Sunday, October 28, 2012

Interesting. Does the FTC have a procedure for finding these disconnects or do they rely on the occasional “pop up” to determine who they go after? Since they are ignoring hundreds of similar situations, I suspect the latter... Note too, this is a case of BYOT coming back to bite the organization...
FTC Finalizes Settlements with Two Businesses that Exposed Consumers’ Sensitive Information Over P2P Networks
October 27, 2012 by Dissent
From the FTC:
Following a public comment period, the Federal Trade Commission has accepted as final settlements with two operations it charged with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems. Settlements with Utah-based debt collector EPN, Inc., and Georgia auto dealer Franklin Budget Car Sales, Inc., will bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information collected from consumers. Both companies also must establish and maintain comprehensive information security programs.
Franklin Budget Car Sales also does business as Franklin Toyota/Scion and Franklin Toyota. According to the complaint, as a result of Franklin’s failure to implement adequate privacy and security policies and practices:
customers’ personal information was accessed and disclosed on peer-to-peer (“P2P”) networks by a P2P application installed on a computer that was connected to respondent’s computer network.
Information for approximately 95,000 consumers, including, but not limited to, names, Social Security numbers, addresses, dates of birth, and drivers’ license numbers (“customer files”) was made available on a P2P network. Such information can easily be misused to commit identity theft and fraud.
Debt collection business EPN also does business as Checknet, Inc., and its clients include hospitals and medical providers. In its case, the complaint alleges that as a result of its failure to implement adequate security policies and practices:
EPN’s chief operating officer was able to install a P2P application on her desktop computer, which was connected to EPN’s computer network. Respondent is unaware of the date the application was installed; it was disabled in April 2008 when EPN was informed by a client that two files containing personal information about the client’s debtors were available on a P2P network (“breached files”). EPN had no business need for the P2P application. [But this falls under the BYOT trend... Bob]
The breached files contained personal information about approximately 3,800 consumers, including each consumer’s name, address, date of birth, Social Security number, employer name, employer address, health insurance number, and a diagnosis code. Such information, among other things, can easily be used to facilitate identity theft (which also could result in medical histories that are inaccurate because they include the medical records of identity thieves) and exposes sensitive medical data.
The affected hospital was not named in the complaint, and there is no entry in HHS’s breach tool that appears to correspond to this breach.
Significantly, I do not see any allegations that the breaches or exposure actually resulted in ID theft or harm to consumers, but the potential for harm was certainly there and the FTC took the position that these were unfair business practices under the FTC Act. The message, again, is that if you have boilerplate policies that assure consumers of privacy and data security, you’d better live up to them. And if you don’t have policies and practices in place that conform to requirements for annual privacy notices and assessments, etc., you’d better put them in place.
In both cases, the businesses were put under 20-year monitoring and reporting plans but, consistent with the law and available remedies, there is no monetary fine (FTC cannot fine entities for first offenses). The consent decrees also contain no admission of guilt or wrong-doing.


Do you tie your security budget to revenue or to risk?
"As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."


I'll keep repeating this, even if it seems repetitious and redundant, because somewhere there is a manager who will say, “Nobody told me!”
"CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea."


A growing concern...
"Last year a Slashdot story mentioned the case of Daniel David Rigmaiden, or 'the Hacker.' With the help of an IMSI-catcher device, law enforcement had been able to locate and arrest the elusive 'Hacker,' leading to U.S. v. Rigmaiden. But far more elusive than the 'Hacker,' is the IMSI-catcher device itself — particularly the legalities governing its use. The secrecy and unconstitutionality of these Man In The Middle devices, i.e. 'stingrays,' has caught some attention. The EFF and ACLU have submitted an amicus brief in the Rigmaiden case; and EPIC, after filing an FOIA request in February and receiving a grossly redacted 67 out of 25,000 (6,000 classified) pages on the "stingray" devices, has now requested a district judge expedite disclosure of all documents. Some judges also seem wary of the 'stingray,' having expressed concerns that their use violates the Fourth Amendment; and additionally, that information explaining how the technology is used remains too obscure. Perhaps the most controversial aspect of IMSI-catchers is their several-kilometer range. When a "stingray" is used to spoof a cellphone tower, thousands of innocent users may be collaterally involved. And while the government claims to delete all gathered data unrelated to the target, it also means no one else can know what that data really was. The government claims that because only attributes of calls — but not their content — are captured in the attack, search warrants aren't necessary." (More, below.)
Penurious Penguin continues, "The use of a pen-register (outgoing) and trap & trace (incoming) device requires little more than a mewl of penal curiosity before a court, and no warrant or follow-up on the case is needed. The pen/trap seems unwieldy enough, as the EFF explains:
"Most worrisome, we've heard some reports of the government using pen/trap taps to intercept content that should require a wiretap order: specifically, the content of SMS text messages, as well as "post-cut-through dialed digits" (digits you dial after your call is connected, like your banking PIN number, your prescription refill numbers, or your vote for American Idol). [...] intercept information about your Internet communications as well."
Precisely what data these "stingrays" collect will hopefully be soon revealed through such efforts as those of EPIC. It should be noted that the Stingray is one of multiple devices with the same application. The Stingray and several others are trademarks of the Harris Corporation. Some are quite pricey ($75,000), and others are, as mentioned last year by a Slashdot reader, peculiarly affordable — and available. For a more comprehensive overview of the subject, see this Wall Street Journal article."


An interesting question. After you blow the whistle, how do you ensure the “fix” goes beyond a cosmetic patch to keep you quiet? No clear direction from the Comments, yet.
"A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
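The kind of "test script" the submitter describes, written as an added example (not code from the Slashdot post or from any hosting provider): run as an ordinary account after every migration, it walks the account directories under a root such as /home and reports the config files another local user could reach and read, judged purely from POSIX mode bits. The config file names, the credential pattern and the sample tree are constructed assumptions; it assumes a POSIX filesystem.

```python
"""Post-migration isolation check for a shared web host (added example).

Walks the account directories under a root such as /home and reports every
known config file that another local user could reach and read, based only
on POSIX mode bits.  Assumes a POSIX filesystem; file names, patterns and the
sample tree below are constructed for illustration.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Config files that usually carry a database connection string (constructed list).
CONFIG_NAMES = {"wp-config.php", "config.php", "configuration.php",
                "settings.php", ".env", "web.config"}

# Broad, constructed pattern for credentials / connection strings.
SECRET_RE = re.compile(
    r"DB_PASSWORD|DB_USER|\$db_pass|\$password|Password=|mysql://|postgres(?:ql)?://",
    re.IGNORECASE,
)


@dataclass
class Finding:
    account: str       # top-level directory name, i.e. the hosting username
    relpath: str       # path of the exposed file relative to the scanned root
    mode: str          # permission bits of the file, e.g. "0644"
    has_secret: bool   # SECRET_RE matched the file contents


def traversable_by_others(st_mode: int) -> bool:
    # A directory needs the 'x' bit for "others" before any other user can
    # reach files inside it; the 'r' bit only adds the ability to list names.
    return bool(st_mode & stat.S_IXOTH)


def scan_accounts(root: str) -> list[Finding]:
    """Return world-readable config files reachable under each account dir."""
    findings: list[Finding] = []
    for account in sorted(os.listdir(root)):
        home = os.path.join(root, account)
        if not os.path.isdir(home) or not traversable_by_others(os.lstat(home).st_mode):
            continue  # properly isolated account: other users cannot enter it
        for dirpath, dirs, files in os.walk(home):
            # prune subdirectories another user could not traverse
            dirs[:] = [d for d in dirs
                       if traversable_by_others(os.lstat(os.path.join(dirpath, d)).st_mode)]
            for name in files:
                if name not in CONFIG_NAMES:
                    continue
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode) or not (st.st_mode & stat.S_IROTH):
                    continue  # symlink, or not readable by "others"
                with open(path, encoding="utf-8", errors="replace") as fh:
                    has_secret = SECRET_RE.search(fh.read()) is not None
                findings.append(Finding(account, os.path.relpath(path, root),
                                        f"{stat.S_IMODE(st.st_mode):04o}", has_secret))
    return findings


def build_sample_tree() -> str:
    """Create a constructed /home-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="shared-host-")

    def put(rel: str, text: str, file_mode: int, dir_mode: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, file_mode)
        d = os.path.dirname(path)          # apply dir_mode from the file up to root
        while d != root:
            os.chmod(d, dir_mode)
            d = os.path.dirname(d)

    # alice: the classic misconfiguration, 0755 directories and a 0644 wp-config.php
    put("alice/public_html/wp-config.php",
        "<?php define('DB_PASSWORD', 'hunter2');", 0o644, 0o755)
    # bob: directories enterable (0711, as the web server needs) but the
    # config itself is 0600, so other accounts get nothing
    put("bob/public_html/config.php", "<?php $db_pass = 's3cret';", 0o600, 0o711)
    # carol: the file is 0644 but her home is 0700, so nobody else can reach it
    put("carol/.env", "DB_PASSWORD=topsecret\n", 0o644, 0o700)
    return root


if __name__ == "__main__":
    for f in scan_accounts(build_sample_tree()):
        print(f"{f.account}: {f.relpath} mode {f.mode} secret={f.has_secret}")
```

On the sample tree only alice's wp-config.php is reported: bob's 0600 file and carol's 0700 home both stop the walk, which is the point of checking directory bits and file bits separately. Mode bits are only one way shared-hosting isolation fails (the web server's own identity, open_basedir, suEXEC or per-user PHP-FPM pools, and storage ownership all matter), so an empty report is evidence, not proof; a non-empty one after a server move is exactly the regression the submitter hit.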


I fail to see the logic in lots of “Labor Law” (Unless you recall organized crime's close connection)
NC: Court exempts union bosses from laws against identity theft
October 27, 2012 by Dissent
Mark Mix, President of National Right to Work, has an OpEd in the Washington Examiner that is somewhat disturbing, because even allowing for bias, if two courts really ruled that unions can get away with posting workers’ Social Security numbers online or disseminating SSNs, that’s just plain unhelpful on so many levels. Mark writes, in part:
both the trial court and the North Carolina Court of Appeals found that the unions are entitled to a special exemption from being penalized for revealing employees’ personal information. Both courts ruled that such trampling of employee rights is an activity that can be covered only by the National Labor Relations Act, or NLRA, and consequently may not be punished by state authorities.
Imagine that. North Carolina’s courts have held that federal labor law pre-empts a completely unrelated state identity theft law, even though the U.S. Supreme Court has long held that a state retains jurisdiction where the conduct to be regulated touches deeply rooted local interests.
In a last ditch effort to help these workers seek justice, National Right to Work Foundation staff attorneys appealed the case to the U.S. Supreme Court, but the court announced earlier this month that it will not hear the case.
Read more on Washington Examiner.


Is there any question why this is causing a flap in New Zealand? If so, note that this article links to related articles that appear almost daily...
Police got Dotcom’s bank details without a warrant
October 27, 2012 by Dissent
David Fisher reports:
Police got personal banking details of Kim Dotcom and his staff without getting a search warrant in a move that has implications for bank customers.
Banks, including the ANZ, BNZ and Westpac, turned the information over after deciding there was no Privacy Act reason not to.
The police request referred the banks to a Privacy Act principle which allowed them to release information to “avoid prejudice to the maintenance of the law by any public sector agency including the prevention, detection, investigation, prosecution, and punishment of offences”.
The mechanism led to banks releasing – without a legal warrant – the name of the account holder, the account number and home address.
Read more on New Zealand Herald.
[From the article:
Dotcom was charged with money-laundering when arrested - the only charge he faces on which he can be extradited. Criminal copyright violation charges are not serious enough for extradition. If they are dismissed, then the money laundering charge also collapses.
Assistant Privacy Commissioner Katrine Evans said it was up to agencies asked for information to form a "reasonable belief".
"They need to make their own judgment calls but simply because the request comes from the police isn't necessarily enough."
She said police needed to specify a reason - and general descriptions of "money laundering" could be enough.


Perspective: Back when I was a kid, we couldn't count that high...
"Last night, the Internet Archive threw a party; hundreds of Internet Archive supporters, volunteers, and staff celebrated that the site had passed the 10,000,000,000,000,000 byte mark for archiving the Internet. As the non-profit digital library, known for its Wayback Machine service, points out, the organization has thus now saved 10 petabytes of cultural material."
The announcement coincided with the release of an 80-terabyte dataset for researchers and, for the first time, the complete literature of a people: the Balinese.


For my Data Mining and Data Analytics students... I'll just mention one... (Okay, one and a half)
Big Data Right Now: Five Trendy Open Source Technologies
Big Data is on every CIO’s mind this quarter, and for good reason. Companies will have spent $4.3 billion on Big Data technologies by the end of 2012.
But here’s where it gets interesting. Those initial investments will in turn trigger a domino effect of upgrades and new initiatives that are valued at $34 billion for 2013, per Gartner. Over a 5 year period, spend is estimated at $232 billion.
… R [ http://www.r-project.org/ ] is an open source statistical programming language. It is incredibly powerful. Over two million (and counting) analysts use R. It’s been around since 1997 if you can believe it. It is a modern version of the S language for statistical computing that originally came out of Bell Labs. Today, R is quickly becoming the new standard for statistics.
… To keep an eye on: Julia is an interesting and growing alternative to R, because it combats R’s notoriously slow language interpreter problem.


I'm looking for a “Music to take tests by” channel...
The first thing you should know about SomaFM is that it’s free. There are no commercials or ads, it is supported by donations from loyal listeners, and it streams hand-picked music 24/7.


This is interesting. Think I'll print up a few hundred and pass them to students and faculty...
