Tuesday, February 12, 2013

LOCAL “On the Internet, everybody knows you're a victim.” Privacy of victims is apparently not on the DA's checklist.
Survivors of the Colorado movie theater massacre have been harassed by conspiracy theorists who posted victims’ addresses and phone numbers online, prosecutors said in a motion to have the victims’ names redacted.
James Holmes is charged with murder and attempted murder in the midnight shooting that killed 12 people and wounded 58 others during the premiere of a Batman movie, “Dark Knight Rises.”
Arapahoe County Judge William Sylvester in November ordered names released of those injured and killed.
The media had claimed there would not be “any danger to the physical safety of any witnesses, or the substantial probability of attempted witness tampering.”
But Arapahoe County District Attorney George Brauchler said in his new motion last week that the victims’ personal information has made the rounds on the Internet, at the hands of skeptics who doubt that the July 20, 2012 shootings happened as reported.
“Since the time this case was filed, unforeseen events continue to adversely affect the lives of the victims and witnesses in this case,” Brauchler wrote in a Motion for Reconsideration.
Read more on Courthouse News.
Should the court shield survivors’ names because of conspiracy theorists or those who might use the disclosure to contact victims’ friends and family or survivors in ways that may be experienced as harassing? The prosecutors cite Colorado’s Victims’ Rights Act as their justification for the request.
It’s balancing act time, it seems. Which way do you think the balance should tip in this case?
[Don't blame the judge for releasing the names:
The original criminal complaint filed against Holmes contained a list of the names and addresses of dozens of witnesses and victims of the shootings.]


I can't let this go unanswered. This can only happen if you have no control over your operating environment. It requires that you have no way to identify who is doing what in your system. We MBA types call this “really bad management!”
Dan Raywood has a piece in SC Magazine about how long it takes to detect breaches:
Companies are still failing to detect data breaches and hacking incidents, with outsiders getting access and sitting on the corporate network for up to two years in some cases.
According to the Trustwave 2013 global security report, organisations fail to detect attacks and breaches, and EMEA Trustwave SpiderLabs director John Yeo said that this ‘exacerbates the data breach’. He said: “This is the point where an intrusion leads to a data breach; our investigation found that sometimes attackers spent two years living in the environment and exposing data records.”
Read more on SC Magazine.
I wonder how/whether the Trustwave and Verizon DBIR findings might be used in the lawsuit naming Trustwave for their role in the South Carolina Department of Revenue breach. The court is currently considering dismissing them as a defendant. Their findings might also be relevant should they be sued for their role in the more recent Jetro/Restaurant Depot breach.
As always, I guess we’ll have to wait to see.


How bad was it?
Risk Based Security and the Open Security Foundation released a report this morning, Data Breach QuickView: An Executive’s Guide to Data Breach Trends in 2012. The report summarizes some of the major statistics for 2012, based on analysis of the incidents compiled in OSF’s DataLossDB. As most readers know by now, I am involved in DataLossDB project, and I contributed to the writing of this report.
From the 2012 at a Glance:
  • The 2,644 incidents represent a 117.3% increase over the previous high mark recorded in 2011.
  • Over 267 million records were exposed. Over 150 million records were exposed in a single incident (Shanghai Roadway), setting a new record for number of records exposed in a breach or data loss incident.
  • The Business sector accounted for 60.6% of reported incidents, followed by Government (17.9%), Education (12.0%), and Medical (9.5%).
  • The Business sector accounted for 84.7% of the number of records exposed, followed by Government (12.6%), Education (1.6%), and Medical (1.1%).
  • The Data Services industry accounted for just 0.3% of incidents, but 56.2% of exposed records.
  • 76.8% of reported incidents were the result of external agents or activity outside the organization:
    • Hacking accounted for 68.2% of incidents and remained the #1 breach type for the second consecutive year. Hacking accounted for 22.8% of exposed records in 2012.
    • 7.3% of reported incidents involved a third party. These incidents accounted for 6.2% of the exposed records.
  • Insiders accounted for 19.5% of incidents and 66.7% of exposed records:
    • Insider wrong-doing accounted for 7.1% of reported incidents and 56.8% of exposed records.
    • Insider errors accounted for 8.9% of incidents and 5.1% of exposed records.
  • Breaches involving U.S. entities accounted for 40.7% of the incidents reported and 25.0% of the records exposed.
  • Individuals’ names, passwords, email addresses, and other miscellaneous data were exposed in nearly 45% of reported incidents. In combination, this data is more than enough information to commit identity fraud on a large scale.
  • 14.4% of breaches included a Social Security Number or Non-US Equivalent.
  • After removing the single incident of 150 million and any incidents for which we do not have the number of records exposed, on average, 55,863 records were exposed per incident in 2012.
You can download the report here. A more detailed analysis of the 2012 incidents will be available in a fuller report to be released next month.
Some of the statistics may appear to conflict with others’ reports or findings. As always, differences in methodology are important to appreciate, as is the impact of state laws on breach disclosures. As one example, the majority of state breach notification laws apply only to electronic records, not paper. The 2012 statistics, then, may be a significant underestimate for breaches involving paper records and for sectors such as the Education sector, where FERPA does not require breach notification and where state laws may or may not require notification under a “harm” threshold.


They keep saying this. It is clearly a rather amateurish attempt to “justify” new and intrusive “spying on Americans” laws.
U.S. said to be target of massive cyber-espionage campaign
A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report.
The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.


Would Google extend this courtesy to me?
Google warns journalists in Myanmar of state-sponsored email hacks
The New York Times reports that several journalists who cover Myanmar may have had their email accounts hacked by "state-sponsored attackers." Journalists in the country say that warnings from Google began appearing last week, and the Times says some journalists speculate that the attack could be linked to a conflict in the northern region of the country, where government troops have fought rebels for control of territory. Myanmar has only recently opened up restrictions on news media, which was tightly controlled during decades of military rule; the Times notes that the country now has successful weekly publications that have begun to report on topics that could make the government uncomfortable.


Amazingly hard to get students to plug numbers into the formulas in their textbooks. “It can't be that simple!”
"Children in the Baltic state will learn statistics based less on computation and doing math by hand and more on framing and interpreting problems, and thinking about validation and strategy. From the article: 'Jon McLoone is Content Director for computerbasedmath.org, a project to redefine school math education assuming the use of computers. The company announced a deal Monday with the Estonian Education ministry to trial a self-contained statistics program replacing the more traditional curriculum. “We are re-thinking computer education with the assumption that computers are the tools for computation,” said Mr. McLoone. “Schools are still focused on teaching hand calculating. Computation used to be the bottleneck. The hard part was solving the equations, so that was the skill you had to teach. These days that is the bit that computers can do. What computers can’t do is set up the problem, interpret the problem, think about validation and strategy. That is what we should be teaching and spending less time teaching children to be poor computers rather than good mathematicians.”'"

(Related)
"The January edition of Science, Technology & Human Values published an article titled, Technological Change and Professional Control in the Professoriate, that details interviews with 42 faculty members at three research-intensive universities. The research concludes that faculty have little interest in the latest IT solutions. 'I went to [a course management software workshop] and came away with the idea that the greatest thing you could do with that is put your syllabus on the Web and that's an awful lot of technology to hand the students a piece of paper at the start of the semester and say keep track of it,' said one. 'What are the gains for students by bringing IT into the class? There isn't any. You could teach all of chemistry with a whiteboard. I really don't think you need IT or anything beyond a pencil and a paper,' said another."


Another research resource?
FindPDF is a free to use website that gives you access to many publicly available PDF files. You simply enter the name of the document that you are looking for. If you do not have the exact name, then you can type in a few words and a keywords search is executed. Results are shown and you can click on them to view the documents online. Original documents can be downloaded as well from the website.
Similar sites: PDFSb, LocPDF, PDF Search Engine, Data-Sheet, and LivePDF.
