Tuesday, January 29, 2013

What strategic objective is being addressed by repeatedly crying “Wolf!??”
"Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet, InfoWorld reports. 'A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to U.S. citizens. The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but attacks are increasingly likely against civilian entities. U.S. banks and utilities have already been hit.'"
[One random comment:
Well, how else are you going to convince people that they should be spending huge sums of taxpayer money to help private industry do the computer security work they should have already done at their own expense?
But yes, it cheapens the meaning of the real 9/11 when you use it to scare people into responding to non-lethal threats. Apparently, banks and utilities have already been hit, and nobody outside of those organizations even noticed. That tells you how much of a non-threat it is.]


They keep sharing our secrets!
"Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, [Coincidence, I'm sure Bob] are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug and Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."


Just in time for Privacy Day...
January 28, 2013
Google’s approach to government requests for user data
Google Official Blog: "...January 28, is Data Privacy Day, when the world recognizes the importance of preserving your online privacy and security. If it’s like most other days, Google—like many companies that provide online services to users—will receive dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users’ private account information. Typically this happens in connection with government investigations. It’s important for law enforcement agencies to pursue illegal activity and keep the public safe. We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information... Today, for example, we’ve added a new section to our Transparency Report that answers many questions you might have. And last week we released data showing that government requests continue to rise, along with additional details on the U.S. legal processes—such as subpoenas, court orders and warrants—that governments use to compel us to provide this information."


Bad examples from good intentions? Does this suggest a lawyer who has never handled a data breach lawsuit?
Steven J. McDonald is General Counsel at Rhode Island School of Design and previously served as Associate Legal Counsel at The Ohio State University. On Data Privacy Day, he wrote a post on EDUCAUSE on FERPA that unintentionally demonstrates how imprecise standards are for data security and protection of student records. For example, he writes:
electronic records do raise unique security concerns, and FERPA does require us to address them. Even then, however, the standard is the same as for paper records: we must use “reasonable methods” to protect all student records. Just as it is appropriate to lock the file cabinet in which we maintain paper student records, it is appropriate to take steps to prevent unauthorized access to and disclosure of our electronic student records. How we do that, however, is largely up to us. In the words of the Family Policy Compliance Office:
[T]he standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs.
and:
an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
Should consider using? But they don’t have to, because there’s no law requiring them to if they don’t see a real risk of compromise or they just don’t have the resources.
And therein lies a big part of the rub. If a district is totally negligent in its security and your child’s education records are breached and their PII stolen or acquired, FERPA provides no cause of action for you to sue your child’s district.
But I totally disagree with his statement:
Dealing with electronic student records is thus really not terribly difficult, nor terribly different from dealing with other electronic records. The key is simply to think about these issues, rather than to just assume that the system will take care of them. If you have a good general data security program in place already, you’re probably in good shape when it comes to student records.
How many K-12 districts have good general data security programs in place? If you think they do, trot on over to the sister site, DataBreaches.net, and start looking at some of the audits I’ve posted over the years.
Does your district have a good security program? If you want to find out, send them the letter I published earlier today. [In this blog, yesterday Bob]


Do they write subpoenas in 140 characters?
From Twitter’s blog:
Last July we released our first Twitter Transparency Report (#TTR), publishing six months of data detailing the volume of government requests we receive for user information, government requests to withhold content, and Digital Millennium Copyright Act-related complaints from copyright holders.
Since then we’ve been thinking about ways in which we can more effectively share this information, with an aim to make it more meaningful and accessible to the community at large. In celebration of #DataPrivacyDay, today, we’re rolling out a new home for our transparency report: transparency.twitter.com.
In addition to publishing the second report, we’re also introducing more granular details regarding information requests from the United States, expanding the scope of the removal requests and copyright notices sections, and adding Twitter site accessibility data from our partners at Herdict.
Read more on Twitter.
