Wednesday, October 10, 2012

Wow, they still use tapes in Canada? (Impacts customers from Maine to Florida only?)
Missing backup tapes reported to TD Bank customers
October 9, 2012 by admin
A letter from TD Bank to affected customers reads, in part:
Some of your personal information was included on two data backup tapes that we shipped to another one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them despite diligent efforts. This isolated incident has been the subject of an internal investigation by our corporate security and information security teams. We have also notified law enforcement. Your personal information included on the tapes may have included your name or address, Social Security Number, and account, debit or credit card number.
We are not currently aware of any misuse of the personal information. However, because we are unable to locate the tapes or to account for their disappearance, we want to provide you with advice on ways to protect yourself.
The sample notification letter was not dated, so it’s not clear to me when customers were actually notified of this incident, but the letter was just posted to the California Attorney General’s web site this week. The letter also does not make clear whether the tapes ever arrived at the destination or were lost in transit, and if the latter, how they were shipped or transported.
Update: According to the Portland Press Herald, the letters are in the process of being sent out, and no, they couldn’t get an explanation of why the six-month delay in notification.


I would suspect this will be investigated as a potential 'dry run' by terrorists or nation state actors, at least until they find the Ethical Hacking class responsible...
"A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of high-frequency trading activity. The motive of the algorithm is still unclear. The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday."

(Related) Of course, it might just be Gordon Geeko (Greed is good)
Unknown High-Frequency Trading Algorithm Detected
Market-data tracking firm Nanex said the algorithm behind the trades was routed from the Nasdaq, placing numerous orders and then canceling them repeatedly. In doing so, it managed to use 10% of available trading bandwidth.
High-frequency traders might use such a program to hog bandwidth, slowing down the system for other traders for arbitrage purposes. That sort of trading and market interference has caught the attention of regulators. Last month, a U.S. Senate committee held discussions on how to prevent such incidents.
Some industry experts called for a tax on “order-stuffing,” the deliberate placement of fake bids and offers that then get canceled, in order to discourage the practice.


Perspective
Average insurance cost per data breach rises to $3.7M: Study
October 9, 2012 by admin
Mike Tsikoudakis reports:
The average insurance cost per data breach incident increased sharply from $2.4 million in 2010 to $3.7 million in 2011, according to a new NetDiligence study released Tuesday.
Based on insurance claims that were submitted in 2011 for incidents that occurred from 2009 to 2011, the average number of records exposed decreased 18% to 1.4 million, according to NetDiligence’s “Cyber Liability & Data Breach Insurance Claims — A Study of Actual Payouts for Covered Breaches.”
A typical breach ranged from $25,000 to $200,000 in insurance costs, according to the study.
Read more on Business Insurance.
If NetDiligence’s figures seem lower than Ponemon’s, they offer an explanation:
When compared with the Ponemon Institute’s Seventh Annual U.S. Cost of a Data Breach Study, our figures appear to be extremely low. The institute reported an average cost of $5.5 million per breach and $194 per record. However, Ponemon differs from our study in two distinct ways: the data they gather is from a consumer perspective and as such they consider a broader range of cost factors such as detection, investigation and administration expenses, customer defections, opportunity loss, etc. Our study concentrates strictly on costs from the insurer’s perspective and therefore provides a more focused view of breach costs.
The NetDiligence study also focuses primarily on insured per-breach costs, rather than per-record costs.
You can find the study on NetDiligence.


It's not enough to know “There's an App for that...” You have to actually use it!
"Neal Ungerleider notes that cryptography pioneer and Pretty Good Privacy (PGP) creator Phil Zimmermann has launched a new startup that provides industrial-strength encryption for Android and iOS where users will have access to encrypted phone calls, emails, VoIP videoconferencing, SMS, and MMS. Text and multimedia messages are wiped from a phone's registry after a pre-determined amount of time, and communications within the network are allegedly completely secure. An 'off-shore' company with employees from many countries, Silent Circle's target market includes troops serving abroad, foreign businesspeople in countries known for surveillance of electronic communications, government employees, human rights activists, and foreign activists. For encryption tools, which are frequently used by dissidents living under repressive regimes and others with legitimate reasons to avoid government surveillance, the consequences of failed encryption can be deadly. 'Everyone has a solution [for security] inside your building and inside your network, but the big concern of the large multinational companies coming to us is when the employees are coming home from work, they're on their iPhone, Android, or iPad emailing and texting,' says Zimmermann. 'They're in a hotel in the Middle East. They're not using secure email. They're using Gmail to send PDFs.' Another high-profile encryption tool, Cryptocat, was at the center of controversy earlier this year after charges that Cryptocat had far too many structural flaws for safe use in a repressive environment."


This may be important.
another random user sends word of a case in Pennsylvania District Court in which Judge Michael Baylson has ordered a trial to resolve the issue of whether an IP address can identify a particular person. The plaintiff, Malibu Media, has filed 349 lawsuits against groups of alleged infringers, arguing that getting subscriber information from an ISP based on an IP address that participated in file-sharing was suitable for identification purposes. A motion filed by the defendants in this case explains "how computer-based technology would allow non-subscribers to access a particular IP address," leading Judge Baylson to rule that a trial is "necessary to find the truth."
"The Bellwether trial will be the first time that actual evidence against alleged BitTorrent infringers is tested in court. This is relevant because the main piece of evidence the copyright holders have is an IP-address, which by itself doesn't identify a person but merely a connection. ... Considering what's at stake, it would be no surprise if parties such as the Electronic Frontier Foundation (EFF) are willing to join in. They are known to get involved in crucial copyright troll cases, siding with the defendants. We asked the group for a comment, but have yet to receive a response. On the other side, Malibu Media may get help from other copyright holders who are engaged in mass-BitTorrent lawsuits. A ruling against the copyright holder may severely obstruct the thus far lucrative settlement business model, meaning that millions of dollars are at stake for these companies. Without a doubt, the trial is expected to set an important precedent for the future of mass-BitTorrent lawsuits in the U.S. One to watch for sure."


Really dumb? Perhaps it will stimulate some thought?
Judge: Takeover of employee LinkedIn account doesn’t violate hacking law
October 10, 2012 by Dissent
Timothy B. Lee writes:
A federal judge rejected a Pennsylvania woman’s argument that her employer violated a federal anti-hacking statute when it took control of her LinkedIn account after firing her. The court ruled the harms cited by the plaintiff were too speculative to pass muster under the Computer Fraud and Abuse Act (CFAA).
Linda Eagle was the head of a company called Edcomm when it was acquired in 2010. But relations soured and Eagle was fired the following year. Eagle had shared her LinkedIn password [Don't do that! Bob] with another Edcomm employee so that she could help Eagle manage the account. When Eagle was shown the door, her former assistant changed the password on her account, freezing Eagle out of it. Edcomm then replaced Eagle’s name and picture with the name and photograph of her successor.
Eagle sued in federal court, arguing among other things that the company’s actions violated the CFAA. But the court dismissed that argument last week.
Read more on Ars Technica. The decision can be found here.
[From Ars Technica:
Eagle had argued the loss of her LinkedIn account damaged her reputation, since she was unable to respond in a timely fashion to messages sent to her on the site. She also claimed that as a result, she lost business opportunities including one valued at more than $100,000.
But the court ruled those were not the kind of harms that triggered liability under the CFAA.
… Additionally, the court dismissed Eagle's argument that replacing her name with that of her successor violated trademark law. However, this case will go forward based on Pennsylvania state law charges.
The obvious lesson of this incident is employers and employees should be sure to establish, in writing, whether a social media account is a personal account or belongs to the employer. And if you have a personal account, it can be risky to share the password with coworkers.


And so the escalation begins...
Navy Lasers’ First Target: Enemy Drones
One of the first tasks the Navy expects to assign its forthcoming arsenal of laser guns: shooting down drones that menace its ships.
The Navy is confident that laser cannons will move out of science fiction and onto the decks of its surface ships by the end of the decade. Its futurists at the Office of Naval Research still have visions of scalable laser blasts that can fry an incoming missile at the rate of 20 feet of steel per second. But now that laser guns are approaching reality, Pentagon officials are starting to consider the practicalities of what they’ll be used for, and they’re not thinking missiles — yet. Among their initial missions will be the relatively easier task of tracking and destroying unmanned aerial vehicles, or UAVs, that fly too close to Navy ships.


Only fair. Proving you are dead should be harder than proving you are alive...
Social Security record limits hinder research
October 9, 2012 by Dissent
Kevin Sack of the New York Times reports:
A Social Security Administration shift last year to limit access to its death records amid identity-theft concerns is beginning to hamper a broad swath of research, including federal government assessments of hospital safety and financial industry efforts to spot consumer fraud.
For example, a research group that produces reports on organ-transplant survival rates is facing delays because of extra work required to determine whether patients are still alive. The federal agency that runs Medicare uses the data to determine whether some transplant programs have such poor track records that they should be cut off from government financing.

(Related) Which costs more? New IDs or dealing with thousands of bogus claims? Note that “connected to SSANs” is not “the same as” a SSAN.
Despite thefts, no new Medicare IDs
October 10, 2012 by Dissent
Kelly Kennedy reports:
More than a quarter-million Medicare beneficiaries are victims of identity theft and hampered in getting health care benefits because the government won’t issue new IDs, according to an investigation report released today.
Medicare officials say it’s too expensive and too many agencies are involved to reissue those numbers to patients victimized by identity theft — about 284,000 beneficiaries, according to a report by the Department of Health and Human Service’s inspector general.
Beneficiary numbers are directly connected to a patient’s Social Security number, and the government is unable to create a new Social Security number for a patient whose Medicare identity has been stolen, according to the report, which was obtained by USA TODAY.
And beneficiaries can do little more than report abuse of their beneficiary numbers because the government does not provide them with updates about investigations or amend their records with correct billing information. That, investigators say, slows down access to care.
Read more on PressConnects.


Perhaps sorting the wheat from the chaff takes more than 60 days?
Interesting Article on United States v. Collins, Case on Ex Ante Limitations on Computer Warrants
October 9, 2012 by Dissent
Orin Kerr comments on a situation discussed in a recent Law.com article on U.S. v. Collins (mentioned here). One of the issues raised by defense counsel concerns the prosecution hanging on to unnecessary and irrelevant computer files on seized computers when the warrants contained clauses saying that materials not needed for prosecution would be deleted or returned within 60 days.
Orin’s position seems to be that any such conditions included in warrants “are not permissible in the first place.” You can read his commentary on The Volokh Conspiracy, but it seems to me if such statements were included in the applications for the warrants, the prosecution should be bound by them. Otherwise, one could argue that the court might never have approved the warrant in the first place as it might seem overly broad. But then, I am not a lawyer and Orin is.


The RIAA is gonna have a stroke. (Unless you think they can top these payouts?)
"Today in a blog post, Pandora has shared some details of the fees they pay to musical artists for playing songs over their music streaming service. Over 2,000 different artists will pull in $10,000 or more in the next year, and 800 will get paid over $50,000. They provided a few specific examples as well. Grupo Bryndis, who has a sales rank on Amazon of 183,187 (in other words, who is not at all a household name), is on track to receive $114,192. A few earners are getting over $1 million annually, such as Coldplay and Adele. 'Drake and Lil Wayne are fast approaching a $3 million annual rate each.' The post segues into a broader point about the age of internet radio: 'It's hard to look at these numbers and not see that internet radio presents an incredible opportunity to build a better future for artists. Not only is it bringing tens of millions of listeners back to music, across hundreds of genres, but it is also enabling musicians to earn a living. It's also hard to look at these numbers, knowing Pandora accounts for just 6.5% of radio listening in the U.S., and not come away thinking something is wrong. ... Congress must stop the discrimination against internet radio and allow it to operate on a level playing field, under the same rules as other forms of digital radio.'"

(Related)
Following on the success of the various Humble Bundles for DRM-free video games, the organization has just launched its first Humble eBook Bundle. It includes Pirate Cinema by Cory Doctorow, Pump Six by Paolo Bacigalupi, Zoo City by Lauren Beukes, Invasion by Mercedes Lackey, Stranger Things Happen, and Magic for Beginners, both by Kelly Link. If you choose to pay more than the average [Statistics students, what does that do to the average? Bob] (about $11 at this writing), you also get Old Man's War by John Scalzi, and Signal to Noise, by Neil Gaiman and Dave McKean. The books are available in PDF, MOBI, and ePub formats, without DRM. As with all the Humble Bundles, you can choose how much you'd like to pay, and how the proceeds are split between any of the authors and/or among three charities.


Somehow I don't think they realize just how unstable statements like this make them sound.
North Korea claims US mainland within range of its missiles
Isolated North Korea claimed Tuesday that the U.S. mainland is "within the scope" of its missiles, two days after South Korea struck a deal with the United States to extend the range of its ballistic missiles.
… North Korea's National Defense Commission said in a statement that the North was prepared to counter any U.S. military threats, its KCNA news agency said.
"We do not hide (the fact) that the revolutionary armed forces ... including the strategic rocket forces are keeping within the scope of strike not only the bases of the puppet forces and the U.S. imperialist aggression forces' bases in the inviolable land of Korea, but also Japan, Guam and the U.S. mainland," KCNA said.


Didn't Madonna sing, “We live in a digital world and I am a digital girl”?
October 09, 2012
Chronicle of Higher Education: Research Libraries Increase Spending on Digital Materials
Alisha Azevedo: "Spending by research libraries appears to be rising, especially for digital materials, according to new data from the Association of Research Libraries. The data are part of the association's Library Investment Index, which ranks the association's member libraries each year based on total library expenditures, salaries and wages of professional staff, spending on library materials, and the number of professional and support staff. The upward trend for the 2011 fiscal year was the first in several years. The economic downturn in 2008 and the tight budgets that followed caused a drop in spending on all of the index's categories, said Martha Kyrillidou, senior director of the association's statistics and service-quality programs, in an e-mail interview. She added that it 'remains to be seen if this is a temporary reversal or a true shift to sustain itself more than a year.'"


Not all my students are uber geeks...