THE READER – New immigrant voting rights taskforce

From the Office of Mayor Mike McGinn
News, Updates, and Information

TUESDAY, SEPTEMBER 3, 2013

New immigrant voting rights taskforce
Today Mayor Mike McGinn announced several new efforts to support immigrant and refugee communities in Seattle, including the creation of an Immigrant Voting Rights Taskforce. The taskforce, made up of community leaders, academics and attorneys, will be charged with making Seattle more voter-friendly for the more than 100,000 Seattle residents who are foreign-born.

“This taskforce will get to the heart of many equity issues in the world of civic engagement for Seattle’s immigrant population,” said McGinn. “We have to strive as a city to meet the needs of all communities in getting their voice heard.”

The taskforce will look at a number of questions, including: more equitable placement of ballot boxes, registration deadlines for individuals who have just become citizens, extra outreach around voting to individuals who have become citizens, and linguistic assistance for non-English speakers. The goal is to evaluate what jurisdiction Seattle has over these issues and strategize how to lift institutional barriers through changes in policy and legislation. The Office of Immigrant and Refugee Affairs, created in 2012, will oversee the taskforce’s work and provide staff support.


Drop-in activities for some Seattle public school students if a strike happens
The City of Seattle announced Friday it will open and staff drop-in activities at 20 designated community centers for Seattle Public Schools students on free and reduced lunch from Kindergarten to 8th Grade if a strike delays the opening of Seattle Public Schools. The free program will operate from 8:00 a.m. to 5:00 p.m. beginning Thursday, September 5 and include supervised recreation activities, with an anticipated supervision ratio of 20 children to 1 adult leader. Seattle Parks and Recreation and the Associated Recreation Council will staff these sites.



28 new or expanded community gardens made possible through 2008 Parks and Green Spaces Levy
Mayor McGinn announced the growth of the city’s P-Patch Community Gardening Program with an increase of 20 new or expanded P-Patch gardens over the past four years, with another eight gardens in the works.

This growth is a result of funding from the 2008 Parks and Green Spaces Levy, which originally provided $2 million for four new gardens. Due to strong partnerships with neighborhood volunteers and community organizations and the leveraging of funds, 22 new or expanded garden projects have been supported with this funding. In addition, last December the Levy Oversight Committee recommended the reallocation of $427,000 in inflationary funds, which will support another six projects. In total, 28 projects providing more than 700 additional garden plots will have been added by 2014.

“The spirit of volunteerism in the community and the management of this program has made the public’s investment go much further,” said Mayor McGinn. “As the second largest program in the nation, I’m excited that our city’s P-Patch Program has grown to provide more community members from across the city the opportunity to grow fresh organic food, as well as engaging with their fellow gardeners and neighbors.”


Good news for LGBTQ City employees
Last week the U.S. Department of the Treasury and the Internal Revenue Service (IRS) announced that all same-sex married couples will receive equal treatment under the tax code, regardless of whether their marriage is recognized in the state they reside in. This is great news for married couples in our community who have shouldered significant tax burdens that opposite-sex married couples do not face. For example, City of Seattle employees have been unfairly taxed on the health benefits we offer to their same-sex spouses and their children, potentially costing couples thousands of dollars a year.

With this new direction from the IRS, our Personnel Department is already working with Payroll to find the quickest way to stop taxing those benefits. They will also provide detailed information on how to file a claim for a refund from the IRS as soon as that information becomes available.


THE READER – New funding for more preschool slots


From the Office of Mayor Mike McGinn
News, Updates, and Information

WEDNESDAY, JULY 24, 2013

New funding for more preschool slots
Mayor McGinn announced the award of approximately $470,000 in funding from the 2011 Families and Education Levy for investments in early learning at three Seattle preschools as part of the City of Seattle’s Step Ahead preschool program.

The 2011 funding increases slots at one existing Levy-funded preschool, Denise Louie Education Center in Seattle’s Beacon Hill neighborhood, and adds two preschools to the Step Ahead program, Seed of Life LLC (southeast Seattle), and Puget Sound Educational Service District (southwest Seattle). The Levy now funds a total of 20 preschool sites operated by 11 community agencies. For a complete list of Step Ahead preschools please see attached chart.

“This new funding will help more children get the early learning they need,” said Mayor McGinn. “Research has shown that high-quality early learning environments are key to a child’s future success in school and beyond.”

The Seattle Human Services Department (HSD), which administers the Step Ahead preschool program, received six applications for nine preschool sites totaling $996,000 in requested funds through a Request for Investment (RFI) process. The RFI sought to contract with a diverse group of providers to deliver preschool services for low- and moderate-income families of three- and four-year-old children who live in the attendance areas of Seattle elementary schools that are eligible for Families and Education Levy funding.


Support for young immigrants eligible for work visas
Today Mayor McGinn announced new City efforts to support young people eligible for work authorization through the federal Deferred Action for Childhood Arrivals (DACA) policy launched by President Barack Obama in June 2012. Individuals age 18 and over can now call the Seattle City Light Service Center at (206) 684-3000 and have their names added to the utility bill for their home, helping to provide a paper trail to prove residency.

“These small changes in the way the City operates can have a big impact on the lives of these young people,” said McGinn. “We have an opportunity here to support immigration reform at the local level. We hope other cities will follow our lead in supporting youth who are eligible for DACA.”

DACA offers a two-year reprieve from deportation, as well as work authorization, for unauthorized immigrants who were under the age of 31 as of June 15, 2012 and who entered the United States before the age of 16. This includes many of those who would have been eligible for legal residency under the proposed DREAM Act.

Many DACA-eligible people have reported that one of their greatest challenges is to prove that they have been continuously residing in the United States since their arrival in childhood, after years spent hiding the fact of their residency. The City of Seattle will help DACA-eligible people prove their residency by permitting them to show utility bills with their name listed. Washington State has over 40,000 residents eligible for a work authorization under DACA, many of them currently residing in Seattle.


Improving safety on Northeast 75th Street
Mayor McGinn and City Traffic Engineer Dongho Chang announced last week four proposals for improving road safety by restriping Northeast 75th Street near Nathan Eckstein Middle School. The proposals were developed in partnership between the Seattle Department of Transportation (SDOT) and community residents in response to concerns raised after a tragic DUI-related collision on Northeast 75th Street in March.

“We’ve heard from residents that reducing speeds is a high priority on Northeast 75th Street,” said McGinn. “These proposals can help people slow down as they drive near Eckstein Middle School. We’ll work with the community to determine the best option for moving forward.”

SDOT has worked in collaboration with the community to consider changes to these streets in an effort to bring down speeds and make the roadway safer for students, neighbors and all roadway users. SDOT held three public meetings in April and May where attendees discussed existing conditions and traffic data, and discussed potential improvements. Support for different roadway configurations was one of the most common suggestions SDOT heard from the community in those meetings.


Seattle Children’s Hospital pledges funding for bike share program
Thank you to Seattle Children’s Hospital, which announced a $500,000 grant to Puget Sound Bike Share. The grant will provide adult helmets at future bike-share stations in the Seattle area. Seattle Children’s is the first major Seattle-area employer to invest in the program, which has received $1.75 million in state and federal grants.

“Seattle’s bike-share network will help provide a new option for people to get around, supporting health, safety and vibrant communities,” said Seattle Mayor McGinn. “This program is a partnership with the private sector, and we hope other institutions in our community will step forward to match Seattle Children’s investment.”


Video highlights (for more see http://seattle.gov/mayor/photos/videos.htm):


Seattle Named Hardest-Working City in U.S.

No Shootings or Killings for 363 Days, but the Fight Is Far From Over

Seattle directs contractors to advertise in ethnic media

Dragon Fest a boon to families, businesses


Recent blog posts:
Letter in support of County Ordinance 2013-0285 to protect immigrants and refugees



Office of the Mayor
City of Seattle

Dropbox/WordPress threat vectors

Well, isn’t this just special?

–Chinese Cyberespionage Group Using Dropbox and WordPress (July 10, 2013) A Chinese cyberespionage group has reportedly begun using Dropbox and WordPress to spread malware and further its forays into target computer networks. The group is the same one believed to have been responsible for attacks on the New York Times. The attackers register for a Dropbox account, upload the specially crafted content, and share it with targeted users. A memo that purported to be from the US-ASEAN (Association of Southeast Asian Nations) business council was used as bait. Once a target opens the file, the embedded malware contacts a WordPress blog for the information it needs to reach its command-and-control server, so the implant itself never has to carry a blockable C2 address.

http://www.nbcnews.com/technology/dropbox-used-chinese-hackers-spread-malware-6C10642402

http://www.darkreading.com/attacks-breaches/dropbox-wordpress-used-as-cloud-cover-in/240158057

[Editor’s Note (Pescatore): Sort of a “dog bites man” story, no? A far more interesting story (“man bites dog”) would be: “For the first time in recorded history, going back to the Stone Age, bad guys decided *not* to use the same technology the good guys are using.”

(Henry): We’ve monitored this adversary for several years, and this latest tactic demonstrates their continued evolution.  Defenders filter outbound ports, and the adversary uses C2 sites that are difficult or impossible for administrators to block…yet another example of electronic “cat and mouse.”]
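The dead-drop resolver pattern behind the item above, as an added example written for this page and not the group's malware: the operator hides a C2 address in an ordinary blog post, the implant fetches the public page and decodes it, and a proxy-log heuristic flags readers of that page which never load its CSS or scripts, which is what a scripted fetch looks like next to a browser. The marker string, the blog URL and every log line below are invented for the demo.

```python
"""Dead-drop resolver demo plus a proxy-log heuristic for spotting non-browser
readers of a blog page. Written for this page; not the malware from the article.
The marker, the blog address and the proxy log are all constructed."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

MARKER = "<!-- post-id:"  # hypothetical marker; a real campaign picks its own innocuous string


def encode_c2(c2_host: str, post_body: str) -> str:
    """Operator side: append the C2 host to a normal post as an HTML comment."""
    tag = base64.b64encode(c2_host.encode()).decode()
    return f"{post_body}\n{MARKER}{tag} -->"


def resolve_c2(page_html: str):
    """Implant side: find the marker and decode the host; None if absent or malformed."""
    m = re.search(re.escape(MARKER) + r"([A-Za-z0-9+/=]+) -->", page_html)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed proxy log: timestamp client method url status content-type user-agent
PROXY_LOG = """\
2013-07-10T09:00:01 10.1.1.5 GET http://notes-blog.wordpress.com/2013/07/update/ 200 text/html Mozilla/5.0 Firefox/22.0
2013-07-10T09:00:02 10.1.1.5 GET http://notes-blog.wordpress.com/wp-content/themes/x/style.css 200 text/css Mozilla/5.0 Firefox/22.0
2013-07-10T09:00:02 10.1.1.5 GET http://notes-blog.wordpress.com/wp-includes/js/jquery.js 200 application/javascript Mozilla/5.0 Firefox/22.0
2013-07-10T09:05:00 10.1.1.9 GET http://notes-blog.wordpress.com/2013/07/update/ 200 text/html Mozilla/4.0 (compatible; MSIE 6.0)
2013-07-10T09:35:00 10.1.1.9 GET http://notes-blog.wordpress.com/2013/07/update/ 200 text/html Mozilla/4.0 (compatible; MSIE 6.0)
2013-07-10T10:05:00 10.1.1.9 GET http://notes-blog.wordpress.com/2013/07/update/ 200 text/html Mozilla/4.0 (compatible; MSIE 6.0)
2013-07-10T10:07:13 10.1.1.7 GET http://notes-blog.wordpress.com/2013/07/update/ 200 text/html Mozilla/5.0 Safari/536.30
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "
    r"(?P<ctype>\S+) (?P<ua>.*)$"
)


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/", 1)[0]


def find_bare_page_fetches(rows, blog_domains, window=timedelta(seconds=10), min_hits=3):
    """Flag clients that repeatedly fetch an HTML page on a blog domain without ever
    loading that host's CSS/JS/images right afterwards, i.e. something other than a
    browser is reading the page. Returns {client: {url: count}}."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    flagged = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        bare = defaultdict(int)
        for i, r in enumerate(reqs):
            host = host_of(r["url"])
            if not any(host == d or host.endswith("." + d) for d in blog_domains):
                continue
            if not r["ctype"].startswith("text/html"):
                continue
            followed = any(
                host_of(s["url"]) == host
                and not s["ctype"].startswith("text/html")
                and timedelta(0) <= s["ts"] - r["ts"] <= window
                for s in reqs[i + 1:]
            )
            if not followed:
                bare[r["url"]] += 1
        hits = {u: n for u, n in bare.items() if n >= min_hits}
        if hits:
            flagged[client] = hits
    return flagged


if __name__ == "__main__":
    page = encode_c2("203.0.113.10:443", "<p>Quarterly update for members.</p>")
    print("implant resolved C2:", resolve_c2(page))
    print("suspicious readers:", find_bare_page_fetches(parse_proxy_log(PROXY_LOG), {"wordpress.com"}))
```

The heuristic will not catch an implant that deliberately fetches the page's sub-resources too, but it costs nothing to run over existing proxy logs and surfaces the cheap version of this tradecraft, which is the version most implants use.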

SANS NewsBites Vol. 15 Num. 054 : Vulnerabilities in Emergency Alert Systems; EPIC Asks Supreme Court to Halt NSA Phone Data Collection; Dark Seoul Attacks are Part of Larger Cyberespionage Operation

TOP OF THE NEWS

–Vulnerabilities in Emergency Alert Systems (July 8, 2013) Late last month, the CERT Coordination Center (CERT/CC) issued vulnerability note VU#662676 about flaws in certain Emergency Alert System decoders, devices used to interrupt television and radio broadcasts. The flaws could be exploited to take control of the devices and broadcast phony warnings. Chief among them is a private SSH key for the root account that was distributed inside publicly available firmware images, so anyone who downloaded the firmware could log in as root to any device still using that key. There have been reports in the past several years of attacks on such systems at the local level. Some of the vendors have already issued fixes for the issues, according to the CERT/CC note.

http://www.wired.com/threatlevel/2013/07/eas-holes/

http://www.kb.cert.org/vuls/id/662676
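A check for the flaw class in the CERT/CC note above, added here as an example rather than anything from the vendor or from CERT/CC: given an unpacked firmware image, list every embedded private key, note whether it is passphrase-protected, and list the authorized_keys entries that would let a holder of such a key log in. The sample file tree is constructed and its key bodies are placeholder text, not key material.

```python
"""Scan an unpacked firmware tree for embedded private keys and for SSH logins
that a leaked key would grant. Added example for this page; the SAMPLE_TREE is
constructed and its base64-looking bodies are filler, not real keys."""
import hashlib
import os
import re

# PEM-armoured private keys of the common kinds (RSA, DSA, EC, OpenSSH, PKCS#8).
PRIV_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(?P<body>.*?)-----END (?P=kind)-----",
    re.S,
)


def find_private_keys(files):
    """files: {relative path: bytes}. Returns one record per embedded private key."""
    found = []
    for path, data in sorted(files.items()):
        for m in PRIV_KEY_RE.finditer(data):
            kind = m.group("kind").decode()
            encrypted = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in m.group("body")
            found.append({
                "path": path,
                "kind": kind,
                "encrypted": encrypted,
                # digest of the PEM blob: equal digests across images or devices mean a shared key
                "sha256": hashlib.sha256(m.group(0)).hexdigest(),
            })
    return found


def find_authorized_keys(files):
    """Return (path, key type, comment) for each key that grants an SSH login."""
    hits = []
    for path, data in sorted(files.items()):
        if os.path.basename(path) != "authorized_keys":
            continue
        for line in data.decode(errors="replace").splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # tolerate a leading options field such as command="..." before the key type
            idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            hits.append((path, parts[idx], " ".join(parts[idx + 2:])))
    return hits


def load_tree(root):
    """Read every regular file under an unpacked firmware root into the {path: bytes} form."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample tree standing in for an unpacked image.
SAMPLE_TREE = {
    "etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
    "etc/ssl/legacy.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "root/.ssh/authorized_keys": b"# build key\ncommand=\"/bin/sh\" ssh-rsa AAAAB3NzaC1yc2Eplaceholder root@build\n",
    "etc/ssh/sshd_config": b"PermitRootLogin yes\n",
}


def report(files):
    """Summarise what someone who downloaded this image would gain."""
    return {
        "private_keys": [(k["path"], k["kind"], k["encrypted"]) for k in find_private_keys(files)],
        "ssh_logins": find_authorized_keys(files),
        "root_login_allowed": any(
            p.endswith("sshd_config") and b"PermitRootLogin yes" in d for p, d in files.items()
        ),
    }


if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    for key, value in report(tree).items():
        print(key, value)
```

Run it as `python scan.py /path/to/unpacked-firmware` against each firmware version a vendor publishes; the same PEM digest showing up in more than one image, or an unencrypted key under a home directory alongside an authorized_keys entry, is exactly the condition the note describes. Keys stored in binary formats are not caught by the PEM regex, so treat a clean run as necessary rather than sufficient.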


–EPIC Asks US Supreme Court to Halt NSA’s Broad Collection of Phone Records (July 8, 2013)

The Electronic Privacy Information Center (EPIC) has petitioned the Supreme Court of the United States (SCOTUS) to halt the National Security Agency’s (NSA’s) collection of phone record metadata. EPIC’s reasoning for going directly to SCOTUS is that it cannot appeal to the Foreign Intelligence Surveillance Court and no other court has the authority to vacate that court’s orders. Section 215 of the Patriot Act allows the Foreign Intelligence Surveillance Court to authorize warrants in cases where the government shows that the information sought is relevant to an authorized investigation. EPIC also argues that the records of every phone call in the country cannot all be relevant to a single investigation.

http://www.wired.com/threatlevel/2013/07/scotus-nsa-spying/

http://arstechnica.com/tech-policy/2013/07/supreme-court-asked-to-halt-nsa-phone-surveillance/

Petition: https://epic.org/EPIC-FISC-Mandamus-Petition.pdf


–Dark Seoul Attacks are Part of Larger Cyberespionage Operation (July 8, 2013) According to a study from McAfee Labs, the attacks launched against computers in South Korea in March, known as Dark Seoul, were part of a larger cyberespionage operation that is seeking military secrets. The scheme, dubbed “Operation Troy,” in a nod to references to the ancient city in the malware’s code, dates back to at least 2009. McAfee began investigating in March after attacks wiped data from computers at South Korean banks and television networks. Those behind the attacks are also targeting South Korean and US military data; the group uses malware that finds and uploads information about US/South Korean joint military exercises.

http://www.bbc.co.uk/news/technology-23227543

http://arstechnica.com/security/2013/07/hard-drive-wiping-malware-that-hit-s-korea-tied-to-military-espionage/

http://www.cbsnews.com/8301-202_162-57592604/hackers-targeting-u.s-south-korea-are-after-military-secrets-cybersecurity-experts-say/



THE REST OF THE WEEK’S NEWS

–US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria (July 8, 2013)

Internet-monitoring devices made in the US have been detected on computer networks in Iran and Sudan; their presence is a violation of US sanctions banning sale of technology to those countries. Some of the Blue Coat Systems devices have also been detected on networks in Syria. In that country, the tools have been used to censor websites and monitor communications of people questioning the government there. The tools are designed for web filtering and traffic analysis and can be used to view some encrypted traffic. Blue Coat says it cannot track who is using its products or how they are being used, but acknowledges that it can block devices from receiving company updates. Researchers say that means the company could possibly identify the locations of the devices in use.

http://www.washingtonpost.com/world/national-security/report-web-monitoring-devices-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11e2-a301-ea5a8116d211_story.html


–Japan’s Nintendo Fan Site Data Compromised (July 8, 2013) An attack on Japan’s Club Nintendo website compromised nearly 24,000 user accounts. More than 15.5 million login attempts were made between June 9 and July 5, 2013. It is possible that the credentials used in the attempts were taken from another website; if so, this was credential stuffing (replaying username/password pairs stolen elsewhere against accounts whose owners reused them) rather than password guessing, and the 24,000 successes are the accounts whose owners reused a password. The exposed information includes names, email and street addresses, and phone numbers. The site has four million members.

http://arstechnica.com/security/2013/07/mass-login-attack-on-nintendo-fan-site-hijacks-24000-accounts/

http://www.zdnet.com/club-nintendo-site-hacked-customer-data-exposed-7000017744/

http://www.theregister.co.uk/2013/07/08/nintendo_brute_force_attack/

http://www.computerworld.com/s/article/9240613/Nintendo_39_s_fan_site_hit_by_illicit_logins_24_000_accounts_accessed?taxonomyId=17

[Editor’s Note (Murray): We are seeing one of these compromises every week.  One now wants to be very careful about doing business with these sites that do not offer strong authentication. ]
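Detection logic for the mass-login pattern described above, added as an example for this page; the log format, the field names and every line are constructed, not Club Nintendo's. Credential stuffing shows up as one source trying many distinct usernames with a low success rate, which separates it from a shared office NAT address (many users, high success rate) and from a user mistyping a password (one user, eventual success). The accounts that did succeed from a flagged source are the ones to lock and reset.

```python
"""Credential-stuffing detection over constructed authentication log lines.
Added example for this page; the log format is assumed, not a product's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one stuffing source, one user who mistyped once, one shared address.
AUTH_LOG = """\
2013-06-09T02:00:01 src=198.51.100.7 user=alice result=FAIL
2013-06-09T02:00:01 src=198.51.100.7 user=bob result=FAIL
2013-06-09T02:00:02 src=198.51.100.7 user=carol result=OK
2013-06-09T02:00:02 src=198.51.100.7 user=dan result=FAIL
2013-06-09T02:00:03 src=198.51.100.7 user=eve result=FAIL
2013-06-09T02:00:03 src=198.51.100.7 user=fay result=FAIL
2013-06-09T02:00:04 src=198.51.100.7 user=gus result=FAIL
2013-06-09T02:00:04 src=198.51.100.7 user=hal result=FAIL
2013-06-09T02:00:05 src=198.51.100.7 user=ida result=FAIL
2013-06-09T02:00:05 src=198.51.100.7 user=jon result=FAIL
2013-06-09T02:03:10 src=203.0.113.5 user=kim result=FAIL
2013-06-09T02:03:25 src=203.0.113.5 user=kim result=OK
2013-06-09T02:04:00 src=192.0.2.44 user=lee result=OK
2013-06-09T02:04:05 src=192.0.2.44 user=max result=OK
2013-06-09T02:04:09 src=192.0.2.44 user=ned result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def bucket_start(ts, window_minutes):
    """Floor a timestamp to the start of its window (window_minutes must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)


def score_sources(rows, window_minutes=10, min_attempts=8, min_users=5, max_success_rate=0.2):
    """Per source and window: many attempts across many usernames with few successes.
    A shared NAT address also shows many users, but its success rate stays high."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for r in rows:
        s = stats[(r["src"], bucket_start(r["ts"], window_minutes))]
        s["attempts"] += 1
        s["users"].add(r["user"])
        s["successes"] += r["result"] == "OK"
    flagged = []
    for (src, start), s in sorted(stats.items()):
        rate = s["successes"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged.append({
                "src": src,
                "window_start": start.isoformat(),
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "successes": s["successes"],
                "success_rate": round(rate, 3),
            })
    return flagged


def accounts_to_reset(rows, flagged, window_minutes=10):
    """Accounts that logged in successfully from a flagged source/window: treat as hijacked."""
    bad = {(f["src"], f["window_start"]) for f in flagged}
    return {
        r["user"]
        for r in rows
        if r["result"] == "OK" and (r["src"], bucket_start(r["ts"], window_minutes).isoformat()) in bad
    }


if __name__ == "__main__":
    rows = parse_auth_log(AUTH_LOG)
    flagged = score_sources(rows)
    print("flagged sources:", flagged)
    print("force password reset for:", sorted(accounts_to_reset(rows, flagged)))
```

The thresholds are starting points, not constants; tune `min_attempts` and `max_success_rate` against a week of your own logs so that office NAT addresses and password-manager-driven users stay below the line. Rotating source addresses defeat per-source counting, which is why the per-account view (one account, logins from many sources in a short window) belongs next to this one.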


–Cryptocat Fixes Encryption Flaw (July 8, 2013) Developers of the open-source instant messenger Cryptocat have acknowledged a security flaw in the application that left users’ group-chat communications vulnerable to snooping for at least seven months. Because of a key-generation bug, the private keys used to encrypt group chats were drawn from a far smaller set of values than intended, leaving them practical to recover by brute force. The flaw has been addressed in Cryptocat 2.0.42, but the developers urge users to upgrade to Cryptocat 2.1.x.

http://www.zdnet.com/encrypted-im-app-left-vulnerable-to-snooping-for-7-months-7000017748/

http://arstechnica.com/security/2013/07/bad-kitty-rooky-mistake-in-cryptocat-chat-app-makes-cracking-a-snap/
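An illustration, written for this page rather than taken from Cryptocat, of why a key generated from the wrong alphabet falls to brute force: filling each key position with a decimal digit (10 values) instead of a byte (256 values) leaves about 3.3 bits of work per position instead of 8, and the whole key becomes enumerable. Key lengths are kept tiny so the search finishes in seconds; the tag function stands in for whatever a real attacker can test guesses against (a MAC on a captured message, a known plaintext, a published fingerprint).

```python
"""Weak versus strong key generation and a brute force over the weak key space.
Added illustration for this page; not Cryptocat's code. Sizes are toy-sized."""
import hashlib
import math
import secrets


def weak_key(n_positions):
    """Bug pattern: each key byte is a random decimal digit 0-9, so only 10**n keys exist."""
    return bytes(secrets.randbelow(10) for _ in range(n_positions))


def strong_key(n_positions):
    """Correct: each byte uniformly from 0-255, so 256**n keys exist."""
    return secrets.token_bytes(n_positions)


def keyspace_bits(alphabet_size, n_positions):
    """Attacker's work in bits for a key of n positions over the given alphabet."""
    return n_positions * math.log2(alphabet_size)


def key_tag(key):
    """Stand-in for a value the attacker can check a guessed key against."""
    return hashlib.sha256(b"group-chat:" + key).digest()


def crack_weak_key(tag, n_positions):
    """Enumerate every key the weak generator can produce until the tag matches."""
    for n in range(10 ** n_positions):
        candidate = bytes((n // 10 ** i) % 10 for i in range(n_positions))
        if key_tag(candidate) == tag:
            return candidate
    return None


if __name__ == "__main__":
    k = weak_key(5)
    print("recovered weak key:", crack_weak_key(key_tag(k), 5) == k)
    print("32 positions, digits: %.1f bits" % keyspace_bits(10, 32))   # ~106.3
    print("32 positions, bytes : %.1f bits" % keyspace_bits(256, 32))  # 256.0
```

The lesson generalises past this one bug: whenever a key is assembled from characters, digits or words, compute `keyspace_bits` for the actual alphabet and length rather than for the byte length of the result, and treat the difference as the margin you have given away.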


–Judge Orders US Government to Release Documents About Aaron Swartz (July 8, 2013) A federal judge has ordered the US government to release Secret Service documents about Aaron Swartz. The government must “promptly release to Plaintiff all responsive documents that it has gathered thus far and shall continue to produce additional responsive documents that it locates on a rolling basis,” wrote US District Judge Colleen Kollar-Kotelly. The government must immediately start releasing documents it has already processed, and it has until August 5 to answer and produce a timetable for release of the rest of the documents.

http://www.wired.com/threatlevel/2013/07/swartz-foia/


–European Parliament Demands Information on PRISM (July 7 & 8, 2013) The European Parliament has passed a resolution demanding that the US government provide “full information on PRISM and other such programmes involving data collection.” In addition, the European Parliament Civil Liberties Commission has voted to launch an “in-depth inquiry” into privacy and civil rights issues for EU citizens raised by PRISM. The Parliament is calling on member nations to consider putting a hold on counter-terrorism data transfer agreements with the US until the data are better protected.

http://www.computerworld.com/s/article/9240634/Fallout_from_NSA_surveillance_program_disclosures_spreads?taxonomyId=17

http://www.washingtonpost.com/blogs/wonkblog/wp/2013/07/07/european-outrage-about-the-nsa-could-force-us-to-rethink-our-surveillance-laws/

http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2013-0322&language=EN

http://www.europarl.europa.eu/news/en/pressroom/content/20130701IPR14770/html/Parliament-to-launch-in-depth-inquiry-into-US-surveillance-programmes


–Updated COPPA Rules Now in Effect (July 5, 2013) The US Federal Trade Commission’s (FTC’s) revised rules for the Children’s Online Privacy Protection Act of 1998 (COPPA) took effect on July 1, 2013. The law prohibits the collection of personal data from children under age 13 without first obtaining verifiable parental consent. It also requires websites to have clear and accessible privacy policies and to ensure the security of the information they collect from children. The updated rules specify that personal information now includes “geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services,” as well as photos, videos, and sound recordings. COPPA applies to smartphone apps as well as websites.

http://www.informationweek.com/security/privacy/child-privacy-online-ftc-updates-coppa-r/240157734

COPPA Amendments: http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf

[Editor’s Note (Henry): Interesting.  Remove “children” and “parental” and replace with the word “people” and it sounds like it suits everyone’s needs…

(Pescatore): Since COPPA applies only if a site has “actual knowledge that they are collecting, using, or disclosing personal information from children under 13” the FTC has promised more information “soon” on better definition of what constitutes “actual knowledge.” The FTC also has a “Safe Harbor” program (see http://business.ftc.gov/content/safe-harbor-program) where industry groups can submit their self-regulation guidelines to the FTC for approval.

(Murray): These rules were published in January and drew limited comment.  However, they have significant impact.  Third parties are complaining because the rules discourage “child directed services” from placing their cookies. ]


–Microsoft’s July Security Update Includes Six Critical Bulletins (July 4, 5, 6 & 8, 2013) On Tuesday, July 9, Microsoft plans to issue seven security bulletins, six of which address remote code execution flaws and are rated critical.

The seven bulletins will address flaws in all currently supported versions of Windows and Microsoft Office, as well as Lync, Silverlight, Visual Studio, and Internet Explorer (IE) versions 6 through 10, including IE 10 on Windows 8 and Windows RT.  One of the flaws likely to be addressed is a Windows kernel issue that a researcher posted to the Full Disclosure mailing list in early June, once again inciting pointed discussion about responsible disclosure.

http://technet.microsoft.com/en-us/security/bulletin/ms13-jul

http://www.eweek.com/security/microsoft-plans-critical-windows-security-patches/

http://www.v3.co.uk/v3-uk/news/2279824/microsoft-readies-six-critical-security-updates-for-patch-tuesday

http://www.h-online.com/security/news/item/Microsoft-Patch-Tuesday-to-close-kernel-hole-1911898.html

http://www.zdnet.com/julys-patch-tuesday-to-fix-six-critical-windows-office-ie-security-vulnerabilities-7000017747/

http://www.theregister.co.uk/2013/07/05/ms_july_2013_patch_tuesday_prealert/

http://www.computerworld.com/s/article/9240581/Internet_Explorer_pegged_for_critical_fix_on_Tuesday?taxonomyId=17

[Editor’s Note (Shpantzer): Some of these are also on OS X:

http://technet.microsoft.com/en-us/security/bulletin/ms13-022 ]


–UK ICO Has “Serious Questions” About Google’s Privacy Policy (July 4 & 5, 2013) The UK’s Information Commissioner’s Office (ICO) has given Google until September 20, 2013 to alter its privacy policy to comply with the UK Data Protection Act, or face “formal enforcement action.” The ICO said that Google’s current policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Privacy watchdogs in other European countries have issued similar warnings.

http://www.theregister.co.uk/2013/07/05/ico_threatens_to_fine_google_over_privacy_policy_tweaks/

http://crave.cnet.co.uk/software/google-must-change-privacy-policy-says-uk-watchdog-50011656/

http://www.computerworld.com/s/article/9240584/Google_ordered_to_change_its_privacy_policy_in_the_UK?taxonomyId=17

http://www.bbc.co.uk/news/technology-23187771


************************************************************************

The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI’s critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation’s top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power’s CSO.  He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute’s top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute’s Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS’ global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/

California’s first data-breach report finds 131 incidents hit 2.5 million citizens

This story appeared on Network World at
http://www.networkworld.com/news/2013/070213-california-data-breach-271488.html

By Ellen Messmer, Network World
July 02, 2013 10:44 AM ET

Network World – The state of California yesterday issued its first annual data-breach report saying for 2012 it recorded a total of 131 data breach incidents that put the personal data of more than 2.5 million Californians at risk.

According to California’s report, the retail industry reported the most data spills last year, accounting for 26% of the total, followed by finance and insurance at 23%. More than half of last year’s incidents reported in California involved Social Security numbers. And more than half of all the reported data breaches — 55% — were the result of deliberate intrusions by outsiders or unauthorized insiders.

“Particularly striking is the impact of the failure to encrypt sensitive personal information,” said California Attorney General Kamala Harris in her statement accompanying the state’s 2012 data-breach report. “It has been ten years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2.5 million people affected by the 131 breaches covered in the report.”

California has had data-breach notification statutes in effect since 2003, which require that California residents be notified if their personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person. In 2012, for the first time, those subject to the California law were required to provide copies of their notices to the Attorney General when a breach involved more than 500 Californians, the report points out.

The types of personal information deemed sensitive include Social Security numbers, driver’s license or California identification card numbers, and financial account or health-related information. Yesterday was the first time California had published a report summarizing a year’s data-breach incidents.

According to the report, of the 131 breaches, government was responsible for 8%, the healthcare industry 15%, education 8%, professional services 5%, the retail industry 26% and the financial and insurance industries 23%, with the remaining 15% lumped together as “other.”

An analysis of “type of failure” showed that 55% were tied to computer and security failures, including point-of-sale devices at merchants being compromised by skimming devices used by criminals to steal financial information.

In this category called “logical failures,” the California data-breach report noted that “two of the five largest breaches affecting more than 100,000 individuals were caused by outside hackers. Valve Corporation, an online game software company, reported an intrusion affecting 509,000 individuals in February 2012, and Global Payments, Inc., a processor of electronic payments transactions, reported an intrusion affecting 139,034 individuals in July 2012. Ten percent of the breaches (13) were caused by insiders — employees, contractors, vendors, customers — who intentionally accessed systems and data without authority.”

In the report, “physical failures” — comprising 27% of the total — were said to be related to lost or stolen hardware. Two of the five largest incidents there were said to be the California Department of Social Services reporting a lost computer storage device containing information on 845,000 parents, children and caregivers in March 2012, and Emory Healthcare, reporting missing data disks containing financial and medical information on 318,000 patients in May 2012.

A third category, “procedural failures,” constituted 18% of the overall breach incidents. These are processing errors such as misdirected physical and electronic mail or unintentional web postings; among them the report highlighted an incident reported in May 2012 involving First Data Corporation, in which information on 108,500 merchants was “inadvertently transmitted to outside firms.”
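A pre-export check for the failure the report singles out, added here as an example and not something from the report or the Attorney General's office: scan an outgoing file for plaintext Social Security numbers and mask them before the data reaches a laptop, tape or e-mail, which is where the 1.4 million exposures above happened. The sample text is constructed; its numbers are either the SSA's well-known never-issued examples or deliberately malformed. The strict/loose distinction is a design choice for this demo.

```python
"""Find and mask plaintext US Social Security numbers in text before export.
Added example for this page; SAMPLE is constructed and contains no real SSNs."""
import re

# Strict: separators required and consistent (123-45-6789 or 123 45 6789).
SSN_STRICT = re.compile(
    r"(?<![\d-])(?P<a>\d{3})(?P<sep>[- ])(?P<g>\d{2})(?P=sep)(?P<s>\d{4})(?![\d-])"
)
# Loose: also bare nine-digit runs; more recall, more false positives (order numbers etc.).
SSN_LOOSE = re.compile(r"(?<![\d-])(?P<a>\d{3})[- ]?(?P<g>\d{2})[- ]?(?P<s>\d{4})(?![\d-])")


def is_valid_ssn(area, group, serial):
    """SSA structure rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text, require_separator=True):
    """Return (offset, matched text) for every structurally valid SSN in text."""
    pattern = SSN_STRICT if require_separator else SSN_LOOSE
    return [
        (m.start(), m.group(0))
        for m in pattern.finditer(text)
        if is_valid_ssn(m["a"], m["g"], m["s"])
    ]


def redact(text, require_separator=True):
    """Mask every SSN to ***-**-NNNN so the export leaves with only the last four digits."""
    pattern = SSN_STRICT if require_separator else SSN_LOOSE

    def mask(m):
        return "***-**-" + m["s"] if is_valid_ssn(m["a"], m["g"], m["s"]) else m.group(0)

    return pattern.sub(mask, text)


# Constructed sample export. The phone and card numbers must not be flagged.
SAMPLE = """\
J. Doe, SSN 219-09-9999, phone 206-684-3000
R. Roe, SSN 078 05 1120, card 4111-1111-1111-1111
Malformed: 000-12-3456 666-45-6789 987-65-4321 123-00-4567 123-45-0000
Bare digits: 219099999 order 123456789
"""

if __name__ == "__main__":
    for offset, ssn in find_ssns(SAMPLE):
        print(f"plaintext SSN at byte {offset}: {ssn}")
    print(redact(SAMPLE))
```

Run the strict scan in the export path and block the job on any hit; run the loose scan as a periodic audit and review its extra hits by hand, since a bare nine-digit run is as likely to be an order number as an SSN. Masking is the fallback for data that must travel; the report's own point is that encrypting the whole export removes the question.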

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

All contents copyright 1995-2013 Network World, Inc. http://www.networkworld.com

Report: US energy at cyberattack risk

U.S. oil and natural gas operations are increasingly vulnerable to cyber attacks that can harm the competitiveness of energy companies or lead to costly outages at pipelines, refineries or drilling platforms, a report said on Wednesday. The energy business, including oil and gas producers, was hit by more targeted malware attacks from April to September last year than any other industry, said the Council on Foreign Relations (CFR) report, citing data from a Houston-based security company, Alert Logic. Cyber attacks on energy companies, which are increasing in frequency and sophistication, take two main forms, the CFR report said. The first kind, cyber espionage, is carried out by foreign intelligence and defense agencies, organized crime, or freelance hackers. These parties covertly capture sensitive corporate data or communications with the goal of gathering commercial or national security intelligence. U.S. energy companies are subject to frequent and often successful attempts by competitors and foreign governments to access long-term strategic plans, bids tendered for new drilling acreage, talks with foreign officials and other trade secrets, the report said.
Source: http://www.reuters.com/article/2013/06/26/net-us-usa-energy-hackers-idUSBRE95P06120130626

Android’s new ransomware scam

Owners of Android devices should beware: Symantec has warned that criminals have begun targeting Android smartphones with software that locks the device until a ransom is paid for the unlock code. Ransomware of this kind has typically targeted personal computers, where it has become a profitable way for cyber-criminals to fleece consumers whose machines are not adequately protected. Now the aggressive fake-antivirus variant of the scam has spread to mobile devices as well, Symantec stated in a blog post. A program called Android Defender (not related to a legitimate program of the same name) infects the victim’s device via a fake installer, then appears to run a scan that finds a number of critical security issues. If the user does not buy the program, it will eventually make the device unusable, said Kevin Haley, director of product management for Symantec’s security response group.
Source: http://www.techweekeurope.co.uk/news/android-ransomware-scam-120099

Hack attacks on medical devices

Computer viruses do not discriminate. Malware prowling the cybersphere for bank information and passwords does not distinguish between a home computer or a hospital machine delivering therapy to a patient. Even if a radiation therapy machine, say, is infiltrated unintentionally, malware could theoretically cause radiation doses to spike.
Medical device makers need to protect their products from cyber attack, according to recent draft guidance from the U.S. Food and Drug Administration. The FDA calls on manufacturers to consider the vulnerabilities that arise when medical devices are integrated more thoroughly into networks and connected to the Internet, and asks them to draw up security plans for protecting their systems from malware before submitting the devices for market approval. The agency also prodded hospitals to step up reporting of any cyber attacks.
Source: http://news.yahoo.com/cyber-concern-hack-attacks-medical-devices-110200388.html

Google not required to delete PII

Google is not obliged to delete personally identifiable information (PII) from its search results, even when that information damages an individual’s reputation, an adviser to the European Court of Justice has advised. In a long-running case about the “right to be forgotten” by search engines, the judges have been asked to rule on whether Google should be treated in law as a publisher of information or merely as a host. The case stems from a complaint by Mario Costeja, a Spaniard who searched for his name on Google and found a newspaper announcement from 15 years earlier saying a property he owned was up for auction because of non-payment of social security contributions.
Source: http://www.guardian.co.uk/technology/2013/jun/25/google-not-delete-sensitive-information-court

Hacker Scrapes Thousands Of Public Phone Numbers Using Facebook Graph Search

A hacker has used Facebook’s Graph Search to collect a database of thousands of phone numbers matched to Facebook users. Both parties agree that all of the information was left public by the users themselves (even if those users may still not realize it). Facebook nonetheless issued him a cease-and-desist letter after he continued to scrape data and argued with the company that the availability of the information invades users’ privacy. Brandon Copley, a mobile developer in Dallas, Texas, searched for and downloaded 2.5 million phone-number entries from the social network. He says many of these entries are empty, because the numbers are either not active or not connected to a Facebook user with public settings; however, thousands of entries do match a phone number to the name of a Facebook user.
Source: http://techcrunch.com/2013/06/24/hacker-scrapes-thousands-of-public-phone-numbers-using-facebook-graph-search/
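The scraping described above is a phone-number enumeration: one client walks a large range of numbers and keeps the few that resolve to a public profile. Copley's own observation that "many of these entries are empty" is the defender's signal, because a bulk enumerator produces a very different hit rate from a user looking up a handful of contacts. The following is an added example (not code from the article, from Facebook or from the researcher) showing how such enumeration can be spotted in a lookup endpoint's access log. The log format, client addresses, endpoint behaviour and thresholds are assumptions chosen for illustration, and the log lines are constructed, not real data.

```python
"""Flag phone-number enumeration against a public lookup endpoint.

Added example with an assumed log format:
    <ISO timestamp> client=<addr> q=<E.164 number> hits=<0|1>
where hits=1 means the number resolved to a public profile.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<number>\+\d+) hits=(?P<hits>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "client": m["client"],
        "number": m["number"],
        "hits": int(m["hits"]),
    }


def find_enumerators(lines, window=timedelta(minutes=5),
                     min_distinct=8, min_miss_ratio=0.5):
    """Return {client: (distinct_numbers, miss_ratio)} for clients whose lookups
    inside any sliding `window` look like enumeration: many distinct numbers
    queried and most of them returning no public profile.

    Lines are assumed to be in chronological order per client. Counting the
    miss ratio, not just volume, keeps a contact importer that uploads a
    phone book of mostly-known numbers from being flagged.
    """
    recent = defaultdict(deque)  # client -> (ts, number, hits) within window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines that do not match the assumed format
        q = recent[ev["client"]]
        q.append((ev["ts"], ev["number"], ev["hits"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop lookups that fell out of the window
        distinct = {n for _, n, _ in q}
        misses = sum(1 for _, _, h in q if h == 0)
        miss_ratio = misses / len(q)
        if len(distinct) >= min_distinct and miss_ratio >= min_miss_ratio:
            prev = flagged.get(ev["client"])
            if prev is None or len(distinct) > prev[0]:
                flagged[ev["client"]] = (len(distinct), round(miss_ratio, 2))
    return flagged


def constructed_log():
    """Constructed sample log (not real traffic): one scraper, one importer."""
    base = datetime(2013, 6, 20, 10, 0, 0)
    lines = []
    # Scraper 203.0.113.7 walks 12 consecutive numbers; only 3 resolve.
    for i in range(12):
        hits = 1 if i in (2, 5, 9) else 0
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"client=203.0.113.7 q=+1415555{100 + i:04d} hits={hits}")
    # Contact importer 198.51.100.5 uploads 10 distinct numbers; 9 resolve.
    for i in range(10):
        hits = 0 if i == 4 else 1
        lines.append(f"{(base + timedelta(seconds=20 + i)).isoformat()} "
                     f"client=198.51.100.5 q=+1212555{i:04d} hits={hits}")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for client, (n, ratio) in find_enumerators(constructed_log()).items():
        print(f"{client}: {n} distinct numbers, miss ratio {ratio}")
```

On the constructed log the scraper is reported with 12 distinct numbers and a miss ratio of 0.75, while the importer, despite querying 10 distinct numbers, stays under the miss threshold and is not reported. In practice the thresholds would be tuned against the endpoint's real hit rate, and the same logic applies to any lookup that maps an enumerable identifier (phone number, e-mail, username) to a profile.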