Friday, October 09, 2015

Part of any security plan is a review for any indications of a breach, We never assume our defenses will be perfect. Their investigation found signs of the breach, why weren't they using those tool all the time?
Customers may be singing, “You got mud on your face, you big disgrace” when they receive a breach notification from GlamGlow, the latest business to disclose that it had a breach more than one year ago that they’ve only recently discovered. The notification letter begins:
We recently became aware that an unauthorized party accessed the glamglowmud.com website and acquired certain personal information of some of our customers. After learning of the issue, we launched an investigation and retained outside experts to help us understand the nature and scope of the issue. Based on the investigation, we believe the incident occurred between September 19 and September 21, 2014 and May 12 and May 15, 2015. The affected information may have included names; addresses; telephone numbers; payment card numbers, expiration dates and security codes; email addresses; and GlamGlow account passwords.
Those notified are being offered one year of services with Equifax Credit WatchTM Gold. In the meantime, check your statements for signs of fraud, and change your passwords if you’ve reused your GlamGlow password anywhere else.




How often is too often? How big is too big? How sensitive is too sensitive? When does bad security rise to a level that attracts regulatory attention? A clear threshold would be nice.
Priya Anand reports:
Consumer and data privacy advocates are asking federal regulators to investigate the breach at credit bureau Experian, which compromised the personal information of millions of T-Mobile customers.
“We believe that it is incumbent on the regulatory agencies to fully investigate this breach, including whether other Experian databases have been breached,” they wrote in a letter to the Federal Trade Commission and Consumer Financial Protection Bureau, a watchdog agency. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster.”
Read more on MarketWatch.
Well, maybe now the FTC will do something. It’s nice to see others urging an investigation. I wish they had spoken up back in 2012 when I first disclosed Experian’s repeated breaches involving their credit report database, but better late than never.




A contract with your clients?
Mark McGreary writes:
New innovations come hand in hand with new privacy issues. [I respectfully disagree. Bob] Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app. Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.
Fordham University in New York hosted its Ninth Law and Information Society Symposium last week [May 13th, actually Bob] where policy and technology leaders came together to discuss current privacy pitfalls and solutions. Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.” She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.” The privacy policy still matters because it protects businesses from the risks associated with having a high level of data.
Read ore on Fox Rothschild Privacy Compliance & Data Security. I love this line:
Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial.
Indeed. How many enforcement actions have we seen by the FTC (including the Wyndham case) where the FTC quoted the firm’s privacy policy and argued that the entity did not live up to the assurances it had made to consumers? If your policy promises “industry standard” data security, are you living up to that promise? If not, I think you can reasonably expect to be sued in the event of a data breach involving identity information.
[It looks like Fordham videod everything: http://livestream.com/internetsociety/solvingprivacy




Any Privacy Policy here? When is “consent” not voluntary?
Dana DiFilippo reports:
…. Bucks County officials announced the new database – the first of its kind nationally – at a news conference yesterday at the county courthouse in Doylestown, recounting case after case in which the new database solved crimes that might have gone cold with few other clues.
[…]
The new system – in which authorities can swab suspects for DNA even before they’re arrested – might raise the eyebrows of privacy-protective civil-rights advocates. The state database maintained by the Pennsylvania State Police, for example, contains DNA only from convicted offenders.
But Harran emphasized that suspects must consent to be swabbed, unless officers can persuade a judge for a court order.
“People think it’s ‘Big Brother,’ ” Harran said, referring to a character in a popular dystopian novel about government oppression. “It’s not. It’s an all-voluntary program. People can say no. Thank God criminals are stupid” and usually consent.
Read more on Philly.com.




Being religious is not being godly.
WTH?
Joe Cadillic is all over this one (some typos corrected by me):
According to an Arizona Dept. of Child Safety document, churches are working with social workers to spy on families and they’re also using “Child Safety and Risk Assessments“.
According to a Tuscon.com article, church leaders are openly encouraged to collaborate with the gov’t. The article goes on to explain how religious organizations will spy on families and help the gov’t decide whether they should remove a child from their family!
“Called The Care Portal, the online tool allows DCS caseworkers who know of a specific need of a child or family to submit that request via email to nearby churches enrolled in the system.”
Read more on MassPrivateI.




Does this solve everything?
Sacramento – Today, in a landmark victory for Californians’ digital privacy rights, Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA, SB 178) into law. The bill, jointly authored by Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), updates the state’s privacy laws for the digital age by protecting Californians against warrantless surveillance of their digital information.
“Governor Brown just signed a law that says ‘no’ to warrantless government snooping in our digital information. This is a landmark win for digital privacy and all Californians,” said Nicole Ozer, Technology & Civil Liberties Policy Director at the ACLU of California. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”
… CalECPA updates California’s privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police get a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here: www.aclunc.org/calecpa.
SOURCE: ACLU of Northern California




Better than England? But only one city, so far.
Zheping Huang reports:
During China’s National Day holidays this month, almost 8 million tourists visited Beijing in just four days—and the Chinese government kept a close watch on every one of them as they toured the capital’s streets.
Beijing police added new surveillance cameras ahead of the holiday, and have expand coverage in the city to “100 percent” for the first time ever, to “tighten the capital’s security” and “avoid crimes in crowds,” state-run China Daily reported.
Read more on Quartz.




Is there a report that says they work?
Joe Cadillic starts with this statement:
According to a National Academies of Sciences, Engineering, and Medicine (NAS) report, airport X-ray body scanners are safe.
but then proceeds to question how unbiased and independent the report really is.
You can read what he found and his 10 reasons not to trust the NAS report on his blog, MassPrivateI.




A calculated PR stunt?
Chris Mandle reports:
The photo agency responsible for the nude photos of Justin Bieber have denied claims the singer’s privacy was invaded as he stood on the decking of a remote holiday apartment.
Speaking to The Independent, a spokesman from FameFlynet UK said: “There’s no invasion of privacy” and would not comment on whether a long-lens was used to get the photos.
Bieber was photographed while on holiday in Bora Bora, walking from the inside of a seafront bungalow to the decking outside. Several photos show full-frontal nudity.
The pictures were published exclusively on New York Daily News, who covered Bieber’s crotch with a modesty bar, but the originals were leaked onto Twitter late last night and soon went viral.
Read more on The Independent.
If this would be an invasion of privacy for a female, it’s an invasion of privacy for Bieber. If it’s an invasion of privacy for a private (non-public) figure, it’s an invasion of privacy for a public figure or celebrity. We need to stop with the double standards. This is not just a matter of tackiness. If you sit quietly by while this happens to Bieber, why should you expect that your own privacy should be respected or protected?




“We weren’t really serious about that.” This was a looser going in. If I encrypt my email (for example) and then my email provider encrypts it again, all they can decrypt is the gibberish I sent them. Would the government then go after them for “failing” to decrypt my message?
Obama administration opts not to force firms to decrypt data — for now
After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.




If I started a database like this one and charged just a couple of cents for each query, would I be competitive with the big boys?
Tami Abdollah of AP reports:
For years, police nationwide have used patrol car-mounted scanners to automatically photograph and log the whereabouts of peoples’ cars, uploading the images into databases they’ve used to identify suspects in crimes from theft to murder.
Nowadays, they are also increasingly buying access to expansive databases run by private companies whose repo men and tow-truck drivers photograph license plates of vehicles every day.
Civil libertarians and lawmakers are raising concerns about the latest practice, arguing that there are few, if any, protections against abuse [No risk for me to store the data, right? Bob] and that the private databases go back years at a time when agencies are limiting how long such information is stored.
Read more on WTOP.




Smartphones are the new credit cards. You need a device that accepts the phone's offer to pay – that would seem to be the bottleneck. Will you need a proprietary device for each phone/payment system combination?
Apple Pay Continues To Expand, Coming To Starbucks, KFC And Chili's




This one is not on Hillary. Why do I get the feeling that no one involved with this investigation has a clue how Computer Security (or any other form of security) is supposed to work. I try to teach my students to pay attention to any warnings about security.
Clinton e-mails were vulnerable to hackers, tech firm warned
A technology subcontractor that has worked on Hillary Rodham Clinton’s e-mail setup expressed concerns over the summer that the system was inadequately protected and vulnerable to hackers, a company official said Wednesday.
But the concerns were rebuffed by the company managing the Clinton account, Platte River Networks, which said it had been instructed by the FBI not to make changes. [I doubt this is what they meant. Bob]
… A Platte River Networks spokesman acknowledged receiving upgrade requests from Datto.
“It’s not that we ignored them, but the FBI had told us not to change or adjust anything,” the spokesman, Andy Boian, said.
Boian said, however, the company did not take Datto’s concerns to the FBI.
… The concerns expressed by Datto reflected worry that the system, which was still in use for the Clintons’ personal office in August, [Really? So they are making changes every day! Bob] could have been vulnerable to hackers who targeted it for its new notoriety amid the swirling controversy.




For my Computer Security students. They “yell” at your drone, thinking that will “freeze” it in place. If you drone loses your command signals, isn't it programmed to return to where it was launched?
UK firms develop drone-freezing ray
The Anti-UAV Defense System (Auds) works by covertly [Rather obvious actually. Bob] jamming a drone's signal, making it unresponsive.
After this disruption, the operator is likely to retrieve the drone believing that it has malfunctioned.
The system joins a host of recently announced technologies which can blast larger drones out of the sky.
… The Auds operator can then choose to freeze the drone just for a short time - to convince its owner that there's something wrong with it – or for a longer period, until its battery dies and it crashes.
Auds has been tested in the UK, the USA and France, said Mr Taylor, and government organisations in all three countries had been involved in those tests.




I find this difficult to understand. Did the software change how the engines worked or how the emissions were reported? Either way, I don't see how the company could miss this.
Volkswagen U.S. CEO Says He Didn’t Know in 2014 of Emissions Defeat Devices
… Michael Horn, head of Volkswagen Group of America, said during a congressional hearing on Thursday that he believed “a couple of software engineers” were responsible for software that allowed nearly a half million diesel-powered cars sold in the U.S. since 2008 to dupe emissions tests.
… House Republicans and Democrats alike decried Volkswagen’s long running deception with defeat-device software that made the auto makers’ diesel cars run cleaner during emissions testing than they did on the road. [Apparently, the cars can run clean. Perhaps it causes the engines excessive wear? Bob]
… Mr. Horn ruled out buying back vehicles from dealers. He said the cars are legal and safe to drive. [How can that be? Is this about extra pollution taxes? Bob] Volkswagen is focused on repairs, hoping to have a fix available next year, he added. A timetable for a U.S. recall isn’t yet set.
… On Thursday, German prosecutors raided Volkswagen offices and private homes, seizing documents and data storage devices that may shed light on who was involved in the engine software and any alterations to it.
… Volkswagen has so far set aside $7.3 billion to address the problem. Current Chief Executive Matthias Müller has said the cost will likely rise.


(Related)
Volkswagen America's CEO blames software engineers for emissions cheating scandal
… At one point, Horn was asked if he knew how the defeat devices work. "Personally, no. I’m not an engineer," he responded. Later, in response to a similar question, Horn was suddenly able to describe how the defeat devices were able to fool the EPA's tests, and mimicked turning a car's steering wheel. (One of the ways the offending software was able to recognize whether a car was being tested or not was to monitor the amount of movement in the steering wheel.) [Sounds like the software changed what it reported, not want actually happened in the engine. Bob]




This is a pretty significant failure. Have we become so incompetent that we can't train soldiers? Or perhaps we can't find potential soldiers to train? Or maybe Russia is right and we should never have declared the Assad government as evil.
Obama Administration Ends Pentagon Program to Train Syrian Rebels
The Obama administration has ended the Pentagon’s $500 million program to train and equip Syrian rebels, administration officials said on Friday, in an acknowledgment that the beleaguered program had failed to produce any kind of ground combat forces capable of taking on the Islamic State in Syria.
… The change makes official what those in the Pentagon and elsewhere in the administration have been saying for several weeks would most likely happen, particularly in the wake of revelations that the program at one point last month had only “four or five” trainees in the fight in Syria — a far cry from the plan formally started in December to prepare as many as 5,400 fighters this year, and 15,000 over the next three years.




Perspective. (Apparently, I'm still anti-social)
Social Media Usage: 2005-2015
by Sabrina I. Pacifici on Oct 8, 2015
“Nearly two-thirds of American adults (65%) use social networking sites, up from 7% when Pew Research Center began systematically tracking social media usage in 2005. Pew Research reports have documented in great detail how the rise of social media has affected such things as work, politics and political deliberation, communications patterns around the globe, as well as the way people get and share information about health, civic life, news consumption, communities, teenage life, parenting, dating and even people’s level of stress.”


(Related) An infographic.
Think Before You Tweet: Don’t Let Social Media Get You Fired




Nuts, just nuts.
Hack Education Weekly News
… “The U.S. Department of Education’s Office of Inspector General has pumped the brakes on competency-based education, partially due to concerns about the level of interaction between instructors and students in some of those programs,” Inside Higher Ed reports.
… “These states spend more on prisons than colleges.” (Saved you a click: Michigan, Oregon, Arizona, Vermont, Colorado, Pennsylvania, New Hampshire, Delaware, Rhode Island, Massachusetts, and Connecticut.)
Via the AP: “The former CEO of Chicago Public Schools will plead guilty in an indictment that alleges she was involved in a scheme to steer $20 million worth of no-bid contracts to education companies in exchange for bribes and kickbacks, her attorney said Thursday.” [It's a Chicago thing. Bob]
Via The Chronicle of Higher Education: “MIT Unveils ‘MicroMaster’s,’ Allowing Students to Get Half Their Degree From MOOCs.” (That is, a master’s degree in supply chain management.)
… The University of Phoenix has been barred from recruiting on military bases, says The Wall Street Journal, and troops will not be able to use federal money to pay for classes at the school.
Via District Administration: “Of the 2,000 high school students in Albemarle County Public Schools, only 25 requested lockers last school year, as more students carry their devices and books in backpacks.” Instead of lockers: charging stations.


No comments: