Tuesday, September 16, 2014

It's very hard to change a culture.
The Veterans Administration continues to struggle with securing veterans’ personal and protected health information, as its monthly reports to Congress reflect. First, consider the sheer number of different types of incidents reported to Congress for the month of August:
Total number of Internal Un-encrypted E-mail Incidents 92
Total number of Mis-Handling Incidents 114
Total number of Mis-Mailed Incidents 138
Total number of Mis-Mailed CMOP Incidents 9
Total number of IT Equipment Inventory Incidents 9
Total number of Missing/Stolen PC Incidents 1 (1 encrypted)
Total number of Missing/Stolen Laptop Incidents 9 (9 encrypted)
Total number of Lost BlackBerry Incidents 17
Total number of Lost Non-BlackBerry Mobile Devices
(Tablets, iPhones, Androids, etc.) Incidents 3


Mobile is a drop in he bucket. The vast majority of “endpoints” will exist on the Internet of Things. Unfortunately, each new “generation” of devices ignores security in the early iterations. Then we play catch up for the next few years.
Focus of Endpoint Breaches Will Shift to Mobile Devices by 2017: Gartner
At the Gartner Security and Risk Management Summit taking place in the United Arab Emirates, the IT research and advisory firm's analysts are discussing the latest mobile security trends and threats.
Gartner predicts that mobile devices will become increasingly targeted by cybercriminals in the upcoming years, and warned organizations of some risks they face unless they take measures. Gartner believes that by 2015, over 75% of mobile applications will fail basic security tests.
While currently most attacks target desktop devices, Gartner predicts that the focus of endpoint breaches will shift to mobile devices such as tablets and smartphones.


Seems like a fast response, but remember: each new generation repeats the sins of the previous generation. If you remember that, you know what questions to ask. Unfortunately, you also know what the answers will be.
Sam Colt reports:
Connecticut’s attorney general has called for a meeting with Apple over concerns about the privacy of health data collected by the Apple Watch.
“When new technologies emerge in consumer markets they inevitably lead to new questions, including questions about privacy,” Attorney General Jepsen said.
Apple has already said that it will not share health information from Apple Watch users. CEO Tim Cook reiterated that on Friday in his interview with Charlie Rose on PBS.
Still, Jepsen has questions for Apple about how the health data will be stored and what specific data the Apple Watch will be able to collect. He also questions how Apple will monitor third-party apps that claim to make diagnoses if they don’t have proper approval from government regulators.
Read more on Business Insider.


More threats? More likely, “we can, therefore we must!”
Google Transparency Report Shows Jump in Data Requests
Demands for Google users' data have shot up 150 percent worldwide since 2009, according to the latest edition of Google's Transparency report.
According to Google, there has been a 250 percent increase during that period in the U.S. In the first half of this year, demands for information in the U.S. jumped 19 percent.


What does a 20% error rate mean? 20% of the time it can't identify me from a picture or 20% of the time it identifies me as “Hillary Clinton?”
From EPIC:
The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached “full operational capability.” In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge the Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to “Rap Back,” the FBI’s ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC’s recent Spotlight on Surveillance concluded that NGI has “far-reaching implications for personal privacy and the risks of mass surveillance.” For more information, see EPIC: EPIC v. FBI – Next Generation identification.


What is going on here? A very small minority of customers that don't allow them to analyze their behavior for advertising? Some confusion in their legal department?
Comcast Is Threatening To Cut Off Customers Who Use Tor, The Web Browser For Criminals (CMCSA)
Multiple users of anonymous web browser Tor have reported that Comcast has threatened to cut off their internet service unless they stop using the legal software.
According to a report on Deepdotweb, Comcast customer representatives have branded Tor "illegal" and told customers that using it is against the company's policies.
… One Comcast representative, identified only as Kelly, warned a customer over his use of Tor software, DeepDotWeb reports:
Users who try to use anonymity, or cover themselves up on the internet, are usually doing things that aren’t so-to-speak legal. We have the right to terminate, fine, or suspend your account at anytime due to you violating the rules. Do you have any other questions? Thank you for contacting Comcast, have a great day.
… In a statement to Deepdotweb, Comcast defended its actions, seemingly asserting that it needs to be able to monitor internet traffic in case they receive a court order:

(Related)
April Glaser writes that Comcast has responded to allegations previously noted on this blog:
This morning Comcast issued a statement denying that the ISP is blocking Tor and denying that there is any record of exchanges between Comcast and Tor users. The Vice President went as far as to say that he also uses Tor at times, adding, “Comcast doesn’t monitor our customer’s browser software, web surfing or online history.”
But considering the fact that Comcast hasn’t always been completely transparent about its network practices, we still invite Internet users to contact us if they’ve been discouraged from using Tor by any Internet service provider. To do so, please email info@eff.org to share your story.
Read more on EFF.


Perspective. Today's “worst case scenario” is tomorrows commonplace.
Adrienne Hill reports:
Education, like pretty much everything else in our lives these days, is driven by data.
Our childrens’ data. A whole lot of it.
Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used.
The story begins at the bus stop.
Read more on MarketPlace.


A slightly different take on the nude celebrity photos here in the US. Involves BYOD and syncing with workplace devices.
Israeli teacher in nude Web photos to return to classroom
A week after nude pictures of an Israeli high school teacher were posted online, the mother of two plans to return to class Tuesday as debate here swirls over issues of privacy, law and digital decorum.
… The high school is one of several in Israel replacing textbooks with computer tablets. The teacher lent her tablet to a pupil who had forgotten hers. Another classmate snooping around the photos file found several nude pictures, snapped them with his cellphone camera and passed them on.
The teacher was further shocked to learn that images long deleted from her phone were on the school-issued device, which pulled them from the cloud as she synced it with her phone and electronic mail as instructed by the program’s computer managers, who reportedly did not mention any information sensitivity issues.
… In January, the parliament, or Knesset, voted to make online circulation of intimate images without the subject’s full consent an act of sexual harassment that can carry a five-year jail sentence.
Being a minor does not protect the 17-year-old student from criminal law, according to the teacher's attorney, Orit Hayoun, who expects the police to investigate the case and the school to discipline the offender and stand by its employee.
… The attorney said that although depicting his client naked, the pictures were innocuous. “We don’t live in the dark ages,” she said. [Apparently, here in the US, we do. Bob]


Perspective. Something to generalize?
Rethinking the Bank Branch in a Digital World
More US bank branches closed in 2013 than ever before. More than 85% of retail banking transactions are now digital. The bank branch is “going south,” mobile-banking entrepreneur Brett King said to CNBC. “And there’s no reason to assume we’ll see a resurgence of activity at the branch—the mobile app is the nail in the coffin.”
So are we witnessing the death throes of brick-and-mortar retail banking? Will banking soon be like the business of selling recorded music—almost all done online?
In our view, no. Rather than going the way of Tower Records, leading banks are reinventing themselves with innovative mashups of digital technologies and physical facilities, a combination we call “digical.”


Another infographic for my Computer Security students.
How To Stay Anonymous Online In 2014


An “old school” business plan? Weave an image into fabric. Make everything from T-shirts to wallpaper to baby blankies to socks with your face on them.
Before Computers, People Programmed Looms

No comments: