Wednesday, November 14, 2012

Another example for my compilation of “Worst Practices.” And I think I'll file this one under “It's not rocket science!”
Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information
November 13, 2012 by admin
SpaceRef posted a breach notification from NASA, dated today:
On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.
Read more on SpaceRef.


So, who tested this “Feature” and pronounced it secure?
A Skype security flaw could allow rogue users to seize control of your account using nothing more than your email address, thanks to subpar recovery policies that can be easily gamed. The exploit depends on Skype’s policy of reminding new sign-ups of any existing usernames they have previously registered, when they attempt to re-register using the same email address. According to The Next Web, with a minor amount of tinkering, it’s possible to reset another user’s password and thus grab hold of their account.
… Skype is apparently conducting an “internal investigation” into the loophole, though for now there’s no official comment on when it might be closed off. The hack was first reported on a Russian forum roughly two months ago, it’s said, with the person responsible for discovering the exploit claiming to have told Skype about it with no apparent change in recovery security.


So the 1.7 million voter database WAS exposed, but it's no big deal. (Unless it exposes all the dead or fictional voters?)
Chicago election site exposed personal information
November 13, 2012 by admin
John Byrne and Hal Dardick report:
Chicago election board officials confirmed Tuesday that sensitive personal information for about 1,200 people was exposed online but denied allegations by a computer security firm that the breach was much broader.
The firm, Forensicon, announced it uncovered the problem while researching voting patterns. It alleged that personal information of up to 1.7 million registered Chicago voters was exposed on the website of the Chicago Board of Elections Commissioners.
An election board spokesman accused the firm of overplaying the problem. James Allen said the database of 1.7 million registered voters included no personal information beyond what is already public record—name, address and voter registration number. “Anyone can request that information from us, and we have to produce it,” Allen said. “There’s absolutely no sensitive information there.”
However, Allen said due to a mistake by the election authority, another database was inadvertently exposed online with names, addresses, drivers license numbers and the last four digits of social security numbers for around 1,200 people who had applied to work for the board in Chicago polling places on Election Day.
Read more on Chicago Tribune.


For my Computer Security students. Attach articles like this (with appropriate highlighting) to your resume when you submit it...
"A chilling article by Darkreading's Kelly Jackson Higgins describes how the growing accessibility of hacking tools like RATs (Remote Access Trojans) has made cyber-espionage possible for more than just those financially backed by large nation-states, and speculates on what the implications of this may be: 'Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates. This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.'"


Imagine what they could have found out if there had been a crime...
No one’s safe from unfettered domestic surveillance. No one.
November 13, 2012 by Dissent
As a privacy advocate, you might have expected me to blog about the Broadwell-Petraeus-Kelley-Allen scandal, with emphasis on the federal govt’s ability or legal authority to snoop through the records of people who seemingly have committed no crime.
So how did the FBI get authorization to snoop? Well, it turns out that they really didn’t need much authorization, and what they did need is all too easy to acquire.
Kade Ellis has a great write-up on PrivacySOS about how unfettered access endangers all of us. She’s preaching to the privacy choir, though, as we already know that we want a probable cause warrant standard for a lot of things where no warrant is currently required.
Keep in mind that this whole sordid affair only came out because someone in the FBI did a friend a favor when there was no clear legal justification for the FBI to get involved at all.
So whom do you know who has a friend in the FBI who could start an investigation of you? Are you okay with the FBI accessing your email accounts when you’ve done nothing illegal?
Will Congress hear us now? Will they start to worry about the privacy of their own accounts? One can only hope, but frankly, I’m not particularly optimistic that this scandal will lead to more protective legislation. I’d love to be proven wrong.

(Related)
Google sees more government snooping in first half of 2012
November 13, 2012 by Dissent
Graeme McMillan reports:
You may not be having an affair with a high-ranking American Intelligence Official, but that doesn’t mean that Big Brother isn’t watching you nonetheless. Or, at least, that might be the impression that you’re left with upon discovering that Google has reported a significant jump in the amount of government surveillance of online activity in recent months, especially when compared with just a few years ago.
In its latest Transparency Report, which covers the first six months of 2012, government agencies around the world made a total of 20,938 requests for access to personal data of Google users, with 34,614 user accounts affected by the requests.
Read more on Digital Trends.


Text of most papers available, haven't found the link to recordings or videos yet.
Solove: Privacy regulation a failure
November 13, 2012 by Dissent
David Perera reports:
The current U.S. approach to privacy regulation fails to account for the effects of information sharing created by the ascendance of technologies that permit things such as Big Data or fusion centers, said Daniel Solove, a noted privacy law researcher and a professor at George Washington University. He spoke Nov. 9 during a symposium on privacy and technology held by the Harvard Law Review.
The current model, which Solove dubbed the “privacy self-management approach,” takes refuge in the notion of consent, he said.
Read more on FierceGovernmentIT.
[From the article: … For more: listen to Solove's Nov. 9 talk at the Harvard Law Review symposium]


“Let's go back to the good old days of ‘Separate but equal!’ only without that pesky equal part.” Or am I missing something?
According to a story at Northwest Public Radio, the state of Virginia's board of education has decided to institute different passing scores for standardized tests, based on the racial and cultural background of the students taking the test. Apparently the state has chosen to divide its student population into broad categories of black, white, Hispanic, and Asian — which takes painting with a rather broad brush, to put it mildly. From the article (there's an audio version linked as well):
"As part of Virginia's waiver to opt out of mandates set out in the No Child Left Behind law, the state has created a controversial new set of education goals that are higher for white and Asian kids than for blacks, Latinos and students with disabilities. ... Here's what the Virginia state board of education actually did. It looked at students' test scores in reading and math and then proposed new passing rates. In math it set an acceptable passing rate at 82 percent for Asian students, 68 percent for whites, 52 percent for Latinos, 45 percent for blacks and 33 percent for kids with disabilities."
(If officially determined group membership determines passing scores, why stop there?) Florida passed a similar measure last month.


“Do you think we should run this by the lawyers?” “Nah, they'll just complicate things and they might cost us as much as a couple of hundred dollars!”
Papa John's pizza up against $250M lawsuit for text spam
… "After I ordered from Papa John's, my telephone started beeping with text messages advertising pizza specials," one of the plaintiffs in the case Erin Chutich said in a statement. "Papa John's never asked permission to send me text message advertisements."
Apparently, in 2010, Papa John's hired a mass text messaging service called OnTime4U to text ads to its customers as a way to boost profits. According to the lawsuit (PDF), which was certified by U.S. District Court Judge John C. Coughenour on November 9 in Seattle, certain Papa John's franchisees gave OnTime4U lists of customers' phone numbers without getting consent from those individuals first.
If the judge decides that Papa John's is guilty of willfully sending the spam messages, this case could become one of the largest damages awards ever given under the federal Telephone Consumer Protection Act, which deems it illegal to send ads via text without an opt-in option. The lawsuit claims that 500,000 unwanted messages were sent to customers nationwide and that the pizza chain should pay $500 for each text.


It's like “Double Secret Probation” and AT&T is Dean Wormer! (Interesting comments, but no solution – if they want to charge you extra they will and there is nothing you can do about it.)
"As many of you know, AT&T has implemented caps on DSL usage. When this was implemented, I started getting emails letting me know my usage was likely to exceed the cap. After consulting their Internet Usage web page, I felt the numbers just weren't right. With the help of Tomato on my router, I started measuring my usage, and ended up with numbers substantially below what AT&T was reporting on a day-to-day basis. Typically around 20-30% less. By the way, this usage is the sum of inbound and outbound. At this point, I decided to contact AT&T support to determine what exactly they were defining as usage, as their web pages never really define it. Boy, did I get a surprise. After several calls, they finally told me they consider the methodology by which they calculate bandwidth usage to be proprietary. Yes, you read that right; it's a secret. They left me with the option to contact their executive offices via snail mail. Email was not an option. So, I bring my questions to you, all-knowing Slashdotters: are there any laws that require AT&T to divulge how they are calculating data usage? Should I contact my state's commerce commission or the FCC to attempt to get an answer to this?"


Just a reminder...
Everyone has their set of favorite websites. No matter what your hobbies and interests are, I’m sure you can think of at least five websites you love and visit often just off the top of your head. But just like other habits, when we’re set in our ways and our websites, we don’t always remember to look elsewhere.
… Similar websites are a great way to discover new websites, while making sure you stay on track and find things you’re really interested in. It’s time to start a new Web journey: use the tools listed below to expand your horizons and find more of your favorites!
Google Similar Pages [Chrome extension]


If you don't get it from reading the textbook, the “How to” video is gibberish, and my lectures are not adequate, there are still thousands of resources you can try before giving up and actually asking a question...
… a few websites have set out to provide decent education in the format of online universities. However, what makes it great is that these websites offer all of their material for free (well, for the most part).
