Another “Worst Practices” example?
As I pointed out in reporting on Starbucks’ response to Bob Sullivan’s disclosure of a breach involving the mobile app accounts, not everyone would find their explanation and response satisfactory. Today, Bob Sullivan fired back:
Since I broke news of the Starbucks mobile pay / gift card /credit card attack last Monday, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on.
[…]
Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.
Read more on BobSullivan.net.
Another reason to log changes and log management's review of changes. I think I'd side with the insurer. If I installed sprinklers and fire doors, etc. in order to get fire insurance, I'd be expected to allow the doors to swing shut and provide water to the sprinkler system, wouldn't I?
So you apply for cyberinsurance and in your application, you describe all the security controls and policies you have in place. And an insurance company looks it all over and issues you a policy because you meet the minimum security practices they require.
But then you don’t actually adhere to all the controls and policies you said you have in place – or your business associate doesn’t – and you have a data breach.
Does the insurer still have to cover you?
Columbia Casualty, a unit of CNA Financial Corp., is asking a court to agree that it is not obligated to pay a $4.1 million settlement in litigation stemming from a breach involving Cottage Health System. The breach occurred after an employee of vendor inSync removed security controls on a server. The insurer’s complaint alleges that:
The hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application, it states. The data breach was caused by its “failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure among other things.”
Read more on Business Insurance.
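The complaint above comes down to two checks: do the controls declared on the insurance application still hold on the live system, and was every deviation tracked and reviewed? The following is an added example (not code from the original post, the insurer, Cottage Health or inSync) that models exactly that: a declared baseline of controls, a later server snapshot, and a change log, with every drift classified as approved, logged-but-unreviewed, or untracked. The control names and the sample snapshot and change records are constructed for the example and are not the controls from the actual case.

```python
"""Configuration-drift check against a declared control baseline.

Added example. Hypothetical control names; the sample snapshot and
change log below are constructed data, not records from the real breach.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The controls the insured declared on its application (hypothetical names).
BASELINE: Dict[str, str] = {
    "file_share_public_access": "disabled",
    "security_patches": "current",
    "access_logging": "enabled",
    "intrusion_detection": "enabled",
}


@dataclass
class ChangeRecord:
    """One entry in the change log. An empty approved_by means the change
    was logged but management never reviewed it."""
    control: str
    new_value: str
    ticket: str
    approved_by: str


def find_drift(baseline: Dict[str, str],
               snapshot: Dict[str, str],
               change_log: List[ChangeRecord]) -> List[Tuple[str, str, str, str]]:
    """Compare the live snapshot with the declared baseline.

    Returns (control, declared_value, current_value, status) for every
    control that no longer matches. status is:
      'approved'   - a reviewed change record explains the new value
      'unreviewed' - a record exists but nobody approved it
      'untracked'  - no change record at all (the complaint's
                     "failure to control and track all changes")
    """
    records = {(c.control, c.new_value): c for c in change_log}
    findings = []
    for control, declared in baseline.items():
        current = snapshot.get(control, "missing")
        if current == declared:
            continue
        rec = records.get((control, current))
        if rec is None:
            status = "untracked"
        elif not rec.approved_by:
            status = "unreviewed"
        else:
            status = "approved"
        findings.append((control, declared, current, status))
    return findings


def controls_still_met(baseline: Dict[str, str],
                       snapshot: Dict[str, str],
                       change_log: List[ChangeRecord]) -> bool:
    """True only when every deviation from the declared baseline was both
    tracked and reviewed, i.e. the insured can still say it continuously
    implemented the controls it described."""
    return all(f[3] == "approved"
               for f in find_drift(baseline, snapshot, change_log))


# Constructed sample: a vendor flipped one control, patching lapsed, and
# one change went through review properly.
SNAPSHOT: Dict[str, str] = {
    "file_share_public_access": "enabled",   # control removed on the server
    "security_patches": "stale",             # patching lapsed, nobody logged it
    "access_logging": "enabled-verbose",     # reviewed and approved change
    "intrusion_detection": "enabled",
}

CHANGE_LOG: List[ChangeRecord] = [
    ChangeRecord("file_share_public_access", "enabled", "CHG-0001", ""),
    ChangeRecord("access_logging", "enabled-verbose", "CHG-0002", "security_manager"),
]


if __name__ == "__main__":
    for control, declared, current, status in find_drift(BASELINE, SNAPSHOT, CHANGE_LOG):
        print(f"{control}: declared={declared} current={current} -> {status}")
    print("baseline still met:", controls_still_met(BASELINE, SNAPSHOT, CHANGE_LOG))
```

Run against the constructed data it reports the public-access control as `unreviewed` (logged, never signed off), the patch state as `untracked`, and the logging change as `approved`; only the last kind leaves the insured's declaration intact, which is the distinction the insurer is asking the court to draw.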
An interesting conundrum. If the team buys the helmet and sensor, isn't the data theirs too? Should players buy their own helmets, fitting them with any sensors they want? Perhaps BYOG (bring your own gear) will be the next meme on the Internet of Things?
Brett Martel of AP reports:
When big-money NFL careers are at stake, the use of impact-measuring sensors in football helmets isn’t as routine as one might expect.
The NFL Players Association’s Mackey-White Committee, which spearheads player safety initiatives, spent considerable time discussing not only the potential health benefits of helmet sensors, but also the legal and ethical pitfalls that come with them in mid-April.
Committee members made it clear the NFLPA wants to pursue placing sensors in helmets as soon as the technology meets its standards. But the union also wants to ensure sensor data isn’t used in a way that infringes upon players’ medical privacy rights, or creates scenarios whereby careers are arbitrarily cut short by the teams for which they play.
Read more on Washington Times.
Another peek behind the curtain of “Security Theater”
This robot can crack your combination lock in less than 30 seconds
Weeks after introducing a manual method that narrows the number of potential combinations to a specific Master Lock down to just eight, intrepid hacker and engineer Samy Kamkar has developed an open source, 3D-printed robot that applies the technique automatically. Calling his gadget the "Combo Breaker," Kamkar claims it can crack a common combination lock in less than 30 seconds.
Kamkar's device uses a technique that feels for telltale points of resistance along a combination lock's dial. With the right algorithm, one can use these resistance points to figure out the first and third digits of a three-digit combination lock, along with eight possibilities for the second digit. From there, it's just a matter of trying each one out. The Arduino-based Combo Breaker is motorized to do exactly that.