This is a pretty
valuable set of data. (able to prescribe drugs) Who keeps data like
this in this country and has anyone breached that data?
Associated Press
reports
that the personal information of all licensed medical doctors in
Puerto Rico was acquired in a recent hack. They report that since
the hack, doctors have been getting harassing emails, but it’s not
clear from their reporting as to what information was accessed or
acquired in the intrusion, other than the statement from Puerto
Rico’s Association of Surgeons [I think AP
meant College of Physicians and Surgeons - Dissent] that whoever
stole the information can engage in identity theft and submit fake
prescriptions.
The AP also did not
report how many physicians had data in the database, but another AP
report in April 2013 noted that the number of doctors in Puerto
Rico had dropped from 11,397 to 9,950, according to the island’s
Medical Licensing and Studies Board. I cannot find any website for
the College of Physicians and Surgeons for Puerto Rico.
If anyone has
additional information on this breach, please let me know.
Updated:
With the clarity that extra caffeine brings, it dawned on me this
morning that even if there are less than 10,000 physicians currently,
we don’t know how far back their database goes, and there might be
many more individuals whose data were in there.
A caution for
academics, but a warning for owners/stewards/guardians/custodians of
data – you must set security rules and ensure they are followed.
(Why give up the data at all when you could run the analysis in-house
and only disclose the summarized results?)
Brian Bakst of AP
reports:
A
University of Minnesota law professor has apologized
to violent crime victims and witnesses after a computer with
sensitive information of nearly 300 people was stolen from his
office, but he said Friday that there’s no indication the thief has
accessed the data.
Criminologist
Barry Feld, a prominent juvenile justice scholar, was collecting data
from closed case records for a study on law enforcement interrogation
techniques when the laptop, a scanner and external hard drive were
taken last February. His research, which required
his team to sign confidentiality agreements before obtaining the
data, has since been terminated.
Read more on Pioneer
Press. Maura Lerner of the Star Tribune, who broke the
story yesterday, noted
the sensitivity and background of the individuals whose data were
on the stolen devices:
All
had been witnesses or victims in cases that were prosecuted in early
2005 in Hennepin and Ramsey County courts.
One
victim, who had been raped as an 11-year-old, received Feld’s
letter last week. Her mother told the Star Tribune that she was
shocked by the data theft, and that she had no idea that her
daughter’s information had been shared with a researcher. “I was
aghast,” she said. It was particularly galling, she said, because
the family had been unable to get some of that same information, such
as witness testimony, when they requested it.
Feld admitted that the
data were not properly secured:
“I
did not properly protect the data,” Feld told The Associated Press
in a phone interview Friday. The incident was first reported by the
Minneapolis Star Tribune.
A
police report said the equipment wasn’t locked and was stolen from
under a desk in the office Feld shares with several research
assistants. University police made no arrests in the case nor have
they had any leads, according to a school spokesman.
Not only were the data
not properly secured, it would appear that there was no backup or
master index, as it took from last February until now for them to
reconstruct a list of who needed to be notified.
All in all, this sounds
like a total failure. I would love to see the contract or agreement
the professor signed with the county to gain access to the research
materials. Did the agreement require him to not just maintain
confidentiality but to actually deploy reasonable and commercially
available security protocols? If not, why not? Perhaps some
enterprising reporter in Minnesota might want to investigate whether
the state and county are requiring adequate security for access to
personal and sensitive information.
“Now we can say we've
done something. We made a speech!” Looking at the President's
speech on “NSA reforms” I see that nothing specific has been
proposed. (What a surprise) On the other hand, perhaps that is the
correct response to all the kerfuffle. Vague words and phrases like:
… we will review
… we will reform
… a panel of
advocates from outside government to provide an independent voice in
significant cases [Definition of “significant” to follow Bob]
… I’m asking the
attorney general and DNI to institute reforms
… amend how we use
national security letters
… ordering a
transition
… we will only
pursue phone calls that are two steps removed from a number
associated with a terrorist organization, instead of the current
three [Sounds good, unless you think everyone on the calling tree
is part of the organization? Bob]
… develop options
(Related) Compare my
review with the EFF's 3.5/12
Read EFF’s
explanation for the scores they gave President Obama for his NSA
reform plan here.
(Related)
Yes, let’s just
declassify dump two dozen FISC orders right before a holiday weekend
(sigh). From IC on the Record:
The
documents being released today comprise orders from the FISC
approving the National Security Agency’s (NSA) collection and use
of telephony metadata under Section 501. These orders provide
additional information regarding the controls imposed by the FISC on
the processing, dissemination, security and oversight of telephony
metadata acquired under Section 501. This includes the Court’s
imposition of additional controls in response to compliance incidents
that were discovered by NSA and then reported to the FISC. These
orders are available at the website of the Office of the Director of
National Intelligence (http://www.dni.gov),
and ODNI’s public website dedicated to fostering greater public
visibility into the intelligence activities of the Government
(IcontheRecord.tumblr.com).
Access the orders here.
Do you see why I
recommend breach victims, even big ones with huge legal departments,
call in some Professional Help? This was not good customer service
even before the breach. Where were the managers?
Target
Refused To Process Fraud Claim Unless Customer Gave Up Sensitive Info
How comfortable would
you feel giving Target
all your sensitive information right now?
Michael Baxter of
Somerville has an answer: “I have no confidence in their security
there.”
Baxter and his wife got
a call Wednesday.
“They identified
themselves as the Target fraud detection department, and there
was a suspicious transaction of over $1,200,” Baxter told WBZ-TV.
[Is this an indication that the stolen cards are being used already?
Bob]
They called the number
on their statement and confirmed it was true. They are among as many
as 110 million customers affected by Target’s pre-holiday credit
card breach.
But what happened next
made Baxter feel like a victim all over again.
Target sent him a
questionnaire to fill out and return to process his claim.
It asks for
sensitive information like Social Security number, driver’s license
number, address, phone numbers, credit card number, children’s
names, and more.
… When he refused,
the customer service representative told him they could not process
his claim without it.
“I wasn’t getting
anywhere, so I asked for a manager. That took four or five minutes.
The supervisor came on the line and she was even more aggressive with
it.”
When we contacted
Target, the company changed its tune.
“Our policy is to
investigate all fraud claims even if the form is not filled out,”
said spokesperson Molly Snyder. “And filling out the form is not a
requirement. However, if we don’t have the form filled out it
makes our investigation more difficult.”
(Related)
Cybercrime
firm says uncovers six active attacks on U.S. merchants
A cybercrime firm says it has uncovered at least
six ongoing attacks at U.S. merchants whose credit card processing
systems are infected with the same type of malicious software used to
steal data from Target Corp.
… He said payment
card data was stolen in the attacks, though he didn't know how much.
… Komarov, an
expert on cybercrime who has helped law enforcement investigate
previous attacks, told Reuters on Friday that retailers in California
and New York were among those compromised by BlackPOS. Reuters was
unable to confirm the retailers' names. [If they are ONLY in New
York or ONLY in California, they can't be very large. Bob]
Why I love living in
Colorado...
Hunting
Licenses to Shoot at Drones: What Could Possibly Go Wrong?
Phil Steel of Deer
Trail, Colorado …
… has proposed that
his town adopt an ordinance that would allow residents to take up to
three shots at drones flying over the town at fewer than 1,000 feet
(more if your life is in danger). The measure, which has divided the
town of 550, will be voted on at the ballot box in April. Until
then, Steel is selling his own licenses, for $25
each, [Wish I had thought of it! Bob]
to anyone who wants, though they "have no legal value,"
Matt
Pearce reports in the Los Angeles Times.
Be careful what you
brag about?
Eriq Gardner reports
that Hulk Hogan has lost a round in his litigation over Gawker
publishing excerpts from a private sex tape they acquired. Hogan
failed
to get a federal court to grant an injunction prohibiting its
publication, but then found a state judge who granted his motion for
an injunction. Today, a Florida appeals court overturned
the injunction, explaining that given Hogan’s
own public comments about his affair, that this was a
matter of public concern and protected by the First Amendment.
If the court
decides they do need a warrant, will that apply to teachers as well?
(See yesterday's blog) How about border guards?
Wow.
David Kravets reports:
The
Supreme Court today agreed to decide the unsolved constitutional
question of whether police may search, without warrants, the mobile
phones of suspects they arrest.
The
justices did not immediately schedule a hearing in the most important
digital rights issue the high court has decided to review this term.
Read more on Wired.
See also the coverage on Blog
of Legal Times.
You don't need to be a
student to find this useful.
Make
Windows Start Faster: 10 Non-Essential Startup Items You Can Safely
Remove
For my “Raiders of
the lost files” (my Ethical Hacking students) DOCs, PDFs, ePUBS –
the booty is endless!
– is your personal
web crawler. It can crawl into any website and find what you really
want (video clips, images, music files, etc). FoxySpider displays
the located items in a well-structured thumbnail gallery for ease of
use. Once the thumbnail gallery is created you can view, download or
share (on Facebook and Twitter) every file that was fetched by
FoxySpider.
With FoxySpider you
can:
- Get all photos from an entire website
- Get all video clips from an entire website
- Get all audio files from an entire website
- Well, actually get any file type you want from an entire website
For my Twit students.
– is a Twitter
Analytics tool. It gives you stats such as who mentions you and how
many times, & number of retweets. You can also analyze another
Twitter user’s profile and obtain the same information. What’s
even better is that you can search for keywords on Twitter, with who
mentioned those words and how they fit into popular hashtags.
For my programming
students. (Useful for learning a new language, convert a program you
wrote in an old language.)
– is an online
web-based cross-platform source code converter that supports codes
such as C#, Visual Basic .Net, Java, Ruby, Iron Python, and Boo. The
free plan will allow you 8 conversions daily, and 2,048 characters
per conversion. To remove all restrictions, just share Varycode on
Facebook or Twitter.
For my researching
students...
30
Search Engines Perfect For Student Researchers
When you need to
research something, where do you start? Most of us answer this
question with “Google“,
and “Wikipedia“.
But if you’re researching online with Google and Wikipedia as your
main tools, you’re only hitting the tip of the iceberg. While
these offer some great basic information on a huge variety of
subjects, if you want to delve deeper, you need a wider variety of
sources to choose from.
The handy
infographic below takes a look at different methods of online
research, and gives a flowchart flush with a number of different web
search options for you to try out.
My weekly laugh...
… Congress
has passed the 2014 "omnibus appropriations legislation."
Among other things, a win for open access to
publicly-funded research: it
requires that “federal agencies with research budgets of at
least $100 million per year will be required provide the public with
free online access to scholarly articles generated with federal
funds.” The bill also removes
restrictions that prevented the NSF
from funding political science. There’s more
money for the NIH
and more money for the Pell
Grant.
… Senator Patty
Murray (D-WA) and Representative Jared Polis (D-CO)
have introduced
the Investing in States To Achieve Tuition Equity (IN-STATE) Act of
2014, which provides incentives for states to offer in-state tuition
and need-based aid for undocumented students.
[Could my nephew claim to be undocumented (who wants
to admit they are from New Jersey) and get in state tuition? Bob]
… Early this week,
The
LA Times reported that the Los
Angeles School District was surveying how much other
districts had paid for their technology. Because, ya know, I guess
they didn’t think to do any due diligence before agreeing to the
outrageous $768 per iPad
price-tag.
… Whatever the
investigation into pricing, it didn’t stop the school board from
earmarking
$115 million to buy more iPads
to make sure everyone has one in time for “standardized testing
scheduled for this spring.” Priorities.
… You can now
rent
textbooks at Staples (or via Staples.com at
least).
… The US
News & World Report has released its
rankings of the Best Online Programs.
… The Berkman
Center for Internet and Society have released a number of reports on
student privacy, including
this one that talks with youth about their thoughts on tech usage
at school. Spoiler alert: they know how to bypass your web filters.
