Saturday, September 20, 2014

One interesting and unusual security step.
Sheplers, the leading multi-channel western-wear retailer, today issued the following statement:
Sheplers has determined that our payment systems suffered a security breach in which hackers gained access to our systems and some of our customers’ payment card information was exposed. With the assistance of a leading computer security firm, we are continuing our investigation into this incident, and we are cooperating with law enforcement in their efforts to find the criminals responsible. Although our investigation continues, at the present time, we believe it is safe to use payment cards at Sheplers.
Our information to date indicates that the breach potentially impacts customers who used payment cards at Sheplers’ retail locations between June 11, 2014, and September 4, 2014. At this time, we do not believe that this incident affected our online webstore.
When we first received an informal tip from a financial institution suggesting the possibility of a breach, we hired a leading computer security firm to conduct a thorough investigation and suspended all electronic processing of payment cards for sales at our retail store locations until we could determine whether customer information was at risk.


Interesting collection of comments. I would say: remain humble, it will happen to you.
Feedback Friday: 56 Million Payment Cards Compromised in Home Depot Breach - Industry Reactions
… What types of security solutions should have been used by Home Depot? What are best practices for avoiding such incidents? What steps should the retail industry take? These are just some of the questions answered by members of the security industry.
And the Feedback Begins...


For my Computer Security students. How to defeat simple passwords. My Ethical Hackers must create a tool like this.
Is your security up to this challenge?
Simon Hartley reports:
Police are investigating after attempts were allegedly made to hack a nationwide patient database.
In an email obtained by the Otago Daily Times, Southern Primary Health Organisation clinical adviser Keith Abbott, of Dunedin, warned GPs and health organisations about the ”significant hacking attempt” on September 9.
He said the hacker tried to gain access to DrInfo, which is used by health boards, including the Southern District Health Board, medical centres and GPs around the country.
”Starting at 11am on September 9, in one case continuously lasting for 12 hours, a single IP [internet protocol] address has made over 20 million attempts to guess the passwords of practices, PHOs and DHBs in New Zealand,” Dr Abbott said.
Read more on Otago Daily Times.


For my Computer Security students. Physical security isn't perfect. (Imagine what someone who was not mentally ill might be able to do.)
Secret Service investigates after man jumps White House fence, reaches doors
A man jumped over the White House fence and made it to the front doors of the executive mansion before being apprehended on Friday, sparking an evacuation within the complex shortly after President Barack Obama departed for the weekend.
Omar J. Gonzales, a 42-year-old white male from Texas, made it onto the grounds at 7:20 EDT, a U.S. Secret Service spokesman said. Gonzales ignored commands to stop and was ultimately caught, unarmed, just inside the North Portico doors of the White House, one of the building's main entrances.


My weekly giggle...
Rolling Jubilee, a group that grew out of the Occupy Movement, announced this week that it has purchased “for about three cents on the dollar, of nearly four million dollars’ worth of private debt from Everest College, which is part of the for-profit Corinthian Colleges system. The debts had been incurred by more than two thousand students.” The group then notified students that some of their debt had been canceled. [For three cents on the dollar, there may be a viable business opportunity here. Or does that only work with failing schools? Bob]
Coursera is pursuing MOOCs-on-demand.
“We find the number of people who enroll for a class and immediately start taking it are twice as likely to complete it as those who enroll a month or two before it begins,” Koller explained.
A 95-page report from the American Institutes for Research (AIR) has evaluated LAUSD’s “Common Core Technology Project.” Only 1 teacher out of 245 classrooms reported using the Pearson curriculum. (It’s costing the district about $200 per device for a three-year licensing deal.) 80% of high schools reported they “rarely used the tablets.” The report found that the district was so busy dealing with the distribution of the iPads, it never really addressed using them in the classroom.
Spotify has data-mined what music college students listen to. [Was this necessary? Bob]

Friday, September 19, 2014

It's not always good to be “Number One.” From their statements, I still don't like how they are handling this breach. I'm not even sure they understand what happened to them.
With 56 Million Cards Compromised, Home Depot's Breach Is Bigger Than Target's
Home Depot announced that 56 million credit cards were compromised in a breach that lasted from April to September 2014—making this latest retail breach larger than Target’s 40-million card breach.
… Home Depot says the malware used in the attack has not been seen in previous attacks, describing the malware as “unique” and “custom-built.” This differs from reports during the investigation that experts believed the breach involved the same malware as the Target breach.
… Home Depot estimates that the breach has cost approximately $62 million, with more costs likely to come. The company believes it will be reimbursed $27 million thanks to its insurance coverage. Last month, Target announced that its breach cost the company $148 million, more than twice the amount Home Depot is estimating.
… Home Depot also announced that it has now “rolled out enhanced encryption of payment data” to all its stores in the United States, completing a project that was started at the beginning of this year.

(Related)
Home Depot Confirms: It’s The Largest Data Breach Ever
… Interestingly, Krebs On Security reported the new Home Depot breach figures actually would have been much larger, but the numbers were limited because the thieves chose to only attack self-checkout units.
“Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards,” the Krebs report said. “But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.” Krebs also reported that MasterCard is telling financial institutions that it “found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.”

(Related) “We can get plywood from Oregon to New Jersey in three days. Computer Security isn't that important.”
Home Depot: 56M Cards Impacted, Malware Contained
… As to the timeline, multiple financial institutions report that the alerts they’re receiving from Visa and MasterCard about specific credit and debit cards compromised in this breach suggest that the thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.


Imagine if this had happened to Congressional paychecks! (Not that those guys need the money) Makes a really good “bad example” for my Computer Security class. This can happen when you use the same password on multiple systems.
Susan Edelman and Philip Messing report:
A hacker stole the paychecks from four FDNY firefighters by breaking into a computer at their engine company, stealing their passwords — and then routing the dough to Russia, sources said on Wednesday.
The firefighters, from Staten Island’s Engine Co. 167, discovered that their paychecks hadn’t been direct-deposited into their bank accounts about three weeks ago, the sources said.
Read more on NY Post.


I'd like to see more. Are they saying that this information is Private, so they want to make it Public? Or is the concern that the police (“authorities” or “government” in this article) are screwing up the surveillance? Or that knowing where a police car was would cripple national security?
AP reports:
A California judge’s ruling against a tech entrepreneur seeking access to records kept secret in government databases detailing the comings and goings of millions of cars in the San Diego area via license plate scans was the second legal setback within a month for privacy advocates.
An initial ruling issued Thursday upheld the right of authorities to block the public from viewing information collected on vehicles by networks of cameras on stoplights and police cars. A judge will hear arguments Friday in the case before the ruling becomes final.


Another surveillance concern: phone cell towers.
Ashkan Soltani and Craig Timberg report:
As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. “Whoa, we’ve just been hit twice on this block,” he said, excitement rising in his voice, not far from FBI headquarters.
Then as the car passed the Federal Trade Commission’s limestone edifice, “Okay, we just got probed.” Then again, just a few minutes later, as the car moved between the Supreme Court and the Capitol, he said, “That’s the beginning of an interception.”
The man was Aaron Turner, chief executive of Integricell, a mobile security company.
Read more on Washington Post.
[From the article:
As Goldsmith acknowledges, if there are indeed IMSI catchers in the locations his company reported on Wednesday, the CryptoPhone cannot easily determine whether they are deployed by the U.S. government, a local police force, a foreign intelligence agency or some other entity.
Experts say the most common users of IMSI catchers are law enforcement agencies, but such surveillance gear has become so affordable and common that many security experts believe that criminals are using them to spy on targets, including perhaps the police themselves.


If you don't pay attention (manage) it is really easy to get it wrong. I'd be a lot happier if they simply “received” information from all of these entities.
GAO released yet another report on Healthcare.gov this week (the first one was noted here). From the highlights:
Enrollment through Healthcare.gov is supported by the exchange of information [What health information do they “exchange?” Bob] among many systems and entities. The Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key information technology (IT) systems supporting Healthcare.gov. These include, among others, the Federally Facilitated Marketplace (FFM) system, which facilitates eligibility and enrollment, plan management, and financial management, and the Federal Data Services Hub, which acts as the single portal for exchanging information between the FFM and other systems or external partners. CMS relies on a variety of federal, state, and private-sector entities to support Healthcare.gov activities. For example, it exchanges information with the Department of Defense, Department of Homeland Security, Department of Veterans Affairs, Internal Revenue Service, Office of Personnel Management, Peace Corps, and the Social Security Administration to help determine applicants’ eligibility for healthcare coverage and/or financial assistance. Healthcare.gov-related systems are also accessed and used by CMS contractors, issuers of qualified health plans, state agencies, and others.
[ … ]
For Full Report:


How does the FTC think about security?


Wasn't this resolved by the Walker case? If someone with a gun asked me to identify myself, I probably would. If they don't like my ID – perhaps because it's from another state – what can they do next?
Papers, Please! writes:
Last week a Los Angeles police officer detained the movie actress Danielle Watts and told her, “I have every right to ask for your ID…. You do not have a right to say ‘No’…. Somebody called, which gives me the right to be here, so it gives me the right to identify you by law.”
In the aftermath, the Los Angeles Police Protective League (LAPPL) has posted a false and misleading so-called “public service announcement” on the subject of Providing ID To Police Officers.
What happened to Ms. Watts, and what is our reading of the case law on these issues?
Read more on Papers, Please!


I'm trying to get the Security Club to build a wiki that points to all of these guides. (So I don't have to)
OWASP Releases New Testing Guide
The Open Web Application Security Project (OWASP) announced on Wednesday the availability of version 4 of the OWASP Testing Guide.
New chapters have been introduced for identity management testing, cryptography, error handling and client-side testing. The number of test cases has been increased from 64 to 87.
The OWASP Testing Guide Version 4 in PDF format is available here.


Useful tools. Might be real interesting to ask my students to flowchart their decision processes...
How To Create Stunning Flowcharts With Microsoft Word

Thursday, September 18, 2014

How should I interpret this? Home Depot has no record of the transactions involved? The breach is so big that it is easier to assume the entire population was involved than to accurately determine who was/was not involved? Neither Home Depot nor their lawyers have any idea how to manage a breach?
This just in:
Hogan Lovells, attorneys for Home Depot, sent the New Hampshire Attorney General a notification of the breach. Their letter, dated September 9, reiterates that they first learned of a possible breach on September 2 and confirmed it on September 9.
Home Depot still doesn’t have exact numbers, it seems. The letter says that “At this time we cannot determine how many residents of the state are affected.” Home Depot therefore notified every New Hampshire resident who used a payment card in their stores from April on, including an offer of free credit monitoring services.
You can read their notification (pdf) with the attached notice to consumers.


Local! Someone looking for a handy dumpster? Have these already been mined for personal information?
Jaclyn Allen reports that a passerby discovered boxes of folders with what appeared to be mortgage information files:
The folders have one company in common, Colorado First Commercial Mortgage, which has been out of business in Colorado for more than a decade.
But wait, there’s more, it seems. When the Sheriff’s office went to investigate, they discovered dozens of more boxes in back of the same complex.
Read more on The Denver Channel.


Ignorance is... well, ignorance.
Dian Schaffhauser reports:
Compared to parents in Malaysia, Poland and Italy, American parents look like babes in the woods when it comes to awareness of in-school data mining of their children’s information, including online behavior and email habits. Whereas 75 percent of Malaysians, 71 percent of Poles and 70 percent of Italians are aware of the practice, only 51 percent of parents in the United States know about it. But once they do know about it, more than nine out of 10 are “concerned or very concerned about the practice” and more than four out of five say they are likely to take action against the practice.
These results come from a set of surveys conducted by SafeGov.org among parents worldwide to understand their views on the benefits and risks of expanding in-school access to Internet applications such as email, document creation and group collaboration. In the United States, 540 people were surveyed online in August 2012 for a margin of error of ±4.16. In other countries the surveys were done in 2013 and 2014 for a margin of error that ranged from ±4.33 to ±5.67.
Read more on THE Journal


Riiiiiight...
Apple Won't Decrypt Your iPhone, Even if the Government Requests It
After the recent leak of nude celebrity photos, possibly due to an iCloud hack, it was reasonable to expect Apple to react at its iPhone event. Not a word was said about the incident during the event, but Tim Cook later said the company is taking additional steps to protect its users' security and privacy, and now, Apple is delivering on that promise.
We've noticed yesterday that Apple had strengthened its iCloud security with two-factor authentication; now, the company made public its updated Privacy Policy on an entirely new section of its website.
… Finally, Cook claims Apple has "never worked with any government agency from any country to create a backdoor in any of our products or services." "We have also never allowed access to our servers. And we never will," he writes.
The wording of that last paragraph is particularly interesting; when asked about its participation in NSA's PRISM program back in June 2013, Apple said it does not give any government agency "direct access" to its servers. "Any government agency requesting customer data must get a court order," Apple said at the time.
Now, Cook says flat out Apple has never allowed access to its servers — direct or not — and court orders are not mentioned.
That position is reiterated in a special section of Apple's new Privacy page, called "Government Information Requests". There, Apple goes a step further, claiming it cannot decrypt a user's phone (if it's protected by a passcode) even if a government requests it.
… There's a catch, though: even if Apple is unable to hand over the data from your phone, it can (and will, if asked via a court order) hand over the data from your iTunes or iCloud account.


Because only real 'Mericans should have guns. Not them thar A-rab-americans, or them Mes-i-can-americans or anyone else what ain't us.
Kelly Riddell reports:
The Obama administration quietly has been forcing new gun buyers to declare their race and ethnicity, a policy change that critics say provides little law enforcement value while creating the risk of privacy intrusions and racial profiling.
With little fanfare, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in 2012 amended its Form 4473 — the transactional record the government requires gun purchasers and sellers to fill out when buying a firearm — to identify buyers as either Hispanic, Latino or not. Then a buyer must check his or her race: Indian, Asian, black, Pacific Islander or white.
Read more on Washington Times.
Well, this should make a lot of heads explode – and put civil libertarians and the NRA on the same side of an issue.


“...Then we hit them with the “Your insurance is void” laser beam!”
New Radar Gun to Help Police Detect Texting Drivers
… A Virginia company is working on a device that detects the radio signals sent out from a vehicle when someone inside is using a cell phone.
The technology is able to differentiate text messaging from phone calls. Virginia law allows adults to talk on a cellphone while driving, but not send text messages.


Tools for self-surveillance.
iOS 8 Turns Your iPhone Into A Personal Healthcare Monitor


We offer classes to fix that...
Workers Don’t Have the Skills They Need – and They Know It
How do workers feel about the adequacy of their skills? Until now, few studies have examined their views. Today, a survey of employees is being released that provides strong confirmation of the notion that employees need better skills to do their jobs well, especially skills related to technology.
… The new survey, commissioned by Udemy, a company that provides online training courses, sharply challenges the view that the skills gap is a corporate fiction. Polling 1,000 randomly selected Americans between the ages of 18 and 65, the survey found that 61% of employees also feel that there is a skills gap. Specifically, 54% report that they do not already know everything they need to know in order to do their current jobs. Moreover, about one third of employees report that a lack of skills held them back from making more money; a third also report that inadequate skills caused them to miss a promotion or to not get a job.
The most important skills that employees are missing are computer and technical skills. Of those reporting that they needed skills for their current job, 33% reported lacking technical skills, including computer skills.


For my Data Analytics students.
IBM's Watson May Change the Face of Business Analytics
IBM on Tuesday announced Watson Analytics, a natural language-based cognitive service designed to provide businesses with instant access to powerful predictive and visual analytics tools.
It runs on desktop PCs and mobile devices.
Some features will be offered to beta testers within 30 days. IBM later this year will offer a variety of Watson Analytics freemium and premium packages.

(Related) Need I say more?
Algorithms Make Better Predictions — Except When They Don’t


A warning for my Math students?
People Are More Selfish and Dishonest After Doing Math
Research participants who had spent 15 minutes solving math problems were 4 times more likely to lie for personal gain in an ethics game than those who had answered randomly selected verbal questions from a standardized test, says a team led by Long Wang of the City University of Hong Kong. The act of calculating appears to crowd out people’s social and moral concerns, resulting in behavior that is more self-interested and even immoral. Stimuli such as family photos that prompt thoughts about social values appear to diminish these negative effects, the researchers say.


Just because...

Wednesday, September 17, 2014

If you don't manage your security, this could happen to you.
Brian Krebs reports:
C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.
Read more on KrebsOnSecurity.com.
I wonder when we’ll find out who the other two C&K clients were. They’d be wise to go public before Brian outs them.

(Related) If you do manage your security, it can still happen but you can detect it earlier and perhaps reduce the impact.
JPMorgan Shares Information on Recent Cyber Attacks
JPMorgan Chase, one of the largest banks in the United States, has confirmed that its systems were breached this summer, but investigators say there's no evidence that the attackers had gained access to highly sensitive information.
People familiar with the investigation have told The New York Times that the hackers penetrated roughly 90 of the company's servers between June and late July when the breach was detected. The attackers reportedly gained access to the details of one million customers and information on installed software after obtaining high-level administrative privileges, but an unnamed individual close to the matter said only names, addresses and phone numbers have been compromised.
There appears to be no evidence that social security numbers, financial information, or proprietary software have been obtained.


For my Computer Security students: This is why we try to teach every employee about security.
Ben Grubb reports:
Thousands of Australian computers are being locked up by hackers using malicious software that encrypts files and asks for a ransom to make them available again.
Fairfax Media understands Australian government agencies and a number of large enterprises and individuals have been successfully targeted by the scam.
Called “Cryptolocker” and “CryptoWall”, the “ransomware” comes in various forms with the CryptoWall version estimated by the government e-safety alert service Stay Smart Online to have infected approximately 20,000 Australian computers.
Read more on Sydney Morning Herald.
[From the article:
Computers are typically infected after victims click on a malicious link in an email purporting to be from Australia Post or Telstra.
… In order to help victims, two security firms have collaborated on a service called Decrypt Cryptolocker, which claims to decrypt files for free and has been hailed by Stay Smart Online. But Mr Bailey said the site didn't always work.
"We have seen this [website] work in some cases to be able to decrypt files and not for others," Mr Bailey said.
alleged Russian hacker Evgeniy Mikhailovich Bogachev, 30, was charged as the leader of a criminal ring responsible for the malware and another known as Gameover Zeus.
The US Federal Bureau of Investigation estimated Bogachev made $US100 million from his activities. [and you wonder why the bad guys like doing this? Bob]

(Related) Note that nothing this Corps does will stop employees from clicking on a bad link.
US Bolstering Cyber Defense With New Corps: NSA Chief
The US military is building a new cyber defense corps that can be used to protect the nation and possibly for offensive purposes, the commander of the unit said Tuesday.
National Security Agency director Michael Rogers, who also heads the US Cyber Command, said the 6,200-member unit should be fully operational by 2016, to bolster defenses against hackers and state-sponsored cyberattacks.
Rogers told a cybersecurity conference that the unit would be able to assist in protecting against cyberattacks on "critical infrastructure," which includes computer-controlled power grids, financial networks, transportation and other key sectors.


Can't wait until the government takes all our health care records public!
GAO has released a report on Healthcare.gov. Here are some of the highlights of the report:
While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls. CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections. However, Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions. While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the FFM [Federally Facilitated Marketplace - Dissent]. Specifically, CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network. An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development. Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.
[...]
What GAO Recommends
GAO is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. HHS concurred but disagreed in part with GAO’s assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.
For Full Report:
HEALTHCARE.GOV: Actions Needed to Address Weaknesses in Information Security and Privacy Controls GAO-14-730: Published: Sep 16, 2014. Publicly Released: Sep 16, 2014. (78 pp, pdf)


“We can, therefore we must!”
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable.
The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.
… Broadly, the term “Network Investigative Techniques,” (NIT) describes a method of surveillance that entails “hacking,” or the remote access of a computer to install malicious software without the knowledge or permission of the owner/operator. Once installed, malware controls the target computer.
The right Network Investigative Technique can cause a computer to perform any task the computer is capable of—covertly upload files, photographs and stored e-mails to an FBI controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).


Like Apps, “There's a business model for that.” e-Country Clubs, whoda thunk it?
Netropolitan the Social Media Site that Costs $9000 to Join
Netropolitan is a new hobnobbing social media network for the filthy rich and costs a peasantry $9,000 to join plus $3,000 each year in member fees.
Netropolitan calls itself an “online country club for people with more money than time” and was started by James Touchi-Peters who claimed that he wanted an “environment where you could talk about the finer things in life without backlash.”


A game for my students AFTER they complete the Final Exam.
– is an addictive little game which uses the images from the Reddit page “Earth Porn”. You have to find the emoji who is standing still among a sea of rapidly moving emojis. Once you do, you get to the next level. In the background are different pictures of beautiful scenes from around the world.


This might be useful for my Javascript programming students, if they can find or build a useful algorithm.
– is a platform for viewing, creating and sharing any type of algorithm. All algorithms on the site are public and can be viewed and shared by any user of the site. Registered users can create new algorithms or fork an existing one.


An article for my Ethical Hackers.
4 Things You Must Know About Those Rogue Cellphone Towers
… What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS. Every call. Every kilobyte of data sent?
It’s more likely than you think.


Tools & Techniques Interesting video for my Computer Security students.
ATM PIN Theft and the Mathematics of Systematic Guessing
The video below describes how an infrared device on iPhones can be used to steal Personal Identification Numbers (PINs) on ATM cards and credit cards. It is important that you watch this video because it also contains instructions on how to prevent theft.

Tuesday, September 16, 2014

It's very hard to change a culture.
The Veterans Administration continues to struggle with securing veterans’ personal and protected health information, as its monthly reports to Congress reflect. First, consider the sheer number of different types of incidents reported to Congress for the month of August:
Total number of Internal Un-encrypted E-mail Incidents 92
Total number of Mis-Handling Incidents 114
Total number of Mis-Mailed Incidents 138
Total number of Mis-Mailed CMOP Incidents 9
Total number of IT Equipment Inventory Incidents 9
Total number of Missing/Stolen PC Incidents 1 (1 encrypted)
Total number of Missing/Stolen Laptop Incidents 9 (9 encrypted)
Total number of Lost BlackBerry Incidents 17
Total number of Lost Non-BlackBerry Mobile Devices (Tablets, iPhones, Androids, etc.) Incidents 3


Mobile is a drop in the bucket. The vast majority of “endpoints” will exist on the Internet of Things. Unfortunately, each new “generation” of devices ignores security in the early iterations. Then we play catch up for the next few years.
Focus of Endpoint Breaches Will Shift to Mobile Devices by 2017: Gartner
At the Gartner Security and Risk Management Summit taking place in the United Arab Emirates, the IT research and advisory firm's analysts are discussing the latest mobile security trends and threats.
Gartner predicts that mobile devices will become increasingly targeted by cybercriminals in the upcoming years, and warned organizations of some risks they face unless they take measures. Gartner believes that by 2015, over 75% of mobile applications will fail basic security tests.
While currently most attacks target desktop devices, Gartner predicts that the focus of endpoint breaches will shift to mobile devices such as tablets and smartphones.


Seems like a fast response, but remember: each new generation repeats the sins of the previous generation. If you remember that, you know what questions to ask. Unfortunately, you also know what the answers will be.
Sam Colt reports:
Connecticut’s attorney general has called for a meeting with Apple over concerns about the privacy of health data collected by the Apple Watch.
“When new technologies emerge in consumer markets they inevitably lead to new questions, including questions about privacy,” Attorney General Jepsen said.
Apple has already said that it will not share health information from Apple Watch users. CEO Tim Cook reiterated that on Friday in his interview with Charlie Rose on PBS.
Still, Jepsen has questions for Apple about how the health data will be stored and what specific data the Apple Watch will be able to collect. He also questions how Apple will monitor third-party apps that claim to make diagnoses if they don’t have proper approval from government regulators.
Read more on Business Insider.


More threats? More likely, “we can, therefore we must!”
Google Transparency Report Shows Jump in Data Requests
Demands for Google users' data have shot up 150 percent worldwide since 2009, according to the latest edition of Google's Transparency report.
According to Google, there has been a 250 percent increase during that period in the U.S. In the first half of this year, demands for information in the U.S. jumped 19 percent.


What does a 20% error rate mean? 20% of the time it can't identify me from a picture or 20% of the time it identifies me as “Hillary Clinton?”
From EPIC:
The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached “full operational capability.” In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge the Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to “Rap Back,” the FBI’s ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC’s recent Spotlight on Surveillance concluded that NGI has “far-reaching implications for personal privacy and the risks of mass surveillance.” For more information, see EPIC: EPIC v. FBI – Next Generation identification.


What is going on here? A very small minority of customers that don't allow them to analyze their behavior for advertising? Some confusion in their legal department?
Comcast Is Threatening To Cut Off Customers Who Use Tor, The Web Browser For Criminals (CMCSA)
Multiple users of anonymous web browser Tor have reported that Comcast has threatened to cut off their internet service unless they stop using the legal software.
According to a report on Deepdotweb, Comcast customer representatives have branded Tor "illegal" and told customers that using it is against the company's policies.
… One Comcast representative, identified only as Kelly, warned a customer over his use of Tor software, DeepDotWeb reports:
Users who try to use anonymity, or cover themselves up on the internet, are usually doing things that aren’t so-to-speak legal. We have the right to terminate, fine, or suspend your account at anytime due to you violating the rules. Do you have any other questions? Thank you for contacting Comcast, have a great day.
… In a statement to Deepdotweb, Comcast defended its actions, seemingly asserting that it needs to be able to monitor internet traffic in case they receive a court order:

(Related)
April Glaser writes that Comcast has responded to allegations previously noted on this blog:
This morning Comcast issued a statement denying that the ISP is blocking Tor and denying that there is any record of exchanges between Comcast and Tor users. The Vice President went as far as to say that he also uses Tor at times, adding, “Comcast doesn’t monitor our customer’s browser software, web surfing or online history.”
But considering the fact that Comcast hasn’t always been completely transparent about its network practices, we still invite Internet users to contact us if they’ve been discouraged from using Tor by any Internet service provider. To do so, please email info@eff.org to share your story.
Read more on EFF.


Perspective. Today's “worst case scenario” is tomorrow's commonplace.
Adrienne Hill reports:
Education, like pretty much everything else in our lives these days, is driven by data.
Our children’s data. A whole lot of it.
Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used.
The story begins at the bus stop.
Read more on MarketPlace.


A slightly different take on the nude celebrity photos here in the US. Involves BYOD and syncing with workplace devices.
Israeli teacher in nude Web photos to return to classroom
A week after nude pictures of an Israeli high school teacher were posted online, the mother of two plans to return to class Tuesday as debate here swirls over issues of privacy, law and digital decorum.
… The high school is one of several in Israel replacing textbooks with computer tablets. The teacher lent her tablet to a pupil who had forgotten hers. Another classmate snooping around the photos file found several nude pictures, snapped them with his cellphone camera and passed them on.
The teacher was further shocked to learn that images long deleted from her phone were on the school-issued device, which pulled them from the cloud as she synced it with her phone and electronic mail as instructed by the program’s computer managers, who reportedly did not mention any information sensitivity issues.
… In January, the parliament, or Knesset, voted to make online circulation of intimate images without the subject’s full consent an act of sexual harassment that can carry a five-year jail sentence.
Being a minor does not protect the 17-year-old student from criminal law, according to the teacher's attorney, Orit Hayoun, who expects the police to investigate the case and the school to discipline the offender and stand by its employee.
… The attorney said that although depicting his client naked, the pictures were innocuous. “We don’t live in the dark ages,” she said. [Apparently, here in the US, we do. Bob]


Perspective. Something to generalize?
Rethinking the Bank Branch in a Digital World
More US bank branches closed in 2013 than ever before. More than 85% of retail banking transactions are now digital. The bank branch is “going south,” mobile-banking entrepreneur Brett King said to CNBC. “And there’s no reason to assume we’ll see a resurgence of activity at the branch—the mobile app is the nail in the coffin.”
So are we witnessing the death throes of brick-and-mortar retail banking? Will banking soon be like the business of selling recorded music—almost all done online?
In our view, no. Rather than going the way of Tower Records, leading banks are reinventing themselves with innovative mashups of digital technologies and physical facilities, a combination we call “digical.”


Another infographic for my Computer Security students.
How To Stay Anonymous Online In 2014


An “old school” business plan? Weave an image into fabric. Make everything from T-shirts to wallpaper to baby blankies to socks with your face on them.
Before Computers, People Programmed Looms

Monday, September 15, 2014

Yes. Absolutely. Every time.
Charles Mabbett of the Office of the New Zealand Privacy Commissioner raises a good question:
Is it acceptable for a lawyer acting for a client to send a very private communication to a work email address of the other party?
A complaint based on exactly this kind of scenario was made to the Legal Complaints Review Officer (LCRO) who provides independent oversight and review of the decisions made by the standards committees of the Law Society and the Society of Conveyancers.
In the complaint BO v DE from September last year, a lawyer acting for a man in a relationship property matter emailed a letter to the man’s ex-wife at her work address. The lawyer had been given the address by his client, the former husband.
According to the LCRO’s decision, the woman was furious at receiving “an intensely personal, embarrassing and defamatory” email at her work address. Through her lawyer, she demanded an apology from her ex-husband’s lawyer and she vigorously denied suggestions in the letter about alcohol abuse and gambling. The woman said the email and attachment had become the property of her employer, and others in her workplace might have access to it.
Read more on their blog to find out what the review concluded.


If Apple can send you a U2 album, they can send you advertising...
Yes: That U2 Album Means Apple Can Send Data To Your iPhone


If nothing else, you should never underestimate the ability of a geek to cause trouble.
Toby Manhire reports:
An already tumultuous New Zealand election campaign took another dramatic turn less than a week before polling day when the prime minister, John Key, responded angrily to claims by the American journalist Glenn Greenwald that he had been “deceiving the public” over assurances on spying.
Greenwald, who is visiting New Zealand at the invitation of the German internet entrepreneur Kim Dotcom, says he will produce documents provided by the NSA whistleblower Edward Snowden that prove the New Zealand government approved mass surveillance of its residents by the Government Communications Security Bureau (GCSB), New Zealand’s equivalent of the NSA.
Read more on The Guardian.


Do you have access to a piano?
Piano Maestro Offers a Fun Way to Learn to Read and Play Sheet Music
Piano Maestro (formerly known as Piano Mania) is a neat iPad app from Joy Tunes. The new Piano Maestro app offers lessons on playing the piano. Students place their iPads on their pianos or electronic keyboards to view the lesson as they play along. The app offers challenges of varying difficulty from simple one-hand lessons to complex lessons requiring the use of both hands. Students earn points for completing each lesson and mastering new songs. Teachers can check their students’ progress by having students use the “connect to teacher” feature of Piano Maestro.
Piano Maestro is free to download and access for basic lessons. More difficult lessons and the larger catalog of music require purchasing the premium features. But this fall Joy Tunes is offering Piano Maestro’s premium features for free to registered music teachers and their students. The premium features include a library of more than 800 songs including pop music songs from artists like Bruno Mars and Taylor Swift.


Dilbert illustrates that saying something does not make it so...