That Instagram hack is shaping up to be way bigger than anyone thought
A bug in the social media company's API reportedly allowed hackers to gain access to account holders' phone numbers and email addresses, with Instagram assuring everyone on Aug. 30 that it was the celebs of the world who were targeted. But that was then.
Things are looking just a tad bit different now, with reports suggesting that as many as 6 million accounts were possibly affected and that regular old users may have fallen victim as well.
The company issued a new statement on Sept. 1, copping to the fact that things may be worse than it originally admitted.
It’s all in the timing…
Yes, let’s release a breach notification at 5 pm on the Friday of a big holiday weekend….
In this case, it’s The Neurology Foundation in Rhode Island, reporting on an incident involving employee wrongdoing. You can read the full press release here. Note that although the problem was discovered months ago, notification of the breach was delayed “as a result of law enforcement’s investigation.” But does that mean that law enforcement actually asked them to delay notification, or did they just decide to delay notification themselves due to the investigation?
(Related).
And yet another breach disclosed at the beginning of a holiday weekend – this one posted by the State of Alaska:
September 1, 2017 ANCHORAGE – The Alaska Department of Health and Social Services had a security breach that may have disclosed personal information of individuals who have interacted with the Office of Children’s Services. Due to the potential for stolen personal information, DHSS urges Alaskans who have been involved with OCS to take actions to protect themselves from identity theft.
On July 5 and July 8, two OCS computers were infected with a Trojan horse virus, resulting in a potential HIPAA breach of more than 500 individuals. It is not yet known if the division’s confidential information was accessed. It is possible that OCS reports and documents containing family case files, personal information, medical diagnoses and observations, and other related information were accessed during this breach.
via News-Miner
How to turn a (relatively) small breach into a true nightmare.
We haven’t seen many data security enforcement actions under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, but a recent case is a good opportunity to remind entities that they may be covered by it even if they didn’t know it.
Edward McAndrew, Kim Phan, and Zaven Sargsian of Ballard Spahr write:
The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.
As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.
Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.
Read more on JDSupra.
As the authors note, the FTC also blogged about this case on the FTC’s site. Lesley Fair of the FTC writes, in part:
For a two-month period in 2015, TaxSlayer was subject to a list validation attack, which allowed remote attackers to access the accounts for about 8,800 TaxSlayer users. (A list validation attack, also known as credential stuffing, is where hackers steal login credentials from one site and then – banking on the fact that some consumers use the same password on multiple sites – use them to access accounts on other popular sites.) In an unknown number of cases, criminals used the data to commit tax identity theft. They filed fake returns with altered routing numbers and pocketed refunds they weren’t owed. And what a mess that left for victimized consumers. Long delays in getting their rightful refunds, freezes or holds on their credit, and endless hours trying to unscramble the ID theft egg.
In the proposed complaint, the FTC alleges that TaxSlayer violated the Privacy Rule and Reg P by failing to give customers the privacy notices they were due. What’s more, TaxSlayer violated the Safeguards Rule by failing to have a written information security program, failing to conduct the necessary risk assessment, and failing to put safeguards in place to control those risks – specifically, the risk that remote attackers would use stolen credentials to take over consumers’ TaxSlayer accounts and commit tax identity theft.
Tracking the settlements in several other GLB cases, TaxSlayer must comply with the rules and will be subject to every-other-year independent assessments for the next decade. You can file a comment about the proposed settlement by September 29, 2017.
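The FTC's description of the "list validation" (credential stuffing) attack above has a recognizable footprint in an authentication log: one source address walking through many different usernames, each tried once or twice, with a high failure rate and the occasional success. The following is an added example written for this post, not code from TaxSlayer, the FTC or Ballard Spahr; the log line format, the sample lines (TEST-NET addresses, made-up usernames) and the thresholds are all constructed assumptions. It shows the safeguard the order faults TaxSlayer for lacking, in its simplest form: detecting the pattern and listing the accounts where a replayed credential actually worked, which are the ones that need a forced reset and activity review rather than just a block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not TaxSlayer's and not from the FTC
# order); the "<ISO ts> ip=... user=... result=ok|fail" format is an assumption.
# 203.0.113.7 replays a credential list (many users, mostly failures, one hit),
# 198.51.100.4 is one user mistyping a password, and 192.0.2.9 hammers a single
# account (brute force), which this heuristic deliberately does not flag.
SAMPLE_LOG = """\
2015-11-03T02:10:01 ip=203.0.113.7 user=alice result=fail
2015-11-03T02:10:03 ip=203.0.113.7 user=bob result=fail
2015-11-03T02:10:04 ip=203.0.113.7 user=carol result=ok
2015-11-03T02:10:06 ip=203.0.113.7 user=dave result=fail
2015-11-03T02:10:07 ip=203.0.113.7 user=erin result=fail
2015-11-03T02:10:09 ip=203.0.113.7 user=frank result=fail
2015-11-03T02:10:11 ip=203.0.113.7 user=grace result=fail
2015-11-03T02:10:12 ip=203.0.113.7 user=heidi result=fail
2015-11-03T02:11:40 ip=198.51.100.4 user=alice result=fail
2015-11-03T02:11:55 ip=198.51.100.4 user=alice result=ok
2015-11-03T02:12:00 ip=192.0.2.9 user=bob result=fail
2015-11-03T02:12:02 ip=192.0.2.9 user=bob result=fail
2015-11-03T02:12:04 ip=192.0.2.9 user=bob result=fail
2015-11-03T02:12:06 ip=192.0.2.9 user=bob result=fail
2015-11-03T02:12:08 ip=192.0.2.9 user=bob result=fail
2015-11-03T02:12:10 ip=192.0.2.9 user=bob result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_distinct_users=5, min_spread=0.8,
                               min_fail_rate=0.5):
    """Flag source IPs whose attempts inside one time window look like a stolen
    credential list being replayed: many distinct usernames, each tried only
    once or twice (spread = distinct users / attempts), and mostly failures.
    Thresholds are illustrative assumptions, not tuned values."""
    buckets = defaultdict(list)
    for ev in parse_log(text):
        # Fixed-size time buckets keyed by (source ip, bucket index).
        buckets[(ev["ip"], (ev["ts"] - EPOCH) // window)].append(ev)

    alerts = []
    for (ip, _bucket), events in sorted(buckets.items()):
        attempts = len(events)
        users = {e["user"] for e in events}
        failures = sum(1 for e in events if e["result"] == "fail")
        spread = len(users) / attempts
        fail_rate = failures / attempts
        if (len(users) >= min_distinct_users and spread >= min_spread
                and fail_rate >= min_fail_rate):
            alerts.append({
                "ip": ip,
                "first_seen": min(e["ts"] for e in events).isoformat(),
                "attempts": attempts,
                "distinct_users": len(users),
                "failures": failures,
                # Accounts where a replayed credential worked: force a password
                # reset and review recent activity, not just block the IP.
                "compromised": sorted(e["user"] for e in events
                                      if e["result"] == "ok"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The spread check is what separates this from a brute-force detector: a single account receiving many wrong passwords scores a spread near zero, whereas a replayed breach list scores near one because each stolen pair is tried against its own account. In practice the same logic would be fed by the web tier's login audit events rather than a string constant, and the per-IP key would be widened (to an ASN or a device fingerprint) because real campaigns spread attempts over many addresses.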
The same concerns just before every election. Someone is going to get burned.
Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny
Same technique is used to select “smart bomb” targets. (With much better resolution.)
Facebook maps populations in 23 countries to expand internet
In a bid to expand the reach of internet to every corner of the world, Facebook said that it has created a data map of the human population of 23 countries by combining government census numbers with information obtained from satellites.
Citing Janna Lewis, Facebook's head of strategic innovation partnerships and sourcing, the Media reported that the mapping technology can pinpoint any man-made structures in any country on Earth to a resolution of five metres.
I might have my students use this to record their Digital Forensics homework. (Looks like this is Chrome only for now.)
Loom - Screencast on Chromebooks, Macs, and PCs
Loom is a free screencasting tool that works on Chromebooks, Macs, and Windows computers. Loom is a Chrome extension. With Loom installed you can record your desktop, an individual tab, and/or your webcam. That means that you could use Loom to just record a webcam video on a Chromebook. Of course, this also means that you can use Loom to record your webcam while also recording your desktop. Loom recordings can be up to ten minutes long. A completed recording can be shared via social media and email. You can also download your recordings as MP4 files to upload to YouTube or any other video hosting service.
Applications for Education
This is the time of year when you're likely to be introducing some new tools to your students and/or your colleagues. Creating a screencast video that your students or colleagues can watch whenever they need reminders of how to use a tool can save you a lot of time in the long run. Loom makes it easy to quickly record a screencast video on almost any computer.