Wells Fargo BYOH

March 8, 2011

At the end of January, I wrote about the current trend in allowing users to bring their own hardware into an enterprise environment. Some companies are allowing personally owned smartphones and tablets, for example, to connect to their enterprise network. This both makes employees happy and saves the company money.

Other companies are not allowing this. Wells Fargo, for one.

From the article:

“I carry two phones. One for personal, and one for work,” says Martin Davis, executive vice president and head of Wells Fargo’s technology integration office. “I’ve got two iPads in my briefcase, for personal and work. We keep it separate.”

I like the way he thinks.


SSD Self-Purging

March 7, 2011

Researchers from Australia have published a new paper indicating that forensic tasks will be a lot more difficult on solid-state drives than they are on standard hard drives. Routines built into the drive hardware to clean up unused space will alter data, without any human intervention at all. Worse yet, tools like “write blockers” are ineffective because the actions are internal to the drive and not initiated from the outside.

Evidence gathering is going to be a lot tougher until some new tools are developed.


Calling Service Shut Down

February 27, 2011

The unique services of callservice.biz, which assisted thousands of identity thieves since the site’s founding in 2007, have been shut down.

The idea was simple: since many identity thieves are operating in non-English-speaking countries, they need people with believably American accents to talk to bankers. Callservice.biz supplied voice talent, in German or English, to use the data stolen by criminals to impersonate account holders and authorize things like wire transfers or withdrawals.

The owner of the site, Dmitry M. Naskovets, has pled guilty to wire fraud charges and is facing up to thirty-seven and a half years in prison.


Lojack for Students

February 19, 2011

The Anaheim Union High School District of California has come up with a new scheme for battling truancy: track students with GPS units.

Students with four or more unexcused absences are issued a GPS unit, which they must carry with them during the day. Their locations are checked five times a day – when they leave home for school, when they arrive, at lunchtime, when they leave school, and at eight PM. In addition to location tracking, students are assigned to a mentor for one-on-one planning sessions to avoid future truancy.

This is an interesting solution to a common problem – although I have to wonder how beneficial it really is to the other students to divert funds from education to technology, in the interests of filling the classroom with students who would rather not be there.


Cybersecurity Budget

February 15, 2011

In a fairly austere budget year, the Obama administration is pushing for a significant increase in cybersecurity research funding at the federal level. This is a clear response to the complete inability of some government agencies to control data exfiltration (see: WikiLeaks) as well as the threat to SCADA and other systems represented by Stuxnet.


UL Approval

February 10, 2011

Underwriters Laboratories, the independent product testing firm that certifies electrical and electronic devices of all stripes, is launching a new standard for security testing. UL2825, which will be officially launched on February 14, will verify that equipment can handle DDoS traffic, malicious traffic, and other adverse security conditions.


Hoover Dam

February 7, 2011

Part of the hype for the current “Internet Kill Switch” legislation has been evocative images of the Hoover Dam. Clearly, nobody wants the floodgates of the Hoover Dam to open due to an Internet security breach – it’s a great image, because it’s like something out of a Bond movie. So the backers of the bill have been painting that picture and hoping that the visceral dread it evokes will help carry the bill through Congress.

Only one problem – the Hoover Dam, according to the people who actually manage it, isn’t connected to the Internet.

Next thing you know, villains won’t have eyepatches and cats. What a world.


Facebook Subpoenas

January 28, 2011

For a long time, public posts on the Internet have been admissible as evidence. But more and more often, private or restricted posts are being subpoenaed from sites like Facebook and MySpace for use in court.

From the article:

In the United States, postings on social networks are generally governed by the federal Stored Communications Act, which regulates how private information can be disseminated in non-criminal matters. The law has been interpreted to mean that the sites don’t have to hand over users’ personal data in response to a civil subpoena. Defense lawyers, though, have devised a strategy to work around this roadblock: They ask judges to order plaintiffs to sign consent forms granting defendants access to their private material. The defendants then attach these consent forms when they subpoena the sites. In these subpoenas, the plaintiffs are essentially authorising the sites to hand over printouts of the private portions of their pages to the defendants.

Long story short – if you’re going to claim a debilitating injury, you probably shouldn’t post photos of your rock-climbing trip a week later on Facebook. Even if they’re “private”, they’re not.


Student Intellectual Property

January 26, 2011

It’s a given in the world of research universities that the school is at least a partial owner of new patents or products created by its faculty. But with students creating more and more “apps” for platforms like iOS and Android, and with those apps often being worth big money, policies on university ownership of student creations are getting more attention.

From the article:

Missouri relented in Brown’s case. It also wrote rules explicitly giving student inventors the legal right to their unique ideas developed under specific circumstances. If the invention came from a school contest, extracurricular club or individual initiative, the university keeps its hands off. If the student invention came about under a professor’s supervision, using school resources or grant money, then the university can assert an ownership right – just as it does for faculty researchers.

This is an important trend that needs to be watched – in your organization, are there policies governing what intellectual property rights belong to the company for work performed by employees? If one of your call center workers invents The Next Big Thing while taking a support call, what happens?

If you haven’t thought about this yet, it’s probably time. Writing policies as they are needed is never a good idea.


Confidentiality of Work Email

January 24, 2011

An appellate court in California has ruled that attorney-client privilege does not apply to messages sent by a client using his or her corporate email account. The particular case was that of a young woman who felt that her employers had become hostile upon learning of her pregnancy. The emails between her and her attorney were introduced at trial as evidence of her emotional state.

The emails were not considered confidential because the small business involved had a written policy declaring email to be monitored and intended for business use only. This is further proof of how important it is to have properly written and publicized security policies in a business environment.