Part of any security plan is a review for any indications of a breach. We never assume our defenses will be perfect. Their investigation found signs of the breach; why weren't they using those tools all the time?
Customers may be singing, “You got mud on your face, you big disgrace” when they receive a breach notification from GlamGlow, the latest business to disclose that it had a breach more than one year ago that they’ve only recently discovered. The notification letter begins:
We recently became aware that an unauthorized party accessed the glamglowmud.com website and acquired certain personal information of some of our customers. After learning of the issue, we launched an investigation and retained outside experts to help us understand the nature and scope of the issue. Based on the investigation, we believe the incident occurred between September 19 and September 21, 2014 and May 12 and May 15, 2015. The affected information may have included names; addresses; telephone numbers; payment card numbers, expiration dates and security codes; email addresses; and GlamGlow account passwords.
Those notified are being offered one year of services with Equifax Credit WatchTM Gold. In the meantime, check your statements for signs of fraud, and change your passwords if you’ve reused your GlamGlow password anywhere else.
How often is too often? How big is too big? How sensitive is too sensitive? When does bad security rise to a level that attracts regulatory attention? A clear threshold would be nice.
Priya Anand reports:
Consumer and data privacy advocates are asking federal regulators to investigate the breach at credit bureau Experian, which compromised the personal information of millions of T-Mobile customers.
“We believe that it is incumbent on the regulatory agencies to fully investigate this breach, including whether other Experian databases have been breached,” they wrote in a letter to the Federal Trade Commission and Consumer Financial Protection Bureau, a watchdog agency. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster.”
Read more on MarketWatch.
Well, maybe now the FTC will do something. It’s nice to see others urging an investigation. I wish they had spoken up back in 2012 when I first disclosed Experian’s repeated breaches involving their credit report database, but better late than never.
A contract with your clients?
Mark McGreary writes:
New innovations come hand in hand with new privacy issues. [I respectfully disagree. Bob] Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app. Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.
Fordham University in New York hosted its Ninth Law and Information Society Symposium last week [May 13th, actually Bob] where policy and technology leaders came together to discuss current privacy pitfalls and solutions. Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.” She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.” The privacy policy still matters because it protects businesses from the risks associated with having a high level of data.
Read more on Fox Rothschild Privacy Compliance & Data Security. I love this line:
Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial.
Indeed. How many enforcement actions have we seen by the FTC (including the Wyndham case) where the FTC quoted the firm’s privacy policy and argued that the entity did not live up to the assurances it had made to consumers? If your policy promises “industry standard” data security, are you living up to that promise? If not, I think you can reasonably expect to be sued in the event of a data breach involving identity information.
[It looks like Fordham videoed everything: http://livestream.com/internetsociety/solvingprivacy ]
Any Privacy Policy here? When is “consent” not voluntary?
Dana DiFilippo reports:
…. Bucks County officials announced the new database – the first of its kind nationally – at a news conference yesterday at the county courthouse in Doylestown, recounting case after case in which the new database solved crimes that might have gone cold with few other clues.
[…]
The new system – in which authorities can swab suspects for DNA even before they’re arrested – might raise the eyebrows of privacy-protective civil-rights advocates. The state database maintained by the Pennsylvania State Police, for example, contains DNA only from convicted offenders.
But Harran emphasized that suspects must consent to be swabbed, unless officers can persuade a judge for a court order.
“People think it’s ‘Big Brother,’ ” Harran said, referring to a character in a popular dystopian novel about government oppression. “It’s not. It’s an all-voluntary program. People can say no. Thank God criminals are stupid” and usually consent.
Read more on Philly.com.
Being religious is not being godly.
WTH?
Joe Cadillic is all over this one (some typos corrected by me):
According to an Arizona Dept. of Child Safety document, churches are working with social workers to spy on families and they’re also using “Child Safety and Risk Assessments“.
According to a Tuscon.com article, church leaders are openly encouraged to collaborate with the gov’t. The article goes on to explain how religious organizations will spy on families and help the gov’t decide whether they should remove a child from their family!
“Called The Care Portal, the online tool allows DCS caseworkers who know of a specific need of a child or family to submit that request via email to nearby churches enrolled in the system.”
Read more on MassPrivateI.
Does this solve everything?
Sacramento – Today, in a landmark victory for Californians’ digital privacy rights, Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA, SB 178) into law. The bill, jointly authored by Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), updates the state’s privacy laws for the digital age by protecting Californians against warrantless surveillance of their digital information.
“Governor Brown just signed a law that says ‘no’ to warrantless government snooping in our digital information. This is a landmark win for digital privacy and all Californians,” said Nicole Ozer, Technology & Civil Liberties Policy Director at the ACLU of California. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”
… CalECPA updates California’s privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police get a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here: www.aclunc.org/calecpa.
SOURCE: ACLU of Northern California
Better than England? But only one city, so far.
Zheping Huang reports:
During China’s National Day holidays this month, almost 8 million tourists visited Beijing in just four days—and the Chinese government kept a close watch on every one of them as they toured the capital’s streets.
Beijing police added new surveillance cameras ahead of the holiday, and have expanded coverage in the city to “100 percent” for the first time ever, to “tighten the capital’s security” and “avoid crimes in crowds,” state-run China Daily reported.
Read more on Quartz.
Is there a report that says they work?
Joe Cadillic starts with this statement:
According to a National Academies of Sciences, Engineering, and Medicine (NAS) report, airport X-ray body scanners are safe.
but then proceeds to question how unbiased and independent the report really is.
You can read what he found and his 10 reasons not to trust the NAS report on his blog, MassPrivateI.
A calculated PR stunt?
Chris Mandle reports:
The photo agency responsible for the nude photos of Justin Bieber have denied claims the singer’s privacy was invaded as he stood on the decking of a remote holiday apartment.
Speaking to The Independent, a spokesman from FameFlynet UK said: “There’s no invasion of privacy” and would not comment on whether a long-lens was used to get the photos.
Bieber was photographed while on holiday in Bora Bora, walking from the inside of a seafront bungalow to the decking outside. Several photos show full-frontal nudity.
The pictures were published exclusively on New York Daily News, who covered Bieber’s crotch with a modesty bar, but the originals were leaked onto Twitter late last night and soon went viral.
Read more on The Independent.
If this would be an invasion of privacy for a female, it’s an invasion of privacy for Bieber. If it’s an invasion of privacy for a private (non-public) figure, it’s an invasion of privacy for a public figure or celebrity. We need to stop with the double standards. This is not just a matter of tackiness. If you sit quietly by while this happens to Bieber, why should you expect that your own privacy should be respected or protected?
“We weren’t really serious about that.”
This was a loser going in. If I encrypt my email (for example) and then my email provider encrypts it again, all they can decrypt is the gibberish I sent them. Would the government then go after them for “failing” to decrypt my message?
Obama administration opts not to force firms to decrypt data — for now
After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.
If I started a database like this one and charged just a couple of cents for each query, would I be competitive with the big boys?
Tami Abdollah of AP reports:
For years, police nationwide have used patrol car-mounted scanners to automatically photograph and log the whereabouts of peoples’ cars, uploading the images into databases they’ve used to identify suspects in crimes from theft to murder.
Nowadays, they are also increasingly buying access to expansive databases run by private companies whose repo men and tow-truck drivers photograph license plates of vehicles every day.
Civil libertarians and lawmakers are raising concerns about the latest practice, arguing that there are few, if any, protections against abuse [No risk for me to store the data, right? Bob] and that the private databases go back years at a time when agencies are limiting how long such information is stored.
Read more on WTOP.
Smartphones are the new credit cards. You need a device that accepts the phone's offer to pay – that would seem to be the bottleneck. Will you need a proprietary device for each phone/payment system combination?
Apple Pay Continues To Expand, Coming To Starbucks, KFC And Chili's
This one is not on Hillary. Why do I get the feeling that no one involved with this investigation has a clue how Computer Security (or any other form of security) is supposed to work? I try to teach my students to pay attention to any warnings about security.
Clinton e-mails were vulnerable to hackers, tech firm warned
A technology subcontractor that has worked on Hillary Rodham Clinton’s e-mail setup expressed concerns over the summer that the system was inadequately protected and vulnerable to hackers, a company official said Wednesday.
But the concerns were rebuffed by the company managing the Clinton account, Platte River Networks, which said it had been instructed by the FBI not to make changes. [I doubt this is what they meant. Bob]
… A Platte River Networks spokesman acknowledged receiving upgrade requests from Datto.
“It’s not that we ignored them, but the FBI had told us not to change or adjust anything,” the spokesman, Andy Boian, said.
Boian said, however, the company did not take Datto’s concerns to the FBI.
… The concerns expressed by Datto reflected worry that the system, which was still in use for the Clintons’ personal office in August, [Really? So they are making changes every day! Bob] could have been vulnerable to hackers who targeted it for its new notoriety amid the swirling controversy.
For my Computer Security students. They “yell” at your drone, thinking that will “freeze” it in place. If your drone loses your command signals, isn't it programmed to return to where it was launched?
UK firms develop drone-freezing ray
The Anti-UAV Defense System (Auds) works by covertly [Rather obvious actually. Bob] jamming a drone's signal, making it unresponsive.
After this disruption, the operator is likely to retrieve the drone believing that it has malfunctioned.
The system joins a host of recently announced technologies which can blast larger drones out of the sky.
… The Auds operator can then choose to freeze the drone just for a short time - to convince its owner that there's something wrong with it – or for a longer period, until its battery dies and it crashes.
Auds has been tested in the UK, the USA and France, said Mr Taylor, and government organisations in all three countries had been involved in those tests.
I find this difficult to understand. Did the software change how the engines worked or how the emissions were reported? Either way, I don't see how the company could miss this.
Volkswagen U.S. CEO Says He Didn’t Know in 2014 of Emissions Defeat Devices
… Michael Horn, head of Volkswagen Group of America, said during a congressional hearing on Thursday that he believed “a couple of software engineers” were responsible for software that allowed nearly a half million diesel-powered cars sold in the U.S. since 2008 to dupe emissions tests.
… House Republicans and Democrats alike decried Volkswagen’s long running deception with defeat-device software that made the auto makers’ diesel cars run cleaner during emissions testing than they did on the road. [Apparently, the cars can run clean. Perhaps it causes the engines excessive wear? Bob]
… Mr. Horn ruled out buying back vehicles from dealers. He said the cars are legal and safe to drive. [How can that be? Is this about extra pollution taxes? Bob] Volkswagen is focused on repairs, hoping to have a fix available next year, he added. A timetable for a U.S. recall isn’t yet set.
… On Thursday, German prosecutors raided Volkswagen offices and private homes, seizing documents and data storage devices that may shed light on who was involved in the engine software and any alterations to it.
… Volkswagen has so far set aside $7.3 billion to address the problem. Current Chief Executive Matthias Müller has said the cost will likely rise.
(Related)
… At one point, Horn was asked if he knew how the defeat devices work. "Personally, no. I’m not an engineer," he responded. Later, in response to a similar question, Horn was suddenly able to describe how the defeat devices were able to fool the EPA's tests, and mimicked turning a car's steering wheel. (One of the ways the offending software was able to recognize whether a car was being tested or not was to monitor the amount of movement in the steering wheel.) [Sounds like the software changed what it reported, not what actually happened in the engine. Bob]
This is a pretty significant failure. Have we become so incompetent that we can't train soldiers? Or perhaps we can't find potential soldiers to train? Or maybe Russia is right and we should never have declared the Assad government as evil.
Obama Administration Ends Pentagon Program to Train Syrian Rebels
The Obama administration has ended the Pentagon’s $500 million program to train and equip Syrian rebels, administration officials said on Friday, in an acknowledgment that the beleaguered program had failed to produce any kind of ground combat forces capable of taking on the Islamic State in Syria.
… The change makes official what those in the Pentagon and elsewhere in the administration have been saying for several weeks would most likely happen, particularly in the wake of revelations that the program at one point last month had only “four or five” trainees in the fight in Syria — a far cry from the plan formally started in December to prepare as many as 5,400 fighters this year, and 15,000 over the next three years.
Perspective. (Apparently, I'm still anti-social)
Social Media Usage: 2005-2015
by Sabrina I. Pacifici on Oct 8, 2015
“Nearly two-thirds of American adults (65%) use social networking sites, up from 7% when Pew Research Center began systematically tracking social media usage in 2005. Pew Research reports have documented in great detail how the rise of social media has affected such things as work, politics and political deliberation, communications patterns around the globe, as well as the way people get and share information about health, civic life, news consumption, communities, teenage life, parenting, dating and even people’s level of stress.”
(Related) An infographic.
Think Before You Tweet: Don’t Let Social Media Get You Fired
Nuts, just nuts.
Hack Education Weekly News
… “The U.S. Department of Education’s Office of Inspector General has pumped the brakes on competency-based education, partially due to concerns about the level of interaction between instructors and students in some of those programs,” Inside Higher Ed reports.
… “These states spend more on prisons than colleges.” (Saved you a click: Michigan, Oregon, Arizona, Vermont, Colorado, Pennsylvania, New Hampshire, Delaware, Rhode Island, Massachusetts, and Connecticut.)
… Via the AP: “The former CEO of Chicago Public Schools will plead guilty in an indictment that alleges she was involved in a scheme to steer $20 million worth of no-bid contracts to education companies in exchange for bribes and kickbacks, her attorney said Thursday.” [It's a Chicago thing. Bob]
… “Test Scores Under Common Core Show That ‘Proficient’ Varies by State,” NYT’s Motoko Rich reports.
… Via The Chronicle of Higher Education: “MIT Unveils ‘MicroMaster’s,’ Allowing Students to Get Half Their Degree From MOOCs.” (That is, a master’s degree in supply chain management.)
… The University of Phoenix has been barred from recruiting on military bases, says The Wall Street Journal, and troops will not be able to use federal money to pay for classes at the school.
… Via District Administration: “Of the 2,000 high school students in Albemarle County Public Schools, only 25 requested lockers last school year, as more students carry their devices and books in backpacks.” Instead of lockers: charging stations.