Heartbleed Means HealthCare.gov Users Must Reset Passwords
By Aliya Sternstein
April 19, 2014
Federal officials are telling Obamacare website account holders to reset
their passwords, following revelations of a bug that could allow hackers
to steal data.
Officials earlier in the month said the government’s main public sites,
including HealthCare.gov, were safe from the risks surrounding Heartbleed
— faulty code recently found in a widely-used encryption tool.
But, this weekend, the online marketplace’s homepage directs users to
change their login information.
“While there’s no indication that any personal information has ever been
at risk, we have taken steps to address Heartbleed issues and reset
consumers’ passwords out of an abundance of caution,” HealthCare.gov
INFO: Google scans user’s emails
Google updates terms of service to reflect its scanning of users’ emails
Google has updated its terms of service to reflect that it analyzes user
content including emails to provide users tailored advertising, customized
search results and other features.
The Internet giant’s scanning of users’ email has been controversial with
privacy groups describing it as an intrusion into user privacy.
Mission-critical satellite communications wide open to malicious hacking
By Dan Goodin
April 17, 2014
Mission-critical satellite communications relied on by Western militaries
and international aeronautics and maritime systems are susceptible to
interception, tampering, or blocking by attackers who exploit easy-to-find
backdoors, software bugs, and similar high-risk vulnerabilities, a
researcher warned Thursday.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of
manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can
be hijacked by adversaries who send them booby-trapped SMS text messages
and use other techniques, according to a 25-page white paper published by
penetration testing firm IOActive. Once a malicious hacker has remotely
gained control of the devices, which are used to communicate with
satellites orbiting in space, the adversary can completely disrupt
mission-critical satellite communications (SATCOM). Other malicious
actions include reporting false emergencies or misleading geographic
locations of ships, planes, or ground crews; suppressing reports of actual
emergencies; or obtaining the coordinates of devices and other potentially
“If one of these affected devices can be compromised, the entire SATCOM
infrastructure could be at risk,” Ruben Santamarta, IOActive’s principal
security consultant, wrote. “Ships, aircraft, military personnel,
emergency services, media services, and industrial facilities (oil rigs,
gas pipelines, water treatment plants, wind turbines, substations, etc.)
could all be impacted by these vulnerabilities.”
Santamarta said that every single one of the terminals he audited
contained one or more weaknesses that hackers could exploit to gain remote
access. When he completed his review in December, he worked with the CERT
Coordination Center to alert each manufacturer to the security holes he
discovered and suggested improvements to close them. To date, Santamarta
said, the only company to respond was Iridium. To his knowledge, the
remainder have not yet addressed the weaknesses. He called on the
manufacturers to immediately remove all publicly accessible copies of
device firmware from their websites to prevent malicious hackers from
reverse engineering the code and uncovering the same vulnerabilities he
My colleague Scott Michelman has obtained an excellent ruling from the Court of Appeals for the Fourth Circuit holding that a company could not sue the federal government over its maintaining files about an allegedly bad product while keeping both the name of the product, and the name of the company, confidential.
Paul Alan Levy
Public Citizen Litigation Group
1600 – 20th Street, NW
Washington, D.C. 20009
Fourth Circuit: Injury to Corporate Reputation Not Enough to Justify Sealing Court Case
‘Company Doe’ Sued to Keep Complaint Out of Federal Database Designed to Warn Consumers of Faulty Products
April 16, 2014
Contact: Scott Michelman (202) 588-7739
Angela Bradbery (202) 588-7741
WASHINGTON, D.C. – Holding that injury to corporate reputation doesn’t justify sealing a court case, an appellate court today in Company Doe v. Public Citizen handed a key victory (PDF) to consumers. It also solidified the integrity of a federal database designed to warn consumers about faulty products and confirmed the importance of public access to courts, Public Citizen said today.
In the case, a company sued to keep a complaint about one of its products out of a database created by the Consumer Product Safety Commission (CPSC) and persuaded a district court judge to adjudicate the matter in secret, sealing most documents pertaining to the case and permitting the company to use the pseudonym “Company Doe.” Public Citizen, along with Consumer Federation of America and Consumers Union (the publisher of Consumer Reports), objected to the seal. The U.S. Circuit Court of Appeals for the Fourth Circuit ruled today that the record must be unsealed.
“The Fourth Circuit sent a strong message today that corporations that turn to the courts must accept that public access to the proceedings is part of going to court in an open and democratic society,” said Scott Michelman, the Public Citizen attorney handling the case.
The public will learn the name of the company as soon as the case is sent back to the district court, Michelman said.
The court ruled that:
• Injury to corporate reputation is not enough to justify sealing court records under the First Amendment;
• The right to exclude a report from the CPSC database doesn’t include the right to litigate the entire matter in secret;
• Judicial opinions, summary judgment materials and docket sheets are protected by the First Amendment right of access to courts;
• Permitting a company to use a pseudonym to challenge the inclusion of a report in the CPSC database was an abuse of discretion in light of the public interest in the database; and
• District courts must act expeditiously on sealing requests.
The underlying case was the first legal challenge to the CPSC product safety database, which was set up in 2011 as required by the Consumer Product Safety Improvement Act of 2008. Allowing public access to the court record allows the public to assess both the functioning of the court and the effect of this case on the CPSC and its database going forward.
“The ruling is a complete victory for consumers and a strong vindication of the First Amendment imperative to conduct litigation in the open,” Michelman added. “This decision will stand as a bulwark against the conduct of secret litigation such as occurred in this case.”
Learn more about the case.
States announced today and their grant amounts are:
Alaska — $1,519,520
Illinois — $22,060,358
New York — $36,046,044
Pennsylvania — $18,355,214
South Carolina — $7,195,035
On Earth Day (April 22), the Department will broadcast live on its USTREAM channel the announcement of 2014 U.S. Department of Education-Green Ribbon Schools Award winners, as well as post all nomination packages and release a highlights document. (Note: National Environmental Education Week is April 13-19, and National Park Week is April 19-27.)
The Department is currently seeking applications for the Elementary and Secondary School Counseling Program, the Advanced Placement (AP) Test Fee Program, and the Turnaround School Leaders Program. The school counseling program provides funding to districts to establish or expand school counseling programs, with special consideration given to applicants that can: demonstrate the greatest need for counseling services in the schools to be served; propose most innovative and promising approaches; and show the greatest potential for replication and dissemination. Applications are due April 28. The test fee program awards grants to states to enable them to pay all or a portion of AP test fees on behalf of low-income students. Applications are due May 8. The school leadership program supports projects to develop and implement or enhance and implement a critical leadership pipeline that selects, prepares, places, supports, and retains school leaders for School Improvement Grant (SIG) schools or SIG-eligible schools. Applications are due May 23.
Moreover, for the current fiscal year, the Department’s Office of Innovation and Improvement (OII) is conducting 13 grant competitions across five program areas: Arts in Education, Charter Schools, Investing in Innovation (i3), Full-Service Community Schools, and Teacher Quality Partnerships. Four of the competitions are already underway. Announcements of the other competitions are slated for later this spring.
Also, be sure to review the Department’s FY 2014 Grants Forecast (as of March 31), which lists virtually all programs and competitions under which the agency has invited or expects to invite applications for awards and provides actual or estimated dates for the transmittal of applications under these programs. (Note: This document is advisory only and not an official application notice of the Department of Education.)
Skills for the New Economy: Preparing Students for College and Careers
RETHINKING HIGH SCHOOL
On April 7, during his visit to Bladensburg High School in Prince George’s County, Maryland, President Obama announced 24 Youth CareerConnect grants, providing $107 million to local partnerships of school districts, institutions of higher education, workforce investment boards, and employers as they redesign the teaching and learning experience for youth to more fully prepare them with the knowledge, skills, and industry-relevant education needed to get on the pathway to a successful career, including postsecondary education or registered apprenticeship. “We challenged America’s high schools to…say what they can do to make sure their students learn the skills that businesses are looking for in high-demand fields,” the President said. “And we asked high schools to develop partnerships with colleges and employers and create classes that focus on real life applications for the fields of the future — fields like science and technology and engineering and math…. The winners across the board are doing the kinds of things that will allow other schools to start duplicating what they’re doing…. And that’s what we want for all the young people here. We want an education that engages you…that equips you with the rigorous and relevant skills for college and for a career” (blog post, with remarks and video).
The Youth CareerConnect program was established this year by the Labor Department, in collaboration with the Education Department, using one-time revenues from the H-1B visa program. Grants range from $2.2 million to $7 million. The program wholly complements additional proposals in the President’s Fiscal Year 2015 budget to ensure high school students graduate ready for college and career success and to help the U.S., once again, lead the world in college attainment.
Bladensburg High School was part of a three-school team from the county that won a $7 million grant. It offers several career academies with high school curricula aligned with college-level entrance requirements for Maryland’s state university system. Through a collaborative effort with local partners, it will expand the capacity of its Health and Biosciences Academy to better prepare more students for one of the region’s highest growth industries. Students who concentrate in health professions will be able to earn industry-recognized certifications in the fields of nursing and pharmacy. Biomedical students will be able to earn college credit from the University of Maryland at Baltimore County and the Rochester Institute of Technology. All students will have access to individualized college and career counseling designed to improve preparation for college-level coursework and the attainment of industry-recognized credentials. Students will also have the ability to receive postsecondary credit while still in high school and have access to paid work experiences with employer partners such as Lockheed Martin. Overall, the grant will help prepare 2,500 graduates at Bladensburg and other schools across the county to succeed academically and graduate career-ready in the high-demand fields of health care and information technology.
On the same day, the Departments of Education and Labor launched the Registered Apprenticeship-College Consortium, a new effort that will allow graduates of registered apprenticeship programs to turn their years of rigorous on-the-job and classroom training into college credits toward an associate’s or bachelor’s degree. Registered apprenticeship programs are sponsored by joint employer and labor groups, individual employers, or employer associations. Currently, the registered apprenticeship system includes a network of more than 19,000 programs nationwide — offering nearly 1,000 different career opportunities. Participating sponsors will have their programs evaluated by a third-party organization (for example, the American Council on Education or the National College Credit Recommendation Service) to determine the college credit value of the apprenticeship completion certificate. Graduates will be able to earn up to 60 credits based on their apprenticeship experience.
Wanted: Students to take cocaine – University asks for volunteers to take drugs for study
A prestigious London university has asked for volunteers to take part in an experiment where they will be required to take cocaine.
An email sent by a professor at King’s College London asks for ‘healthy male volunteers, 25 – 40 years of age, to take part in a clinical study involving nasal administration of cocaine.’ The email, which was sent on Thursday afternoon to hundreds of postgraduate and undergraduate students at the university, is in seven sections, each titled with a question. Under the section, ‘What will happen?’, the email states: ‘After cocaine administration, repeated biological samples (blood, urine, hair, sweat, oral fluid) will be taken to compare and investigate how cocaine and its metabolites are spread through the human body.’
By Brian Krebs
April 3, 2014
An exclusive KrebsOnSecurity investigation detailing how a unit of credit
bureau Experian ended up selling consumer records to an identity theft service
in the cybercrime underground has prompted a multi-state investigation by
several attorneys general, according to wire reports.
Reuters moved a story this afternoon quoting Illinois Attorney General Lisa
Madigan saying that “it’s part of a multistate investigation,” and that
Connecticut Attorney General George Jepsen said that Connecticut is looking
into the matter as well.
News of the breach first came to light on this blog in October 2013, when
KrebsOnSecurity published an exclusive story detailing how a Vietnamese man
running an online identity theft service bought personal and financial records
on Americans directly from a company owned by Experian, one of the three major
U.S. credit bureaus.
Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty last month to
running an identity theft service out of his home in Vietnam. Ngo was arrested
last year in Guam by U.S. Secret Service agents after he was lured into
visiting the U.S. territory to consummate a business deal with a man he
believed could deliver huge volumes of consumers’ personal and financial data
The Folklore and Education section produces an annual newsletter, awards the Dorothy Howard Folklore and Education Prize and the Robinson-Roeder-Ward Fellowship, works with partners in the field, and organizes sessions and events at the AFS annual meeting. The Latest Edition of the Folklore and Education Section Newsletter is available online: Spring 2014 (pdf). (See below for the archive of newsletters dating from 2001.)
Gregory Hansen, Editor
Rosemary Hathaway, the newsletter’s co-editor