So what do we call it? A “drive-by?” Even worse: Putin thinks this will stimulate the Russian economy.
Russian Tanks in Ukraine, but US Won’t Say ‘Invasion’
Thousands of Russian troops have crossed into eastern Ukraine in recent days, along with columns of tanks, artillery and air-defense systems, according to NATO’s top commander.
By nearly every definition – indeed, according to the Oxford dictionary – the act of armed forces crossing the border would constitute an invasion.
But the Obama administration has noticeably avoided using the word to describe Russia’s apparent action (Russia denies any of its troops or military equipment are in Ukraine). Instead, U.S. officials have resorted to terms like “incursion” or even more contorted rhetorical gymnastics.
If I was the suspicious type, which I have been trained to be, I might think this was a deliberate backdoor into Windows. Even so, it's amazing that it took 19 years for someone outside of the NSA to find it.
Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95
…
IBM researcher Robert Freeman described the vulnerability as “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”
According to Freeman, the bug relies on a vulnerability in VBScript, which was introduced in Internet Explorer 3.0. Even today, the bug is impervious to Microsoft’s anti-exploitation tools (known as Enhanced Mitigation Experience Toolkit) and the sandboxing features in Internet Explorer 11.
The good news is that there’s no evidence of anyone actually exploiting this vulnerability in the wild, and doing so would be technically tricky. [Good hacking technique: erase the evidence! Bob]
For discussion in my Computer Security class.
The Veterans Administration has introduced a new snapshot element to their monthly reports to Congress, and it’s informative. For the month of October, they report:
- Intrusion Attempts (Blocked): 12,148,205
- Malware (Blocked/Contained): 206,564,180
- Suspicious/Malicious Emails (Blocked): 71,598,834
- Infected Medical Devices (Contained)**: 27
- Outgoing Unencrypted Emails (Blocked): 96
** Running total of medical device infections for which remediation efforts are underway
In terms of reported breach/incidents for the month, they report:
- Lost and Stolen Devices: 52
- Lost PIV Cards: 131
- Mishandled Incidents: 128
- Mis-mailed Incidents: 146
The incidents resulted in:
- 765 VETERANS AFFECTED
- 229 Notifications
- 536 Credit Protection Services Offered
The VA notes: “Of the total # of Veterans affected, 640 were in relation to protected health information incidents, reported to HHS in accordance with the HITECH Act.”
You can read details of the incidents in the full report.
Not a large breach, but the “third party” here is a law firm.
Heather Graf reports that Seattle Public Schools has notified parents of approximately 8,000 students of a breach involving their records. Most of the students involved are special education students.
According to King5 News, the notification states, in part:
“Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed.”
The person to whom the records were mistakenly released contacted the district to report the breach.
You can read more on King5 News. There does not appear to be any notice up on the Seattle Public Schools web site at this time.
The district has reportedly notified the U.S. Education Department of the breach to seek their assistance in investigating how the breach happened. I’d be surprised if they got any real assistance of that kind, but I’d be happy to be wrong about that.
Most people know that students’ education records are protected under FERPA, but for special education students, another federal law, the Individuals with Disabilities Education Act (IDEA) also applies. IDEA has provisions requiring confidentiality of records. Unlike FERPA, however, IDEA is enforced by the state’s education agency, not the U.S. Education Department.
So what might the consequences of this breach be? The law firm who exposed the information got fired. That’s unusual, but I do think that needs to be headlined so that law firms get the message that their clients are serious about data protection. Other than that, I don’t really expect anything else. A complaint to USED under FERPA might result in an educative letter to the District without any other consequences, and a complaint to the state is unlikely to result in any consequences for the district.
Could the FTC initiate an investigation and/or enforcement action against the law firm? I cannot think of any data security cases involving law firms, can you?
In other words, this is likely to be just another day in the education sector.
I think, in some instances, she is correct.
Margo Schlanger has written a great article forthcoming in the Harvard National Security Journal about intelligence legalism, an ethical framework she sees underlying NSA surveillance. Margo makes the case that NSA and the executive branch haven’t been asking what the right surveillance practices should be, but rather what surveillance practices are allowed to be.
…
In the model of legalism that Margo sees the NSA following, any spying that is not legally prohibited is also right and good because ethics is synonymous with following the rules. Her critique of “intelligence legalism” is that the rules are the bare minimum, and merely following the rules doesn’t take civil liberties concerns seriously enough.
Leaves much to be desired...
Marianne Le Moullec writes:
The Article 29 Working Party, which is composed of representatives of DPAs from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.
Read more on Proskauer Privacy Law Blog.
I'm going to go way out on a limb here and suggest that nothing written by lawyers is written for “users.” Everything is written with that court clash in mind.
Facebook released proposed changes to its policy Thursday and created a tutorial to answer questions about privacy. But the changes don't do anything to alter what data Facebook collects.
…
The proposed policy is 2,700 words, down from 9,000. Facebook will be taking comments and questions about the new policy for the next seven days. The announcement included a new "Privacy Basics" guide to help users understand who can see information that is posted.
Curious. This will be fun to implement.
Jeff Kosseff writes:
The Ninth Circuit recently issued two opinions addressing whether companies should require customers to explicitly agree to key provisions of user terms and other policies.
On Monday, a unanimous three-judge panel issued an opinion in Knutson v. Sirius XM Radio. In this case, the plaintiff purchased a Toyota that included a trial subscription to Sirius. About a month after his trial subscription began, he received a Welcome Kit that included a customer agreement with an arbitration clause.
[...]
The Knutson decision comes a few months after the Ninth Circuit’s opinion in Nguyen v. Barnes & Noble, Inc., in which the Ninth Circuit refused to enforce an arbitration clause on Barnes & Noble’s website’s terms of use. The terms were made available to users via a link at the bottom of each page of the website. But the site did not require users to affirmatively agree to the terms, such as by checking a box or clicking “I agree.”
Read more on Covington & Burling InsidePrivacy.
I think this judge is smart.
A federal court has ruled that country code domain names such as .us and .uk aren’t property and can’t be seized as part of a court process.
Victims of terrorism from Iran, Syria and North Korea had asked the U.S. District Court for the District of Columbia to force the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) — which handles domain names online — to hand over control of those countries’ domain names, which are .ir, .sy and .kp, respectively.
…
This week, Judge Royce Lamberth tossed that argument out.
Country code top-level domains (ccTLDs) "are not property" that can be seized, he ruled, because they “cannot be conceptualized apart from the services provided” by the domain name managers.
Do they view this as an arms race? Will they insist on air-to-air missiles? How long before they go nuclear?
John Surico writes:
Imagine a small drone fluttering its way across the East River in New York City. Undetectable by radar, it’s headed toward midtown Manhattan, and equipped with a destructive arsenal of weapons. Or a chemical agent. Or explosives. Or on a collision course with a jetliner. A hovering warcraft that can take out hundreds, if not thousands, of American citizens, controlled by a not-too-distant terrorist organization, and ready to unleash death from above on suspecting New Yorkers.
Sounds terrifying, right? According to top New York Police Department brass, this kind of nightmare scenario could be in Gotham’s not-too-distant future.
Last week, CBS News reported that the largest municipal police force in the country is seriously considering weaponized drones as the newest security threat to terrorists’ favorite target.
Read more on Vice.
A tidbit from MakeUseOf's collection of short items.
MPAA Tells You Where To Watch TV
A new website has launched detailing where you can watch your favorite movies and TV shows online. And this particular one, WhereToWatch.com, has been put together by the Motion Picture Association of America (MPAA), those crazy cats who protect the interests of Hollywood.
As you may expect, Where To Watch only features legal sources for movies and TV shows, such as Netflix and iTunes. It also doesn’t have any advertising, which should win it some imaginary Internet points. As Re/Code points out, its one failing is a lack of pay TV listings, which actually makes it perfect for cord-cutters.
“Information Governance,” the next big thing?
Symantec – Government agencies and private sector businesses are drowning in information
Navigating Information Governance – “In addition to managing the growing variety, velocity, and volume of data, they must:
- Meet information transparency objectives
- Respond quickly to eDiscovery requirements
- Manage Freedom of Information Act (FOIA) requests and internal investigations
- Comply with records management regulations
With data requirements skyrocketing, how can organizations leverage information governance to meet this tidal wave head on while ensuring data security? To find out, Symantec recently surveyed 152 Federal government and 153 private sector attorneys, IT executives, FOIA agents, and records managers to examine barriers to and benefits of achieving true enterprise-wide information governance.”
Today’s information governance is inadequate:
- Nearly three-quarters of respondents’ organizations (74%) have a formal, enterprise-wide information governance strategy, but just one in five say it’s very effective
Data security is at risk:
- Just 37% give their organizations an “A” for data protection, 28% for data discovery, and 26% for data management
- Forty-four percent of respondents say that data security and protection is the single largest information governance risk their organizations will face if not addressed
Organizations must make investments in technology and training:
- Respondents believe their organization should take the following steps to ensure effective, enterprise-wide information governance programs: Improve training (46%), educate end users on the importance of records (46%), and improve technology (43%)
- During the next two years, organizations say they are most likely to invest in security software, document management, data loss prevention, and backup.”