Part of any security plan is a review for any indications of a breach. We never assume our defenses will be perfect. Their investigation found signs of the breach; why weren't they using those tools all the time?
Customers may be singing, “You got mud on your face, you big disgrace” when they receive a breach notification from GlamGlow, the latest business to disclose that it had a breach more than one year ago that they’ve only recently discovered. The notification letter begins:
We recently became aware that an unauthorized party accessed the glamglowmud.com website and acquired certain personal information of some of our customers. After learning of the issue, we launched an investigation and retained outside experts to help us understand the nature and scope of the issue. Based on the investigation, we believe the incident occurred between September 19 and September 21, 2014 and May 12 and May 15, 2015. The affected information may have included names; addresses; telephone numbers; payment card numbers, expiration dates and security codes; email addresses; and GlamGlow account passwords.
Those notified are being offered one year of services with Equifax Credit Watch™ Gold. In the meantime, check your statements for signs of fraud, and change your passwords if you’ve reused your GlamGlow password anywhere else.
How often is too often? How big is too big? How sensitive is too sensitive? When does bad security rise to a level that attracts regulatory attention? A clear threshold would be nice.
Priya Anand reports:
Consumer and data privacy advocates are asking federal regulators to investigate the breach at credit bureau Experian, which compromised the personal information of millions of T-Mobile customers.
“We believe that it is incumbent on the regulatory agencies to fully investigate this breach, including whether other Experian databases have been breached,” they wrote in a letter to the Federal Trade Commission and Consumer Financial Protection Bureau, a watchdog agency. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster.”
Well, maybe now the FTC will do something. It’s nice to see others urging an investigation. I wish they had spoken up back in 2012 when I first disclosed Experian’s repeated breaches involving their credit report database, but better late than never.
A contract with your clients?
Mark McGreary writes:
New innovations come hand in hand with new privacy issues. [I respectfully disagree. Bob] Privacy policies may seem like a last-minute add-on to some app developers but they are actually an important aspect of an app. Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.
Fordham University in New York hosted its Ninth Law and Information Society Symposium last week [May 13th, actually Bob] where policy and technology leaders came together to discuss current privacy pitfalls and solutions. Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.” She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.” The privacy policy still matters because it protects businesses from the risks associated with having a high level of data.
Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial.
Indeed. How many enforcement actions have we seen by the FTC (including the Wyndham case) where the FTC quoted the firm’s privacy policy and argued that the entity did not live up to the assurances it had made to consumers? If your policy promises “industry standard” data security, are you living up to that promise? If not, I think you can reasonably expect to be sued in the event of a data breach involving identity information.
Any Privacy Policy here? When is “consent” not voluntary?
Dana DiFilippo reports:
… Bucks County officials announced the new database – the first of its kind nationally – at a news conference yesterday at the county courthouse in Doylestown, recounting case after case in which the new database solved crimes that might have gone cold with few other clues.
[…]
The new system – in which authorities can swab suspects for DNA even before they’re arrested – might raise the eyebrows of privacy-protective civil-rights advocates. The state database maintained by the Pennsylvania State Police, for example, contains DNA only from convicted offenders.
But Harran emphasized that suspects must consent to be swabbed, unless officers can persuade a judge for a court order.
“People think it’s ‘Big Brother,’” Harran said, referring to a character in a popular dystopian novel about government oppression. “It’s not. It’s an all-voluntary program. People can say no. Thank God criminals are stupid” and usually consent.
Being religious is not being godly. WTH?
Joe Cadillic is all over this one (some typos corrected by me):
According to an Arizona Dept. of Child Safety document, churches are working with social workers to spy on families and they’re also using “Child Safety and Risk Assessments”.
According to a Tucson.com article, church leaders are openly encouraged to collaborate with the gov’t. The article goes on to explain how religious organizations will spy on families and help the gov’t decide whether they should remove a child from their family!
“Called The Care Portal, the online tool allows DCS caseworkers who know of a specific need of a child or family to submit that request via email to nearby churches enrolled in the system.”
Does this solve everything?
Sacramento – Today, in a landmark victory for Californians’ digital privacy rights, Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA, SB 178) into law. The bill, jointly authored by Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), updates the state’s privacy laws for the digital age by protecting Californians against warrantless surveillance of their digital information.
“Governor Brown just signed a law that says ‘no’ to warrantless government snooping in our digital information. This is a landmark win for digital privacy and all Californians,” said Nicole Ozer, Technology & Civil Liberties Policy Director at the ACLU of California. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”
… CalECPA updates California’s privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police get a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here: www.aclunc.org/calecpa.
SOURCE: ACLU of Northern California
Better than England? But only one city, so far.
Zheping Huang reports:
During China’s National Day holidays this month, almost 8 million tourists visited Beijing in just four days—and the Chinese government kept a close watch on every one of them as they toured the capital’s streets.
Beijing police added new surveillance cameras ahead of the holiday, and have expanded coverage in the city to “100 percent” for the first time ever, to “tighten the capital’s security” and “avoid crimes in crowds,” state-run China Daily reported.
Is there a report that says they work?
Joe Cadillic starts with this statement:
According to a National Academies of Sciences, Engineering, and Medicine (NAS) report, airport X-ray body scanners are safe.
but then proceeds to question how unbiased and independent the report really is.
You can read what he found and his 10 reasons not to trust the NAS report on his blog, MassPrivateI.
A calculated PR stunt?
Chris Mandle reports:
The photo agency responsible for the nude photos of Justin Bieber have denied claims the singer’s privacy was invaded as he stood on the decking of a remote holiday apartment.
Speaking to The Independent, a spokesman from FameFlynet UK said: “There’s no invasion of privacy” and would not comment on whether a long lens was used to get the photos.
Bieber was photographed while on holiday in Bora Bora, walking from the inside of a seafront bungalow to the decking outside. Several photos show full-frontal nudity.
The pictures were published exclusively on New York Daily News, who covered Bieber’s crotch with a modesty bar, but the originals were leaked onto Twitter late last night and soon went viral.
If this would be an invasion of privacy for a female, it’s an invasion of privacy for Bieber. If it’s an invasion of privacy for a private (non-public) figure, it’s an invasion of privacy for a public figure or celebrity. We need to stop with the double standards. This is not just a matter of tackiness. If you sit quietly by while this happens to Bieber, why should you expect that your own privacy should be respected or protected?
“We weren’t really serious about that.” This was a loser going in. If I encrypt my email (for example) and then my email provider encrypts it again, all they can decrypt is the gibberish I sent them. Would the government then go after them for “failing” to decrypt my message?
Obama administration opts not to force firms to decrypt data — for now
After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.
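The layered-encryption point above is easy to see in code. The following is an added example written for this post, not code from the article or from any provider: the sender encrypts with a key only they hold, the provider wraps the result in its own layer, and when asked to "decrypt" the provider can strip only its own layer and is left holding the sender's ciphertext. The cipher here (HMAC-SHA256 run in counter mode as a keystream) is a standard-library stand-in chosen so the example runs offline; the function names, keys and sample message are all constructed for the example.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode.

    Illustrative stand-in so the example needs only the standard library;
    a production system would use an authenticated cipher such as AES-GCM
    (assumption for this example, not something the article discusses)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream); a fresh nonce per message."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Split off the nonce and XOR the keystream back off the body."""
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def printable_fraction(data: bytes) -> float:
    """Rough 'does this look like text' score: share of printable ASCII bytes."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def layered_scenario(message: bytes) -> dict:
    """Model Bob's setup: the sender encrypts first, then the provider adds its
    own layer at rest. Asked to decrypt, the provider can only remove the layer
    it holds a key for. Both keys are generated locally (constructed)."""
    user_key = os.urandom(32)       # held only by the sender and recipient
    provider_key = os.urandom(32)   # held only by the provider

    inner = encrypt(user_key, message)      # what the provider actually receives
    outer = encrypt(provider_key, inner)    # what the provider stores

    provider_output = decrypt(provider_key, outer)   # the most the provider can produce

    return {
        "provider_output_is_plaintext": provider_output == message,
        "provider_output_is_inner_ciphertext": provider_output == inner,
        "provider_output_printable_fraction": printable_fraction(provider_output),
        "user_can_recover": decrypt(user_key, provider_output) == message,
    }


if __name__ == "__main__":
    # Constructed sample message.
    result = layered_scenario(b"Quarterly numbers attached; call me before you forward them.")
    for name, value in result.items():
        print(f"{name}: {value}")
```

The printable-byte fraction of the provider's output hovers around the level you would expect from random bytes, which is the "gibberish" in Bob's question; only the holder of `user_key` turns it back into the message. Nothing about the provider's key, or any order served on the provider, changes that.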
If I started a database like this one and charged just a couple of cents for each query, would I be competitive with the big boys?
Tami Abdollah of AP reports:
For years, police nationwide have used patrol car-mounted scanners to automatically photograph and log the whereabouts of people’s cars, uploading the images into databases they’ve used to identify suspects in crimes from theft to murder.
Nowadays, they are also increasingly buying access to expansive databases run by private companies whose repo men and tow-truck drivers photograph license plates of vehicles every day.
Civil libertarians and lawmakers are raising concerns about the latest practice, arguing that there are few, if any, protections against abuse [No risk for me to store the data, right? Bob] and that the private databases go back years at a time when agencies are limiting how long such information is stored.
Smartphones are the new credit cards. You need a device that accepts the phone's offer to pay – that would seem to be the bottleneck. Will you need a proprietary device for each phone/payment system combination?
Apple Pay Continues To Expand, Coming To Starbucks, KFC And Chili's
This one is not on Hillary. Why do I get the feeling that no one involved with this investigation has a clue how Computer Security (or any other form of security) is supposed to work? I try to teach my students to pay attention to any warnings about security.
Clinton e-mails were vulnerable to hackers, tech firm warned
A technology subcontractor that has worked on Hillary Rodham Clinton’s e-mail setup expressed concerns over the summer that the system was inadequately protected and vulnerable to hackers, a company official said Wednesday.
But the concerns were rebuffed by the company managing the Clinton account, Platte River Networks, which said it had been instructed by the FBI not to make changes. [I doubt this is what they meant. Bob]
… A Platte River Networks spokesman acknowledged receiving upgrade requests from Datto.
“It’s not that we ignored them, but the FBI had told us not to change or adjust anything,” the spokesman, Andy Boian, said.
Boian said, however, the company did not take Datto’s concerns to the FBI.
… The concerns expressed by Datto reflected worry that the system, which was still in use for the Clintons’ personal office in August, [Really? So they are making changes every day! Bob] could have been vulnerable to hackers who targeted it for its new notoriety amid the swirling controversy.
For my Computer Security students. They “yell” at your drone, thinking that will “freeze” it in place. If your drone loses your command signals, isn't it programmed to return to where it was launched?
UK firms develop drone-freezing ray
The Anti-UAV Defense System (Auds) works by covertly [Rather obvious actually. Bob] jamming a drone's signal, making it unresponsive.
After this disruption, the operator is likely to retrieve the drone believing that it has malfunctioned.
The system joins a host of recently announced technologies which can blast larger drones out of the sky.
… The Auds operator can then choose to freeze the drone just for a short time – to convince its owner that there's something wrong with it – or for a longer period, until its battery dies and it crashes.
Auds has been tested in the UK, the USA and France, said Mr Taylor, and government organisations in all three countries had been involved in those tests.
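Bob's question is really about the drone's link-loss failsafe, so here is an added example of one, written for this post rather than taken from the article or from any drone vendor's firmware. The `LinkLossFailsafe` class, its thresholds (hover after 2 s of silence, return home after 8 s, land when the battery falls below 15%) and the `simulate` scenario are all assumptions constructed for the example. It plays out the two outcomes the article describes: a short jam that ends before the return-home timer fires, which the pilot experiences as a glitch, and a jam that outlasts the timer, where the drone heads home until a battery floor forces a landing.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    MANUAL = "manual"              # command frames arriving normally
    HOLD = "hold"                  # short silence: hover and wait for the link
    RETURN_HOME = "return_home"    # long silence: fly back to the launch point
    LAND = "land"                  # battery reserve reached: land where you are


@dataclass
class LinkLossFailsafe:
    """Watchdog of the kind Bob's question assumes. Hypothetical logic, not
    any vendor's firmware; thresholds are constructed for the example."""
    hold_after_s: float = 2.0       # silence before hovering in place
    rth_after_s: float = 8.0        # silence before return-to-home
    land_below_pct: float = 15.0    # battery floor where RTH gives way to landing
    last_command_t: float = 0.0
    mode: Mode = Mode.MANUAL
    events: List[Tuple[float, Mode]] = field(default_factory=list)

    def on_command(self, t: float) -> None:
        """A valid command frame arrived: reset the silence timer.
        A forced landing is never abandoned just because the link returns."""
        self.last_command_t = t
        if self.mode is not Mode.LAND:
            self._set(t, Mode.MANUAL)

    def tick(self, t: float, battery_pct: float) -> Mode:
        """Evaluate the failsafe at time t; the most severe condition wins."""
        silence = t - self.last_command_t
        if battery_pct <= self.land_below_pct:
            self._set(t, Mode.LAND)
        elif silence >= self.rth_after_s:
            self._set(t, Mode.RETURN_HOME)
        elif silence >= self.hold_after_s:
            self._set(t, Mode.HOLD)
        return self.mode

    def _set(self, t: float, mode: Mode) -> None:
        if mode is not self.mode:
            self.events.append((t, mode))
            self.mode = mode


def simulate(jam_start: float, jam_end: float, duration: float = 20.0,
             step: float = 0.5, battery_start: float = 60.0,
             drain_pct_per_s: float = 1.0) -> List[Tuple[float, Mode]]:
    """Constructed scenario: the controller sends a frame every `step` seconds
    except while a jammer blocks the link on [jam_start, jam_end)."""
    fs = LinkLossFailsafe()
    timeline = []
    t = 0.0
    while t <= duration:
        battery = battery_start - drain_pct_per_s * t
        if not (jam_start <= t < jam_end):
            fs.on_command(t)
        timeline.append((t, fs.tick(t, battery)))
        t += step
    return timeline


def mode_at(timeline: List[Tuple[float, Mode]], t: float) -> Mode:
    """Mode the failsafe was in at simulated time t."""
    return next(m for tt, m in timeline if abs(tt - t) < 1e-9)


if __name__ == "__main__":
    for label, jam_end, battery in (("short jam", 9.0, 60.0),
                                    ("jam until the battery dies", 999.0, 30.0)):
        timeline = simulate(5.0, jam_end, battery_start=battery)
        changes = [(t, m.value) for i, (t, m) in enumerate(timeline)
                   if i == 0 or m is not timeline[i - 1][1]]
        print(label, changes)
```

Whether the drone actually makes it home under a sustained jam depends on what else the jammer covers (the article says only that the command signal is jammed), so the example models the command link alone; that is the assumption behind the answer to Bob's question.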
I find this difficult to understand. Did the software change how the engines worked or how the emissions were reported? Either way, I don't see how the company could miss this.
Volkswagen U.S. CEO Says He Didn’t Know in 2014 of Emissions Defeat Devices
… Michael Horn, head of Volkswagen Group of America, said during a congressional hearing on Thursday that he believed “a couple of software engineers” were responsible for software that allowed nearly a half million diesel-powered cars sold in the U.S. since 2008 to dupe emissions tests.
… House Republicans and Democrats alike decried Volkswagen’s long-running deception with defeat-device software that made the auto makers’ diesel cars run cleaner during emissions testing than they did on the road. [Apparently, the cars can run clean. Perhaps it causes the engines excessive wear? Bob]
… Mr. Horn ruled out buying back vehicles from dealers. He said the cars are legal and safe to drive. [How can that be? Is this about extra pollution taxes? Bob] Volkswagen is focused on repairs, hoping to have a fix available next year, he added. A timetable for a U.S. recall isn’t yet set.
… Volkswagen has so far set aside $7.3 billion to address the problem. Current Chief Executive Matthias Müller has said the cost will likely rise.
(Related)
Volkswagen America's CEO blames software engineers for emissions cheating scandal
… At one point, Horn was asked if he knew how the defeat devices work. "Personally, no. I’m not an engineer," he responded. Later, in response to a similar question, Horn was suddenly able to describe how the defeat devices were able to fool the EPA's tests, and mimicked turning a car's steering wheel. (One of the ways the offending software was able to recognize whether a car was being tested or not was to monitor the amount of movement in the steering wheel.) [Sounds like the software changed what it reported, not what actually happened in the engine. Bob]
This is a pretty significant failure. Have we become so incompetent that we can't train soldiers? Or perhaps we can't find potential soldiers to train? Or maybe Russia is right and we should never have declared the Assad government as evil.
Obama Administration Ends Pentagon Program to Train Syrian Rebels
The Obama administration has ended the Pentagon’s $500 million program to train and equip Syrian rebels, administration officials said on Friday, in an acknowledgment that the beleaguered program had failed to produce any kind of ground combat forces capable of taking on the Islamic State in Syria.
… The change makes official what those in the Pentagon and elsewhere in the administration have been saying for several weeks would most likely happen, particularly in the wake of revelations that the program at one point last month had only “four or five” trainees in the fight in Syria — a far cry from the plan formally started in December to prepare as many as 5,400 fighters this year, and 15,000 over the next three years.
Perspective. (Apparently, I'm still anti-social.)
Social Media Usage: 2005-2015
“Nearly two-thirds of American adults (65%) use social networking sites, up from 7% when Pew Research Center began systematically tracking social media usage in 2005. Pew Research reports have documented in great detail how the rise of social media has affected such things as work, politics and political deliberation, communications patterns around the globe, as well as the way people get and share information about health, civic life, news consumption, communities, teenage life, parenting, dating and even people’s level of stress.”
(Related) An infographic.
Think Before You Tweet: Don’t Let Social Media Get You Fired
Nuts, just nuts.
Hack Education Weekly News
… “The U.S. Department of Education’s Office of Inspector General has pumped the brakes on competency-based education, partially due to concerns about the level of interaction between instructors and students in some of those programs,” Inside Higher Ed reports.
… “These states spend more on prisons than colleges.” (Saved you a click: Michigan, Oregon, Arizona, Vermont, Colorado, Pennsylvania, New Hampshire, Delaware, Rhode Island, Massachusetts, and Connecticut.)
… Via the AP: “The former CEO of Chicago Public Schools will plead guilty in an indictment that alleges she was involved in a scheme to steer $20 million worth of no-bid contracts to education companies in exchange for bribes and kickbacks, her attorney said Thursday.” [It's a Chicago thing. Bob]
… The University of Phoenix has been barred from recruiting on military bases, says The Wall Street Journal, and troops will not be able to use federal money to pay for classes at the school.
… Via District Administration: “Of the 2,000 high school students in Albemarle County Public Schools, only 25 requested lockers last school year, as more students carry their devices and books in backpacks.” Instead of lockers: charging stations.