A couple of examples of companies that have given no thought to handling a security breach and spent no time researching “Best Practices” once it occurred. Somehow I doubt their Marketing Department was involved in these decisions. Has no one read “The Prince?”
TD Bank: Data loss affects about 260,000 U.S. customers
October 12, 2012 by admin
Jessica Hall continues to update the TD Bank backup tapes breach:
In Maine, 34,907 residents were affected, according to a letter sent to the attorney general from TD Bank. In Massachusetts, the Attorney General’s Office said more than 73,000 residents were affected. In Connecticut, 35,000 residents were affected, while Rhode Island had 500 residents and Maryland had 398 residents affected, according to the state attorney general.
Read more on Morning Sentinel.
As I tweeted earlier today, TD Bank made a bad decision, in my opinion, not to release the total number all at once in their original statement. The story’s staying in the news cycle as each new state discloses their numbers. So now we have a breach whose notification was delayed by 6 months and what looks like an attempt to not reveal how bad it may have been. Not a good post-incident response plan.
(Related) Another breach the victim is trying to cover up? Those of us who track security breach stories will follow up until we know how many people were impacted, when and how the breach occurred, and (probably) why the company wouldn't come clean immediately – lots of conspiracy speculation here....
Korn/Ferry breach details emerge
October 12, 2012 by admin
Thanks to the California Attorney General’s Office, we now have some of the details on the Korn/Ferry breach, reported yesterday on this blog. Korn/Ferry is an executive recruiting firm.
In their sample notification, Thom Steinoff, CTO, writes:
We are writing to inform you about a recent incident involving our data network. We recently learned that we were the victim of a sophisticated cyber attack. We deeply regret that this incident occurred and take very seriously the security of our network.
But when did this “recent” incident occur? They don’t say at this point, but they indicate later that it may have gone on for months before they learned of it in August.
We began investigating the incident as soon as we learned of it.
How did they learn of it? They don’t say. And why did it take them months to learn of it? They don’t tell us that, either.
While our investigation is ongoing, we have determined that, although the affected databases were not designed or structured to receive sensitive personal information, a small percentage of the files nevertheless included an individual’s name in combination with his or her driver’s license number, government-issued identification number, Social Security number, credit card numbers or health information. It is important to note that we have no evidence that access to personal information was the goal of the attack. [And none to suggest otherwise Bob]
Korn/Ferry has already taken a number of steps to enhance the security of the relevant computer network. In addition to these steps, we have been working with law enforcement in connection with their investigation of the incident. Korn/Ferry quickly secured its network against the attack, which appears to have been underway for a number of months, shortly after discovering it in August 2012. Korn/Ferry was asked by federal law enforcement officials, however, to delay disclosure of the existence of the attack until now.
Emphasis in the above added by me.
You can read the full letter here, which includes an offer of free credit monitoring protection.
In light of this explanation, their press release yesterday is even more problematic as their statement, “The databases that were impacted are not designed or structured to collect credit card, payment card, bank account, social security numbers, government identification numbers or health information.” might have been interpreted by some to mean that those types of data were not in the impacted databases. To the contrary, while the databases were not supposed to have such data, they apparently did.
Korn/Ferry did not indicate how many clients or candidates were affected by this incident.
Should the government try to be “cutting edge?” I think their time and money would be better spent facilitating the work of consultants. If a consultant does not have the skill set you need, fire him and hire someone who does. The model here seems to be send the employee off for training. Not the most responsive reaction...
Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots
… This means, in part, hiring at least 600 new cybersecurity professionals, including ones who have proven, hands-on experience to take on critical tasks, the task force recommended in its 41-page report (.pdf).
Furthermore, the government needs to focus less on professional certifications in making its hiring decisions and more on real-world experience and expertise. To do this, it needs to build a system for actively measuring these skills, such as one that is currently used for testing pilots, the group said.
The group noted that pilots undergo situational testing that becomes more complicated as their skills increase, such as placing them in conditions where the weather deteriorates or where systems malfunction, in order to test them under duress. [I think they mean “stress” but this would work too Bob]
Drones, Cyber weapons and more...
Darpa’s New Director Wants to Keep the Skies Under U.S. Control
The U.S. has total dominance of the skies above planet Earth, a defense budget five times as large as its nearest competitor, and a fleet of robotic aircraft and advanced manned planes. The newest leader of the Pentagon’s blue-sky researchers says the U.S. is more vulnerable than it thinks in the skies. Maintaining America’s air supremacy may be about to become a top priority for the agency that helped give the world the Predator drone.
(Related) “We need more because they are so cool! Don't worry, we'll talk the city into using them our way. After all J. Edgar isn't the only one with files on politicians...”
"The Seattle Police Department is seeking to buy more unmanned aerial vehicles (a.k.a. drones) even as the two it currently owns sit warehoused until the city develops a policy for their use, documents released as part of the EFF and MuckRock's Drone Census show. More frightening than the $150,000 price tag? The fact that the drone vendors market the fact that these lease agreements do 'not require voter approval.'"
Does your city or town use drones?
When is electronic storage not electronic storage? When the court says, “Clouds are made of water vapor, so they can't be electronic...” (and I thought they only smoked tobacco in South Carolina)
"I leave my email stored online, as do many modern email users, particularly for services like Gmail with its ever-expanding storage limit. I don't bother downloading every email I receive. According to the South Carolina Supreme Court, this doesn't qualify as electronic storage. This means most email users are not protected by the Stored Communications Act. All your emails are fair game, so be careful what you write. From the article: 'This new decision creates a split with existing case law (Theofel v. Farey-Jones) as decided in a 2004 case decided by the Ninth Circuit Court of Appeals. That decision found that an e-mail message that was received, read, and left on a server (rather than being deleted) did constitute storage "for purposes of backup protection," and therefore was also defined as being kept in "electronic storage." Legal scholars point to this judicial split as yet another reason why the Supreme Court (and/or Congress) should take up the issue of the Stored Communications Act.'"
Very misleading title since “Do Not” does not mean Do Not...
"The Verge is carrying an accurate and accessible overview of the Do Not Track debate. Quoting: 'With the fate of our beloved internet economy allegedly at stake, perhaps it's a good time to examine what Do Not Track is. How did the standard come to be, what does it do, and how does it stand to change online advertising? Is it as innocuous as privacy advocates make it sound, or does it stand to jeopardize the free, ad-supported internet we've all come to rely on?' The issues surrounding Do Not Track can be difficult to understand, owing to rampant rhetoric and spin. This article unpacks the tracking technology, privacy concerns, economic questions, and political outlook. Full disclosure: I'm quoted."
“After a careful review of the law, we decided to do what the RIAA wanted instead.”
A leaked batch of AT&T training documents reveal an anti-piracy plan in the books, which includes sending warning notices to flagged accounts. In what seems to be a completely draconian measure, any subscriber whose account is flagged multiple times for copyright infringement will have access to frequently-visited websites (Facebook? YouTube?) blocked until they complete an online course on copyright. The warning notices will begin on November 28th.
This should surprise no one. My guess is an announcement before the election, followed by a “thorough and complete” exoneration of a large campaign contributor. Note that the FTC is ready to sue before they investigate – your government in action...
According to multiple sources, it’s said that the Federal Trade Commission (FTC) is closer than ever to hitting Google with an antitrust lawsuit. The plan has been in the works for almost a year, and now four out of the five FTC commissioners are wanting to open up the doors to begin the process of investigating any wrongdoing by the search giant.
Perspective (Even if I find it hard to believe)
Smartphones and tablets are obviously taking the entire world by storm, but would it surprise you if you knew that nearly 85% of the world’s population is using mobile devices? [Not just phones Bob] According to the International Telecommunications Union (ITU), six billion people in the world use smartphones and/or tablets. [According to WolframAlpha, “6 billion / world population” = 88.4% Bob]
Among other things, the government now recognizes that meteors come from outer space...
"New regulations by the Federal government define asteroidal material to be an antiquity, like arrowheads and pottery, rather than a mineral — and, therefore, not subject to U.S. mining law or eligible for mining claims. At the moment, these regulations only apply to asteroidal materials that have fallen to Earth as meteorites. However, they create a precedent that could adversely affect the plans of companies such as Planetary Resources, who intend to mine asteroids in space."
Interesting. Is this how to replace Journals?
Academia.Edu Overhauls Profiles As The Onus Falls On Researchers To Manage Their Personal Brands
Even though it’s taken for granted that you have to manage your own personal brand on the web, that still isn’t necessarily the case in the slower-moving world of academia.
But it’s starting to happen, with individual brands beginning to eclipse the importance of being published in a well-known (and often exorbitantly expensive) journal. Academia.edu, a social network for professors and researchers, is taking advantage of this by overhauling its profile pages.
The company’s CEO Richard Price says that academics are starting to want more of a direct connection with their audiences. So Academia.edu’s new profiles let researchers showcase their best work and track analytics on views and followers.
… “We’re shifting away from a world where the journal industry sits between the academic and the audience,” Price said. “We’re now moving to a world that’s more reflective of social media, where the academic is becoming the key node of distribution of research.”
As for Academia.edu itself, the site is approaching 2 million users with 4,000 joining every day.