Saturday, November 14, 2015

Another good “bad example” to share with my Computer Security students. Consider how this could go undetected for so long.
The breach in question may have begun in January, 2012, years before OH Muhlenberg acquired Muhlenberg Community Hospital, but it potentially impacted all patients, all payment guarantors, employees and some credentialed providers after that date and before OH Muhlenberg learned of the breach and contained it. This incident does not yet appear on HHS’s public breach tool, so the number potentially impacted is not known as of the time of this posting.
OH Muhlenberg, LLC issued the following press release today:
[ … ]
OH Muhlenberg, LLC acquired the Muhlenberg Community Hospital operations on July 1, 2015. Prior to that time, the hospital had been owned and operated by Muhlenberg Community Hospital since 1938. As part of the acquisition, OH Muhlenberg, LLC acquired substantially all of the assets of the hospital in Muhlenberg, including its computer systems, patient records and other records.
On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.
… Upon learning of the incident, the hospital took prompt steps to address and contain it, including immediately blocking the external unauthorized IP addresses, taking steps to disable the malware and continuing to enhance the security of its systems moving forward.
The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient’s bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such as health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. [ … ]




Bad for my Computer Security students, good for my Computer Forensics students.
Lucian Constantin reports:
Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.
Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.
Read more on PCWorld.




For my Computer Security students. This is not for amateurs. Consider the downside of attacking state sponsored hackers.
Hacking Back: Industry Reactions to Offensive Security Research
A good example of researchers “hacking back” is detailed in a report published this week by security firm Check Point. The company hacked into the phishing and C&C servers of the Iran-linked group dubbed Rocket Kitten (aka Newscaster), which led to the identification of victims and even an individual suspected of being the main developer.
[The report:
The complete report, titled “Rocket Kitten: A Campaign with 9 Lives” is available for download in PDF format.




Perhaps the FTC won't be leading the way to secure data, at least until they figure out what that means. Who made the decision to go after LabMD?
In a data security enforcement action that some have characterized as a modern version of David vs. Goliath, David won today, and the FTC lost. It was an enforcement action that the FTC never should have commenced, as I’ve argued repeatedly, and today’s loss may actually make future enforcement actions more difficult for them as the standard for demonstrating likelihood of substantial injury has now been addressed in this ruling.
Background
LabMD was a cancer detection laboratory whose security practices were designed to comply with HIPAA’s standards. The FTC opened an investigation into their data security practices after an employee violated their policies and downloaded P2P software that wound up exposing some patient information on the file-sharing network.
For that mistake – which wasn’t even a reportable breach under HIPAA back in 2008 – the FTC came down like a ton of bricks on them. In 2013, after LabMD steadfastly refused to sign a consent order, the FTC filed a complaint that included many of its now-common complaints about what constitutes “unreasonable” data security practices that put consumers at risk of substantial injury.
But the FTC’s case relied primarily on evidence by a third party, Tiversa, Inc., who had testified to Congress and to the FTC that a LabMD file with patient information had been exposed on a file-sharing network and had been downloaded by others. That testimony turned out not to be credible.
But the FTC had taken Tiversa’s testimony and asked some experts to assess the risk of substantial harm to consumers. The experts, however, were told to assume that the breach had occurred. As it turned out, the data had not been downloaded by anyone other than Tiversa. In time, the FTC informed the administrative law judge hearing the complaint that they would not rely on Tiversa’s original testimony nor on their expert witnesses’ statements. Instead, they argued that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury – even though there was no evidence that the data had ever been shared or that even one consumer had been harmed.
By then, LabMD had closed its doors to new testing, crushed under the weight and expense of fighting the FTC. [Will they ever recover any of that? Probably as likely as the FTC apologizing... Bob]
Today, Administrative Law Judge Michael Chappell issued his ruling in FTC v. LabMD. It is a somewhat startling ruling for its veiled criticisms of the FTC commissioners’ actions.
On the main issues, though, Judge Chappell summarizes his ruling:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
[…]
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
I’ve uploaded the entire ruling here (pdf), and I’m sure there will be more discussion and analysis later, but this is just so stunning that I wanted to get the news out immediately.




What is “notification” today? Do we need to use every possible means? Is there a hierarchy?
I’m not sure that posting a breach notification on a Facebook page is sufficient when you also have a web site where you could post the announcement. Assuming everyone is on Facebook is risky.
Case in point: Common Market in Union, Maine, posted this on their Facebook page on October 30.
ATTENTION COMMON MARKET CUSTOMERS
We recently learned that there has been a breach of Debit and Credit Card data in our area. The Common Market was one of the stores compromised. Please keep a close eye on your Debit and/or Credit Card transactions for the last couple of months (from August 12 to October 26) for any suspicious activities or charges that you do not recognize. Contact your bank immediately if you see any suspicious activity.
We have been in close contact with our Debit/Credit card processor and they have taken steps to make sure our system is now secure.
We sincerely apologize for any inconvenience this has caused.
That FB post shows up in a scrolling feed on their web site, but if someone didn’t happen to check the site before it scrolled down, they might miss it.
While I commend Common Market for their transparency in notifying their customers, I would encourage ALL entities to post such disclosures on the home page of their web sites or prominently linked from the home page of their web sites.




Should become the basis for many interesting scenarios. If I understand the process, the terrorist in Paris could have sent messages to thousands of innocent people telling them to “begin the attack.” If that message went out at 3AM for example, most of the recipients would never have seen it and would be very surprised when the SWAT teams blew their front door down.
Soon, You Could Receive a Facebook Message That Disappears Before You Read It
Facebook is testing a new feature on Facebook Messenger in France that allows users to create messages that self-destruct an hour after they're sent. (Yes, you read that right: they disappear an hour after they're sent, not read.)
It's the first time a disappearing messaging feature has been available on the platform, and it's a clear indication that the company will continue to compete with Snapchat, the app that brought disappearing messages to the forefront. (Facebook tried, unsuccessfully, to acquire the company in 2013.)
… This latest attempt is different, primarily because it adds ephemerality as a feature to an existing app instead of requiring users to download a new one. But in practical terms, it seems pretty messy. Say you send someone an ephemeral message through Facebook Messenger, but they don't see it for a few hours. Does this mean your message will self-destruct before it's ever opened?
Apparently, yes.




For my student who asked me this week (the 6th week of the quarter) “What textbook?”
Search Any Book With Google – It’s Finally Legal!
… Google Books Library Project makes the complete text from all books searchable. When you search for a keyword or phrase in a book, the Search Engine Results Page (SERP) returns basic bibliographic information about the book and relevant snippets of context around the keywords.
If a book is out of copyright you can read and download the whole book. Sometimes publishers even give permission for their books (or portions of them) to be available on Google Books – including popular ones.
… This ruling is popular among fans of Google Books, but the implications reach farther than that. Non-profits, libraries, and software developers today have a much greater understanding of how Fair Use can protect them, and that’s great news. As Dan Cohen wrote in The Atlantic, this ruling could lead to all sorts of innovations:
Because many institutions want to avoid legal and financial risk, many possible uses that the courts would find fair — including a number of non-commercial, educational uses — are simply never attempted. A clearer fair-use principle, with stronger support from the courts, will make libraries and similar organizations more confident about pursuing forms of broader digital access.




So I make that (80.7 / 2,800 = 0.0288) a 2.88% return. Of course they could raise tolls every year.
Canadian consortium buys Chicago Skyway lease rights for $2.8 billion
A decade after investors gave the city more than $1.8 billion to lease the Chicago Skyway for 99 years, the rights to run the privatized highway and collect tolls have been sold for $1 billion more than the original price.
… The Skyway company reported collecting nearly $80.7 million in revenue from tolls last year, a slight increase from 2013.




Perspective. The only generation where the majority have posted selfies are the Millennials. Infographic.
The Selfie Habits Across Different Generations




For my students interested in Big Data.
9 Useful Open Source Big Data Tools
… Why are so many Big Data projects open source? There's no definitive answer, but most likely it's related to the fact that Hadoop is the project that got the Big Data bandwagon rolling. Since Hadoop is open source, many folks who work with it are active in the open source community. That means the tools they develop are also likely to be open source.




Interesting, but I probably will still ignore PowerPoint.
Microsoft announces two brilliant PowerPoint 2016 design tools
First, a new Designer feature is a bit like a real-time template. You can create all of your slides the way you normally do, with a template or without. You lay out the images and text, get everything in the order you want, and even create all of the timings and transitions. Then, you pick the Designer tool. As Maloney explained, it’s like taking your slides and giving them a graphic designer who knows how to improve them even more and wow an audience. [I like it! Facts first, then pretty. Bob]
… Another interesting aspect to the Designer is that the processing for the suggestions occurs in Microsoft Azure in the cloud, and this feature knows which designs most users pick. If no one is picking the one with the art gallery look, it won’t keep showing up. It’s the power of the crowd instilled in the app. [I hate it! Looking for the lowest common denominator? Bob]
… Another new feature called Morph ... lets you create animations without having to know anything about how animation works. You create some art, move it around, and Morph watches what you are doing and builds the animation. [Distracting. Bob]




I can't believe so much happens every week!
Hack Education Weekly News
Via the LA School Report: “A year later, secrecy surrounds FBI probe of LAUSD's iPad program.”
… The University of Illinois has paid $875,000 to settle Steven Salaita’s lawsuit, resulting from the school’s decision to fire Salaita based on comments he made on Twitter about Palestine.
… “The Starbucks Corporation this week announced that it will offer a tuition-free education to a spouse or child of its employees who are veterans or active-duty members of the U.S. military,” Inside Higher Ed reports. (That is, tuition-free education at ASU Online as part of Starbucks’ existing deal with the school.)
… “Math tutoring service in the form of a phone sex hotline.” Stay classy, ed-tech. [Does it work? Bob]
… “Schools Can’t Stop Kids From Sexting. More Technology Can,” Jonathan Zimmerman argues in a NYT op-ed. Moar technology!




Perspective. I hadn't thought of that, but she might be on to something here.
How The Old Farmer’s Almanac Previewed the Information Age
… It must have seemed, to the people of 1792, when The Farmer’s Almanac was founded, something like what a smartphone is to people today: a handheld, portable device that contained information about all manner of things—health advice, weather predictions, jokes, recipes, charts detailing the times of sunrises and sunsets, and other “new, useful, and entertaining” tidbits, as the cover promised.

