Concern: Was this a warm up for the Target breach? Now who is liable?

I live in Texas, and there’s a regional retailer that has just announced a data breach that is believed to have affected more than half a million customers. The announcement is controversial because the company, Spec’s, supposedly knew about the theft of payment card data almost a year ago and is just now telling customers. As you might imagine, people affected by this breach are rather upset. Let me lay out the details, as reported by the Houston Chronicle newspaper.

… On March 29, the Houston Chronicle reported that “a sophisticated computer scam” was perpetrated against the Spec’s retail payment system for a year and a half. The breach is believed to have started October 31, 2012, and continued as late as March of 2014. The article suggests that authorities within Spec’s knew early last year (2013) that the computer system had been compromised.

… According to a Spec’s spokesperson Jenifer Sarver, federal investigators had asked the retailer not to divulge any details during the ongoing investigation. Sarver said, “It took professional forensics investigators considerable time to find and understand the problem, then make recommendations for Spec’s to fully address and fix them.”
Poor security can haunt you even after you sell the company.

As I tweeted last night, Experian has sued the former owner/shareholder of Court Ventures over the mess Experian found itself in when it acquired Court Ventures and later learned that a criminal had been using a Court Ventures account to access a U.S. InfoSearch database with information on over 200 million Americans.

Today, Jim Finkle of Reuters reports on Experian’s cross-complaint in Court Ventures v. Experian, a lawsuit filed in Superior Court of California in Orange County. In today’s example of Extreme Chutzpah, it seems Court Ventures had sued Experian, seeking release of the escrow account created when Experian purchased Court Ventures. For its part, Experian counter-sued because Court Ventures had been notified of indemnification claims arising from the Ngo case. The escrow account is only a small portion of what was an $18 million acquisition.

In Experian’s cross-complaint, they raise claims against Court Ventures and its co-founder and shareholder Robert Gundling for breach of warranty, breach of contract, express contractual indemnification, promissory fraud, intentional misrepresentation, and negligent misrepresentation.

In their cross-complaint, Experian claims that Court Ventures misrepresented the credit header data that the service enabled clients to obtain through its relationship with U.S. InfoSearch. Experian claims that Court Ventures represented the credit header data as a service that would enable investigators to find an individual’s address for trace purposes. In actuality, Experian claims, when they checked logs after the Secret Service contacted them, Court Ventures clients – including Ngo – were able to input names and states and obtain the Social Security numbers of individuals with that name in that state. Parenthetically, I note this would be consistent with what Brian Krebs had reported: that a single query often produced records on multiple individuals.

When Experian discovered that credit header data was being used to obtain Social Security numbers, they immediately cut off the service for all users – including Ngo.

In addition to the complaint that Court Ventures did not verify Ngo’s (a/k/a Jason Low) bona fides as an investigator eligible to use the service, Experian’s cross-complaint also alleges that Court Ventures engaged in web scraping and other possibly illegal acts to obtain the records in its database, despite having assured Experian in the sales agreement that Court Ventures was in compliance with all laws and Experian would have no legal issues when it took over the business.

To date, and based on media reports by others, it appears that Experian has not notified any consumers about this breach and now claims that they don’t know whose data were stolen. That’s noteworthy because in December 2013, Tony Hadley of Experian informed Senator Rockefeller’s committee that Experian knew who these people (victims of Ngo’s activity) were and would protect them. Perhaps Senators Rockefeller and McCaskill should send another letter to Experian asking them to explain Mr. Hadley’s misrepresentations or errors.

Jim Finkle provides some additional details on the litigation on Reuters.
Articles like this do not make me comfortable that anyone is in control. Apparently DHS will give the local police money (grants) to purchase any toy that attracts them, and local politicians don't care enough to ask why they need it or how it works. Do they really believe they can turn this device on and instantly find missing children?

Joel Kurth and Lauren Abdel-Razzaq report:

Oakland County commissioners asked no questions last March before unanimously approving a cellphone tracking device so powerful it was used by the military to fight terrorists.

Now, though, some privacy advocates question why one of the safest counties in Michigan needs the super-secretive Hailstorm device that is believed to be able to collect large amounts of cellphone data, including the locations of users, by masquerading as a cell tower.

Read more on Detroit News.

[From the article:

The technology can track fugitives and find missing children, but privacy advocates said they worry because similar machines can collect data from innocent smartphone users.

… Oakland County, like other agencies, obtained Hailstorm using money from a U.S. Homeland Security grant.
On the other hand...

Allie Bohm writes:

On Monday, Utah became the first state to enact legislation simultaneously protecting location information and electronic communications content, regardless of age, from government access—ensuring that state and local law enforcement can only access that sensitive information when there is good reason to believe that it will reveal evidence of a crime, or in true emergencies.

Read more on ACLU’s blog.

[From the article:

This is notable for two reasons.
- First, these are the primary two reforms we seek to the outdated federal law that governs our privacy in the digital age, the Electronic Communications Privacy Act (ECPA).
- Second, Utah’s new law is also remarkable because of its breadth.
Once something gets on the Internet, you can never get it off, so make it searchable and only scholars will bother to read it. Or my students, writing about security.

Introducing the ACLU’s NSA Documents Database
by Sabrina I. Pacifici on April 3, 2014

By Emily Weinrebe, ACLU National Security Project: “The public debate over our government’s surveillance programs has reached remarkable heights since the first set of NSA disclosures in June 2013 based on documents leaked by Edward Snowden. Since then, additional disclosures by both the press and government have illuminated our government’s vast and invasive surveillance apparatus. These documents stand as primary source evidence of our government’s interpretation of its authority to engage in sweeping surveillance activities at home and abroad, and how it carries out that surveillance. The ACLU hopes to facilitate this debate by making these documents more easily accessible and understandable. Toward that end, today we are launching the NSA Documents Database. This tool will be an up-to-date, complete collection of previously secret NSA documents made public since last June. The database is designed to be easily searchable – by title, category, or content – so that the public, researchers, and journalists can readily home in on the information they are looking for. We have made all of the documents text-searchable to allow users to investigate particular key words or phrases. Alternatively, the filter function allows users to sort based on the type of surveillance involved, the specific legal authorities implicated, the purpose of the surveillance, or the source of the disclosure. For example, you can have the database return all documents that both pertain to “Section 215” and “Internal NSA/DOJ Legal Analysis.” We will update the database with new documents as they become available to the public.”
Deep Learning allows this software to learn how to recognize faces. What's next? Could be a security feature – the camera sees your face and signs you in...

Facebook working on facial recognition technology that can spot users from the side

Facebook is known for being creepy due to all its privacy issues, but the social network might seem extra creepy with its new facial recognition technology. There's a strong hate for facial recognition, and we doubt Facebook's implementation will make it any more acceptable.

Facebook's facial recognition software is quite advanced, probably something only the military or the NSA has access to. According to a new report from Facebook, the technology researchers are looking into has the ability to recognize a person's face just as accurately as a human being. If this is real, then the social network is turning into a scary place, and only a drastic change in Facebook's privacy policy and options could allow such software to move forward.

Bear in mind that Facebook has already implemented facial recognition in its software; you might have noticed it when tagging your friends or family in photos. However, this software is far from accurate, and many times requires the user to figure out who people are, manually.

The social network's new facial recognition software, now known as "DeepFace", is aimed at fixing the accuracy issue, along with recognizing a person even if their face is turned sideways.
So easy, even your three year old will be able to use it! Repeatedly! Voice or scan! Sign up for an invitation.

The free gadget that Amazon hopes will compel you to order more stuff — lots more stuff

Amazon just launched a slick-looking website for the Amazon Dash, a handheld gadget for adding products to your shopping list.

“Every member of the family can use Dash to easily add items to your AmazonFresh shopping list,” reads the site. Just aim the business end at the barcode on an empty peanut butter jar, press the scan button, and it retrieves the data from the code and beams it to the cloud. Next time you place an order with AmazonFresh, that peanut butter will already be on your shopping list.

I have to ask, if this had been done by the Berkman Center at Harvard, would people applaud?
The Fall of Internet Freedom: Meet the Company That Secretly Built ‘Cuban Twitter’

The United States discreetly supported the creation of a website and SMS service that was, basically, a Cuban version of Twitter, the Associated Press reported Thursday. ZunZuneo, as it was called, permitted Cubans to broadcast short text messages to each other. At its peak, ZunZuneo had 40,000 users.

And what government agency made ZunZuneo? It wasn’t the CIA. No, it was the U.S. Agency for International Development, USAID, working with various private companies, including the D.C. for-profit contractor Creative Associates and a small, Denver-based startup, Mobile Accord.
This is “hacking” in its pure form. “What happens when I do this?”

A 5-year-old San Diego boy has outwitted the sharpest minds at Microsoft — he's found a backdoor to the Xbox.

Kristoffer Von Hassel managed to log in to his father's Xbox Live account. When the password log-in screen appeared, Kristoffer simply hit the space button a few times and hit enter.

Robert Davies tells KGTV-TV (http://bit.ly/1hmrTan) that just after Christmas he noticed his son playing games he supposedly couldn't access.

Davies, who works in computer security, says he reported the issue to Microsoft, which fixed the bug and recently listed Kristoffer on its website as a "security researcher."
For my fellow geezers...

Pew – Older Adults and Technology Use
by Sabrina I. Pacifici on April 4, 2014

Aaron Smith – April 3, 2014: “America’s seniors have historically been late adopters to the world of technology compared to their younger compatriots, but their movement into digital life continues to deepen, according to newly released data from the Pew Research Center. In this report, we take advantage of a particularly large survey to conduct a unique exploration not only of technology use between Americans ages 65 or older and the rest of the population, but within the senior population as well. Two different groups of older Americans emerge. The first group (which leans toward younger, more highly educated, or more affluent seniors) has relatively substantial technology assets, and also has a positive view toward the benefits of online platforms. The other (which tends to be older and less affluent, often with significant challenges with health or disability) is largely disconnected from the world of digital tools and services, both physically and psychologically. As the internet plays an increasingly central role in connecting Americans of all ages to news and information, government services, health resources, and opportunities for social support, these divisions are noteworthy—particularly for the many organizations and individual caregivers who serve the older adult population.”
For my students

Bypass Georestrictions By Changing Your Smartphone’s DNS Settings

DNS tunneling services allow you to access geo-restricted services just by changing your DNS server. In other words, you can watch American Netflix or Hulu by changing one setting. Services like UnoDNS and Unblock-Us aren’t just for your computer. They’ll work on smartphones, tablets, and even game consoles.
We are in the “education business” like the shoemaker's children.

… New York State has pulled out of inBloom (which, according to Politico, leaves the data infrastructure organization with no customers). While some are hailing this as a victory for student privacy, Funnymonkey’s Bill Fitzgerald notes it’s “only good news for the other players in the space” – players like Pearson.

… “The University of Florida will pay Pearson Embanet an estimated $186 million over the life of its 11-year contract — a combination of direct payments and a share of tuition revenue — to help launch and manage the state’s first fully online, four-year degree program,” reports The Gainesville Sun. Phil Hill clarifies some of the numbers.

… Textbook publisher Cengage has emerged from bankruptcy.