Another example for my compilation of “Worst Practices.” And I think I'll file this one under “It's not rocket science!”
Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information
November 13, 2012 by admin
SpaceRef posted a breach notification from NASA, dated today:
On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.
Read more on SpaceRef.
So, who tested this “Feature” and pronounced it secure?
A Skype security flaw could allow rogue users to seize control of your account using nothing more than your email address, thanks to subpar recovery policies that can be easily gamed. The exploit depends on Skype’s policy of reminding new sign-ups of any existing usernames they have previously registered, when they attempt to re-register using the same email address. According to The Next Web, with a minor amount of tinkering, it’s possible to reset another user’s password and thus grab hold of their account.
… Skype is apparently conducting an “internal investigation” into the loophole, though for now there’s no official comment on when it might be closed off. The hack was first reported on a Russian forum roughly two months ago, it’s said, with the person responsible for discovering the exploit claiming to have told Skype about it with no apparent change in recovery security.
So the 1.7 million voter database WAS exposed, but it's no big deal. (Unless it exposes all the dead or fictional voters?)
Chicago election site exposed personal information
November 13, 2012 by admin
John Byrne and Hal Dardick report:
Chicago election board officials confirmed Tuesday that sensitive personal information for about 1,200 people was exposed online but denied allegations by a computer security firm that the breach was much broader.
The firm, Forensicon, announced it uncovered the problem while researching voting patterns. It alleged that personal information of up to 1.7 million registered Chicago voters was exposed on the website of the Chicago Board of Elections Commissioners.
An election board spokesman accused the firm of overplaying the problem. James Allen said the database of 1.7 million registered voters included no personal information beyond what is already public record—name, address and voter registration number. “Anyone can request that information from us, and we have to produce it,” Allen said. “There’s absolutely no sensitive information there.”
However, Allen said due to a mistake by the election authority, another database was inadvertently exposed online with names, addresses, drivers license numbers and the last four digits of social security numbers for around 1,200 people who had applied to work for the board in Chicago polling places on Election Day.
Read more on Chicago Tribune.
For my Computer Security students. Attach articles like this (with appropriate highlighting) to your resume when you submit it...
"A chilling article by Darkreading's Kelly Jackson Higgins describes how the growing accessibility of hacking tools like RATs (Remote Access Trojans) has made cyber-espionage possible for more than just those financially backed by large nation-states, and speculates on what the implications of this may be: 'Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates. This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.'"
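The attribution reasoning in the quote above (samples tied to one actor because they share C&C hosts and the same bogus signing certificate) is easy to mechanize. The following is an added illustration written for this page; it is not Norman's analysis tooling or any code from the article. Every sample record, hostname and certificate thumbprint in it is constructed and labelled as a placeholder, and the linking rule (any shared C&C host or cert thumbprint joins two samples) is an assumption chosen for the example.

```python
"""Group malware samples into campaigns by shared infrastructure.

Added example for this page, not from the article or from Norman Security.
Two samples are treated as the same actor's work when they share at least
one C&C host or carry the same (phony) code-signing certificate. The
resulting per-campaign watchlist is what a defender would push to DNS,
proxy and certificate blocklists.
"""
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed sample records; hostnames and thumbprints are placeholders,
# not real indicators from any campaign.
SAMPLES: List[Dict] = [
    {"id": "sample-A", "c2": {"c2-one.example", "c2-two.example"},
     "cert": "CERT-THUMB-0001", "target": "Palestinian"},
    {"id": "sample-B", "c2": {"c2-two.example"},
     "cert": "CERT-THUMB-0001", "target": "Israeli law enforcement"},
    {"id": "sample-C", "c2": {"c2-three.example"},
     "cert": "CERT-THUMB-0001", "target": "embassy"},
    {"id": "sample-D", "c2": {"c2-nine.example"},
     "cert": "CERT-THUMB-0009", "target": "unrelated"},
]


def _indicators(sample: Dict) -> Iterator[str]:
    """Yield the linkable indicators of one sample, namespaced by type."""
    for host in sorted(sample["c2"]):
        yield f"c2:{host}"
    yield f"cert:{sample['cert']}"


def cluster_by_shared_indicators(samples: List[Dict]) -> List[List[str]]:
    """Union-find over samples: any shared indicator merges two samples.

    Returns clusters as sorted lists of sample ids, sorted for stable output.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[str, str] = {}  # indicator -> first sample carrying it
    for s in samples:
        for ind in _indicators(s):
            if ind in first_seen:
                union(first_seen[ind], s["id"])
            else:
                first_seen[ind] = s["id"]

    groups = defaultdict(list)
    for s in samples:
        groups[find(s["id"])].append(s["id"])
    return sorted(sorted(g) for g in groups.values())


def campaign_watchlist(samples: List[Dict], cluster: List[str]) -> Dict[str, List[str]]:
    """Union of C&C hosts and cert thumbprints across one cluster."""
    ids = set(cluster)
    hosts, certs = set(), set()
    for s in samples:
        if s["id"] in ids:
            hosts |= s["c2"]
            certs.add(s["cert"])
    return {"c2_hosts": sorted(hosts), "cert_thumbprints": sorted(certs)}


if __name__ == "__main__":
    for cluster in cluster_by_shared_indicators(SAMPLES):
        print(cluster, campaign_watchlist(SAMPLES, cluster))
```

Note that sample-B never contacts c2-one.example, yet it lands in the same campaign as sample-A through the shared certificate and c2-two.example; that transitive linking is exactly why a single reused certificate across otherwise separate infrastructure is such a strong attribution signal.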
Imagine what they could have found out if there had been a crime...
No one’s safe from unfettered domestic surveillance. No one.
November 13, 2012 by Dissent
As a privacy advocate, you might have expected me to blog about the Broadwell-Petraeus-Kelley-Allen scandal, with emphasis on the federal govt’s ability or legal authority to snoop through the records of people who seemingly have committed no crime.
So how did the FBI get authorization to snoop? Well, it turns out that they really didn’t need much authorization, and what they did need is all too easy to acquire.
Kade Ellis has a great write-up on PrivacySOS about how unfettered access endangers all of us. She’s preaching to the privacy choir, though, as we already know that we want a probable cause warrant standard for a lot of things where no warrant is currently required.
Keep in mind that this whole sordid affair only came out because someone in the FBI did a friend a favor when there was no clear legal justification for the FBI to get involved at all.
So whom do you know who has a friend in the FBI who could start an investigation of you? Are you okay with the FBI accessing your email accounts when you’ve done nothing illegal?
Will Congress hear us now? Will they start to worry about the privacy of their own accounts? One can only hope, but frankly, I’m not particularly optimistic that this scandal will lead to more protective legislation. I’d love to be proven wrong.
(Related)
Google sees more government snooping in first half of 2012
November 13, 2012 by Dissent
Graeme McMillan reports:
You may not be having an affair with a high-ranking American Intelligence Official, but that doesn’t mean that Big Brother isn’t watching you nonetheless. Or, at least, that might be the impression that you’re left with upon discovering that Google has reported a significant jump in the amount of government surveillance of online activity in recent months, especially when compared with just a few years ago.
In its latest Transparency Report, which covers the first six months of 2012, government agencies around the world made a total of 20,938 requests for access to personal data of Google users, with 34,614 user accounts affected by the requests.
Read more on Digital Trends.
Text of most papers available; haven't found the link to recordings or videos yet.
Solove: Privacy regulation a failure
November 13, 2012 by Dissent
David Perera reports:
The current U.S. approach to privacy regulation fails to account for the effects of information sharing created by the ascendance of technologies that permit things such as Big Data or fusion centers, said Daniel Solove, a noted privacy law researcher and a professor at George Washington University. He spoke Nov. 9 during a symposium on privacy and technology held by the Harvard Law Review.
The current model, which Solove dubbed the “privacy self-management approach,” takes refuge in the notion of consent, he said.
Read more on FierceGovernmentIT
[From the article: … For more: listen to Solove's Nov. 9 talk at the Harvard Law Review symposium]
“Let's go back to the good old days of “Separate but equal!” only without that pesky equal part.” Or am I missing something?
According to a story at Northwest Public Radio, the state of Virginia's board of education has decided to institute different passing scores for standardized tests, based on the racial and cultural background of the students taking the test. Apparently the state has chosen to divide its student population into broad categories of black, white, Hispanic, and Asian — which takes painting with a rather broad brush, to put it mildly. From the article (there's an audio version linked as well):
"As part of Virginia's waiver to opt out of mandates set out in the No Child Left Behind law, the state has created a controversial new set of education goals that are higher for white and Asian kids than for blacks, Latinos and students with disabilities. ... Here's what the Virginia state board of education actually did. It looked at students' test scores in reading and math and then proposed new passing rates. In math it set an acceptable passing rate at 82 percent for Asian students, 68 percent for whites, 52 percent for Latinos, 45 percent for blacks and 33 percent for kids with disabilities."
(If officially determined group membership determines passing scores, why stop there?) Florida passed a similar measure last month.
“Do you think we should run this by the lawyers?” “Nah, they'll just complicate things and they might cost us as much as a couple of hundred dollars!”
Papa John's pizza up against $250M lawsuit for text spam
… "After I ordered from Papa John's, my telephone started beeping with text messages advertising pizza specials," one of the plaintiffs in the case, Erin Chutich, said in a statement. "Papa John's never asked permission to send me text message advertisements."
Apparently, in 2010, Papa John's hired a mass text messaging service called OnTime4U to text ads to its customers as a way to boost profits. According to the lawsuit (PDF), which was certified by U.S. District Court Judge John C. Coughenour on November 9 in Seattle, certain Papa John's franchisees gave OnTime4U lists of customers' phone numbers without getting consent from those individuals first.
If the judge decides that Papa John's is guilty of willfully sending the spam messages, this case could become one of the largest damages awards ever given under the federal Telephone Consumer Protection Act, which deems it illegal to send ads via text without an opt-in option. The lawsuit claims that 500,000 unwanted messages were sent to customers nationwide and that the pizza chain should pay $500 for each text.
It's like “Double Secret Probation” and AT&T is Dean Wormer! (Interesting comments, but no solution – if they want to charge you extra they will and there is nothing you can do about it.)
"As many of you know, AT&T has implemented caps on DSL usage. When this was implemented, I started getting emails letting me know my usage was likely to exceed the cap. After consulting their Internet Usage web page, I felt the numbers just weren't right. With the help of Tomato on my router, I started measuring my usage, and ended up with numbers substantially below what AT&T was reporting on a day-to-day basis. Typically around 20-30% less. By the way, this usage is the sum of inbound and outbound. At this point, I decided to contact AT&T support to determine what exactly they were defining as usage, as their web pages never really define it. Boy, did I get a surprise. After several calls, they finally told me they consider the methodology by which they calculate bandwidth usage to be proprietary. Yes, you read that right; it's a secret. They left me with the option to contact their executive offices via snail mail. Email was not an option. So, I bring my questions to you, all-knowing Slashdotters: are there any laws that require AT&T to divulge how they are calculating data usage? Should I contact my state's commerce commission or the FCC to attempt to get an answer to this?"
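The measurement the poster describes (daily usage as inbound plus outbound bytes read off the router, then compared against the ISP's figure) is straightforward to reproduce, and the one detail that bites people doing it is counter wraparound. The block below is an added illustration for this page, not code from the Slashdot post, from Tomato or from AT&T. It assumes 32-bit monotonically increasing interface byte counters, which is a simplifying assumption; the counter readings and the ISP-reported totals are constructed sample values.

```python
"""Reconstruct daily WAN usage from router byte counters and compare it
with the figures an ISP reports.

Added example for this page; not from the Slashdot post or Tomato firmware.
Assumes 32-bit interface counters that wrap at 2**32 (an assumption for
the example). All readings and reported totals below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

COUNTER_BITS = 32
WRAP = 1 << COUNTER_BITS

# Constructed WAN counter samples: (ISO timestamp, rx_bytes, tx_bytes).
# The third rx value has wrapped past 2**32 since the previous sample.
READINGS: List[Tuple[str, int, int]] = [
    ("2012-11-01T00:00", 4_000_000_000, 500_000_000),
    ("2012-11-01T12:00", 4_200_000_000, 600_000_000),
    ("2012-11-02T00:00",   205_032_704, 700_000_000),
    ("2012-11-03T00:00",   605_032_704, 1_000_000_000),
]

# Constructed daily totals "as reported by the ISP", in bytes.
ISP_REPORTED: Dict[str, int] = {
    "2012-11-01": 1_000_000_000,
    "2012-11-02":   875_000_000,
}


def counter_delta(old: int, new: int, wrap: int = WRAP) -> int:
    """Bytes moved between two readings of a wrapping monotonic counter.

    Modular subtraction makes a wrapped reading (new < old) come out right;
    a naive new - old would go negative and silently understate usage.
    """
    return (new - old) % wrap


def daily_usage(readings: List[Tuple[str, int, int]]) -> Dict[str, int]:
    """Sum inbound + outbound bytes per calendar day.

    Each interval is charged to the day its starting sample falls on;
    intervals that straddle midnight are not split, which is one of the
    methodology choices an ISP might make differently.
    """
    usage: Dict[str, int] = defaultdict(int)
    for (t0, rx0, tx0), (_, rx1, tx1) in zip(readings, readings[1:]):
        day = t0[:10]
        usage[day] += counter_delta(rx0, rx1) + counter_delta(tx0, tx1)
    return dict(usage)


def percent_below_reported(measured: Dict[str, int],
                           reported: Dict[str, int]) -> Dict[str, float]:
    """For each day present in both series, how far (in %) the local
    measurement sits below the ISP's number. Positive means the ISP
    reported more than the router saw."""
    return {
        day: round(100.0 * (reported[day] - measured[day]) / reported[day], 1)
        for day in measured if day in reported
    }


if __name__ == "__main__":
    local = daily_usage(READINGS)
    for day, gap in percent_below_reported(local, ISP_REPORTED).items():
        print(f"{day}: router {local[day]:,} B, ISP {ISP_REPORTED[day]:,} B, "
              f"router is {gap}% below ISP")
```

Running it on the constructed data reproduces the poster's situation: the router's own totals sit 30% and 20% below the reported figures. Without the modular delta, the wrapped reading on 2012-11-02 would turn a 300 MB interval into a large negative number and make the discrepancy look even worse than it is.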
Just a reminder...
Everyone has their set of favorite websites. No matter what your hobbies and interests are, I’m sure you can think of at least five websites you love and visit often just off the top of your head. But just like other habits, when we’re set in our ways and our websites, we don’t always remember to look elsewhere.
… Similar websites are a great way to discover new websites, while making sure you stay on track and find things you’re really interested in. It’s time to start a new Web journey: use the tools listed below to expand your horizons and find more of your favorites!
Google Similar Pages [Chrome extension]
If you don't get it from reading the textbook and the “How to” video is gibberish, and my lectures are not adequate, there are still thousands of resources you can try before giving up and actually asking a question...
… a few websites have set out to provide decent education in the format of online universities. However, what makes it great is that these websites offer all of their material for free (well, for the most part).