A clever example of hacker misdirection, or yet another example of “We don't need no stinking logs!”
Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached
September 24, 2012 by admin
How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. Hapless victims had their names and Social Security numbers used to create wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors. [What? They sent the bills to some bogus address but the overdue notices to the doctors? Bob]
But despite its best efforts to identify any internal source of the breach, St. Agnes Hospital could not find any confirmation of a breach. [That's what happens when you don't log access. Bob] In a letter to those affected, the text of which was submitted to the state last month, they write:
Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.
So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:
- Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;
- Refresh HIPAA privacy education in those departments routinely using physician information; and,
- Investigate disguising or eliminating social security numbers in data systems where they are stored.
That’s nice, but shouldn’t they have been doing all of that already? [Yes! Bob] And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties? We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too? [Doctors have huge incomes, patients have huge debts – who do you think is the more attractive target? Bob]
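The access review the hospital describes (looking for unauthorized users, after-hours access and "other suspicious activity") only works if the credentialing system writes an access log in the first place, and if someone actually runs the checks over it. As an added illustration that is not from the article or from the hospital, here is a small Python review over a constructed log for a hypothetical credentialing system. The log format, the user names, the authorized-user list, the business hours and the bulk-access threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log for a hypothetical credentialing system.
# Assumed format per line: ISO timestamp, user id, action, physician record id.
SAMPLE_LOG = """\
2012-08-01T09:12:04 jdoe VIEW PHY-1001
2012-08-01T09:13:40 jdoe VIEW PHY-1002
2012-08-01T22:47:10 mroe VIEW PHY-1001
2012-08-01T22:48:02 mroe VIEW PHY-1003
2012-08-02T10:05:33 asmith EXPORT PHY-1004
2012-08-02T10:06:01 asmith VIEW PHY-1005
2012-08-02T10:06:09 asmith VIEW PHY-1006
2012-08-02T10:06:15 asmith VIEW PHY-1007
2012-08-02T10:06:22 asmith VIEW PHY-1008
2012-08-02T10:06:30 asmith VIEW PHY-1009
2012-08-02T11:00:00 tbrown VIEW PHY-1010
"""

# Hypothetical list of users with a business need for physician records
# (the list the hospital said it would review and minimize).
AUTHORIZED_USERS = {"jdoe", "mroe", "asmith"}

BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 19:00 local time
BULK_THRESHOLD = 5         # assumed: distinct records per user per day worth a look


def parse_log(text):
    """Parse the assumed four-field log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
        })
    return events


def review_access(events, authorized=AUTHORIZED_USERS,
                  hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD):
    """Return (kind, user, detail) findings for the checks the letter names.

    Checks: users outside the authorized list, access outside business hours,
    exports of records, and one user touching many distinct records in a day
    (the volume pattern behind "writing down names and SSNs" during routine work).
    """
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        when = e["ts"].isoformat()
        if e["user"] not in authorized:
            findings.append(("unauthorized_user", e["user"], when))
        if not (hours[0] <= e["ts"].hour < hours[1]):
            findings.append(("after_hours", e["user"], when))
        if e["action"] == "EXPORT":
            findings.append(("export", e["user"], when))
        per_user_day[(e["user"], e["ts"].date())].add(e["record"])
    # Bulk-access check runs after all events are counted.
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) >= bulk:
            findings.append(("bulk_access", user, f"{day.isoformat()}:{len(records)}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:8} {detail}")
```

None of these findings proves a breach on its own; after-hours access may be an on-call user and a bulk lookup may be a legitimate audit. The point is that without a log of who read which record and when, the hospital's "careful access review" has nothing to review, and the review above cannot even be attempted.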
“It's not a failure, it's a feature!” I can hear Dr. Evil laughing...
A single line of code can apparently trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones. The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.
The sad part is, he probably didn't think it was creepy...
"Has Immigration Minister Jason Kenney been emailing you? Maybe it's because you're gay. The minister sent out an email on Sept 24 lauding the government's efforts to protect and promote queer rights abroad. It highlights the 'emphasis . . . on gay and lesbian refugee protection, which is without precedent in Canada's immigration history.' The Ottawa Citizen's Glen McGregor broke the story, complete with reaction over the 'creepy' letter. For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees on Friday, the message raised one important question: How did he know I'm gay? The Conservatives have targeted written messages at minority communities in the past, most notably using direct mail lists to send out greetings to Jewish voters on religious holidays. Some recipients were alarmed by the prospect of the government assembling lists based on ethnicity or religious beliefs. Surely creating such a list will become easier when you are forced to use your real identities on social sites."
It's not uncommon to make ridiculous proposals with the assumption that they will be “corrected” before legislation is approved. History tells us otherwise...
Leak reveals EU surveillance of communications
September 24, 2012 by Dissent
Nerea Rial reports:
The CleanIT project was funded by the European Commission’s Home Affairs Directorate in order to reduce the impact of the terrorist use of internet, but a leaked document has shown that the initiative is not what it seems to be.
The main idea of the programme, in which participates among others the Dutch National Coordinator for Terrorism and Security, Spain, UK, Belgium and Europol, is to fight terrorism through voluntary self-regulatory measures under the law. However the document shows how they rapidly forgot about European democracy and legislation.
Read more on New Europe.
[From the article at http://www.edri.org/cleanIT
The proposals urge Internet companies to ban unwelcome activity through their terms of service, but advise that these “should not be very detailed”. This already widespread approach results, for example, in Microsoft (as a wholly typical example of current industry practice) having terms of service that would ban pictures of the always trouserless Donald Duck as potential pornography (“depicts nudity of any sort ... in non-human forms such as cartoons”).
… Moving still further into the realm of the absurd, the leaked document proposes the use of terms of service to remove content “which is fully legal”... although this is up to the “ethical or business” priorities of the company in question what they remove. In other words, if Donald Duck is displeasing to the police, they would welcome, but don't explicitly demand, ISPs banning his behaviour in their terms of service. Cooperative ISPs would then be rewarded by being prioritised in state-funded calls for tender.]
“Sure you have rights. In most cases, we just choose to ignore them.”
Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception?
September 24, 2012 by Dissent
Orin Kerr writes:
My earlier post on how the Wiretap Act applies to wireless networks triggered a lot of comments on how the Fourth Amendment might apply, so I thought I would have a post specifically on the matter. Here’s the question: Does governmental interception and analysis of the contents of a person’s wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted?
The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There’s a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments, starting with the case of unencrypted communications and then turning to encrypted communications, and then ask which side readers find more persuasive.
Read more on The Volokh Conspiracy.
Is an “Emergency” what I think it is or anything you say it is?
Maine likely to consider cell phone location law that mandates companies provide info in an emergency
September 24, 2012 by Dissent
Mal Leary reports:
A law that requires cellphone providers to give law enforcement agencies the location of a person’s cellphone in an emergency is expected to be considered in Maine next year.
Eight states have adopted a version of the law, known as Kelsey’s Law.
“I fully expect we will see some version of it introduced,” said Rep. Anne Haskell, D-Portland, the lead Democrat on the Legislature’s Criminal Justice Committee and a former co-chair of the panel. “When we see other states passing a law, we usually see a Maine version introduced.”
Read more on the Portland Press Herald.
Boy, dat Facebook ting one great surveillance tool, ain't she?
Facebook Now Knows What You’re Buying at Drug Stores
September 24, 2012 by Dissent
Rebecca Greenfield writes:
In an attempt to give advertisers more information about the effectiveness of ads, Facebook has partnered with Datalogix, a company that “can track whether people who see ads on the social networking site end up buying those products in stores,” as The Financial Times‘s Emily Steel and April Dembosky explain. Advertisers have complained that Facebook doesn’t give them any way to see if ads lead to buying. This new partnership is their response, as it connects real-life buying with ads seen on the site. Specifically, the service links up the 70 million households worth of purchasing information that Datalogix has with these buyers’ Facebook profiles. Using that, they can compare the ads you see with the stuff you buy and tell advertisers whether their ads are working. Up until now, the social network has been limited to only tracking your Internet life (on and off Facebook.com) with its ubiquitous “like” buttons, but as promised, the future of Facebook is more focused on data, including tracking our offline habits.
Specifically, Datalogix gets its information from retailers like grocery stores and drug stores who keep careful records of what its customers who use its loyalty discount programs are buying. Datalogix’s site doesn’t list its partners, but from a Google search, it looks like the company has worked with CVS’s ExtraCare card program. Datalogix matches the email addresses and other identifying information in those databases to Facebook accounts.
Read more on The Atlantic Wire.
So… do you find that scary, helpful, or neither?
(Related)
FTC should examine Facebook-Datalogix partnership, privacy group says
September 25, 2012 by Dissent
Jeremy Kirk reports:
The U.S. Federal Trade Commission should analyze Facebook’s relationship with a data marketer to ensure it doesn’t violate the social networking site’s recently approved settlement, the Electronic Privacy Information Center said Monday.
Facebook is working with Datalogix, a company based in Colorado that specializes in collecting data from retailers using customer loyalty cards and linking those purchases to future advertising campaigns, The Financial Times reported. Datalogix links loyalty card holders to their Facebook accounts using shared information, such as email addresses, although the information is anonymized, the report said.
Facebook’s user guide says it only provides “data to our advertising partners or customers after we have removed your name or any other personally identifying information from it.”
Read more on CSO.
This confirms a lot of suspicions. Clearly the government is run by Twitts and apparently, not many people care what they Tweet. One person in 100 follows the White House and the readers of number 50's Tweets might not even include all the employees...
September 24, 2012
FCW - The 50 most-followed agencies on Twitter
Federal Computer Week: "Twitter has quickly evolved from social media novelty to critical communications channel. This list shows which federal agencies have built the biggest audiences, and where the growth has been fastest over the past year. The data [in this article] was compiled by OhMyGov, a media and technology firm that specializes in providing advanced media intelligence for government agencies, congressional offices, lobbyists, and businesses working with government. Please note that for many agencies, follower totals for multiple Twitter accounts were combined to provide a better sense of total reach. All counts are as of Aug. 31, 2012."
Stunning! Well done, India!
Over in India there’s an extremely cheap Android tablet being deployed by the government to families, schools and more. We’ve talked about the Aakash tablet more than a few times, but this new and improved Aakash 2 tablet for just $35 dollars is set to arrive throughout India starting next month.
For my Computer Forensics students?
"Today's handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them can be legally preserved if needed."
In Digital Forensics for Handheld Devices, author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court.
… Chapter 5 also has overviews of nearly 50 different forensic tools for every imaginable purpose.
I use LightShot to capture screen images both in the Firefox browser and on the desktop. LightShot does not capture video. Here are a few others...
Monday, September 24, 2012
Here are some free tools that you can use to create screen capture videos and images.
Sometimes you just want to let your students watch the boob tube so you can take a nap...
Monday, September 24, 2012
At last! Something to do with all those cellphones I confiscate in class... (At least, that's what I'm going to tell my students)
You can visit the Recycle Through USPS page on the USPS.com website and follow the four easy steps to find out how much your old cell phone is worth and to see if your items qualify for instant cash. Even if your device does not qualify for a buyback, you can use the free mail-back recycling envelopes at the locations to ship and dispose of the waste electronics.
...and all in less than 10 pages!
September 24, 2012
The Debunking Handbook - free download
"The Debunking Handbook, a guide to debunking misinformation, is now freely available to download. Although there is a great deal of psychological research on misinformation, there's no summary of the literature that offers practical guidelines on the most effective ways of reducing the influence of myths. The Debunking Handbook boils the research down into a short, simple summary, intended as a guide for communicators in all areas (not just climate) who encounter misinformation."
Perhaps it's not just a “New Jersey thing.” I have no doubt that my students also get very creative when I make them do endless hours of homework.