Sunday, May 17, 2015

Another “Worst Practices” example?
As I pointed out in reporting on Starbucks’ response to Bob Sullivan’s disclosure of a breach involving the mobile app accounts, not everyone would find their explanation and response satisfactory. Today, Bob Sullivan fired back:
Since I broke news of the Starbucks mobile pay / gift card /credit card attack last Monday, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on.
Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.

Another reason to log changes and to log management's review of changes. I think I'd side with the insurer. If I installed sprinklers and fire doors, etc. in order to get fire insurance, I'd be expected to allow the doors to swing shut and provide water to the sprinkler system, wouldn't I?
So you apply for cyberinsurance and in your application, you describe all the security controls and policies you have in place. And an insurance company looks it all over and issues you a policy because you meet the minimum security practices they require.
But then you don’t actually adhere to all the controls and policies you said you have in place – or your business associate doesn’t – and you have a data breach.
Does the insurer still have to cover you?
Columbia Casualty, a unit of CNA Financial Corp., is asking a court to agree that it is not obligated to pay a $4.1 million settlement in litigation stemming from a breach involving Cottage Health System. The breach occurred after an employee of vendor inSync removed security controls on a server. The insurer’s complaint alleges that:
The hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application, it states. The data breach was caused by its “failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure among other things.”
Read more on Business Insurance.

An interesting conundrum. If the team buys the helmet and sensor, isn't the data theirs too? Should players buy their own helmets, fitting them with any sensors they want? Perhaps BYOG (bring your own gear) will be the next meme on the Internet of Things?
Brett Martel of AP reports:
When big-money NFL careers are at stake, the use of impact-measuring sensors in football helmets isn’t as routine as one might expect.
The NFL Players Association’s Mackey-White Committee, which spearheads player safety initiatives, spent considerable time discussing not only the potential health benefits of helmet sensors, but also the legal and ethical pitfalls that come with them in mid-April.
Committee members made it clear the NFLPA wants to pursue placing sensors in helmets as soon as the technology meets its standards. But the union also wants to ensure sensor data isn’t used in a way that infringes upon players’ medical privacy rights, or creates scenarios whereby careers are arbitrarily cut short by the teams for which they play.
Read more on Washington Times.

Another peek behind the curtain of “Security Theater”
This robot can crack your combination lock in less than 30 seconds
Weeks after introducing a manual method that narrows the number of potential combinations to a specific Master Lock down to just eight, intrepid hacker and engineer Samy Kamkar has developed an open source, 3D-printed robot that applies the technique automatically. Calling his gadget the "Combo Breaker," Kamkar claims it can crack a common combination lock in less than 30 seconds.
Kamkar's device uses a technique that feels for telltale points of resistance along a combination lock's dial. With the right algorithm, one can use these resistance points to figure out the first and third digits of a three-digit combination lock, along with eight possibilities for the second digit. From there, it's just a matter of trying each one out. The Arduino-based Combo Breaker is motorized to do exactly that.
