Saturday, October 13, 2012

A couple of examples of companies who have given no thought to handling a security breach and spent no time researching “Best Practices” once it occurred.
Somehow I doubt their Marketing Department was involved in these decisions. Has no one read “The Prince?”
TD Bank: Data loss affects about 260,000 U.S. customers
October 12, 2012 by admin
Jessica Hall continues to update the TD Bank backup tapes breach:
In Maine, 34,907 residents were affected, according to a letter sent to the attorney general from TD Bank. In Massachusetts, the Attorney General’s Office said more than 73,000 residents were affected. In Connecticut, 35,000 residents were affected, while Rhode Island had 500 residents and Maryland had 398 residents affected, according to the state attorney general.
Read more on Morning Sentinel.
As I tweeted earlier today, TD Bank made a bad decision, in my opinion, not to release the total number all at once in their original statement. The story’s staying in the news cycle as each new state discloses their numbers. So now we have a breach that was 6-month delayed in notification and what looks like an attempt to not reveal how bad it may have been. Not a good post-incident response plan.

(Related) Another breach the victim is trying to cover up? Those of us who track security breach stories will follow up until we know how many people were impacted, when and how the breach occurred, and (probably) why the company wouldn't come clean immediately – lots of conspiracy speculation here...
Korn/Ferry breach details emerge
October 12, 2012 by admin
Thanks to the California Attorney General’s Office, we now have some of the details on the Korn/Ferry breach, reported yesterday on this blog. Korn/Ferry is an executive recruiting firm.
In their sample notification, Thom Steinoff, CTO, writes:
We are writing to inform you about a recent incident involving our data network. We recently learned that we were the victim of a sophisticated cyber attack. We deeply regret that this incident occurred and take very seriously the security of our network.
But when did this “recent” incident occur? They don’t say at this point, but they indicate later that it may have gone on for months before they learned of it in August.
We began investigating the incident as soon as we learned of it.
How did they learn of it? They don’t say. And why did it take them months to learn of it? They don’t tell us that, either.
While our investigation is ongoing, we have determined that, although the affected databases were not designed or structured to receive sensitive personal information, a small percentage of the files nevertheless included an individual’s name in combination with his or her driver’s license number, government-issued identification number, Social Security number, credit card numbers or health information. It is important to note that we have no evidence that access to personal information was the goal of the attack. [And none to suggest otherwise Bob]
Korn/Ferry has already taken a number of steps to enhance the security of the relevant computer network. In addition to these steps, we have been working with law enforcement in connection with their investigation of the incident. Korn/Ferry quickly secured its network against the attack, which appears to have been underway for a number of months, shortly after discovering it in August 2012. Korn/Ferry was asked by federal law enforcement officials, however, to delay disclosure of the existence of the attack until now.
Emphasis in the above added by me.
You can read the full letter here, which includes an offer of free credit monitoring protection.
In light of this explanation, their press release yesterday is even more problematic as their statement, “The databases that were impacted are not designed or structured to collect credit card, payment card, bank account, social security numbers, government identification numbers or health information.” might have been interpreted by some to mean that those types of data were not in the impacted databases. To the contrary, while the databases were not supposed to have such data, they apparently did.
Korn/Ferry did not indicate how many clients or candidates were affected by this incident.


Should the government try to be “cutting edge?” I think their time and money would be better spent facilitating the work of consultants. If a consultant does not have the skill set you need, fire him and hire someone who does. The model here seems to be to send the employee off for training. Not the most responsive reaction...
Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots
… This means, in part, hiring at least 600 new cybersecurity professionals, including ones who have proven, hands-on experience to take on critical tasks, the task force recommended in its 41-page report (.pdf).
Furthermore, the government needs to focus less on professional certifications in making its hiring decisions and more on real-world experience and expertise. To do this, it needs to build a system for actively measuring these skills, such as one that is currently used for testing pilots, the group said.
The group noted that pilots undergo situational testing that becomes more complicated as their skills increase, such as placing them in conditions where the weather deteriorates or where systems malfunction, in order to test them under duress. [I think they mean “stress” but this would work too Bob]


Drones, Cyber weapons and more...
Darpa’s New Director Wants to Keep the Skies Under U.S. Control
The U.S. has total dominance of the skies above planet Earth, a defense budget five times as large as its nearest competitor, and a fleet of robotic aircraft and advanced manned planes. The newest leader of the Pentagon’s blue-sky researchers says the U.S. is more vulnerable than it thinks in the skies. Maintaining America’s air supremacy may be about to become a top priority for the agency that helped give the world the Predator drone.

(Related) “We need more because they are so cool! Don't worry, we'll talk the city into using them our way. After all J. Edgar isn't the only one with files on politicians...”
"The Seattle Police Department is seeking to buy more unmanned aerial vehicles (a.k.a. drones) even as the two it currently owns sit warehoused until the city develops a policy for their use, documents released as part of the EFF and MuckRock's Drone Census show. More frightening than the $150,000 price tag? The fact that the drone vendors market the fact that these lease agreements do 'not require voter approval.'"
Does your city or town use drones?


When is electronic storage not electronic storage? When the court says, “Clouds are made of water vapor, so they can't be electronic...” (and I thought they only smoked tobacco in South Carolina)
"I leave my email stored online, as do many modern email users, particularly for services like Gmail with its ever-expanding storage limit. I don't bother downloading every email I receive. According to the South Carolina Supreme Court, this doesn't qualify as electronic storage. This means most email users are not protected by the Stored Communications Act. All your emails are fair game, so be careful what you write. From the article: 'This new decision creates a split with existing case law (Theofel v. Farey-Jones) as decided in a 2004 case decided by the Ninth Circuit Court of Appeals. That decision found that an e-mail message that was received, read, and left on a server (rather than being deleted) did constitute storage "for purposes of backup protection," and therefore was also defined as being kept in "electronic storage." Legal scholars point to this judicial split as yet another reason why the Supreme Court (and/or Congress) should take up the issue of the Stored Communications Act.'"


Very misleading title since “Do Not” does not mean Do Not...
"The Verge is carrying an accurate and accessible overview of the Do Not Track debate. Quoting: 'With the fate of our beloved internet economy allegedly at stake, perhaps it's a good time to examine what Do Not Track is. How did the standard come to be, what does it do, and how does it stand to change online advertising? Is it as innocuous as privacy advocates make it sound, or does it stand to jeopardize the free, ad-supported internet we've all come to rely on?' The issues surrounding Do Not Track can be difficult to understand, owing to rampant rhetoric and spin. This article unpacks the tracking technology, privacy concerns, economic questions, and political outlook. Full disclosure: I'm quoted."


“After a careful review of the law, we decided to do what the RIAA wanted instead.”
A leaked batch of AT&T training documents reveal an anti-piracy plan in the books, which includes sending warning notices to flagged accounts. In what seems to be a completely draconian measure, any subscriber whose account is flagged multiple times for copyright infringement will have access to frequently-visited websites (Facebook? YouTube?) blocked until they complete an online course on copyright. The warning notices will begin on November 28th.


This should surprise no one. My guess is an announcement before the election, followed by a “thorough and complete” exoneration of a large campaign contributor. Note that the FTC is ready to sue before they investigate – your government in action...
According to multiple sources, it’s said that the Federal Trade Commission (FTC) is closer than ever to hitting Google with an antitrust lawsuit. The plan has been in the works for almost a year, and now four out of the five FTC commissioners are wanting to open up the doors to begin the process of investigating any wrongdoing by the search giant.


Perspective (Even if I find it hard to believe)
Smartphones and tablets are obviously taking the entire world by storm, but would it surprise you if you knew that nearly 85% of the world’s population is using mobile devices? [Not just phones Bob] According to the International Telecommunications Union (ITU), six billion people in the world use smartphones and/or tablets. [According to WolframAlpha, “6 billion / world population” = 88.4% Bob]


Among other things, the government now recognizes that meteors come from outer space...
"New regulations by the Federal government define asteroidal material to be an antiquity, like arrowheads and pottery, rather than a mineral — and, therefore, not subject to U.S. mining law or eligible for mining claims. At the moment, these regulations only apply to asteroidal materials that have fallen to Earth as meteorites. However, they create a precedent that could adversely affect the plans of companies such as Planetary Resources, who intend to mine asteroids in space."


Interesting. Is this how to replace Journals?
Academia.Edu Overhauls Profiles As The Onus Falls On Researchers To Manage Their Personal Brands
Even though it’s taken for granted that you have to manage your own personal brand on the web, that still isn’t necessarily the case in the slower-moving world of academia.
But it’s starting to happen, with individual brands beginning to eclipse the importance of being published in a well-known (and often exorbitantly expensive) journal.
Academia.edu, a social network for professors and researchers, is taking advantage of this by overhauling its profile pages.
The company’s CEO Richard Price says that academics are starting to want more of a direct connection with their audiences. So Academia.edu’s new profiles let researchers showcase their best work and track analytics on views and followers.
… “We’re shifting away from a world where the journal industry sits between the academic and the audience,” Price said. “We’re now moving to a world that’s more reflective of social media, where the academic is becoming the key node of distribution of research.”
As for the Academia.edu itself, the site is approaching 2 million users with 4,000 joining every day.
