For
my Computer Security and Business Continuity students. It can happen
to anyone. The trick is to realize that and plan for it. (Are some
of these departments thinking, “They wouldn't dare attack us!”?
And
yet more police departments pay ransom to unlock their systems. WCSH
in Maine reports:
Lincoln County Sheriff Todd Brackett said four towns and the county
have a special computer network to share files and records. Someone
accidentally downloaded a virus, called “megacode”, that put an
encryption code on all the computer data.
The Sheriff said it basically made the system unusable, until they
paid a ransom fee of about $300 to the creator of the virus.
[…]
And those Midcoast departments aren’t the only law enforcement
victims. The Houlton Police Department was also hit by the same or
similar virus early this week, and it locked up all their files.
Chief Terry McKenna said they, too, were forced to pay the ransom to
get their computer data restored
Read
more on WCSH.
So
now that they’ve publicly admitted that they’ve paid ransom to
unlock their files, are they more likely to get hit again? Can they
really be sure their employees won’t fall for the next malware
attempt?
There’s
no doubt that this is a growing problem – or that at least
departments are being more transparent in reporting it. Earlier this
week, I noted the Tewksbury Police Department case in Massachusetts,
but there have been others, too, as the Boston Globe reported:
Among other small-town police forces hit was the Swansea Police
Department. It fell
victim to the same threat in November 2013 and paid $750 to get
its files back.
The police department in the Chicago suburb of Midlothian paid $500
in January. In Dickson County, Tenn., the sheriff’s office came
under attack in October. Despite
seeking aid from the FBI, [It's
hard to prevent this after it happens. Bob] the agency
ended up paying $572 in ransom.
Not
all departments pay the ransom – and some,
thankfully, don’t need to:
But in Durham, N.H., Police Chief Dave Kurz chose not to pay because
the department had backed up the encrypted information and could work
around the seized database.
“We had to clean essentially all the computers, but all of our data
was prepared,” Kurz said.
Others
refuse to pay but lose their data:
The four-member police force in Collinsville, Ala., was hit in June,
with the hackers demanding $500 to free up a database of mugshots.
Chief Gary Bowen dug in, refused to pay, and never got his
department’s files back.
“There was no way we were going to succumb to what felt like
terrorist threats,” Bowen said.
Obviously,
it would be much better if more departments were as prepared as the
Durham, NH police were. Because what are all these departments going
to do when the attackers start asking for even more money? And what
happens when the criminals start really hitting the k-12 systems?
Will the districts pay ransom rather than be brought to their knees
by locked files?
In
related and helpful news, Charlie Osborne reports that Scraper
ransomware has been broken, allowing for victims to circumvent
payment and access their locked data.
This
will (probably) be the last post on this subject. Note: Someone has
to use “Worst Practices” so we are motivated to create “Best
Practices.”
I
continue to look for details on the case of a 14-year old middle
school student who is facing two felony counts for allegedly hacking
into his district’s network (see previous coverage of the case on
this blog here
and here).
In
today’s installment of How Badly Can a District Screw Up
InfoSecurity? Ashley Feinberg of Gawker
reports:
Another devious, young techno-wiz was placed safely behind bars this
past Wednesday after
authorities say he deftly “hacked into his school’s
secure computer network” by guessing the password (his teacher’s
last name). The crime? Changing the desktop background to
two dudes kissin’. The punishment? Arrest on felony charges.
The hacker wunderkind of Holiday, Florida’s Paul R. Smith Middle
School, Domanik Green, explained that he uncovered the secret
password by “watching the teacher type it in.” At which
point, and like a young Julian Assange, he “logged into a teacher’s
computer who [he] didn’t like and tried putting inappropriate
pictures on his computer to annoy him.”
So
he shoulder-surfed the password. Wait until you find out how long
ago that happened. In an interview with yet
another news station:
Green, interviewed at home, said students would often log
into the administrative account to screen-share with their
friends. They’d use the school computers’ cameras to see each
other, he said.
Green had previously received a three-day suspension for accessing
the system inappropriately. Other students also got in
trouble at the time, he said. It was a well-known
trick, Green said, because the password was easy to remember: a
teacher’s last name. He said he discovered it by watching
the teacher type it in.
So
the district knew last year they had a problem. And what did they do
to prevent recurrences? And what did they do to educate the students
to understand the seriousness of their conduct?
And
why did they issue one password to teachers two years ago, as ABC
reports:
During a news conference, Sheriff Chris Nocco said approximately two
years ago one password had been given to teachers, which somehow made
it into the hands of a student, which was then passed on.
Nocco said the student had the password and was able to make remote
access to the computer and was looking for porn.
Apparently
a picture of two men kissing is “porn?” Oh well, that may be a
whole other discussion.
“Surveillance
is as surveillance does.” F. Gump
Joe
Cadillic writes that as more and more smart meters and smart devices
are deployed, the government will have access to more and more
details of our private lives. And it’s the Department of Homeland
Security that he’s particularly concerned about:
There’s even a ‘National
Energy Sector Cyber Security Organization‘ funded by both the
DOE and DHS. For those of you “in the know,” you know there’s
really no difference between the DOE and DHS they’re one and the
same. Click here,
here
& here
to read more.
Need more proof ‘Smart Meters’ are controlled and monitored by
DHS? Look no further than DHS’s ‘Control
Systems Security Program' Where they admit to working with
“control systems owners, vendors and law enforcement”.
“The Industrial Control Systems Cyber Emergency Response
Team collaborates with international and private sector Computer
Emergency Response Teams (CERTs) to share control systems-related
security incidents and mitigation measures.”..
Read
more on MassPrivateI.
From
the “You ain't got no stinking privacy!” department: That
argument should raise a few eyebrows, even in Philadelphia.
Dustin
Slaughter reports:
The City of Philadelphia does not want you to know in which
neighborhoods the Philadelphia Police Department (PPD) is focusing
their use of powerful automatic license plate readers (ALPR), nor do
they want disclosed the effectiveness (or lack thereof) of this
technology, as they continue to fight a Declaration public
records request filed
in January with MuckRock News.
City officials argue in their response that every metro
driver is under investigation, in an effort to exempt so-called
criminal investigatory records from release under PA’s
Right-to-Know Act:
Read
more on The
Declaration.
This
isn't a privacy issue, because the photos are “art”
Hili
Perlson writes:
A Supreme Court ruling
in favor of photographer Arne Svenson brings troubling news for
privacy advocates (already distraught by Edward
Snowden’s Smashed Laptop Displayed at the V&A).
When his show “The Neighbors” opened at Julie
Saul Gallery in 2013, it was met with outrage, followed by legal
action.
Svenson
had been taking pictures of New York residents inside their lower
Manhattan apartments with a telephoto lens, thus confirming one of
the biggest fears New Yorkers have concerning their privacy.
Read
more on artnet.
[From
the article:
However,
conceding that Svenson's work is in fact art is what won the case for
him, as the judges' verdict was based on Svenson's First Amendment
rights as an artist.
…
According to the HR, while New York laws prohibit the
“non-consensual use of a person's name, portrait or picture for
advertising or trade purposes," the laws also allow an exception
for news media and so-called “matters of public concern."
I'm
sure everyone will follow everything. (How many people service these
accounts?)
Social
Media Directory – DHS
by
Sabrina
I. Pacifici on Dec 27, 2014
“The
Department of Homeland Security and its component agencies use
numerous social media accounts to provide you with information in
more places and more ways [the listing is quite long – what
appears below is only a portion of the total]. The Department uses
non-government sites to make information and services more widely
available. Sometimes we are directly engaging with you on these
sites, sometimes we use these services because we want to be where
you already are. It’s important to remember that these are
commercial sites and are not required to follow government standards.
[Lists
omitted. Bob]
Social
Networks / Anti-Social Networks. The definition often is very
personal.
Divorce
by Facebook: New York woman gets OK to file papers online
…
Ellanora Arthur Baidoo has been trying to divorce her husband for
several years, according to her attorney, Andrew Spinnell.
But,
Spinnell said, he and his client haven't been able to find Victor
Sena Blood-Dzraku to serve him the papers. Baidoo has been able to
reach her husband by phone and "he has told her that he has no
fixed address and no place of employment," according to court
documents.
"He
has also refused to make himself available to be served," the
document said.
After
exhausting other ways of serving him the papers, Spinnell filed an
application asking for "service by alternate means," in
this case, via social media.
In
his decision, Justice Matthew Cooper said the "advent and
ascendency of social media," means sites like Facebook and
Twitter are the "next frontier" as "forums through
which a summons can be delivered."
Yet
another surprising user of social networks? Only if you believe that
these elected officials actually type Tweets themselves. I have to
think these guidelines are intended to prevent another disaster like
the “Hillary's Emails” debacle.
Social
Media in the House of Representatives: Frequently Asked Questions
by
Sabrina
I. Pacifici on Apr 10, 2015
CRS
– Social
Media in the House of Representatives: Frequently Asked Questions
– Jacob R. Straus, Analyst on the Congress; Matthew E. Glassman,
Analyst on the Congress. April 2, 2015.
“Recently,
the number of Member offices adopting social media as an official
communications tool has increased. With the increased use of social
media accounts for official representational duties, the House has
adopted policies and regulations regarding the creation, content, and
use of third-party social media services. This report answers
several questions about the regulation of social media accounts in
the House of Representatives.
•How does the House define social media?
•How are social media accounts regulated in the House?
•What makes a social media account an official resource?
•Can Members use official funds for social media?
•Is some content prohibited on official social media accounts?
•Do the mass communications regulations apply to social media?”
An
interesting application of Data Analytics that my students should be
thinking about. (Can you “game” the system?)
Can
People Analytics Help Firms Manage People Better?
…
companies are starting to use data and sophisticated analysis in
issues such as recruiting, compensation and performance evaluation
because they believe it can help in better decision making.
The
Wharton People Analytics Conference 2015 opens in Philadelphia today.
Cade
Massey, practice professor of operations and information
management, and Adam
Grant, professor of management and psychology, who lead Wharton’s
people analytics initiative, spoke with Knowledge@Wharton about why a
data-driven approach to managing people at work is gaining traction.
Laugh
at education...
Hack
Education Weekly News
…
A “discussion draft” of a revision to FERPA was released
to the US House of Representatives’ education committee.
Three similar bills recently introduced in the Minnesota legislature
would require school districts to notify parents or guardians every
time a fellow parent, guardian, or an adult student deems
instructional material such as books or movies to be “sexually
explicit or obscene and therefore harmful to minors.” Although the
bills do not require discontinuing use of the disputed material, the
most extreme version would force districts to publicly justify its
retention in the curriculum. To make matters worse, all three bills
would apparently allow complainants to remain anonymous.
…
A
crowdfunding campaign to robocall all New York parents, urging
them to opt their children out of standardized testing. Gee,
no issues with privacy or data brokering there.
…
From the National Education Policy Center, a report called “On
the Block: Student Data and Privacy in the Digital Age.”
Education
Week’s summary:
Its authors, Alex Molnar and Faith Boninger, both University
of Colorado researchers, recommend that legal protections be
extended beyond students’ formal educational records to include the
wide range of student data – including anonymous information and
“metadata,” such as what type of device a student is using or
where they are accessing the Internet – that is now frequently
collected and shared by ed-tech companies. The researchers also
recommend that the legal burden to protect students’ information be
shifted to include vendors, as well as schools and districts.
This
could be useful for my students! What other software might be useful
in your browser!
How
to Run LibreOffice in Your Web Browser
LibreOffice
has done it. They have made the full transition from a
speculative branch of popular alternative office software Apache
OpenOffice to genuine competitor. Their recent announcement that
LibreOffice would be joining the swelling ranks of cloud
based office software was met with excitement – there appears
to be a massive amount of goodwill toward LibreOffice, and their
growing ability
to challenge Microsoft continues attract interest.
It
isn’t ready just yet. It should be ready by the end of the year.
It was originally conceived way back in 2011,
alongside announcements for Android and iOS versions – both of
which are also yet to appear, with the iOS version potentially never
appearing. However, if you want – nay, demand LibreOffice
in your browser before the end of the year, MakeUseOf has you
covered. Read on, friend!
Using
RollApp
If
you haven’t come across RollApp yet, it’s certainly worth a look.
RollApp builds a cloud
based virtual platform, allowing you to run applications within your
web browser. Applications
behave exactly how their desktop counterparts do, albeit
with minute time differences, depending on your Internet connection.
NIST Big Data Use Case & Requirements Subgroup