Security News

XSS flaw on Wix leaves the door open to worms

A cross-site scripting vulnerability on a single website can divert unsuspecting users to malicious sites. When that same vulnerability exists across millions of websites, a worm can hop from site to site and compromise even more users. Now, a worm can...

Public participation should be used to fuel big data in healthcare

Public participation should be used to drive big data projects in the healthcare industry, according to a report by the Nuffield Council on Bioethics. But according to the research, this cannot happen without increased transparency about how the data will be collected and used. The report mentioned several current projects that have been called into question over whether their use of data is ethical, including the NHS Care.data initiative, 100K Genomes and UK Biobank.

Martin Richards, chair of the Nuffield Council on Bioethics Working Party and emeritus professor of family research at the University of Cambridge, said that as it becomes cheaper and easier to collect data, health services are collecting it from a number of different places, such as GP records, laboratory tests and even health-based applications. “There is a strong public interest in the responsible use of data to generate knowledge, drive innovation and improve health. However, people understandably have concerns about their privacy. If we don’t get this right, we risk losing public trust in research and, ultimately, missing out on the benefits this type of research can bring,” he said.

Lack of transparency was Care.data’s downfall, and in early 2014 the scheme was delayed by six months to “allow more time to build understanding of the benefits of using the information, what safeguards are in place and how people can opt out”, according to an NHS spokesperson.

The Nuffield report said the plans for Care.data to extract patient data and pass it on to the Health and Social Care Information Centre (HSCIC) highlighted the differences between the privacy expectations of patients and legal requirements of the HSCIC. “It highlighted the absence of governance arrangements to negotiate this difference, and raised questions about how the rights of individuals were respected. Failure to attend to these prospectively led to ad hoc policy changes and a damaging loss of public and professional trust,” the report said.

In the latter part of 2014, the project faced further delays due to concerns over lack of publicity and clarity of the proposed programme, despite ongoing positive support from patients. As the use of healthcare data grows, it is no longer just the concern of the Human Rights Act, but also the Data Protection Act, leading to changes in governance such as the recent update that allows the Information Commissioner’s Office (ICO) to force audits on NHS authorities. But despite challenges, the project has pushed forward, and in October last year the scheme finally entered testing with four clinical commissioning groups (CCGs).

According to the report, public concerns should be addressed and any data project should release a statement on how data will be used, collected and accessed, as well as who it will be available to. “Data is increasingly seen as a commodity to exploit and there are often strong political, economic or scientific interests that try to set the terms of a data project prior to any wider public debate,” said Susan Wallace, member of the Nuffield Council on Bioethics Working Party and lecturer of population and public health sciences at the University of Leicester. “We say that any data project should first take steps to find out how people expect their data to be used and engage with those expectations through a process of continued participation and review.”

Two more wild iPhone concepts we'd like to see one day...

Designers imagine future devices equipped with screens on the side and a parachute system. Too bad they don't actually work for Apple. by Eric Mack @ericcmack / December 9, 2015 10:58 AM PST

Hundreds of millions of Apple users potentially affected by XcodeGhost malware

Malware incident represents first major breach of usually stringent Apple App Store security

Move over Java. Drive-by attacks exploiting Microsoft Silverlight on the rise

Running an outdated version of Silverlight? Now would be a good time to upgrade.

Cop—fired for having lapel cam turned off a lot—reinstated to force

Officer said cam accidentally unplugged from battery before fatal shooting of a teen.

Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks

Hacks on sites using the widely used forum software spread to its maker.    

ICO investigates illegal data sharing in charity sector

The Information Commissioner's Office (ICO) is investigating data sharing in the charity sector following concerns that organisations might be selling contact data about donors. A report by the Daily Mail claims that the contact details of an elderly dementia sufferer were passed on 200 times, leading to the vulnerable man being contacted hundreds of times by charities after he forgot to tick a "don't share my details" box. As a result, the personal details of 87-year-old widower Samuel Rae also fell into the hands of 12 scam firms, which led to him losing £35,000 after being bombarded with calls.

Information Commissioner Christopher Graham said data sharing in the charity sector is "clearly concerning" and wrote that the ICO has "launched an investigation to work out exactly what has happened". The watchdog states that it's ready to take action if the law has been broken, which could see charities issued with a fine of up to £500,000 or face prosecution under the Data Protection Act in the magistrates court.

"The Data Protection Act is very clear: the very first principle is that your data should only be processed fairly and lawfully. What has been described in the papers this week doesn't look like that," said Graham.

"If Samuel Rae is still being plagued with unwanted mail and unwanted approaches, then it is really beside the point whether or not he ticked a box in 1994," he continued, adding that not ticking such a box does not constitute consent and "that doesn't give you the right to trade in people's personal information years after the event".

Graham said cases like this mean there's a danger of charity becoming "a dirty word" which he said "clearly isn't fair", but he added that the Data Protection Act applies to every organisation, no matter what sector they are in. "The rules on data protection and the rules about privacy and electronic communications apply to all who are processing data, whether businesses or charities. Everyone's got to stick to the law, and if the law's been broken then we will act," he said.

The Information Commissioner's Office is also currently investigating the 56 Dean Street health clinic after contact details of 780 HIV patients were leaked.

New security requirements protect, frustrate students seeking financial aid

In May 2015, the US Department of Education announced that it would sunset its old e-signature system for the Free Application for Federal Student Aid (FAFSA) and replace it with a new system to authenticate FAFSA information.

But the new system is apparently causing confusion and frustration among students. Students who want to apply for most federal and state financial aid for higher education in the US must fill out a FAFSA by midnight March 2 (that's tonight, if you're a teen or if you have a teen applying to college).

But filling out the form is not an easy process for students or their parents, who must also be registered with the Department of Education if the student can be claimed as a dependent. The change that the Department of Education implemented was a seemingly small one, but it’s created some friction that wasn’t there before, the Los Angeles Times reported. Previously, students and parents had to apply for a Federal Student Aid PIN with their social security number to access their FAFSA online.
If they later forgot their PIN, they had to recover it by reentering a social security number as well as a corresponding name and date of birth. Now, students and parents must create a Federal Student Aid ID (FSA ID), which allows users to access their FAFSA information through a user name and password.

The setup of an FSA ID also requires that students and parents have social security numbers as well as a valid e-mail address. In explaining the reason for the change, the Department of Education wrote, "Having a username and password is much more secure than a PIN that you enter in conjunction with personally identifiable information (your Social Security number, name, and date of birth).

The fewer times you have to enter personally identifiable information over the Internet, the safer you are.” While the change should have been simple, one survey from Get Schooled, an education hub geared towards students and funded by the Bill and Melinda Gates Foundation, found that approximately one in five high school seniors said they had problems signing up online, either because they were getting error messages or because they weren't sure of the steps they had to take to sign up. According to the Los Angeles Times, high school counselors are also reporting that students are having trouble navigating the creation of an FSA ID. “I am just so confused about FSA ID,” one student told Get Schooled, according to the Times.

Another said, “I could not set up a FSA ID, I got so many error messages so I had to mail it." Because of the importance of the approaching deadline, the Times reported that "Officials are asking students to submit even an incomplete FAFSA immediately, so that they make the deadline but can fill in more information later.” On the Department of Education's blog post regarding the change to FSA IDs, parents and students are complaining en masse about confusing instructions and not being able to log in to the system with the username and password they created.

As one parent complains:

"Ok so I’m a parent who FINALLY got the FSA ID thing to work. I am now verified. However, now it says ONLY a student should log in using the FSA ID so why did I have to go through all of this to get one?? How do I now log into the system?? I simply wanted to use the Data Retrieval tool through the IRS to verify my information as my son’s application was chosen for “verification”. When I enter his name, birthdate etc it takes me to his fafsa page that says it’s been processed but from there I cannot make changes..."

Another student rants:

"This new process is absolutely ridiculous! I have tried to create my FSA ID and it says that my id is not linked. I set it up correctly and verified my email with the code and it won’t let me in. Today is the cutoff to get this submitted and I have spent hours trying to sign in and then more hours on the phone trying to get a rep."

Yet another commenter posted:

"I am a student success adviser for the Iowa College Access Network. We provide free FAFSA assistance for parents and students. I had a parent in today. Her FSA ID did not work and we set one up for her husband and his did not work. How do we fix a FSA ID that does not work? It said that the ID did not match information on file. Also during the session, it said a problem may have occurred due to maintenance."

The Department of Education offers an 800-number that students and parents can call if they run into problems they can't seem to fix.

But college-prep forums have commenters complaining of excessive wait times to speak to personnel who can help them. Once they do get the right people on the line, resolutions range from "you thought the form to set up a FSA ID was asking for your child's date of birth but it was actually asking for your own date of birth" to "we're not sure how to fix this, send in a paper copy of the FAFSA." Kim Cook, director of the National College Access Network, told the Los Angeles Times that overall, the change to FSA ID is a good thing that will help protect students' identifying information, but she said she wished the Department of Education had made setting up an FSA ID more user-friendly. Besides the functional issues with the new system that students are reporting, the new requirement for an e-mail address could put a stumbling block in the way of poorer families whose parents might not have e-mail addresses.

And the Department of Education reminds students that an FSA ID constitutes a "legal signature," and students should not set one up for their parents, yet another barrier to getting students to file complete information.
Similarly, the requirement for a Social Security Number has slowed the processing of applications from students whose parents are immigrants under both the PIN and FSA ID systems.
If a student has a social security number but their parents do not, the student must mail in a paper copy of the FAFSA, which adds a hurdle to applying for financial aid.

And for marginalized students, financial aid is sometimes the only way they'll be able to attend college at all. Ars has contacted the Department of Education for more information on whether the FSA ID requirement is slowing down FAFSA processing and we will update when we've received a response.

Silk Road film unintentionally shows what’s wrong with the “Free Ross”...

Innocent man or an activist for privacy and "harm reduction?" They'll take both.

FreedomPop’s ‘Snowden phone’ encrypts your calls and data

The new $189 "Privacy Phone" comes with VPN, 128-bit encryption, and other tricks aimed at keeping you safe and anonymous. March 5, 2014 5:32 AM PST (Credit: Screenshot by Lance Whitney/CNET) Want to protect your phone calls and data from the fe...

ATM hackers release cold, hard cash at the click of a...

The ATMitch heist has shown attackers are now able to remotely create an ATM tunnel to financial reward with little effort.