Tuesday, March 31, 2015

After the fact, will your security practices look as dumb as this one?
No, Human Resource Advantage. You do not get to put an unencrypted thumb drive with employee records in the regular mail to TrustHCS and then claim you take the security of personal information in your control “very seriously.”
From your own investigation, that drive contained names, Social Security numbers, dates of birth, bank account information, postal and email addresses, and any leave of absence requests, including those submitted under the Family Medical Leave Act for several current and former employees of TrustHCS.
Heck, there wasn’t even any password protection (not that that would have done much).
“Very seriously?”
No way.
And where were you in all this, TrustHCS? Did your contract with Human Resource Advantage permit them to send you sensitive employee records without any encryption or protection? If it did, why? And if it didn’t, are you still using them?


For my Computer Security students. What if this is just practice? Also should be food for thought for my Risk Analysis students.
Turkey Investigates Cause of Worst Power Outages in 15 Years
The most extensive power failure in 15 years disrupted services across Turkey, with the prime minister saying all possible causes including terrorism were being investigated.
… Yildiz ruled out insufficient energy supply, while saying he couldn’t yet exclude the possibility of a cyber attack. The ministry was also investigating whether a disruption at a power plant in Izmit could have created a “domino effect” of power failures nationwide, he said.
… The nationwide failures expose vulnerability in Turkey’s electricity infrastructure, according to Aaron Stein, an associate fellow at the Royal United Services Institute, who wrote about the subject in a report published this year by Edam, an Istanbul-based think tank.
“Turkey has yet to formulate a policy regarding the defense of critical national infrastructure,” Stein said by e-mail from Geneva today. “Turkey has never defined critical national infrastructure and therefore does not have a national plan to defend these non-defined sites.”

(Related) You have to exercise your talents.
Why experts think China launched the cyberattacks against GitHub
… The attack began when an individual or group hacked software used by Baidu, China’s largest search engine. The attackers altered the software Baidu uses to serve ads on Chinese websites, causing Baidu users’ computers to automatically and repeatedly connect to other sites. The attack was invisible, so Baidu users didn’t know that their browsers were hammering away at other servers.
That flood of traffic was directed toward two anti-censorship tools hosted on GitHub. One is a piece of software developed by GreatFire, a non-profit group that monitors censorship in China. The Chinese government harshly restricts what websites its people may visit, and has repeatedly censored products from Google and other Western companies in recent years. The other tool under attack allows Chinese users to access a translated version of The New York Times, which is blocked in China. It isn’t known who is behind the software that copies the Times’s content.

(Related)
Rutgers University Faces China And Ukraine In ‘March Madness’ DDoS Attack
… In an email sent out Sunday to tens of thousands of Rutgers students at 2:30PM EST, approximately an hour after the university's website went down for 15 minutes, Rutgers vice president of Information Technology Don Smith acknowledged the cyberattack, saying "The Rutgers Office of Information Technology (OIT) has been working around the clock to resolve service interruptions caused by a Distributed Denial of Service (DDOS) that began Friday afternoon."
Reports are saying that although certain tools used by Rutgers students and faculty have been affected — for instance, the university's Sakai learning software was not available off-campus on Sunday — the university has not detected any thefts of personal or confidential information up until this point.


Guidelines for my Ethical Hackers.
PCI Security Standards Council Releases Guidance on Pen Testing
The report, available here, was developed by a PCI Special Interest Group of industry experts and is aimed at organizations of all sizes, budgets and sectors. Specifically, the guidance focuses on understanding the different components comprising a penetration test and how they differ from a vulnerability scan in terms of scope, application and network layer testing, segmentation checks and social engineering. It also provides advice on determining the qualifications of a pen tester as well as information related to the "three primary parts of a penetration test": pre-engagement, engagement and post-engagement.


Important because my Computer Security students will monitor activity to locate threats and forecast operational issues before they result in failures. We will need to know where the line is to avoid crossing it.
In an investigation report released today, B.C. Information and Privacy Commissioner Elizabeth Denham is recommending that the District of Saanich disable key features of its employee monitoring software including keystroke logging, automated screen shots and continuous tracking of computer program activity because they violate the privacy rights of employees and elected officials.
Commissioner Denham has also recommended the District destroy all data collected by the software, Spector 360. The District has agreed to do so following the conclusion of the Commissioner’s investigation.
“Public bodies have a responsibility to secure and protect their computers and networked systems against internal and external threats, however they must also respect an employee’s legal right to privacy,” said Commissioner Denham.
… “The District can only collect personal information that is directly related to and necessary for the protection of IT systems and infrastructure. An employee’s every keystroke and email, or screen captures of computing activities at 30-second intervals clearly exceeds that purpose and is not authorized by privacy law.”
The Commissioner also found that the District failed to provide adequate notice to employees and elected officials about the amount and type of personal information it was collecting.
… Investigation Report F15-01: Use of employee monitoring software by the District of Saanich is available for download at: https://www.oipc.bc.ca/report/investigation-reports/


A lot of little dips into the Big Data pool.
Microsoft: Just Three Enterprises Impacted by Law Enforcement Requests in 2H 2014
In its transparency report, Microsoft said that the total number of law enforcement requests received in the second half of 2014 was 31,002, bringing to the total for the year to 65,496, down from 72,279 in 2013.
Of the data provided to law enforcement, which requires a court order or a warrant, 3 percent was content customers created, shared or stored on Microsoft services, such as email. The remaining 97 percent of data disclosed was non-content data, Microsoft said, including things such as name, email address, state, country, ZIP code and IP address captured at the time of registration.


Have we just outlawed news helicopters?
Eugene Volokh writes:
Does the First Amendment include a right to gather information using flying drones? The federal trial court decision in Rivera v. Foley (D. Conn. Mar. 23) is to my knowledge the first court decision to consider the matter, and it’s largely skeptical of the First Amendment claim — though of course it won’t be the last word on the subject, both because it is just a trial court opinion, and because it mostly holds that any right to use drones wasn’t “clearly established” at the time of the events.
Read more on The Volokh Conspiracy.
[From the article:
The court concluded that no right to gather information through videorecording had been recognized under Supreme Court and Second Circuit precedent. (Several decisions from other circuits have recognized such a right, but two others have held that no such right was clearly established at the time of those decisions, and in any event the Second Circuit, in which this particular case arose, hadn’t spoken.)
But the court went further, concluding that, even if a right to videorecord was recognized, it did not clearly extend to hovering above — even 150 feet above — “the site of a major motor vehicle accident and the responding officers within it, effectively trespassing onto an active crime scene.”


Big Data and Analytics?
IBM’s latest big bet: $3 billion on the Internet of things
Imagine adjusting store merchandising based on whether it will rain or snow over the next 48 hours. Alerting auto insurance policy holders to find shelter as a hailstorm approaches. Or anticipating spikes in electricity demand, using temperature and humidity metrics to consider historical data.
Those are just three scenarios made possible through a new global, strategic relationship between IBM and The Weather Company, parent of the Weather Channel and WSI, which licenses forecast information to businesses.
… Right now, IBM figures that up to 90% of the data generated by devices such as appliances, connected vehicles, smartphones and other connected devices is never analyzed.
… Among other things, IBM will train at least 10,000 consultants on data services in the coming months, including 5,000 weather specialists. It will also fund market development, research and development, and additional alliances, he said. “We are looking at non-traditional sources, data sources that people have had trouble integrating into operational systems,” Cawley said.
… Another high-profile example is Oracle’s buyout of Datalogix, which collects insights about more than $2 trillion in consumer spending that could serve as the foundation for new marketing services. Expect more of the same from Google, Microsoft, and Amazon Web Services.
“All of these guys are racing to find companies to partner with that have these huge sources of data,” Gens said. “It will become an arms race of who can accumulate the most valuable sources.”


Something to tease my Business Intelligence students?
The Importance of Data Occupations in the U.S. Economy
Economics & Statistics Administration, Department of Commerce. By William Hawk, Regina Powers, Economists, and Robert Rubinovitz Deputy Chief Economist Economics and Statistics Administration Office of the Chief Economist. ESA Issue Brief #01 -15. March 12, 2015.
“The growing importance of data in the economy is hard to dispute. But what does this mean for workers and jobs? A lot, as it turns out: higher paying (over $40/hour), faster growing jobs. In this report we identify occupations where data analysis and processing are central to the work performed and measure the size of employment and earnings in these occupations, as well as in the industries that have the highest concentration of these data occupations. Key findings of the report include:
• Employment where data is central to the job was about 10.3 million in 2013 (of which 1.6 million were government workers), or about 7.8 percent of all employment. However, including occupations where working with data is at least an important part of the job dramatically increases that number: to 74.3 million jobs, or over half of the workforce.
• Hourly wages for private-sector workers in data occupations, which are concentrated in the broad categories of business and computer/mathematical occupations, averaged $40.30 in 2013, about 68 percent higher than for all occupations.
• For these top data occupations, two-thirds or more of the workers have at least a college degree; in comparison about one-third of workers across all occupations have a bachelor’s degree or higher.


That's “suspects,” not those wearing bracelets in lieu of jail. (This “suspect” is “a recidivist sex offender.” Apparently, the bracelet was seen as an extension of the “always let law enforcement know where you are” laws.)
Orin Kerr writes:
The case is Grady v. North Carolina. Held: Forcing someone to wear an ankle bracelet to monitor location is a Fourth Amendment search. The new decision extends the Jones search doctrine to searches of persons, and it provides more opportunity to ponder what the Jones test means. I’ll start with the history, then discuss the new decision, and then offer some thoughts on the new case.
Read more on The Volokh Conspiracy.


Interesting.
Daniel Solove writes:
Does scholarship really have an impact? For a long time, naysayers have attacked scholarship, especially scholarship about law. U.S. Supreme Court Chief Justice Roberts once remarked: “Pick up a copy of any law review that you see, and the first article is likely to be, you know, the influence of Immanuel Kant on evidentiary approaches in 18th Century Bulgaria, or something.” He noted that when the academy addresses legal issues at “a particularly abstract, philosophical level . . . they shouldn’t expect that it would be of any particular help or even interest to the members of the practice of the bar or judges.” Judge Harry Edwards also has attacked legal scholarship as largely irrelevant.
Critics are quick to point out that much legal scholarship is not cited much — and many articles are never even cited by anyone other than the authors themselves in subsequent works.
But I think that a lot can be learned from the story of one of the most influential law articles of all. That article was Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review 193 (1890).
Read more on Concurring Opinions.
Related: Orin Kerr has now uploaded a short paper to SSRN called, “The Influence of Immanuel Kant on Evidentiary Approaches in Eighteenth Century Bulgaria.” As Orin writes, “Well, someone had to do it.”


...or perhaps Russia needs to sell the gas? They don't have enough storage and they can't shut down the wells.
Why Russia suddenly wants to supply cheap gas to Ukraine
… So why is Russia suddenly offering to help the country it has spent the past few months undermining?
Last week the European Commission sent a letter to the Russian government asking it to consider granting Kiev a discount on its gas from Russia, such as abolishing the export duty, which now costs $100 per thousand cubic metres of gas.
The Russian response — requesting Gazprom lower its prices for Ukraine — hints that Russia is seeking to cool tensions in the region to wriggle out of international sanctions as it attempts to pull itself out of a deep economic downturn.


For my Android toting students.
WhatsApp Voice Calls Open To All - No Invites Needed
Today however, the voice call feature is literally open for all.
The feature has currently been rolled out to the Android platform, so others may need to wait a bit.
To download the update if your Play Store hasn’t prompted you yet, you can head over to APK Mirror and download the file or if you want to play it official then go to the WhatsApp Website to download it. If you are someone who plays by the book and would wait for the automatic update then it may take a day or so for it to be available on the Google Play Store.


For my cable cutting students, but many are public domain so I might find a use for them in the classroom.
5 Lesser-Known Free Sites for Watching TV Shows


Funny that they reached the same conclusion we have.
What MIT Is Learning About Online Courses and Working from Home
“Virtual work” is increasingly just “work” for most of us – whether we’re dialing into a conference call with our branch offices in London and New York, or VPN-ing in from home to catch up with work after-hours, remote work is the new normal.
What we’re seeing most recently, and what I’m very excited about, is going from that linear model to a much more non-linear idea. The digital learning experience is becoming really a collection of inter-related learning nuggets, that you might take very different paths through, depending who you are and what your needs are, and how you learn most effectively. So that’s where I’m seeing some interesting changes happening.


Tools for my toolkit.
Convert PDFs to Google Docs to Differentiate Instructional Materials
Recently, we discovered a feature of Google Drive that has changed how we prepare and access materials and resources for our students. As we attempt to make all curricula digital and thus make it available to all students, the idea of using PDFs was always a problem. PDFs are just not editable in most situations, and this was an issue when it came to modifying and differentiating documents. Adobe Acrobat was our “go to” application for this type of conversion, but it was costly and often hard to come by in an educational setting. Note: We still use Adobe Acrobat for complex projects or documents that do not convert well in Google Drive. With the most recent update to Google Drive, OCR (Optical Character Recognition) capabilities are better and easier than ever.
  1. Open and sign into Google Drive.
  2. Upload a PDF document to your Drive.
  3. Right-click on the document once it is uploaded.
  4. Choose Open with > Google Docs.
The original PDF remains in your Drive and a new, converted document is created. You can open your new document and rename, edit, annotate, share, etc. just as you can do with any other Google Doc, Slides or Sheets. This works best with PDF documents that are clear and mostly text-based. Tables, images and formatted text can be a bit of a challenge for Google Docs (images and tables tend to end up on one page and text on a separate page), but I am sure it’ll get even better and easier in the next update.
