
September 25, 2012 by Dissent
Jeremy Kirk reports:
The U.S. Federal Trade Commission should analyze Facebook’s relationship with a data marketer to ensure it doesn’t violate the social networking site’s recently approved settlement, the Electronic Privacy Information Center said Monday.
Facebook is working with Datalogix, a company based in Colorado that specializes in collecting data from retailers using customer loyalty cards and linking those purchases to future advertising campaigns, The Financial Times reported. Datalogix links loyalty card holders to their Facebook accounts using shared information, such as email addresses, although the information is anonymized, the report said.
Facebook’s user guide says it only provides “data to our advertising partners or customers after we have removed your name or any other personally identifying information from it.”
Read more on CSO.


This confirms a lot of suspicions. Clearly the government is run by Twitts and apparently, not many people care what they Tweet. One person in 100 follows the White House, and the readers of number 50's Tweets might not even include all of its employees...
September 24, 2012
FCW - The 50 most-followed agencies on Twitter
Federal Computer Week: "Twitter has quickly evolved from social media novelty to critical communications channel. This list shows which federal agencies have built the biggest audiences, and where the growth has been fastest over the past year. The data [in this article] was compiled by OhMyGov, a media and technology firm that specializes in providing advanced media intelligence for government agencies, congressional offices, lobbyists, and businesses working with government. Please note that for many agencies, follower totals for multiple Twitter accounts were combined to provide a better sense of total reach. All counts are as of Aug. 31, 2012."


Stunning! Well done, India!
Over in India there’s an extremely cheap Android tablet being deployed by the government to families, schools and more. We’ve talked about the Aakash tablet more than a few times, but this new and improved Aakash 2 tablet for just $35 dollars is set to arrive throughout India starting next month.


For my Computer Forensics students?
"Today's handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them can be legally preserved if needed."
In Digital Forensics for Handheld Devices, author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court.
… Chapter 5 also has overviews of nearly 50 different forensic tools for every imaginable purpose.


I use LightShot to capture screen images both in the Firefox browser and on the desktop. LightShot does not capture video. Here are a few others...
Monday, September 24, 2012
Here are some free tools that you can use to create screen capture videos and images.


Sometimes you just want to let your students watch the boob tube so you can take a nap...
Monday, September 24, 2012


At last! Something to do with all those cellphones I confiscate in class... (At least, that's what I'm going to tell my students)
You can visit the Recycle Through USPS page on the USPS.com website and follow the four easy steps to find out how much your old cell phone is worth and to see if your items qualify for instant cash. Even if your device does not qualify for a buyback, you can use the free mail-back recycling envelopes at the locations to ship and dispose of the waste electronics.


...and all in less than 10 pages!
September 24, 2012
The Debunking Handbook - free download
"The Debunking Handbook, a guide to debunking misinformation, is now freely available to download. Although there is a great deal of psychological research on misinformation, there's no summary of the literature that offers practical guidelines on the most effective ways of reducing the influence of myths. The Debunking Handbook boils the research down into a short, simple summary, intended as a guide for communicators in all areas (not just climate) who encounter misinformation."


Perhaps it's not just a “New Jersey thing.” I have no doubt that my students also get very creative when I make them do endless hours of homework.