Saturday, December 29, 2012

If this is what it costs to lose an unencrypted laptop, and encryption is really really cheap, is the failure to encrypt negligence? Somehow I think there is much more to the story.
By Dissent, December 28, 2012 11:48 am
I was surprised to read this morning that Hospice of North Idaho had settled charges by HHS over a laptop stolen from an employee’s car in the summer of 2010.
I was surprised, in part, because I was not aware of this incident at all as it had not appeared in HHS’s breach tool. Since it occurred after HITECH went into effect, it’s possible that the breach affected less than 500 patients. According to a statement from the hospice reported by David Cole of the Coeur d’Alene Press, the hospice had appropriately reported the incident at the time to HHS.
So why did HHS fine this hospice $50,000? Was it to make some point about leaving laptops in unattended cars? If so, I approve in principle, but why this hospice instead of one of the many other covered entities that have had laptops stolen from cars? At least in this case, it is somewhat more understandable that an employee would have removed patient data from the office as they provide home-based hospice services.
Should the data have been encrypted or otherwise protected? Obviously. And do I agree with the hospice’s statement that “The theft of the laptop was out of our hands?” Obviously not. If you wouldn’t leave your wallet with all your credit cards and IDs in your car to be stolen, you shouldn’t be leaving a laptop with patient information in your car to be stolen. And if you would leave your wallet in your car, I personally don’t think you should ever be trusted with patient data.
But a $50,000 fine for a hospice that self-reported a breach seems harsh, particularly when we think of all the other cases where no fine was imposed.
There is no statement on the hospice’s web site at this time. Nor on HHS’s. I’ve e-mailed both requesting a statement or explanation as to why this breach resulted in a fine and hope we’ll find out more. [I'll watch for that... Bob]


Tools & Techniques: Who should have these installed? (Each has a free version)
… What exactly is a keylogger? Forgive me for using the term in the definition, but it’s a malicious infection that resides on your computer, logging a record of your keys as you press them. It saves every key pressed on your keyboard then sends that information back to a home server somewhere. A hacker then uses this information to break into your personal accounts and dig through your information.
The cold and honest truth, however, is that preventative software will never catch 100% of keylogger cases. Hackers are constantly creating new keyloggers and new malware to infest computers all over the globe. Protective software will always be playing a game of “catch up”.
So if you want to maximize your safety, be sure to read Matt’s article on 4 ways to protect yourself against keyloggers.


Whatever you do, don't broadcast on 104.7 FM (without recording it all on your smartphone!)
"For months, dozens of people could not use their keyless entry systems to unlock or start their cars when parked in the vicinity of the eight-story Regents bank building in Hollywood, FL. Once the cars were towed to the dealership for repair, the problem went away. The problem resolved itself when police found equipment on the bank's roof that was broadcasting a bootleg radio station. A detective and an FCC agent found the equipment hidden underneath an air conditioning chiller. The man who set up the station has not been found, but he faces felony charges and fines of at least $10,000 if he is caught. The radio station was broadcasting Caribbean music around the clock on 104.7 FM."


A concise summary, with lots of links.
December 28, 2012
TrendMicro - The Trends in Targeted Attacks of 2012
Nart Villeneuve (Senior Threat Researcher): "Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012."


Ah, if only... Meanwhile, have fun imagining the various scenarios that could result in a cloned profile.
There’s a story in the Cranberry Eagle by Jared Stonesifer about a man who has sued LinkedIn because his information was displayed in a profile that he hadn’t created, and LinkedIn wouldn’t tell him who created it – even though they removed the page:
The lawsuit, which was filed Thursday, says that Senft keeps his personal contact information private.
The Point Daily also covers the lawsuit.
So what do you think will happen here? Will LinkedIn try to settle the suit by giving the plaintiff the information he requested, or will it hold out for a court order? And what should be the consequences of this breach? Can Senft show harm? Or will this breach, too, get dismissed?
I can’t wait to see what Venkat Balasubramani thinks of its chances.
[From the PointDaily article:
… the supporters of improved privacy on social media are taking this development very seriously, because other people can also be affected by similar results as well. On the other hand, Linkedin Corp. is not reacting to the legal action proactively and is looking to bury the matter under the dust of time, analysts added.]


Soon, everyone will have at least one drone. Perhaps we should get into the “Rent a Drone” business?
In January of this year, we posted news of a major pollution site in Texas that was the subject of some anonymous amateur sleuths with drones, who used their UAVs to document the release of a "river of blood" (pig blood, that is) into the Trinity River as it flows through Dallas. Now, garymortimer writes, that documentation has resulted in legal action in the form of an indictment from a Dallas grand jury.
"The story went viral and continues to receive hits nearly a year later. I believe this is the first environmental crime to be prosecuted on the basis of UA evidence. Authorities had to act because of the attention the story was receiving." [Not entirely true, but an invitation to activists with drones... Bob]

(Related)
Texas UAV Enthusiast Uses Pilotless Aircraft to Uncover River Contamination
… The contamination was noticed by the operator after reviewing images he’d taken of the Trinity River while flying a homemade UAV, according to Small Unmanned Aerial Systems News (sUAS), a Web site that tracks unmanned vehicle-related news.
“This flight was undertaken completely within the law, below 400 feet and visual line of sight,” wrote Gary Mortimer of sUAS.
… The UAV used to photograph Trinity River was created by mounting a point-and-shoot digital camera onto a $75 airframe.
… Mortimer says UAS technology gives operators the "ability to look over a fence" that didn't exist years ago, so privacy issues are inevitable.


I wonder who gave them this idea?
"Prenda Law — one of the most notorious copyright trolls — has sued hundreds of thousands of John Doe defendants, often receiving settlements of thousands of dollars from each. Prenda Law principal John Steele has reportedly made a few million dollars suing BitTorrent file-sharers. Prenda Law has been accused in federal court of creating sham offshore corporations using the identity of his gardener. In other words, it is alleged that the law firm and their client are the same entity, and that Prenda law has committed identity theft and fraud. Now, a judge in California has granted a John Doe defendant's motion to further explore the connection between the offshore entity and the law firm."


This is very wrong, students. I'm only pointing out the details so you can avoid doing wrong (under your own name).
… Amazon’s official Kindle Store Terms of Use are very clear about this, stating “Kindle Content is licensed, not sold, to you by the Content Provider”. Technically speaking, Amazon can take the book away at any time – simply remove it from your device remotely and delete your account, which wouldn’t be a first for them.
… After you de-DRM your Kindle books, you will be able to read them on your Kindle as per usual, but you will also be able to convert them to PDFs, ePubs (for reading on a Nook, for example), and any other format. Most importantly, Amazon would never be able to take those books away from you – you get to keep what you bought.
  • Stripping DRM violates Amazon’s ToS.
  • Stripping DRM may be illegal in your country or state.
  • If you are a decent human being, I trust that you will not distribute the content you de-DRM.
  • Last but not least: DRM is a cat-and-mouse game. This method works at the time of this writing, and may stop working tomorrow, as soon as Amazon change things.


End of year lists...


Because nobody will ever create an Infographic of “Bob Quotes” (I particularly like number 13)


Well, I find it interesting...
… As of January 1, 2013, we can welcome to the public domain (in countries that follow the “life plus 70 years” copyright period) the works of writers and artists like anthropologists Franz Boas and Bronisław Malinowski and Anne of Green Gables author L. M. Montgomery. Mike Masnick has pulled together the list of new items in the public domain for the U.S. — empty.
… A competition on the machine learning site Kaggle is looking for folks to “visually uncover trends in the Colorado public school system” by using 3 years of school grading data supplied by the Colorado Department of Education. The prize is $5000. The deadline, January 19.