Saturday, September 02, 2017

I don’t think I’ve ever seen a breach update claiming that fewer records were lost than initially believed.  At least they updated quickly. 
That Instagram hack is shaping up to be way bigger than anyone thought
A bug in the social media company's API reportedly allowed hackers to gain access to account holders' phone numbers and email addresses, with Instagram assuring everyone on Aug. 30 that it was the celebs of the world who were targeted.  But that was then. 
Things are looking just a tad bit different now, with reports suggesting that as many as 6 million accounts were possibly affected and that regular old users may have fallen victim as well. 
The company issued a new statement on Sept. 1, copping to the fact that things may be worse than it originally admitted. 


It’s all in the timing…
Yes, let’s release a breach notification at 5 pm on the Friday of a big holiday weekend….
In this case, it’s The Neurology Foundation in Rhode Island, reporting on an incident involving employee wrongdoing.  You can read the full press release here.  Note that although the problem was discovered months ago, notification of the breach was delayed “as a result of law enforcement’s investigation.”  But does that mean that law enforcement actually asked them to delay notification, or did they just decide to delay notification themselves due to the investigation?

(Related).
And yet another breach disclosed at the beginning of a holiday weekend – this one posted by the State of Alaska:
September 1, 2017 ANCHORAGE – The Alaska Department of Health and Social Services had a security breach that may have disclosed personal information of individuals who have interacted with the Office of Children’s Services.  Due to the potential for stolen personal information, DHSS urges Alaskans who have been involved with OCS to take actions to protect themselves from identity theft.
On July 5 and July 8, two OCS computers were infected with a Trojan horse virus, resulting in a potential HIPAA breach of more than 500 individuals.  It is not yet known if the division’s confidential information was accessed.  It is possible that OCS reports and documents containing family case files, personal information, medical diagnoses and observations, and other related information was accessed during this breach.  


How to turn a (relatively) small breach into a true nightmare.
We haven’t seen many data security enforcement actions under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, but a recent case is a good opportunity to remind entities that they may be covered by it even if they didn’t know it.
Edward McAndrew, Kim Phan, and Zaven Sargsian of Ballard Spahr write:
The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.
As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.
Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.
Read more on JDSupra.
As the authors note, the FTC also blogged about this case on the FTC’s site.  Lesley Fair of the FTC writes, in part:
For a two-month period in 2015, TaxSlayer was subject to a list validation attack, which allowed remote attackers to access the accounts for about 8,800 TaxSlayer users.  (A list validation attack, also known as credential stuffing, is where hackers steal login credentials from one site and then – banking on the fact that some consumers use the same password on multiple sites – use them to access accounts on other popular sites.)  In an unknown number of cases, criminals used the data to commit tax identity theft.  They filed fake returns with altered routing numbers and pocketed refunds they weren’t owed.  And what a mess that left for victimized consumers.  Long delays in getting their rightful refunds, freezes or holds on their credit, and endless hours trying to unscramble the ID theft egg.
In the proposed complaint, the FTC alleges that TaxSlayer violated the Privacy Rule and Reg P by failing to give customers the privacy notices they were due.  What’s more, TaxSlayer violated the Safeguards Rule by failing to have a written information security program, failing to conduct the necessary risk assessment, and failing to put safeguards in place to control those risks – specifically, the risk that remote attackers would use stolen credentials to take over consumers’ TaxSlayer accounts and commit tax identity theft.
Tracking the settlements in several other GLB cases, TaxSlayer must comply with the rules and will be subject to every-other-year independent assessments for the next decade.  You can file a comment about the proposed settlement by September 29, 2017.
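The FTC's one-sentence description of a list validation attack is the whole technique, so the useful question for a site operator is what the attack looks like in its own authentication logs. The following is an added example, not code from TaxSlayer, the FTC or this page's author: a small detector that flags a source address that, within a sliding window, tries many distinct usernames with mostly failed logins. The log line format, the thresholds and the sample lines are all constructed assumptions.

```python
"""Credential-stuffing (list validation) detector over authentication logs.

Added example, not code from TaxSlayer, the FTC or this page's author. The log
line format, the thresholds and the sample lines are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO8601 UTC> ip=<src> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source walks a stolen list across six accounts
# (one reused password succeeds), a second source hammers a single account,
# a third is an ordinary login.
SAMPLE_LOG = [
    "2015-11-03T10:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2015-11-03T10:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2015-11-03T10:00:03Z ip=203.0.113.7 user=carol result=OK",
    "2015-11-03T10:00:04Z ip=203.0.113.7 user=dave result=FAIL",
    "2015-11-03T10:00:05Z ip=203.0.113.7 user=erin result=FAIL",
    "2015-11-03T10:00:06Z ip=203.0.113.7 user=frank result=FAIL",
    "2015-11-03T10:00:07Z ip=198.51.100.9 user=alice result=FAIL",
    "2015-11-03T10:00:09Z ip=198.51.100.9 user=alice result=FAIL",
    "2015-11-03T10:00:12Z ip=198.51.100.9 user=alice result=OK",
    "2015-11-03T10:01:00Z ip=192.0.2.44 user=bob result=OK",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_stuffing(lines, window_seconds=300, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within a sliding window, try at least `min_users`
    distinct usernames with a success ratio no higher than `max_success_ratio`.

    Username fan-out from one source is what separates a stuffing run (one
    stolen list replayed against many accounts) from a brute-force attack on a
    single account (one username, many passwords), which this check ignores.
    Returns {ip: {"users": n, "attempts": n, "successes": n}} holding the
    largest fan-out observed for each flagged IP.
    """
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        q = recent[ev["ip"]]
        q.append(ev)
        # Evict events older than the window relative to the newest one.
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        users = {e["user"] for e in q}
        successes = sum(1 for e in q if e["ok"])
        if len(users) >= min_users and successes / len(q) <= max_success_ratio:
            prev = flagged.get(ev["ip"])
            if prev is None or len(users) >= prev["users"]:
                flagged[ev["ip"]] = {
                    "users": len(users),
                    "attempts": len(q),
                    "successes": successes,
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

On the sample log only 203.0.113.7 is flagged; the single-account brute force from 198.51.100.9 never reaches the distinct-username threshold. A real campaign is usually spread across many proxies, so per-source fan-out is only the first signal; the complementary controls the FTC complaint faults TaxSlayer for lacking are the ones that make stolen credentials useless (a second factor, blocking passwords known from other breaches, and rate limiting per account rather than per source).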


The same concerns just before every election.  Someone is going to get burned. 
Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny


Same technique is used to select “smart bomb” targets.  (With much better resolution.)
Facebook maps populations in 23 countries to expand internet
In a bid to expand the reach of internet to every corner of the world, Facebook said that it has created a data map of the human population of 23 countries by combining government census numbers with information obtained from satellites.
Citing Janna Lewis, Facebook's head of strategic innovation partnerships and sourcing, the media reported that the mapping technology can pinpoint any man-made structures in any country on Earth to a resolution of five metres.


I might have my students use this to record their Digital Forensics homework.  (Looks like this is Chrome only for now.)
Loom - Screencast on Chromebooks, Macs, and PCs
Loom is a free screencasting tool that works on Chromebooks, Macs, and Windows computers.  Loom is a Chrome extension.  With Loom installed you can record your desktop, an individual tab, and/or your webcam.  That means that you could use Loom to just record a webcam video on a Chromebook.  Of course, this also means that you can use Loom to record your webcam while also recording your desktop.  Loom recordings can be up to ten minutes long.  A completed recording can be shared via social media and email.  You can also download your recordings as MP4 files to upload to YouTube or any other video hosting service.
Applications for Education
This is the time of year when you're likely to be introducing some new tools to your students and/or your colleagues.  Creating a screencast video that your students or colleagues can watch whenever they need reminders of how to use a tool can save you a lot of time in the long run.  Loom makes it easy to quickly record a screencast video on almost any computer.
